TROJ_MOSERAN.BMC

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、Internet Explorer（IE）のゾーン設定を変更します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、感染したコンピュータ内に以下のように自身のコピーを作成します。

• %User Profile%\hovynqoruhup.exe

(註：%User Profile% フォルダは、Windows 2000、XP および Server 2003 の場合、通常、"C:\Documents and Settings\＜ユーザ名＞"、Windows Vista 、 7 、8、8.1 、Server 2008 および Server 2012の場合、"C:\Users\＜ユーザ名＞" です。.)

自動実行方法

マルウェアは、自身のコピーがWindows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
hovynqoruhup = "%User Profile%\hovynqoruhup.exe"

他のシステム変更

マルウェアは、以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{random values}"

HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{Random Hex Values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion
hovynqoruhupzap = "{Random Hex Values}"

マルウェアは、以下のレジストリ値を変更します。

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxUserPort = "65534"

(註：変更前の上記レジストリ値は、「{Default Value}」となります。)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\0001\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "1"

(註：変更前の上記レジストリ値は、「{Default Value}」となります。)

Webブラウザのホームページおよび検索ページの変更

マルウェアは、IEのゾーン設定を変更します。

その他

マルウェアは、以下の不正なWebサイトにアクセスします。

• {BLOCKED}p.com
• {BLOCKED}k.net
• {BLOCKED}ne.com
• {BLOCKED}vestor.ca
• {BLOCKED}a.com.br
• {BLOCKED}cificrepairs.com
• {BLOCKED}ioambiente.com
• {BLOCKED}webs.net
• {BLOCKED}media.com
• {BLOCKED}ivechat.us
• {BLOCKED}e-des-druides.com
• {BLOCKED}h.com
• {BLOCKED}utions.com
• {BLOCKED}o.net
• {BLOCKED}ntal.com
• {BLOCKED}ared.com
• {BLOCKED}ills.com
• {BLOCKED}a.com
• {BLOCKED}ttesting.com
• {BLOCKED}ec.com
• {BLOCKED}4.{BLOCKED}smtp-in.l.google.com
• {BLOCKED}en-haus.de
• {BLOCKED}arm.org
• {BLOCKED}esajandek.hu
• {BLOCKED}r.com
• {BLOCKED}eturadigital.com
• {BLOCKED}fenburg-abkm.com
• {BLOCKED}j.co.jp
• {BLOCKED}sk.com.sg
• {BLOCKED}c.net
• {BLOCKED}ce-web.net
• {BLOCKED}direkt.net
• {BLOCKED}ansurfing.at
• {BLOCKED}a.it
• {BLOCKED}s.com.mv
• {BLOCKED}dge.com
• {BLOCKED}irebusiness.org
• {BLOCKED}ngle.com
• {BLOCKED}onegroup.com.my
• {BLOCKED}r.cz
• {BLOCKED}ciet.com
• {BLOCKED}rts.com
• {BLOCKED}.bluehost.com
• {BLOCKED}nternet.nl
• {BLOCKED}arm.com.au
• {BLOCKED}s.org
• {BLOCKED}inegames.com
• {BLOCKED}d.com
• {BLOCKED}lectric.com
• {BLOCKED}llmedia.com
• {BLOCKED}lcitytuxedo.com
• {BLOCKED}lle-prod.com
• {BLOCKED}u.com
• {BLOCKED}hoice.org
• {BLOCKED}nting.com.au
• {BLOCKED}l.com
• {BLOCKED}kalip.com.tr
• {BLOCKED}ldelsonido.com
• {BLOCKED}gland.com
• {BLOCKED}ol.com
• {BLOCKED}ybarry.com
• {BLOCKED}ative.com
• {BLOCKED}supplies.net
• {BLOCKED}bal.net
• {BLOCKED}all.com
• {BLOCKED}tel.com
• {BLOCKED}t.com
• {BLOCKED}tor.com
• {BLOCKED}print.nl
• {BLOCKED}iblepoker.com
• {BLOCKED}erate.com
• {BLOCKED}tingls.com
• {BLOCKED}ered.org
• {BLOCKED}tlinsenpoint.de
• {BLOCKED}permarkt.nl
• {BLOCKED}ec.de
• {BLOCKED}uilders.com
• {BLOCKED}c.org
• {BLOCKED}ocess.org
