Trojan.BAT.KILLAV.H

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、ワーム活動の機能を備えていません。

マルウェアは、バックドア活動の機能を備えていません。

マルウェアは、情報収集する機能を備えていません。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のプロセスを追加します。

• sc delete "swprv"
• sc stop "swprv"
• sc delete "VSS"
• sc stop "VSS"
• sc delete "BITS"
• sc stop "BITS"
• sc delete "VssEaseusProvider"
• sc stop "VssEaseusProvider"
• sc delete "afcdpsrv"
• sc stop "afcdpsrv"
• sc delete "EaseUS Agent"
• sc stop "EaseUS Agent"
• taskkill -f -im Agent.exe
• taskkill -f TodoBackupService.exe
• sc delete "Apache2.4"
• sc stop "Apache2.4"
• taskkill -f -im httpd.exe
• sc delete "AnyDesk"
• sc stop "AnyDesk"
• taskkill -f -im AnyDesk.exe
• taskkill -f -im openvpn-gui.exe
• sc delete "TeamViewer"
• sc stop "TeamViewer"
• sc delete "SBIS3Plugin"
• sc stop "SBIS3Plugin"
• taskkill -f -im sbis3plugin.exe
• taskkill -f -im Skype.exe
• taskkill -f -im TOTALCMD64.EXE
• taskkill -f -im TOTALCMD.EXE
• taskkill -f -im kpm_service.exe
• taskkill -f -im nhsrvice.exe
• sc delete "HASP Loader"
• sc stop "HASP Loader"
• sc delete "hasplms"
• sc stop "hasplms"
• taskkill -f -im hasplms.exe
• taskkill -f -im chrome.exe
• taskkill -f -im SACMonitor.exe
• sc delete "klvssbridge64_21.17"
• sc delete "klvssbridge64_21.16"
• sc delete "klvssbridge64_21.15"
• sc delete "klvssbridge64_21.14"
• sc delete "klvssbridge64_19.0.0"
• sc stop "klvssbridge64_19.0.0"
• sc stop "klvssbridge64_21.17"
• sc stop "klvssbridge64_21.16"
• sc stop "klvssbridge64_21.15"
• sc stop "klvssbridge64_21.14"
• sc delete "AdobeARMservice"
• sc stop "AdobeARMservice"
• taskkill -f -im 1cv8c.exe
• taskkill -f -im 1cv7s.exe
• taskkill -f -im officeclicktorun.exe
• sc delete "AcrSch2Svc"
• sc stop "AcrSch2Svc"
• sc delete "AcronisAgent"
• sc delete "AcrSch2Svc"
• sc delete "AMS"
• sc delete "ARSM"
• sc delete "MMS"
• sc delete "StorageNode"
• sc stop "AcronisAgent"
• sc stop "AcrSch2Svc"
• sc stop "AMS"
• sc stop "ARSM"
• sc stop "MMS"
• sc stop "StorageNode"
• taskkill -f -im Agent.exe
• taskkill -f -im schedul2.exe
• taskkill -f -im ManagementServer.exe
• taskkill -f -im StorageServer.exe
• taskkill -f -im schedhlp.exe
• taskkill -f -im TibMounterMonitor.exe
• taskkill -f -im schedhlp.exe
• sc delete "1C:Enterprise 8.3 Server Agent"
• sc stop "1C:Enterprise 8.3 Server Agent"
• sc delete "1C:Enterprise 8.3 Server Agent (x86-64)"
• sc stop "1C:Enterprise 8.3 Server Agent (x86-64)"
• taskkill -f -im ragent.exe
• taskkill -f -im browser.exe
• taskkill -f -im WINWORD.EXE
• sc delete "AmsWebServer"
• sc stop "AmsWebServer"
• sc delete "mmsminisrv"
• sc stop "mmsminisrv"
• sc delete "syncagentsrv"
• sc stop "syncagentsrv"
• sc delete "vmvss"
• sc stop "vmvss"
• sc delete "MSSQL$ACRONIS"
• sc stop "MSSQL$ACRONIS"
• sc delete "MSSQLServerADHelper"
• sc stop "MSSQLServerADHelper"
• sc delete "VGAuthService"
• sc delete "VM3DService"
• sc delete "VMTools"
• sc delete "VMwareCAFCommAmqpListener"
• sc delete "VMwareCAFManagementAgentHost"
• sc stop "VGAuthService"
• sc stop "VM3DService"
• sc stop "VMTools"
• sc stop "VMwareCAFCommAmqpListener"
• sc stop "VMwareCAFManagementAgentHost"
• sc delete "svsvc"
• sc stop "svsvc"
• sc delete "vmicvmsession"
• sc stop "vmicvmsession"
• sc delete "ekrn"
• sc stop "ekrn"
• taskkill -f -im egui.exe
• taskkill -f -im ekrn.exe
• sc delete "Backupper Service"
• sc stop "Backupper Service"
• sc delete "IISADMIN"
• sc stop "IISADMIN"
• taskkill -f -im 1cv8.exe
• taskkill -f -im 1cv8s.exe
• sc delete "FileZilla Server"
• sc stop "FileZilla Server"
• sc delete "kpm_launch_service"
• sc stop "kpm_launch_service"
• sc delete "MSSQL$ASACC"
• sc stop "MSSQL$ASACC"
• sc delete "SQLAgent$ASACC"
• sc stop "SQLAgent$ASACC"
• sc delete "SDRSVC"
• sc stop "SDRSVC"
• sc delete "wbengine"
• sc stop "wbengine"
• taskkill -f -im kpm_tray.exe
• taskkill -f -im firefox.exe
• taskkill -f -im Viber.exe
• taskkill -f -im fbguard.exe
• taskkill -f -im fbserver.exe
• sc delete "RServer3"
• sc stop "RServer3"
• sc delete "DrWebAVService"
• sc stop "DrWebAVService"
• sc delete "DrWebCldSvc"
• sc stop "DrWebCldSvc"
• sc delete "DrWebEngine"
• sc stop "DrWebEngine"
• sc delete "DrWebES"
• sc stop "DrWebES"
• sc delete "DrWebNetFilter"
• sc stop "DrWebNetFilter"
• sc delete "DrWebWscService"
• sc stop "DrWebWscService"
• taskkill -f -im dwengine.exe
• sc delete "cbVSCService11"
• sc stop "cbVSCService11"
• sc delete "CobianBackup11"
• sc stop "CobianBackup11"
• taskkill -f -im cbInterface.exe
• taskkill -f -im 1cv7.exe
• taskkill -f -im EXCEL.EXE
• sc delete "RDPDefender"
• sc stop "RDPDefender"
• taskkill -f -im RDPDefender-service.exe
• taskkill -f -im TrueImageMonitor.exe
• sc delete "RdpGuardProxy"
• sc stop "RdpGuardProxy"
• sc delete "RdpGuardService"
• sc stop "RdpGuardService"
• taskkill -f -im rdpguard-svc.exe
• taskkill -f -im RDPGuardProxyServer.exe
• taskkill -f -im caller64.exe
• sc delete "Synology Drive VSS Service x64"
• sc stop "Synology Drive VSS Service x64"
• sc delete "mobile_backup_server"
• sc stop "mobile_backup_server"
• sc delete "mobile_backup_status_server"
• sc stop "mobile_backup_status_server"
• sc delete "VMUSBArbService"
• sc stop "VMUSBArbService"
• taskkill -f -im vmware-usbarbitrator64.exe
• sc delete "CipMsgProxyService"
• sc stop "CipMsgProxyService"
• sc delete "VMAuthdService"
• sc stop "VMAuthdService"
• sc delete "VMnetDHCP"
• sc stop "VMnetDHCP"
• sc delete "VMware NAT Service"
• sc stop "VMware NAT Service"
• sc delete "vmware-converter-agent"
• sc stop "vmware-converter-agent"
• sc delete "vmware-converter-server"
• sc stop "vmware-converter-server"
• sc delete "vmware-converter-worker"
• sc stop "vmware-converter-worker"
• sc delete "VMwareHostd"
• sc stop "VMwareHostd"
• taskkill -f -im vmware-authd.exe
• sc delete "AcronisActiveProtectionService"
• sc stop "AcronisActiveProtectionService"
• sc delete "Zabbix Agent"
• sc stop "Zabbix Agent"
• sc delete "vmcompute"
• sc stop "vmcompute"
• sc delete "vmms"
• sc stop "vmms"
• taskkill -f -im vmcompute.exe
• sc delete "vmickvpexchange"
• sc delete "vmicguestinterface"
• sc delete "vmicshutdown"
• sc delete "vmicheartbeat"
• sc delete "vmicrdv"
• sc delete "storflt"
• sc delete "vmictimesync"
• sc delete "vmicvss"
• sc delete "hvdsvc"
• sc delete "nvspwmi"
• sc delete "wmms"
• sc delete "AvgAdminServer"
• sc delete "AVG Antivirus"
• sc delete "avgAdminClient"
• sc delete "SAVService"
• sc delete "SAVAdminService"
• sc delete "Sophos AutoUpdate Service"
• sc delete "Sophos Clean Service"
• sc delete "Sophos Device Control Service"
• sc delete "Sophos Endpoint Defense Service"
• sc delete "Sophos File Scanner Service"
• sc delete "Sophos Health Service"
• sc delete "Sophos MCS Agent"
• sc delete "Sophos MCS Client"
• sc delete "SntpService"
• sc delete "swc_service"
• sc delete "swi_service"
• sc delete "Sophos UI"
• sc delete "swi_update"
• sc delete "Sophos Web Control Service"
• sc delete "Sophos System Protection Service"
• sc delete "Sophos Safestore Service"
• sc delete "hmpalertsvc"
• sc delete "RpcEptMapper"
• sc delete "Sophos Endpoint Defense Service"
• sc delete "SophosFIM"
• sc delete "swi_filter"
• sc delete "FirebirdGuardianDefaultInstance"
• sc delete "FirebirdServerDefaultInstance"
• sc stop "FirebirdServerDefaultInstance"
• sc delete "MSSQLFDLauncher"
• sc delete "MSSQLSERVER"
• sc delete "SQLSERVERAGENT"
• sc delete "SQLBrowser"
• sc delete "SQLTELEMETRY"
• sc delete "MsDtsServer130"
• sc delete "SSISTELEMETRY130"
• sc delete "SQLWriter"
• sc delete "MSSQL$VEEAMSQL2012"
• sc delete "SQLAgent$VEEAMSQL2012"
• sc delete "MSSQL"
• sc delete "SQLAgent"
• sc delete "MSSQLServerADHelper100"
• sc delete "MSSQLServerOLAPService"
• sc delete "MsDtsServer100"
• sc delete "ReportServer"
• sc delete "SQLTELEMETRY$HL"
• sc delete "TMBMServer"
• sc delete "MSSQL$PROGID"
• sc delete "MSSQL$WOLTERSKLUWER"
• sc delete "SQLAgent$PROGID"
• sc delete "SQLAgent$WOLTERSKLUWER"
• sc delete "MSSQLFDLauncher$OPTIMA"
• sc delete "MSSQL$OPTIMA"
• sc delete "SQLAgent$OPTIMA"
• sc delete "ReportServer$OPTIMA"
• sc delete "msftesql$SQLEXPRESS"
• sc delete "postgresql-x64-9.4"
• sc delete "postgresql-x64-16"
• sc delete "postgresql-x64-15"
• sc delete "postgresql-x64-14"
• sc delete "postgresql-x64-13"
• sc delete "postgresql-x64-12"
• sc delete "postgresql-x64-11"
• sc delete "postgresql-x64-10"
• sc delete "WRSVC"
• sc delete "ekrn"
• sc delete "ekrnEpsw"
• sc delete "klim6"
• sc delete "AVP18.0.0"
• sc delete "KLIF"
• sc delete "klpd"
• sc delete "klflt"
• sc delete "klbackupdisk"
• sc delete "klbackupflt"
• sc delete "klkbdflt"
• sc delete "klmouflt"
• sc delete "klhk"
• sc delete "KSDE1.0.0"
• sc delete "kltap"
• sc delete "ScSecSvc"
• sc delete "Core Mail Protection"
• sc delete "Core Scanning Server"
• sc delete "Core Scanning ServerEx"
• sc delete "Online Protection System"
• sc delete "RepairService"
• sc delete "Core Browsing Protection"
• sc delete "Quick Update Service"
• sc delete "McAfeeFramework"
• sc delete "macmnsvc"
• sc delete "masvc"
• sc delete "mfemms"
• sc delete "mfevtp"
• sc delete "TmFilter"
• sc delete "TMLWCSService"
• sc delete "tmusa"
• sc delete "TmPreFilter"
• sc delete "TMSmartRelayService"
• sc delete "TMiCRCScanService"
• sc delete "VSApiNt"
• sc delete "TmCCSF"
• sc delete "tmlisten"
• sc delete "TmProxy"
• sc delete "ntrtscan"
• sc delete "ofcservice"
• sc delete "TmPfw"
• sc delete "PccNTUpd"
• sc delete "PandaAetherAgent"
• sc delete "PSUAService"
• sc delete "NanoServiceMain"
• sc delete "EPIntegrationService"
• sc delete "EPProtectedService"
• sc delete "EPRedline"
• sc delete "EPSecurityService"
• sc delete "EPUpdateService"
• sc delete "UniFi"
• taskkill -f -im PccNTMon.exe
• taskkill -f -im NTRtScan.exe
• taskkill -f -im TmListen.exe
• taskkill -f -im TmCCSF.exe
• taskkill -f -im TmProxy.exe
• taskkill -f -im TMBMSRV.exe
• taskkill -f -im TMBMSRV.exe
• taskkill -f -im TmPfw.exe
• taskkill -f -im CNTAoSMgr.exe
• taskkill -f -im sqlbrowser.exe
• taskkill -f -im sqlwriter.exe
• taskkill -f -im sqlservr.exe
• taskkill -f -im msmdsrv.exe
• taskkill -f -im MsDtsSrvr.exe
• taskkill -f -im sqlceip.exe
• taskkill -f -im fdlauncher.exe
• taskkill -f -im Ssms.exe
• taskkill -f -im SQLAGENT.EXE
• taskkill -f -im fdhost.exe
• taskkill -f -im fdlauncher.exe
• taskkill -f -im sqlservr.exe
• taskkill -f -im ReportingServicesService.exe
• taskkill -f -im msftesql.exe
• taskkill -f -im pg_ctl.exe
• taskkill -f -im postgres.exe
• net stop MSSQLServerADHelper100
• net stop MSSQL$ISARS
• net stop MSSQL$MSFW
• net stop SQLAgent$ISARS
• net stop SQLAgent$MSFW
• net stop SQLBrowser
• net stop ReportServer$ISARS
• net stop SQLWriter
• net stop WinDefend
• net stop mr2kserv
• net stop MSExchangeADTopology
• net stop MSExchangeFBA
• net stop MSExchangeIS
• net stop MSExchangeSA
• net stop ShadowProtectSvc
• net stop SPAdminV4
• net stop SPTimerV4
• net stop SPTraceV4
• net stop SPUserCodeV4
• net stop SPWriterV4
• net stop SPSearch4
• net stop MSSQLServerADHelper100
• net stop IISADMIN
• net stop firebirdguardiandefaultinstance
• net stop ibmiasrw
• net stop QBCFMonitorService
• net stop QBVSS
• net stop QBPOSDBServiceV12
• net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
• net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
• net stop IISADMIN
• net stop "Simply Accounting Database Connection Manager"
• net stop QuickBooksDB1
• net stop QuickBooksDB2
• net stop QuickBooksDB3
• net stop QuickBooksDB4
• net stop QuickBooksDB5
• taskkill -f -im UniFi.exe
• tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender
• tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security
• tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security
• tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot
• tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET
• tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast
• TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"

感染活動

マルウェアは、ワーム活動の機能を備えていません。

バックドア活動

マルウェアは、バックドア活動の機能を備えていません。

ルートキット機能

マルウェアは、ルートキット機能を備えていません。

プロセスの終了

マルウェアは、感染コンピュータ上で確認した以下のサービスを終了します。

• firebirdguardiandefaultinstance
• IBM Domino Diagnostics (CProgramFilesIBMDomino)
• IBM Domino Server (CProgramFilesIBMDominodata)
• ibmiasrw
• mr2kserv
• MSExchangeADTopology
• MSExchangeFBA
• MSExchangeIS
• MSExchangeSA
• MSSQL$ISARS
• MSSQL$MSFW
• MSSQLServerADHelper100
• QBCFMonitorService
• QBPOSDBServiceV12
• QBVSS
• QuickBooksDB1
• QuickBooksDB2
• QuickBooksDB3
• QuickBooksDB4
• QuickBooksDB5
• ReportServer$ISARS
• ShadowProtectSvc
• Simply Accounting Database Connection Manager
• SPAdminV4
• SPSearch4
• SPTimerV4
• SPTraceV4
• SPUserCodeV4
• SPWriterV4
• SQLAgent$ISARS
• SQLAgent$MSFW
• SQLBrowser
• SQLWriter
• WinDefend

マルウェアは、感染コンピュータ上で以下のプロセスが常駐されていることを確認した場合、そのプロセスを終了します。

• 1cv7.exe
• 1cv7s.exe
• 1cv8.exe
• 1cv8c.exe
• 1cv8s.exe
• Agent.exe
• Agent.exe
• AnyDesk.exe
• browser.exe
• caller64.exe
• cbInterface.exe
• chrome.exe
• dwengine.exe
• egui.exe
• ekrn.exe
• EXCEL.EXE
• fbguard.exe
• fbserver.exe
• firefox.exe
• hasplms.exe
• httpd.exe
• kpm_service.exe
• kpm_tray.exe
• ManagementServer.exe
• nhsrvice.exe
• officeclicktorun.exe
• openvpn-gui.exe
• ragent.exe
• RDPDefender-service.exe
• rdpguard-svc.exe
• RDPGuardProxyServer.exe
• SACMonitor.exe
• sbis3plugin.exe
• schedhlp.exe
• schedhlp.exe
• schedul2.exe
• Skype.exe
• StorageServer.exe
• TibMounterMonitor.exe
• TOTALCMD.EXE
• TOTALCMD64.EXE
• TrueImageMonitor.exe
• TodoBackupService.exe
• UniFi.exe
• Viber.exe
• vmcompute.exe
• vmware-authd.exe
• vmware-usbarbitrator64.exe
• WINWORD.EXE
• Trend Micro:
  • CNTAoSMgr.exe
  • NTRtScan.exe
  • PccNTMon.exe
  • TMBMSRV.exe
  • TMBMSRV.exe
  • TmCCSF.exe
  • TmListen.exe
  • TmPfw.exe
  • TmProxy.exe
• SQL:
  • fdhost.exe
  • fdlauncher.exe
  • fdlauncher.exe
  • MsDtsSrvr.exe
  • msftesql.exe
  • msmdsrv.exe
  • pg_ctl.exe
  • postgres.exe
  • ReportingServicesService.exe
  • SQLAGENT.EXE
  • sqlbrowser.exe
  • sqlceip.exe
  • sqlservr.exe
  • sqlservr.exe
  • sqlwriter.exe
  • Ssms.exe

