爱黑武论坛

 找回密码
 注册

QQ登录

只需一步,快速开始

查看: 10708|回复: 5

[工具] 请不要使用网上的QPST 2.7.422版本,经验证有病毒

[复制链接]
发表于 2015-11-28 11:53 | 显示全部楼层 |阅读模式

立即注册,加入爱黑武论坛的大家庭!爱黑武,爱上搞机生活!

您需要 登录 才可以下载或查看,没有账号?注册

x
本来看尘封的教程下载QPST
http://bbs.ihei5.com/thread-328434-1-1.html

结果KIS跳了,卡巴误报的情况真的不多,平时都安静的不行

结果在XDA看到有人说422版本有问题,实际是402改的,加了个keylogger

http://forum.xda-developers.com/showthread.php?t=2263391
  1. Hello, fellow QPST users.

  2. QPST 2.7 Build 4.2.2 is a fake version with keylogger.
  3. Some a$hole downloaded latest public QPST build (4.0.2) and decompiled MSI installer package, then edited all "4.0.2" to "4.2.2", added "fake changelog", added keylogger (qualcomm.exe), then repackaged and spread around web!

  4. Everyone who downloaded QPST build "4.2.2" should change all his passwords.

  5. More info about malware from fake 4.2.2 build (QPST.2.7.422.msi)
  6. MSI package (QPST.2.7.422.msi) was embedded/tampered with qualcomm.exe which is a .NET based malware that logs your keystrokes and sends it to attacker's server.

  7. How to delete the actual malware from your system?
  8. Look at the startup from msconfig or CCleaner, there should be a file called qualcomm.exe thats set to start everytime system starts. Delete both registry and file.

  9. If you wanted to see what data thief was stolen from you. Just open the .dc file (in "dclogs" folder) with Notepad and see for yourself.
  10. In XP, dc file is located here!
  11. C:\Documents and Settings\Administrator\Application Data\dclogs
  12. there should be a file called "201X-XX-XX-X.dc
  13. if you open that DC files with Notepad, you'll see all your keystrokes.

  14. Here is mine. I've intentionally entered paypal site with fake info.
  15. Quote:
  16. :: Run (3:01:51 AM)
  17. Script kiddie. NET Based malware, huh?[ESC]

  18. :: Program Manager (3:02:14 AM)
  19. e

  20. :: Firefox (3:02:18 AM)
  21. www.paypal.com

  22. johhny193@yahoo.com[TAB]
  23. mypaypalpass
  24. [ENTER]

  25. :: Documents and Settings (3:02:19 AM)
  26. [UP]


  27. :: Administrator (3:02:28 AM)
  28. [DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
  29. [DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
  30. d

  31. :: (3:02:34 AM)


  32. :: Administrator (3:02:34 AM)
  33. d

  34. :: (3:03:11 AM)
  35. mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

  36. :: [Release] QPST 2.7 BUILD 422 - Download Here - Enjoy - Mozilla Firefox (3:03:57 AM)
  37. crap


  38. How to delete?d

  39. :: Clipboard Change : size = 16 Bytes (3:03:57 AM)
  40. QPST.2.7.422.msi

  41. :: (3:04:23 AM)
  42. cccccc
  43. Keylogger sends the logs from keylogger to "qpst.hopto.me"

  44. So please report about this incident where and when you encounter QPST 4.2.2 somewhere (forums, posts, sharing-sites, etc)
  45. Copy my whole post and paste it where you see 4.2.2 mentioned.

  46. Bonus: Fake Changelog
  47. If you've installed this 422 build, then open the Readme.txt in C:\Program Files\Qualcomm\QPST\Documents
  48. Scroll down and see the "6/12/13 QPST 2.7.422 changelog"

  49. Quote:
  50. 6/12/13 QPST 2.7.422
  51. 1) EFS Hello commands will not be sent unless the device is in a compatible mode. Sending this command when the
  52. device is in download mode can cause a "server busy" message for a few seconds because of command retries.
  53. 2) Support for the Sahara device protocol (see 80-N1008-1 or equivalent) is now built in to the QPST server process.
  54. This protocol is only supported by USB Serial ports, not TCP/IP connections. In QPST Configuration a device in
  55. this mode will display as "Q/QCP-XXX (Sahara Download)". This mode can only be detected (1) when the QPST server
  56. process starts or a COM port in this mode added to QPST, or (2) when a device enters Sahara mode on a port assigned
  57. to QPST. This is because the device only sends its Hello message once, as soon as the COM port is opened.
  58. Changelog above is actually cloned from QPST 2.7.394 Just scroll down and see Build 2.7.394 changelog. Its same!

