
What Port 1980 Is

Port 1980 sits in the registered ports range (1024–49151), the middle tier of the port numbering system. Unlike the well-known ports (0–1023), which are reserved for foundational Internet services like HTTP, DNS, and SSH, registered ports are available to any application or vendor willing to submit a request to IANA.

IANA lists port 1980 as assigned to PearlDoc XACT, supporting both TCP and UDP. That's where the official story ends. PearlDoc XACT appears to be a defunct or extremely niche document management or transaction service with no surviving documentation, no RFC, and no discernible presence on the modern Internet. The registration exists; the service apparently does not.[1]

What Port 1980 Is Actually Known For

The port's real reputation comes from a different source entirely: ZSpy (also identified as BackDoor-AGK or Backdoor.ZSpy), a keylogger and remote access trojan that circulated in the late 1990s and early 2000s. ZSpy used ports 1979 and 1980 for its command-and-control communication — no IANA registration required, and no permission asked.[2]

ZSpy is effectively extinct as an active threat. Modern antivirus tools have long since catalogued it, and the infrastructure it relied on is gone. But it illustrates something true about port numbers: the registry describes intent, not reality. What actually runs on a port is whatever someone decided to put there.

What the Registered Ports Range Means

The registered range exists so that applications can stake a claim on a port number — reducing the chance that two popular programs accidentally collide. IANA accepts submissions, reviews them for obvious conflicts, and adds them to the registry.

But registration doesn't guarantee:

  • The service still exists
  • Anyone uses it
  • Something else hasn't moved in

Port 1980 is a clear example. A name sits in the registry. Below it, in practice, is silence — except for the ghost of an old trojan.

How to Check What's on Port 1980

If you see traffic on port 1980 and want to know what's causing it:

On Linux/macOS:

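# See what process is listening on port 1980, TCP and UDP
# (Linux only; run as root to see processes owned by other users)
ss -tulnp 'sport = :1980'

# Or with lsof (also works on macOS, which has no ss)
lsof -nP -i :1980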

On Windows:

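# Show sockets on port 1980 and their process IDs
# (the trailing space keeps :19800 and similar from matching)
netstat -ano | findstr /C:":1980 "

# Then identify the process (replace <PID> with the number from the last column)
tasklist /FI "PID eq <PID>"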

There's no legitimate modern service you're likely to recognize here. If something is listening on port 1980, it warrants a closer look.
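
The same check can be made without ss or lsof by reading the kernel's socket tables directly. The following Python script is an added example, not part of the original page: it assumes Linux /proc/net, watches both 1979 and 1980 over TCP and UDP, and the names WATCHED_PORTS, bound_sockets and owners, as well as the sample table, are constructed for illustration.

```python
"""Added example: list sockets bound to ports 1979/1980 from Linux /proc/net tables."""
import glob
import os

WATCHED_PORTS = {1979, 1980}          # the two ports the page ties to ZSpy
# Socket-state codes used in /proc/net: 0A = TCP LISTEN, 07 = unconnected UDP
BOUND_STATE = {"tcp": "0A", "tcp6": "0A", "udp": "07", "udp6": "07"}

# Constructed sample in /proc/net/tcp layout (not captured from a real host)
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:07BC 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:D2F0 0A0200C0:07BC 01 00000000:00000000 00:00000000 00000000  1000        0 48300 1 0000000000000000 20 4 30 10 -1
"""

def bound_sockets(table_text, proto, ports=WATCHED_PORTS):
    """Return (proto, port, uid, inode) for sockets bound to a watched local port."""
    hits = []
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)   # local port is stored in hex
        if port in ports and fields[3] == BOUND_STATE[proto]:
            hits.append((proto, port, int(fields[7]), fields[9]))
    return hits

def owners(inode):
    """PIDs holding the socket inode (needs root for other users' processes)."""
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pids.add(int(fd.split("/")[2]))
        except OSError:
            continue          # process exited or permission denied
    return sorted(pids)

if __name__ == "__main__":
    for proto in BOUND_STATE:
        try:
            with open(f"/proc/net/{proto}") as table:
                for hit in bound_sockets(table.read(), proto):
                    print(*hit, "pids:", owners(hit[3]) or "unknown")
        except FileNotFoundError:
            pass              # not Linux, or IPv6 disabled
```

In the sample, only row 1 is reported: row 0 listens on port 22, and row 2 is an outbound connection whose remote port is 1980, which is not a local listener.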

Why This Matters

The port system works because most participants follow the map. Well-known ports carry the services they're supposed to carry. Registered ports mostly behave.

But the map has gaps, ghosts, and squatters. PearlDoc XACT is a ghost — a name without a service. ZSpy was a squatter that didn't bother with the map at all. Port 1980 is a small reminder that the registry describes the intended Internet, not the actual one.
