
SANS ISC: Port 3127 (tcp/udp) Attack Activity - SANS Internet Storm Center


Port Information
Protocol Service Name
tcp mydoom W32/MyDoom, W32.Novarg.A backdoor
tcp ctx-bridge ctx-bridge
udp ctx-bridge ctx-bridge
Port diary mentions
URL
Update 20:10 GMT 2004-1-28: New variant of NovargMyDoom found, Microsoft Changing IE's URL Handling, Solaris Local Privilege Escalation
ASN.1 DoS exploit hostname resolution, Recent Scan Increases, anti spam effort
User Comments
Submitted By Date
Comment
2009-10-04 18:45:22
The overwhelming majority of hits I've seen are Doomjuice.A & B. Nachi and Vesser have been very rare. I've also been sent "Phatbot3" which is probably a modified version of Argobot.
Karma 2009-10-04 18:45:22
Although MyDoom may listen on 3127, this activity is probably that of DoomJuice or Nachi.B/C variants "looking" for MyDoom backdoors.
K-OTik.COM (TechNet) 2009-10-04 18:45:22
As you know, MyDoom.A machines are exploited by MyDoom.C and Vesser. There is a faster and more dangerous worm exploiting these machines: its name is "kiddies"!! So here is one of the codes used by kiddies to exploit Mydoom.A machines (many other codes in the wild): http://www.securityfocus.com/archive/1/353325 http://www.k-otik.com
Brian Porter 2004-02-10 19:50:07
MyDoom.C / Doomjuice http://www.lurhq.com/mydoom-c.html http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002 http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html http://www.f-secure.com/v-descs/doomjuice.shtml http://www.viruslist.com/eng/alert.html?id=930701
2004-02-06 22:18:53
The Win32.Mydoom computer virus opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one from the range 3128-3199). The backdoor appears to have two main functions: execution of remotely-supplied code, and port forwarding. Reference: http://www3.ca.com/virusinfo/virus.aspx?ID=38102
sfuechsli 2004-01-27 18:14:12
WORM_MIMAIL.R (Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm)