The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 2090 tcp trojans Premium scan Backdoor.Expjan [Symantec-2002-082614-3947-99] (2002.08.26) - remote access trojan. Affects all current Windows versions.

Load Report Protocol (IANA official)
 1533 tcp trojans Premium scan Backdoor.Miffice [Symantec-2002-082617-0523-99] (2002.08.26) - remote access trojan. Affects all current Windows versions.

IBM Lotus Sametime is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Community Services Multiplexer service (StMux.exe). By sending an overly long HTTP request to TCP port 1533, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-2499], [BID-29328]

Port is also registered with IANA for: Virtual Places Software
 59211 tcp trojans Premium scan Backdoor.Ducktoy [Symantec-2002-071814-5240-99] (2002.07.18) - remote access trojan, affects Windows, listens to ports 29559 and 59211 by default.

NewFuture trojan
 29559 tcp trojans Premium scan Backdoor.Ducktoy [Symantec-2002-071814-5240-99] (2002.07.18) - remote access trojan, affects Windows, listens to ports 29559 and 59211 by default.

Backdoor.Latinus [Symantec-2002-060710-5206-99] - remote access trojan, affects Windows 9x/ME/NT/2k/XP, opens TCP port 11831/tcp for direct control, 29559/tcp for file transfer, may also use ports 24289/tcp, 29559/tcp.

Backdoor.AntiLam [Symantec-2002-060715-0902-99], a.k.a. AntiLamer backdoor - remote access trojan, affects Windows, listens on TCP ports 29559 and 47891, may also use port 29999.

Other trojans that use this port: DarkFace, DataRape, Pest, Vagr Nocker

Backdoor.Win32.Antilam.11 / Unauthenticated Remote Code Execution - the Win32.Antilam.11 malware aka "Backdoor.Win32.Latinus.b" (MVID-2021-0029), listens on TCP ports 11831, 29559. Third-party attackers who can reach infected systems can execute commands made available by the backdoor.
References: [MVID-2021-0324]
 58666 tcp trojans Premium scan Backdoor.Redkod [Symantec-2003-022517-1058-99] (2003.02.03) - remote access trojan, affects Windows NT/2000/XP.
 58008 tcp trojans Premium scan Backdoor.Tron [Symantec-2002-060414-2700-99] (2002.06.04) - remote access trojan, affects Windows, has the ability to kill software firewall processes.
 56565 tcp trojans Premium scan Backdoor.Osirdoor [Symantec-2002-081217-3251-99] - remote access trojan, affects Windows
 51234 tcp trojans Premium scan Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234.

Backdoor.Fearles [Symantec-2003-111910-1404-99] (2003.11.18) - a trojan horse that gives an attacker remote access to your computer. By default, the trojan listens on TCP port 51234.

Port also used by TeamSpeak server to telnet remotely.
 15432 tcp trojans Premium scan Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234.
 47891 tcp trojans Premium scan Backdoor.AntiLam [Symantec-2002-060715-0902-99], a.k.a. AntiLamer backdoor - remote access trojan, affects Windows, listens on TCP ports 29559 and 47891, may also use port 29999.

Backdoor.Win32.Antilam.14.o / Unauthenticated Remote Command Execution - the malware listens on TCP ports 47891, 29559. Third party attackers who can reach infected systems can execute commands made available by the backdoor. Netcat utility worked the best for running commands, which are supplied as numeric values or hex characters. The values sent correspond to different commands mapped in the backdoor. Commands are typically three digits e.g. 001 and perform various actions on the infected host.
References: [MVID-2021-0379]
 29999 tcp trojans Premium scan Backdoor.AntiLam [Symantec-2002-060715-0902-99], a.k.a. AntiLamer backdoor - remote access trojan, affects Windows, listens on TCP ports 29559 and 47891, may also use port 29999.

Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards expose a service called DashBoard server at port 29999 that allows for control over core robot functions like starting/stopping programs, shutdown, reset safety and more. The DashBoard server is not protected by any kind of authentication or authorization.
References: [CVE-2020-10265], [XFDB-179125]

IANA registered for: Data exchange protocol for IEC61850 in wind power plants [DEIF_AS]
 16322 tcp trojans Premium scan Backdoor.Lastdoor [Symantec-2002-090517-3251-99] (2002.09.04) - remote access trojan. Affects all current Windows versions.
 8888 tcp althttpd Members scan Used by some applications as an alt http port.

Applications using this port:
AirDroid
Freenet nodes
FortiNet's enterprise UTM client software
MAMP on macOS default Apache port
GNUmp3d HTTP music streaming and Web interface
LoLo Catcher HTTP web interface (www.optiform.com)
SimpleCam v2.0
Sun Answerbook HTTP server
Winpower Manager for UPS (internal server)
HyperVM HTTPS
D2GS Admin Console Telnet administration console for D2GS servers (Diablo 2)
Earthland Realms 2 Server (AU1_2)
NewsEDGE server (IANA official)

Games using port 8888:
Evil Islands
Heroes of Might and Magic 5
Splinter Cell (Chaos Theory, Double Agent, Pandora Tomorrow)
Ultima Online


Vulnerabilities/Malware:
Napster
W32.Axatak
Dark IRC (trojan)
W32.Axatak [Symantec-2002-082217-5638-99] - password stealing virus with remote access trojan capabilities. Affects all current Windows versions, uses ports 8888 and 8889.

Autodesk VRED Professional 2014 contains an unauthenticated remote code execution vulnerability. Autodesk VRED Professional 2014 contains an integrated web server that binds to port tcp/8888 which is accessible remotely. It has been reported that this web server gives access to a Python API which provides users with a vast amount of libraries which could allow an attacker to execute operating system commands. Through this API, Python code can be executed on the target system, the output is returned in the web server response. By importing the Python "os" library, arbitrary operating system commands can be executed on the target system with the privileges of the user running VRED Professional 2014.
References: [CVE-2014-2967]

An issue was discovered in CloudMe 1.11.0. An unauthenticated local attacker that can connect to the "CloudMe Sync" client application listening on 127.0.0.1 port 8888 can send a malicious payload causing a buffer overflow condition. This will result in code execution, as demonstrated by a TCP reverse shell, or a crash. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-6892.
References: [CVE-2018-7886], [EDB-44470]

A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
References: [CVE-2019-7678]

XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
References: [CVE-2019-7677]

A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account.
References: [CVE-2019-7676]
 1168 tcp trojans Premium scan W32/Colevo@MM - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability, 6.28.2003. It opens ports 1168-1170 and 2536.

Port is also IANA registered for:
1168/tcp - VChat Conference Service
 2536 tcp trojans Premium scan W32/Colevo@MM [Symantec-2003-062813-0620-99] (2003.06.28) - mass mailing worm which harvests MSN Messenger contact addresses with backdoor capability. It opens ports 1168-1170 and 2536.

Schneider Electric Accutech Manager is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to port 2536 of the RFManagerService, which could allow the attacker to view, add, modify or delete information in the back-end database.
References: [XFDB-90180]

Port is also IANA registered for:
2536/tcp - btpp2audctr1
 6699 tcp winmx Members scan Port used by p2p software, such as WinMX, Napster.

Note: WinMX also uses port 6257/udp.

Trojans using this port: Host Control trojan
 593 tcp Members scan MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
 4444 tcp trojans Members scan Sophos Admin console default HTTPS port

Metasploit listener port is 4444 (TCP/UDP) by default.

I2P HTTP/S proxy uses this port.

W32.Blaster.Worm [Symantec-2003-081113-0229-99] is a widely spread worm that exploits the DCOM RPC vulnerability described in MS Security Bulletin [MS03-026]. The worm allows remote access to an infected computer via ports 4444/tcp and 69/UDP, and spreads through port 135/tcp. To avoid being infected consider closing those ports.

W32.Reidana.A [Symantec-2005-032515-4042-99] (2005.03.24) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

Some other trojans using this port: AlexTrojan, CrackDown, Oracle, Prosiak, SwiftRemote, W32.Hllw.Donk.M, W32.mockbot.a.worm [Symantec-2004-022608-5242-99]

HP Business Service Management (BSM) 9.12 does not properly restrict the uploading of .war files, which allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component via a crafted request to TCP port 1098, 1099, or 4444.
References: [CVE-2012-2561]

MinaliC Webserver is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing HTTP Post method. By sending a specially-crafted request containing an overly long string to TCP port 4444, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-83714]

KNet Web Server is vulnerable to a buffer overflow. By sending a specially-crafted request to TCP port 4444, containing an overly long string argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
References: [XFDB-83114], [BID-58781], [EDB-24897]

Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.
References: [CVE-2018-5704]

KRB524 (IANA official)
 17300 tcp trojans Premium scan Milkit backdoor (Spybot 3), Kuang2 the_Virus trojan.
 39581 tcp trojans Premium scan Backdoor.WinShell.50.b [Symantec-2003-081110-5211-99] - remote access trojan, affects Windows, listens on port 39581. It is a variant of Backdoor.WinShell.50 [Symantec-2003-080611-0047-99] (port 8719) and usually packed along with Trojan.Stealther.B [Symantec-2003-080716-1231-99].
 8719 tcp trojans Premium scan Backdoor.WinShell.50 [Symantec-2003-080611-0047-99] - remote access trojan, affects all current Windows versions, listens on port 8719. It is an earlier variant of Backdoor.WinShell.50.b [Symantec-2003-081110-5211-99] (port 39581) and usually packed along with Trojan.Stealther.B [Symantec-2003-080716-1231-99].
 61000 tcp trojans Premium scan Backdoor.Mite [Symantec-2002-090309-2255-99] - remote access trojan with password-stealing capabilities, affects Windows. Opens a backdoor on port 61000/tcp. BD Windows Mite 1.0 variant listens on port 65530/tcp.
 5151 tcp trojans Premium scan Backdoor.Optix.04.c [Symantec-2002-102319-1255-99] (2002.10.23) - remote access trojan. Affects all current Windows versions, listens to port 5151 by default.

Tony Hawks Pro Skater 3 also uses port 5151 (TCP/UDP).

Email-Worm.Win32.Sidex / Unauthenticated Remote Command Execution - the malware listens on TCP port 5151 and creates a dir named "vortex" with several PE files. Third-party adversaries who can reach an infected host can run commands made available by the backdoor.
References: [MVID-2022-0564]

esri_sde - ESRI SDE Instance (IANA official)
 1720 tcp h323 Premium scan Port most commonly used by Microsoft NetMeeting.
H.323 used for voice-over IP call set-up (H.323 Call Control Signalling, IANA official).
IPContact also uses port 1720 (TCP/UDP)

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted H.323 packets to TCP port 1720, aka Bug ID CSCth11006.
References: [CVE-2011-3277], [BID-49822]

innovaphone is vulnerable to a denial of service. By sending random data to its H.323 network service on the TCP port 1720, a remote attacker could exploit this vulnerability to cause the system to reboot.
References: [XFDB-111292]

An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
References: [CVE-2020-14305]
 41 tcp trojans Members scan Some trojans use this port: Deep Throat, Foreplay

Graphics (TCP/UDP) (IANA official)
 48 tcp auditd Premium scan DRAT remote access trojan (11-1999) uses ports 48,50.

Port is also IANA assigned for: Digital Audit Daemon
 50 tcp re-mail-ck Members scan Some trojans that also use this port: DRAT remote access trojan (11-1999). Uses ports 48,50.

Dark Ages of Camelot, Vodafone Sure Signal use this port.
 669 tcp trojans Premium scan Trojans that use this port: DP trojan, SniperNet

Port is also IANA assigned for: MeRegister
 1095-1099 tcp trojans Members scan Some trojans use these ports: Blood Fest Evolution, Hvl RAT (also uses port 2283), Remote Administration Tool - RAT
 1967 tcp trojans Premium scan Some trojans/backdoors use this port: For Your Eyes Only, WM FTP Server

The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967.
References: [CVE-2003-0305]

SNS Quote (IANA official)
 1981 tcp trojans Premium scan Some trojans/backdoors use this port: Bowl, Shockrave

Port is also IANA registered for: p2pQ
 2001 tcp vmware Members scan VMware Workspace ONE / Airwatch AWCM server uses port 2001.

Some trojans/backdoors use this port: Der Spaeher, Duddie, Glacier, Protoss, Senna Spy Trojan Generator, Singularity, Trojan Cow. Port also used by FreeBSD.Scalper.Worm [Symantec-2002-062814-5031-99] (2002.06.28) - FreeBSD Apache worm.

WellinTech KingView 6.53 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted packet to (1) TCP or (2) UDP port 2001.
References: [CVE-2012-1832]

The Panda Antivirus console on port 2001 allows local users to execute arbitrary commands without authentication via the CMD command.
References: [CVE-2000-0541] [BID-1359]

curry (IANA official)
 2002 tcp trojans Members scan Port used by LogMeIn (also uses ports 80 and 443 TCP)

W32.Beagle.AX@mm [Symantec-2004-111612-2714-99] (2004.11.15) - mass-mailing worm, also spreads through file-sharing networks. Affects all current Windows versions. The worm opens a backdoor on port 2002/tcp, allowing the machine to be used as an open email relay. Also uses port 80 to contact "webmoney.net".

Backdoor.Singu.C [Symantec-2006-112113-2825-99] (2006.11.21) - a trojan horse that logs keystrokes and opens a back door on the compromised computer.

The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002.
References: [CVE-2004-1458] [BID-11047] [SECUNIA-12386] [OSVDB-9182]

Some other trojans/backdoors that also use this port: Duddie, Senna Spy Trojan Generator, Sensive, TransScout
 2773 tcp trojans Premium scan Trojans: SubSeven, SubSeven 2.1 Gold, BackDoor-G

RBackup Remote Backup (IANA official)
 3459 tcp trojans Premium scan Trojans that use this port: Eclipse 2000, Sanctuary

Port IANA registered for: TIP Integral
 5400 tcp trojans Premium scan Trojans that use this port: Back Construction, Blade Runner, Digital Spy

Xwis server also uses port 5400 (TCP/UDP)

Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan

Unspecified vulnerability in Appian Enterprise Business Process Management (BPM) Suite 5.6 SP1 allows remote attackers to cause a denial of service via a crafted packet to TCP port 5400.
References: [CVE-2007-6509], [BID-26913]

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.
References: [CVE-2013-3387]