情報漏えい

マルウェアは、情報収集する機能を備えていません。

その他

マルウェアは、以下を実行します。

• It terminates and deletes the following services:
  • 1C:Enterprise 8.3 Server Agent (x86-64)
  • 1C:Enterprise 8.3 Server Agent
  • AcronisActiveProtectionService
  • AcronisAgent
  • AcrSch2Svc
  • AcrSch2Svc
  • AdobeARMservice
  • afcdpsrv
  • AMS
  • AmsWebServer
  • AnyDesk
  • Apache2.4
  • ARSM
  • Backupper Service
  • BITS
  • cbVSCService11
  • CipMsgProxyService
  • CobianBackup11
  • DrWebAVService
  • DrWebCldSvc
  • DrWebEngine
  • DrWebES
  • DrWebNetFilter
  • DrWebWscService
  • EaseUS Agent
  • ekrn
  • FileZilla Server
  • HASP Loader
  • hasplms
  • IISADMIN
  • klvssbridge64_19.0.0
  • klvssbridge64_21.14
  • klvssbridge64_21.15
  • klvssbridge64_21.16
  • klvssbridge64_21.17
  • kpm_launch_service
  • MMS
  • mmsminisrv
  • mobile_backup_server
  • mobile_backup_status_server
  • MSSQL$ACRONIS
  • MSSQL$ASACC
  • MSSQLServerADHelper
  • RDPDefender
  • RdpGuardProxy
  • RdpGuardService
  • RServer3
  • SBIS3Plugin
  • SDRSVC
  • SQLAgent$ASACC
  • StorageNode
  • svsvc
  • swprv
  • syncagentsrv
  • Synology Drive VSS Service x64
  • TeamViewer
  • VGAuthService
  • VM3DService
  • VMAuthdService
  • vmcompute
  • vmicvmsession
  • vmms
  • VMnetDHCP
  • VMTools
  • VMUSBArbService
  • vmvss
  • VMware NAT Service
  • vmware-converter-agent
  • vmware-converter-server
  • vmware-converter-worker
  • VMwareCAFCommAmqpListener
  • VMwareCAFManagementAgentHost
  • VMwareHostd
  • VSS
  • VssEaseusProvider
  • wbengine
  • Zabbix Agent
• It deletes the following services:
  • AVG
    • AVG Antivirus
    • avgAdminClient
    • AvgAdminServer
  • ESET
    • ekrn
    • ekrnEpsw
  • Firebird
    • FirebirdGuardianDefaultInstance
    • FirebirdServerDefaultInstance
  • Hyper-V
    • hvdsvc
    • nvspwmi
    • storflt
    • vmicguestinterface
    • vmicheartbeat
    • vmickvpexchange
    • vmicrdv
    • vmicshutdown
    • vmictimesync
    • vmicvss
    • wmms
  • Kaspersky
    • hvdsvc
    • nvspwmi
    • storflt
    • vmicguestinterface
    • vmicheartbeat
    • vmickvpexchangeaAVP18.0.0
    • klbackupdisk
    • klbackupflt
    • klflt
    • klhk
    • KLIF
    • klim6
    • klkbdflt
    • klmouflt
    • klpd
    • kltap
    • KSDE1.0.0
    • vmicrdv
    • vmicshutdown
    • vmictimesync
    • vmicvss
    • wmms
  • McAfee
    • macmnsvc
    • masvc
    • McAfeeFramework
    • mfemms
    • Mfevtp
  • Panda
    • EPIntegrationService
    • EPProtectedService
    • EPRedline
    • EPSecurityService
    • EPUpdateService
    • NanoServiceMain
    • PandaAetherAgent
    • PSUAService
  • Quick Heal
    • Core Browsing Protection
    • Core Mail Protection
    • Core Scanning Server
    • Core Scanning ServerEx
    • Online Protection System
    • Quick Update Service
    • RepairService
    • ScSecSvc
  • Sophos
    • hmpalertsvc
    • RpcEptMapper
    • SAVAdminService
    • SAVService
    • SntpService
    • Sophos AutoUpdate Service
    • Sophos Clean Service
    • Sophos Device Control Service
    • Sophos Endpoint Defense Service
    • Sophos File Scanner Service
    • Sophos Health Service
    • Sophos MCS Agent
    • Sophos MCS Client
    • Sophos Safestore Service
    • Sophos System Protection Service
    • Sophos UI
    • Sophos Web Control Service
    • SophosFIM
    • swc_service
    • swi_filter
    • swi_service
    • swi_update
  • SQL
    • MsDtsServer100
    • MsDtsServer130
    • msftesql$SQLEXPRESS
    • MSSQL
    • MSSQL$OPTIMA
    • MSSQL$PROGID
    • MSSQL$VEEAMSQL2012
    • MSSQL$WOLTERSKLUWER
    • MSSQLFDLauncher
    • MSSQLFDLauncher$OPT
    • MSSQLSERVER
    • MSSQLServerADHelper
    • MSSQLServerOLAPServ
    • postgresql-x64-10
    • postgresql-x64-11
    • postgresql-x64-12
    • postgresql-x64-13
    • postgresql-x64-14
    • postgresql-x64-15
    • postgresql-x64-16
    • postgresql-x64-9.4
    • ReportServer
    • ReportServer$OPTIMA
    • SQLAgent
    • SQLAgent$OPTIMA
    • SQLAgent$PROGID
    • SQLAgent$VEEAMSQL20
    • SQLAgent$WOLTERSKLU
    • SQLBrowser
    • SQLSERVERAGENT
    • SQLTELEMETRY
    • SQLTELEMETRY$HL
    • SQLWriter
    • SSISTELEMETRY130
  • Trend Micro
    • ntrtscan
    • ofcservice
    • PccNTUpd
    • TMBMServer
    • TmCCSF
    • TmFilter
    • TMiCRCScanService
    • tmlisten
    • TMLWCSService
    • TmPfw
    • TmPreFilter
    • TmProxy
    • TMSmartRelayService
    • tmusa
    • VSApiNt
  • Webroot
    • WRSVC
• It lists the number of running processes with the following security-related software process names:
  • AvastUI.exe → Avast
  • avp.exe → Kaspersky Endpoint Security
  • egui.exe → ESET
  • MsMpEng.exe → Windows Defender
  • ntrtscan.exe → Trend Micro Security
  • WRSA.exe → Webroot
• It forcefully terminates all processes with a Process ID greater than or equal to 1000 and whose window titles does not start with "untitle".

