Case Analysis of Emergency Cybercrime

This year 1 month, when handling the second-generation ID card, the police of Longhuashan Police Station in Xiantao City found that the computer used to handle the second-generation ID card had been poisoned. Even if it is poisoned, it will return to its original appearance. Then, some office computers of the bureau were paralyzed by the panda incense burning virus.

At the same time, the network supervision brigade of the Municipal Public Security Bureau received a report from the Jianghan Hotline Information Center of Xiantao City that a large area of panda incense burning virus appeared in the central server of the website.

This is the first time that a fierce computer virus has appeared in this city, which has caused the network supervision department of this city's public security bureau to attach great importance to relevant data. Since June 5438+February last year, more than 500,000 computers have been infected and poisoned by the panda incense burning virus, and millions of netizens have suffered greatly.

The police also found that Rising's 2006 security report listed panda burning incense as the top of 10 virus, and in the top ten viruses reported by Chinese mainland's computer virus epidemic and Internet security in 2006, the virus became the king of poison.

1October 22nd, the network supervision brigade of 65438 Municipal Public Security Bureau reported the case to the public security bureau chief Yu Pinghui, political commissar Li Peigang and deputy director Ye Tieguan. On June 24th, 65438 10, the bureau officially put on record for investigation, and named it 1.22 case.

study

Wuhan boy is listed as a major suspect.

Yesterday, Ye Tieguan, deputy director of Xiantao Public Security Bureau, introduced that after the city's network supervision department filed a case, it searched the Internet for relevant information and conducted an analysis and investigation on the computer virus of panda incense burning.

The results show that panda incense burning virus is an infectious worm virus, which can infect files such as execompifsrchtmlasp in the system, stop a large number of antivirus software and firewall software processes, and try to read the list of downloaded files from specific websites, and spread quickly through browsing LAN * * * and U disk and other channels.

In addition, the infected computer will restart frequently and a blue screen will appear, the data files in the system hard disk will be destroyed, and the GHO files will be deleted. All exe executable files in the infected user's system will be changed into a panda with three incense sticks.

According to the analysis of the characteristics of virus infection and transmission, the network supervision department of the bureau speculated that the author of panda incense burning virus was written by a team or someone; Or one person makes it up and many people spread it.

The National Computer Virus Emergency Response Center and related information on the Internet show that the computer virus program of Panda Burning Incense bears the signature of whboy Wuhan Boy. After the virus infects the webpage file, it will add code to redirect the webpage to a specific URL.

According to the registration information of this website, the registrant is Hu, a technician of Wuhan network supervision department. According to the analysis, the person who owns all the virus codes should be from Wuhan, which is likely to be closely related to Trojans such as the QQ tail of Wuhan boy that broke out in 2005. The network supervision department of the Municipal Public Security Bureau decided to conduct serial and parallel investigation.

During the investigation, the network supervision department of the bureau obtained relevant information. Whboy is famous for writing the legendary Trojan horse of Wuhan boy, and his works are usually signed by wh boy and Wuhan boy.

Therefore, the network supervision department of the Municipal Public Security Bureau listed Wuhan boy as a major criminal suspect and conducted targeted investigations.

draw in a net

Pretending to buy software to catch Wuhan boys

65438+1October 3 1 day, under the command and coordination of the network supervision corps of the provincial public security department, the 1.22 task force was established.

On February 1 day, the task force found out that Wuhan boy and two other project investigators rented in Hongshan District of Wuhan pretended to buy anti-virus software in Wuhan and arrested a seller.

Project police analysis: the seller is a Wuhan guy who was later investigated. This Wuhan boy named Li Jun, male, 25 years old, from Yangluo Town, Xinzhou District, Wuhan, is quite proficient in computers.

On February 2nd, police officers Zhang, Liu Jie and others conducted 24-hour surveillance in a rented HOS house. In the afternoon, the project police studied and implemented the arrest operation, and formulated the arrest plan and interrogation plan.

On February 3, the task force analyzed various signs and found that Wuhan boys might have to flee and arrest them in advance.

At 8: 40 pm on the 3rd, the police of Xiantao City Network Supervision Brigade waiting in the rental house arrested Li Jun who had returned to the rental house to get something, and inspected the rental house.

After a surprise trial, Li Jun confessed his own panda incense burning virus, and the source code of the virus was in the hard disk of a hotel room where he and Lei Lei lived, and admitted to giving a copy of the source code to Lei Lei (male, 25 years old, from Changshan Village, Yangluo Town, Xinzhou District, Wuhan, and Li Jun's classmate).

The project police immediately attacked, captured Lei Lei who was about to escape, and seized items such as laptop hard disk. The national computer virus emergency treatment center identified the extracted source code as the source code of the panda incense burning virus.

question

Make money to sell and spread the virus for fun.

