Norton 2005: Default Block DeepThroat Trojan horse

Geiri
Junior Member
Posts: 23
Joined: 2005-02-02, 12:35 UTC

Post by *Geiri »

Hi there

I connected to my ISP's FTP to upload some files with TC.
While uploading I got many warnings about Trojan activity?

Is my ISP contaminated? Or?

This is the Norton 2005 log:

Details: Rule "Default Block DeepThroat Trojan horse" blocked communication.
Local address: All local network adapters(3150).
Process name is "C:\totalcmd\TOTALCMD.EXE".

And this:

Default Block Master Paradise Trojan horse
Default Block WinCrash Trojan horse
Default Block Phinneas Phucker Trojan horse
Default Block Bugs Trojan horse
Default Block Ripper Trojan horse
Default Block TransScout
Default Block Backdoor/SubSeven Trojan horse
Default Block Spy Sender Trojan horse
Default Block Shiva Burka Trojan horse
Default Block FTP99CMP Trojan horse
Default Block Ultor's Trojan horse
Maxwish
Senior Member
Posts: 370
Joined: 2003-02-05, 19:13 UTC
Location: .NL

Post by *Maxwish »

These are probably false warnings.
During FTP sessions, Windows will negotiate with the FTP server concerning ports to use for the data connection. It will use ports above the 1024 range for this, but some of these ports are also used by certain Trojans. And because NORTON is a bad firewall it is showing the FTP data connections for TC to these ports as possible hacking attempts.
...BRB...
ghisler(Author)
Site Admin
Posts: 48166
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Maxwish's explanation is correct. Good firewalls use so-called stateful packet inspection: They see that FTP requests these ports, and temporarily allow them for just that server.

To avoid the problem with Norton, you should use passive mode; it uses only outgoing connections, no incoming.
Author of Total Commander
https://www.ghisler.com
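
The difference between a port-only rule and stateful inspection of active-mode FTP, as an added example that is not part of the original posts and is not Norton's or Total Commander's code. The class and function names and the IP addresses (documentation ranges) are constructed for illustration; port 3150 and the rule name come from the log quoted above.

```python
import re

# Static rule from the Norton log above: local port 3150 -> DeepThroat rule.
STATIC_BLOCK = {3150: "Default Block DeepThroat Trojan horse"}
# Active-mode command (RFC 959): PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def stateless_verdict(local_port):
    """Port-only rule set: no knowledge of any FTP session."""
    rule = STATIC_BLOCK.get(local_port)
    return f"block: {rule}" if rule else "allow"


class FtpInspector:
    """Hypothetical stateful inspector for one FTP control connection."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pinholes = set()  # local ports the client announced via PORT

    def on_client_line(self, line):
        """Parse a control-channel line; return the announced port or None."""
        m = PORT_RE.match(line)
        if not m:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
        # Only honour PORT for the client's own address and unprivileged ports.
        if ip != self.client_ip or port < 1024:
            return None
        self.pinholes.add(port)
        return port

    def on_inbound(self, remote_ip, local_port):
        """Verdict for an inbound TCP connection to the client."""
        if remote_ip == self.server_ip and local_port in self.pinholes:
            self.pinholes.discard(local_port)  # one-shot: close after use
            return "allow: FTP data connection"
        rule = STATIC_BLOCK.get(local_port, "unsolicited inbound")
        return f"block: {rule}"
```

With a constructed control line `PORT 192,0,2,10,12,78` (12*256+78 = 3150), the inspector allows one inbound connection to port 3150 from the FTP server only, while the port-only rule blocks it regardless of who connects.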