Winmx Software making calls to Port 25
From: Retro Granny <retrogranny () netscape net>
Date: 6 Aug 2004 04:42:49 -0000

I have been involved as a chatroom admin within the Winmx program for quite a while now and have been the one to make
whatever security updates were needed to keep the room a pleasant place for folks who visit. A couple of months ago, I
installed Zone Alarm. While running a temp room, ZA popped up and asked if I would allow the Winmx program to send
information on Port 25. This particular version of ZA allows you to specify on a program by program basis, which are
allowed to send email. Denying Winmx access to Port 25 resulted in the room dropping, although, Winmx itself continued

At first I thought it was the work of a trojan that had found its way into my system. But, after running a variety of
system scanners available on the internet as well as spyware scanners, my system still came up clean and bug free. A
relief there, but still not an answer to the Port 25 call.

I installed a clean multi-boot partition and downloaded the Winmx program (v.3.53) directly from Winmx.com. I then
installed the 30 day trial version of the Iris Packet Sniffer software and of course Zone Alarm. I ran ZA with "ask
permission" set on port 25 and once again it popped up a request. I then defined a filter in Iris to capture
activity on 25 (SMTP), 43 (WHOIS), 69 (TFTP), 80 (HTTP), 110 (POP3), 119 (NNTP), 143 (IMAP) and 7940 which is a port I
am told is used by the Winmx program for communicating with their servers.

Test 1 - Zone Alarm, Iris and Winmx using a primary connection and hosting a testroom. Packets were captured on port
25. The packets captured using port 25 were destined for a valid ip address in Japan. I am told Winmx does not have
servers in Japan, and the activity I have captured from them tends to verify that statement.

Test 2 - No applications running except Zone Alarm and Iris. No packets captured.

Test 3 - Zone Alarm, Iris and Winmx running a secondary connection. The only packets captured were on Port 80 showing
the setup and Keep Alive calls to Winmx.com.

I did email Winmx on this issue, but have not received a response from them. I know of other systems that have this
issue, but as they received their setups from me, they aren't far enough at arms length to act as verifiers. Today, I
received verification that I was not alone with this problem when another user posted it to one of the support
websites. I have asked this user to confirm my findings to the best of his ability.

This activity clearly raises an alarm of a possible backdoor to the Winmx program. I would appreciate any information
on how to proceed from here.
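
An added example, not part of the original post: one way to triage connection records from the three tests above, comparing which watched ports appear in each test and listing port 25 traffic from programs that are not mail clients. The record format, process names, `MAIL_CLIENTS` list and sample addresses are assumptions constructed for illustration; only the port list comes from the post.

```python
# Ports the post's Iris filter watched (labels as given in the post).
WATCHED = {25: "SMTP", 43: "WHOIS", 69: "TFTP", 80: "HTTP",
           110: "POP3", 119: "NNTP", 143: "IMAP", 7940: "WinMX"}
# Assumption: programs on this host that are expected to send mail.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample records: "test process dst_ip dst_port".
# Addresses are documentation ranges, not values from the post's capture.
SAMPLE = """\
test1 winmx.exe 192.0.2.10 25
test1 winmx.exe 198.51.100.7 80
test1 winmx.exe 198.51.100.7 7940
test3 winmx.exe 198.51.100.7 80
test1 svchost.exe 203.0.113.5 53
"""

def parse(text):
    """Yield (test, process, dst_ip, port) for records on watched ports."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than guess
        test, proc, ip, port = parts[0], parts[1].lower(), parts[2], int(parts[3])
        if port in WATCHED:
            yield test, proc, ip, port

def ports_by_test(text, tests):
    """Map each test to the set of watched ports seen (empty if none)."""
    seen = {t: set() for t in tests}
    for test, _, _, port in parse(text):
        seen.setdefault(test, set()).add(port)
    return seen

def only_in(seen, test, baselines):
    """Ports seen in `test` but in none of the baseline tests."""
    base = set().union(*(seen[b] for b in baselines))
    return seen[test] - base

def unexpected_smtp(text):
    """(test, process, dst_ip) for port 25 traffic from non-mail programs."""
    return sorted({(t, p, ip) for t, p, ip, port in parse(text)
                   if port == 25 and p not in MAIL_CLIENTS})

if __name__ == "__main__":
    seen = ports_by_test(SAMPLE, ["test1", "test2", "test3"])
    for name in sorted(seen):
        print(name, sorted(seen[name]))
    print("only in test1:", sorted(only_in(seen, "test1", ["test2", "test3"])))
    print("port 25 from non-mail programs:", unexpected_smtp(SAMPLE))
```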