Port 3134: ECP — An Assigned Name, a Forgotten Protocol, and a Worm's Fingerprint

What Range This Port Belongs To

Port 3134 is a registered port (range: 1024–49151). These ports are assigned by the Internet Assigned Numbers Authority (IANA) to specific services that apply for registration. Unlike well-known ports (0–1023), registered ports don't require root or administrator privileges to open, and the IANA assignment is voluntary — services can use them without registering, and registered names carry no enforcement.¹

The Official Assignment: ECP

IANA lists port 3134 as assigned to ECP — Extensible Code Protocol on both TCP and UDP.²

In practice, almost nothing is documented about this protocol. No RFC exists. No major software project claims it. The assignment exists in the registry, but the protocol that earned the name is essentially a ghost — registered but never meaningfully deployed, at least not publicly.

This isn't unusual. The registered port range contains hundreds of assignments for protocols that were proposed, assigned, and then quietly abandoned as the projects behind them faded.

The More Notable History: MyDoom

If port 3134 appears in a security context, it's almost certainly because of MyDoom — the email worm that exploded across the Internet in January 2004 and still holds records for the speed of its initial spread.³

MyDoom installed a backdoor component (shimgapi.dll) that opened a sequential range of TCP ports from 3127 through 3198, listening for incoming commands from an attacker. The worm didn't care which specific port in the range connected — it cast a wide net across 72 ports, and 3134 was one of them.

The backdoor allowed attackers to download and execute arbitrary files on infected machines. MyDoom.A targeted SCO Group; MyDoom.B extended the campaign toward Microsoft.⁴

By the time the outbreak peaked, millions of machines had these ports open. Today, any scan that finds an unexpected service on port 3134 should raise the same question it raised in 2004: is this legitimate, or is something listening that shouldn't be?

How to Check What's Listening on This Port

On any system where you suspect port 3134 is open, these commands tell you what's there:

Linux/macOS:

# Show what process is listening on port 3134
ss -tlnp | grep 3134

# Or with lsof
lsof -i :3134

Windows:

# Show listening ports with process IDs
netstat -aon | findstr "3134"

# Then look up the PID
tasklist | findstr "<PID>"

If something appears on this port and you don't know what it is, that's worth investigating before assuming it's benign.

Why Unassigned (and Obscurely Assigned) Ports Matter

The registered port range is vast — over 48,000 ports. Most are unassigned or assigned to protocols that never gained adoption. This creates a landscape that matters for two reasons:

For attackers: Obscure ports are quieter. Malware and backdoors often choose ports outside the well-known range precisely because monitoring tools focus attention on ports 0–1023. A service listening on 3134 is easier to miss than one on 80 or 443.

For defenders: Knowing what should be on a port makes unexpected occupants visible. A port with no known legitimate use that suddenly appears active on a machine is a signal worth investigating.

The IANA registry isn't a guarantee of anything. It's a reference — a starting point for asking whether what's running matches what's expected.⁵