smallmo.bokee.com

7.7�Ϻ��⼮Ůģ�ر�ɱ��

smallmo.bokee.com — Fri,11 Jul 2008 14:02:40 CST

��Ϻ��й��վ��Ϣ��

“7.7”�ѻ�·�װ�� ——��˳¾��Ϫ��

    ��Ϻ��ҹ��飬“7.7”�ѻ�·�װ�˳��ơ�7��11��糿��ڰ��ʡ��й��ִ��Э��£��˳¾��Ϫ��
    7��賿5ʱ30��й��110ָ��Ľӱ��ƣ��ѻ�·һ��¥��һŮ�ӱ��Ѹ��ǰ��á��飬��˴��23�꣬�ּ��ô��գ��6��24��뾳��ס�ѻ�·��
    ��й��쵼�߶��ӣ�Ҫ��ư��Ϻ��ǿ��й��ܶӺͳ��־ֵȵ�λ��ɵ�ר��飬ȫ��չ��ƹ��
    ��ֳ��飬ר��Ϊһ��ԣ��е��ģ��һ��г��ֳ��鹤��漴��Ե�չ��
    7��10�գ�һ�г¾��ӽ��뾯��ߡ��ݲ飬�¾��1990��2�³��㽭��ݣ��ڰ��ǵ��֡��ճ¾��켣��ר��鼴��֯��ϸ��ʵʩץ��
    7��11�� 8ʱ 15��Ǿ��Э��£��˳¾��Ϫ��־��ܡ��󣬾��׷��“7.7”��б��ٵı�Яʽ��Ե��Ʒ��
    ��Ѷ��˳¾��7��6��ѻ�·β�汻��Һ�ʵʩ��ԣ��ⱻ��˷��ɱ��Ǯ�Ƶķ��ﾭ��

ԭ�ĵ�ַ��http://gaj.sh.gov.cn/shga/gweb/xxnr_view.jsp?pa=58e282badd297ff32c39d6aa91d115dd002b8ca9817ab551b3e4c275140f52b48756d7d06f8129ba

[ת]�봨��ͬ��繫��

smallmo.bokee.com — Sun,18 May 2008 15:42:40 CST

��һ��»��վ�Ͽ��Ϣ��2��ʱ��ȥ��һ�µģ��һֱ�޷��½��վ��Ҳ��̫��ѷ��ʵ�Ե�ʡ��ȥ��һ�£��Է��ˡ�

��繫��ַ��http://512.china5000.org.cn

�ʻ��ַ��http://www.china5000.org.cn/flower/default.aspx

24��֤ȯ(��Ʊ)��ӡ��˰˰�ʵ��1��

smallmo.bokee.com — Wed,23 Apr 2008 19:48:31 CST

�Ǻǣ�һ��Сʱǰ�տ��Ϣ��

�»��վ��Ѿ��Ϣ�ˡ�

��š��

smallmo.bokee.com — Sun,20 Apr 2008 16:36:54 CST

��עһ���й��ڿ� vs CNN��¼��

һ��Ϊ��ж��ڹ��ڻ��ϱ��㷺��Google���ٶ���һ��ص��ݣ��൱�Ķࡣ��Arbor Networks�ı��ȷʵ��ˣ��û��ص��ݣ�ֻ�м�̵ļ��仰��

UPDATE 8PM US Eastern: More attacks to report, with greater intensity. It look s like some people still giving this a go. I cannot, with the data I have, attribute this to any of the Chinese attacker groups that are supposedly behind the rally call, so this could be other parties entirely.

��Neeao��־�￴��ر��ڵ�ҳ����ȥ��ʱ��CNN�ƺ��Ѿ��ָ��ˡ�

4.19��DDoS��ʾ��

smallmo.bokee.com — Sat,19 Apr 2008 14:41:15 CST

��ڰ�ȫ��п��˹��ý��й��ڿͽ��ڽ��죨4.19��CNN��վ��DDoS������

�ڸ�ƪ��У��ᵽ��һ��ΪThe Dark Visitor��վ��ƺ��һ��й��ڿͻ��վ��ǲ��ϣ��˹��վ�ľ��Ҳһ��֪��Arbornet works�ļ��ƺ��ģ�Ĺ��δ��ʼ��

Destinations	www.cnn.com (one of the IPs for this DNS name)
Attacks in past 24 hours	36 attacks measured
Attacks by type	36 TCP SYN floods
Average and max attack duration	330 seconds average (5.5 minutes), 337 second maximum (slightly longer)

��֮�⣬��컪��Ҳ׼����ʾ��ףʾ���ܴﵽԤ�ڵ�Ч��

Ī��Ļ��

smallmo.bokee.com — Tue,05 Feb 2008 13:04:41 CST

��ȥ��䣬�յ�һ��Ī��Ļ��ʼ��ʼ��ƭ�İɣ�

��⣺ ��ʻ�
��ˣ� cfgh@qq.com.cn

��ã�

�鷳��⣲�죩�ѿ��ʻ��

�й�ƽ��--��ڷ��

��ţ�6222 9800 0012 6369

��Ƽ

�뾡��--��л��

Google��Baidu��һ�£��ƺ�Ҳ��Щ��յ��ʼ��

AV-TEST Q1/2008 ��

smallmo.bokee.com — Sat,26 Jan 2008 12:33:42 CST

��ַ��http://blogs.pcmag.com/securitywatch/Results-2008q1.htm

��ǻ��Ŭ��

��˽�

smallmo.bokee.com — Tue,15 Jan 2008 19:31:51 CST

�տ��ţ��ʶ��˽ڡ�ף��λ��˽ڿ��֣�

��ʨ��췢��һƪ��£��𣺡�ʵս��¶��ʡ��˰�ȫ��ߵĹ�ע��ܶࣨ��^_^��컨��Щʱ�䣬��е��ۿ��һ�£��о��Ȥ��һ��һ��ս��˵ĸо��Ȼ��Ҫʨ��˵��е��ˣ��ǲ��ܵ��£��Ϊ��Щ��ϲ��ģ��Լ�û��һ��У��Щ��ѵ��ܳϿң�ϣ��ǿ��ɣ��Ϊ��û��Ӧ��ġ�

��ʨ��˵��Ժ��йز�Ʒ��£��ڸ��˲��ϣ��Ҫ��ڸ��˲��ϣ��Ǽǵùر��۹��ܣ��Ͳ��ᱻһЩ“��”��ϡ�

�׾�ж��

smallmo.bokee.com — Fri,21 Dec 2007 18:54:42 CST

�տ��й��׾�ж��ְ��Ϣ��

��ȷ�Ǹ��Ծ��Ϣ��׵��վ��Ѷ��׾��ְ�¼��ר�ⱨ��http://tech.163.com/special/00092GJD/ljlz.html

��MSN��ر��

smallmo.bokee.com — Fri,21 Sep 2007 21:39:10 CST

07��ƺ��MSN��Ĵ��꣬��ֹĿǰΪֹ�Ѿ��˽��ʮ��֡��ͨ��Ĵ��Ѿ��ȫ��Ӵ�Ľ�ʬ��磨Botnet��

CISRT�ո��Խ��MSN��淢��ص��ܽᱨ�棬ϣ��MSN�û��а��

��ѿ��Է��ʣ�http://www.cisrt.org/blog/read.php?383

��ɱ�ţ��Ҳ��

smallmo.bokee.com — Thu,12 Jul 2007 23:21:39 CST

��˹�ע��ɱ��¼��Ҷ��˽��˰ɡ��죬��51CTO�Ͽ��ôƪ��£��Ϊ����Ҷΰ��Ļ ɱ��ڹ��ɱ��

Ҷΰ�׵Ĳ��ֻ��

��ߣ��˵Ϊ��ò��б��Եúܳ��ʾ��˾�ļ��ʵ��еĳ��̹��ɱ��

Ҷΰ�ף��ȷ�г��ɱ��㣬��Ϊ�û�ͨ��Ϊɱ��Ĳ��Խ�࣬ɱ��Խ��Ч��浱Ȼ��⣬��ǳ��ǻ��һ�㣬��һЩ��Ƕ��ǵĳ��Ҳ�Ž��

��ߣ��˽⣬��й��ж��ٳ��

Ҷΰ�ף�ǰ��ʱ��å��ս�ǵ��͵��ӣ��ʵ��Щ��å��ĳ��ò��÷Ž��ֵ��ȶ�ģ��Ȼ�г��ƿƼ��ϻ��ԭ��¿ͻ��Ǳ�Թ�г��Ĳ��ࡣ

��˵˭�أ��˵��Ҷ��ס��߼��ʣ��߼��ǰɡ�

ԭ�ĵ�ַ��http://netsecurity.51cto.com/art/200707/51097.htm

�� VS ��

smallmo.bokee.com — Sat,07 Jul 2007 23:36:59 CST

7.2��˹��й��һ��˹��ǲ��Ϊ��һ��Ժ��ϣ��ͥ��7.23��

��ȥһ��Ժ��վ��һ�£��ɵ�ۡ�

��Ҹ��ˣ��ǰ��ӵ��ϻ�û��ϵͳ��

[��]��è��㡱��߱��

smallmo.bokee.com — Mon,12 Feb 2007 21:57:03 CST

��Ϳ��ɫ��CISRT��һ��ţ��Ϊ�� [��]��è��㡱��߱��

��ڷ��ˣ�ͬ־�ǻ��ǲ�Ҫ��Ҫ��

ÿ��downһ��

smallmo.bokee.com — Mon,22 Jan 2007 18:28:07 CST

�Ʒ��ÿ��Ҫdownһ�Ρ��

��֪��ɶʱ��Իָ��﷢��ɧ

��ɫ˵��down��ǿ��ÿ��ϻؼҿ��ӣ�10��׼ʱ˯��

21��Сʱ��

smallmo.bokee.com — Fri,19 Jan 2007 17:45:06 CST

һ��Сʱǰ��Ҳ��Ǳ��ʱ��16:30��ң��ǵķ��down�ˣ�Ŀǰ��֪��ɶԭ��Ǳ��ˡ��֪��Ҫ��ָܻ��

��ɫ˵��ĩ��ǿ��Գ��Ϣһ��ˣ��ǻָ��˵�

��ڻָ��

smallmo.bokee.com — Thu,18 Jan 2007 22:18:58 CST

��ڽ��8ʱ45��ң��ӵ��ɫ��Ϣ��ǵķ��ڽ��19ʱ��һָ��ˡ��ھ��֮һ��ܵ�½��ǵ�Сվ�ˣ��

ͬ־�ǣ��װ��Ը��ٱ��ˡ�

Ҫ֪��վ��𣿺ڿ�ͬѧ��ҲҪΪ��밡

��ǿ�ʼ׼��daily backup�ƶȣ�ͬʱ��Ҹ��ռ��ǵĸ�վ�㣬�Ա��ʱ֮�衣

��⹥��

smallmo.bokee.com — Tue,16 Jan 2007 16:34:33 CST

�ӽ��11:20��ң��CISRT�ķ��ʼ��ܹ��ֹĿǰΪֹ��δ�޸��ֻ��ڴ��ָ��

׼��CISRT��BAIDU��ʱ�ռ䣬�ջ�ջ��

��ƿƼ��й��ģ�China Lab��China PatternѸ�ͳ��

smallmo.bokee.com — Tue,09 Jan 2007 18:23:34 CST

ǰЩ��ӣ��ڡ��á��ƿƼ��й��ܲ�Ҷΰ��˵��07��1�»��й��ʵ��ҡ��ƿƼ��й��վ�Ͽ��ţ�China Lab��Ϻ��Ϻ��أ��л��һ��Ҫȥ��

��ƿƼ��й��ģ�China Lab��China PatternѸ�ͳ��

��簲ȫ��ȫ��쵼�ߡ��ƿƼ��˹��˴��룺TMIC��֤ȯ��룺4704��ƿƼ��й��ģ�China Lab��Ϻ��ͬʱ��Ƴ��й��Ĳ��⣨China pattern��2007��ʼ��չ��ȫ��ġ�ɨ��ж��ƿƼ�ͨ��ռ��й��ٷ��й��ý��ڰ��ȫ�򲡶��Ļ��ϣ��й��ı��룬��ƿƼ��ġ��嶾��DCE 5.0��ƿƼ��Ʒ��й��û��Ĳ��ɱ�ʡ�

ȫ�ģ��ƿƼ��й��ģ�China Lab��China PatternѸ�ͳ��

��Elva��ר��

smallmo.bokee.com — Sun,24 Dec 2006 22:52:11 CST

��ר��1087��͹��һ��ˣ��͸��Լ��ʥ��ɣ��ҹ��˵��д��ƪblog��ʱ��顣��Ҹ��˱Ƚ�ϲ��С�Honey Honey Honey��Զ��ˡ��Ҫ��硷��

