What Range This Port Belongs To
Port 2989 is a registered port — sitting in the 1024–49151 range that IANA maintains for services that have applied for an assignment. These ports aren't reserved for the operating system (that's the well-known range below 1024), but they're supposed to be spoken for.
"Supposed to" is doing a lot of work in this case.
The Registered Service: ZARKOV
IANA lists port 2989 as assigned to ZARKOV Intelligent Agent Communication, over both TCP and UDP.[1]
Nobody seems to know what ZARKOV actually was. There are no RFCs, no surviving documentation, no deployed systems anyone has written about. The name suggests something from the late 1990s or early 2000s AI agent boom — a period when "intelligent agents" were going to transform computing, before the concept mostly dissolved back into software. ZARKOV registered the port and then, apparently, vanished.
The port sits in the registry with its name and nothing else.
What the Port Is Actually Known For
In August 2004, a piece of malware appeared that would earn a small place in security history: Backdoor.Brador, the first trojan backdoor written for Windows Mobile Pocket PCs.[2]
The author chose port 2989 deliberately. In hexadecimal, 2989 is 0xBAD.
Brador's behavior was straightforward: once executed on a Pocket PC, it copied itself into \Windows\StartUp\svchost.exe (borrowing a Windows process name for cover), then connected to an SMTP server through port 2989 to email its creator — "I'm here." After that, it reopened port 2989 in listen mode, accepting up to five connections, ready to receive commands.[3]
It wasn't self-replicating. Someone had to open it. But whoever did had handed a remote attacker full control of their PDA: file uploads, file downloads, arbitrary command execution.
Kaspersky traced it to a Russian writer. The port choice suggests someone proud of their work.
Security Posture
Port 2989 appears on multiple threat intelligence lists as historically associated with RAT activity.[4] If you find it open on a system unexpectedly, investigate.
That said, Brador was a 2004 threat targeting hardware that no longer exists. The port itself is not dangerous — no port is. What listens on it determines the risk.
How to Check What's Using This Port
On Linux or macOS:
On Windows:
Match the PID from netstat output against Task Manager to identify the process.
If nothing appears, the port is closed. If something appears that you don't recognize, that's worth knowing.
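The check described above can be scripted. The following is an added example, not code from the original page: it parses Windows netstat output and, on Linux or macOS, lsof output, and reports which PID holds port 2989. The page names only netstat and the PID; the `-ano` flags, the lsof invocation, the function names and the sample output are assumptions made for this example.

```python
import platform
import subprocess

PORT = 2989  # 0xBAD, the port this page discusses
# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2989           0.0.0.0:0              LISTENING       4321
  TCP    [::]:29890             [::]:0                 LISTENING       777
  TCP    10.0.0.5:50112         203.0.113.9:2989       ESTABLISHED     900
  UDP    0.0.0.0:2989           *:*                                    4321
"""

def parse_netstat_ano(text, port=PORT):
    """Return (proto, local_addr, pid) for sockets bound locally to `port`."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank or non-socket line
        # Exact match on the LOCAL port: skips :29890 and rows where only the remote port matches.
        local_match = f[1].rsplit(":", 1)[-1] == str(port)
        # TCP rows have a State column; count only listeners. UDP rows have no state.
        listening = f[0] == "UDP" or f[3] == "LISTENING"
        if local_match and listening:
            hits.append((f[0], f[1], int(f[-1])))
    return hits

def parse_lsof_fields(text):
    """Parse `lsof -F pcn` field output into (pid, command, name) tuples."""
    hits, pid, cmd = [], None, None
    for line in text.splitlines():
        tag, value = line[:1], line[1:]
        if tag == "p":
            pid = int(value)
        elif tag == "c":
            cmd = value
        elif tag == "n":
            hits.append((pid, cmd, value))
    return hits

def check_port(port=PORT):
    """Query the local host; an empty list means nothing is listening on `port`."""
    if platform.system() == "Windows":
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        return parse_netstat_ano(out, port)
    # Assumes lsof is installed; TCP listeners only. Run as root to see other users' sockets.
    cmd = ["lsof", "-nP", f"-iTCP:{port}", "-sTCP:LISTEN", "-Fpcn"]
    return parse_lsof_fields(subprocess.run(cmd, capture_output=True, text=True).stdout)
```

Matching on the exact local port matters: a plain substring search for `:2989` would also flag port 29890 and outbound connections to a remote port 2989.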
Why Unassigned or Obscure Ports Matter
The registered port range contains thousands of entries like ZARKOV — services that applied for an assignment, may or may not have been built, and left no further trace. The registry is a historical document as much as an operational one.
This matters because obscure registered ports are attractive to malware authors for exactly the reason Brador's creator chose 0xBAD: the port name appears "legitimate" in a registry, traffic on it looks less suspicious than traffic on a completely unregistered port, and administrators are less likely to block it by default.
The honest lesson: a port's registration status tells you who claimed it, not what's running on it now.
Frequently Asked Questions