[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?

Bill McCarty bmccarty at pt-net.net
Mon Feb 9 23:41:54 GMT 2004

Hi Blake and all,

--On Monday, February 09, 2004 3:14 PM -0700 Blake McNeill 
<mcneillb at linklogger.com> wrote:

> DoomJuice only seems to scan TCP port 3127.  Scans to ports 1080 and 3128
> are unrelated and likely scans for open proxies.

Yes, Symantec's description of DoomJuice, 
.html>, mentions port 3127 but does not mention port 1080 or 3127.

On the other hand, the Feb. 7 Handler's Diary, 
<http://isc.incidents.org/diary.html?date=2004-02-07>, had suggested that 
the Vesser worm--also known as Deadhat--might be responsible for traffic on 
all three ports. Symantec's description of Deadhat, 
tml>, does indeed state that Deadhat is active on ports 1080, 3127, and 

However, Deadhat does not seem to be the source of the scan that I 
observed, since the scan did not involve port 3127. Of course, it's 
possible that Deadhat has multiple operating modes, at least one of which 
does not scan port 3127 but does scan the several other ports that I 
observed. Nevertheless, assuming that Symantec's information is reasonably 
complete, my scan likely relates to some tool other than Deadhat.

Because the observed scan continued into class Cs adjacent to my network, I 
suspect that the same tool is being seen elsewhere and may be a significant 
source of the observed traffic increase on ports 1080 and 3128 across the 
Internet. In casual analysis, the traffic from this tool may be confounded 
with that from Deadhat and other sources related to port 3127 and therefore 
ignored as inconsequential. Indeed, the user(s) of this tool may be 
expressly hoping to hide within the noise generated by the current worms. 
If the author of this tool is especially clever, he may modify it to also 
probe port 3127, in which case its scanning is likely to be ignored by many 


Bill McCarty
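
An added example, not part of the original post: one way to keep the scan profiles discussed above apart is to group probes by source and compare each source's set of destination ports, rather than counting hits per port. The log format, the addresses, port 8080 and the label names are constructed for illustration.

```python
import re
from collections import defaultdict

WATCHED = {1080, 3127, 3128}  # the three ports discussed in the thread

# Constructed sample records (not real captures): "<time> <src> -> <dst>:<dport>/tcp"
SAMPLE_LOG = """\
23:01:02 192.0.2.10 -> 198.51.100.5:3127/tcp
23:01:03 192.0.2.10 -> 198.51.100.6:3127/tcp
23:01:04 192.0.2.20 -> 198.51.100.5:1080/tcp
23:01:04 192.0.2.20 -> 198.51.100.5:3127/tcp
23:01:05 192.0.2.20 -> 198.51.100.5:3128/tcp
23:01:06 192.0.2.30 -> 198.51.100.7:1080/tcp
23:01:06 192.0.2.30 -> 198.51.100.7:3128/tcp
23:01:07 192.0.2.30 -> 203.0.113.7:8080/tcp
23:01:08 192.0.2.30 -> 203.0.113.9:1080/tcp
malformed line that should be skipped
"""
LINE_RE = re.compile(r"^\S+ (\S+) -> (\d+\.\d+\.\d+)\.\d+:(\d+)/tcp$")

def profile_sources(log_text):
    """Return {src: (set of destination ports, set of destination /24s)}."""
    seen = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records that do not parse
        ports, nets = seen[m.group(1)]
        ports.add(int(m.group(3)))
        nets.add(m.group(2) + ".0/24")
    return dict(seen)

def classify(ports):
    """Label a source by which of the watched ports it probed."""
    hit = ports & WATCHED
    if ports == {3127}:
        return "3127-only"                 # profile attributed to DoomJuice in the thread
    if hit == WATCHED:
        return "1080+3127+3128"            # all three ports, as suggested for Deadhat
    if hit and 3127 not in hit:
        return "proxy-ports-without-3127"  # the scan described in this post
    return "other"

def report(log_text):
    """Return {src: (profile label, number of distinct /24s probed)}."""
    return {s: (classify(p), len(n)) for s, (p, n) in profile_sources(log_text).items()}
```

The /24 count shows whether a source's probing continues into adjacent networks, which is the observation the post uses to argue the same tool is being seen elsewhere.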
