How can you tell from the port whether a virus or Trojan is involved? Ports can be divided into 3 main categories:
1, Well-known ports (Well Known Ports): from 0 to 1023. They are tightly bound to particular services, so traffic on these ports usually clearly indicates the protocol of a specific service. For example, port 80 is practically always HTTP traffic.
2, Registered ports (Registered Ports): from 1024 to 49151. They are loosely bound to services. This means that many services are bound to these ports, and the same ports are also used for many other purposes. For example, many systems start allocating dynamic ports at around 1024.
3, Dynamic and/or private ports (Dynamic and/or Private Ports): from 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines typically allocate dynamic ports starting from 1024. But there are exceptions: Sun's RPC port starts at 32768.
In general, viruses and Trojans do not use the first category, that is, ports 0-1023. But there are exceptions, such as the Code Red worm, which uses port 80. Therefore, it cannot be said in general that particular ports indicate a virus or Trojan horse. In addition, the customization features of current Trojans are becoming more and more powerful, and the communication port can be set freely, which makes it harder still to identify a Trojan by its port.
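Since the port range alone settles nothing, a defender usually checks which process owns each listening port. The following is an added example, not part of the original article: it classifies listeners into the three ranges above and compares the owning process against an expected baseline. The sample lines, process names and the `BASELINE` table are constructed assumptions.

```python
import re

# Constructed sample in the style of `ss -tlnp` output; not taken from a real host.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 5 0.0.0.0:443 0.0.0.0:* users:(("updater",pid=4021,fd=4))
LISTEN 0 64 [::]:32768 [::]:* users:(("rpc.statd",pid=700,fd=9))
LISTEN 0 5 0.0.0.0:51413 0.0.0.0:* users:(("helper",pid=4100,fd=3))
"""

# Hypothetical site baseline: the process expected to own each listening port.
BASELINE = {22: "sshd", 80: "nginx", 443: "nginx", 32768: "rpc.statd"}

LISTENER = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def port_category(port):
    """Map a port number to the three ranges described in the article."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def triage(text, baseline):
    """Judge each listener by its owning process, not by its port range."""
    findings = []
    for line in text.splitlines():
        m = LISTENER.match(line.strip())
        if not m:
            continue  # header or non-listening line
        port, proc = int(m.group(2)), m.group(3)
        expected = baseline.get(port)
        if expected is None:
            verdict = "unlisted listener"
        elif expected != proc:
            verdict = "unexpected process"
        else:
            verdict = "matches baseline"
        findings.append({"addr": m.group(1), "port": port, "process": proc,
                         "pid": int(m.group(4)),
                         "category": port_category(port), "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE, BASELINE):
        print(f"{f['port']:>5} {f['category']:<16} {f['process']:<10} {f['verdict']}")
```

In this sample the well-known port 443 is the one held by an unexpected process, while the registered-range port 32768 matches the baseline, so the range by itself would have pointed the wrong way.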