I got an announcement about this issue. It is indeed a VNC-related security problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)

**********************************

There is a known exposure in some versions of the popular program VNC by which an attacker can get past the password protection and compromise the system. It was found in the "RealVNC" version and an upgrade which fixes this exposure is available. Other versions of VNC may or may not be affected.

Recently, a program which exploits this vulnerability has been spotted in the wild. The corporate threat team is aware of this and has set the corporate IPS systems to block this worm when spotted and to issue service desk tickets against the source address (if internal). At this time, there is no indication that a "CIO Patch Override" will be needed.

If you currently use RealVNC to remotely access your systems please check that you have the latest build of your version of RealVNC. During the recent Digital Threat and Risk Assessment it was discovered that older builds of RealVNC have vulnerabilities that can be (and were) exploited to gain unauthorized access to systems. You will need to upgrade your version of RealVNC if you have a build date earlier than MAY 2006.

RealVNC upgrades are available at http://www.realvnc.com/upgrade.html

*********************************

Carey Fisher - NCS wrote:
>
> Frank Niu wrote:
>> How is this matter going? Actually I encountered exactly the same
>> virus/worm and don't know how to get rid of it.
>>
> I've scanned with multiple virus scanners including AVG and Norton.
> I've run Adaware and Spybot and I've found nothing at all.
>
> Also, still no intrusions with any one or more of the following true:
> VNC stopped
> network disconnected
> logged out
>
>> Checked with sysinternal autorun.exe, found nothing suspicious. I'm
>> pretty sure it has something to do with VNC: This issue occurs with
>> my 3 machines with VNC server installed every few minutes
>> intermittently. After I closed VNC server, seems it won't occur for now.
>>
>> Any final solution for this?
>> pe a
>>
> I'm convinced there is no virus in the machine and it seems someone is
> trying to (manually?) type a command in the Start/Run box as if they are
> sitting in front of the computer.
>
> So, that sorta leaves VNC except I have it running as a Service which
> means if someone was using VNC they could still use it when all users
> are logged out except they can't login cause I have a strong password.
> I have 3 machines with VNC but only one is forwarded to from the
> router. That's the one that's being compromised.
>
> Now I'm investigating my Wi-Fi nodes.
>
> Carey
> --
> http://www.piclist.com PIC/SX FAQ & list archive
> View/change your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist

--
View this message in context: http://www.nabble.com/-EE-%3A-WINXP-Malware-Attacks--CAUTION---POSSIBLE-BAD-LINKS-LISTED-tf2391073.html#a6753085
Sent from the MicroControllers - PIC mailing list archive at Nabble.com.