Introduction to Trojan horses

Trojan horses

A Trojan horse is a computer program which carries out malicious operations without the user's knowledge. The name "Trojan horse" comes from a legend told in the Iliad (by the writer Homer) about the siege of the city of Troy by the Greeks.

Legend has it that the Greeks, unable to penetrate the city's defences, got the idea to give up the siege and instead give the city a giant wooden horse as a gift offering.

The Trojans (the people of the city of Troy) accepted this seemingly harmless gift and brought it within the city walls. However, the horse was filled with soldiers, who came out at nightfall, while the town slept, to open the city gates so that the rest of the army could enter.

Thus, a Trojan horse (in the world of computing) is a hidden program which secretly runs commands, and usually opens up access to the computer running it by opening a backdoor. For this reason, it is sometimes called a Trojan by analogy to the citizens of Troy.

Like a virus, a Trojan horse is a piece of harmful code placed within a healthy program (like a false file-listing command, which destroys files instead of displaying the list).

A Trojan horse may, for example:

  • steal passwords;
  • copy sensitive data;
  • carry out any other harmful operations;
  • etc.

Worse, such a program can create an intentional security breach within your network, so as to give outside users access to protected areas on the network.

The most common Trojan horses open machine ports, allowing their designer to gain entry to your computer over the network by opening a backdoor or backorifice.

A Trojan horse is not necessarily a virus, as its goal is not to reproduce itself to infect other machines. On the other hand, some viruses may also be Trojan horses; that is, they might spread like viruses and open ports on infected machines!

Detecting such a program is difficult because you must be able to determine whether an action is being carried out by the Trojan horse or by the user.

Symptoms of infection

Infection by a Trojan horse usually comes after opening a contaminated file containing the Trojan horse (see the article on protecting yourself from worms) and is indicated by the following symptoms:

  • Abnormal activity by the modem, network adapter or hard drive: data is being loaded without any activity from the user;
  • Strange reactions from the mouse;
  • Programs opening unexpectedly;
  • Repeated crashes.

Principle of a Trojan horse

As a Trojan horse is usually (and increasingly) intended to open a port on your machine so that a hacker can gain control of it (such as by stealing personal data stored on the hard drive), the hacker's goal is to first infect your machine by making you open an infected file containing the Trojan and then to access your machine through the opened port.

However, to be able to infiltrate your machine, the hacker normally has to know its IP address. So:

  • Either you have a fixed IP address (as with businesses, or with individuals with a cable or similar connection, etc.) in which case your IP address can easily be discovered;
  • or your IP address is dynamic (reassigned each time you connect), as with modem connections, in which case the hacker must scan IP addresses at random in order to detect those which correspond to infected machines.

Protect yourself from Trojans

Installing a firewall (a program which filters data entering and leaving your machine) is enough to protect you from this kind of intrusion. A firewall monitors both data leaving your machine (normally initiated by the programs you are using) and data entering it. However, the firewall may detect unknown outside connections even if a hacker is not specifically targeting you. They may be tests carried out by your Internet service provider, or a hacker randomly scanning a range of IP addresses.

For Windows systems, there are two free high-performance firewalls:

In case of infection

If a program whose origins you are unsure of attempts to open a connection, the firewall will ask you to confirm it before initiating the connection. It is important to not authorize connections for a program you don't recognise, because it might very well be a Trojan horse.

If this reoccurs, it may be helpful to check that your computer isn't affected by a Trojan, by using a program that detects and deletes them (called an anti-Trojan).
One example is The Cleaner, which can be downloaded from

List of ports commonly used by Trojans

Trojan horses commonly open a port on the infected machine and wait for a connection to open on that port, so that hackers will be able to gain total control over the computer. Here is a (non-exhaustive) list of the most common ports used by Trojan horses (source: Site de Rico):

port 21: Back construction, Blade runner, Doly, Fore, FTP trojan, Invisible FTP, Larva, WebEx, WinCrash
port 23: TTS (Tiny Telnet Server)
port 25: Ajan, Antigen, Email Password Sender, Happy99, Kuang 2, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
port 31: Agent 31, Hackers Paradise, Masters Paradise
port 41: Deep Throat
port 80: Executor, RingZero
port 99: Hidden port
port 110: ProMail trojan
port 119: Happy 99
port 421: TCP Wrappers
port 456: Hackers Paradise
port 555: Ini-Killer, NetAdmin, Phase Zero, Stealth Spy
port 666: Attack FTP, Back Construction, Cain & Abel, Satanz Backdoor, ServeU, Shadow Phyre
port 911: Dark Shadow
port 999: Deep Throat, WinSatan
port 1002: Silencer, WebEx
ports 1010 to 1015: Doly trojan
port 1170: Psyber Stream Server, Streaming Audio Trojan, voice
port 1234: Ultor trojan
port 1234: Ultors Trojan
port 1243: BackDoor-G, SubSeven, SubSeven Apocalypse
port 1245: VooDoo Doll
port 1269: Mavericks Matrix
port 1349 (UDP): BO DLL
port 1492: FTP99CMP
port 1509: Psyber Streaming Server
port 1600: Shivka-Burka
port 1807: SpySender
port 1981: Shockrave
port 1999: BackDoor
port 1999: TransScout
port 2000: TransScout
port 2001: TransScout
port 2001: Trojan Cow
port 2002: TransScout
port 2003: TransScout
port 2004: TransScout
port 2005: TransScout
port 2023: Ripper
port 2115: Bugs
port 2140: Deep Throat, The Invasor
port 2155: Illusion Mailer
port 2283: HVL Rat5
port 2565: Striker
port 2583: WinCrash
port 2600: Digital RootBeer
port 2801: Phineas Phucker
port 2989 (UDP): RAT
port 3024: WinCrash
port 3128: RingZero
port 3129: Masters Paradise
port 3150: Deep Throat, The Invasor
port 3459: Eclipse 2000
port 3700: portal of Doom
port 3791: Eclypse
port 3801 (UDP): Eclypse
port 4092: WinCrash
port 4321: BoBo
port 4567: File Nail
port 4590: ICQTrojan
port 5000: Bubbel, Back Door Setup, Sockets de Troie
port 5001: Back Door Setup, Sockets de Troie
port 5011: One of the Last Trojans (OOTLT)
port 5031: NetMetro
port 5321: FireHotcker
port 5400: Blade Runner, Back Construction
port 5401: Blade Runner, Back Construction
port 5402: Blade Runner, Back Construction
port 5550: Xtcp
port 5512: Illusion Mailer
port 5555: ServeMe
port 5556: BO Facil
port 5557: BO Facil
port 5569: Robo-Hack
port 5742: WinCrash
port 6400: The Thing
port 6669: Vampyre
port 6670: Deep Throat
port 6771: Deep Throat
port 6776: BackDoor-G, SubSeven
port 6912: Shit Heep (not port 69123!)
port 6939: Indoctrination
port 6969: GateCrasher, Priority, IRC 3
port 6970: GateCrasher
port 7000: Remote Grab, Kazimas
port 7300: NetMonitor
port 7301: NetMonitor
port 7306: NetMonitor
port 7307: NetMonitor
port 7308: NetMonitor
port 7789: Back Door Setup, ICKiller
port 8080: RingZero
port 9400: InCommand
port 9872: portal of Doom
port 9873: portal of Doom
port 9874: portal of Doom
port 9875: portal of Doom
port 9876: Cyber Attacker
port 9878: TransScout
port 9989: iNi-Killer
port 10067 (UDP): portal of Doom
port 10101: BrainSpy
port 10167 (UDP): portal of Doom
port 10520: Acid Shivers
port 10607: Coma
port 11000: Senna Spy
port 11223: Progenic trojan
port 12076: Gjamer
port 12223: Hack'99 KeyLogger
port 12345: GabanBus, NetBus, Pie Bill Gates, X-bill
port 12346: GabanBus, NetBus, X-bill
port 12361: Whack-a-mole
port 12362: Whack-a-mole
port 12631: WhackJob
port 13000: Senna Spy
port 16969: Priority
port 17300: Kuang2 The Virus
port 20000: Millennium
port 20001: Millennium
port 20034: NetBus 2 Pro
port 20203: Logged
port 21544: GirlFriend
port 22222: Prosiak
port 23456: Evil FTP, Ugly FTP, Whack Job
port 23476: Donald Dick
port 23477: Donald Dick
port 26274 (UDP): Delta Source
port 27374: SubSeven 2.0
port 29891 (UDP): The Unexplained
port 30029: AOL trojan
port 30100: NetSphere
port 30101: NetSphere
port 30102: NetSphere
port 30303: Sockets de Troie
port 30999: Kuang2
port 31336: Bo Whack
port 31337: Baron Night, BO client, BO2, Bo Facil
port 31337 (UDP): BackFire, Back Orifice, DeepBO
port 31338: NetSpy DK
port 31338 (UDP): Back Orifice, DeepBO
port 31339: NetSpy DK
port 31666: Bo Whack
port 31785: Hack'a'Tack
port 31787: Hack'a'Tack
port 31788: Hack'a'Tack
port 31789 (UDP): Hack'a'Tack
port 31791 (UDP): Hack'a'Tack
port 31792: Hack'a'Tack
port 33333: Prosiak
port 33911: Spirit 2001a
port 34324: BigGluck, TN
port 40412: The Spy
port 40421: Agent 40421, Masters Paradise
port 40422: Masters Paradise
port 40423: Masters Paradise
port 40426: Masters Paradise
port 47262 (UDP): Delta Source
port 50505: Sockets de Troie
port 50766: Fore, Schwindler
port 53001: Remote Windows Shutdown
port 54320: Back Orifice 2000
port 54321: School Bus
port 54321 (UDP): Back Orifice 2000
port 60000: Deep Throat
port 61466: Telecommando
port 65000: Devil
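
A list like this is only useful when compared with the sockets your own machine is actually listening on. The following Python code is an added example, not part of the original article: it checks text in the layout of Windows `netstat -an` output (the sample is constructed) against a subset of the list above, and marks ports that standard services also use as ambiguous rather than suspect. Treating entries without "(UDP)" as TCP is an assumption, as are all names in the code.

```python
import re

# Subset of the article's list. Entries without "(UDP)" are assumed to be TCP.
KNOWN_TROJAN_PORTS = {
    ("tcp", 80): "Executor, RingZero",
    ("tcp", 8080): "RingZero",
    ("tcp", 1243): "BackDoor-G, SubSeven, SubSeven Apocalypse",
    ("tcp", 12345): "GabanBus, NetBus, Pie Bill Gates, X-bill",
    ("tcp", 27374): "SubSeven 2.0",
    ("tcp", 31337): "Baron Night, BO client, BO2, Bo Facil",
    ("udp", 31337): "BackFire, Back Orifice, DeepBO",
}
# Listed ports that ordinary services (FTP, Telnet, SMTP, HTTP, POP3, NNTP) also use.
SHARED_WITH_SERVICES = {21, 23, 25, 80, 110, 119, 8080}

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.9:31337      ESTABLISHED
  TCP    [::]:27374             [::]:0                 LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:5353           *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$", re.I)

def find_suspect_listeners(netstat_text):
    """Return (proto, port, names, level) for local listeners on listed ports."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, port, state = m.group(1).lower(), int(m.group(3)), m.group(5).upper()
        # TCP must be LISTENING; UDP has no state column, so any bound socket counts.
        if proto == "tcp" and state != "LISTENING":
            continue
        names = KNOWN_TROJAN_PORTS.get((proto, port))
        if names:
            level = "ambiguous" if port in SHARED_WITH_SERVICES else "investigate"
            findings.append((proto, port, names, level))
    return findings

if __name__ == "__main__":
    for proto, port, names, level in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"{proto.upper()} {port:<6} [{level}] listed for: {names}")
```

A match is a lead, not proof: confirm which program owns the socket (for example with `netstat -ano` and the process list) before concluding anything, and remember that a Trojan can listen on any port, listed or not.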
CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jean-François Pillou, founder of CCM reaches more than 50 million unique visitors per month and is available in 11 languages.


This document, titled « Introduction to Trojan horses », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (