PE_SALITY.BME

ウイルスは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

侵入方法

ウイルスは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

他のシステム変更

ウイルスは、以下のファイルを削除します。

• %User Temp%\winmatvd.exe

(註：%User Temp%フォルダは、ユーザの一時フォルダで、Windows 2000、XP および Server 2003 の場合、通常、"C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"、Windows Vista 、 7 、8、8.1 、Server 2008 および Server 2012の場合、"C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。.)

ウイルスは、以下のレジストリキーを追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233

ウイルスは、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:enabled:ipsec"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
1651272023 = "88"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
-992423250 = "0"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
658848773 = "0"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
-1984846500 = "23"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
-333574477 = "1b"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
1317697546 = "{random characters}"

HKEY_CURRENT_USER\Software\Afqteuv\
1926745233
-1325997727 = "{random characters}"

HKEY_CURRENT_USER\Software\Afqteuv
W1_0 = "cc96283a"

HKEY_CURRENT_USER\Software\Afqteuv
W2_0 = "158d"

HKEY_CURRENT_USER\Software\Afqteuv
W3_0 = "136a29"

HKEY_CURRENT_USER\Software\Afqteuv
W4_0 = "0"

ウイルスは、以下のレジストリ値を変更します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(註：変更前の上記レジストリ値は、「2」となります。)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

ウイルスは、以下のレジストリキーを削除します。

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
AppMgmt

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
Base

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
Boot Bus Extender

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
Boot file system

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
CryptSvc

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
DcomLaunch

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
dmadmin

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
dmboot.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
dmio.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
dmload.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
dmserver

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
EventLog

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
File system

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
Filter

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
HelpSvc

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
Netlogon

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
PCI Configuration

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
PlugPlay

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
PNP Filter

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
Primary disk

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
RpcSs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
SCSI Class

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
sermouse.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
sr.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
SRService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
System Bus Extender

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
vga.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
vgasave.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
WinMgmt

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{36FC9E60-C465-11CF-8056-444553540000}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E965-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E969-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E96A-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E96B-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E96F-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E977-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E97B-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E97D-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E980-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{71A27CDD-812A-11D0-BEC7-08002BE2092F}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
AFD

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
AppMgmt

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Base

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Boot Bus Extender

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Boot file system

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Browser

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
CryptSvc

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
DcomLaunch

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Dhcp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
dmadmin

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
dmboot.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
dmio.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
dmload.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
dmserver

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
DnsCache

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
EventLog

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
File system

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Filter

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
HelpSvc

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
ip6fw.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
ipnat.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
LanmanServer

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
LanmanWorkstation

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
LmHosts

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Messenger

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NDIS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NDIS Wrapper

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Ndisuio

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NetBIOS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NetBIOSGroup

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NetBT

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NetDDEGroup

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Netlogon

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NetMan

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Network

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NetworkProvider

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
NtLmSsp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
PCI Configuration

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
PlugPlay

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
PNP Filter

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
PNP_TDI

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Primary disk

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
rdpcdd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
rdpdd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
rdpwd.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
rdsessmgr

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
RpcSs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
SCSI Class

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
sermouse.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
SharedAccess

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
sr.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
SRService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Streams Drivers

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
System Bus Extender

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
TDI

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
tdpipe.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
tdtcp.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
termservice

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
vga.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
vgasave.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
WinMgmt

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
WZCSVC

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{36FC9E60-C465-11CF-8056-444553540000}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E965-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E969-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E96A-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E96B-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E96F-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E972-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E973-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E974-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E975-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E977-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E97B-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E97D-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E980-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{71A27CDD-812A-11D0-BEC7-08002BE2092F}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network

作成活動

ウイルスは、以下のファイルを作成します。

• %User Temp%\winbnbhit.exe
• %System%\drivers\kksio.sys
• %User Temp%\wingjpyed.exe
• %User Temp%\winlxlgtx.exe
• %User Temp%\winefqfy.exe
• %User Temp%\efasr.exe
• %User Temp%\winsecgdj.exe
• %User Temp%\winwdeos.exe
• %User Temp%\winxyai.exe
• %User Temp%\cbxow.exe
• %User Temp%\vmkybk.exe
• %User Temp%\egjq.exe
• %User Temp%\boiiek.exe
• %User Temp%\winhxhaop.exe
• %User Temp%\swlcmi.exe
• %User Temp%\uxrb.exe
• %User Temp%\dpxcmk.exe
• %User Temp%\winybpqo.exe
• %User Temp%\winbfyiay.exe
• %User Temp%\winxyfapf.exe
• %User Temp%\winfmbjqa.exe
• %User Temp%\hnexc.exe
• %User Temp%\winbqsoob.exe
• %User Temp%\kyml.exe
• %User Temp%\cbhe.exe
• %User Temp%\winthojx.exe
• %User Temp%\winaknll.exe
• %User Temp%\uewibg.exe
• %User Temp%\kuxwcc.exe
• %User Temp%\jyka.exe
• %User Temp%\winvvoe.exe
• %User Temp%\drnr.exe
• %User Temp%\winplwtr.exe
• %User Temp%\qjqaws.exe
• %User Temp%\rila.exe
• %User Temp%\edduht.exe
• %User Temp%\winhgpo.exe
• %User Temp%\mkjv.exe
• %User Temp%\winlnqmk.exe
• %User Temp%\wintvxtbu.exe
• %User Temp%\qilim.exe
• %User Temp%\pavy.exe
• %User Temp%\winocra.exe
• %User Temp%\vmscq.exe
• %User Temp%\winokxs.exe
• %User Temp%\winoymdwg.exe
• %User Temp%\winwgxex.exe
• %User Temp%\winjhlrxn.exe
• %User Temp%\winkjurvd.exe
• %User Temp%\winugdmeo.exe
• %User Temp%\wrmnuv.exe
• %User Temp%\winxgkhg.exe
• %User Temp%\ntht.exe
• %User Temp%\uxopn.exe
• %User Temp%\uxxor.exe
• %User Temp%\rlne.exe
• %User Temp%\cgix.exe
• %User Temp%\mxjf.exe
• %User Temp%\vipmb.exe
• %User Temp%\winsyigkr.exe
• %User Temp%\winkjdr.exe
• %User Temp%\fbbvs.exe
• %User Temp%\winmwdeyy.exe
• %User Temp%\tmsg.exe
• %User Temp%\winvsxym.exe
• %User Temp%\teakyb.exe
• %User Temp%\winnlolt.exe
• %User Temp%\xalj.exe
• %User Temp%\winewjw.exe
• %User Temp%\winmemn.exe
• %User Temp%\windfkln.exe
• %User Temp%\winenmpwl.exe
• %User Temp%\ewbiqs.exe
• %User Temp%\winmolfq.exe
• %User Temp%\winugeeqa.exe
• %User Temp%\ckjnve.exe
• %User Temp%\winpmee.exe
• %User Temp%\winvehlg.exe
• %User Temp%\kybbav.exe
• %User Temp%\winhhulmt.exe
• %User Temp%\gotlk.exe
• %User Temp%\winmquymq.exe
• %User Temp%\winbhywga.exe
• %User Temp%\wfika.exe
• %User Temp%\winarnl.exe
• %User Temp%\sdmsk.exe
• %User Temp%\wintdeg.exe
• %User Temp%\winidff.exe
• %User Temp%\fegim.exe
• %User Temp%\winusfq.exe
• %User Temp%\cmwo.exe
• %User Temp%\wintjeiue.exe
• %User Temp%\winxvoko.exe
• %User Temp%\winofpl.exe
• %User Temp%\winudxt.exe
• %User Temp%\winsfce.exe
• %User Temp%\winwxlc.exe
• %User Temp%\ipdofx.exe
• %User Temp%\winclqdjv.exe
• %User Temp%\windlhias.exe
• %User Temp%\winrpgvg.exe
• %User Temp%\wingvcqh.exe
• %User Temp%\uqjr.exe
• %User Temp%\winmioxlj.exe
• %User Temp%\clps.exe
• %User Temp%\oaoy.exe
• %User Temp%\winaeotd.exe
• %User Temp%\wingjvbk.exe
• %User Temp%\winkima.exe
• %User Temp%\winncbke.exe
• %User Temp%\btwcc.exe
• %User Temp%\sliqgu.exe
• %User Temp%\winnnlmv.exe
• %User Temp%\winprie.exe
• %User Temp%\xpkwfc.exe
• %User Temp%\wgoip.exe
• %User Temp%\winolvpc.exe
• %User Temp%\winfdvm.exe
• %User Temp%\enwq.exe
• %User Temp%\jabfgd.exe
• %User Temp%\winxwvgc.exe
• %User Temp%\mpllii.exe
• %User Temp%\winakbs.exe
• %User Temp%\tbqki.exe
• %User Temp%\mfna.exe
• %User Temp%\wingvonkx.exe
• %User Temp%\winmgqyba.exe
• %User Temp%\ccquw.exe
• %User Temp%\winiymgmk.exe
• %User Temp%\winxkcvu.exe
• %User Temp%\vuldp.exe
• %User Temp%\winxglngs.exe
• %User Temp%\whmqb.exe
• %User Temp%\wingdwej.exe
• %User Temp%\fgjs.exe
• %User Temp%\winbwebms.exe
• %User Temp%\tstvja.exe
• %User Temp%\wintsmyxs.exe

(註：%User Temp%フォルダは、ユーザの一時フォルダで、Windows 2000、XP および Server 2003 の場合、通常、"C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"、Windows Vista 、 7 、8、8.1 、Server 2008 および Server 2012の場合、"C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。.. %System%フォルダは、システムフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows\System32" です。.)

その他

ウイルスは、以下の不正なWebサイトにアクセスします。

• http://{BLOCKED}ry.org/images/xs.jpg?3d766=2517500
• http://www.{BLOCKED}desk.org/images/xs.jpg?4001b=262171
• http://arthur.{BLOCKED}a.biz/xs.jpg?40646=1846250
• http://{BLOCKED}x.com/xs.jpg?408c6=264390
• http://{BLOCKED}pie.in/images/xs.jpg?41420=801888
• http://{BLOCKED}ye.net/xs.jpg?41624=1874684
• http://g2.{BLOCKED}itech.com/xs.jpg?41866=2415510
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?418e3=1342575
• http://{BLOCKED}ry.org/images/xs.jpg?41bb2=538468
• http://www.{BLOCKED}desk.org/images/xs.jpg?41d19=2695930
• http://arthur.{BLOCKED}a.biz/xs.jpg?41ecf=810093
• http://{BLOCKED}x.com/xs.jpg?42121=541250
• http://{BLOCKED}pie.in/images/xs.jpg?42c6b=273515
• http://{BLOCKED}ye.net/xs.jpg?42e21=1369765
• http://g2.{BLOCKED}itech.com/xs.jpg?42f4a=274250
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?42f98=274328
• http://{BLOCKED}ry.org/images/xs.jpg?43218=1649808
• http://www.{BLOCKED}desk.org/images/xs.jpg?433ed=550874
• http://arthur.{BLOCKED}a.biz/xs.jpg?4364e=552092
• http://{BLOCKED}x.com/xs.jpg?43777=829029
• http://{BLOCKED}pie.in/images/xs.jpg?454c3=1703058
• http://{BLOCKED}ye.net/xs.jpg?456a8=1990296
• http://g2.{BLOCKED}itech.com/xs.jpg?457ff=854013
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?457ff=1708026
• http://{BLOCKED}ry.org/images/xs.jpg?45a51=1426325
• http://www.{BLOCKED}desk.org/images/xs.jpg?45b8a=1713468
• http://arthur.{BLOCKED}a.biz/xs.jpg?45d20=2859840
• http://{BLOCKED}x.com/xs.jpg?45e58=2576664
• http://{BLOCKED}pie.in/images/xs.jpg?46936=578156
• http://{BLOCKED}ye.net/xs.jpg?46a3f=1736058
• http://g2.{BLOCKED}itech.com/xs.jpg?46bd6=2607750
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?46bd6=1448750
• http://{BLOCKED}ry.org/images/xs.jpg?46d7b=1160684
• http://www.{BLOCKED}desk.org/images/xs.jpg?46e27=2903430
• http://arthur.{BLOCKED}a.biz/xs.jpg?46fec=872388
• http://{BLOCKED}x.com/xs.jpg?4721f=582718
• http://{BLOCKED}pie.in/images/xs.jpg?47ced=1764750
• http://{BLOCKED}ye.net/xs.jpg?48a2b=2677635
• http://g2.{BLOCKED}itech.com/xs.jpg?48e04=298500
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?48e52=1194312
• http://{BLOCKED}ry.org/images/xs.jpg?493c0=2699712
• http://www.{BLOCKED}desk.org/images/xs.jpg?494da=2702250
• http://arthur.{BLOCKED}a.biz/xs.jpg?4971c=300828
• http://{BLOCKED}x.com/xs.jpg?498c2=2410000
• http://{BLOCKED}pie.in/images/xs.jpg?4a303=2431000
• http://{BLOCKED}ye.net/xs.jpg?4a41c=912468
• http://g2.{BLOCKED}itech.com/xs.jpg?4a574=304500
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?4a583=1218060
• http://{BLOCKED}ry.org/images/xs.jpg?4a823=1831122
• http://www.{BLOCKED}desk.org/images/xs.jpg?4a8bf=1221372
• http://arthur.{BLOCKED}a.biz/xs.jpg?4aad3=1529375
• http://{BLOCKED}x.com/xs.jpg?4abec=2143092
• http://{BLOCKED}pie.in/images/xs.jpg?4b5ee=2469744
• http://{BLOCKED}ye.net/xs.jpg?4b7b3=3091710
• http://g2.{BLOCKED}itech.com/xs.jpg?4b86f=2474872
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?4b88e=928170
• http://{BLOCKED}ry.org/images/xs.jpg?4bae0=3099840
• http://www.{BLOCKED}desk.org/images/xs.jpg?4bc09=1861686
• http://arthur.{BLOCKED}a.biz/xs.jpg?4bdde=2175250
• http://{BLOCKED}x.com/xs.jpg?4bf64=1555700
• http://{BLOCKED}pie.in/images/xs.jpg?4c9f3=313843
• http://{BLOCKED}ye.net/xs.jpg?4cb2c=2199092
• http://g2.{BLOCKED}itech.com/xs.jpg?4ccb2=314546
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?4ccb2=1258184
• http://{BLOCKED}ry.org/images/xs.jpg?4cf72=315250
• http://www.{BLOCKED}desk.org/images/xs.jpg?4d06c=631000
• http://arthur.{BLOCKED}a.biz/xs.jpg?4d211=1579605
• http://{BLOCKED}x.com/xs.jpg?4d32b=316203
• http://{BLOCKED}pie.in/images/xs.jpg?4de27=1595075
• http://{BLOCKED}ye.net/xs.jpg?4dfae=2555248
• http://g2.{BLOCKED}itech.com/xs.jpg?4e125=1598905
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?4e125=319781
• http://{BLOCKED}ry.org/images/xs.jpg?4ea5c=966420
• http://www.{BLOCKED}desk.org/images/xs.jpg?4eb27=3223430
• http://arthur.{BLOCKED}a.biz/xs.jpg?4ecdd=322781
• http://{BLOCKED}x.com/xs.jpg?4eed1=2262967
• http://{BLOCKED}pie.in/images/xs.jpg?4f98f=2608248
• http://{BLOCKED}ye.net/xs.jpg?4fac7=326343
• http://g2.{BLOCKED}itech.com/xs.jpg?4fc4e=1306936
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?4fc5e=3267500
• http://{BLOCKED}ry.org/images/xs.jpg?4ff2c=2619744
• http://www.{BLOCKED}desk.org/images/xs.jpg?50c4c=661656
• http://arthur.{BLOCKED}a.biz/xs.jpg?50e11=2981529
• http://{BLOCKED}x.com/xs.jpg?50fc6=1658590
• http://{BLOCKED}pie.in/images/xs.jpg?51a27=668750
• http://{BLOCKED}ye.net/xs.jpg?51b6f=1338812
• http://g2.{BLOCKED}itech.com/xs.jpg?51cd6=2680496
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?51cd6=1005186
• http://{BLOCKED}ry.org/images/xs.jpg?51f66=671436