Port is also IANA registered for: 5400/tcp Excerpt Search
 5401 tcp excerpts Premium scan Trojans that use this port: Back Construction, Blade Runner, Digital Spy, Mneah

Cisco Security Agent could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the Management Center web interface (webagent.exe). By sending a specially-crafted POST request over port 5401 TCP, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
References: [CVE-2011-0364] [EDB-17155] [XFDB-65436]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The HTTP service (default port 5401/tcp) of the SiNVR 3 Video Server contains an authentication bypass vulnerability, even when properly configured with enforced authentication. A remote attacker with network access to the Video Server could exploit this vulnerability to read the SiNVR users database, including the passwords of all users in obfuscated cleartext.
References: [CVE-2019-18339]

Port is also IANA registered for:
5401/tcp Excerpt Search Secure
 5333 tcp trojans Premium scan Trojans that use this port: Backage, NetDemon
 7215 tcp trojans Premium scan trojans: SubSeven, SubSeven 2.1 Gold, BackDoor-G [Symantec-2000-121907-4858-99]

IANA registered for: Communication ports for PaperStream Server services
 7300 tcp trojans Premium scan WinMagic SecureDoc Server uses port 7300 TCP by default.

NetMonitor trojan (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor)

Backdoor.Win32.Wollf.h / Hardcoded Cleartext Password - the malware listens on TCP port 7300 and runs with SYSTEM integrity. Authentication is required for remote user access. However, the password "grish5800" is hardcoded within the executable. The malware is packed with UPX and exposes the cleartext credentials when decompressed.
References: [MVID-2021-0405]
 3127 tcp worm Premium scan W32.Novarg.A@mm [Symantec-2004-012612-5422-99] (2004.01.26) - mass-mailing worm with remote access trojan. Affects all current Windows versions. A.K.A W32/Mydoom@MM.
When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, compromising the entire system.

W32.HLLW.Deadhat [Symantec-2004-020619-0805-99] (2004.02.06) - a worm with backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms, and then it spreads to other systems infected with Mydoom. Also, it spreads through the Soulseek file-sharing program.

Some other trojans using this port: W32.HLLW.DoomJuice [Symantec-2004-020909-2916-99], W32.MockBot.A [Symantec-2004-022608-5242-99], Moody.Worm, W32.DoomHunter, W32.SoLame.A, W32.Welchia.D
 39999 tcp trojans Members scan Trojan.Mitglieder.C [Symantec-2004-012012-0813-99] - Mail Relay trojan, affects Windows, listens on port 39999/tcp. Opens a mail relay on your computer (allowing others to use it to send unsolicited commercial email). The Trojan also downloads and executes PWSteal.Ldpinch.
 20742 tcp trojans Members scan Trojan.Mitglieder.E [Symantec-2004-031315-1648-99] (2004.03.13) - Mail Relay trojan. Affects all current Windows versions, creates a listening proxy on a configurable high port that allows the ability to relay email. By default, the Trojan listens on port 20742.
 2556 tcp trojans Members scan W32.Beagle.M@mm [Symantec-2004-031310-3624-99] - mass mailing worm and backdoor trojan, 03.13.2004. Affects all current Windows versions, opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks.

Port also used by other variants of the worm, like W32.Beagle.N@mm [Symantec-2004-031508-5302-99].
 5554 tcp trojans Members scan W32.Sasser.Worm [Symantec-2004-050116-1831-99] (2004.04.30) - remote access trojan. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin [MS04-011]. There are some issues associated with using the [MS04-011] update discussed here: MS KB 835732.

Trojan runs a FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm.

Backdoor.Win32.FTP.Ics / Authentication Bypass - the malware runs an FTP server on TCP port 5554. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0498]

Backdoor.Win32.FTP.Ics / Port Bounce Scan (MITM) - the malware listens on TCP port 5554 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0500]
 2535 tcp trojans Members scan W32.Beagle.W@mm [Symantec-2004-042617-0238-99] and W32.Beagle.X@mm [Symantec-2004-042815-2313-99] variants - mass mailing worm and backdoor trojan. Affects all current Windows versions, opens a backdoor (it listens on TCP port 2535) and attempts to spread through file-sharing networks.

Port 2556 was used by earlier variants of the worm, like W32.Beagle.M@mm [Symantec-2004-031310-3624-99] and W32.Beagle.N@mm [Symantec-2004-031508-5302-99].

Port is IANA assigned for MADCAP - Multicast Address Dynamic Client Allocation Protocol
 63000 tcp trojans Premium scan W32.Gaobot.ADX [Symantec-2004-042412-3100-99] (2004.04.24) - Windows worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. Listens on these TCP ports: 63000 (HTTP), 63001 (HTTPS), 30001 (SOCKS proxy), and a FTP server on a random port.
 63001 tcp trojans Premium scan W32.Gaobot.ADX [Symantec-2004-042412-3100-99] (2004.04.24) - Windows worm that spreads through a few different methods, including open network shares, several known Windows vulnerabilities, and other backdoors like Beagle and Mydoom. Listens on these TCP ports: 63000 (HTTP), 63001 (HTTPS), 30001 (SOCKS proxy), and a FTP server on a random port.
 5900 tcp vnc Members scan VNC (Virtual Network Computing) - remote control programs. VNC typically also uses ports 5800+ and 5900+ for additional machines.

