TSPY_ZBOT.BPO

2012年10月8日

更新者 : Marfel Tiamzon

プラットフォーム:

Windows 2000, XP, Server 2003

危険度:

感染確認数:

システムへの影響:

情報漏えい:

マルウェアタイプ:
スパイウェア
破壊活動の有無:
なし
暗号化:
なし
感染報告の有無 :
はい

概要

スパイウェアは、ユーザ名およびパスワードといったオンラインバンキングに関連した個人情報を収集します。これにより、収集された情報は不正リモートユーザにより悪用される可能性があります。ユーザが監視サイトのいずれかにアクセスすると、スパイウェアは、キー入力操作情報を収集します。スパイウェアは、特定の銀行および金融機関のWebサイトで利用されるユーザ名やパスワードなどの個人情報を収集します。

スパイウェアは、銀行または金融関連機関のリストから情報を収集します。

詳細

ファイルサイズ 94,720 bytes

タイプ PE

メモリ常駐はい

発見日 2010年10月1日

ペイロードファイルのダウンロード, ファイルの作成

感染ポイント

スパイウェアは、以下のWebサイトからダウンロードされたファイルとして、コンピュータに侵入します。

http://{BLOCKED}z.com/uploads/z2.exe

インストール

スパイウェアは、以下のファイルを作成します。

%Application Data%\{random1}\{random}.exe
%Application Data%\{random2}\{random}.{random}

(註：%Application Data%フォルダは、 Windows 2000、XP、Server 2003 の場合 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" 、 Windows NTの場合 "C:\WINNT\Profiles\＜ユーザ名＞\Application Data"、Windows 98 および MEの場合、"C:\Windows\Profiles\＜ユーザ名＞\Application Data" です。)

スパイウェアは、以下のフォルダを作成します。

%Application Data%\{random1}
%Application Data%\{random2}

自動実行方法

スパイウェアは、自身のコピーがWindows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{B9C33BEF-0C62-B9C7-4763-F0B1CBC6BA82} = %Application Data%\{random1}\{random}.exe

他のシステム変更

スパイウェアは、以下のレジストリキーを追加します。

HKEY_CURRENT_USER\Software\Microsoft\
{random}

情報漏えい

スパイウェアは、感染したコンピュータ上でInternet Explorer（IE）の使用状況を監視します。スパイウェアは、特にIEのアドレスバーまたはタイトルバー情報を監視しますが、ユーザが銀行関連Webサイトを閲覧しそのサイトのアドレスバーまたはタイトルバーに以下の文字列が含まれていた場合、正規Webサイトを装った偽のログインページを作成します。

*.co-operativebank.co.uk/CBIBSWeb/login.do
*.co-operativebank.co.uk/CBIBSWeb/start.do
*.fidelity.com/ftgw/fbc/*/*
*.hsbc.co.uk/1/2/*
*.lloydstsb.co.uk/*
*/atl.osmp.ru/*
*/login.osmp.ru/*
*/surf.*
*193.104.12.127*
*allianzbank.it/s*
*anz.com/INETBANK*
*apps.standardlife.com/content/applications/portal/customer/*
*avivacustomer.co.uk/existing/site/public*
*bancopostaonline.poste.it/bpol*
*banking*.anz.com*
*bankofamerica.com/*
*bcp.pt*
*blinkx.com*
*cahoot.co*
*cardservicing.mint.co.uk/*
*cardservicing.tescofinance.com/*
*cardsonline-commercial.com/RBSG_Commercial/*
*cariprato.it*
*chase.com*
*clients.google.com*
*corp.millenniumbcp.pt*
*csebanking.it*
*csebo.it*
*dab-bank.de*
*discovercard.com/cardmembersvcs/achome/homepage*
*eset.com*
*get_flash_info*
*grupobanif.pt*
*hottraffic*
*ipko.pl*
*jump2*
*kiwibank.co.nz/banking/login.asp
*libertyreserve.com/EN/customer/account/
*libertyreserve.com/EN/customer/login2/choice/*
*managerland.pl*LanguageID=pl-PL*
*managerland.pl*LanguageID=pl-US*
*mcafee.com*
*meine.norisbank.de/
*messagebroker*
*mochibot.com*
*montepio.pt*
*mybank.alliance-leicester.co.uk/index.*
*myonlineaccounts2.abbeynational.co.uk*
*myspace.com*
*myspacecdn.com*
*northernrock.co.uk*
*online.westpac.com.au/esis/Login/SrvPage*
*poste.it/
*processplace.com*
*scanscout.com*
*secure.inteligo.com.pl*
*secure.tdwaterhouse.co.uk/webbroker2/*
*slashkey.com*
*tescofinance.com/personal/finance/register_insecure/*
*texanscu.org*
*tube.com*
*wamu.com*
*wfrtube.net*
*ya.ru*
*zango.com*
URLs from webinject scripts:
http*://*altergold.com/login.php*
http*://*bancamediolanum.it*
http*://*bankofinternet.com*
http*://*bbvanetcash.com*
http*://*bcaixanet-empresas.bancocaixageral.es*
http*://*coventrybuildingsociety.co.uk/onlineservices/login*
http*://*credem.it/OneToOne/ebank/functions*
http*://*e-gold.com/acct/login.asp*
http*://*first-direct.com*
http*://*icesave.co.uk/*
http*://*lloydstsb.co.uk*
http*://*mbna.co.uk/*
http*://*mybusinessbank.co.uk*
http*://*scibinet.com/bus/security/Welcome.do?action=form&UserRoleID=*
http*://*unfcu.org*
http*://*usaa.com/*
http*://*wellsfargo.com/*
http://allianzbank.it/rasbankit/js/login.js
http://fundtech.com/AccessPro
http://fundtech.com/AccessPro/Admin
http://fundtech.com/AccessPro/Common
http://fundtech.com/AccessPro/Security
http://www.bebo.com/*
http://www.caixatarragona.es/esp/sec_20/codigos.html
http://www.firstbankpr.com/
http://www.macromedia.com/go/getflashplayer
http://www.natweststockbrokers.co.uk/securehelp/loginsecurity.htm
http://www.natweststockbrokers.co.uk/securehelp/loginsecurity.htm#savetime
http://www.pkobp.pl/redirect.php?id=bezpieczenstwo_ipko
http://www.pkobp.pl/redirect.php?id=certyfikat_ipko
http://www.pkobp.pl/redirect.php?id=placowki_ipko
http://www.pkobp.pl/redirect.php?id=praktycznewskazowki_ipko
http://www.pkobp.pl/redirect.php?id=przegladarki_ipko
http://www.pkobp.pl/redirect.php?id=zabezpieczenia_ipko
http://www.synovus.com/
http://www.w3.org/TR/REC-html40
https://*.alaskausa.org/*
https://*.ameritrade.com/cgi-bin/apps/SecurityChallenge
https://*.banking.first-direct.com/1/2/*
https://*.bankofthewest.com/BOW/CustInfo/Challenge.aspx*
https://*.bbvanetlatam.com/*
https://*.cajamurcia.es/*
https://*.calcoastcu.org/cgi-bin/mcw000.cgi*
https://*.cedacri.it/*
https://*.cey-ebanking.com/*/Site/Index-m.asp
https://*.cey-ebanking.com/*/challenge/default.asp
https://*.coastcapitalsavings.com/Online_Banking/Accounts*
https://*.ebanking-services.com/nubi/StrongAuth/SignInContinue_Register.aspx
https://*.egg.com/*
https://*.etrade.com.au/*
https://*.fidelity.com/netbenefits/employeeservices/homepage*
https://*.hsbc.co.uk/*/IBLogon.jsp
https://*.ibanking-services.com/cib/*
https://*.lacaixa.es/*
https://*.libertyreserve.com/en/customer/login2/choice/*
https://*.nationalcity.com/*
https://*.navyfcu.org/nfoaa/accounts/summary*
https://*.onlinebanking.pnc.com/alservlet/MyAccountsServlet*
https://*.principal.com/fiprin_Banking/pb*
https://*.royalbank.com/cgi-bin/rbaccess/*
https://*.schwab.com/*
https://*.schwab.com/*BrokerageBalances.aspx*
https://*.scotiabank.com/*
https://*.smile.co.uk/*/start.do*
https://*.tdcanadatrust.com/servlet/ca.tdbank.banking.servlet.FinancialSummaryServlet*
https://*.wachovia.com/myAccounts.aspx
https://*.web-cashplus.com/Cashplus/
https://*/IBWS/checkUser.do
https://*/efs/servlet/efs/*
https://*/efs/servlet/efsonline/*
https://*/efs/servlet/efsonline/index.jsp*
https://*/efs/servlet/efsonline/myprofile.jsp*
https://*/onlineserv/HB/Summary.cgi?primaryButton=ACCOUNT_ACCESS&secondaryButton=ACCOUNT_SUMMARY
https://*/pbi_pbi1961/PBI1961.asp?WCI=NextLoginOption&SPTN=*
https://*53.com/servlet/*
https://*addisonavenue.com*
https://*americanexpress.com/*
https://*appliedbank.com/accountSummary.do*
https://*bankcardservices.co.uk/*
https://*bmo.com/cgi-bin/netbnx/NBmain/Password*
https://*bvi.bnc.ca/bnc*
https://*bwin.com/*/Default.aspx*
https://*cajamar.es/BE/extern/htm/login.html*
https://*citizensbankonline.com/efs/servlet/efs/login-*.jsp
https://*clavenet.net*
https://*credem.it/OneToOne/ebank/functions/login/loginChecker.jsp*
https://*dcu.com*
https://*egold.com*
https://*empresas.santandertotta.pt/canalempresas/finance/login.jsp*
https://*first-direct.com/*
https://*gbw2.it/cbl/jspPages/form_login_AV.jsp*
https://*gbw3.it/cbl/jspPages/form_login_SEC.jsp*
https://*gruppocarige.it/*/jsp/login.jsp*
https://*halifax-online.co.uk*
https://*halifax-online.co.uk/*
https://*halifax-online.co.uk/_mem_bin/*
https://*hanza.net/*
https://*hsbc.co.uk/1/2/*
https://*memberdirect.net/direct/mainmenu.jsp*
https://*money.yandex.ru/*
https://*mybank.alliance-leicester.co.uk/*
https://*mybusinessbank.co.uk/*
https://*myonlineaccounts*.abbeynational.co.uk*
https://*net24.montepio.pt*
https://*npbs.co.uk/*
https://*online.lloydstsb.co.uk*
https://*particulares.santandertotta.pt*
https://*securecy.hellenicnetbanking.com/personal*
https://*ulsterbankanytimebanking.*/login.aspx*
https://*usbank.com/internetBanking/LoginRouter
https://*vancity.com/MyMoney/OnlineBanking/Accounts/*
https://*welcome*.co-operativebank.co.uk*
https://*westpac.com.au/wtwt/startpage*
https://accounts.key.com/*
https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/jquery-ui.min.js
https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/themes/blitzer/ui.all.css
https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/themes/smoothness/ui.all.css
https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/themes/start/ui.all.css
https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/start/ui.all.css
https://ajax.googleapis.com/ajax/libs/yui/2.7.0/build/cookie/cookie-min.js
https://ajax.googleapis.com/ajax/libs/yui/2.7.0/build/json/json-min.js
https://ajax.googleapis.com/ajax/libs/yui/2.7.0/build/yahoo/yahoo-min.js
https://apps.standardlife.com/sladmincia2/check?strSubsite=slac&siteRequest=forgot_password
https://areasegura.banif.es/bog/bogbsn*
https://banca.cajaen.es/ISMC/Jaen/C@JAENdirecto.jsp*
https://bancaincasa.sba.bcc.it/*
https://bancaincasa.sba.bcc.it/htdocs/homemain_ita.html*
https://bancopostaimpresaonline.poste.it/*
https://bancopostaonline.poste.it/*
https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp*
https://banesnet.banesto.es/*/loginEmpresas.htm
https://banking*.anz.com/*
https://banking.chevychasebank.com/cgi-bin/Banking/3/signin/so3BLogin2.jsp
https://banking.firstcitizens.com/efs/servlet/efs/jsp-ns/auth-login2.jsp*
https://banking.firsttennessee.com/*/summary.jsp*
https://banking.zionsbank.com/zfnb/userServlet/app/bank/user/viewaccountsbysubtype/viewAccount*
https://banklinknet2.cariparma.it/*
https://banklinknet2.cariparma.it/NET2/Log*
https://bankwithpremieronline.evault.ws/*
https://bbank.cbonline.co.uk/images/clydesdale-bank-logo.gif
https://bcol.barclaycard.co.uk/*/*/myAccount*
https://bcol.barclaycard.co.uk/ecom/as/*
https://bcol.barclaycard.co.uk/ecom/as/images/logo.jpg
https://bob.sovereignbank.com/wcmfd/wcmpw/CustomerLogin
https://caonline.credito-agricola.pt*
https://cardsonline-commercial.com/RBSG_Commercial/PasswordStep1.do
https://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
https://chaseonline.chase.com/*
https://chaseonline.chase.com/MyAccounts.aspx
https://chaseonline.chase.com/secure/Profile/MailingAddress/SelectProfileMailingAddress.aspx
https://cm.firstbankpr.com/cashplus/