• {BLOCKED}k.com
• {BLOCKED}esh.com
• {BLOCKED}onents.com
• {BLOCKED}p.com.ar
• {BLOCKED}d.com
• {BLOCKED}scueusa.com
• {BLOCKED}le.ca
• {BLOCKED}o.se
• {BLOCKED}eofbaker.org
• {BLOCKED}aro.com
• {BLOCKED}f.com
• {BLOCKED}ntasies.com
• {BLOCKED}pia.co.kr
• {BLOCKED}ofgreece.com
• {BLOCKED}n-ist-pink.de
• {BLOCKED}oodpcb.com
• {BLOCKED}mi.com
• {BLOCKED}kyaku.com
• {BLOCKED}ming.com
• {BLOCKED}emjewelry.com
• {BLOCKED}olicy.org
• {BLOCKED}rmations.net
• {BLOCKED}en.com
• {BLOCKED}o.net
• {BLOCKED}-group.de
• {BLOCKED}alia.com
• {BLOCKED}odrigo.com.br
• {BLOCKED}es.com
• {BLOCKED}x.com
• {BLOCKED}ons.com
• {BLOCKED}efetishzone.com
• {BLOCKED}up.com
• {BLOCKED}dows.co.uk
• {BLOCKED}online.de
• {BLOCKED}x.com
• {BLOCKED}ra.com
• {BLOCKED}tinfo.com
• {BLOCKED}rcorp.com
• {BLOCKED}iamorini.com
• {BLOCKED}e1000.ca
• {BLOCKED}-high.school.nz
• {BLOCKED}ickallergy.com
• {BLOCKED}tentauction.com
• {BLOCKED}pot.co.za
• {BLOCKED}arine.com
• {BLOCKED}esk.com
• {BLOCKED}ngonlinemagazine.com
• {BLOCKED}gypt.com
• {BLOCKED}a.com
• {BLOCKED}ks.com
• {BLOCKED}isions.com
• {BLOCKED}rmusa.com
• {BLOCKED}k.com.pl
• {BLOCKED}tels.com
• {BLOCKED}smtp-in.l.google.com
• {BLOCKED}rk-moossee.ch
• {BLOCKED}luecenter.com
• {BLOCKED}ltimedia.com
• {BLOCKED}are.nl
• {BLOCKED}t.com
• {BLOCKED}wiese.de
• {BLOCKED}ge-navi.com
• {BLOCKED}w.net
• {BLOCKED}sforesthill.com
• {BLOCKED}x.com.pl
• {BLOCKED}1.smtp.{BLOCKED}ingengine.com
• {BLOCKED}hillschurch.com
• {BLOCKED}conseils.com
• {BLOCKED}e.com
• {BLOCKED}h.com
• {BLOCKED}ultarim.com.tr
• {BLOCKED}c.ge
• {BLOCKED}ate.co.jp
• {BLOCKED}c.com
• {BLOCKED}t.com
• {BLOCKED}okuren.com
• {BLOCKED}cn.com
• {BLOCKED}ra.com
• {BLOCKED}al.com
• {BLOCKED}ipping.com
• {BLOCKED}i-hp.com
• {BLOCKED}uktor.si
• {BLOCKED}sa.com
• {BLOCKED}i.or.jp
• {BLOCKED}toff.ru
• {BLOCKED}rah.com
• {BLOCKED}ys.com
• {BLOCKED}kson.com
• {BLOCKED}idica.com
• {BLOCKED}urch.net
• {BLOCKED}ist-uk.com
• {BLOCKED}construction.com
• {BLOCKED}lookz.com
• {BLOCKED}-about.com
• {BLOCKED}l.{BLOCKED}l.net
• {BLOCKED}l57.us2.{BLOCKED}v.net
• {BLOCKED}l7.{BLOCKED}lwaves.co.nz
• {BLOCKED}imp.com
• {BLOCKED}corp.com
• {BLOCKED}man.com
• {BLOCKED}ntralaya.com
• {BLOCKED}grimes.co.uk
• {BLOCKED}hn.com
• {BLOCKED}grp-spb.ru
• {BLOCKED}ssiecologia.com
• {BLOCKED}rtapsandshowers.com
• {BLOCKED}kusa.com
• {BLOCKED}rti.com
• {BLOCKED}anco.com
• {BLOCKED}ux.ch
• {BLOCKED}s-jacquelin.com
• {BLOCKED}tga.com
• {BLOCKED}io-teatras.lt
• {BLOCKED}ch.net
• {BLOCKED}r-vacaciones.com
• {BLOCKED}mers.com
• {BLOCKED}asrols.com
• {BLOCKED}glight-net.com
• {BLOCKED}e.com.au
• {BLOCKED}a.com
• {BLOCKED}.mail.ru
• {BLOCKED}gcw.com
• {BLOCKED}ecurtiss.com
• {BLOCKED}o.org
• {BLOCKED}ictures.com
• {BLOCKED}l.com.br
• {BLOCKED}oxininstitute.com
• {BLOCKED}ictionary.com
• {BLOCKED}ay.com.cn
• {BLOCKED}e.com.br
• {BLOCKED}roya.com
• {BLOCKED}ch.com
• {BLOCKED}-yamasaki.com
• {BLOCKED}m.jp
