TROJ_KOVTER.GQA

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、実行後、自身を削除します。

侵入方法

その他は、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

その他は、以下のフォルダを作成します。

• %Application Data%\zuhar
• %System Root%\_110515_
• %System Root%\95392ff77eb92c59c3ae806fc9d9
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update
• %System Root%\_171640_
• %System Root%\18b359151e67ff728d

(註：%Application Data%フォルダは、Windows 2000、XP および Server 2003 の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data"、Windows Vista 、 7 、8、8.1 、Server 2008 および Server 2012の場合、"C:\Users\＜ユーザ名＞\AppData\Roaming" です。.. %System Root%フォルダは、オペレーティングシステム(OS)が存在する場所で、いずれのOSでも通常、 "C:" です。.)

他のシステム変更

その他は、以下のレジストリキーを追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION

HKEY_CURRENT_USER\Software\qanz

HKEY_LOCAL_MACHINE\SOFTWARE\qanz

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
OSUpgrade

HKEY_LOCAL_MACHINE\SOFTWARE\E99D78DD176CCA7E

HKEY_LOCAL_MACHINE\SOFTWARE\576D551563D22DC4F1ED

その他は、以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
regsvr32.exe = "22b8"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
iexplore.exe = "22b8"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
regsvr32.exe = "22b8"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
iexplore.exe = "22b8"

HKEY_LOCAL_MACHINE\SOFTWARE\qanz
zojewbdazo = "{random characters}"

HKEY_CURRENT_USER\Software\qanz
zojewbdazo = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate
DisableOSUpgrade = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
OSUpgrade
ReservationsAllowed = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\qanz
ltpxeirzlt = "IzkWisc+BVA1rA=="

HKEY_CURRENT_USER\Software\qanz
ltpxeirzlt = "I2pB3ZA9U3rSnw=="

HKEY_LOCAL_MACHINE\SOFTWARE\qanz
bjtkim = "JDxAjMBpBcbNz4c6SO+7Zu7KWGfdue0="

HKEY_CURRENT_USER\Software\qanz
bjtkim = "JDAX2ZU6V94fZQT50F704VO2Hu+tuJY="

HKEY_LOCAL_MACHINE\SOFTWARE\qanz
eljz = "djoSipcwVztJwilkUg1dBCo="

HKEY_CURRENT_USER\Software\qanz
eljz = "dG5MgJZtVH7qp1wXsJetONo="

HKEY_LOCAL_MACHINE\SOFTWARE\qanz
kqdg = "{random characters}"

HKEY_CURRENT_USER\Software\qanz
kqdg = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\E99D78DD176CCA7E
90884B39ACF05741BA = "90884B39ACF05741BA"

HKEY_LOCAL_MACHINE\SOFTWARE\576D551563D22DC4F1ED
22E5FFAB622BEC79D12F = "22E5FFAB622BEC79D12F"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Setup
LogLevel = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Setup
LogLevel = "0"

その他は、以下のレジストリ値を変更します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1206 = "0"

(註：変更前の上記レジストリ値は、「3」となります。)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2300 = "0"

(註：変更前の上記レジストリ値は、「1」となります。)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1809 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1206 = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
2300 = "0"

(註：変更前の上記レジストリ値は、「1」となります。)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1809 = "3"

(註：変更前の上記レジストリ値は、「3」となります。)

