G-Lock Software \ Products \ AATools \ Report examples\ Port Scanner Report

Port Description/Possible Trojan simply shows what trojans and programs are known to commonly use a particular port. For example, a port description on port 25 shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all of those trojans! It just lets you know which trojans and programs have been known to frequent that port.

If you are dealing with the port scan of a networked Windows machine, you are more than likely to find active ports in the 1024 - 5000 range, and this activity is nothing more than a Windows service or a Windows application using the vacant port for some legitimate function or another. (I think that most of these functions have to do with drive-mapping and file sharing services, but I'm not sure.)   Also it may be ICQ ports.

According to the official RFC, dynamic allocations are technically supposed to be used only in the very high port ranges, but it seems that Microsoft has decided instead to use the mid-range values of 1024 ... 5000 for this purpose. (The Microsoft dynamic allocation routine only allocates a port if it is not already active, therefore it doesn't ever interfere with, or clobber, any existing services that may be legitimately running in that range). So if you run the Port Scanner against a Windows machine and find activity on, say, "Port 1042 -- Bla 1.1 Trojan" do not be so alarmed. Port 1042 often turns out to be one of the ports that a Windows server will dynamically use to manage its resources.

For information about well known trojan programs, please go to our web page at http://www.glocksoft.com/trojan_port.htm

Below is example of HTML report produced by the AATools Port Scanner utility