What Port 3127 Is
Port 3127 sits in the registered port range (1024–49151) — the middle tier of the port numbering system. IANA accepts registrations for this range from application developers, but port 3127 has no assigned service. Nobody claimed it.
That doesn't mean it's quiet.
The Mydoom Backdoor
On January 26, 2004, a worm called Mydoom began spreading by email. Within hours it was responsible for roughly one in ten email messages on the Internet. It slowed global web traffic by an estimated 10%. It remains, as of 2026, the fastest-spreading email worm ever recorded.1
Mydoom carried two payloads. The first was a denial-of-service attack against SCO Group. The second was a backdoor — a quiet listener that let attackers return to any machine Mydoom had infected and run whatever code they wanted.
That backdoor opened on port 3127.
Specifically, Mydoom.A would drop a file called SHIMGAPI.DLL into the Windows system32 directory and launch it as a child process of Windows Explorer. The DLL would then listen for incoming TCP connections on port 3127, trying ports sequentially up to 3198 until it found one available.2 An attacker who connected could send an executable and have it run immediately on the infected machine.
A companion worm, Doomjuice, was designed specifically to exploit Mydoom-infected machines. It scanned random IP addresses for open TCP port 3127. If it found one, it knew it had found a Mydoom victim and delivered its own payload through the waiting backdoor.3
At peak infection, hundreds of thousands of machines were listening on this port.
Why It Still Matters
Mydoom is long dead as an active threat. But port 3127 carries its history. Intrusion detection systems flag it. Firewall rulesets block it. When security teams see unexpected traffic on 3127, they investigate.
The port is a reminder that unassigned doesn't mean unused — and that history shapes how traffic gets treated long after the original event fades.
What's Actually on Port 3127 Today
If you see something listening on port 3127 today, it's almost certainly not Mydoom. More likely candidates:
- A development server someone configured arbitrarily
- An application that chose a random high port
- A misconfigured proxy or tunnel
- Rarely: something genuinely malicious that picked this port knowing it might slip past outdated signature-based rules
Check with:
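One way to run that check on a Linux host, as an added example rather than this page's own command: the filter below reads `ss -H -ltnp` output and reports any TCP listener in 3127–3198, the range the Mydoom.A backdoor walked through. The function names and the sample socket lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find TCP listeners in the range the Mydoom.A backdoor
# tried (3127 up to 3198, per the text above).
MYDOOM_FIRST=3127
MYDOOM_LAST=3198

# Reads `ss -H -ltnp` style lines on stdin and prints
# "port<TAB>local-address<TAB>owning-process" for each listener in range.
filter_mydoom_range() {
    awk -v lo="$MYDOOM_FIRST" -v hi="$MYDOOM_LAST" '
        $1 == "LISTEN" {
            local_addr = $4
            port = local_addr
            sub(/.*:/, "", port)   # keep text after the last colon, so [::]:3127 works
            if (port ~ /^[0-9]+$/ && port + 0 >= lo && port + 0 <= hi) {
                proc = (NF >= 6) ? $6 : "unknown (rerun as root to see the owner)"
                printf "%s\t%s\t%s\n", port, local_addr, proc
            }
        }'
}

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:3127 0.0.0.0:* users:(("node",pid=4242,fd=18))
LISTEN 0 128 [::]:3150 [::]:* users:(("python3",pid=5310,fd=4))
LISTEN 0 128 0.0.0.0:3199 0.0.0.0:*
LISTEN 0 128 0.0.0.0:31270 0.0.0.0:*
EOF
}

# Live check: run the real socket table through the same filter.
check_local_host() {
    ss -H -ltnp 2>/dev/null | filter_mydoom_range
}

# "--live" inspects this machine; otherwise show the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_local_host
else
    sample_ss_output | filter_mydoom_range
fi
```

The process column identifies what owns the socket, which is what separates a development server from something that needs a closer look; without root, `ss` omits it for sockets owned by other users.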
The Registered Port Range
Port 3127 belongs to the registered range (1024–49151), which works differently from the well-known ports below 1024.
Well-known ports (0–1023) require root/administrator privileges to bind on most systems. They're reserved for established protocols: HTTP at 80, HTTPS at 443, SSH at 22. The registered range has no such privilege requirement — any process can open a port here. IANA maintains a registry of assignments, but registration is voluntary and many ports in this range are simply unclaimed.
Above 49151 are the ephemeral ports — the temporary ports your OS assigns to outgoing connections. Your browser uses thousands of them every day.
Port 3127 sits in the middle: officially available, currently unregistered, and carrying the particular history of having been weaponized by the worst email worm the Internet has ever seen.