(Clearwisdom.net)

(Updated 10:30 Beijing Time, September 6, 2005)

[Clearwisdom editor's note: Readers who went directly to the English site http://fgmtv.net/ should not have this problem, unless they reached it by following the link on the Chinese site.]

On September 2 Beijing Time, it was discovered that hackers had planted malicious code into web pages at the Fangguangming website (http://asp.fgmtv.org). Technical staff had cleaned up the malicious code by the morning of September 3 Beijing Time. Based on the results of our examination so far, the malicious code was planted in early August. We recommend that readers in China and overseas who visited Fangguangming and related websites with Internet Explorer (IE) during that period immediately re-install the operating system and take the other measures described below.

This malicious code redirected visitors to a particular malicious website in Mainland China, where IE security vulnerabilities were exploited to plant a Trojan program on the visitor's computer. The Trojan could expose the machine's IP address and other information, and possibly monitor the visitor's keystrokes. Anti-virus software (Norton, for example) cannot detect this Trojan.

If you visited the Fangguangming website with IE between early August 2005 and September 3, 2005, the malicious code would have automatically downloaded a Trojan program from elsewhere and planted it on your computer. We advise readers to reinstall the computer's operating system immediately to get rid of this security problem completely.

  • See the appendix for steps to examine whether your computer is affected by this virus.
  • If your computer is affected, please take security remedies immediately. We advise the following approach:
      • Reinstall the operating system on the personal computer. If a GHOST image was made when the computer was assembled, it can be used to restore the initial state.
      • Change the IP address used for Internet access.
      • Change the password for your email account. If you have been using an email account with a domestic Internet service provider, Yahoo!, Hotmail, or Gmail, you should stop using it to avoid any surveillance that might be carried out by these companies on behalf of the Chinese Communist Party.
      • We do not recommend using software to clean up this Trojan, as it is very malicious. Reinstalling the operating system is the only way to ensure your computer's security.

The Qingzhou website at http://qingzhou.sytes.net/ (including all sites sharing the domain name used by the Qingzhou website) has experienced the same security problem. The affected period is from early August 2005 to the morning of September 4, 2005. Administrators of the Qingzhou website have been notified; they have shut down the website and are in the process of cleaning up its contents. If you browsed the Qingzhou website with IE during that period, we likewise advise you to reinstall the operating system on your computer immediately.

Clearwisdom.net Technical Department and Fangguangming Technical Department

September 3, 2005

Appendix: Steps to Examine Your Personal Computer

The following instructions are based on the results of our examination so far, which focused on detecting the Trojan programs. Use them to help determine whether your personal computer has been hit by the virus.

There are two Trojan programs. One is hndylau.exe, which existed on both the Qingzhou and the Fangguangming websites. The other is ray.exe, which existed only on the Fangguangming website.

The first Trojan, hndylau.exe, would have produced two files in the system directory: SSock32.dll and svch0st.exe (note the digit zero in svch0st.exe, which imitates the name of the legitimate Windows svchost.exe). If your search of the hard drive turns up these file names, it is almost certain that your computer has been affected. This Trojan would send the personal computer user's information to a specific email account in Mainland China.

The second Trojan, ray.exe, has been examined on six different operating system installations in Mainland China and overseas. It has been verified that an entry named Yzxekttb would have been registered in the registry, and a file named Yzxekttb would have been planted in the system directory. If your search turns up a file named Yzxekttb, it is certain that your machine has been affected. The exact behavior of this Trojan is not clear yet, but so far we have not found any rootkit-like backdoor capabilities associated with it.

Examination steps for reference:

Search all files on the hard drive(s) for these four names: Yzxekttb, SSock32.dll, svch0st.exe, ray.exe. If any of them is found, it is almost certain the machine has been hit by the virus, and reinstallation of the operating system is necessary.

From the "Start" menu on the Microsoft Windows taskbar, select "Run..." and enter "regedit" in the "Open" field. Click "My Computer" at the top of the registry tree to highlight it. Under the "Edit" menu, select "Find..." and search for Yzxekttb and svch0st.exe in turn. If either string is found, it is quite certain that your machine has been affected by the Trojan. (There is one exception: in Windows XP's registry, any match under the "Search Assistant" entry should not be counted, as that entry merely records your recent searches for these strings. In Windows 2000, the entry to ignore is Internet explorer/ExplorerBars/FilesNamedMRU/.)
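The file search and the registry search above, as one added PowerShell script that is not part of the original advisory; it assumes Windows PowerShell 3.0 or later and an account that can read the local drives and the HKLM and HKCU hives, and it skips the two search-history registry locations the advisory says to disregard.

```powershell
# Added example (not from the original advisory): automate the appendix checks.
# Run from an elevated PowerShell prompt on the machine being examined.

# File names the advisory says indicate infection (exact names, including the
# digit zero in svch0st.exe, which imitates the legitimate svchost.exe).
$fileIndicators = @('Yzxekttb', 'SSock32.dll', 'svch0st.exe', 'ray.exe')
# Strings the advisory says to search for in the registry.
$regIndicators = @('Yzxekttb', 'svch0st.exe')
# Registry locations that merely record your own recent searches (the advisory's
# Windows XP "Search Assistant" and Windows 2000 FilesNamedMRU exceptions);
# hits under these keys are not evidence of infection and are skipped.
$ignorePaths = @('\Search Assistant\', '\ExplorerBars\FilesNamedMRU\')

Write-Host 'Scanning local drives for indicator file names...'
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $fileIndicators -contains $_.Name } |
        ForEach-Object { Write-Warning "Indicator file found: $($_.FullName)" }
}

Write-Host 'Scanning registry key names, value names and value data...'
foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Skip the search-history keys the advisory says to disregard.
        if ($ignorePaths | Where-Object { $key.Name -like "*$_*" }) { return }
        # Gather everything regedit's "Find" would look at for this key:
        # the key name, each value name and each value's data.
        $candidates = @($key.PSChildName)
        try {
            foreach ($v in $key.GetValueNames()) {
                $candidates += $v
                $candidates += [string]$key.GetValue($v)
            }
        } catch { return }   # key not readable by this account; move on
        foreach ($c in $candidates) {
            foreach ($ind in $regIndicators) {
                if ($c -and $c -like "*$ind*") {
                    Write-Warning "Indicator '$ind' found in registry key $($key.Name)"
                }
            }
        }
    }
}
Write-Host 'Scan complete. Any warning above means the machine should be treated as compromised.'
```

Any warning line is a hit on one of the advisory's indicators; as the advisory states, the response is to reinstall the operating system rather than to remove the files by hand.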