��ר��л��һ��صĸ��С��衷��ǽ��ڡ��Ҫ��硷��ģ��5'15''��ҵ��ӣ��ǿɱ��Կ�^_^

Backdooring Images

smallmo.bokee.com — Fri,15 Dec 2006 18:35:51 CST

�ոտ��һƪ��£��ת��һ�¡��ǧ��ɻ��Ŷ

Backdooring Images��http://www.gnucitizen.org/blog/backdooring-images

Elva��ר��1087��

smallmo.bokee.com — Thu,07 Dec 2006 14:39:24 CST

Elva��ר��1087��ڱ��22��ȫ��ͬ��С�Too great��

��б��ײ��衶��ס��Ƭ

��ɽ��ϵͳ��ר��

smallmo.bokee.com — Wed,15 Nov 2006 12:36:20 CST

��Ƿ��3.0�󣬽��ɽ��˾Ҳ��µ�һ��Կ��å��Ĺ��ߡ��ɽ��ϵͳ��ר�ң�KSC��ڵķ��˾�Ѿ��å��ս��ȵĽ��KV2007�м��뷴��å��ܣ��ڵĿ��3.0��ɽ��ϵͳ��ר�ң�KSC��å��ĵ�λ��ǹ��Ѿ��ڲ��桢ľ��

��å��Ǿʹ˱��սᣬ��ǵ��һ�ߡ�ħ��һ�ɣ��Ŀ�Դ��å��ŵ��ǵ��ǿ��ѡ��ʺ��Լ��һ���Լ��ĵ��ԡ�

��ӣ�

1. ��ɽ��ϵͳ��ר�ң�KSC��

2. ��ɽ��ϵͳ��ר�ң�KSC��ר��ҳ

��ǿ��3.0��

smallmo.bokee.com — Tue,14 Nov 2006 13:33:41 CST

��һ�磬��ҳ�͸�ͷ��ˡ��Ƴ��ǵ��¹��ߡ��ǿ��3.0��ص��Խ��ڹ��һ��ͻ��å��֪��Ϊʲô��Ҷ��Щ��᲻��һ��Ȥ��360safe��ǿ��3.0��Ҫ��ǿ��ȥ��ʹ�ã�

��ţ�

1. ��ǿ��3.0��÷��å��

2. [��]��ǡ��(Anti-Rootkits)��˵��

3. ��ǿ��ȫ��3.0��أ�

��ǲ��

smallmo.bokee.com — Fri,27 Oct 2006 21:31:31 CST

��콭�񷢲��һ��š� ��̡��ǲ�� ר�ҽ��΢��Զ�� ݺ�ɫ˵��20��Ҿͷ��ˣ��ʱû��ô��Kaspersky�Ͷ��Զ��ˣ��CISRTҲ��˱��

��Է���Զ��ʲô�ģ��š��

��CISRT2006053��ľ�� .exe Ȥζ��Ϸ.exe bug.exe ��

��ʣ�Elva is back

smallmo.bokee.com — Thu,26 Oct 2006 21:46:38 CST

��elva is back��
��
��:�� º�� alex
��:alex��
��music��
rap: turn the music up
because i been waiting so
long for a chance to dance
to a elva song
she's back
bikky bu bu back
she's back
bikky bikky bu bu back
turn the music up
because i been waiting so
long for a chance to dance
to a elva song
she's back
bikky bu bu back
she's back
bikky bikky bu bu back
��û��Ż�
��û��ú�ˮʧ��
��û�г��һ�ֽ�ɫ��ĭ
ͣ��ס�ҵ��ջ�
��һ��ɸ��
̫Ǻ�Ķ��˻�
�ȴ��۾��ſ�
��
��ÿ��
��˭�ĵ��
��һ��
��һ��
��о��
��Լ��̨
��ˮ��high��
��̵��
��ҵĵ��
��Ƕ��̰��
ֻ��е�̰��
��
��ṩ:��
��û��ͣס
rap: turn the music up
because i been waiting solong
for a chance to dance
to a elva song
she's back
bikky bu bu back
she's back
bikky bikky bu bu back
turn the music up
because i been waiting solong
for a chance to dance
to a elva song
she's back
bikky bu bu back
she's back
bikky bikky bu bu back
��һ��ɸ��
̫Ǻ�Ķ��˻�
�ȴ��۾��ſ�
��
��ÿ��
��˭�ĵ��
��һ��
��һ��
��о��
��Լ��̨
��ˮ��high��
��̵��
��ҵĵ��
��Ƕ��̰��
ֻ��е�̰��
��
bridge:
��û��ͣס
bridge:ewe-ewe-ewe-
elva's back
biwi back-b-back-back-back
b-biwi-back-biwi
back-b-back-back-back
b-biwi-biwi-biwi
el-e-el-ewe-el-e-elva-ewe
el-e-el-ewe-ow-ow-ow-ow-ow
back-b-back-back-back-
bbiwi-back-biwi
back-b-back-back-back
b-biwi-biwi-biwi
el-e-el-ewe-el-e-elva-ewe
el-e-el-ewe-ow-ow-ow-ow
��Լ��
��̵Ľ��û��

SpamThru��ľ��

smallmo.bokee.com — Mon,23 Oct 2006 19:16:29 CST

��cnBeta�Ͽ��һ��ţ��Ϊ��:ľ��װ�Դ��ɨ�� רɱ��ᵽ��ǹ��ķ��Ա��ֵ�һ��ľ��ľ��Դ��ɨ�輼��,��ľ��Ƶľ��ܶȺ͸��Ŀ��.Ʋ��ľ��ƻ��Բ�̸,��Ⱦ��һ̨ϵͳ��Ҫ��龹Ȼ�ǽ�"��"ɨ�س��š�

��һ�¹��ϣ��SecureWorks��Joe Stewart��һ��꾡�ķ��棺SpamThru Trojan Analysis

��һ��Warezov��湥��

smallmo.bokee.com — Fri,20 Oct 2006 22:11:54 CST

��쿪ʼ��һ�ֵ�Warezov��濪ʼ�ڻ��Ͽ��ٴ��ˣ��Ѿ��յ��˲��ٵı��漰��ʼ��

CISRTҲ�Ѿ��ص��ţ�

http://www.cisrt.org/blog/read.php?137

http://www.cisrt.org/blog/read.php?138

�鿴��Kaspersky�Ŀ��¼��쿪ʼ��Kaspersky�յ��֣��ֱ�Ϊ��

Email-Worm.Win32.Warezov.dc Email-Worm.Win32.Warezov.dd Email-Worm.Win32.Warezov.de Email-Worm.Win32.Warezov.df Email-Worm.Win32.Warezov.dg Email-Worm.Win32.Warezov.dh Email-Worm.Win32.Warezov.di Email-Worm.Win32.Warezov.dj Email-Worm.Win32.Warezov.dk Email-Worm.Win32.Warezov.dl Email-Worm.Win32.Warezov.dm Email-Worm.Win32.Warezov.dn Email-Worm.Win32.Warezov.do Email-Worm.Win32.Warezov.dp Email-Worm.Win32.Warezov.dq