https://cm.firstbankpr.com/error
https://cm.netteller.com/login*/Authentication/Views/LoginCM.aspx
https://commerceconnections.commercebank.com/ibank/cmserver/welcome/default/verify.cfm
https://corporate.bancatoscana.it/*
https://corporate.bpn.pt/corporatebanking/v10/PT/aspx/empresas/recenseamento/autenticacao/emissao.aspx*
https://corporate.friuladria.it/*
https://database.acornmediauk.com/*
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0
https://easyweb*.tdcanadatrust.com/servlet/*
https://ebank.dibpak.com/ebank/getPasswordLenth.do*
https://ebanking.clarisbanca.it/JMCPortale/WebBrowsers/Layout/*
https://ebanking.clarisbanca.it/jsp/clarisbanca.sec*
https://empresas.gruposantander.es/WebEmpresas/nueva_imagen/index.jsp
https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
https://finanzportal.fiducia.de/ebpp03/*
https://goldleafach.com/ach/Login.aspx*
https://hb.quiubi.it/newSSO/x11logon.htm
https://hbnet*.cedacri.it/*
https://hbnet*.cedacri.it/HBNET/login.nsf/03043_iframe*
https://hbnet*.cedacri.it/HBNET/login.nsf/03124_iframe*
https://hbnet*.cedacri.it/HBNET/login.nsf/03177_iframe*
https://hbnet*.cedacri.it/HBNET/login.nsf/05704_iframe*
https://hbnet*.cedacri.it/HBNET/login.nsf/06045_iframeITA*
https://hbnet*.cedacri.it/HBNET/login.nsf/06115_iframe*
https://hbnet*.cedacri.it/HBNET/login.nsf/06120-iframe*
https://hbnet*.cedacri.it/HBNET/login.nsf/06155*
https://hbnet*.cedacri.it/HBNET/login.nsf/06205-iframe*
https://hbnet*1.cedacri.it/HBNET/login.nsf/03124_iframe*
https://home.americanexpress.com/home/navigation/shared/nav/images06/img_bluebox.gif
https://home.cbonline.co.uk/cbib/cbib/*
https://home.ingdirect.com/images/ingdirect_logo.gif
https://home.ybonline.co.uk/*
https://home.ybonline.co.uk/*/fullPassword.ctl*
https://home.ybonline.co.uk/ral/loginmgr/*
https://homebanking.bpn.pt*
https://homebanking.cariparma.it/*
https://homebanking.cariparma.it/HBPR/Login
https://homebanking.cariparma.it/HBPR/hbdoc/LoginApplicazione.jsp
https://homebanking.cariparma.it/HBPR/images/ElencoPrimoAccesso1.JPG
https://homebanking.fccu.org/*
https://homebanking.fccu.org/commonfiles/HBLogins/Loginv50.asp
https://ibank.cahoot.com/Aquarius/web/en/core_banking/log_in/frameset_top_log_in.html
https://ibank.cahoot.com/Aquarius/web/images/buttons/continue_cerulean_text.gif
https://ibank.cahoot.com/Aquarius/web/images/misc/spacer.gif
https://ibank.cahoot.com/servlet/com*
https://ibank.scnb.com/inets/Login.cfm
https://ibanking.banksa.com.au/InternetBanking/viewAccountPortfolio.do*
https://ibanking.stgeorge.com.au/InternetBanking/viewAccountPortfolio.do*
https://ibanking.warwickcreditunion.com.au/*
https://internetbanking.*/scripts/ibank.dll
https://internetbanking.suncorpmetway.com.au/*
https://login.fidelity.com/*
https://login.umb.com/mfa/do/login/challenge*
https://mail.yandex.ru/*
https://meine.norisbank.de/mod/WebObjects/nb.woa*
https://mfa.usafed.org/SecureAuth1/SecureAuth.aspx?*
https://my.if.com/PlanReviewAct/plan.asp
https://my.if.com/logon_conf/logo_medium.gif
https://myonlineaccounts*.abbeynational.co.uk/CentralLogonWeb/MyPersonalHomepage*
https://myonlineaccounts2.abbeynational.co.uk/ffStatic/images/abbey_blue_logo.gif
https://navyfcu.org/hpssl/images/3_logo_home.gif
https://netconnect.bokf.com/bbw/cmserver/welcome/default/login_brandimages/logo.gif
https://netconnect.bokf.com/bbw/cmserver/welcome/default/verify.cfm
https://new.egg.com/customer*
https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login*
https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login*
https://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
https://olb2.nationet.com/signon/signon*
https://onb.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
https://onb.webcashmgmt.com/wcmfd/wcmpw/ResetPassword%
https://onb.webcashmgmt.com/wcmfd/wcmpw/ResetPassword9
https://ondemand.ufcu.org/HBNET/accountinfo/balances.aspx*
https://online*.lloydstsb.co.uk/logon.ibc
https://online.citibank.com/US/JPS/portal/Home.do
https://online.islamic-bank.com/online/aspscripts/Logon.asp
https://online.lloydstsb.co.uk/*
https://online.schoolsfirstfcu.org/Onlinebanking/AcAccounts.aspx
https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
