
SANS ISC: TCP/UDP Port 3127 Activity

Port Information
Protocol Service Name
tcp mydoom W32/MyDoom, W32.Novarg.A backdoor
tcp ctx-bridge ctx-bridge
udp ctx-bridge ctx-bridge
User Comments
Submitted By Date
2009-10-04 18:45:22
The overwhelming majority of hits I've seen are Doomjuice.A & B. Nachi and Vesser have been very rare. I've also been sent "Phatbot3" which is probably a modified version of Argobot.
Karma 2009-10-04 18:45:22
Although MyDoom may listen on 3127, this activity is probably that of DoomJuice or Nachi.B/C variants "looking" for MyDoom backdoors.
K-OTik.COM (TechNet) 2009-10-04 18:45:22
As you know, MyDoom.A machines are exploited by MyDoom.C and Vesser. There is a faster and more dangerous worm exploiting these machines: its name is "kiddies"!! So here is one of the codes used by kiddies to exploit Mydoom.A machines (many other codes in the wild)
Brian Porter 2004-02-10 19:50:07
MyDoom.C / Doomjuice
2004-02-06 22:18:53
The Win32.Mydoom computer virus opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199). The backdoor appears to have two main functions: execution of remotely-supplied code, and port forwarding. Reference:
sfuechsli 2004-01-27 18:14:12
WORM_MIMAIL.R (Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm)