TCP Port 3127
Common Use
Used by the myDoom/Novarg virus as a backdoor port. DoomJuice, Welchia, and Deadhat were the first widely spread worms to take
advantage of this backdoor, and port 3127 has since become one of the favourite infection
vectors of an endless parade of Agobot and other malware.
Inbound Traffic
myDoom has been called the fastest-spreading email virus yet recorded, and it attempted
a denial-of-service (DoS) attack against www.sco.com and www.microsoft.com. myDoom also
installs a backdoor that listens on TCP port 3127, allowing a hacker to execute
code remotely. TCP port 3127 traffic should be blocked by your firewall.
Outbound Traffic
Outbound scans, especially if occurring in volume, should be considered an indication of a
possible infection or compromise on the source computer and should be
investigated immediately.
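One way to surface the outbound pattern described above from firewall logs, as an added example that is not part of the original page. The log line format, the 192.168.1.0/24 LAN range, the `min_targets` threshold and the function name are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2004-02-10 09:00:01 OUT TCP 192.168.1.20:1045 -> 203.0.113.5:3127
2004-02-10 09:00:01 OUT TCP 192.168.1.20:1046 -> 203.0.113.77:3127
2004-02-10 09:00:02 OUT TCP 192.168.1.20:1047 -> 198.51.100.7:3127
2004-02-10 09:00:02 OUT TCP 192.168.1.20:1048 -> 198.51.100.9:3127
2004-02-10 09:00:03 OUT TCP 192.168.1.20:1049 -> 203.0.113.5:3127
2004-02-10 09:01:10 OUT TCP 192.168.1.31:2210 -> 198.51.100.7:3127
2004-02-10 09:01:15 OUT TCP 192.168.1.31:2211 -> 198.51.100.80:80
2004-02-10 09:02:00 IN TCP 203.0.113.200:4021 -> 192.168.1.20:3127
2004-02-10 09:02:30 -- truncated entry --
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<dir>IN|OUT) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL = ip_network("192.168.1.0/24")  # assumed LAN range
BACKDOOR_PORT = 3127                      # myDoom backdoor port


def find_outbound_scanners(log_text, min_targets=3):
    """Map each internal host to the distinct external addresses it tried
    on TCP 3127, keeping only hosts with at least min_targets of them."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "OUT" or int(m["dport"]) != BACKDOOR_PORT:
            continue  # malformed, inbound, or a different port
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:
            continue  # address field did not parse
        if src in INTERNAL and dst not in INTERNAL:
            targets[str(src)].add(str(dst))
    return {host: sorted(dsts, key=ip_address)
            for host, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for host, dsts in find_outbound_scanners(SAMPLE_LOG).items():
        print(f"{host}: {len(dsts)} distinct targets on TCP 3127: {dsts}")
```

Counting distinct destinations rather than raw connections separates a host sweeping many addresses from one retrying a single peer.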
Additional Information
http://www.cert.org/incident_notes/IN-2004-01.html
What You Should Know About the Mydoom and Doomjuice Worm Variants
DoomJuice.A / myDoom.C PortPeeker Capture (large)
DoomJuice.B PortPeeker Capture
Deadhat / Vesser PortPeeker Capture (large)
DoomHunter Capture

Link Logger report for inbound port 3127 scans for
February 1st - April 29, 2004. The first scan of the outbreak was
February 9th at 5:46 AM local time. This graph shows the arrival and
continuing impact of malicious attacks attempting to utilize
the myDoom backdoor.
Page last updated on
April 30, 2004