public inbox for cygwin@cygwin.com
* XLaunch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission
From: Sagar Kapadia @ 2017-06-28 16:07 UTC
  To: cygwin

Hi,
I wish to report that Cygwin.XLaunch.exe is a Trojan and it allows
remote control of a pc without the user's knowledge or permission. I
installed the cygwin package and the Xwindows server too. However,
today, I found somebody controlling my pc remotely. I know because the
mouse behaved erratically and then the XLaunch configuration screen
came up. I tried to kill it using the Task Manager but it would
restart. I had to reboot and turn off networking and then delete the
cygwin folder.

McAfee did not report this as a Trojan. I have written a mail to
McAfee notifying them of this issue.

I don't know if you are aware of this issue or not, but I found it
serious enough to report.

To summarize:
XLaunch allows remote control of a pc without the user's knowledge or permission.
Sincerely,
Sagar R. Kapadia,
India

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: XLaunch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission
From: Erik Soderquist @ 2017-06-28 16:21 UTC
  To: cygwin

On Wed, Jun 28, 2017 at 12:07 PM, Sagar Kapadia wrote:
> Hi,
> I wish to report that Cygwin.XLaunch.exe is a Trojan and it allows
> remote control of a pc without the user's knowledge or permission. I
> installed the cygwin package and the Xwindows server too. However,
> today, I found somebody controlling my pc remotely. I know because the
> mouse behaved erratically and then the XLaunch configuration screen
> came up. I tried to kill it using the Task Manager but it would
> restart. I had to reboot and turn off networking and then delete the
> cygwin folder.

Where did you get this copy of cygwin from?  Did you use the official
installer package from the cygwin site?
https://www.cygwin.com/setup-x86_64.exe or
https://www.cygwin.com/setup-x86.exe

XLaunch itself is a wizard to configure X server sessions, and if
someone remote controlling your PC is happening with the legitimate
XLaunch executable, I would suspect there is something else unwanted
on your machine that is using XLaunch as a tool.

However, if the cygwin source you downloaded from was either
compromised or was not a legitimate mirror to start with, that is not
a direct fault of cygwin, but rather a fault of the source of your
download.


> I don't know if you are aware of this issue or not, but I found it
> serious enough to report.

This is the first I've heard.


-- Erik


* Re: XLaunch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission
From: Brian Inglis @ 2017-06-28 16:55 UTC
  To: cygwin

On 2017-06-28 10:21, Erik Soderquist wrote:
> On Wed, Jun 28, 2017 at 12:07 PM, Sagar Kapadia wrote:
>> Hi,
>> I wish to report that Cygwin.XLaunch.exe is a Trojan and it allows
>> remote control of a pc without the user's knowledge or permission. I
>> installed the cygwin package and the Xwindows server too. However,
>> today, I found somebody controlling my pc remotely. I know because the
>> mouse behaved erratically and then the XLaunch configuration screen
>> came up. I tried to kill it using the Task Manager but it would
>> restart. I had to reboot and turn off networking and then delete the
>> cygwin folder.

I've had mice behave like that when they needed a new battery or before they
died; also intermittent responsiveness which can have weird results, while
Windows Update is failing to apply patches and backing them out in the background.
Replace your mouse battery and check Windows Update History for that timeframe.

> Where did you get this copy of cygwin from?  Did you use the official
> installer package from the cygwin site?
> https://www.cygwin.com/setup-x86_64.exe or
> https://www.cygwin.com/setup-x86.exe
> XLaunch itself is a wizard to configure X server sessions, and if
> someone remote controlling your PC is happening with the legitimate
> XLaunch executable, I would suspect there is something else unwanted
> on your machine that is using XLaunch as a tool.
> However, if the cygwin source you downloaded from was either
> compromised or was not a legitimate mirror to start with, that is not
> a direct fault of cygwin, but rather a fault of the source of your
> download.
>> I don't know if you are aware of this issue or not, but I found it
>> serious enough to report.

Do you have Remote Access or Remote Assistance enabled on your system?
Have you opened up your firewall to allow remote access?
Did you run a malware scan to identify if there is something on your system?

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: XLaunch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission
From: bzs @ 2017-06-28 22:03 UTC
  To: Erik Soderquist; +Cc: cygwin


I would also think about X11 permissions. Someone might be scanning
for activity on port 6000 (&c) and if they find something and it's not
locked down (see for example 'xhost(1)') it's trivial to just launch
X11 apps on your system which can cause all sorts of mischief.

-- 
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


* Re: XLaunch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission
From: Dan Kegel @ 2017-06-28 22:13 UTC
  To: cygwin; +Cc: Erik Soderquist

On Wed, Jun 28, 2017 at 3:02 PM, <bzs@theworld.com> wrote:
> I would also think about X11 permissions. Someone might be scanning
> for activity on port 6000 (&c) and if they find something and it's not
> locked down (see for example 'xhost(1)') it's trivial to just launch
> X11 apps on your system which can cause all sorts of mischief.

Also note that Xlaunch starts the X server, and can supply the
commandline option needed to listen for connections on TCP.
Maybe you put that in by accident while following some tutorial?

It'd be interesting to see who's trying to connect to your
machine via port 6000.  Maybe run wireshark and listen for a while?
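
Added example, not part of any message in this thread: a shell audit for the exposure the last two replies describe, an X server listening on TCP port 6000 with xhost access control switched off. The function names and the sample netstat/xhost text are constructed for illustration.

```sh
#!/bin/sh
# Added example. Ports 6000-6063 (X11 displays :0 to :63) are an assumed range.

# Read `netstat -an` text on stdin (Windows or Unix layout) and print each
# TCP listener on an X11 display port that is not bound to loopback.
x11_tcp_listeners() {
    awk '
        toupper($0) ~ /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # The local address is the first field ending in :port or .port
                if ($i ~ /[:.][0-9]+$/) {
                    port = $i; sub(/^.*[:.]/, "", port)
                    host = $i; sub(/[:.][0-9]+$/, "", host)
                    p = port + 0   # force a numeric comparison
                    if (p >= 6000 && p <= 6063 &&
                        host !~ /^127\./ && host != "[::1]" && host != "::1")
                        print $i
                    break
                }
            }
        }'
}

# Exit 0 when `xhost` output on stdin shows host-based access control is off,
# meaning any host that can reach the port may open windows on the display.
xhost_is_open() {
    grep -q '^access control disabled'
}

# Classify exposure. $1 = captured netstat text, $2 = captured xhost text.
x11_exposure() {
    listeners=$(printf '%s\n' "$1" | x11_tcp_listeners)
    if [ -z "$listeners" ]; then
        echo "ok: no X11 TCP listener outside loopback"
    elif printf '%s\n' "$2" | xhost_is_open; then
        echo "exposed: $(echo $listeners) with access control disabled"
    else
        echo "listening: $(echo $listeners) but access control enabled"
    fi
}

# Constructed sample input, not captured from the reporter's machine.
SAMPLE_NETSTAT='  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
  TCP    0.0.0.0:6000   0.0.0.0:0    LISTENING
  TCP    127.0.0.1:6001 0.0.0.0:0    LISTENING
  TCP    10.0.0.5:60001 0.0.0.0:0    LISTENING'
SAMPLE_XHOST='access control disabled, clients can connect from any host'

x11_exposure "$SAMPLE_NETSTAT" "$SAMPLE_XHOST"
# On a live system: x11_exposure "$(netstat -an)" "$(xhost)"
```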
