Trojan.Win32.FORTNET.A
HEUR:Trojan.MSIL.Startun.gen (Kaspersky); Trojan.Win32.Generic!BT (Sunbelt)
Windows
Malware type:
Trojan
Destructive:
No
Encrypted:
In the wild:
Yes
Overview
The malware arrives on a computer either dropped by other malware or unknowingly downloaded by users from malicious websites.
Details
Arrival Details
The malware arrives on a computer either dropped by other malware or unknowingly downloaded by users from malicious websites.
Installation
The malware adds the following processes:
- "{malware file name}.exe" /1
- %Windows%\Microsoft.NET\Framework64\v2.0.50727\installutil.exe /name=LTService /account=localsystem %Windows%\LTSVC\LTSVC.exe
- "%Windows%\LTSVC\LTSVC.exe" -sLTService
- %Windows%\LTSVC\LTTray.exe
(Note: %Windows% is the Windows folder, which is usually "C:\Windows" on all operating systems.)
The malware creates the following folders:
- %Windows%\LTSvc\Plugins
- %Windows%\LTSvc
- %All Users Profile%\Labtech
- %All Users Profile%\Labtech\Tickets
- %Windows%\Temp\LTCache
- %All Users Profile%\Labtech\Responses
- %All Users Profile%\Labtech\Inbox
(Note: %Windows% is the Windows folder, which is usually "C:\Windows" on all operating systems. %All Users Profile% is the common profile folder for all users; it is usually "C:\Documents and Settings\All Users" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), and "C:\ProgramData" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit).)
Autostart Technique
The malware registers itself as a system service and adds the following registry values so that it runs automatically at every Windows startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LTService
ImagePath = "%Windows%\LTSVC\LTSVC.exe -sLTService"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LTService
ImagePath = "%Windows%\LTSVC\LTSVC.exe"
Other System Modifications
The malware modifies the following files:
- %Windows%\Temp\Cab7AAB.tmp
- %Windows%\Temp\Cab9F5C.tmp
- %Windows%\Temp\TarA7D7.tmp
- %Windows%\Temp\CabA7D6.tmp
- %Windows%\Temp\CabBDF7.tmp
- %Windows%\Temp\TarBDF8.tmp
- %Windows%\Temp\Tar9F5D.tmp
- %Windows%\Temp\Tar7AAC.tmp
(Note: %Windows% is the Windows folder, which is usually "C:\Windows" on all operating systems.)
The malware adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\eventlog\Application\
LTService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\eventlog\Application\
LTService\EventMessageFile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LTService\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\AutoStartup
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\VirusScanners
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\CleanUp
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Trackers
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\SNMPTraps
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\SyslogTraps
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\PushAccounts
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Subnets
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC\default
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\DeviceLibrary
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\DetectionTemplates
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\CollectionTemplates
HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\SOFTWARE\
Software\Sysinternals\PsExec
HKEY_CURRENT_USER\Software\Sysinternals\
PsExec
HKEY_CURRENT_USER\Software\Sysinternals\
PsKill
HKEY_CURRENT_USER\Software\Sysinternals\
C
HKEY_CURRENT_USER\Software\Wow6432Node\
Sysinternals\C
HKEY_CURRENT_USER\Software\Wow6432Node\
Sysinternals\PsExec
HKEY_LOCAL_MACHINE\Software\Wow6432Node\
Sysinternals\PsExec
HKEY_LOCAL_MACHINE\Software\Sysinternals\
PsExec
HKEY_LOCAL_MACHINE\Software\Sysinternals\
PsKill
HKEY_LOCAL_MACHINE\Software\UltraVNC\
WinVNC3
HKEY_LOCAL_MACHINE\Software\ORL\
WinVNC3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LTSvcMon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
LTService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
LabVNC
HKEY_CURRENT_USER\SOFTWARE\LabTech\
Service\Tray
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
The malware adds the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
LocationID = "8"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
ServerPassword = "fnpassword"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
Server Address = "lts.fortressnetworks.com"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
UpdateTime = "1/23/2007 9:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
BackupTime = "1/12/2007 9:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ServerAddress = "lts.fortressnetworks.com"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
TrayText = "Fortress Networks"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ShowTicket = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
HelpURL = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ShowHelp = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ShowTray = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
AddRemDesc = "Fortress Networks Monitoring Service"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ShowTicketStatus = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
VerifyLookupEmail = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
DisablePoweredBy = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\eventlog\Application
AutoBackupLogFiles = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\eventlog\Application\
LTService
EventMessageFile = "%Windows%\Microsoft.NET\Framework64\v2.0.50727\EventLogMessages.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LTService
DisplayName = "LabTech Monitoring Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LTService
Description = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC
AllowLoopback = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC
LoopbackOnly = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC
AuthRequired = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC
DisableTrayIcon = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC\default
AutoPortSelect = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC\default
RemoveWallpaper = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC\default
PortNumber = "4999"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
LabVNC\default
HTTPConnect = "0"
HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\
Software\Sysinternals\PsExec
EulaAccepted = "1"
HKEY_USERS\.DEFAULT\SOFTWARE\
Sysinternals\PsExec
EulaAccepted = "1"
HKEY_USERS\.DEFAULT\SOFTWARE\
Sysinternals\PsKill
EulaAccepted = "1"
HKEY_USERS\.DEFAULT\SOFTWARE\
Sysinternals\C
EulaAccepted = "1"
HKEY_USERS\.DEFAULT\SOFTWARE\
Wow6432Node\Sysinternals\C
EulaAccepted = "1"
HKEY_USERS\.DEFAULT\SOFTWARE\
Wow6432Node\Sysinternals\PsExec
EulaAccepted = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Sysinternals\PsExec
EulaAccepted = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Sysinternals\
PsExec
EulaAccepted = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Sysinternals\
PsKill
EulaAccepted = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\UltraVNC\
WinVNC3
AllowLoopback = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\UltraVNC
AllowLoopback = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\ORL\
WinVNC3
AllowLoopback = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LTSvcMon
Start = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
Version = "40.193"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
ServerPassword = "RHtqDpZZp8/Zh2ZY2vbWFw=="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
MasterPC = "False"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
CommunityStrings = "public,"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
SnmpCollectionTemplate = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
SNMPCommunity = "public"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
SyslogFilter = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
TFTPFilter = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
Usernames = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
StartupNew = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
Probe = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
TFTPUpload = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
LabtechPush = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
VirtualHost = "False"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
VirtualMachine = "False"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
ClientID = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
1 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
2 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
3 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
4 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
5 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
6 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
7 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
8 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
9 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
10 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
11 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
12 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
13 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
14 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
15 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\LastScan
16 = "8/30/2019 11:53:55 PM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
AllowVNCDisable = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
BackupPass = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
BackupServer = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
BackupUser = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CacheDir = "%windir%\Temp\LTCache"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CachePatch = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CacheSoftware = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CacheUpdate = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CustomURL = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
Debuging = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
PatchTime = "1/4/2007 4:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RebootMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ReportFreq = "300"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ShowCustom = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
SoftwareTime = "1/4/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
SupportURL = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
TempDir = "%windir%\Temp"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
VNCMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
NewMessageText = "New Message Received"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
NewRSSFeedText = "RSS Feed Updated"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
EnableRSS = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RSSFeedAddress1 = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RSSFeedAddress2 = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RSSFeedAddress3 = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RSSFeedAddress4 = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
BalloonTipTitleText = "LabTech"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
VNCConnectMessage = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
TicketFromName = "From:"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
TicketSubjectName = "Subject:"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
TechConnectedTitle = "A Technician is Connected"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
SystemMessageTitle = "LabTech System Message"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ServiceTicketTitle = "Create Service Ticket"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
InterruptUserWithChat = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
NewTechChatMessage = "A Technician wants to chat with you."
