I would like to know if there is a program/script able to analyse the ports opened on a computer when you do a netstat and show the corresponding service/trojan running.
What do you mean "analyze"? On XP and above, you can do a netstat and get the PID of the process using that port. Maybe if you could tell us what you're looking for…
In fact, when you do a netstat or fport, you have some information like protocol, local IP, distant IP, state and PID, and you have the port used by the process, so I thought of a program/script able to indicate, for example, port 21 = ftp, port 22 = ssh, 109 = pop, port X = Trojan XXX.
This could be a way to identify known and suspect processes.
A kind of "live" ports database.
This sort of thing is out there, but I don't recommend the use of them.
First off, a static ports database doesn't really constitute "analysis".
Second, trojans are configurable…many, very much so. In my incident response course, I "infect" systems with a netcat listener (I rename nc.exe to inetinfo.exe) bound to port 80. That alone makes the ports database useless.
I'd recommend a process of examining the executable; for example, when you run openports.exe and get the path to the executable, "c:\windows\system32\svchost.exe" is legitimate (assuming WFP hasn't been mucked with…) while "c:\windows\temp\svchost.exe" may not be. Another way to analyze the svchost.exe (or any other legit file) is to hash it, and to see what the file version info says.
Also, consider using nmap.exe to do service identification.
hope that helps,
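The path-and-hash check described in the post above, as an added example that is not part of the original thread: it joins listening ports to the owning executable's path instead of looking the port number up in a static list. The netstat rows and the PID-to-path map are constructed sample data, and `EXPECTED_DIR` is an assumed, illustrative list of where those binaries normally live.

```python
import hashlib
import ntpath

# Constructed sample of `netstat -ano` rows (not from the thread).
NETSTAT = """\
  TCP    0.0.0.0:80       0.0.0.0:0     LISTENING     1432
  TCP    0.0.0.0:135      0.0.0.0:0     LISTENING     884
  TCP    0.0.0.0:445      0.0.0.0:0     LISTENING     4
  TCP    10.0.0.5:1045    10.0.0.9:22   ESTABLISHED   2210
"""
# Constructed PID -> image path map, as fport/openports.exe would report it.
PATHS = {1432: r"c:\windows\temp\inetinfo.exe",
         884: r"c:\windows\system32\svchost.exe",
         2210: r"c:\program files\putty\putty.exe"}
# Assumption: expected directories for two well-known binary names.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32",
                "inetinfo.exe": r"c:\windows\system32\inetsrv"}

def listeners(netstat_text):
    """Yield (local_port, pid) for every TCP row in LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield int(f[1].rsplit(":", 1)[1]), int(f[4])

def assess(path):
    """Compare an image path with where a binary of that name should live."""
    if path is None:
        return "no-path"        # e.g. PID 4 (System); needs other tooling
    name = ntpath.basename(path).lower()
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return "unknown-name"   # no verdict: hash it, read its version info
    ok = ntpath.dirname(path).lower() == expected
    return "expected-path" if ok else "SUSPECT-path"

def sha256_file(path, chunk=65536):
    """Hash an executable so it can be compared with a known-good copy."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(netstat_text, paths):
    """Return (port, pid, path, verdict) for each listener."""
    return [(port, pid, paths.get(pid), assess(paths.get(pid)))
            for port, pid in listeners(netstat_text)]

if __name__ == "__main__":
    for row in triage(NETSTAT, PATHS):
        print(row)
```

An "expected-path" verdict only says the name and location agree; the hash and file version info are still what confirm the file is the genuine one.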
Like Harlan suggested, Nmap is worth a look. It has a database of port fingerprints that identifies services, including trojans, and it gets updated regularly. As pointed out by Harlan, the database will not contain an exhaustive list of all the contemporary, reconfigured versions of all trojans, but it is a good resource.
OK, thanks for the answers.
nmap seems to be the right tool.
I am going to try it as soon as possible.