USB drive listening on open port?

Steve

Lifer
May 2, 2004
15,945
11
81
A co-worker in my tech support dept. has found that some (or all?) USB flash memory drives seem to be opening and listening to a port. The process is UStorSrv.exe (perhaps used in all USB flash memory drives?) and it appears to be sitting on port 32219.

Does anybody have any info on whether this is actively transmitting anything? Where it would be sending to? Anything that could have potential misuse?
 
Jan 31, 2002
40,819
2
0
Mine doesn't do it (Sandisk) so I don't know what to tell you on that aspect. Google shows a Spanish result, if anyone can translate.

Far as sending/receiving, throw up a netstat -a and see if anyone's connecting on 32219, or get a packet sniffer running.

- M4H
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,205
126
Wild, I can't find anything either. I don't believe that it's a component of Windows. I'm guessing spyware or some sort of remote-access trojan got installed. It's definitely not normal for all USB flash drives.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
A quick Google search reveals that this program is called 'OTi content service'. OTi are certainly one of the largest producers of USB drive chips, so it's conceivable that this could be part of a driver. The issue is, however, that USB drive drivers are not required on Win2k and later - and indeed, OTi do not supply drivers for these OSs. This begs the question, where did this program come from?

You certainly have to consider the possibility that this is not a legitimate program, and has been installed for malicious purposes - the name chosen to make it sound legitimate.
 

epsilon9090

Member
Sep 4, 2004
144
0
0
Yes, this could be a trojan horse designed to let a malicious user remotely access the computer at a later time.

I would:

a) set up the office network router to monitor all incoming connections to port 32219.
b) log any connections made
c) check to see if outgoing connections are made
d) monitor the network traffic totals
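
The checks suggested in this thread (netstat on port 32219, then looking for inbound and outbound connections), as an added example that is not part of the original posts: a Python parser for Windows `netstat -ano` output that reports who is listening on the port, whether the listener is reachable from the network, and what the owning process is connected to. The sample output, addresses and PID are constructed.

```python
import re

# Constructed sample of Windows `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:32219          0.0.0.0:0              LISTENING       1712
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       2040
  TCP    192.168.1.20:32219     192.168.1.77:4021      ESTABLISHED     1712
  TCP    192.168.1.20:1045      203.0.113.9:80         ESTABLISHED     1712
  UDP    0.0.0.0:445            *:*                                    4
"""

# proto, local addr:port, foreign addr:port, optional state (absent for UDP), PID
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+?):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse(text):
    """Return one dict per socket row; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "raddr": raddr, "rport": rport,
                         "state": state or "", "pid": int(pid)})
    return rows

def audit_port(rows, port):
    """Summarise exposure of `port`: listener PIDs, bind scope, and peers."""
    listeners = [r for r in rows if r["lport"] == port and r["state"] == "LISTENING"]
    pids = {r["pid"] for r in listeners}
    established = [r for r in rows if r["state"] == "ESTABLISHED"]
    inbound = [r for r in established if r["lport"] == port]
    # Other connections held by the same process (possible outgoing traffic).
    outbound = [r for r in established if r["pid"] in pids and r["lport"] != port]
    loopback = lambda a: a.startswith("127.") or a == "[::1]"
    return {
        "pids": sorted(pids),
        "remote_reachable": any(not loopback(r["laddr"]) for r in listeners),
        "inbound_peers": sorted(f'{r["raddr"]}:{r["rport"]}' for r in inbound),
        "outbound_peers": sorted(f'{r["raddr"]}:{r["rport"]}' for r in outbound),
    }

if __name__ == "__main__":
    print(audit_port(parse(SAMPLE), 32219))
```

The PID it reports can be matched to an image name with `tasklist /FI "PID eq <pid>"` to confirm which executable owns the listener.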

 

Steve

Lifer
May 2, 2004
15,945
11
81
Thanks for the information, folks. We will certainly act on this first thing Monday morning. Please continue to forward any more info you find :)