public inbox for cygwin@cygwin.com
* Re: XLanuch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission [Reference Link]
@ 2017-06-28 16:26 Sagar Kapadia
  2017-06-28 16:39 ` Erik Soderquist
  0 siblings, 1 reply; 4+ messages in thread
From: Sagar Kapadia @ 2017-06-28 16:26 UTC (permalink / raw)
  To: cygwin

http://www.file.net/process/xlaunch.exe.html

On Wed, Jun 28, 2017 at 9:37 PM, Sagar Kapadia
<sagar@cloudnineconsulting.in> wrote:
> Hi,
> I wish to report that Cygwin.XLaunch.exe is a Trojan and it allows
> remote control of a pc without the user's knowledge or permission. I
> installed the cygwin package and the Xwindows server too. However,
> today, I found somebody controlling my pc remotely. I know because the
> mouse behaved erratically and then the XLaunch configuration screen
> came up. I tried to kill it using the Task Manager but it would
> restart. I had to reboot and turn off networking and then delete the
> cygwin folder.
>
> McAfee did not report this as a Trojan. I have written a mail to
> McAfee notifying them of this issue.
>
> I don't know if you are aware of this issue or not, but I found it
> serious enough to report.
>
> To summarize:
> XLaunch allows remote control of a pc without the user's knowledge or permission.
> Sincerely,
> Sagar R. Kapadia,
> India

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: XLanuch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission [Reference Link]
  2017-06-28 16:26 XLanuch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission [Reference Link] Sagar Kapadia
@ 2017-06-28 16:39 ` Erik Soderquist
       [not found]   ` <CAPXRkNFK=2b8Gjmb4ckCOXPGh_DFn6r2jRbxHMi3pNLn4cBSFg@mail.gmail.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Erik Soderquist @ 2017-06-28 16:39 UTC (permalink / raw)
  To: cygwin

On Wed, Jun 28, 2017 at 12:26 PM, Sagar Kapadia wrote:
> http://www.file.net/process/xlaunch.exe.html

#1: please do not top post on this list.

#2: Any program can be renamed, and the description in that page has
the wrong location in general for standard cygwin installations.

I ask again, where did you get it from?  Did you use the standard
installers?  Which mirror?

-- Erik


* Re: XLanuch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission [Reference Link]
       [not found]   ` <CAPXRkNFK=2b8Gjmb4ckCOXPGh_DFn6r2jRbxHMi3pNLn4cBSFg@mail.gmail.com>
@ 2017-06-28 16:58     ` Erik Soderquist
       [not found]       ` <CAPXRkNH5LLu7AhNPPwoKrNQfNuQdEJ-gx-QGhG4Vxh97oD3rzw@mail.gmail.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Erik Soderquist @ 2017-06-28 16:58 UTC (permalink / raw)
  To: cygwin

On Wed, Jun 28, 2017 at 12:48 PM, Sagar Kapadia wrote:
> Hi Erik,
> Thanks for your reply. I could not find the file in the windows
> directory or its sub folders. However, I saw the xlaunch configuration
> screen on my pc. It came up on its own. I tried killing it but it
> would start again.

That indicates something else on your machine is launching it, and
deleting it only blocked whatever else is on your machine from
starting it again.  No program, no matter how complicated, can
magically start itself; something else must always start it.  Virus
and trojan programs typically do this by running several different
very small programs that watch each other, and when any one program
from the malicious package is killed, the others restart it.

> I installed it over a year ago, and I don't remember which mirror I
> used. However, I did use the standard installer.

This being new behavior after being installed over a year also points
to something else trying to use xlaunch rather than xlaunch itself
being the problem.

> By the way, I did not quite understand about top posting.

http://linux.sgms-centre.com/misc/netiquette.php#toppost

> I am replying only to you. If you permit, I will
> reply to the list too
> Sincerely,
> Sagar

Everything I've said has already been posted to the list; you need to
be subscribed to the list for the replies to come to you as a normal
practice, and it is highly recommended when posting about a possible
problem to be subscribed at least as long as the problem is being
addressed.

-- Erik


* Re: XLanuch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission [Reference Link]
       [not found]         ` <CACoZoo05K+qt9M9okTEFmHtnMPni_k6AtQPHmwtL7oQGn3xj5w@mail.gmail.com>
@ 2017-06-28 17:11           ` Erik Soderquist
  0 siblings, 0 replies; 4+ messages in thread
From: Erik Soderquist @ 2017-06-28 17:11 UTC (permalink / raw)
  To: cygwin

On Wed, Jun 28, 2017 at 1:02 PM, Sagar Kapadia wrote:
> Thanks for the detailed reply.
> However, one thing still puzzles me. Even if another trojan/virus
> were to start XLaunch, it would still require another user to connect
> to my pc remotely over xlaunch to be any use. I have a static IP, by
> the way.

A static IP effectively means your computer will always be found at
the same address, so anyone on the network can reliably find your
computer when it is on and connected.

> Does that imply any vulnerability in xlaunch?

No, just that the remote controlling person wanted to use it for
something, no different from a remote controlling person using Windows
Explorer to copy files does not imply any vulnerability in Windows
Explorer.  The vulnerability lies in how/where the remote controlling
person gained access to do the remote controlling in the first place.
That part is still a mystery.

> With my limited background, it seems that even though something
> launched xlaunch, there was somebody controlling it actively.
> And the connection did not ask for my permission.

I would check that your firewall is enabled and active, and if you are
not knowledgeable enough yourself, find someone who is to examine the
firewall rules for openings that should not be present as well as scan
the entire computer with an updated malware scanner.


-- Erik
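
The two checks suggested in this thread (finding what is starting XLaunch, and reviewing the firewall for openings), as an added PowerShell example that is not part of the original messages. The process names are assumptions (XWin.exe being the Cygwin/X server that XLaunch starts); run it from an elevated prompt so the paths and command lines of other users' processes are visible.

```powershell
# Added example. Process names are assumptions: XLaunch from the thread, XWin is
# the Cygwin/X server binary that XLaunch starts.
$names = 'XLaunch.exe', 'XWin.exe'

# Index every running process by PID so parents and socket owners can be resolved.
$all = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# 1. What started it? Show each matching process with its parent.
$all | Where-Object { $names -contains $_.Name } | ForEach-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    # If the parent exited, its PID may have been reused by a newer process;
    # only trust a parent that was created before the child.
    $known = $parent -and ($parent.CreationDate -le $_.CreationDate)
    [pscustomobject]@{
        Name        = $_.Name
        ProcessId   = $_.ProcessId
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
        Started     = $_.CreationDate
        ParentPid   = $_.ParentProcessId
        ParentName  = if ($known) { $parent.Name } else { '<exited or PID reused>' }
        ParentPath  = if ($known) { $parent.ExecutablePath } else { $null }
    }
} | Format-List

# 2. What is reachable from the network? Listening TCP sockets and their owners.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $owner = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
        Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        Process = if ($owner) { $owner.Name } else { '<unknown>' }
        Path    = if ($owner) { $owner.ExecutablePath } else { $null }
    }
} | Sort-Object Process | Format-Table -AutoSize

# 3. Is the firewall on, and which enabled inbound rules allow traffic?
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort -join ','
        Program   = $app.Program
    }
} | Sort-Object Program, Rule | Format-Table -AutoSize
```

A parent process, listening program or inbound rule that cannot be accounted for is the "something else" to investigate, rather than XLaunch itself.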
