[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?
bmccarty at pt-net.net
Mon Feb 9 23:41:54 GMT 2004
Hi Blake and all,
--On Monday, February 09, 2004 3:14 PM -0700 Blake McNeill
<mcneillb at linklogger.com> wrote:
> DoomJuice only seems to scan TCP port 3127. Scans to ports 1080 and 3128
> are unrelated and likely scans for open proxies.
Yes, Symantec's description of DoomJuice,
.html>, mentions port 3127 but does not mention port 1080 or 3127.
On the other hand, the Feb. 7 Handler's Diary,
<http://isc.incidents.org/diary.html?date=2004-02-07>, had suggested that
the Vesser worm--also known as Deadhat--might be responsible for traffic on
all three ports. Symantec's description of Deadhat,
tml>, does indeed state that Deadhat is active on ports 1080, 3127, and
However, Deadhat does not seem to be the source of the scan that I
observed, since the scan did not involve port 3127. Of course, it's
possible that Deadhat has multiple operating modes, at least one of which
does not scan port 3127 but does scan the several other ports that I
observed. Nevertheless, assuming that Symantec's information is reasonably
complete, my scan likely relates to some tool other than Deadhat.
Because the observed scan continued into class Cs adjacent to my network, I
suspect that the same tool is being seen elsewhere and may be a significant
source of the observed traffic increase on ports 1080 and 3128 across the
Internet. In casual analysis, the traffic from this tool may be confounded
with that from Deadhat and other sources related to port 3127 and therefore
ignored as inconsequential. Indeed, the user(s) of this tool may be
expressly hoping to hide within the noise generated by the current worms.
If the author of this tool is especially clever, he may modify it to also
probe port 3127, in which case its scanning is likely to be ignored by many
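The classification the post argues for, separating a source that probes 1080 and 3128 without 3127 (and walks adjacent class Cs) from DoomJuice-style 3127-only scanners and Deadhat-style scanners of all three ports, as an added example that is not part of the original message or of any DShield tooling. The iptables-style log format, the IP addresses and the label names are assumptions constructed for the example; it generalizes the post's single observation into a per-source summary over any such log.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines in an iptables/syslog style (not data from the post).
SAMPLE_LOG = """\
Feb  9 22:10:01 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.15 PROTO=TCP DPT=3127
Feb  9 22:10:02 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.16 PROTO=TCP DPT=3127
Feb  9 22:10:05 fw kernel: DROP SRC=203.0.113.9 DST=192.0.2.15 PROTO=TCP DPT=1080
Feb  9 22:10:05 fw kernel: DROP SRC=203.0.113.9 DST=192.0.2.15 PROTO=TCP DPT=3127
Feb  9 22:10:05 fw kernel: DROP SRC=203.0.113.9 DST=192.0.2.15 PROTO=TCP DPT=3128
Feb  9 22:10:09 fw kernel: DROP SRC=203.0.113.44 DST=192.0.2.20 PROTO=TCP DPT=1080
Feb  9 22:10:09 fw kernel: DROP SRC=203.0.113.44 DST=192.0.2.20 PROTO=TCP DPT=3128
Feb  9 22:10:10 fw kernel: DROP SRC=203.0.113.44 DST=192.0.3.20 PROTO=TCP DPT=1080
Feb  9 22:10:10 fw kernel: DROP SRC=203.0.113.44 DST=192.0.3.20 PROTO=TCP DPT=3128
Feb  9 22:10:11 fw kernel: DROP SRC=203.0.113.44 DST=192.0.4.20 PROTO=TCP DPT=8080
Feb  9 22:10:12 fw kernel: DROP SRC=198.51.100.200 DST=192.0.2.30 PROTO=TCP DPT=80
"""

# Ports discussed in the thread: 3127 (DoomJuice/MyDoom backdoor), 1080 and 3128 (proxy ports).
WORM_PORTS = {1080, 3127, 3128}

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dpt"])


def summarize(lines):
    """Per source: the set of destination ports hit and the set of destination /24s touched."""
    per_src = defaultdict(lambda: {"ports": set(), "nets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dpt = rec
        per_src[src]["ports"].add(dpt)
        # Track distinct class Cs so a scan that walks adjacent /24s stands out.
        per_src[src]["nets"].add(ip_network(f"{dst}/24", strict=False))
    return per_src


def classify(ports):
    """Label a port set by which of the thread's scan patterns it matches (labels are ours)."""
    hits = ports & WORM_PORTS
    if not hits:
        return "unrelated"
    if hits == {3127}:
        return "doomjuice-like"        # 3127 only, as Symantec describes DoomJuice
    if hits == WORM_PORTS:
        return "deadhat-like"          # 1080, 3127 and 3128 together
    if 3127 not in hits:
        return "proxy-scanner"         # 1080/3128 without 3127: the tool the post suspects
    return "mixed"                     # 3127 plus one of the proxy ports


def report(lines):
    """List of (src, label, number_of_/24s_touched), ordered by source address."""
    summary = summarize(lines)
    return [
        (src, classify(info["ports"]), len(info["nets"]))
        for src, info in sorted(summary.items(), key=lambda kv: ip_address(kv[0]))
    ]


def suspicious_proxy_scanners(lines, min_nets=2):
    """Sources hitting proxy ports without 3127 that span at least min_nets class Cs."""
    return [src for src, label, n in report(lines) if label == "proxy-scanner" and n >= min_nets]


if __name__ == "__main__":
    for src, label, nets in report(SAMPLE_LOG.splitlines()):
        print(f"{src:16} {label:15} /24s={nets}")
    print("worth a second look:", suspicious_proxy_scanners(SAMPLE_LOG.splitlines()))
```

The key check is the "proxy-scanner" label combined with the count of /24s touched: a source that hits 1080 and 3128 but never 3127 does not match either worm's published profile, and one that also walks neighbouring networks is the pattern the post describes. If such a tool is later changed to probe 3127 as well, it would land in the "deadhat-like" bucket, which is exactly why the per-source port set, not just the raw per-port counts, is what to keep an eye on.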