https://online.wellsfargo.com/das/cgi-bin/session.cgi*
https://online.westpac.com.au/esis/Login/SrvPage
https://online.westpac.com.au/esis/Login/SrvPage*
https://online.westpac.com.au/esis/images/aln_westpacprotect_26x100.gif
https://online.ybs.co.uk/public/authentication/*
https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
https://onlinebanking*.bankofamerica.com/balanceSheet.jsp
https://onlinebanking.capitalone.com/CAPITALONE/Accounts/*
https://onlinebanking.capitalone.com/CAPITALONE/Accounts/Summary.aspx*
https://onlinebanking.cedarsecurity.com/Pages/Login.aspx
https://onlinebanking.firsttrustbank.co.uk/*
https://onlinebanking.huntington.com/*
https://onlinebanking.mandtbank.com/*/*.aspx
https://onlinebanking.mandtbank.com/summary/AccountSummary.aspx
https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
https://onlinebanking.tcfexpress.com/*
https://onlinebanking.tdbank.com/images/TDBankLogo.gif
https://onlinebanking.tdbank.com/login.asp?*
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/CustomerServiceMenuEntryPoint?custAction=75
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*GotoWelcome
https://onlinetreasurymanager.suntrust.com/ibswebsuntrust/cmserver/welcome/default/verify.cfm
https://pastornetparticulares.bancopastor.es/SrPd*
https://pb.friuladria.it/BPFA/Home
https://pb.friuladria.it/BPFA/Login
https://prepaid.bankofamerica.com/CashPay/Pages/AccountSummary.aspx
https://prepaid.bankofamerica.com/CashPay/Pages/SignInCVV2.aspx
https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
https://rb.sffirecu.org/Transform/mfa_login.aspx*
https://resources.chase.com/MyAccounts.aspx
https://scrigno.popso.it/*
https://secure.*cu.org/auth/Authorize?fiid=1 !*facebook.com*
https://secure.ally.com/allyWebClient/accountList.do
https://secure.ally.com/allyWebClient/authChallenges.do
https://secure.fundsxpress.com/piles/fxweb.pile/custom_login?template=login&no_top_url=1&iid=ABMWI
https://secure.ingdirect.co.uk/InitialINGDirect.html*
https://secure.ingdirect.com/myaccount/INGDirect.html
https://secure.ingdirect.com/myaccount/INGDirect/*
https://secure.ingdirect.com/myaccount/INGDirect/security_questions.vm
https://secure.natweststockbrokers.co.uk/nws-secure2/*
https://secure.tcfexpress.com/tcf/images/logo.gif
https://securebank.regions.com/*
https://securebank.regions.com/balances/AccountSummary.aspx
https://securebank.regions.com/custservices/ChangeQuestionAnswers.aspx
https://securentry.zionsbank.com/Authentication/zbf*
https://service.oneaccount.com/onlineV*event=logi*
https://servizi.allianzbank.it/*
https://sitekey.bankofamerica.com/sas/maint.do
https://sitekey.bankofamerica.com/sas/sas-docs/js/commonscript.js
https://ssl.bsk.com.pl*
https://ssl.bsk.com.pl/*
https://ssl.clickbank.net/order/orderform.html?*
https://sunnet.suncoastfcu.org/SignIn/InitialUserSignIn.aspx*
https://telematic.caixamanlleu.es/*
https://trading.scottrade.com/home/Default.aspx
https://trading.scottrade.com/images/scottrade_logo_square.gif
https://uk.virginmoney.com/virgin/service/credit-card/*
https://verifiedbyvisa.barclays.co.uk/barclays/images/barclays/debit/logo_for_receipt.gif
https://verifiedbyvisa.barclays.co.uk/generic/images/new_receipt_vbv.gif
https://verifiedbyvisa.barclays.co.uk/generic/images/new_receipt_vbv.gif
https://wbank2.fmbcc.bcc.it/htdocs/index2.html*
https://web.secservizi.it/siteminderagent/forms/login.fcc
https://www#.citizensbankonline.com/*/index-wait.jsp
https://www#.usbank.com/internetBanking/LoginRouter
https://www*.americanexpress.com/myca/acctsumm/*
https://www.365online.co.uk/servlet/Dispatcher/login.htm*
https://www.365online.com/servlet/Dispatcher/login.htm
https://www.365online.com/servlet/Dispatcher/login2.htm
https://www.365online.com/servlet/Dispatcher/validate.htm
https://www.aacuaccess.org/onlineserv/HB/Summary.cgi?primaryButton=ACCOUNT_ACCESS&secondaryButton=ACCOUNT_SUMMARY
https://www.accessmycardonline.com/RBS_Consumer/*
https://www.accountonline.com/cards/svc/Dashboard.do
https://www.accountonline.com/cards/svc/Dashboard.do*
https://www.accountonline.com/cards/svc/img/hdr/hdr_citi_never_sleeps.gif
https://www.alertpay.com/AccountOverview.aspx
