The file you are looking for is a malformed vnchooks.dll file found in the C:\WINNT\Fonts folder. This worm utilizes a malformed VNhooks.dll file and other malformed dlls to accept commands over port 445 from a remote IRC connection. A hacker connects to a specific channel on IRC that reports the IP address of compromised PCs and then begins sending commands to that PC via IRC to allow him to remotely control that target. I would recommend you update your OS to the latest patch and update your antivirus software with the latest def files.
http://www.klcconsulting.net/articles/deloder/deloder_loads_vnc_password.pdf

Message: 1
From: "James ''Wez'' Weatherall" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Re: deloader worm
Date: Wed, 17 Sep 2003 12:20:49 +0100

---
However, WinVNC still comes up at boot (at least the splash screen). It must be running as a service, because I can't find it in the startup menu (or anywhere else), and I don't see anything in the task manager that looks like winvnc. There is no tray icon. How the heck do I get it from starting at boot??? I can't even find the darn thing on the HD. I run a search for winvnc and get no results.
---

You need to find the description of deloader on one of the antivirus sites - that will tell you what files to look for. I think vnsystask.exe was the nobbled winvnc file name. But you mention a splash screen, which WinVNC doesn't have, suggesting that it's not WinVNC that is on your system.

Cheers,
--
Dr. James "Wez" Weatherall
RealVNC Ltd. - http://www.realvnc.com - The Home of VNC