• http://www.{BLOCKED}desk.org/images/xs.jpg?520ed=2688872
• http://arthur.{BLOCKED}a.biz/xs.jpg?52283=1682575
• http://{BLOCKED}x.com/xs.jpg?5239c=2020776
• http://{BLOCKED}pie.in/images/xs.jpg?52e99=1018827
• http://{BLOCKED}ye.net/xs.jpg?53010=2719872
• http://g2.{BLOCKED}itech.com/xs.jpg?53148=2382072
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?531e5=2723624
• http://{BLOCKED}ry.org/images/xs.jpg?533f8=3409840
• http://www.{BLOCKED}desk.org/images/xs.jpg?5357f=3072375
• http://arthur.{BLOCKED}a.biz/xs.jpg?53744=3076452
• http://{BLOCKED}x.com/xs.jpg?538ab=1368748
• http://{BLOCKED}pie.in/images/xs.jpg?543c7=3105279
• http://{BLOCKED}ye.net/xs.jpg?5452e=690780
• http://g2.{BLOCKED}itech.com/xs.jpg?546f3=2075058
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?546f3=1383372
• http://{BLOCKED}ry.org/images/xs.jpg?54955=3464530
• http://www.{BLOCKED}desk.org/images/xs.jpg?55626=349734
• http://arthur.{BLOCKED}a.biz/xs.jpg?55839=2802120
• http://{BLOCKED}x.com/xs.jpg?56549=2121654
• http://{BLOCKED}pie.in/images/xs.jpg?56fa9=1781325
• http://{BLOCKED}ye.net/xs.jpg?5717e=713468
• http://g2.{BLOCKED}itech.com/xs.jpg?57278=2498888
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?57324=714312
• http://{BLOCKED}ry.org/images/xs.jpg?57508=2861120
• http://www.{BLOCKED}desk.org/images/xs.jpg?57670=2148000
• http://arthur.{BLOCKED}a.biz/xs.jpg?57900=1075968
• http://{BLOCKED}x.com/xs.jpg?57a19=2871496
• http://{BLOCKED}pie.in/images/xs.jpg?58516=723500
• http://{BLOCKED}ye.net/xs.jpg?586cb=3621870
• http://g2.{BLOCKED}itech.com/xs.jpg?587b5=1087263
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?587c5=2537059
• http://{BLOCKED}ry.org/images/xs.jpg?5896b=725718
• http://www.{BLOCKED}desk.org/images/xs.jpg?58b6f=726750
• http://arthur.{BLOCKED}a.biz/xs.jpg?58d53=3274731
• http://{BLOCKED}x.com/xs.jpg?58eba=2913744
• http://{BLOCKED}pie.in/images/xs.jpg?59959=2201622
• http://{BLOCKED}ye.net/xs.jpg?59ac0=1836480
• http://g2.{BLOCKED}itech.com/xs.jpg?59c09=1102875
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?59c18=1838200
• http://{BLOCKED}ry.org/images/xs.jpg?59e1c=3681560
• http://www.{BLOCKED}desk.org/images/xs.jpg?59e99=2946248
• http://arthur.{BLOCKED}a.biz/xs.jpg?5a129=3320433
• http://{BLOCKED}x.com/xs.jpg?5a233=3692030
• http://{BLOCKED}pie.in/images/xs.jpg?5ad4e=1488184
• http://{BLOCKED}ye.net/xs.jpg?5aeb6=2234436
• http://g2.{BLOCKED}itech.com/xs.jpg?5b02d=1491124
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?5b02d=2609467
• http://{BLOCKED}ry.org/images/xs.jpg?5b2fc=1120500