マルウェアは、脆弱性を利用した感染活動を行いません。

<補足>
その他

マルウェアは、以下を実行します。

• 以下のサービスを終了し、削除します。
  • 1C:Enterprise 8.3 Server Agent (x86-64)
  • 1C:Enterprise 8.3 Server Agent
  • AcronisActiveProtectionService
  • AcronisAgent
  • AcrSch2Svc
  • AcrSch2Svc
  • AdobeARMservice
  • afcdpsrv
  • AMS
  • AmsWebServer
  • AnyDesk
  • Apache2.4
  • ARSM
  • Backupper Service
  • BITS
  • cbVSCService11
  • CipMsgProxyService
  • CobianBackup11
  • DrWebAVService
  • DrWebCldSvc
  • DrWebEngine
  • DrWebES
  • DrWebNetFilter
  • DrWebWscService
  • EaseUS Agent
  • ekrn
  • FileZilla Server
  • HASP Loader
  • hasplms
  • IISADMIN
  • klvssbridge64_19.0.0
  • klvssbridge64_21.14
  • klvssbridge64_21.15
  • klvssbridge64_21.16
  • klvssbridge64_21.17
  • kpm_launch_service
  • MMS
  • mmsminisrv
  • mobile_backup_server
  • mobile_backup_status_server
  • MSSQL$ACRONIS
  • MSSQL$ASACC
  • MSSQLServerADHelper
  • RDPDefender
  • RdpGuardProxy
  • RdpGuardService
  • RServer3
  • SBIS3Plugin
  • SDRSVC
  • SQLAgent$ASACC
  • StorageNode
  • svsvc
  • swprv
  • syncagentsrv
  • Synology Drive VSS Service x64
  • TeamViewer
  • VGAuthService
  • VM3DService
  • VMAuthdService
  • vmcompute
  • vmicvmsession
  • vmms
  • VMnetDHCP
  • VMTools
  • VMUSBArbService
  • vmvss
  • VMware NAT Service
  • vmware-converter-agent
  • vmware-converter-server
  • vmware-converter-worker
  • VMwareCAFCommAmqpListener
  • VMwareCAFManagementAgentHost
  • VMwareHostd
  • VSS
  • VssEaseusProvider
  • wbengine
  • Zabbix Agent
• 以下のサービスを削除します。
  • AVG
    • AVG Antivirus
    • avgAdminClient
    • AvgAdminServer
  • ESET
    • ekrn
    • ekrnEpsw
  • Firebird
    • FirebirdGuardianDefaultInstance
    • FirebirdServerDefaultInstance
  • Hyper-V
    • hvdsvc
    • nvspwmi
    • storflt
    • vmicguestinterface
    • vmicheartbeat
    • vmickvpexchange
    • vmicrdv
    • vmicshutdown
    • vmictimesync
    • vmicvss
    • wmms
  • Kaspersky
    • hvdsvc
    • nvspwmi
    • storflt
    • vmicguestinterface
    • vmicheartbeat
    • vmickvpexchangeaAVP18.0.0
    • klbackupdisk
    • klbackupflt
    • klflt
    • klhk
    • KLIF
    • klim6
    • klkbdflt
    • klmouflt
    • klpd
    • kltap
    • KSDE1.0.0
    • vmicrdv
    • vmicshutdown
    • vmictimesync
    • vmicvss
    • wmms
  • McAfee
    • macmnsvc
    • masvc
    • McAfeeFramework
