Had a really strange virus break out on our network yesterday. Here’s the breakdown:
Trend Micro Office Scan detected an initiation on a workstation at 12:21 PM. The virus was located in the file C:\Program Files\RealVNC\VNC4\WinVNC4.exe. This is a legitimate file and location for us as we have VNC server installed on workstations for remote admin. Trend reported the virus name as Trojan_Generic and it could not be cleaned or quarantine. It propagated through an unknown transport to random machines on the WAN in a matter of 10 minutes.
15 machines got infected before I shut down the MS Exchange services just in case it was using the address book as a transport. It didn’t seem logical that this was the propagation mechanism but the outbreak seemed to subside. We then removed VNC from the machines that got infected and I restarted the Exchange services. Two more machines were infected after this but no more. Several other workstations on the network had VNC server and the port open but were not ever infected.
One more interesting lead I have is that the machine where the outbreak initiated was the only one on the network with ports 6697 and 9234 recently opened for a custom IRC application. These have been closed. Anyone with any information about this outbreak is welcome to leave a comment.
_______________________________________________________
Update: 07-26-2006
Turns out this was a “false-positive” in Officescan virus definitions release 5.99.
Upgrading to the 6.07 definitions clears the problem. I still think Trend Micro is the leader in the Anti-virus industry.
Hey thanks a lot for posting this it was the only note of the issue anywhere that I could find. We took an update last night at 1:00 which caused this same issue and we were working franticly to get it resolved!