• http://www.{BLOCKED}desk.org/images/xs.jpg?5b3b7=3363183
• http://arthur.{BLOCKED}a.biz/xs.jpg?5b5ca=1122654
• http://{BLOCKED}x.com/xs.jpg?5b6e4=749000
• http://{BLOCKED}pie.in/images/xs.jpg?5c182=2640526
• http://{BLOCKED}ye.net/xs.jpg?5c396=2644250
• http://g2.{BLOCKED}itech.com/xs.jpg?5c4de=2646546
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?5c55b=2269218
• http://{BLOCKED}ry.org/images/xs.jpg?5c79d=1515124
• http://www.{BLOCKED}desk.org/images/xs.jpg?5c8e5=1137327
• http://arthur.{BLOCKED}a.biz/xs.jpg?5ca8b=759062
• http://{BLOCKED}x.com/xs.jpg?5cc21=2279622
• http://{BLOCKED}pie.in/images/xs.jpg?5d79b=765750
• http://{BLOCKED}ye.net/xs.jpg?5d940=1533184
• http://g2.{BLOCKED}itech.com/xs.jpg?5db44=2686684
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?5db54=3070624
• http://{BLOCKED}ry.org/images/xs.jpg?5ddd4=1153404
• http://www.{BLOCKED}desk.org/images/xs.jpg?5df0d=3078248
• http://arthur.{BLOCKED}a.biz/xs.jpg?5e0c2=3081744
• http://{BLOCKED}x.com/xs.jpg?5e22a=1156734
• http://{BLOCKED}pie.in/images/xs.jpg?5ecf7=1941715
• http://{BLOCKED}ye.net/xs.jpg?5ee30=3886560
• http://g2.{BLOCKED}itech.com/xs.jpg?5ef68=1166904
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?5ef68=3889680
• http://{BLOCKED}ry.org/images/xs.jpg?5f276=2338500
• http://www.{BLOCKED}desk.org/images/xs.jpg?5f331=1169811
• http://arthur.{BLOCKED}a.biz/xs.jpg?5f535=2342718
• http://{BLOCKED}x.com/xs.jpg?5f67d=781562
• http://{BLOCKED}pie.in/images/xs.jpg?601c7=787342
• http://{BLOCKED}ye.net/xs.jpg?60419=2365590
• http://g2.{BLOCKED}itech.com/xs.jpg?604d5=1183359
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?604d5=1972265
• http://{BLOCKED}ry.org/images/xs.jpg?60717=1580124
• http://www.{BLOCKED}desk.org/images/xs.jpg?608dc=2768388
• http://arthur.{BLOCKED}a.biz/xs.jpg?60b1e=3960620
• http://{BLOCKED}x.com/xs.jpg?60cd4=3172000
• http://{BLOCKED}pie.in/images/xs.jpg?61734=2394936
• http://{BLOCKED}ye.net/xs.jpg?6183d=3195368
• http://g2.{BLOCKED}itech.com/xs.jpg?61a03=799750
• http://ampyazilim.{BLOCKED}m.tr/images/xs2.jpg?61a22=2799342
• http://{BLOCKED}ry.org/images/xs.jpg?61c64=800968
• http://www.{BLOCKED}desk.org/images/xs.jpg?61d7d=400765
• http://arthur.{BLOCKED}a.biz/xs.jpg?61fa0=3611808
• http://{BLOCKED}x.com/xs.jpg?621f2=401906
• http://{BLOCKED}pie.in/images/xs.jpg?62c62=3236624
• http://{BLOCKED}ye.net/xs.jpg?62d7b=1619436
• http://g2.{BLOCKED}itech.com/xs.jpg?62e85=1215375
• {BLOCKED}8.221.44
• {BLOCKED}.248.123
• {BLOCKED}.26.252
• {BLOCKED}226.16
• {BLOCKED}.80.214

このウイルス情報は、自動解析システムにより作成されました。