In September last year, when Li Jun was studying software development in a computer school in Wuhan, he began to make panda incense burning virus 10. After graduation, Li Jun rented a one-room house in Hongshan District, Wuhan, and devoted himself to making panda incense burning virus. In the process of writing, he constantly exchanged writing progress with Lei Lei.

165438+ 10, Li Jun wrote the panda incense burning virus and released the news of selling the panda incense burning virus through QQ group. About 20 sets of each virus were sold online at a price of 500 1000 yuan.

On June 24 this year, at 65438, Lei Lei found Li Jun and told him that the online hype about panda burning incense was very strong and asked him to avoid it.

On the same day, Li Junhe Lei Lei opened a room in a hotel in Wuhan to study panda incense burning together, and Lei Lei continued to sell 2,000 sets of poisonous meat machines for Li Jun online.

On February 4th, the Network Supervision Brigade of Xiantao Public Security Bureau checked the site again, and sent Li Jun Lei Lei back to Xiantao Public Security Department to organize and coordinate the network supervision departments in Shandong, Zhejiang, Yunnan, Guangdong and Guangxi to control and detain the servers of the people involved.

On the evening of 5th, Ye Tieguan, deputy director of Xiantao Public Security Bureau, captured Wang Leyan in Weihai, Shandong Province. After preliminary examination, Wang Leyan confessed that he was the person who spread the panda incense burning virus the most, with an average daily income of more than 7,000 yuan, and the income was equally divided with Li Jun.

Wang Leyan also confessed to two other correspondents, one of whom was called X Fire. With the support of the provincial network supervision corps, Xiantao police learned that it was Xiantao people who claimed to be X fire. That night, the police arrested them at X Fire's home (this person's real name is Wang Zhe). All the way to the special class, the suspect Ye Peixin was arrested in Wenzhou, Zhejiang.

At this time, Wan, the captain of the network supervision brigade who is collecting servers in Nanchang, drove to Lishui, Zhejiang after receiving the notice from the headquarters. The No.3 pursuit class met in Lishui, Zhejiang Province on the evening of the 6 th and arrested the suspect Zhang Shun

After the trial, Li Jun was the producer of the panda incense burning virus, and the other five were sales communicators, aiming at making money for fun.

Li Jun confessed that Panda Incense Burning Virus is a new virus which is a combination of several viruses. It can control computers, make Trojan horses in computers and steal QQ game equipment from other people's computers. After selling, you can still make a profit. Li Jun's maximum daily income is 1 10,000 yuan.

After six suspects were arrested, the police seized more than 654.38 million yuan of money on the spot, including Wang Leyan who bought a jeep with the money.

So far, from February 3 to 10, the network supervision brigade of Xiantao Public Security Bureau has arrested six major suspects in Hubei, Shandong and Zhejiang.

(Comprehensive Chutian Metropolis Daily Wuhan Morning News)

Li Jun in the eyes of his family

Li Jun's parents have been working in a cement factory in his hometown. Both of them were laid off a few years ago. His mother made a trolley to sell breakfast in the street, and his father worked in a private tile factory. Ms. Chen, a 52-year-old mother, said that Li Jun liked playing computer when he was very young, and he went to Internet cafes when he was free. I bought him a computer at home for fear that he would not learn well outside. Unexpectedly, her son was caught by the police for playing computer. Ms. Chen feels remorse.

Li Jun's father said that when he was four or five years old, Li Jun fell in love with playing with building blocks and disassembling small machines at home. At that time, Li Jun took apart everything that could be taken apart at home, such as radio, alarm clock and flashlight. After looking at each part with his head tilted, he reassembled the parts and restored them to their original state. If the alarm clock moves again or the radio can make a sound, Li Jun will often clap his hands and laugh to celebrate for a long time.

Li Jun's younger brother Li Ming is three years younger than him. He is a music education major in Southwest University for Nationalities. He went home this winter vacation. He occasionally mentioned to his brother that he and his classmates had recently been infected with the computer virus of panda burning incense. Hearing this, his brother changed his previous introversion and humility, and smiled disdainfully: this virus is no big deal. At that time, Li Ming did not think that his brother was the initiator of the panda burning incense.

Li Ming told reporters that his brother was good at math and English at school. Nevertheless, he failed to get into high school, but entered a technical school run by a cement factory (now renamed Jieshi Vocational and Technical School). After working in a computer city in Wuhan in 2000, he earned money by himself, but in Li Ming's memory, he rarely gave money to his family. My brother never asked his parents for money. Someone once told Li Jun that Li Ming was his younger brother. People who can't make money are incompetent.

The 27-year-old car from Sichuan often chats online under the screen name of "Young Master". Humorous words fascinated the greedy little sister Xiaohua, and the two chatted very speculatively. Feeling that the time is ripe, the "young master" warmly invited the "greedy little sister" to play in Chengdu.

