Warning

 

Close
Confirm Action

Are you sure you wish to do this?

Cancel Confirm
5772 Online
bravocompany bravocompany bravocompany
brownells brownells
tnvc tnvc tnvc
AR15.COM
bravocompany
My Account
bravocompany bravocompany bravocompany
brownells brownells
tnvc tnvc tnvc
silencerShop
palmetto
brownells
magpul
primaryArms
geissele
DFC
aim
cz
vortex
skd
springfield
colt
midwest
fightlite
JRH
Holosun
OSIGHT
Guns
RS
bravocompany
GS
5772 Online
DFC
fightlite
springfield
skd
Holosun
GS
JRH
geissele
midwest
magpul
silencerShop
OSIGHT
primaryArms
bravocompany
palmetto
brownells
RS
colt
aim
cz
Guns
vortex
Site News Could You Have Stopped This? Vegas Shooting Analysis with Attorneys on Retainer
Sponsor News Introducing TNVC's NEW and Exclusive Filmed SuperGain (FSG) and Chimera Panoramic Goggle Giveaway!
3/2/2002 4:49:59 PM EDT
I have noticed that I somtimes see outgoing traffic on port 9999. Do any computer guru`s here know what this is?
3/2/2002 5:02:38 PM EDT
[#1]
Possible trojan horse.  Get yourself a good virus scanner and run it!

Here are the specifics...

The Prayer

--------------------------------------------------------------------------------
Name:  The Prayer
Aliases:  
Ports:  2716, 9999  
Files:  Prayer.zip - 256,349 bytes Prayer.zip - 806,956 bytes ThePrayer1.0.zip - 208,450 vytes ThePrayer1.2.zip - 256,553 bytes ThePrayer1.3.zip - 255,994 bytes ThePrayer1.5.zip - 526,730 bytes Prayer.exe - 240,897 bytes Prayer.exe - 423,936 bytes Prayer13.exe - 418,304 bytes Server.exe - 206,336 bytes Server.exe - 226,304 bytes Ps.exe - 160,982 bytes Mswinsck.ocx - 62,540 bytes Tabctl32.ocx - 118,781 bytes Winsck.ocx - 106,768 bytes Winsck.ocx - 126,976 bytes Msinet.ocx - 64,567 bytes S etup.exe - 89,600 bytes Setup1.exe - 73,501 bytes Prayer.mid- 22,557 bytes St5unst.exe - 38,692 bytes Vb5stkit.dll - 16,457 bytes Dlls32.exe - - 208,869 bytes
Created:  Nov 1999
Requires:  Winsck.ocx - is required to run the trojan.
Actions:  Remote Access
 
Versions:  1.0, 1.2, 1.3, 1.5,  
Registers:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Notes:  Works on Windows.  
Country:  written in Brazil
Program:  
3/2/2002 5:06:26 PM EDT
[#2]
According to the IANA, port 9999 is used by a UNIX function called "distinct".  I have no idea of any other programs that use this port on windows platforms.  However, the Prayer 1.2 and 1.3 trojans also use this port.  Try upgrading your virus scanning software or defintions and scanning your entire computer.
3/2/2002 5:07:26 PM EDT
[#3]
Could be just about anything... lots of programs like to use port 9999, from proxy programs to the malicious.  I'd agree with Capone on this one... run some antivirus.

Another possibility... run a firewall.  There are lots of free firewall programs (Tiny Personal Firewall for example).  Configure the firewall to block outgoing traffic on port 9999.  If one of your legit programs complains, then let it through, otherwise keep it blocked.

Viper Out
3/2/2002 5:10:28 PM EDT
[#4]
Well thats scarry! Here`s the deal. I have latest McAfee Ver. 6.02.1019. And the only time I see activity on port 9999 is when I connect to AR15.COM.

edited to add I have a firewall router and I run zone alarm.
3/2/2002 5:13:15 PM EDT
[#5]
Firewalls only stop what you tell them to stop. I doubt you would block access to the internet, though you could increase your surveilance. I recommend 'zone alarm' [url]www.zonealarm.com[/url] it's free!- and effective for the home user. A good virus scanning software- with current dats is essential as well!

[8D]
3/2/2002 5:36:09 PM EDT
[#6]

a packet sniffer may help you figure out what type of information is being sent...or at least identify if it is headed anywhere significant. but it's probably just the batf. in conjunction with ar15.com, they sometimes use 9999 to gather data on gun owners.
3/4/2002 4:13:10 AM EDT
[#7]
WTF....???

found this script in the AR15.com Source code

-START Of Script Attempt-
SRC="http://www.ar15.com:9999/engine/advertise.html?zid=1&js=1

Any comments?
brownells
primaryArms
LAPG
gray
SAS
springfield
cmmg
Faxxon
bravocompany
Pro2A
CA
fightlite
THBRD
colt
ar15com
LAPG
silencerShop
ar15com
RS
geissele
blackhills
ar15com