(Clearwisdom.net)

(Updated 10:30 Beijing Time, September 6, 2005)

[Clearwisdom editor's note: Those who directly visited English site http://fgmtv.net/ should not have this problem unless you did that by following the link on the Chinese site.]

On September 2 Beijing Time, it was discovered that hackers had planted malicious code into web pages at the Fangguangming website (http://asp.fgmtv.org). Technical staff had cleaned up the malicious code by the morning of September 3 Beijing Time. Based on results of current examination, the above-mentioned malicious code was planted early August. We recommend that readers in China and overseas, who visited Fangguangming and related websites with Internet Explorer (IE) during the period noted above, immediately re-install the operating system and take other relevant measures.

This malicious code redirected visitors to a particular vicious website in Mainland China, where IE security loopholes were exploited to plant a Trojan program onto the visitor's computer, which could expose the machine's IP address and other information and possibly monitor the visitor's keyboard operations, etc. Anti-virus software (by Norton, for example) cannot detect this Trojan.

If you have visited the Fangguangming website with IE from early August 2005 to September 3, 2005, the above-mentioned malicious code would have automatically downloaded a Trojan program from elsewhere and planted it on your computer. We advise readers to immediately reinstall the computer's operation system to completely get rid of this security problem.

We do not recommend the use of software to clean up this Trojan, as it is very malicious. Reinstallation of the operating system is the only way to ensure your computer's security.

The Qingzhou website at http://qingzhou.sytes.net/ (including all sites sharing this domain name as used by the Qingzhou website) has also experienced the same security problem. The time period is from early August 2005 to the morning of September 4, 2005. Administrators of the Qingzhou website have been notified, and they have shut down the website and are in the process of cleaning up the contents. If you browsed the Qingzhou website with IE during that period of time, we also advise you to immediately reinstall the operating system software on your computer as well.

Clearwisdom.net Technical Department and Fangguangming Technical Department

September 3, 2005

Appendix: Steps to Examine Your Personal Computer

The following instructions are based on the current results of examination. Refer to them to help in determining if your personal computer has been hit by the virus. Its accuracy is based on our current examination, which focuses on the detection of Trojan programs.

There are two Trojan programs. One is hndylau.exe, which existed on both the Qingzhou and the Fangguangming websites. The other is ray.exe, which existed only on the Fangguangming website.

The first Trojan, hndylau.exe, would have produced two files in the system directory: SSock32.dll and svch0st.exe. If your search of the hard drive turns up these file names, it is almost certain that your computer has been affected. This Trojan would send the personal computer user's information to a specific email account in Mainland China.

The second Trojan, ray.exe, has been examined on six various operating systems in Mainland and overseas. It has been verified that an entry of Yzxekttb would have been registered in the registry, and a file with the name of Yzxekttb would have been planted in the system directory. If your search turns up a file with the name of Yzxekttb, it is certain that your machine has been affected. The exact behavior of this Trojan is not clear yet. But so far, we have not found any backdoor capabilities, similar to rootkit, associated with it.

Examination steps for reference:

Posting date: 9/7/2005
Original article date: 9/7/2005
Category: Announcements
Chinese version available at http://minghui.ca/mh/articles/2005/9/4/109789.html

 Yearly Archive  Printer Version