その他は、以下のレジストリキーを削除します。

HKEY_LOCAL_MACHINE\SOFTWARE

作成活動

その他は、以下のファイルを作成します。

• %Application Data%\zuhar\zuhar.exe
• %User Temp%\WindowsXP-KB968930-x86-ENG.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\eventforwarding.adm
• %System Root%\95392ff77eb92c59c3ae806fc9d9\windowsremotemanagement.adm
• %System Root%\95392ff77eb92c59c3ae806fc9d9\windowsremoteshell.adm
• %System Root%\95392ff77eb92c59c3ae806fc9d9\windowspowershellhelp.chm
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrm.cmd
• %System Root%\95392ff77eb92c59c3ae806fc9d9\compiledcomposition.microsoft.powershell.gpowershell.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.backgroundintelligenttransfer.management.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.backgroundintelligenttransfer.management.interop.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.backgroundintelligenttransfer.management.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.diagnostics.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.diagnostics.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.management.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.management.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.utility.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.utility.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.consolehost.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.consolehost.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.editor.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.editor.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.gpowershell.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.gpowershell.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.graphicalhost.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.graphicalhost.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.security.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.security.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.wsman.management.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.wsman.management.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.wsman.runtime.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\powershell_ise.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\pspluginwkr.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\pwrshmsg.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\pwrshplugin.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\pwrshsip.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\spmsg.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\system.management.automation.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\system.management.automation.resources.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wevtfwd.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrmprov.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrscmd.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrsmgr.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrssrv.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmauto.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmplpxy.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmres.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmsvc.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmwmipl.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\powershell.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\powershell_ise.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\pscustomsetuputil.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\pssetupnativeutils.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\spuninst.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\spupdsvc.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrs.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrshost.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmanhttpconfig.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmprovhost.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wtrinstaller.ico
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrm.ini
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrmprov.mof
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmauto.mof
• %System Root%\95392ff77eb92c59c3ae806fc9d9\powershell.exe.mui
• %System Root%\95392ff77eb92c59c3ae806fc9d9\profile.ps1
• %System Root%\95392ff77eb92c59c3ae806fc9d9\bitstransfer.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\certificate.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\diagnostics.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\dotnettypes.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\filesystem.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\getevent.types.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\help.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\powershellcore.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\powershelltrace.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\registry.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\types.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsman.format.ps1xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\bitstransfer.psd1
• %System Root%\95392ff77eb92c59c3ae806fc9d9\importallmodules.psd1
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_aliases.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_arithmetic_operators.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_arrays.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_assignment_operators.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_automatic_variables.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_bits_cmdlets.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_break.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_command_precedence.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_command_syntax.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_comment_based_help.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_commonparameters.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_comparison_operators.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_continue.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_core_commands.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_data_sections.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_debuggers.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_do.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_environment_variables.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_escape_characters.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_eventlogs.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_execution_policies.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_for.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_foreach.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_format.ps1xml.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_functions.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_functions_advanced.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_functions_advanced_methods.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_functions_advanced_parameters.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_functions_cmdletbindingattribute.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_hash_tables.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_history.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_if.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_job_details.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_jobs.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_join.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_language_keywords.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_line_editing.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_locations.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_logical_operators.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_methods.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_modules.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_objects.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_operators.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_parameters.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_parsing.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_path_syntax.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_pipelines.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_preference_variables.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_profiles.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_prompts.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_properties.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_providers.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_pssession_details.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_pssessions.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_pssnapins.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_quoting_rules.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_redirection.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_ref.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_regular_expressions.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_remote.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_remote_faq.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_remote_jobs.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_remote_output.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_remote_requirements.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_remote_troubleshooting.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_requires.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_reserved_words.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_return.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_scopes.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_script_blocks.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_script_internationalization.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_scripts.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_session_configurations.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_signing.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_special_characters.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_split.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_switch.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_throw.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_transactions.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_trap.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_try_catch_finally.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_type_operators.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_types.ps1xml.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_variables.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_while.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_wildcards.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_windows_powershell_2.0.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_windows_powershell_ise.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_wmi_cmdlets.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\about_ws-management_cmdlets.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\default.help.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\winrm.vbs
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.backgroundintelligenttransfer.management.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.diagnostics.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.management.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.commands.utility.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.consolehost.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.powershell.security.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\microsoft.wsman.management.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\system.management.automation.dll-help.xml
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmpty.xsl
• %System Root%\95392ff77eb92c59c3ae806fc9d9\wsmtxt.xsl
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\kb968930xp.cat
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\spcustom.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\updspapi.dll
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\update.exe
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\update.inf
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\eula.txt
• %System Root%\95392ff77eb92c59c3ae806fc9d9\update\update.ver
• %System Root%\95392ff77eb92c59c3ae806fc9d9\$shtdwn$.req
• %System Root%\18b359151e67ff728d\eventforwarding.adm
• %System Root%\18b359151e67ff728d\windowsremotemanagement.adm
• %System Root%\18b359151e67ff728d\windowsremoteshell.adm
• %System Root%\18b359151e67ff728d\windowspowershellhelp.chm