Xiaohua gladly kept the appointment and followed the "young master" back home. As soon as the door was closed, the "young master" immediately lost his previous warmth, and in a blink of an eye he became a "pervert", showing bedroom eyes and constantly stroking Xiaohua. Xiaohua was shocked. He never dreamed that the netizen he trusted was this public face, and finally he was raped under the coercion and inducement of the "young master".

poker-faced assassin

The girl whose net name is "sand" is a freshman in a university in Nanjing. Before May Day this year, Sha, who was preparing to study abroad, came to Beijing and attended an intensive English training class.

Unexpectedly, after the training class, Sha's parents suddenly lost contact with Sha.

Two days later, Sha's father suddenly received a text message on his mobile phone, claiming that "we have your daughter, and we are going to pay1180,000 yuan. Don't call the police, or you will be at your own risk"! Next, he received several similar text messages in succession, all of which were sent by Sha's mobile phone!

According to the call record of the fool's mobile phone, the police verified that this mobile phone was in the hands of Tang Zhendong, an unemployed person in Yichun, Heilongjiang. The local police quickly attacked and arrested the suspect Tang Zhendong and his neighbor Bi Dongdong respectively.

However, the sand can never return to his parents. The suspect confessed that they conspired to kidnap and kill the sand.

Bi Dongdong 2 1 year. After graduating from high school, he worked as a network administrator in an Internet cafe in Yichun. 200 1, 10, Bi Dongdong and Sha met while chatting online.

Before the Spring Festival in 2002, Bi Dongdong came to Yichun from Nanjing with sand, and came to reality from the virtual space in the network. Through this contact, Bi Dongdong learned that Sha's family was rich and had the idea of changing his fate through online dating.

However, after the Spring Festival this year, Sha's parents went through the formalities of studying abroad for her and arranged for her to attend intensive English study in Beijing. During this period, Sha proposed to break up with Bi Dongdong.

Seeing that the tide was gone, Bi Dongdong invited Sha to Yichun on the grounds of seeing him again before going abroad. Naive Sand doesn't know that Ghost Valley conspires with neighbor Tang Zhendong to kidnap Sand and ask her father for money.

At 9: 00 pm on May 10, Sha arrived in Yichun from Beijing and came to Bi Dongdong's home. In the middle of the night, Tang Zhendong and Bi Dongdong made a video of Sha, and prepared to send it to Sha's parents by email to blackmail them.

This video became the last paragraph of Sha's life. After the video, Tang Zhendong and Bi Dongdong reached out their sinful hands, strangled the sand alive, and buried the body in the wasteland behind Bi Dongdong's home overnight.

In just over half a year, a story that started with a romantic "online love" came to the final ending, and death became the end of this infatuation.

According to the police, when criminals use the Internet to commit traditional crimes, they often form close "netizens" with inexperienced boys and girls through chatting and online games. Once the time is ripe, they will show their ferocious face.

In the "10 26" kidnapping case that shocked Liaoning, the suspect also grasped the victim's family situation through online dating and defrauded the victim's trust before implementing the whole criminal process. It was not until the day when 20-year-old Xi was killed that she realized that her trusted netizen "Seimi Zhang" turned out to be a wolf in sheep's clothing.

Criminal Xu Hongxi works in Anshan, Taiyuan. During his online dating with Xi, he also kept online relationships with many girls and asked about their family and personal situation through chatting.

Because Xi's grandfather and father opened a factory in Anshan, their family was very rich and gradually became the target of Xu Hongxi's lock. After the two met, the simple Xi believed in this "confidant" who talked about everything on the Internet. Seeing that he gradually gained the trust of Xi, Xu Hongxi began to plan an action plan of kidnapping and extorting huge amounts of money with others.

In the murder case of Jiangsu girl Sha, the suspect Bi Dongdong also admitted that he was "best at chatting with girls". According to Bi Dongdong, I know a lot about women's psychology because I often chat with girls online. "When chatting online, I can guess whether this person is male or female just by looking at the screen name. I only need to say a few words to know the character of this woman. "

In order to win the favor of female netizens, Bi Dongdong often changes his identity when chatting online. Bi Dongdong said: "Sometimes I joke with netizens, or deliberately deceive them and say that I am good. Sometimes I will tell them that I am a college student and tell them a school that I know better, so that they feel knowledgeable, so that she will be willing to talk to me. "

According to Hou Naifeng, political commissar of the third brigade of the Criminal Investigation Detachment of Harbin Public Security Bureau, Heilongjiang Province, Bi Dongdong can grasp the psychology of girls very well, so under normal circumstances, online girls are willing to chat with him. "After all, online communication is not a face-to-face communication between two people. It is not easy to grasp each other's situation, especially some girls, whose ability to distinguish right from wrong is poor and naive, so they are often easily deceived by some rhetoric and finally deceived. "