Mike is exactly correct. We have been seeing this on several resident
computers. It's basically a rootkit that installs vnc + a spec checker +
sec policy changes + several other utilities. It was placed
there by other infected bots, who are all controlled over IRC networks.
It's set up to connect to an IRC channel and serve illegal content, which
you may also see on the computer.
How did it get installed in the first place? My guess is that it takes
advantage of unpatched/already virus infected computers. i.e., first you get
infected w/ virus that leaves an opening, then you get rooted.
I am still not exactly sure of all the changes it makes - on several
machines, we have removed all traces of it (watch for services) only to
have it return again - may be a backdoor that I'm missing.
If you'd like a copy of one of the kits, one of our RCCs has forwarded it
to me.
Noah
Lead Network Security
Rescomp
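Added here as an example, not code from the original post or from anyone in the thread: an offline triage script that joins the two symptoms Michael reports (fport showing one process holding many ports, and the same binary in both the HKCU and HKLM Run keys) and also walks service ImagePath entries, which is the "watch for services" point above. The fport output and .reg export embedded in it are constructed samples in the real tools' layouts, and the allowlist and the three-port threshold are assumptions; on a suspect box you would feed it the output of fport and a `reg export` of the Run and Services keys instead.

```python
"""Offline triage for the pattern in this thread: an unknown process holding
many ports (fport output) that is also persisted via the HKCU/HKLM ...\\Run
keys or a service.  Added example; samples, allowlist and threshold are assumed."""
import re
from collections import defaultdict

# Constructed sample in fport's layout (Pid, Process, Port, Proto, Path).
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1204  msmvnc         ->  5900  TCP   C:\\WINNT\\system32\\msmvnc.exe
1204  msmvnc         ->  6667  TCP   C:\\WINNT\\system32\\msmvnc.exe
1204  msmvnc         ->  2893  TCP   C:\\WINNT\\system32\\msmvnc.exe
1204  msmvnc         ->  14022 UDP   C:\\WINNT\\system32\\msmvnc.exe
"""

# Constructed sample in 'reg export' layout (backslashes doubled as in a real .reg
# file).  Real exports often write ImagePath as hex(2):...; that form is skipped here.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msmvnc"="C:\\WINDOWS\\system32\\msmvnc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"msmvnc"="C:\\WINDOWS\\system32\\msmvnc.exe -service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msmvnc]
"ImagePath"="C:\\WINDOWS\\system32\\msmvnc.exe -run"
"""

FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
# Assumed allowlist: process stems the admin expects to see on this box.
KNOWN_GOOD = {"svchost", "system", "lsass", "ctfmon", "syntpenh"}

def stem(name):
    """'MSMVNC.EXE' or 'msmvnc' -> 'msmvnc'; the key that joins both sources."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_fport(text):
    """Map process stem -> set of (port, proto) from fport's text output."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            _pid, proc, port, proto, _path = m.groups()
            ports[stem(proc)].add((int(port), proto))
    return ports

def parse_persistence(text):
    """Yield (location, exe_stem) for Run values and service ImagePaths."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            in_run = key.lower().endswith("\\run")
            in_svc = "\\services\\" in key.lower() and name.strip('"').lower() == "imagepath"
            if not (in_run or in_svc):
                continue
            command = value.strip().strip('"').replace("\\\\", "\\")
            m = EXE_RE.search(command)
            if m:
                root, _, rest = key.partition("\\")
                yield HIVES.get(root, root) + "\\" + rest, stem(m.group(1))

def triage(fport_text, reg_text, allowlist=KNOWN_GOOD, min_ports=3):
    """'high' = unknown process with >= min_ports ports AND persistence (the
    thread's pattern); 'medium' = one of the two; 'low' = persisted but not
    running now, the thing to hunt when a cleaned box keeps getting reinfected."""
    listeners = parse_fport(fport_text)
    persisted = defaultdict(list)
    for location, exe in parse_persistence(reg_text):
        if exe not in allowlist:
            persisted[exe].append(location)
    findings = {}
    for exe, open_ports in listeners.items():
        if exe in allowlist:
            continue
        locations = persisted.pop(exe, [])
        many = len(open_ports) >= min_ports
        if not (many or locations):
            continue
        findings[exe] = {"severity": "high" if many and locations else "medium",
                         "ports": sorted(open_ports), "persistence": locations}
    for exe, locations in persisted.items():
        findings[exe] = {"severity": "low", "ports": [], "persistence": locations}
    return findings

if __name__ == "__main__":
    for exe, f in sorted(triage(FPORT_SAMPLE, REG_SAMPLE).items()):
        print(f"{f['severity']:6} {exe}.exe  ports={len(f['ports'])}  "
              f"persisted at: {', '.join(f['persistence']) or '-'}")
```

The "low" bucket is the one worth re-running after a cleanup: a Run value or service ImagePath that points at a binary with no listener right now is exactly what brings the kit back after the visible process has been killed.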
On Fri, 16 Jul 2004, Michael Getz wrote:
> Thanks for the advice. I tried installing the realvnc server and I did not
> see any process labeled msmvnc.exe. I know there are many different VNC
> servers, but I don't know whether to assume this process is VNC-related
> solely because of the process name. In addition, I would think if it is
> associated with a widely distributed VNC package, there would be some hits
> on Google.
>
> At 04:04 PM 7/16/2004, you wrote:
> >On Fri, Jul 16, 2004 at 03:47:12PM -0700, Michael Getz wrote:
> > > After being notified by the campus Intrusion Detection Team about a
> > > possible virus infection on two of our machines here, I noticed a strange
> > > process running called msmvnc.exe. Running fport, I discovered this
> > > process opened many random ports on the machine. The msmvnc.exe key was
> > > added to both the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the
> > > HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry hives. Our
> > > Symantec antivirus did not suspect any suspicious files even with the
> > > latest definitions. In addition, I have been unable to find absolutely
> > > anything on this process using Google (for once Google is speechless). I
> > > have since reimaged those machines but would like to know if anyone has any
> > > ideas on what this could be? A brand new virus?
> > > Thanks.
> >
> >Maybe it's a version of VNC, which is a Timbuktu-like way of
> >controlling a remote workstation. (Can be used for good or evil).
> >
> ><http://www.realvnc.com/>.
> >
> >--
> >Tom Holub (tom_holub@LS.Berkeley.EDU, 510-642-9069)
> >College of Letters & Science
> >249 Campbell Hall
>
> __________________________________________________________________________________
>
> Michael Getz
> Technical Support Coordinator
> Computing Support Services- Information Technologies
> Residential and Student Service Programs
> University of California, Berkeley
> (510) 643-4880
> http://ac.housing.berkeley.edu
>
>
> ------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> For information about Micronet, including subscribing to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web site:
> <http://micronet.berkeley.edu/>.
>
Received on Sat Jul 17 21:57:32 2004
This archive was generated by hypermail 2.1.8 : Sat Jul 17 2004 - 21:57:43 PDT