Re: Norton AntiVirus vptray.exe

From: NiDoTEcH (nidotech@hkicable.com)
Date: 08/05/01


Message-ID: <003401c11de2$90a01830$0100a8c0@nidotech.2y.net>
From: "NiDoTEcH" <nidotech@hkicable.com>
To: "Kevin Guidry" <thekevbo1@yahoo.com>, <focus-ms@securityfocus.com>
Subject: Re: Norton AntiVirus vptray.exe
Date: Mon, 6 Aug 2001 03:12:26 +0800

It seems that your NAV has been hacked to incorporate the VNC software (the
pop-up of the IP address when you mouse over the icon is typical VNC
behavior). I heard some viruses/worms would do that to allow full remote
control of the infested computer. I suggest you investigate the listening
port of that computer (either 5800 or 5900 for VNC, maybe changed to another,
considering it is a hack) for that program.

----- Original Message -----
From: "Kevin Guidry" <thekevbo1@yahoo.com>
To: <focus-ms@securityfocus.com>
Sent: Saturday, August 04, 2001 12:17 AM
Subject: Norton AntiVirus vptray.exe

> The university I am employed at has several
> computer labs. The computers run either 2000 or NT
> 4.0. We also have a site license for Norton
> AntiVirus (NAV) Corporate Edition.
> We have noticed some strange behavior on some of
> our machines. At startup, vptray.exe is executed.
> This is normal and is how NAV should behave. This
> program, to the best of my knowledge, just loads a
> small program that resides in the system tray that
> allows quick access to NAV.
> However, vptray.exe appears to have been replaced
> with another program. The "new" version has a
> different creation date and size than the vptray.exe
> that is on the other machines. Specifically, the new
> program has a creation date of July 12, 2001 compared
> with the April 20, 2001 creation date of the original.
> The new program is also considerably larger than the
> original, weighing in at 184,320 bytes versus 49,152
> bytes for the original.
> The new program has either no icon at all or an
> invisible one. Since it has replaced the original
> vptray.exe, it is launched at startup and resides in
> the system tray. The invisible icon leaves a
> conspicuous empty space in the system tray. If you
> hover over the icon, a tooltip appears with the
> computer's IP address. Clicking on the icon opens a
> large box labeled "Current connections." Inside the
> box it simply says "No connections."
> I have searched Google, Deja, and the archives on
> SecurityFocus and have found nothing about this. We
> have contacted Symantec for further guidance and help,
> but are not too hopeful (we have had some negative
> experiences with them). Can anyone offer any insight
> into this problem?
> Thanks!
>
>
> Kevin
>
>
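
The listening-port check suggested in the reply, as an added example that is not part of the original thread: it parses `netstat -an` output from a suspect machine and from a known-good lab machine, flags the VNC default ports, and also flags any listener absent from the baseline, since the reply notes the port may have been changed. The function names, the sample addresses and port 50123 are constructed for illustration.

```python
import re

# Default VNC ports named in the reply: 5800 (HTTP viewer) and 5900 (RFB).
VNC_DEFAULT_PORTS = {5800, 5900}

# Matches LISTENING rows of Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:5900    0.0.0.0:0    LISTENING
_LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _LISTEN_ROW.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def triage(suspect_text, baseline_text):
    """Compare a suspect machine's listeners with a known-good machine.

    Returns {port: reason} for every listener that is a VNC default or is
    absent from the baseline (covers a listener moved off the defaults).
    """
    baseline = listening_ports(baseline_text)
    findings = {}
    for port in sorted(listening_ports(suspect_text)):
        if port in VNC_DEFAULT_PORTS:
            findings[port] = "VNC default port"
        elif port not in baseline:
            findings[port] = "not listening on known-good machine"
    return findings

# Constructed sample output (not taken from the thread).
BASELINE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        192.0.2.5:445          ESTABLISHED
"""
SUSPECT = BASELINE.replace("192.0.2.10", "192.0.2.11") + """\
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50123          0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for port, reason in triage(SUSPECT, BASELINE).items():
        print(port, reason)
```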