Citrix NetScaler appliance Lights out Management uses ports 4001, 5900, 623 TCP to run a daemon that offers unified configuration management of routing protocols.

Backdoor.Evivinc [Symantec-2004-042518-0520-99] also uses this port.

Some Apple applications use this port as well: Apple Remote Desktop 2.0 or later (Observe/Control feature), Screen Sharing (Mac OS X 10.5 or later)

RealVNC 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900.
References: [CVE-2004-1750], [BID-11048]

W32.Gangbot [Symantec-2007-012219-2952-99] (2007.01.22) - a worm that opens a back door and connects to an IRC server. It spreads by searching for vulnerable SQL servers and by sending an HTML link to available contacts on instant messenger programs. It also spreads by exploiting the Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability [BID-20096] and RealVNC Remote Authentication Bypass Vulnerability [BID-17978].

Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read clipboard activity by listening on TCP port 5900.
References: [CVE-2012-4429]

Vino could allow a remote attacker to bypass security restrictions, caused by an error in vino-preferences dialog box when providing information on network accessibility. By sending a specially-crafted UPnP request to TCP port 5900, an attacker could exploit this vulnerability to bypass security restrictions to scan internal hosts or proxy Internet traffic and gain unauthorized access to the vulnerable application.
References: [XFDB-82881], [CVE-2011-1164]

EchoVNC Viewer is vulnerable to a denial of service, caused by an error when allocating heap buffer size. By connecting to a malicious server, a remote attacker could exploit this vulnerability using a malformed request to TCP port 5900 to cause the application to crash.
References: [BID-61545], [XFDB-86113]

A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions_without_ use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions < V3.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions >= V3.0 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (V2.4.X_with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions =< V2.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 400 systems (All versions _with_ Siemens Healthineers Informatics products). A factory account with hardcoded password might allow attackers access to the device over port 5900/tcp. Successful exploitation requires no user interaction or privileges and impacts the confidentiality, integrity, and availability of the affected device. At the time of advisory publication, no public exploitation of this security vulnerability is known. Siemens Healthineers confirms the security vulnerability and provides mitigations to resolve the security issue.
References: [CVE-2018-4846]

Siemens SINUMERIK Controllers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending specially crafted network requests to TCP Port 5900, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
References: [CVE-2018-11458], [XFDB-154197], [BID-106185]

Remote Framebuffer (TCP/UDP) [RFC6143] (IANA official)
 456 tcp trojans Premium scan used by Hackers Paradise trojan (also uses port 31)
 654 tcp trojans Premium scan Official use by AODV (Ad-hoc On-demand Distance Vector)
Port also used by HoaVelu trojan
 911 tcp trojans Premium scan Backdoor.NetCrack [Symantec-2002-082815-5727-99] (2002.08.28) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 911 on the compromised computer. Backdoor.NetCrack is a Delphi application, packed using UPX v1.05-1.22.

Port is also used by Dark Shadow trojan.

xact-backup (IANA registered)
 1010 tcp thinklinc Premium scan ThinLinc Web Administration

Doly trojan v 1.3/v1.35 (different versions use TCP ports 1010, 1011, 1012, 1015, 1016)
CafeIni 0.9 trojan

Surf (IANA official)
 1033 tcp trojans Premium scan Port used by Netspy2, Dosh, ICQ Trojan, KWM, Little Witch, Net Advance, NetSpy trojans
 1042 tcp trojans Premium scan ASUS Armoury Crate "NodeJS Web Framework" process uses TCP ports 1042 and 1043

Trojans that use this port: Bla1.1, MyDoom.L [Symantec-2004-071915-0829-99]
 1245 tcp trojans Premium scan Trojans that use this port: GabanBus, NetBus, Voodoo Doll
 65535 tcp trojans Premium scan Trojans using this port: Adore, Sins, ShitHeep, RC trojan

Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535 (TCP/UDP) as well.
 61466 tcp trojans Premium scan TeleCommando trojan
 57341 tcp trojans Premium scan Port used by NetRaider trojan.
 54321 tcp various Premium scan Citrix admin workstation connects to provisioning server over ports 54321-54323 TCP for SOAP service, used by console and APIs (MCLI, PowerShell, etc.)

opendkim default port (may also use ports 8891,12345)

Trojans using this port:
Schoolbus .69-1.11, 1.6, 2.0 (TCP)
Back Orifice 2000, BO2K(*) (TCP/UDP)
Backdoor.Robofo [Symantec-2007-053013-4425-99]

Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
References: [CVE-2010-4741]

The Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and OpenPort implementations on Iridium satellite terminals allows remote attackers to execute arbitrary code by uploading new firmware to TCP port 54321.
References: [CVE-2014-0327]
 50505 tcp trojans Premium scan Sockets des Trois2 trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes remote administration tool like Back Orifice and NetBus, so it has a server (spread with virus) and client portion.
 34324 tcp trojans Premium scan Port used by BigGluck aka TN, Tiny Telnet Server.
 1269 tcp trojans Premium scan Maverick's Matrix remote access trojan (different variants from May 1999 to January 2004). Trojan provides an attacker with the capability of remotely controlling a machine by running a server in the victim's machine.
 1492 tcp trojans Premium scan CivNet game

FTP99CMP - remote access trojan, 05.1999. Runs an FTP server on port 1492.

Back.Orifice.FTP also uses port 1492.

Backdoor.Win32.FTP99 / Authentication Bypass Race Condition - the malware listens on TCP port 1492. Credentials are stored in cleartext in "Serv-u.ini" file under "C:\Program Files (x86)\My Paquet archive" with a blank password. Third-party attackers who can reach the system before a password has been set can logon by just supplying the username "HACKCITY".
References: [MVID-2022-0465]

Backdoor.Win32.FTP99 / Port Bounce Scan (MITM) - the malware listens on TCP port 1492. Third-party intruders who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0466]
 1509 tcp trojans Premium scan Psyber Streaming Server (PSS) - remote access trojan, uses ports 1170, 1509, 4000.
 1600 tcp trojans Premium scan Port used by some trojans: Shiva Burka, Backdoor.DirectConnection (remote access trojan, uses ports 1000, 1600-1602)
 1807 tcp trojans Premium scan Backdoor.Delf.hp a.k.a. SpySender - remote access trojan, affects Windows 9x/NT/2k/XP/Vista, uses ports 1807, 3418.
 3418 tcp trojans Premium scan Backdoor.Delf.hp a.k.a. SpySender - remote access trojan, affects Windows 9x/NT/2k/XP/Vista, uses ports 1807, 3418.

Xposure trojan
 2444 tcp trojans Premium scan Backdoor.Delf [Symantec-2003-050207-0707-99] - remote access and keylogging trojan family of backdoors, affects Windows. Different variants listen to these TCP ports: 23, 2189, 2444, 27378.

Cisco Unified Communications Manager deployed in secure mode is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by CTLProvider.exe. By sending an overly long request to TCP port 2444, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the service to crash.
References: [CVE-2008-0027], [BID-27313]
 27378 tcp trojans Premium scan Backdoor.Delf [Symantec-2003-050207-0707-99] - remote access and keylogging trojan family of backdoors, affects Windows. Different variants listen to these TCP ports: 23, 2189, 2444, 27378.
 2189 tcp trojans Premium scan Backdoor.Delf [Symantec-2003-050207-0707-99] - remote access and keylogging trojan family of backdoors, affects Windows. Different variants listen to these TCP ports: 23, 2189, 2444, 27378.

IANA registered for Secure Radware Resource Pool Manager
 1979,1980 tcp trojans Premium scan ZSpyII 0.99b (a.k.a. BackDoor-AGK, Backdoor.ZSpy) key logger
 2023 tcp trojans Premium scan Ripper Pro trojan (a.k.a. BackDoor-AL, Backdoor.Ripper) - key logger, steals passwords
 22311 tcp trojans Premium scan Backdoor.Simali [Symantec-2003-042414-3952-99] - remote access trojan, affects Windows, listens on port 22311 by default. Notifies attacker via email or ICQ.
 36794 tcp trojans Premium scan W32.Bugbear@mm [Symantec-2002-093007-2144-99] - mass-mailing worm, also spreading through network shares, affects Windows. The worm also attempts to terminate the processes of various antivirus and firewall programs and opens a backdoor service on port 36794.
 2020 tcp trojans Premium scan Port used by Backdoor.Rockse [Symantec-2003-050614-4623-99] (2003.05.06) - remote access trojan. Affects all current Windows versions, opens a server on port 2020 or 2525.

The TCP-to-ODBC gateway in IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.3 does not require authentication for SQL statements, which allows remote attackers to modify, create, or read database records via a session on TCP port 2020. NOTE: the vendor disputes this issue, stating that the "default Microsoft Access database is not password protected because it is intended to be used for evaluation purposes only."
References: [CVE-2010-4121]

Backdoor.Win32.Onalf / Missing Authentication - WinRemoteShell (Onalf) listens for commands on TCP port 2020. Interestingly, it will only start listening once it can connect outbound to SMTP port 25. Not much of a self-respecting backdoor, as it allows anyone to log on without requiring a password.
References: [MVID-2021-0042]

GTA Rumble also uses port 2020 (TCP/UDP)
 2525 tcp altsmtp Members scan Sometimes used as an alternate to port 25 SMTP (Simple Mail Transfer Protocol). This is useful as a dedicated port for VPN clients or for those who cannot directly send mail to a mail server outside of their ISP's network because of ISPs blocking port 25.