その他

その他は、以下の不正なWebサイトにアクセスします。

• http://{BLOCKED}7.72.90
• http://{BLOCKED}7.72.90/{random path}
• {BLOCKED}.52.78
• {BLOCKED}51.124
• {BLOCKED}.193.69
• {BLOCKED}2.103.237
• {BLOCKED}52.53
• {BLOCKED}.225.204
• {BLOCKED}5.220.135
• {BLOCKED}8.70.213
• {BLOCKED}.139.223
• {BLOCKED}.149.73
• {BLOCKED}.183.24
• {BLOCKED}.242.184
• {BLOCKED}.153.240
• {BLOCKED}2.254.177
• {BLOCKED}.23.44
• {BLOCKED}252.161
• {BLOCKED}0.12.43
• {BLOCKED}4.164.116
• {BLOCKED}148.19
• {BLOCKED}9.63.220
• {BLOCKED}0.165.52
• {BLOCKED}.169.86
• {BLOCKED}3.108.21
• {BLOCKED}.133.139
• {BLOCKED}9.164.85
• {BLOCKED}229.22
• {BLOCKED}.59.253
• {BLOCKED}183.23
• {BLOCKED}.197.200
• {BLOCKED}.20.120
• {BLOCKED}50.49
• {BLOCKED}.176.202
• {BLOCKED}3.111.19
• {BLOCKED}.149.44
• {BLOCKED}219.159
• {BLOCKED}7.26.237
• {BLOCKED}4.209.100
• {BLOCKED}3.223.105
• {BLOCKED}3.249.243
• {BLOCKED}6.100.19
• {BLOCKED}.193.34
• {BLOCKED}107.79
• {BLOCKED}4.143.239
• {BLOCKED}.9.47
• {BLOCKED}2.69.5
• {BLOCKED}.69.87
• {BLOCKED}2.229.245
• {BLOCKED}.21.201
• {BLOCKED}0.170.246
• {BLOCKED}8.212.247
• {BLOCKED}.129.191
• {BLOCKED}9.187.42
• {BLOCKED}121.243
• {BLOCKED}.204.232
• {BLOCKED}.239.6
• {BLOCKED}.108.163
• {BLOCKED}.236.238
• {BLOCKED}128.166
• {BLOCKED}.104.84
• {BLOCKED}11.236
• {BLOCKED}46.116
• {BLOCKED}130.120
• {BLOCKED}5.135.26
• {BLOCKED}8.129.73
• {BLOCKED}4.177.4
• {BLOCKED}.6.193
• {BLOCKED}.145.150
• {BLOCKED}9.125.57
• {BLOCKED}3.238.16
• {BLOCKED}1.232.36
• {BLOCKED}55.7
• {BLOCKED}.191.10
• {BLOCKED}4.251.190
• {BLOCKED}.240.14
• {BLOCKED}.241.47
• {BLOCKED}.212.228
• {BLOCKED}77.158
• {BLOCKED}1.214.137
• {BLOCKED}3.239.68
• {BLOCKED}121.120
• {BLOCKED}.221.157
• {BLOCKED}1.74.49
• {BLOCKED}.176.211
• {BLOCKED}.17.22
• {BLOCKED}.173.61
• {BLOCKED}9.83.55
• {BLOCKED}2.177.76
• {BLOCKED}107.93
• {BLOCKED}2.228.174
• {BLOCKED}.47.161
• {BLOCKED}53.208
• {BLOCKED}.180.120
• {BLOCKED}.15.9
• {BLOCKED}.26.187
• {BLOCKED}8.149.148
• {BLOCKED}.211.207
• {BLOCKED}45.85
• {BLOCKED}5.130.92
• {BLOCKED}6.160.31
• {BLOCKED}199.185
• {BLOCKED}.189.110
• {BLOCKED}.33.238
• {BLOCKED}.201.196
• {BLOCKED}.60.67
• {BLOCKED}3.79.156
• {BLOCKED}9.197.226
• {BLOCKED}.183.170
• {BLOCKED}.114.35
• {BLOCKED}.44.187
• {BLOCKED}7.69.214
• {BLOCKED}3.125.73
• {BLOCKED}.7.59
• {BLOCKED}7.196.115
• {BLOCKED}157.160
• {BLOCKED}4.29.251
