TCP Port 3127
Used by the myDoom/Novarg virus as a backdoor port. DoomJuice, Welchia, and Deadhat have appeared as the first widely spread worms to take
advantage of this back door, but port 3127 has become one of the favourite infection
vectors of an endless parade of Agobot and other malware.
myDoom has been called the
fastest spreading email virus yet recorded and attempted to DOS www.sco.com
and www.microsoft.com. myDoom also
installs a backdoor that listens on TCP port 3127 allowing a hacker to execute
code remotely. TCP port 3127 traffic should be blocked by your firewall.
Outbound scans especially if occurring in volume should be considered an indication of a
possible infection or compromise on the source computer and should be
What You Should Know About the Mydoom and Doomjuice Worm Variants
DoomJuice.A / myDoom.C PortPeeker Capture (large)
DoomJuice.B PortPeeker Capture
Deadhat / Vesser PortPeeker Capture (large)
Link Logger report for inbound port 3127 scans for
February 1th - April 29, 2004. First scan or the outbreak was
February 9th 5:46 AM local time. This graph shows the arrival and
continuing impact of malicious attacks attempting to utilize
the myDoom backdoor.
Page last updated on
April 30, 2004