    • mfemms
    • Mfevtp
  • Panda
    • EPIntegrationService
    • EPProtectedService
    • EPRedline
    • EPSecurityService
    • EPUpdateService
    • NanoServiceMain
    • PandaAetherAgent
    • PSUAService
  • Quick Heal
    • Core Browsing Protection
    • Core Mail Protection
    • Core Scanning Server
    • Core Scanning ServerEx
    • Online Protection System
    • Quick Update Service
    • RepairService
    • ScSecSvc
  • Sophos
    • hmpalertsvc
    • RpcEptMapper
    • SAVAdminService
    • SAVService
    • SntpService
    • Sophos AutoUpdate Service
    • Sophos Clean Service
    • Sophos Device Control Service
    • Sophos Endpoint Defense Service
    • Sophos File Scanner Service
    • Sophos Health Service
    • Sophos MCS Agent
    • Sophos MCS Client
    • Sophos Safestore Service
    • Sophos System Protection Service
    • Sophos UI
    • Sophos Web Control Service
    • SophosFIM
    • swc_service
    • swi_filter
    • swi_service
    • swi_update
  • SQL
    • MsDtsServer100
    • MsDtsServer130
    • msftesql$SQLEXPRESS
    • MSSQL
    • MSSQL$OPTIMA
    • MSSQL$PROGID
    • MSSQL$VEEAMSQL2012
    • MSSQL$WOLTERSKLUWER
    • MSSQLFDLauncher
    • MSSQLFDLauncher$OPT
    • MSSQLSERVER
    • MSSQLServerADHelper
    • MSSQLServerOLAPServ
    • postgresql-x64-10
    • postgresql-x64-11
    • postgresql-x64-12
    • postgresql-x64-13
    • postgresql-x64-14
    • postgresql-x64-15
    • postgresql-x64-16
    • postgresql-x64-9.4
    • ReportServer
    • ReportServer$OPTIMA
    • SQLAgent
    • SQLAgent$OPTIMA
    • SQLAgent$PROGID
    • SQLAgent$VEEAMSQL20
    • SQLAgent$WOLTERSKLU
    • SQLBrowser
    • SQLSERVERAGENT
    • SQLTELEMETRY
    • SQLTELEMETRY$HL
    • SQLWriter
    • SSISTELEMETRY130
  • Trend Micro
    • ntrtscan
    • ofcservice
    • PccNTUpd
    • TMBMServer
    • TmCCSF
    • TmFilter
    • TMiCRCScanService
    • tmlisten
    • TMLWCSService
    • TmPfw
    • TmPreFilter
    • TmProxy
    • TMSmartRelayService
    • tmusa
    • VSApiNt
  • Webroot
    • WRSVC
• 以下のセキュリティソフトウェアに関連するプロセス名を持つ実行中のプロセス数を一覧表示します。
  • AvastUI.exe → Avast
  • avp.exe → Kaspersky社のエンドポイントセキュリティ
  • egui.exe → ESET
  • MsMpEng.exe → Windows Defender
  • ntrtscan.exe → Trend Microのセキュリティ機能
  • WRSA.exe → Webroot
• プロセスID が1000以上で、ウインドウタイトルが「untitle」で始まらないすべてのプロセスを強制的に終了します。