This worm is reported to use VNC as the active control component of 
infected machines.
It attacks open shares on netbios port 445 which is only used in Win 
NT/2000/XP.

Internet Storm Centre Reports http://isc.incidents.org/ probably indicate 
something like 100,000+ machines are infected.

An earlier recent respondent to this list who complained of unauthorised 
VNC installation is probably infected.

http://news.ists.dartmouth.edu/todaysnews.html#internal9171 says:

> A new worm has begun spreading over the Internet that leaves behind two
> Trojan horse programs, possibly paving the way for a massive distributing
> denial of service (DDoS) attack. The Deloder worm is not yet considered
> a high risk to PC users, but the SANS Institute's Internet Storm Center has
> raised its alert status from green to yellow. The Deloder worm requires no
> user intervention to spread, instead it exploits common passwords in share
> directories of Windows NT/2000/XP machines. Although security experts have
> not seen wide distribution of this worm yet, the Trojan horse programs left
> behind are of concern. Both Trojan horse programs would allow a remote user
> full control of the machine.

It looks from the incident graphs at the Internet Storm Centre as though the 
first attack peaked over the weekend. Unfortunately it looks probable that this 
is the first phase in a much larger attack on the internet using 100,000+ 
machines controlled by VNC.

I don't know that there is much we can do, but it has to be bad news that 
VNC is being used as the control agent in this attack.

On 11 Mar 2003 at 1:40, Bill Cassady wrote:

> On Mon, 10 Mar 2003, Robin & Jerry wrote:
> 
> > When starting up my computer a WinVNC dialog box opens each time
> > asking me to set up some kind of properties.
> >
> > Problem is neither I nor anyone in my household has downloaded or
> > otherwise installed this program.
> >
> > I have searched the disk for anything called WinVNC and found
> > nothing.
> >
> > I don't know what this is, don't want it, and need to know how to
> > remove this.
> >
> > Please help.
> > thx/Jerry
> 
> Hmm. Darwin posted earlier today about a worm attacking Win2000 shares
> and installing modifications to VNC. I was not clear if VNC had to
> first reside on the target computer or not...
> 
> You might want to investigate.
> 
> -Bill
> 
> [EMAIL PROTECTED]
> SDF Public Access UNIX System - http://sdf.lonestar.org
> _______________________________________________
> VNC-List mailing list
> [EMAIL PROTECTED]
> http://www.realvnc.com/mailman/listinfo/vnc-list

-----------------------------------
Peter Ball
Computers For Linguists
[EMAIL PROTECTED]
Tel:    +44(0)20 7732 1741
Fax:    +44(0)20 7358 9214
Mobile: +44(0)77 1968 2913
45 Endwell Road, London, SE4 2PQ, United Kingdom