WinVNC4.exe virus

Had a really strange virus break out on our network yesterday. Here’s the breakdown:

Trend Micro OfficeScan detected an initiation on a workstation at 12:21 PM. The virus was located in the file C:\Program Files\RealVNC\VNC4\WinVNC4.exe. This is a legitimate file and location for us as we have VNC server installed on workstations for remote admin. Trend reported the virus name as Trojan_Generic and it could not be cleaned or quarantined. It propagated through an unknown transport to random machines on the WAN in a matter of 10 minutes.

15 machines got infected before I shut down the MS Exchange services just in case it was using the address book as a transport. It didn’t seem logical that this was the propagation mechanism but the outbreak seemed to subside. We then removed VNC from the machines that got infected and I restarted the Exchange services. Two more machines were infected after this but no more. Several other workstations on the network had VNC server and the port open but were not ever infected.

One more interesting lead I have is that the machine where the outbreak initiated was the only one on the network with ports 6697 and 9234 recently opened for a custom IRC application. These have been closed. Anyone with any information about this outbreak is welcome to leave a comment.

_______________________________________________________

Update: 07-26-2006

Turns out this was a “false-positive” in OfficeScan virus definitions release 5.99.

Upgrading to the 6.07 definitions clears the problem. I still think Trend Micro is the leader in the Anti-virus industry.


1 Comment
16 years ago

Hey, thanks a lot for posting this; it was the only note of the issue anywhere that I could find. We took an update last night at 1:00 which caused this same issue and we were working frantically to get it resolved!
