Port Details - Port 3127

[Graph: two daily data series for port 3127, Jan 10 to Feb 09]

Port Information

Protocol  Service     Name
tcp       mydoom      W32/MyDoom, W32.Novarg.A backdoor
tcp       ctx-bridge
udp       ctx-bridge

User Comment

Submitted By  Date
Comment
2009-10-04 18:45:22
The overwhelming majority of hits I've seen are Doomjuice.A & B. Nachi and Vesser have been very rare. I've also been sent "Phatbot3" which is probably a modified version of Argobot.
Karma  2009-10-04 18:45:22
Although MyDoom may listen on 3127, this activity is probably that of DoomJuice or Nachi.B/C variants "looking" for MyDoom backdoors.
K-OTik.COM (TechNet)  2009-10-04 18:45:22
As you know, MyDoom.A machines are exploited by MyDoom.C and Vesser. There is a faster and more dangerous worm exploiting these machines: its name is "kiddies"!! So here is one of the codes used by kiddies to exploit MyDoom.A machines (many other codes in the wild): http://www.securityfocus.com/archive/1/353325 http://www.k-otik.com
Brian Porter  2004-02-10 19:50:07
MyDoom.C / Doomjuice
http://www.lurhq.com/mydoom-c.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOOMJUICE.A
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002
http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html
http://www.f-secure.com/v-descs/doomjuice.shtml
http://www.viruslist.com/eng/alert.html?id=930701
2004-02-06 22:18:53
The Win32.Mydoom computer virus opens and listens on TCP port 3127 (if this port is already in use, the worm tries the next free one in the range 3128-3199). The backdoor appears to have two main functions: execution of remotely supplied code, and port forwarding. Reference: http://www3.ca.com/virusinfo/virus.aspx?ID=38102
sfuechsli  2004-01-27 18:14:12
WORM_MIMAIL.R (Aliases: W32/Mydoom@MM, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm)

CVE Links

CVE #  Description