Thu Sep 18 17:25:01 2003
The file you are looking for is a malformed vnchooks.dll file found in
the C:\WINNT\Fonts folder. This worm utilizes a malformed VNhooks.dll
file and other malformed dlls to accept commands over port 445 from a
remote IRC connection. A hacker connects to a specific channel on IRC
that reports the ip address of compromised PC's and then begins sending
commands to that PC via IRC to allow him to remotely control that
I would recommend you update your OS to the latest patch and update your
antivirus software with the latest def files.
From: "James ''Wez'' Weatherall" <firstname.lastname@example.org>
Subject: Re: deloader worm
Date: Wed, 17 Sep 2003 12:20:49 +0100
However, WinVNC still comes up at boot (at least the splash screen).
It must be running as a service, because I can't find it in the startup
menu (or anywhere else), and I don't see anything in the task manager
that looks like winvnc. There is no tray icon. How the heck do I get
it from starting at boot??? I can't even find the darn thing on the HD.
I run a search for winvnc and get no results.
You need to find the description of deloader on one of the antivirus
sites - that will tell you what files to look for. I think
vnsystask.exe was the nobbled winvnc file name.
But you mention a splash screen, which WinVNC doesn't have, suggesting
that it's not WinVNC that is on your system.
Dr. James "Wez" Weatherall
RealVNC Ltd. - http://www.realvnc.com - The Home of VNC