The following is an nmap-services file that can be used in conjunction with nmap to hunt for viruses on a network. It can't find all viruses — only those ones that open a TCP or UDP port as a backdoor — so only use it as a small part of the overall defense for your network. I won't bother explaining how to use it — if you don't know how then you probably shouldn't be using it. It could potentially be used for good or evil. I use it for the former.
```
# List of ports used by malware
#
# Note: some of these have legitimate uses too. These are given
# as [bracketed] comments where known.
#
# Also, tonnes of trojans use common ports such as 21, 25, 80, etc.
# I have generally left these out as they'll result in tonnes of
# false-positives.

Blaster      69/udp     # [tftp]
Sobig        995/udp    #
Sobig        996/udp    #
Sobig        997/udp    #
Sobig        998/udp    #
Sobig        999/udp    #
MyDoom       1080/tcp   # bugbear, [some proxies]
Ultor        1111/tcp   #
subseven     1234/tcp   #
subseven     1243/tcp   #
subseven     1999/tcp   #
Beagle       2556/tcp   #
Beagle       2745/tcp   #
subseven     2773/tcp   #
subseven     2774/tcp   #
MyDoom       3127/tcp   #
MyDoom       3128/tcp   # [some proxies]
Blaster      4444/tcp   #
subseven     6667/tcp   # DefCon 8
subseven     6711/tcp   #
subseven     6712/tcp   #
subseven     6713/tcp   #
subseven     6776/tcp   #
subseven     7000/tcp   #
subseven     7215/tcp   #
qaz          7597/tcp   #
Beagle       8866/tcp   #
NetBus       12345/tcp  # [italk chat system]
NetBus       12346/tcp  #
subseven     16959/tcp  #
subseven     27374/tcp  #
subseven     27573/tcp  #
Elite        31337/tcp  #
BackOrifice  31337/udp  #
Bugbear      36794/tcp  #
Bugbear      36794/udp  #
RWShutdown   53001/tcp  #
subseven     54283/tcp  #
BackOrifice  54320/tcp  #
BackOrifice  54321/tcp  #
```
If you have any improvements, please let me know.
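As an added example (not the author's code), the same file can be used for a local check: the sketch below parses the `name port/proto # comment` layout and matches it against a host's own listening sockets, carrying the `[bracketed]` legitimate uses into the result so false positives are easy to triage. The function names are hypothetical, the input is assumed to be `ss -tuln` output, and the sample output is constructed.

```python
import re

# Excerpt of the list above, in the same nmap-services layout.
SERVICES = """\
Blaster 69/udp # [tftp]
MyDoom 3128/tcp # [some proxies]
NetBus 12345/tcp # [italk chat system]
Elite 31337/tcp #
BackOrifice 31337/udp #
"""

# Constructed sample of `ss -tuln` output (not taken from a real host).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3128     0.0.0.0:*
tcp   LISTEN 0      5      [::]:31337         [::]:*
"""

def parse_services(text):
    """Map (port, proto) -> list of (name, [legitimate uses])."""
    table = {}
    for line in text.splitlines():
        entry, _, comment = line.partition("#")
        fields = entry.split()
        if len(fields) < 2 or not re.fullmatch(r"\d+/(tcp|udp)", fields[1]):
            continue  # header comment, blank line or malformed entry
        port, proto = fields[1].split("/")
        legit = re.findall(r"\[([^\]]+)\]", comment)  # [bracketed] notes
        table.setdefault((int(port), proto), []).append((fields[0], legit))
    return table

def parse_listeners(ss_text):
    """Yield (port, proto) for each socket row of `ss -tuln` output."""
    row = r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S*:(\d+)\s"
    for m in re.finditer(row, ss_text, re.M):
        yield int(m.group(2)), m.group(1)

def triage(services_text, ss_text):
    """Return [(port, proto, names, legitimate_uses)] for listed ports in use."""
    table = parse_services(services_text)
    findings = []
    for key in sorted(set(parse_listeners(ss_text))):
        if key in table:  # protocol must match too: 31337/tcp is not 31337/udp
            names = sorted({name for name, _ in table[key]})
            legit = sorted({use for _, uses in table[key] for use in uses})
            findings.append((key[0], key[1], names, legit))
    return findings
```

A finding with a non-empty legitimate-use list (tftp on 69/udp, a proxy on 3128/tcp) is a prompt to confirm which process owns the socket, not proof of infection.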