Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Port 3127 (tcp/udp) Attack Activity

Port Information
Protocol  Service     Name
tcp       mydoom      W32/MyDoom, W32.Novarg.A backdoor
tcp       ctx-bridge  ctx-bridge
udp       ctx-bridge  ctx-bridge
Top IPs Scanning
Today   Yesterday
(183)   (394)
(133)   (254)
(13)    (97)
(10)    (31)
(5)     (26)
(1)     (20)
(1)     (15)
(1)     (14)
Port diary mentions
Update 20:10 GMT 2004-1-28: New variant of NovargMyDoom found, Microsoft Changing IE's URL Handling, Solaris Local Privilege Escalation
ASN.1 DoS exploit hostname resolution, Recent Scan Increases, anti spam effort
User Comments
Submitted By Date
2009-10-04 18:45:22
The overwhelming majority of hits I've seen are Doomjuice.A & B. Nachi and Vesser have been very rare. I've also been sent "Phatbot3" which is probably a modified version of Argobot.
Karma 2009-10-04 18:45:22
Although MyDoom may listen on 3127, this activity is probably that of DoomJuice or Nachi.B/C variants "looking" for MyDoom backdoors.
K-OTik.COM (TechNet) 2009-10-04 18:45:22
As you know, MyDoom.A machines are exploited by MyDoom.C and Vesser. There is a faster and more dangerous worm exploiting these machines: its name is "kiddies"!! So here is one of the codes used by kiddies to exploit Mydoom.A machines (many other codes in the wild)
Brian Porter 2004-02-10 19:50:07
MyDoom.C / Doomjuice;virus_k=101002
2004-02-06 22:18:53
The Win32.Mydoom computer virus opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199). The backdoor appears to have two main functions: execution of remotely-supplied code, and port forwarding. Reference:
sfuechsli 2004-01-27 18:14:12
WORM_MIMAIL.R (Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm)