Tuesday, June 29, 2010

TCP PORT 139

The NetBIOS Session Service is used for resource sharing on Windows 9x, ME and NT. This is the port used to connect to file shares, for example.

Inbound Traffic
Inbound scans typically come from systems trying to connect to file shares that might be available on your system, and hence they should be blocked. While most of this traffic is the result of worms or viruses, which can use open file shares to propagate, it can also be the result of a malicious user's attempt to connect to your computer. Once connected, they can download, upload, or even delete or edit files on the connected file share.

If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should use a firewall so that your local file shares are not accessible from the internet.

Connecting to open file shares is likely the easiest and most common hack on the internet, and yet one of the most effective for malicious activities such as identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely.

Outbound Traffic


Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you connect remotely, then those systems should be marked as trusted IPs within Link Logger so that future authorized events will be logged as normal traffic.
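The check described above, written out as an added example (not from the original post and not Link Logger's own code): it counts the distinct untrusted hosts each source contacts on outbound TCP port 139 and flags sources at or above a threshold. The log line format, the threshold of 5 and all IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not Link Logger's own):
# "<date> <time> <IN|OUT> TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^\S+ \S+ (IN|OUT) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def flag_outbound_139(lines, trusted=frozenset(), threshold=5):
    """Return {source_ip: distinct_untrusted_destinations} for sources whose
    outbound TCP/139 fan-out reaches `threshold` distinct hosts."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        direction, src, dst, dport = m.groups()
        if direction != "OUT" or dport != "139":
            continue  # only outbound NetBIOS session traffic is of interest
        if dst in trusted:
            continue  # authorized file-share connection: normal traffic
        targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def sample_log():
    """Constructed sample: one host sweeping many addresses, one normal user."""
    lines = [
        f"2010-06-29 10:00:{i:02d} OUT TCP 192.168.1.20:{1040 + i} -> 198.51.100.{i + 1}:139"
        for i in range(8)
    ]
    lines += [
        "2010-06-29 10:01:00 OUT TCP 192.168.1.30:2001 -> 192.168.1.5:139",
        "2010-06-29 10:01:05 OUT TCP 192.168.1.30:2002 -> 192.168.1.5:139",
        "2010-06-29 10:01:09 OUT TCP 192.168.1.30:2003 -> 203.0.113.9:80",
        "2010-06-29 10:01:12 IN TCP 203.0.113.77:4000 -> 192.168.1.30:139",
        "garbage line",
    ]
    return lines

if __name__ == "__main__":
    for src, n in flag_outbound_139(sample_log(), trusted={"192.168.1.5"}).items():
        print(f"{src}: outbound TCP/139 to {n} distinct hosts, investigate")
```

Counting distinct destinations rather than raw connections keeps a workstation that reconnects repeatedly to one file server from being flagged.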

PORT 139 – Information

* Port Number: 139
* TCP / UDP: TCP
* Delivery: Yes
* Protocol / Name: [Malware known as Qaz]
* Port Description: [malware info: Qaz]
* Virus / Trojan: Yes, Caution!


TCP port 139 uses the Transmission Control Protocol. TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered on port 139 in the same order in which they were sent. Guaranteed communication over port 139 is the key difference between TCP and UDP. UDP port 139 would not have guaranteed communication in the same way as TCP.

The fact that TCP port 139 was flagged as a virus (colored red) does not mean that a virus is using port 139, but that a Trojan or virus has used this port in the past to communicate.

If you have any doubts, just mail us. Our team will find the solution for it and we will clarify it soon.

Regards,
S-TECHNOLOGIES team