Backdoor.Rockse [Symantec-2003-050614-4623-99] (2005.05.06) - remote access trojan. Affects Windows, opens a server on port 2020 or 2525.

Backdoor.Berbew.R [Symantec-2005-051915-2101-99] (2005.05.19) - remote access trojan that steals passwords and opens backdoors on ports 2525/tcp and 4495/tcp.
 4912 tcp trojans Premium scan Backdoor.Mirab [Symantec-2002-062114-0920-99] (2002.06.21) - remote access trojan. Affects all current Windows versions. It uses port 4912 for direct control and port 6430 for file transfer by default.
 6430 tcp trojans Premium scan Backdoor.Mirab [Symantec-2002-062114-0920-99] (2002.06.21) - remote access trojan. Affects all current Windows versions. It uses port 4912 for direct control and port 6430 for file transfer by default.
 2283 tcp trojans Members scan Dumaru.Y [Symantec-2004-012316-2557-99] (2004.01.23) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.

Hvl RAT - remote access trojan, coded in VB5, uses TCP ports 1095-1099 and 2283.

Port registered for Lotus Notes LNVSTATUS
 24681 tcp trojans Premium scan Backdoor.Lowtaper [Symantec-2004-101411-3637-99] - remote access trojan, affects Windows, uses ports 24681/tcp and 10104/udp
 1971 tcp trojans Premium scan Backdoor.Bifrose [Symantec-2004-101214-5358-99] - remote access trojan, affects Windows.

Faronics Deep Freeze (workstation OS protection software) uses either port 1971 or 7725.

IANA registered for: Netop Business Solutions - Netop School.
 10888 tcp trojans Premium scan Trojan.Webus.C [Symantec-2004-101212-0903-99] (2004.10.12) - remote access trojan. Affects all current Windows versions. Connects to an IRC server (on port 8080) and opens a backdoor on TCP port 10888 or 1080.
 57005 tcp trojans Premium scan Backdoor.IRC.Cirebot [Symantec-2003-080214-3019-99] (2003.08.02). Trojan that exploits the MS DCOM vulnerability and installs a backdoor. Uses ports 445 & 69, opens port 57005.
 32791 tcp trojans Premium scan Backdoor.Acropolis [Symantec-2001-021616-0142-99] remote access trojan, affects Windows, listens on TCP ports 32791, 45673.
 45673 tcp trojans Premium scan Backdoor.Acropolis [Symantec-2001-021616-0142-99] remote access trojan, affects Windows, listens on TCP ports 32791, 45673.
 2414 tcp trojans Premium scan VBS.Shania [Symantec-2004-020217-3141-99] (2004.02.02) - remote access trojan. Affects all current Windows versions, listens on port 2414.
 9867 tcp trojans Premium scan Backdoor.Sokeven [Symantec-2004-092214-2730-99] - remote access trojan. Affects all current Windows versions, opens a SOCKS proxy on port 9867 by default. Systems can get infected by visiting a malicious website with Internet Explorer - exploits IE File Installation Vulnerability.
 2050 tcp trojans Premium scan PWSteal.Ldpinch.C [Symantec-2004-100416-1738-99] (2004.10.04) - password stealing trojan horse program. Affects all current Windows versions. May open a backdoor allowing shell commands on port 2050/tcp
 2745 tcp trojans Members scan Beagle.C [Symantec-2004-022715-1724-99] (2004.02.28) through Beagle.K [Symantec-2004-030312-0201-99] (2004.03.03) - mass mailing worms that use their own SMTP engine and open a backdoor on port 2745. They spread through email and file-sharing networks.
 8866 tcp nextpvr Members scan NextPVR xbmc web server uses port 8866. NextPVR NEWA uses port 7648 for streaming by default.

Beagle.B [Symantec-2004-021713-3625-99] (2004.02.17) - mass mailing worm that uses its own SMTP engine and opens a backdoor on port 8866/tcp.
 9898 tcp safeq Members scan YSoft SafeQ workflow software, Tripwire-File Integrity Monitoring Software

Dabber.A [Symantec-2004-051414-5013-99] (2004.05.14) and Dabber.B [Symantec-2004-060414-4404-99] (2004.06.04) - a worm that propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. It installs a backdoor on port 9898/tcp (if it fails, tries to listen on ports 9899-9999).

Backdoor.CrashCool [Symantec-2003-091308-3135-99] (2003.09.13) - a trojan horse that allows unauthorized access to the victim machine. By default it opens port 9898 for listening.

MonkeyCom (TCP/UDP) (IANA official).
 10000 tcp multiple Basic scan Applications that use this port:
Webmin - web-based system administration tool, BackupExec, Ericsson Account Manager (avim).
The Matrix Online, Everquest Online Adventures, BitTornado, Viatalk, Dungeon Fighter Online (TCP/UDP), FIFA Manager 10 (TCP/UDP)
QuickTime Streaming Server 4 also uses ports 10000-20000 (TCP).

Dumaru.Y [Symantec-2004-012316-2557-99] (2004.01.23) - multi-threaded, mass mailing worm that opens a backdoor, runs a keylogger and attempts to steal personal information. Opens ports 2283/tcp and 10000/tcp.

Other trojans that use this port: Oracle, TCP Door, XHX, OpwinTRojan

The default configuration of the New Atlanta BlueDragon administrative interface in MediaCAST 8 and earlier enables external TCP connections to port 10000, instead of connections only from 127.0.0.1, which makes it easier for remote attackers to have an unspecified impact via a TCP session.
References: [CVE-2011-2077]

Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a buffer overflow in observiced.exe that allows remote attackers to execute arbitrary code via vectors related to a "reverse lookup of connections" to TCP port 10000.
References: [CVE-2010-0072]

The web interface in BitTorrent allows remote attackers to execute arbitrary commands by leveraging knowledge of the pairing values and a crafted request to port 10000.
References: [CVE-2014-8515], [XFDB-99764]

By using port 10000 TCP in VERITAS Backup Exec Remote Agent, a remote attacker may be able to gain access to, and retrieve arbitrary files from a target system.
References: [CVE-2005-2611], [BID-14551]

Siemens RUGGEDCOM ROX I (all versions) allow an authenticated user to bypass access restrictions in the web interface at port 10000/TCP to obtain privileged file system access or change configuration settings.
References: [CVE-2017-2689], [BID-97170]

Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability in the integrated web server at port 10000/TCP which is prone to reflected Cross-Site Scripting attacks if an unsuspecting user is induced to click on a malicious link.
References: [CVE-2017-2687], [BID-97170]

Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability that could allow an authenticated user to read arbitrary files through the web interface at port 10000/TCP and access sensitive information.
References: [CVE-2017-2686], [BID-97170]

An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
References: [CVE-2017-2876], [CVE-2017-2875]

The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode."
References: [CVE-2019-9484]

Network Data Management Protocol (TCP/UDP) (IANA official)
 10080 tcp trojans Premium scan Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports 7888 (tps) and 7889 (tps secure)

Mydoom.B [Symantec-2004-012816-3647-99] (2004.01.28) - mass-mailing worm that opens a backdoor into the system. The backdoor makes use of TCP ports 80, 1080, 3128, 8080, and 10080.

IANA registered for: Amanda backup software
 65506 tcp trojans Premium scan Port 65506 is used by some trojans for a spam email relay.

PhatBot (a.k.a. Agobot, Gaobot) - most variants exploit the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) and the RPC locator vulnerability (MS Security Bulletin [MS03-001]) to spread. Some variants scan port 65506 for a possible backdoor.
 1101 tcp applications not scanned ZenSysSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (service crash) or possibly execute arbitrary code via a series of connections and disconnections on TCP port 1101, aka Reference Number 25212.
References: [CVE-2011-4534], [BID-51897]

Backdoor.Hatckel [Symantec-2002-120515-0748-99] - a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens 15 ports on the infected computer: 1101 to 1115. Backdoor.Hatckel is written in Visual Basic.
 4899 tcp radmin Premium scan Radmin (Fama Tech) - remote administration of PCs. Some potential vulnerabilities, see Radmin Default Installation Security vulnerabilities.

Worms using this port: Win32/Agobot Family, W32.Rahack
 6129 tcp dameware Premium scan W32.mockbot.a.worm [Symantec-2004-022608-5242-99]

Dameware (Solarwinds) - Buffer overflow in DameWare Mini Remote Control before 3.73 allows remote attackers to execute arbitrary code via a long pre-authentication request to TCP port 6129.
References: [CVE-2003-1030], [BID-9213], CERT Vulnerability Note VU#909678.
 4191 tcp trojans Premium scan Backdoor.Sdbot.AH [Symantec-2004-112217-1611-99] (2004.11.22) - a network aware worm with backdoor functionality. Affects all current Windows versions. It spreads via network shares and allows remote access on port 4191.
 37 tcp worm Basic scan Officially assigned for use by TIME protocol [RFC 868] [RFC 956]
TIME (port 37/tcp) can pose a DOS subnet threat because it has embedded functions used for the identification of critical processing time intervals and the ability to re-issue its output to port 7.

W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting an NTP server on port 37/tcp.
W32.Sober.J@mm [Symantec-2005-013110-1026-99] (2005.01.30)
W32.Sober.O@mm [Symantec-2005-050210-2339-99] (2005.05.02)
W32.Sober.X@mm [Symantec-2005-111915-0848-99] (2005.11.19)

Vulnerabilities listed: 100 (some use multiple ports)