Elva is back

smallmo.bokee.com — Wed,18 Oct 2006 23:09:28 CST

��Elva��¸�"Elva is back"��Ҫ��ȫ�򷢲��ˣ�ǰ��¸�Ľ��Ƭ�Ѿ��elva��blog�Ϸ��ˡ��һ�£��к�ǿ��

�ڴ�elva��ĩ��ר��

CISRT��վ��⵽��

smallmo.bokee.com — Thu,28 Sep 2006 20:17:10 CST

��CISRT��վ��ʱ�򱻺ڿ��֣��ط��ֲ��˶��ַ��ǵ��ĵ��ڷ��ˡ��ɫ�Ѿ��ʱ��Щ��ַ��ˣ��ֻ��ʱ�η��վ��˵��Ǹ�ˡ�

��ҵ��ûװɱ��û�򲹶��һϵ�е�ľ��ҵ��ˡ��ҿ��һ�£��в��ľ��е�qq�ģ��е��ĵȵȡ�ϣ��λ�ڿ��Ѳ�Ҫ��ˣ��ҫ�Լ��ļ��û�κ��˼��

�Ҽ�¼��һЩľ��ص�ַ��

http://kkpic.net/ggg/adc/123.txt
http://222.220.16.185/data6/jwm.exe
http://222.220.16.185/data6/zt2.exe
http://222.220.16.185/data6/wol.exe
http://222.220.16.185/data6/mir.exe
http://222.220.16.185/data6/qqq.exe
http://222.220.16.185/data6/mhh.exe

��һЩ��

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<9> [Microsoft Corporation]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[]

KV07

smallmo.bokee.com — Sat,09 Sep 2006 23:21:46 CST

��uninstall��KV06��install��KV07��һ�£�07��Ĺ��ܱ�֮06��ָ��࣬��ֲ��Ѿ�Խ��Խ��ʺ�װ��ô�๦�ܵ�ɱ��ˡ��е�һЩ��ܻ��ǿ��԰��ǶԸ�һЩ��в��ϣ��KV��ͬ־�ǻ��һЩaver�ǿ��Ժ��²��һЩKV�¹��ܵ�ʹ�ý̳̣��¹��ܻķϿ��

��æ��һЩ˽�˵��飬��ʱ��Ƚ��٣�һ��ں��ҾͿ��Գ��ʱ��²��͡�ϣ��ʱ��KV07��ƣ��

��07��

smallmo.bokee.com — Sat,02 Sep 2006 13:16:24 CST

ǰ��컹��˵��飬�Ǻǣ��ⲻ��Ե�07�湫��Ҳ��ϽŲ��ˡ�

��¿ɺã��һ�𹫲⣬��ǱȽ��ټ��ģ�׼��һ��йϷ��г��

ϲ��Ե�ͬѧ��Զ�װһ�£�

1.��07�湫�⣺http://www.duba.net/zt/2007gc/index.shtml

2.��07�湫�⣺http://www.ikaka.com/2007/index.htm

3.��07�湫�⣺http://forum.jiangmin.com/kv2007/kv2007.htm

��ɫ��

smallmo.bokee.com — Fri,01 Sep 2006 18:51:40 CST

��KV2007��ӣ��ֹĿǰΪֹ��Ƕ��Ѿ��Ƴ��Լ��һ��Ĳ�Ʒ��й��⣬��Ų��Ժ�ͻ��ʽ��ˡ�

��Ҳ�ò��ʱ��Ƴ��Լ��Ʒ�ˣ��ҵ�Ա��û��Ц��ҵ��²�Ʒ�Ҷ��ûװ��Բ��ܸ��ۡ��о��Լ��Ѿ�ʧȥ��Ĳ��Ȥ�ˣ��ǵ��ʽ��װ��ʽ��ɡ��

��һ�䣬װɱ��𣿲�װɱ��һ��ж��

��°�bokee

smallmo.bokee.com — Thu,31 Aug 2006 23:55:25 CST

�°�Blog�Ѿ��Ӫ��ʱ��ˡ��Ҳ�ڽ��ԭ��ľɲ��Ƶ��ϵͳ��ˡ��Ǻǣ��Ҫ�Բ��ļ��Ա��ʾ��л��

��о��°�Blog��Ż��չ��ƣ��ȡ�˸��Blog�ķ�񣬱��ǰ�ϰ汾�Ļ��ˣ��ͷ��ˣ�Ӧ�û��һЩ�µ��û��

��ô˵��Ҳ�ᵽ��ϵͳ��ˣ��Ǻǣ�Ҳ��Ǩ��һ�ѣ�ϣ��ܹ��Ӧ��ϵͳ��

��Ҳ��ı�Blogԭ��ƣ��¿�ʼBlog��

QQDragon��Ϊ��

smallmo.bokee.com — Thu,10 Aug 2006 13:17:16 CST

��⼸�죬QQDragonϵ�еı��ڹ��ڿ�ʼ��в��Ѷ��ˡ��Ҽ��QQDragon��QQβ�͵ĵ��ʹ��ֵ��±��ȴ��Ҹ��ƵĹ��ܣ��ʼ��Ϊ��ˣ��ļ��¸��ơ��ѵ�Trojan.QQDragonҪ��Worm.QQDragon�ˣ�

�й��Ľ��ܿ��Կ��⣺services.exe is virus?

