deloader worm

[Jim Rowland]

The file you are looking for is a malformed vnchooks.dll file found in
the C:\WINNT\Fonts folder. This worm utilizes a malformed VNhooks.dll
file and other malformed dlls to accept commands over port 445 from a
remote IRC connection. A hacker connects to a specific channel on IRC
that reports the ip address of compromised PC's and then begins sending
commands to that PC via IRC to allow him to remotely control that
target. 
I would recommend you update your OS to the latest patch and update your
antivirus software with the latest def files. 

http://www.klcconsulting.net/articles/deloder/deloder_loads_vnc_password
.pdf


Message: 1
From: "James ''Wez'' Weatherall" <jnw@realvnc.com>
To: <reclark@amaonline.com>
Cc: <vnc-list@realvnc.com>
Subject: Re: deloader worm
Date: Wed, 17 Sep 2003 12:20:49 +0100

---
However,  WinVNC still comes up at boot (at least the splash screen).
It must be running as a service, because I can't find it in the startup
menu (or anywhere else), and I don't see anything in the task manager
that looks like winvnc.  There is no tray icon.  How the heck do I get
it from starting at boot???  I can't even find the darn thing on the HD.
I run a search for winvnc and get no results.
---

You need to find the description of deloader on one of the antivirus
sites - that will tell you what files to look for.  I think
vnsystask.exe was the nobbled winvnc file name.

But you mention a splash screen, which WinVNC doesn't have, suggesting
that it's not WinVNC that is on your system.

Cheers,

--
Dr. James "Wez" Weatherall
RealVNC Ltd. - http://www.realvnc.com - The Home of VNC