  59. So forget about Build 422. It doesn't exist.
  60. Use QPST 2.7 Build 402. It's the latest public build
复制代码

这里也有讨论:
http://cdmagurus.com/archive/index.php/t-17103.html

但是,说422有问题的人发的411链接,经验证也是有问题

  1. !!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!

  2. !!! TROJAN AGAIN !!!

  3. Some time ago in Feb 2014 man named anycallmongolia posted a link to QPST 2.7 build 411
  4. Link points to the site HuaweiDevices.ru
  5. h_t_t_p_://_huaweidevices._ru/ROMS/QPST_2.7.411.rar
  6. Later I'd personally downloaded this version from this topic a few times in 2014 and this was normal non fake QPST which i'd installed on a few PC's. (Can't remember particular link now). Today I would like to install QPST to a new NB PC, so assumed this topic as the best source. Being a recovery/data structures expert I always inspect code (mostly by viewing in text/hex). As most of members I've very high trust level to xda (certainly it's much higher then one related to the "famous and respectable" corps like Google/MS/Apple/etc, who aren't on my side, I'm sure).
  7. I've installed QPST got from this topic a few times, so I'd almost pressed Enter (I use FAR most of time and advice you to do the same) over the DL'd file "qpst 2 7 411.exe".... What??? - EXE??? And it's just about 500Kb long... But QPST installer occupies about 16Mb.
  8. I've explored body - I's typical malware with slightly "encoded" (to prevent direct reading) data inside. QXDM offered on the neighbor page is the same malware of the same size.

  9. If you'll try to dl QPST from above link you'll got 404 error in the center of normal html page with site menu etc... What normal man would think in this case? He'll think page/product have moved (e.g. due to overload protection) and what he'll do next? He'll try to find where page have moved and... will got link in menu just at the bottom of 404 page. It's just trivial (but very good working!) "social engineering" - publish real app in trusted place and when it will pass checks replace it with malware. (Or may be domain was sold to the criminals as it often occures in Russia for a few latest years). Even if you will check DL url in the status bar it will show link to the .RAR archive, but ASAY click the link it will be redirected to .exe!

  10. PLEASE PUBLISH BIG WARNING on TOPIC START and remove links to HUAWEIDEVICES.RU!!!

  11. Furthermore. Situation is much worse because huaweidevices shows 1ST position in search request "QPST 2.7.411" by Yandex.ru (#1 search engine in Russia) and 2ND position in Google results with the same request!!! It's VERY DANGEROUS situation! Thousands if not millions of peoples are at risk of infection.
  12. I'm going to write abuses to Google and Yandex NOW!
  13. Please spread info on such a new attack manner/technique around your friends, collegues and internet.!
  14. Always check what you run!!!
复制代码



后面有人发了425版本,KIS扫描没问题,但网络险恶,我也不能保证425没有问题,还请谨慎使用,用个电信手机真不容易,蛋!

  1. http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
复制代码




QQ截图20151128113902.png
QQ截图20151128113927.png
回复

使用道具 举报

发表于 2015-11-30 23:22 | 显示全部楼层
能传一个425到百度盘吗???
回复 支持 反对

使用道具 举报

发表于 2015-12-27 23:06 | 显示全部楼层
{:vape:}{:vape:}{:vape:}
回复

使用道具 举报

发表于 2016-6-25 07:03 | 显示全部楼层
谢谢楼主分享,学习了
回复 支持 反对

使用道具 举报

发表于 2016-12-5 23:33 | 显示全部楼层
帖子看不了啊 怎么办
回复 支持 反对

使用道具 举报

发表于 2020-11-8 21:01 | 显示全部楼层

谢谢楼主分享,学习了
回复 支持 反对

使用道具 举报

 Hello,黑武的好机友!回复想偷个懒?点这里: 
您需要登录后才可以回帖 登录 | 注册

本版积分规则

关闭

站长推荐上一条 /1 下一条

QQ|小黑屋|Archiver|手机版|爱黑武论坛 ( 京ICP备2023028323号 | 京公网安备11011202000270号 )

GMT+8, 2024-11-28 01:37 , Processed in 0.044432 second(s), 24 queries .

Powered by Discuz! X3.4

Copyright © 2001-2024, ihei5.com

快速回复 返回顶部 返回列表