WORM_IRCBOT.ABJ
Windows 98, ME, NT, 2000, XP, Server 2003

Malware type:
Worm
Destructive:
No
Encrypted:
No
Infections reported:
Yes
Overview
This worm arrives on a system as a file downloaded by other malware, grayware or spyware from a remote site. It also arrives when a user unknowingly downloads it from a malicious website.
It accesses password-protected shared folders using a list of specific user names and passwords. It exploits a software vulnerability to propagate to other computers on the same network.
It opens a port and listens for commands from a remote malicious user. It executes those commands, compromising the infected computer.
It performs specific flood attacks against targeted websites, leaving users unable to reach those sites for a period of time.
It harvests the CD keys, serial numbers and product IDs of specific applications; the harvested information may be abused by the cybercriminals who obtain it. It also logs the user's keystrokes to collect information.
Details
Arrival
This worm arrives on a system as a file downloaded by other malware, grayware or spyware from a remote site.
It also arrives when a user unknowingly downloads it from a malicious website.
Installation
This worm drops a copy of itself on the infected computer as:
- %System%\windowsupdate.exe
(Note: %System% varies with the Windows version and installation settings. By default it is C:\Windows\System on Windows 98 and ME, C:\WinNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Autostart technique
This worm adds the following registry values so that its copy runs automatically every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Windows Firewall Updater = windowsupdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- Windows Firewall Updater = windowsupdate.exe
Other system modifications
This worm adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- AllowUnqualifiedQuery = 0
- PrioritizeRecordData = 1
- TCP1320Opts = 3
- KeepAliveTime = dword:00023280
- BcastQueryTimeout = dword:000002ee
- BcastNameQueryCount = dword:00000001
- CacheTimeout = dword:0000ea60
- Size/Small/Medium/Large = dword:00000003
- LargeBufferSize = dword:00001000
- SynAckProtect = dword:00000002
- PerformRouterDiscovery = dword:00000000
- EnablePMTUBHDetect = dword:00000000
- FastSendDatagramThreshold = dword:00000400
- StandardAddressLength = dword:00000018
- DefaultReceiveWindow = dword:00004000
- DefaultSendWindow = dword:00004000
- BufferMultiplier = dword:00000200
- PriorityBoost = dword:00000002
- IrpStackSize = dword:00000004
- IgnorePushBitOnReceives = dword:00000000
- DisableAddressSharing = dword:00000000
- AllowUserRawAccess = dword:00000000
- DisableRawSecurity = dword:00000000
- DynamicBacklogGrowthDelta = dword:00000032
- FastCopyReceiveThreshold = dword:00000400
- LargeBufferListDepth = dword:0000000a
- MaxActiveTransmitFileCount = dword:00000002
- MaxFastTransmit = dword:00000040
- OverheadChargeGranularity = dword:00000001
- SmallBufferListDepth = dword:00000020
- SmallerBufferSize = dword:00000080
- TransmitWorker = dword:00000020
- DNSQueryTimeouts = {hex values}
- DefaultRegistrationTTL = dword:00000014
- DisableReplaceAddressesInConflicts = dword:00000000
- DisableReverseAddressRegistrations = dword:00000001
- UpdateSecurityLevel = dword:00000000
- DisjointNameSpace = dword:00000001
- QueryIpMatching = dword:00000000
- NoNameReleaseOnDemand = dword:00000001
- EnableDeadGWDetect = dword:00000000
- EnableFastRouteLookup = dword:00000001
- MaxFreeTcbs = dword:000007d0
- MaxHashTableSize = dword:00000800
- SackOpts = dword:00000001
- Tcp1323Opts = dword:00000003
- TcpMaxDupAcks = dword:00000001
- TcpRecvSegmentSize = dword:00000585
- TcpSendSegmentSize = dword:00000585
- DefaultTTL = dword:00000030
- TcpMaxHalfOpen = dword:0000004b
- TcpMaxHalfOpenRetried = dword:00000050
- TcpTimedWaitDelay = dword:00000000
- MaxNormLookupMemory = dword:00030d40
- FFPControlFlags = dword:00000001
- FFPFastForwardingCacheSize = dword:00030d40
- MaxForwardBufferMemory = dword:00019df7
- MaxFreeTWTcbs = dword:000007d0
- GlobalMaxTcpWindowSize = dword:0007d200
- EnablePMTUDiscovery = dword:00000001
- ForwardBufferMemory = dword:00019df7
HKEY_CURRENT_USER\Software\Microsoft\OLE
- Windows Firewall Updater = windowsupdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- EnableRemoteConnect = N
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareServer = 0
- AutoShareWks = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- Start = dword:00000004
This worm bypasses the Windows Firewall by registering its dropped copy as an authorized application, creating the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- C:\WINDOWS\System32\windowsupdate.exe = C:\WINDOWS\System32\windowsupdate.exe:*:Enabled:Windows Firewall Updater
Propagation
This worm accesses password-protected shared folders using a built-in list of user names and passwords.
It exploits the following software vulnerability to propagate across the network:
- MS03-039 Buffer Overrun in RPCSS Service
Backdoor routine
This worm opens the following port and listens for commands from a remote malicious user:
- TCP port 4003
It connects to any of the following IRC servers:
- {BLOCKED}.pwnz.org
It executes the following commands from a remote malicious user:
- Download and execute files
- Send files
- Launch DDoS attacks
- Terminate antivirus/firewall processes
- Obtain certain system information
Denial of Service (DoS) attack
This worm performs the following flood attacks against targeted websites:
- Ping flood
- SYN flood
- UDP flood
Information theft
This worm targets the following websites:
- e-gold
- PayPal
- StormPay
- Vodafone
- Poste Italiane
- Yahoo!
- Banca Sella
- Bank Of America
- Benvenuto a gmail
- banca
- poker
- rapidshare
It harvests the CD keys, serial numbers and product IDs of specific applications.
It logs the user's keystrokes to collect information.
Solution
Step 1
Windows XP and Windows Server 2003 users must disable System Restore before running a scan so that malware, adware and similar threats can be completely removed from the computer.
Step 2
Delete these registry values.
Warning: The registry is the database that holds Windows configuration information; an incorrect registry edit can stop the system from working properly.
Edit the registry at your own risk. We cannot compensate for any problems caused by editing the registry.
Please read the registry editing guidance before making any changes.
- In HKEY_CURRENT_USER\Software\Microsoft\OLE
- Windows Firewall Updater = windowsupdate.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- EnableRemoteConnect = N
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Windows Firewall Updater = windowsupdate.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- Windows Firewall Updater = windowsupdate.exe
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareServer = 0
- AutoShareWks = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- C:\WINDOWS\System32\windowsupdate.exe = C:\WINDOWS\System32\windowsupdate.exe:*:Enabled:Windows Firewall Updater
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- AllowUnqualifiedQuery = dword:00000000
- PrioritizeRecordData = dword:00000001
- TCP1320Opts = dword:00000003
- KeepAliveTime = dword:00023280
- BcastQueryTimeout = dword:000002ee
- BcastNameQueryCount = dword:00000001
- CacheTimeout = dword:0000ea60
- Size/Small/Medium/Large = dword:00000003
- LargeBufferSize = dword:00001000
- SynAckProtect = dword:00000002
- PerformRouterDiscovery = dword:00000000
- EnablePMTUBHDetect = dword:00000000
- FastSendDatagramThreshold = dword:00000400
- StandardAddressLength = dword:00000018
- DefaultReceiveWindow = dword:00004000
- DefaultSendWindow = dword:00004000
- BufferMultiplier = dword:00000200
- PriorityBoost = dword:00000002
- IrpStackSize = dword:00000004
- IgnorePushBitOnReceives = dword:00000000
- DisableAddressSharing = dword:00000000
- AllowUserRawAccess = dword:00000000
- DisableRawSecurity = dword:00000000
- DynamicBacklogGrowthDelta = dword:00000032
- FastCopyReceiveThreshold = dword:00000400
- LargeBufferListDepth = dword:0000000a
- MaxActiveTransmitFileCount = dword:00000002
- MaxFastTransmit = dword:00000040
- OverheadChargeGranularity = dword:00000001
- SmallBufferListDepth = dword:00000020
- SmallerBufferSize = dword:00000080
- TransmitWorker = dword:00000020
- DNSQueryTimeouts = {hex values}
- DefaultRegistrationTTL = dword:00000014
- DisableReplaceAddressesInConflicts = dword:00000000
- DisableReverseAddressRegistrations = dword:00000001
- UpdateSecurityLevel = dword:00000000
- DisjointNameSpace = dword:00000001
- QueryIpMatching = dword:00000000
- NoNameReleaseOnDemand = dword:00000001
- EnableDeadGWDetect = dword:00000000
- EnableFastRouteLookup = dword:00000001
- MaxFreeTcbs = dword:000007d0
- MaxHashTableSize = dword:00000800
- SackOpts = dword:00000001
- Tcp1323Opts = dword:00000003
- TcpMaxDupAcks = dword:00000001
- TcpRecvSegmentSize = dword:00000585
- TcpSendSegmentSize = dword:00000585
- DefaultTTL = dword:00000030
- TcpMaxHalfOpen = dword:0000004b
- TcpMaxHalfOpenRetried = dword:00000050
- TcpTimedWaitDelay = dword:00000000
- MaxNormLookupMemory = dword:00030d40
- FFPControlFlags = dword:00000001
- FFPFastForwardingCacheSize = dword:00030d40
- MaxForwardBufferMemory = dword:00019df7
- MaxFreeTWTcbs = dword:000007d0
- GlobalMaxTcpWindowSize = dword:0007d200
- EnablePMTUDiscovery = dword:00000001
- ForwardBufferMemory = dword:00019df7
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- Start = dword:00000004
Step 3
Restore these modified registry values.
Warning: The registry is the database that holds Windows configuration information; an incorrect registry edit can stop the system from working properly.
Edit the registry at your own risk. We cannot compensate for any problems caused by editing the registry.
Please read the registry editing guidance before making any changes.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- From: EnableDCOM = N
  To: EnableDCOM = Y
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From: restrictanonymous = 1
  To: restrictanonymous = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
- From: Start = 4
  To: Start = 2
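The autostart values, the firewall exception and the service/DCOM/LSA settings listed under "Other system modifications" and in Steps 2 and 3 can be checked offline with the following Python script, an example added here rather than the advisory's or the vendor's own tooling: it parses a Windows .reg export and reports which of those artifacts are present. The .reg sample embedded in it is constructed.

```python
"""Offline triage of a Windows .reg export for the registry artifacts left by WORM_IRCBOT.ABJ.
Feed scan() the text of `reg export` output (or hives pulled from a forensic image). Key and
value names come from the advisory; the sample export at the bottom is constructed."""
import re

PERSIST_NAME = "Windows Firewall Updater"   # autostart value name written by the worm
PERSIST_DATA = "windowsupdate.exe"          # its dropped copy, %System%\windowsupdate.exe
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
)
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# (key, value name) -> value the worm sets to weaken the host; clean-up Steps 2 and 3 undo these.
WEAKENED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): "dword:00000004",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv", "Start"): "dword:00000004",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableRemoteConnect"): "N",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"): "dword:00000001",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "AutoShareServer"): "dword:00000000",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "AutoShareWks"): "dword:00000000",
}
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key_lower: {name_lower: (name, data)}}; lookups are lowercased
    because the registry is case-insensitive. Quoted strings are unescaped, dword:/hex: data is
    kept verbatim, and hex values continued with a trailing backslash are joined first."""
    reg, key, buf = {}, None, ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):            # multi-line hex value, more on the next line
            buf = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key.lower(), {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        reg[key.lower()][name.lower()] = (name, data)
    return reg


def scan(text):
    """Return one finding string per artifact of this worm present in the export."""
    reg = parse_reg(text)
    findings = []

    def get(key, name):
        entry = reg.get(key.lower(), {}).get(name.lower())
        return entry[1] if entry else None

    for key in RUN_KEYS:
        data = get(key, PERSIST_NAME)
        if data is not None and PERSIST_DATA in data.lower():
            findings.append(f"autostart: {key}\\{PERSIST_NAME} = {data}")
    for name, data in reg.get(FIREWALL_LIST.lower(), {}).values():
        if PERSIST_DATA in name.lower() or PERSIST_DATA in data.lower():
            findings.append(f"firewall exception: {name} = {data}")
    for (key, name), bad in WEAKENED.items():
        data = get(key, name)
        if data is not None and data.lower() == bad.lower():
            findings.append(f"weakened setting: {key}\\{name} = {data}")
    return findings


# Constructed sample export (not a real capture) of the keys an infected host would show.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall Updater"="windowsupdate.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\windowsupdate.exe"="C:\\WINDOWS\\System32\\windowsupdate.exe:*:Enabled:Windows Firewall Updater"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    print("\n".join(scan(INFECTED_EXPORT)) or "no artifacts found")
```

A hit on the autostart or firewall-exception entries is a strong indicator on its own; the weakened settings alone can also result from legitimate administration, so treat them as corroboration.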
Step 4
Scan your computer with an antivirus product whose engine and pattern file are up to date, and delete every file detected as WORM_IRCBOT.ABJ. If the detected files have already been cleaned, quarantined or deleted by our antivirus product, removal is complete and no further steps are required.
Step 5
Download and apply the patch for the vulnerability listed above (MS03-039). Until the patch for this vulnerability has been applied, refrain from using the affected product. We recommend downloading and applying the official patch published by the product's vendor.