[Dshield] Is there a legitimate service named doom?

Brenden Walker BKWalker at drbsystems.com
Thu Jun 23 18:17:57 GMT 2005

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of 
> securityguy at dslextreme.com
> Sent: Thursday, June 23, 2005 1:29 PM
> To: list at lists.dshield.org
> Subject: [Dshield] Is there a legitimate service named doom?
> Troubleshooting a windows 2k server, a netstat showed a 
> protocol named "doom" listening on port 1035.  The latest 
> virus scans show no infection (symantec, mcafee stinger, and 
> trendmicro's housecall) all report clean. 
> There's been (so far as I can tell) no slow down in service, 
> increase in disk size, or anything out of the ordinary.  Is it 
> possible that this is a normal service as opposed to someone 
> running a game?  How would I track down what is spawning this service?

Start with netstat -o which will give you the PID of the process that
opened the service, find that in your task manager and then hunt down
the executable.  That'll probably tell you a lot right there.
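
The lookup described in the reply above, as an added example that is not part of the original post: a Python script that joins `netstat -ano` output (`-a` and `-n` added so listening sockets appear and ports stay numeric) to `tasklist /FO CSV /NH` output and names the process bound to a port. Both sample outputs, including the PIDs and image names, are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1035           0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:1035      192.168.1.44:49712     ESTABLISHED     1520
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:1035           *:*                                    2044
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image names are made up).
TASKLIST_SAMPLE = '''\
"System","4","Services","0","236 K"
"svchost.exe","884","Services","0","4,112 K"
"example-service.exe","1520","Services","0","9,876 K"
"example-udp.exe","2044","Services","0","5,020 K"
'''

def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # skips the banner, the column header and blank lines
        # UDP rows have no State column; the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        # rpartition copes with IPv6 local addresses such as [::]:445.
        port = int(f[1].rpartition(":")[2])
        yield f[0], port, state, int(f[-1])

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def owners_of_port(port, netstat_text, tasklist_text):
    """Return sorted (proto, pid, image) for TCP listeners and UDP sockets on port."""
    images = parse_tasklist(tasklist_text)
    hits = set()
    for proto, lport, state, pid in parse_netstat(netstat_text):
        if lport == port and (proto == "UDP" or state == "LISTENING"):
            # A PID absent from the task list is reported, not dropped.
            hits.add((proto, pid, images.get(pid, "<not in tasklist>")))
    return sorted(hits)

if __name__ == "__main__":
    for proto, pid, image in owners_of_port(1035, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto} 1035 -> PID {pid} ({image})")
```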
