Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

WinVNC.A

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

WinVNC.A carries out the following actions:

  • It reaches the computer in a file with the icon of a PowerPoint document in order to pass itself off as a harmless file.
  • When it is run, it displays a presentation containing several slideshows in Spanish about swine flu.
    [Image: one of these slideshows]

  • It obtains information from the affected computer, such as the computer name.
  • Additionally, it uses a legitimate program called UltraVNC, which allows remote connections to a computer, for malicious purposes.
  • It establishes connections with the website www.hd<blocked>f.info in order to inform its creator of the state of the affected computer.

Infection strategy 

WinVNC.A creates the following files in the Windows directory:

  • AUDIOSOUND.EXE. This file is actually WINVNC.EXE, a file belonging to UltraVNC, a legitimate program for controlling a computer remotely, which this backdoor uses for malicious purposes.
  • AUDIOSYSTEM.EXE
  • ROKK.DLL. This file stores the information about the affected computer.

WinVNC.A creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Audio Service = %windir%\audiosystem.exe

    where %windir% is the Windows directory.
    By creating this entry, WinVNC.A ensures that it is run whenever Windows is started.
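
The files and the Run entry listed above can be checked on a host with a short PowerShell script. This is an added example, not part of the original encyclopedia entry. The WOW6432Node key (the 32-bit registry view on 64-bit Windows) and the version-information readout are assumptions added here, and the variable names are illustrative.

```powershell
# Added example: look for the WinVNC.A indicators listed in this entry.
$runName = 'Windows Audio Service'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Assumption, not from the entry: 32-bit registry view on 64-bit Windows.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$fileNames = 'AUDIOSOUND.EXE', 'AUDIOSYSTEM.EXE', 'ROKK.DLL'
$findings  = @()

# Persistence: a Run value with the entry's name, and where it points.
foreach ($key in $runKeys) {
    $prop = Get-ItemProperty -Path $key -Name $runName -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $target = [Environment]::ExpandEnvironmentVariables($prop.$runName)
        $findings += [pscustomobject]@{
            Indicator = 'Run value'
            Location  = "$key\$runName"
            Detail    = $target
            Matches   = $target -like '*\audiosystem.exe*'
        }
    }
}

# Dropped files in the Windows directory. The embedded version information
# is shown so that a renamed WINVNC.EXE can be recognised by an analyst.
foreach ($name in $fileNames) {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $vi   = $item.VersionInfo
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Location  = $path
            Detail    = "{0} bytes; OriginalFilename='{1}'; Product='{2}'" -f `
                        $item.Length, $vi.OriginalFilename, $vi.ProductName
            Matches   = $true
        }
    }
}

if ($findings.Count -eq 0) {
    'No WinVNC.A indicators from this entry were found.'
} else {
    $findings | Format-List
}
```

A Run value whose name matches but whose target is not audiosystem.exe is still reported, with Matches set to False, so that it can be reviewed by hand.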

Means of transmission 

WinVNC.A does not spread automatically using its own means. It needs an attacker's intervention in order to reach the affected computer. The malicious file could have been distributed as an attachment in email messages sent in bulk.

Further Details  

WinVNC.A is written in the programming language Visual Basic 6.0. This backdoor is 2,539,520 bytes in size.