https://www.amalgamatedbank.com/onlineserv/HB/Summary.cgi?primaryButton=ACCOUNT_ACCESS&secondaryButton=ACCOUNT_SUMMARY
https://www.anz.com/INETBANK/login.asp*
https://www.bancamediolanum.it/*
https://www.bancoherrero.com/es/*
https://www.bankofamerica.com//www/global/mvc_objects/images/mhd_reg_logo.gif
https://www.bankofscotlandhalifax-online.co.uk/MyAccounts/MyAccounts.aspx*
https://www.bankunitedbusinessexpress.blilk.com/Core/Authentication/MFAUsername.aspx
https://www.bbva.es/TLBS/fbin/bbva_logo_tcm11-13047.gif
https://www.bbva.es/TLBS/tlbs/jsp/esp/home/
https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
https://www.bgnetplus.com/niloinet/login.jsp
https://www.bpmbanking.it/img/lg_bank.gif
https://www.bpmbanking.it/img/str_login_submit.gif) no-repeat;display: block;height: 22px;line-height: 500px;margin: 0px;overflow: ;width: 68px;
https://www.brownshipley-online.com/*
https://www.businesse-cashmanager.web-access.com/natpenn/cgi-bin/welcome.cgi
https://www.businesse-cashmanager.web-access.com/natpenn/images/natpennbank/loginban.gif
https://www.businessonlineaccess.web-cashplus.com/Cashplus/1
https://www.businessonlineaccess.web-cashplus.com/pub/js/utilities.js
https://www.businessonlineaccess.web-cashplus.com/pub/js/validation.js
https://www.businessonlineaccess.web-cashplus.com/pub/product_brands/synovus/css/brand.css
https://www.businessonlineaccess.web-cashplus.com/pub/product_brands/synovus/images/BOA%20Logo.jpg
https://www.caixagirona.es/cgi-bin/INclient_2030*
https://www.caixalaietana.es*
https://www.caixaontinyent.es/cgi-bin/INclient_2045*
https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp*
https://www.cajabadajoz.es/cgi-bin/INclient_6010*
https://www.cajacanarias.es/cgi-bin/INclient*
https://www.cajadeavila.es*
https://www.cajadeavila.es/cgi-bin/INclient_6094*
https://www.cajaespana.net/*
https://www.cajalaboral.com/home/acceso.asp*
https://www.cajasoldirecto.es/2106/*
https://www.cajavital.es/Appserver/vitalnet*
https://www.capitaloneonline.co.uk/CapitalOne_Consumer/Transactions.do
https://www.capitaloneonline.co.uk/CapitalOne_Consumer/images/capitalone_banner.jpg
https://www.cashu.com/CLogin/welcome
https://www.caterallenonline.co.uk/WebAccess.dll
https://www.ccm.es/cgi-bin/INclient_6105
https://www.chevychasebank.com/home.html
https://www.cibconline.cibc.com/*
https://www.citbank.co.uk/JSO/chcq/questandansw.php
https://www.citibank.co.in/ibank/*
https://www.citibank.co.uk/GBGCB/JPS/apps/challques/MainValidateFailure.d*
https://www.citibank.co.uk/GBGCB/JSO/signon/uname/HomePage.do*
https://www.citibank.de/DEGCB/JSO/signon/uname/Next.do*
https://www.columbiabankonline.com/onlineserv/CM/
https://www.columbiabankonline.com/onlineserv/CM/index.cgi
https://www.credem.it/OneToOne/ebank/functions/home/*
https://www.creditonebank.com/Index.aspx
https://www.csebanking.it/LogonEntry*
https://www.csebanking.it/ibportal/home-LOGIN_CLIENTE.do*
https://www.discovercard.com/images/logo-discover-financial-services.gif
https://www.e-gold.com/acct/balance.asp*
https://www.e-gold.com/acct/li.asp
https://www.ebank.hsbc.co.uk/main/IBLogon.jsp
https://www.ecathay.com/onlineserv/CM/
https://www.fibancmediolanum.es/BasePage.aspx*
https://www.fidelity.co.uk/investor/default.page*
https://www.firstmidwest.com/bankanytime/_bankaccountRandomQuestions.asp*
https://www.flagstarbanking2.com/onlineserv/*
https://www.flagstarbanking2.com/onlineserv/HB/images/logo.gif
https://www.gbw3.it*
https://www.google.com/accounts/ig.gif
https://www.gruposantander.es/bog/sbi*?ptns=acceso*
https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
https://www.gruppocarige.it/vbank/servlet/*
https://www.halifax-online.co.uk/MyAccounts/*
https://www.halifax.co.uk/common/images/hxlogo.gif
https://www.hsbc.co.uk/1/2/*
https://www.hsbccreditcard.com/*
https://www.hsbccreditcard.com/ecare/*
https://www.hsbccreditcard.com/ecare/images/logo_en_US_HB.gif
https://www.huntington.com/images/layout/huntington_logo.gif
https://www.ibsnetaccess.com/NASApp/*
https://www.ibsnetaccess.com/NASApp/NetAccess/*
https://www.iceplc.com/images/banks-logos/bank-of-scotland.jpg
https://www.in-biz.it*
https://www.independentcm.com/onlineserv/CM/
