Frank Niu wrote:
> I got an announcement about this issue. It is indeed a VNC-related security
> problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)
>
> **********************************
> There is a known exposure in some versions of the popular program VNC by
> which an attacker can get past the password protection and compromise the
> system. It was found in the "RealVNC" version and an upgrade which fixes
> this exposure is available. Other versions of VNC may or may not be
> affected.
>

That's a very important catch, Frank. Thanks!
--Bob

> Recently, a program which exploits this vulnerability has been spotted in
> the wild. The corporate threat team is aware of this and has set the
> corporate IPS systems to block this worm when spotted and to issue service
> desk tickets against the source address (if internal). At this time,
> there is no indication that a "CIO Patch Override" will be needed.
>
> If you currently use RealVNC to remotely access your systems please check
> that you have the latest build of your version of RealVNC. During the
> recent Digital Threat and Risk Assessment it was discovered that older
> builds of RealVNC have vulnerabilities that can be (and were) exploited to
> gain unauthorized access to systems.
>
> You will need to upgrade your version of RealVNC if you have a build date
> earlier than MAY 2006. RealVNC upgrades are available at
> http://www.realvnc.com/upgrade.html
>
> *********************************
>
> Carey Fisher - NCS wrote:
>
>> Frank Niu wrote:
>>
>>> How is this matter going? Actually I encountered exactly the same
>>> virus/worm
>>> and don't know how to get rid of it.
>>>
>> I've scanned with multiple virus scanners including AVG and Norton.
>> I've run Adaware and Spybot and I've
>> found nothing at all.
>>
>> Also, still no intrusions with any one or more of the following true:
>> VNC stopped
>> network disconnected
>> logged out
>>
>>> Checked with sysinternal autorun.exe, found nothing suspicious. I'm
>>> pretty
>>> sure it has something to do with VNC: This issue occurs with my 3
>>> machines
>>> with VNC server installed every few minutes intermittently. After I
>>> closed
>>> VNC server, seems it won't occur for now.
>>>
>>> Any final solution for this?
>>>
>> I'm convinced there is no virus in the machine and it seems someone is
>> trying to (manually?) type a command in the Start/Run box as if they are
>> sitting in front of the computer.
>>
>> So, that sorta leaves VNC except I have it running as a Service which
>> means if someone was using VNC they could still use it when all users
>> are logged out except they can't login cause I have a strong password.
>> I have 3 machines with VNC but only one is forwarded to from the
>> router. That's the one that's being compromised.
>>
>> Now I'm investigating my Wi-Fi nodes.
>>
>> Carey
>> --
>> http://www.piclist.com PIC/SX FAQ & list archive
>> View/change your membership options at
>> http://mailman.mit.edu/mailman/listinfo/piclist