��µ�һƪ

smallmo.bokee.com — Sat,05 Aug 2006 12:58:07 CST

�Ѿ�n��û��Լ��blog�ˣ��ƺ��Ѿ��blog��

ԭ��ж��1��Ϊ�ͼ��һ��˸�CISRT��Blog��Ҫʱ�䶼��Ǳ�� 2��ΪҪ׼��һ��Ա��˵�ǳ��Ҫ�Ŀ��

��ԭ��Ժ��ķ��Ѷ��CISRT�Ǳߣ��߽��Ǽ��һЩ�Ҹ��˵Ķ��

��⻹��ǵ�һƪ��£��ڶ��²��ɱ��ս ��Ϸ��QQ��ǵ�Σ�ռ��Ҳ��Ϊ��Σ�� С�ģ�

��ر�ץ�ˣ�

smallmo.bokee.com — Tue,25 Jul 2006 11:22:39 CST

��￴��ţ��թ�ߡ��ߡ��ŷ��أ��ѱ��¾��

��𣬸�λͬѧ��ǧ��ѧ��Ŷ

ԭ�ĵ�ַ��ȫ��թ�� ɷ��ѱ��¾��

��ǿ� ɽ�� ǿս��ľ��

smallmo.bokee.com — Sun,23 Jul 2006 18:59:28 CST

��¼һ�£�"��ǿ� ɽ�� ǿս��"��ľ��

��ľ��ַ��http://www.vnetedu.com/down/count.js

Microsoft PowerPoint 0-day Vulnerability FAQ

smallmo.bokee.com — Fri,21 Jul 2006 11:05:25 CST

ת��һƪ��Securiteam�Ĺ��MS Powerpoint 0-day©��FAQ��

This is Frequently Asked Questions document about new zero-day vulnerability in Microsoft PowerPoint. The document describes related malwares and e-mail attacks as well.

- Several updates done on 15th Jul and 17th Jul, 2006.
NOTE: Several Riler category Trojan descriptions included

Q: What is Microsoft PowerPoint 0-day vulnerability?
A: This previously unknown vulnerability is caused by an unknown error when processing malformed PowerPoint documents. The detailed characteristics is not publicly known, but the component being exploited is mso.dll (a shared Office library). Vulnerability was disclosed via malware descriptions informing new Trojan exploiting undocumented vulnerability in PowerPoint. This flaw has been used in several e-mail attacks against unknown organizations. Microsoft has confirmed these ��very targeted�� attacks.

Q: How does the vulnerability work?
A: The vulnerability is code execution type vulnerability. Attacker successfully exploiting this vulnerability can run code of his or hers choice in the affected machine. Executing arbitrary code is done with the recent privileges of logged user. It is known that keylogger and backdoor features are included to malwares exploiting this vulnerability. Additionally, vulnerability is caused due to memory corruption triggered by a specially drafted string in PowerPoint file.

Q: When this vulnerability was found?
A: The first malware description was published on Wednesday 12th July. Microsoft confirmed the existence of vulnerability on 13th July and officially in MSRC Blog on 14th July. There is information about samples received by one AV vendor on 11th July already.

Q: Is this one of the critical vulnerabilities reported on 11th July with MS July Security Bulletins?
A: No. This is new, unpatched vulnerability. Vulnerabilities fixed in MS06-038 etc. are different issues.

Q: Which Windows versions are affected?
A: Microsoft PowerPoint installations used in Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected.

Q: What PowerPoint versions are affected?
A: According to Microsoft Security Advisory #922970 PowerPoint versions 2003, 2002 and 2000 are affected. Several vendors list Office 2000, Office XP (2002) and Office 2003 as affected too.
Three PoCs posted to public mailing list have been tested against PowerPoint version 2003.

Q: Is PowerPoint Viewer utility affected too?
A: UPDATE: No. Microsoft lists PowerPoint Viewer 2003 as immune on its Security Advisory #922970

Q: Is Microsoft Works Suite affected too?
A: At time of writing there is no official information about this yet.

Q: Is Microsoft PowerPoint for Mac affected in this vulnerability?
A: There is no official information about this. US-CERT lists Mac versions affected too.

Q: I am using non-English version of PowerPoint 2003. Am I affected?
A: As of 17th July it is impossible to say. Exact information about affected language versions is not available yet.

Q: Where are the official Microsoft documents related to this case located?
A: Documents published by Microsoft are located at Microsoft Security Response Center (MSRC) Blog site. The address of this site is blogs.technet.com/msrc/default.aspx. UPDATE: Security advisory was published at Microsoft Security Advisories section of Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.

Q: How can I protect from this vulnerability?
A: The best advice is to use anti-virus software protecting from this specific malware and check that virus signature files are up-to-date.

Q: Is the exploit code of this vulnerability publicly released?
A: UPDATE: Yes. Three separate Proof-of-Concept has been posted to public, non-moderated and moderated security mailing lists on 15th July. These PoCs has been tested against PowerPoint version 2003. However, it is reported that these PoCs demonstrate new, different vulnerabilities.

Q: Does this mean that there are several, unpatched vulnerabilities in PowerPoint?
A: According to the newest information answer is yes.
PoCs introduce the following three vulnerabilities:
#1 memory corruption - CVE-2006-3656
#2 mso.dll - CVE-2006-3655
#3 powerpnt.exe CVE-2006-3660

PoC exploits mentioned reportedly affect a Denial of Service state or enable code execution, but code execution is not confirmed yet. It is worth of mentioning that exploitation in CVE-2006-3656 triggers when a PowerPoint document is closed.
UPDATE: Separate CVE names assigned to these vulnerabilities are the following:
CVE-2006-3656
CVE-2006-3655
CVE-2006-3660

Q: Is these separate malwares related to these three new disclosures yet?
A: No. This is the situation on 18th July, 2006.

Q: Is there PoC-type sample file of this vulnerability publicly available?
A: No.

Q: Is it safe to open any .PPT files any more?
A: It is very important not to open PowerPoint files from unknown sources. However, files from familiar sources can cause an infection too if a spoofed e-mail is being used.

Q: Are there any visual effects informing about the infection?
A: Yes. The title page (dia) shows Chinese characters when a malicious PowerPoint document is opened. Screenshot of the first page is included to Sophos document related to this vulnerability (see related item later). The background colour in PowerPoint presentation used is black and the text colour is white, in turn.

Q: Are there any changes to file system made by related Trojan malware?
A: Yes. Files rtfmsv.exe and regvrt.exe are being copied to the Windows System folder when the malicious .PPT attachment is opened.

Q: What are the Registry keys used?
A: Modifications are done under HKCU\Software\SKavx\ and HKEY_LOCAL_MACHINE\Software\SKavx.

Q: Are there any special features included to the way how this new Trojan works?
A: Yes. It can inject itself to Explorer process.