https://www.isbnj.com/home/home
https://www.isideonline.it/*
https://www.isideonline.it/relaxbankingwas/sso*Dispatcher*
https://www.iwbank.it
https://www.iwbank.it/private/index_pub.jhtml*
https://www.iwbank.it/private/index_pub.jhtml?_DARGS=/private/login_priv_form_component_compact_0.jhtml
https://www.iwizardonline.com/onlineserv/HB/HomeBanking.cgi*
https://www.iwizardonline.com/onlineserv/HB/Summary.cgi?primaryButton=ACCOUNT_ACCESS
https://www.iwizardonline.com/onlineserv/HB/layoutParameters/FlexGUI/images/logo_tfcu.gif
https://www.jefferson-bank.com/business/*
https://www.jefferson-bank.com/login/*
https://www.key.com/images/logo_rebrand.gif
https://www.macromedia.com/go/getflashplayer
https://www.memberconnectweb.org/*
https://www.memberconnectweb.org/ns-icons/mcwicon2.gif
https://www.moneybookers.com/app/*
https://www.moneybookers.com/app/login.pl
https://www.moneybookers.com/app/my_account.pl
https://www.mtb.com/PublishingImages/CustomerServiceZoneImage1.gif
https://www.mybank.alliance-leicester.co.uk*
https://www.mybank.alliance-leicester.co.uk/login/PM5.asp
https://www.mybank.alliance-leicester.co.uk/view_accounts/*
https://www.myfinancialresources.org/onlineserv/HB/Summary.cgi?primaryButton=ACCOUNT_ACCESS&secondaryButton=SUMMARY
https://www.nashvillecitizensbank.com/olbb/Login2FA.asp
https://www.netspend.com/
https://www.netspend.com/account/authenticate*
https://www.netspend.com/account/authenticate.m
https://www.netteller.com/*/hbMain.cfm*
https://www.nmsb.com/home/diFiles/skins/default/images/logo.gif
https://www.nmsb.com/onlineserv/*
https://www.nochex.com/*
https://www.nordstromcard.com/fdr_nr.service*
https://www.onlinebanking.pnc.com/alservlet/ModifySecurityQuestionsServlet?page=modifySecurityQuestions
https://www.onlinebanking.pnc.com/alservlet/MyAccountsServlet
https://www.onlinebanking.pnc.com/alservlet/SignonInitServlet*
https://www.paypal.com/*/cgi-bin/webscr*
https://www.paypal.com/*/cgi-bin/webscr?cmd=*
https://www.paypal.com/*/cgi-bin/webscr?cmd=_profile-address*
https://www.paypal.com/*cgi-bin/webscr?*
https://www.pcsbanking.net/onlinebanking*/login.r?t-bank=*
https://www.pcsbanking.net/onlinebanking2/acctlist.w
https://www.poste.it/online/personale/login*
https://www.poste.it/online/personale/login-home.fcc
https://www.quiubi.it/SIT/img/QUI_logo.gif
https://www.regions.com/img/logoRegions_213x45.gif
https://www.scotiaonline.scotiabank.com/*
https://www.secure.bnpparibas.net/*
https://www.sharebuilder.com/sharebuilder/Home.aspx
https://www.sharebuilder.com/sharebuilder/Login.aspx
https://www.shellfcuonline.com/onlineserv/HB/Signon.cgi*
https://www.skagitonlinebanking.com/onlineserv/CM/
https://www.smcu.com/onlineserv/HB/FrameNavigationComponent.cgi?*ACCOUNT_SUMMARY*
https://www.smcu.com/onlineserv/HB/layoutParameters/FlexGUI/images/logo-smcu.gif
https://www.starone.org/onlineserv/HB/FrameNavigationComponent.cgi?layoutstyle=A&mode=primary&primaryButton=ACCOUNT_ACCESS&secondaryButton=ACCOUNT_SUMMARY
https://www.sterlingwires.com/
https://www.sunnb.blilk.com/Core/Authentication/MFAUsername.aspx
https://www.suntrust.com/portal/server.pt*parentname=Login*
https://www.svbconnect.com/*
https://www.tabbank.com/onlineBanking/viewAcctSummary.do*
https://www.txn.banking.pcfinancial.ca/a/authentication*
https://www.txn.banking.pcfinancial.ca/a/banking/accounts/accountSummary.ams
https://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
https://www.us.hsbc.com/*
https://www.usaa.com/inet/ent_home/CpHome
https://www.usfed.org/onlineserv/HB/FrameNavigationComponent.cgi?*SUMMARY*
https://www.usfed.org/onlineserv/HB/layoutParameters/FlexGUI/images/logo.gif
https://www.verisign.com/assets/home/shared/images/vlogo.gif
https://www.wffcuonline.com/onlineserv/HB/Summary.cgi*
https://www.wffcuonline.com/onlineserv/HB/Summary.cgi?*
https://www.wffcuonline.com/onlineserv/HB/layoutParameters/FlexGUI/images/logo_topleft.gif
https://www.xoom.com/sendmoneynow/myaccount*
https://www2.csebo.it/webcontoc/08883login*
https://www3.netbank.commbank.com.au/netbank/bankmain*
https://www8.comerica.com/cma/portal/mybusinessconnect
https://your.egg.com/security/customer/login.aspx*

