not-a-virus:RemoteAdmin.Win32.WinVNC.4 (Kaspersky Lab)
is also known as:
not-a-virus:RiskWare.RemoteAdmin.WinVNC.4 (Kaspersky Lab),
Application.Vnc.Server.4.0 (SOFTWIN)
| Detection added | Jan 23 2005 |
| Description added | Aug 03 2006 |
| Behavior | not-a-virus:RemoteAdmin |
WinVNC is a remote administration utility, providing access to the interface
of a remote machine in real-time. Symantec's pcAnywhere is a similar type of
program. The program is produced by AT&T Laboratories, Cambridge.
It can be used to remotely administer or observe the host machine.
This is a legal program, but it can be used maliciously. There have been cases
in which the WinVNC server component was installed on a host machine without
the user's knowledge or consent. This provides a remote malicious user with
full access to the victim machine.
Users should exercise maximum caution when working with programs of this type.
The utility has a server and a client component.
In order for the utility to work, the server component has to be installed
on the remote host machine. In order to gain access to the remote machine, the
client component has to be launched (it does not have to be installed) and the
IP address and password of the host machine entered.
The interface of the client component has the following appearance:
In order to access the system, WinVNC opens TCP ports 5800 and 5900 on the
remote host machine.
If the icon shown below can be seen in the system tray, this means that the
server component of WinVNC is installed on the computer:
When a remote connection is made, the icon will take on the following
appearance:
However, given certain configuration parameters, it may only be possible to
see the utility in the list of active processes.
A remote malicious user will, by using the client component, be able to gain
full access to the remote host, view the screen, and use his/her keyboard and
mouse to give commands to the remote host.
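
A defender-side check for the indicators described above (TCP 5800 and 5900 open, and a server that may only be visible as a process), added here as an example and not part of the original description. It parses Windows `netstat -ano` output for listeners and live sessions on those ports and validates the 12-byte RFB greeting a VNC server sends on connect. The sample netstat text, PIDs, addresses and function names are constructed for illustration.

```python
import re
import socket

VNC_PORTS = {5800, 5900}          # ports the description says WinVNC opens
RFB_GREETING = re.compile(rb"RFB (\d{3})\.(\d{3})\n")  # 12-byte ProtocolVersion

# Constructed sample of Windows `netstat -ano` output (PIDs and addresses invented).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       2244
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.20:5900      192.168.1.77:51234     ESTABLISHED     2244
  TCP    192.168.1.20:49701     203.0.113.5:443        ESTABLISHED     3180
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def find_vnc_sockets(netstat_text):
    """Return (listeners, sessions): listeners as {(port, pid)}, sessions as
    [(peer, pid)] for established connections whose local port is a VNC port."""
    listeners, sessions = set(), []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue                      # header, UDP, or malformed row
        local_port = int(f[1].rsplit(":", 1)[1])
        if local_port not in VNC_PORTS:
            continue
        if f[3] == "LISTENING":
            listeners.add((local_port, int(f[4])))
        elif f[3] == "ESTABLISHED":
            sessions.append((f[2], int(f[4])))
    return listeners, sessions

def parse_rfb_greeting(data):
    """Return (major, minor) if data is an RFB ProtocolVersion message, else None."""
    m = RFB_GREETING.fullmatch(data[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None

def probe_local(port=5900, timeout=2.0):
    """Read the greeting from a listener on this machine; None if absent or not RFB."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            return parse_rfb_greeting(s.recv(12))
    except OSError:
        return None

if __name__ == "__main__":
    listeners, sessions = find_vnc_sockets(SAMPLE_NETSTAT)
    print("listeners:", sorted(listeners))
    print("active sessions:", sessions)
```

The PID returned for a listener can be resolved to an image name with `tasklist /FI "PID eq <pid>"`, which covers the case where the tray icon is hidden.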