• {BLOCKED}.28.122
• {BLOCKED}1.47.121
• {BLOCKED}.79.59
• {BLOCKED}1.238.165
• {BLOCKED}3.50.213
• {BLOCKED}.157.119
• {BLOCKED}0.21.90
• {BLOCKED}.217.15
• {BLOCKED}.157.219
• {BLOCKED}5.5.235
• {BLOCKED}209.41
• {BLOCKED}9.250.153
• {BLOCKED}235.216
• {BLOCKED}.54.42
• {BLOCKED}4.53.23
• {BLOCKED}63.255
• {BLOCKED}130.210
• {BLOCKED}.198.151
• {BLOCKED}8.112.65
• {BLOCKED}.79.250
• {BLOCKED}.153.211
• {BLOCKED}5.198.232
• {BLOCKED}.117.169
• {BLOCKED}.251.52
• {BLOCKED}.69.208
• {BLOCKED}5.8.70
• {BLOCKED}.178.148
• {BLOCKED}8.250.212
• {BLOCKED}.14.244
• {BLOCKED}8.79.133
• {BLOCKED}.13.182
• {BLOCKED}199.148
• {BLOCKED}66.116
• {BLOCKED}133.139
• {BLOCKED}4.67.232
• {BLOCKED}62.43
• {BLOCKED}85.19
• {BLOCKED}9.67.62
• {BLOCKED}.226.186
• {BLOCKED}.89.157
• {BLOCKED}158.62
• {BLOCKED}8.156.52
• {BLOCKED}0.54.25
• {BLOCKED}.2.12
• {BLOCKED}9.193.41
• {BLOCKED}3.174.158
• {BLOCKED}.144.7
• {BLOCKED}7.21.229
• {BLOCKED}.62.101
• {BLOCKED}5.10.108
• {BLOCKED}0.123.212
• {BLOCKED}1.59.10
• {BLOCKED}122.160
• {BLOCKED}1.122.8
• {BLOCKED}5.248
• {BLOCKED}4.120.15
• {BLOCKED}1.94.54
• {BLOCKED}4.168.129
• {BLOCKED}0.75.119
• {BLOCKED}12.129
• {BLOCKED}82.107
• {BLOCKED}62.254
• {BLOCKED}7.255.53
• {BLOCKED}135.88
• {BLOCKED}2.108.112
• {BLOCKED}.87.149
• {BLOCKED}.160.157
• {BLOCKED}254.52
• {BLOCKED}.251.77
• {BLOCKED}01.193
• {BLOCKED}.116.182
• {BLOCKED}147.221
• {BLOCKED}.255.159
• {BLOCKED}99.115
• {BLOCKED}.18.70
• {BLOCKED}.194.101
• {BLOCKED}179.47
• {BLOCKED}.17.108
• {BLOCKED}.199.141
• {BLOCKED}0.203.75
• {BLOCKED}.144.95
• {BLOCKED}9.57.123
• {BLOCKED}6.128.133
• {BLOCKED}1.201.162
• {BLOCKED}2.104.127
• {BLOCKED}.59.61
• {BLOCKED}.87.123
• {BLOCKED}59.186
• {BLOCKED}.239.234
• {BLOCKED}.126.150
• {BLOCKED}.141.21
• {BLOCKED}170.159
• {BLOCKED}.129.246
• {BLOCKED}56.180
• {BLOCKED}8.147.156
• {BLOCKED}3.215
• {BLOCKED}.238.180
• {BLOCKED}.47.182
• {BLOCKED}207.63
• {BLOCKED}2.201.216
• {BLOCKED}119.170
• {BLOCKED}.182.168
• {BLOCKED}.236.77
• {BLOCKED}.97.192
• {BLOCKED}1.147.193
• {BLOCKED}6.68.34
• {BLOCKED}135.79
• {BLOCKED}7.33.85
• {BLOCKED}9.111.229
• {BLOCKED}.8.112
• {BLOCKED}0.225.126
• {BLOCKED}5.203.151
• {BLOCKED}3.203.46
• {BLOCKED}5.200.42
• {BLOCKED}.49.93
• {BLOCKED}24.38
• {BLOCKED}.43.51
• {BLOCKED}.185.118
• {BLOCKED}170.12

その他は、実行後、自身を削除します。

このウイルス情報は、自動解析システムにより作成されました。