• {BLOCKED}klam.ru
• {BLOCKED}u.net
• {BLOCKED}r.com.au
• {BLOCKED}networks.net
• {BLOCKED}l.com
• {BLOCKED}e.net
• {BLOCKED}-school.com
• {BLOCKED}w.com
• {BLOCKED}osis.com
• {BLOCKED}all-pilot.de
• {BLOCKED}nicas.com
• {BLOCKED}nna.com
• {BLOCKED}a.com
• {BLOCKED}eds.com
• {BLOCKED}sion.co.in
• {BLOCKED}c.ca
• {BLOCKED}r.net
• {BLOCKED}li.com
• {BLOCKED}iauno.cz
• {BLOCKED}s.ba
• {BLOCKED}toscorydon.com
• {BLOCKED}club.de
• {BLOCKED}uting.com
• {BLOCKED}tackwarehouse.com.au
• {BLOCKED}efield.co.uk
• {BLOCKED}ft.ru
• {BLOCKED}odfoodplc.co.uk
• {BLOCKED}chre.com
• {BLOCKED}ence.com
• {BLOCKED}hits.com
• {BLOCKED}le.com.br
• {BLOCKED}mcintyre.com.au
• {BLOCKED}s.fr
• {BLOCKED}connection.ca
• {BLOCKED}aire.net
• {BLOCKED}avid.com
• {BLOCKED}y.com
• {BLOCKED}andswanson.com
• {BLOCKED}spizza.ph
• {BLOCKED}il.com
• {BLOCKED}iteexpress.com
• {BLOCKED}lumi.com
• {BLOCKED}les.co.uk
• {BLOCKED}etalsinc.com
• {BLOCKED}o.org
• {BLOCKED}p.{BLOCKED}con.net
• {BLOCKED}p.live.com
• {BLOCKED}p.mail.yahoo.com
• {BLOCKED}p.sbcglobal.{BLOCKED}o.com
• {BLOCKED}re.com
• {BLOCKED}ac.com
• {BLOCKED}i.org
• {BLOCKED}ot.net
• {BLOCKED}aginggroup.com
• {BLOCKED}ysaturday.com
• {BLOCKED}dia.ca
• {BLOCKED}pbizhub.com
• {BLOCKED}m.nl
• {BLOCKED}ennygames.com
• {BLOCKED}ildlifeart.com
• {BLOCKED}rance.com
• {BLOCKED}g-navigator.com
• {BLOCKED}amgirl.com
• {BLOCKED}stka.com
• {BLOCKED}di.com
• {BLOCKED}kon.com
• {BLOCKED}g-video.com
• {BLOCKED}oraphilippines.com
• {BLOCKED}vis.com
• {BLOCKED}a.co.jp
• {BLOCKED}ospas.com
• {BLOCKED}aldsongroup.com
• {BLOCKED}ntinghouseltd.co.uk
• {BLOCKED}gery.com
• {BLOCKED}ylizards.com
• {BLOCKED}rkey.com
• {BLOCKED}pe.com
• {BLOCKED}sondesign.com
• {BLOCKED}icemills.com
• {BLOCKED}arthcare.com.au
• {BLOCKED}meuse.com
• {BLOCKED}chiimpianti.com
• {BLOCKED}teurs.com
• {BLOCKED}lau.com
• {BLOCKED}y-works.com
• {BLOCKED}dra.net
• {BLOCKED}ting.com
• {BLOCKED}u.org
• {BLOCKED}edu.bo
• {BLOCKED}n89.com
• {BLOCKED}aproject.com
• {BLOCKED}u.net
• {BLOCKED}ia.com.pl
• {BLOCKED}r.by
• {BLOCKED}am.com
• {BLOCKED}a.cz
• {BLOCKED}gwithleaders.com
• {BLOCKED}llsstl.org
• {BLOCKED}semarketing.com
• {BLOCKED}ms.uk.com
• {BLOCKED}f.{BLOCKED}na.gov
• {BLOCKED}ndhillwinery.com
• {BLOCKED}pteam.com
• {BLOCKED}erontheweb.com
• www.{BLOCKED}-ime.com
• www.{BLOCKED}s-edge.com
• www.{BLOCKED}ro.jp
• www.{BLOCKED}ows.co.uk
• www.{BLOCKED}b.net
• www.{BLOCKED}al.or.id
• www.{BLOCKED}n.com
• www.{BLOCKED}or.com
• www.{BLOCKED}nect.co.za
• www.{BLOCKED}us.com
• www.{BLOCKED}a.com
• www.{BLOCKED}oto.com
• www.{BLOCKED}nter.com
• www.{BLOCKED}r.com
• www.{BLOCKED}uction.com
• www.{BLOCKED}ubs.com
• www.{BLOCKED}pe.com
• www.{BLOCKED}s.net
• www.{BLOCKED}o-ind.com
• www.{BLOCKED}ero.com
• www.{BLOCKED}hino.com
• www.{BLOCKED}ush.com
• www.{BLOCKED}rdpkg.com
• {BLOCKED}roup.com
• {BLOCKED}to-sr.com
• {BLOCKED}ash.com
• {BLOCKED}nc.com
• {BLOCKED}rbatului.ro