Port Information
| Protocol | Service | Name |
|---|---|---|
| tcp | mydoom | W32/MyDoom, W32.Novarg.A backdoor |
| tcp | ctx-bridge | |
| udp | ctx-bridge | |
User Comment
| Submitted By | Date | Comment |
|---|---|---|
| | 2009-10-04 18:45:22 | The overwhelming majority of hits I've seen are Doomjuice.A & B. Nachi and Vesser have been very rare. I've also been sent "Phatbot3" which is probably a modified version of Argobot. |
| Karma | 2009-10-04 18:45:22 | Although MyDoom may listen on 3127, this activity is probably that of DoomJuice or Nachi.B/C variants "looking" for MyDoom backdoors. |
| K-OTik.COM (TechNet) | 2009-10-04 18:45:22 | As you know MyDoom.A machines are exploited by MyDoom.C and Vesser - There is a faster and more dangerous worm exploiting these machines: his name is "kiddies"!! So here is one of the codes used by kiddies to exploit Mydoom.A machines (many other codes in the wild) http://www.securityfocus.com/archive/1/353325 http://www.k-otik.com |
| Brian Porter | 2004-02-10 19:50:07 | MyDoom.C / Doomjuice http://www.lurhq.com/mydoom-c.html http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002 http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html http://www.f-secure.com/v-descs/doomjuice.shtml http://www.viruslist.com/eng/alert.html?id=930701 |
| | 2004-02-06 22:18:53 | The Win32.Mydoom computer-virus opens and listens to the TCP port 3127 (if this port is already in use, the worm tries the next one free from the range 3128-3199). The backdoor appears to have two main functions: execution of remotely-supplied code, and port forwarding. Reference: http://www3.ca.com/virusinfo/virus.aspx?ID=38102 |
| sfuechsli | 2004-01-27 18:14:12 | WORM_MIMAIL.R (Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm) |
CVE Links
| CVE # | Description |
|---|---|