スパイウェアは、ユーザ名およびパスワードといったオンラインバンキングに関連した個人情報を収集します。これにより、収集された情報は不正リモートユーザにより悪用される可能性があります。

スパイウェアは、以下のWebサイトにアクセスし、自身の環境設定ファイルをダウンロードします。

http://{BLOCKED}ump67.tk/z2.nrg
http://{BLOCKED}2.tk/z2.nrg
http://{BLOCKED}z3.tk/z2.nrg
http://{BLOCKED}zz.com/uploads/z2.nrg

ユーザが監視サイトのいずれかにアクセスすると、スパイウェアは、キー入力操作情報を収集します。

なお、このファイルの内容である監視Webサイトのリストは、常時変更されます。

スパイウェアは、以下の銀行もしくは金融機関で利用される個人情報を収集します。

ANZ
Abbey National
Alertpay
Alliance & Leicester
American Express
Ameritrade
BBVA
BG Net Plus
Banca Intesa
Banco Bilbao Vizcaya Argentaria
Banco Caixa Geral
Banco Herrero
Banco Pastor
Banesto
Banif
Bank of America
Bank of the West
Barclays
Bebo
CCM
Caixa Girona
Caixa Laietana
Caixa Manlleu
Caixa Ontinyent
Caixa Tarragona
Caja Badajoz
Caja Canarias
Caja España
Caja Laboral
Caja Madrid
Caja Mar
Caja Murcia
Caja Vital
Caja de Avila
Caja de Jaen
Cajasol
Capital One
Chase
Citibank
Citizens
Citizens Bank
Clavenet
Clydesdale
Co-Operativebank
Crédito Agrícola On-Line
DAB
E-Gold
ETrade
Facebook
Fibanc Mediolanum
Fiducia
Fifth Third
First Direct
Gruppo Carige
HSBC
Halifax
ING Direct
IS Bank
IW Bank
Iside
La Caixa
Liberty Reserve
Lloyds
M&T Bank
MBNA Europe Bank Limited
McAfee
Moneybookers
Myspace
National City
Nationwide
Navy Federal Credit Union
Net Banking
OSPM
PNC
PayPal
PosteItaliane
Qui UBI
RBS
Raiffeisen
SEB
Santander
Scotiabank
Scrigno
Secservizi
Silicon Valley Bank
Smile
Star One Credit Union
Suntrust
TD Canada Trust
US Bank
USAA
Uno-E
Wachovia
Washington Mutual
Wells Fargo
Westpac Banking Corporation
Yandex
Yorkshire
Zions Bank

攻撃対象

スパイウェアは、銀行または金融関連機関のリストから情報を収集します。

情報収集

スパイウェアは、HTTPポストを介して、収集した情報を以下のURLに送信します。

http://{BLOCKED}z.com/stat/counter.php

その他

解析の結果、スパイウェアによるバックドア活動は確認されませんでした。

ハッシュ値情報

スパイウェアは、以下のMD5ハッシュ値を含んでいます。

1a4be815a7c08de7960b13fdb1b3ba8f

スパイウェアは、以下のSHA1ハッシュ値を含んでいます

f14dea4c641dbdc768c22f74a59bac55675f0659

対応方法

対応検索エンジン: 8.900

手順 1

Windows XP および Windows Server 2003 のユーザは、コンピュータからマルウェアもしくはアドウェア等を完全に削除するために、ウイルス検索の実行前には必ず「システムの復元」を無効にしてください。

手順 2

回復コンソールを使用して、TSPY_ZBOT.BPO として検出されるファイルを確認し、削除します。

[ 詳細 ]

手順 3

このレジストリキーを削除します。

[ 詳細 ]

警告：レジストリはWindowsの構成情報が格納されているデータベースであり、レジストリの編集内容に問題があると、システムが正常に動作しなくなる場合があります。
レジストリの編集はお客様の責任で行っていただくようお願いいたします。弊社ではレジストリの編集による如何なる問題に対しても補償いたしかねます。
レジストリの編集前にこちらをご参照ください。

In HKEY_CURRENT_USER\Software\Microsoft\
- {random}

手順 4

このレジストリ値を削除します。

[ 詳細 ]

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {B9C33BEF-0C62-B9C7-4763-F0B1CBC6BA82}=%Application Data%\{random1}\{random}.exe

手順 5

以下のフォルダを検索し削除します。

[ 詳細 ]

註：このフォルダは、隠しフォルダとして設定されている場合があります。[詳細設定オプション]をクリックし、[隠しファイルとフォルダの検索]のチェックボックスをオンにし、検索結果に隠しファイルとフォルダが含まれるようにしてください。

%Application Data%\{random1}
%Application Data%\{random2}

手順 6

最新のバージョン（エンジン、パターンファイル）を導入したウイルス対策製品を用い、ウイルス検索を実行してください。「TSPY_ZBOT.BPO」と検出したファイルはすべて削除してください。検出されたファイルが、弊社ウイルス対策製品により既に駆除、隔離またはファイル削除の処理が実行された場合、ウイルスの処理は完了しており、他の削除手順は特にありません。

ご利用はいかがでしたか？　アンケートにご協力ください

TSPY_ZBOT.BPO

概要

詳細

対応方法

関連URL

リソース

サポート

会社概要

東京本社

TSPY_ZBOT.BPO

概要

詳細

対応方法

関連URL

リソース

サポート

会社概要

東京本社

The Americas

Asia Pacific

Europe, Middle East & Africa