“毒”步天下

史瑀的博客 (Shi Yu's blog)



January 2006


[News flash] On January 10, Rising released its "2005 Annual Computer Virus Epidemic & Network Security Report for Mainland China". According to the report, Rising intercepted 72,836 viruses in 2005, more than 90% of which showed profit-driven characteristics, and legitimate commercial companies are increasingly becoming the main driving force behind hackers and rogue software. Rising vice president Mao Yiding said that greed is now the defining trait of viruses and hackers, and that some legitimate commercial companies and Internet businesses are becoming the biggest hidden hand behind network threats.

The Rising Security Report points out that in 2005 network threats as a whole showed one clear characteristic: viruses, hackers and rogue software are tightly combined, have clear profit motives, and have already formed a well-defined "industry chain". Their methods can be summed up in four words: theft, fraud, hijacking and rogue software. Some steal virtual property of value and sell it themselves; others work for buyers behind the scenes, and those buyers are often legitimate commercial companies and Internet businesses.

Typical cases of hackers whose goal is "theft": in March 2005, Jinhua police broke up a hacker gang that specialized in stealing accounts for the game 传奇 (Legend of Mir); the accounts stolen by one member alone were worth a million yuan. In November 2005, Shenzhen police cracked the "first QQ theft case", in which two hackers made at least 65,000 yuan selling stolen QQ numbers.

The so-called "fraud" works like this: the hacker first sets up a "phishing site", then sends large volumes of spam e-mail and mobile text messages using "free software" or "ringtones" as bait to trick users into logging in. Users who "take the bait" are infected, or are tricked into making online purchases. During the 2005 National Day Golden Week, large-scale bank-card SMS fraud broke out across the country; one victim was cheated out of 310,000 yuan in a single incident. Since the beginning of 2005 the Ministry of Public Security, the Beijing Public Security Bureau and others have issued successive warnings that phishing, network trojans and similar crimes are becoming the new hotspot of high-tech crime.

"Hijacking" means that hackers use viruses to take control of users' computers and turn them into tools for their own misdeeds. According to the Rising report, there were 23,844 "bot" viruses in 2005, 32.7% of the total. After infecting a computer, this kind of virus opens a backdoor on it and accepts remote control from the hacker. A computer with such a backdoor installed is called a "zombie" (肉鸡, literally "broiler chicken"), and a network made up of many zombies is called a "botnet". A hacker-controlled botnet can deliver huge click volumes to a given website, or attack competitors on behalf of an "employer", provided that "you can afford the price".

On January 10, 2005, Tangshan police arrested a hacker surnamed Xu, who had used more than 60,000 infected computers (a botnet) to attack a music website. Foreign hackers have used similar attacks to extort commercial websites, demanding between 10,000 and 100,000 US dollars each time; and a domestic hacker gang claims to control several hundred thousand computers and to be able to deliver over a million clicks to an employer's website within 24 hours, or to take a competitor's site down.

"Rogue software" refers to software that has some practical value but also exhibits some of the behaviour of computer viruses and hackers. Its defining characteristics are "coercion, concealment and deception" of users; it helps commercial companies, Internet businesses in particular, grab user resources or loads adware, all for large profits.

According to the Rising Security Report, one domestic website used rogue software to replace users' home pages and rose from nowhere to a top-500 global ranking in just two and a half months. Browser hijacking, pop-up advertisements and other common rogue-software behaviour have become a routine part of netizens' lives. Driven by profit and by the pressure to survive, many shareware authors also forcibly bundle "rogue software" into their programs, and shareware bundled in this way has become the main distribution channel for rogue software.

Based on its statistics and analysis, the Rising Security Report concludes that commercial companies, chiefly certain Internet businesses, have become the "primary driving force" behind the threats above, with virus writers, hackers and some shareware authors as their accomplices, and that the two sides have already formed a complete "industry chain".

The report closes by noting that as the Internet reaches into every corner of society, network threats such as rogue software touch the interests of many different groups, so solving these problems thoroughly requires a joint effort from every part of society. For example, the fact that some shareware authors have joined the "rogue software" trade is inseparable from China's persistently high software piracy rate: unable to earn the income they deserve through normal channels, they end up as accomplices of commercial companies.





Abstract: Statistics from Rising's global anti-virus monitoring network (mainland China portion) show that 72,836 new viruses were intercepted in 2005, more than double the number in 2004... (full text: 46,948 characters)



Frequently Asked Questions about WMF Hotfix

  1. What operating systems are supported?
  2. How to install the hotfix on a single computer?
  3. How to install the hotfix on my network?
  4. How to uninstall the hotfix?
  5. How to check that the hotfix is working on my computer?
  6. What does the hotfix exactly do?
  1. What operating systems are supported?
    The fix is known to work on Windows 2000, XP (SP1 and SP2), XP64, Windows 2003. It does not work on Windows 98, ME, NT. The impact of the vulnerability for unsupported systems is small and they are not as vulnerable as 2000 and XP.
  2. How to install the hotfix on a single computer?
    Just run wmffix_hexblog14.exe. If the fix happens to be incompatible with your system, it will inform you about it and quit. After a successful installation, REBOOT.
  3. How to install the hotfix on my network?
    You can run the installer in the silent mode:

    wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

    There will be no dialog boxes on the screen and the installation will be completely automatic.

  4. How to uninstall the hotfix?
    The hotfix will be listed in the Add/Remove programs window and you can uninstall it from there.
  5. How to check that the hotfix is working on my computer?
    Use the checker to verify that the hotfix works. It should report that your system is invulnerable. If it reports that your system is still vulnerable, check the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs registry key. It should contain a reference to c:\windows\system32\wmfhotfix.dll. There are some programs known to clean up this registry key. The fix will not work in this case. You should find and disable the program which cleans the registry key or uninstall the hotfix.
  6. What does the hotfix exactly do?
    The hotfix disables a vulnerable function in GDI32.DLL. It does not disable any other functionality: you will still be able to use the Fax & Picture viewer and other programs. It does not alter any file on your computer, the modifications are done in the memory and will disappear as soon as the hotfix is uninstalled and the computer is rebooted.

http://www.hexblog.com
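A scripted version of the check in item 5 of the FAQ, added here as an example; it is not part of the hexblog FAQ or of the hotfix itself. It reads the AppInit_DLLs value the FAQ names and reports whether wmfhotfix.dll is still registered there, which is exactly what breaks when a registry cleaner wipes the value. The registry path and DLL name come from the FAQ; the assumption that AppInit_DLLs is a space- or comma-separated list of DLL paths is Microsoft's documented format for that value. It is written for Python 3 (with a fallback to the Python 2 _winreg module); off Windows the registry read returns nothing and only the parsing logic runs.

```python
"""Check that the WMF hotfix DLL is still registered in AppInit_DLLs.

Added example for this page, not part of the hexblog FAQ or the hotfix.
Registry path and DLL name are taken from item 5 of the FAQ; the parsing
rule (space- or comma-separated DLL list) is Microsoft's documented
format for the AppInit_DLLs value (assumption, as stated in the lead-in).
"""
import os
import sys

# Location and file name given in item 5 of the FAQ.
APPINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"
HOTFIX_DLL = "wmfhotfix.dll"


def split_appinit(value):
    """Split an AppInit_DLLs string into DLL entries.

    Windows accepts either spaces or commas between entries; empty
    entries left by doubled separators are dropped.
    """
    if not value:
        return []
    return value.replace(",", " ").split()


def hotfix_registered(value):
    """True if any entry names wmfhotfix.dll (basename, case-insensitive).

    Both the full path the installer writes and a bare file name count;
    backslashes are normalised so the check also works off Windows.
    """
    for entry in split_appinit(value):
        name = os.path.basename(entry.replace("\\", "/")).lower()
        if name == HOTFIX_DLL:
            return True
    return False


def read_appinit_from_registry():
    """Return the live AppInit_DLLs string, or None if unavailable.

    Works only on Windows; elsewhere the registry module is missing
    and None is returned, which diagnose() reports as "missing".
    """
    try:
        import winreg                    # Python 3 on Windows
    except ImportError:
        try:
            import _winreg as winreg     # Python 2 on Windows
        except ImportError:
            return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            value, _ = winreg.QueryValueEx(key, APPINIT_VALUE)
            return value
    except OSError:
        return None


def diagnose(value):
    """Map an AppInit_DLLs string to (ok, human-readable message)."""
    if hotfix_registered(value):
        return True, "OK: %s is registered in AppInit_DLLs" % HOTFIX_DLL
    if not split_appinit(value):
        return False, ("AppInit_DLLs is empty or missing: the hotfix DLL is "
                       "not being loaded (not installed, or a registry "
                       "cleaner removed the entry)")
    return False, ("AppInit_DLLs is set but does not name %s: %r"
                   % (HOTFIX_DLL, value))


if __name__ == "__main__":
    ok, message = diagnose(read_appinit_from_registry())
    print(message)
    sys.exit(0 if ok else 1)
```

Run it after the reboot the FAQ asks for; exit status 0 means the DLL is registered, 1 means it is not. A registered entry is necessary but not sufficient: the FAQ's checker remains the authoritative test that the in-memory patch is actually active.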



Today in the security-software section of the Kingsoft (金山) forum I saw several negative posts about Rising, all from the same ID.

The poster's ID is "实话一定要实说" ("the truth must be told"), but is he really telling the truth? Going in, the content is nothing but malicious rumour and slander, and the same posts have also been reposted to the Donews, Jiangmin, Rising, Tiantian365 and other forums. This is certainly a deliberate act by one of Rising's competitors. I find this practice contemptible and disgraceful, and I regret what it says about the development of the domestic security-software industry...





    Abstract: The WMF hotfix written by the author of IDA has now been updated to version 1.4, but it still does not seem to work 100% of the time. This evening, Xiao Mo gave me a WMF test file; opening it under Windows 2003 x64 terminated the Explorer.exe process. Everyone is now waiting for Microsoft's response; let us keep following developments around the WMF vulnerability... (full text: 249 characters)




    Abstract: Today I listened to Wang Leehom's new album 盖世英雄 (Heroes of Earth); many of its songs draw on Chinese opera. The album feels less mainstream than the last one (a lot of rap, not well suited to KTV); after two listens, it is not bad. 在梅边, 花田错, 大城小爱 and 爱 因为在心中 are the better tracks. 在梅边 is the most fun: its rap section reminds me of Robbie Williams' Rock DJ, and the rap run at the end is impressive, no worse than the 报菜名 (menu-recitation) routine from xiangsheng. Zhang Shaohan (Angela Chang) is also about to release a new album; looking forward to it... (full text: 352 characters)




    Abstract:

Recently the WMF vulnerability has become the hottest topic in the security community, and quite a few downloaders, trojans and IM worms exploiting it have appeared. Reportedly 6% of McAfee's users have already been attacked through this vulnerability, which shows its impact abroad.

Domestic anti-virus vendors have mostly collected the attack code from abroad and added it to their virus databases. So far, mainland China has not seen large-scale attacks through this vulnerability.

Microsoft has not yet released a patch for it. Ilfak Guilfanov, author of the well-known disassembler IDA, has developed a temporary tool to patch the WMF vulnerability; details at: http://www.hexblog.com/2005/12/wmf_vuln.html

Download link: http://www.hexblog.com/security/files/wmffix_hexblog13.e    (full text: 510 characters)