Port Details - Port 3127


Port Information

Protocol  Service     Name
tcp       mydoom      W32/MyDoom, W32.Novarg.A backdoor
tcp       ctx-bridge
udp       ctx-bridge

User Comment

Submitted By  Date
Comment
2009-10-04 18:45:22
The overwhelming majority of hits I've seen are Doomjuice.A & B. Nachi and Vesser have been very rare. I've also been sent "Phatbot3" which is probably a modified version of Argobot.
Karma  2009-10-04 18:45:22
Although MyDoom may listen on 3127, this activity is probably that of DoomJuice or Nachi.B/C variants "looking" for MyDoom backdoors.
K-OTik.COM (TechNet)  2009-10-04 18:45:22
As you know MyDoom.A machines are exploited by MyDoom.C and Vesser - There is a faster and more dangerous worm exploiting these machines : his name is "kiddies" !! so here is one of the codes used by kiddies to exploit Mydoom.A machines (many other codes in the wild) http://www.securityfocus.com/archive/1/353325 http://www.k-otik.com
Brian Porter  2004-02-10 19:50:07
MyDoom.C / Doomjuice http://www.lurhq.com/mydoom-c.html http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002 http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html http://www.f-secure.com/v-descs/doomjuice.shtml http://www.viruslist.com/eng/alert.html?id=930701
2004-02-06 22:18:53
The Win32.Mydoom computer-virus opens and listens to the TCP port 3127, (if this port is already in use, the worm tries the next one free from the range 3128-3199). The backdoor appears to have two main functions: execution of remotely-supplied code, and port forwarding. Reference: http://www3.ca.com/virusinfo/virus.aspx?ID=38102
sfuechsli  2004-01-27 18:14:12
WORM_MIMAIL.R (Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm)

CVE Links

CVE #  Description