Q: What are the names of malwares exploiting this vulnerability?
A: Reportedly there is one Trojan and one dropper component for this malware. The following names are used:

Backdoor.Bifrose.F [Trojan]
Trojan.PPDropper.B [dropper]

BKDR_BIFROSE.DS [Trojan]
TROJ_MDROPPER.AS [dropper]

BackDoor-CEP [Trojan]
Exploit-PPT.b [exploit]

Troj/Edepol-C [Trojan]

Bifrose.UZ [Trojan]

Backdoor.Win32.Bifrose.uz [Trojan]

Backdoor:Win32/Bifrose!E029 [Trojan]

W32/Bifrose.UZ [Trojan]

The list is very coverage. There are some W32/Bifrose based names in use too.

��-
NOTE: The following names assigned on 17th July or later:

Trojan.Riler.F [Trojan]
Trojan.PPDropper.C. [dropper]

TROJ_RILER.B [Trojan]
TROJ_MDROPPER.AK [dropper]

Win32.Fantador.E [Trojan]

Win32/Fantador.E!Backdoor [Trojan]

This new category uses different techniques, e.g. Layered Service Provider (LSP), see
en.wikipedia.org/wiki/Layered_Service_Provider
and
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RILER.B

Q: My AV vendor doesn��t list these names at their Web pages. How do I know my AV software protects me?
A: It��s possible that anti-virus software has protection to this threat, but malware database at their Web page doesn��t include specific write-up yet because of beginning weekend, holiday season etc. The best way is to check the situation from your AV vendor.

Q: Is there Internet Storm Center documents available about the issue?
A: Yes. Internet Storm Center (ISC) has been released the following Diary entry: isc.sans.org/diary.php?storyid=1484

Q: Is there CME name to this related malware available?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: UPDATE: Yes. According to new MSRC Blog posting there is detection added to Windows Live Safety Center (in Beta phase) now.

Q: What is the file attachment name used in attacks mentioned?
A: Name including Chinese characters was used. The attackers can use other names in the future too, because the information about the format of the name used is publicly known.

Q: Is there information about file size used?
A: UPDATE: Yes. The size of the PowerPoint file is 220,160 bytes. Additionally, the .PPT file includes 18 slides.

Q: What is the sender address in use?
A: Reportedly gmail.com addresses has been used.

Q: Are the names of the recipients shown in message including malicious PowerPoint attachment?
A: No. Only name ��Undisclosed-Recipient:;�� used widely in phishing e-mails etc. was used.

Q: What is the Subject line of e-mails sent in attacks mentioned?
A: Chinese characters has been used.

Q: What is the contents of the PowerPoint presentation?
A: Sophos has a short translation of two first pages located at
www.sophos.com/pressoffice/news/articles/2006/07/chinesewords.html

Q: Is any user interaction needed when opening malicious PowerPoint file?
A: No. Opening a malformed PowerPoint file triggers a vulnerability.

Q: Is it safe to open PowerPoint presentations coming from trusted, known sender during next days?
A: The answer is yes and no. If your anti-virus software is updated it will protect you. If you want protection of one hundred percent you can save presentations first and scan them with your AV software.
These days you can��t trust that the sender information included to message PowerPoint file attached is truthful. If You are not sure, You can always call to the sender if e-mail including .PPT attachments arrives unexpectedly.
Additionally, it is possible to include malicious Microsoft Power Point files as embedded files to Microsoft Word files, or Microsoft Excel files.

Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are located at Web pages too?
A: Yes. It is possible that attacker can locate malformed PowerPoint files to Web pages too.

Q: Does the filtering PowerPoint documents at network perimeter protect me?
A: No. Normally Windows will open files with file header information, i.e. filtering by extension is not the way you can trust.

Q: When the fix to this vulnerability is expected?
A: It is impossible to say. Normally Microsoft security advisory includes information about the fixing timeline of unpatched vulnerabilities. The next monthly security updates are scheduled to 8th August, 2006.

Q: Is there CVE name available to this vulnerability?
A: Yes, CVE name CVE-2006-3590 was assigned on 14th July. Link to the CVE document is cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590.

Q: Is there rootkit techniques included to malwares exploiting this vulnerability?
A: At time of writing there is no information about rootkit functionality included.

Q: Is there other payload than backdoor and keylogging functionality included to Trojan malware?
A: Yes. Reportedly this Trojan horse may attempt to disable AV (anti-virus) software. Additionally, it sends system information to the remote Web site. This can help attacker in future attacks.

Q: Is there information about the origin of related malware authors?
A: No. It is known that some of the target Web sites used in attacks mentioned are located in China, in Hong Kong and Jiangsu area. Additionally, some target sites are located in the USA.

Q: What is the TCP/IP port used in related attacks?
A: There are several, random TCP/IP ports in use.

-UPDATE-: MSRC Blog posting states Microsoft has activated their security response process and they have added detection to the Windows Live Safety Center.

Revision History:
1.0 14-07-2006 Initial release
1.1 14-07-2006 Added information about Registry keys used
1.2 14-07-2006 Added Trojan descriptions and information about translation of PPT file contents
1.3 14-07-2006 Added CVE name. Some minor updates.
1.4 15-07-2006 Added information about Windows Live Safety Center protection and PoCs posted to public mailing list
1.5 15-07-2006 Several updates and fixes, added new items
1.6 16-07-2006 Added new item to clarify the existence of multiple vulnerabilities, minor updates
1.7 17-07-2006 Added information about TCP/IP ports used in attacks and more technical information about Trojan. Added CVE names of three separate issues reported by ��naveed��. Added new item about affected language versions, minor updates and fixes
1.8 18-07-2006 Added information from published Microsoft Security Advisory, added new type of Trojans and droppers. Added new item related to malwares exploiting three separate 0-day vulnerabilties, so-called ��naveed issues��.
1.9 20-07-2006 Added new Riler category Trojan description, added more Fantador based Trojan names

��ð��Ϧ��õ��QQβ��

smallmo.bokee.com — Sun,16 Jul 2006 12:33:41 CST

ת��CISRT��һƪ��ð��Ϧ��õ��QQβ��

�Ǻǣ��ֵ��ˡ��Ϧ��ҽ��Ϧ��õ�һ��Ϧ��ľ��Ѿ��ˣ��ڶ��Ϧ��ʲô�µı仯��

ľ��

ľ��ö��˹��ͳ�վ��Ѷ��

smallmo.bokee.com — Thu,13 Jul 2006 21:57:10 CST

Sophos��챨��һ��ö��˹��ͳ�վ��Ѷ��д��ľ��Troj/Dloadr-ZP

��һ��Sophos��ʼ��ͼƬ��

smallmo.bokee.com — Thu,13 Jul 2006 13:08:44 CST

ľ��ͨ��ʼ��д��չ��Ϊ.ppt�ĸ��û��䡣��û��֧��©��ppt�ĵ��󣬻��ͷ�%System%\regvrt.exe��Backdoor.Bifrose.E��֡�Ȼ��ע��EXPLORER.EXE��̣��ͷ�һ��û��©��ppt�ĵ��©��ĵ��

ͬʱ��ʾһ�λ��ʲô��֪�Ǹ�Ů��͸��999��õ�壻ʲô��˷ѣ��֪�Ǹ�Ů��͸��999��õ�塱��ͼ��ͼƬ��Symantec��

΢��7�°�ȫ��

smallmo.bokee.com — Wed,12 Jul 2006 11:41:06 CST

΢��7�°�ȫ��棬��5�����ȼ��2����Ҫ�ȼ��Ѿ��ز��װ��

��η��Ĳ��

Sohu��֮��ҳ��е��ľ��

smallmo.bokee.com — Mon,10 Jul 2006 23:35:53 CST

�սӵ��ѵķ�ӳ��Ż��վ�Ѻ��Sohu.com���ϵ��ҳ��Ӻ��ľ��Сİ�Ը��ҳ��˷��ȷ��ľ��һ��ľ��Ƚ��£�Kaspersky��ǵȷ��޷��⣬��С�ģ�

��ľ��ҳ��һ��С�ѩ��ơ��һ��ͨ����ҳ��ͼ��

�ڴ�ͼ�к��ָ��ҳ�󣬻��ַ��ͼ��

��ַ��һ��ű�h**p://bcwr1.3322.org/css/1/sp2.asp

�ýű��h**p://bcwr1.3322.org/css/1/wsxedc.jpg��ļ��ʵ��һ��exe��ļ��С66,381 �ֽڣ�NSPack�ӿǣ�AVP��ΪTrojan-PSW.Win32.QQPass.fq��Trojan.PSW.Liumazi.fd��ǣ��

ͬʱ��h**p://bcwr1.3322.org/css/1/edcx.gif��Ǹ��ű��ļ��С2,588 �ֽڣ��wsxedc.jpg�ġ�

��h**p://bcwr1.3322.org/css/1/index.htm��أ�h**p://bcwr1.3322.org/css/1/upx.gif��Ǹ�chm�ĵ��С39,280 �ֽڣ��ͷ�schove.exe��UPX�ӿǣ��С31,232 �ֽڣ��Ǹ��Ϸ�ʺŵ�ľ��ĿǰKaspersky��ǵȶ��ܲ�ɱ��

2006.7.11 11:55��£�

AVP��µĿ��Ѿ��Բ�ɱ��ΪTrojan-Spy.Win32.Agent.nf

��18.35.10�汾��Բ�ɱTrojan.PSW.Agent.adw

��CISRT��⣬ѩ��ơ�Ƶ��վ�Ͷ�Ҵ��վ��к��˵��ҳ��Ҳ��ڸ��վ��ӣ��ɷ��CISRT��̳���Ѻ��֮��ҳ��е��ľ��ʱ��С��

Jalabed.B��ٽ��籭��Ʊ

smallmo.bokee.com — Sun,09 Jul 2006 18:18:49 CST

һ֧��W32.Jalabed.B@mm��汻Symantec�ػ��֧��ͨ��ʼ��P2P��IRC��ַ�ʽ��Ҽ�ð2006�¹��籭��Ʊ��С�ģ�

Jalabed.B��С77312�ֽڣ��ʼ��ʽ��£�

��:
Im the winner of 2 FIFA tickets

��:
You wont believe it but im the winner of 2 tickets for FIFA 2006 in Germany,if you want a ticket read attackment ;)

��:
FIFA 2006 Ticket.doc.exe

��û��в��󣬻��

%Windows%\kh4l3d.txt
%Windows%\arabic.exe
%Windows%\usefull.txt.exe
%Windows%\FIFA 2006 Ticket.doc.exe
%Windows%\mail.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
"4r4bic h4x0r" = "%Windir%\arabic.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"4r4bic h4x0r" = "%Windir%\arabic.exe"

��滹��ͨ��IRC��IRCƵ��û��Ϊusefull.txt.exe��ͬʱ��ͨ��Kazaa��д��

��Ͳ��Gattmanָ�򷴻��IDA

smallmo.bokee.com — Sat,08 Jul 2006 18:36:34 CST

һ��ͨ��IDA��ĸ��Ͳ��Gattman-A��̽ػ�

Datarescue IDA PRO��ȫ��󷴲��ʦ�ڷ��ʱ��õ��һ��ù��ߣ��γ��ֵ�Gattman-A��Ŀ��ָ��IDA��ƺ��ͨ��ʦ��д��

Gattman-A��Ⱦ.IDC�ű��ļ��.IDC�ű��ļ��Ա�IDA�򿪡�

��Ƿ��˾��һЩ��

1. Sophos: W32/Gattman-A

2. Trend Micro: PE_GATTMAN.A-O

��Ա��ӡ��վ��ľ��

smallmo.bokee.com — Fri,07 Jul 2006 19:18:12 CST

�ղ��ڷ��һ��ľ��ַʱ��żȻ��ˡ��Ա����վ��taobaobox.com��˳��վ��һ�μ�飬��վ��˷��ľ��Ҵ�ľ��Ƚ��£�Kaspersky�ȷ��Ŀǰ��޷��ɱ��ѹ��ѣ��ر��Ա��ĸ��û��С�ģ�

�ڡ��Ա����վ��β��ֲ��һ��ַ��ͼ��

ͬʱ��ҳ��Ҳ��˴��ɫ��sms.htm��ͬʱ��
h**p://www.ads173.com/shipin/index.htm
h**p://www.ads173.com/shipin/count.asp

index.htm��ҳ��ϵͳ�İ汾�ֱ��
h**p://www.ads173.com/shipin/w98.htm
h**p://www.ads173.com/shipin/winnt.htm
��ַ�ֱ��h**p://www.ads173.com/shipin/haha.ico��h**p://www.ads173.com/shipin/logo.gif��haha.ico��С30,839 �ֽڣ�FSG2.0�ӿǣ��Ǹ��Ƚ��µĵ��ľ��

count.asp��h**p://www.ads173.com/shipin/ray.exe��30,839 �ֽڣ�FSG2.0�ӿǣ�ͬhaha.ico��ͬʱ�޸�ע��
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","REG_DWORD" = "0"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200","REG_DWORD" = "0"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004","REG_DWORD" = "0"

