NTRootKit 1_1 details

  • Description

    From the doc: 'The first thing you should know about this rootkit is that the built-in backdoor can communicate with the client in 4 ways (0:Userdefined,1:Icmp,2:Udp,3:Tcp). These are all connectionless, so using a utility like fport.exe will not show a connection since there isn't one. TCP and UDP are the most reliable.'

  • Alias

    Backdoor Program [Panda]
    Backdoor.RtKit.10.c [Kaspersky]
    Backdoor.RtKit.10.d [Kaspersky]
    Backdoor/RtKit.10.C!Server [Computer Associates]
    Backdoor/RtKit.10.d!Server [Computer Associates]

  • Exe

    ntrootkit.exe
    rtclient.exe