2006.7.7 21:40��£�

AVP��µĿ��Բ��Trojan-PSW.Win32.QQPass.io

��̳��ľ��

smallmo.bokee.com — Thu,06 Jul 2006 19:06:19 CST

��ѷ�ӳ����̳��sorrowbyes.com��ľ��Сİ��һ�£��ȷ��˷��ľ��Ѵ��С�ģ�

��ľ��ַ��ͼ��

ad.htm��ҳ��

h**p://mm.47555.com/count.html
h**p://mm.47555.com/winnt.htm
h**p://mm.47555.com/w98.htm

count.html�Ǹ�chm�ĵ��С19,062 �ֽڣ��ͷ�QQ.EXE��QQ.EXE��С11,208 �ֽڣ�NSPack�ӿǣ�MD5ֵΪf04973fb8267827f347594b373732290��AVP��ΪTrojan-Downloader.Win32.Agent.ue

winnt.htm��ز��
h**p://mm.47555.com/logo.gif
h**p://mm.47555.com/logo.ico��ͬQQ.EXE��

w98.htm��h**p://mm.47555.com/count.html

ͬ��̳��ľ��ϵ�ľ��

IRCBot.st��ð΢��WGA

smallmo.bokee.com — Tue,04 Jul 2006 12:42:43 CST

2006.6.30��ң�һ��Backdoor.Win32.IRCBot.st��AVP��汻��󷴲��̽ػ��֧��ð΢��WGA��˲��ٰ�ȫ��Ϣ��̵Ĺ�ע��

��ĿǰСİ�ռ��Ϣ��ͨ��AOL��ʱ��д��Ҫ�ĸ�Ⱦ��ǹ��û��Ѿ��յ�һЩ��û��Ⱦ��֧��ı��棬��ŶԹ��û��Ӱ�컹�ǱȽ�С�ġ��򵥽��һ�¹��֧��Ϣ��

Backdoor.Win32.IRCBot.st��С��7K��ң�ͨ��AOL��б��еĺ��ѷ��Ϊ��wgavn.exe��ļ��û��ļ��󣬻��ϵͳ��

\%system32%\wgavn.exe
\%Windows%\Debug\dcpromo.log

�ڷ��

��: wgavn
��ʾ��: Windows Genuine Advantage Validation Notification
��ִ��ļ��·��: \%system32%\wgavn.exe
��: �Զ�

��ӡ��޸�ע��

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn
DisplayName = "Windows Genuine Advantage Validation Notification

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = "dword:00000001"
AntiVirusDisableNotify = "dword:00000001"
FirewallDisableNotify = "dword:00000001"
AntiVirusOverride = "dword:00000001"
FirewallOverride = "dword:00000001"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = "dword:00000000"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks = "dword:00000000"
AutoShareServer = "dword:00000000"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = "dword:00000001"

��̵��

1. Trend Micro: BKDR_IRCBOT.DB

2. Sophos: W32/Cuebot-K

3. Nod32: Win32/IRCBot.OO

4. Symantec: W32.Esbot.E

��籭�йص�IRC��

smallmo.bokee.com — Mon,03 Jul 2006 13:29:28 CST

�ոշ��һ��籭�йص�IRC��棬��Ǹ��д�ġ�

�ļ��ΪPortugal.vbs��С1,937�ֽڣ��Ǹ��ű��AVP��ΪIRC-Worm.VBS.Generic��ΪVBS.I-Worm.Lee-Based

��Ϊ��

1. ͨ��MAPI�Զ��ʼ��ʼ��ʽ��

���� "��Ӯ��"
���� "��Ӯ��Ӯ��"
����Portugal.vbs

2. ��ע��
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page,"h**p://www.mumayi.net"
HKCU\Software\Microsoft\Internet Explorer\Main\Window Title, ""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Portugal,"C:\WINDOWS\Portugal.vbs"
HKCU\software\Worm\Mirqued", "1"

��ͨ��mirc��Portugal.vbs

AVP��Ƕ��ǹ��׵��Ǻǣ��Ҹ��Ҳ��˸��ͽ�IRC-Worm.VBS.Mirqued.a��

��㽭Ӱ��Ƶ��վ��ľ��

smallmo.bokee.com — Fri,30 Jun 2006 22:49:24 CST

���㽭Ӱ��Ƶ����վ��ztv-5.com��ľ��Сİ��ѹ��С�ģ�

��վ�ϱ��ֲ��һ��ַ��ͼ��

sina.htm��ϵͳ�汾��򿪲�ͬ��ҳ

98�汾�Ļ��h**p://sina109.3322.org/sina/w98.htm��ҳ�Ϻ��ļ�

h**p://sina109.3322.org/sina/young.css
h**p://sina109.3322.org/sina/young.gif

young.css��ʵ�Ǹ�exe�ļ��С512 �ֽڣ�PE_Patch�ӿǣ��Ǹ�ľ��AVP��ΪTrojan-Downloader.Win32.Tiny.cj��Զ��ػҸ��ӣ�h**p://sina109.3322.org/sina/sina.exe��С303,104�ֽڣ�AVP��ΪBackdoor.Win32.GrayBird.jj��ΪBackdoor.Gpigeon.xiy

nt�汾�Ļ��h**p://sina109.3322.org/sina/winnt.htm��ҳ�Ϻ��ļ�

h**p://sina109.3322.org/sina/young.css
h**p://sina109.3322.org/sina/young.gif��ͬ�ϣ�

smallmo.bokee.com

7.7�Ϻ��⼮Ůģ�ر�ɱ������

[ת]�봨���������ͬ�����繫��

24����֤ȯ(��Ʊ)����ӡ��˰˰�ʵ���1��

���š�����������

4.19��DDoS��ʾ������

Ī������Ļ��

AV-TEST Q1/2008 �������

���˽�

�׾�ж��

����MSN����ر��

��ɱ�ţ�����Ҳ��������

���� VS ����

[����]����è���㡱���߱���

ÿ��downһ��

21��Сʱ��

���������ڻָ���

�������⹥��

���ƿƼ������й������������ģ�China Lab����China PatternѸ�ͳ���

����Elva��ר��

Backdooring Images

Elva��ר����1087��

��ɽ����ϵͳ����ר��

���ǿ���3.0��������

�����ǲ���

��ʣ�Elva is back

SpamThru���������ľ��

��һ��Warezov��湥��

Elva is back

CISRT��վ���������⵽����

KV07

����07����

��ɫ����

�����°�bokee

QQDragon�������Ϊ��

���µ�һƪ

���ر�ץ�ˣ�

�������ǿ� ɽ�� �ǿս���������ľ��