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ChatTitle = "Chat"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
NoExit = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RegEditMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
FileExMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ScreenShotMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
WindowsUpdateMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RestartLogoffMessage = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ShutdownMessage = "The system is requesting to shutdown the computer would you like to proceed?"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
FileExpMessage = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RegExpMessage = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ScreenShotMessage = "A Technician is requesting a screen capture would you like to Allow this?"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
EventLogMode = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ProxyServerURL = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ProxyUsername = "8Uf/gRm9AxM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ProxyPassword = "8Uf/gRm9AxM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CacheUsername = "8Uf/gRm9AxM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CachePassword = "8Uf/gRm9AxM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
SSLPolicy = "16"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
0 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
1 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
2 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
3 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
4 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
5 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
6 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
7 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
8 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
9 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
10 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
11 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
12 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
13 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
14 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings\Schedule
15 = "1/1/2007 5:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
ID = "823"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
ClientID = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
Password = "YLaYs1IR9VnyHOfUCtdwg6HbUfQ9MeNk"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service
Server Address = "https://lts.{BLOCKED}ssnetworks.com"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
AllowVNCDisable = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
BackupTime = "1/12/2007 1:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CacheUpdate = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
Debuging = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
PatchTime = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
RebootMode = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ServerAddress = "https://lts.{BLOCKED}ssnetworks.com"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
SoftwareTime = ""
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
UpdateTime = "1/6/2007 1:00:00 AM"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
InterruptUserWithChat = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ProxyUsername = "CXbeA/htBmM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
ProxyPassword = "CXbeA/htBmM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CacheUsername = "CXbeA/htBmM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
CachePassword = "CXbeA/htBmM="
HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\
Service\Settings
SSLPolicy = "0"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
AllowLoopback = "1"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
AuthRequired = "0"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
AutoPortSelect = "0"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
LoopbackOnly = "1"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
RemoveWallpaper = "0"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
HTTPConnect = "0"
HKEY_CURRENT_USER\Software\LabTech\
LabVNC
PortNumber = "4998"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LTService
DisplayName = ""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LTService
Start = "SERVICE_AUTO_START"
Dropping Routine
The malware drops the following files:
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %Windows%\LTSvc\nsoftware.ipworks.dll
- %Windows%\LTSvc\PS.exe
- %Windows%\LTSvc\nsoftware.IPWorksSSNMP.dll
- %Windows%\LTSvc\vnchooks.dll
- %All Users Profile%\Start Menu\Programs\Startup\Network Monitoring Tray.lnk
- %Windows%\LTSvc\LTTray.exe
- %User Temp%\InstallUtil.InstallLog
- %Windows%\Temp\CabBDF7.tmp
- %Windows%\LTSvc\ICSharpCode.SharpZipLib.dll
- %Windows%\LTSvc\LTErrors.txt
- %Windows%\LTSvc\nsoftware.System.dll
- %Windows%\Temp\Cab7AAB.tmp
- %Windows%\Temp\Cab9F5C.tmp
- %Windows%\LTSvc\labvnc.exe
- %Windows%\Temp\CabA7D6.tmp
- %Windows%\LTSvc\LTSVC.InstallState
- %Windows%\LTSvc\nsoftware.IPWorksSSH.dll
- %Windows%\LTSvc\LabTech.ico
- %Windows%\LTSvc\Interfaces.dll
- %User Temp%\LTErrors.txt
- %User Temp%\LTTray.dat
- %Windows%\LTSvc\Interop.WUApiLib.dll
- %Windows%\LTSvc\SCHook.dll
- %Windows%\LTSvc\LTSVC.InstallLog
- %Windows%\LTSvc\cad.exe
- %Windows%\LTSvc\LTSVC.exe
- %Windows%\Temp\TarA7D7.tmp
- %Windows%\LTSvc\LTSvcMon.exe
- %Windows%\Temp\TarBDF8.tmp
- %Windows%\Temp\Tar9F5D.tmp
- %Windows%\Temp\Tar7AAC.tmp
(Note: %AppDataLocal% is the Local Application Data folder; it is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), and "C:\Users\<user name>\AppData\Local" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %Windows% is the Windows folder, which is usually "C:\Windows" on all operating systems. %All Users Profile% is the common profile folder for all users; it is usually "C:\Documents and Settings\All Users" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), and "C:\ProgramData" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %User Temp% is the temporary folder of the currently logged-on user; it is usually "C:\Documents and Settings\<user name>\Local Settings\Temp" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), and "C:\Users\<user name>\AppData\Local\Temp" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit).)
Other Details
The malware accesses the following malicious websites:
- http://csc3-2010-crl.{BLOCKED}gn.com/CSC3-2010.crl
- http://crl.{BLOCKED}e.com/ThawtePremiumServerCA.crl
- http://lts.{BLOCKED}ssnetworks.com/LabTech/agent.aspx?0c17
- http://crl.{BLOCKED}e.com/ThawteCodeSigningCA.crl
- http://lts.{BLOCKED}ssnetworks.com/LabTech/agent.aspx?823c16
This threat report was generated by an automated analysis system.
Solution
Step 1
Windows XP, Windows Vista, and Windows 7 users must disable System Restore before running a scan so that the malware or adware can be completely removed from the computer.
Step 2
Check the file names detected as "Trojan.Win32.FORTNET.A" and terminate those files.
- Windows Task Manager may not display all running processes. In that case, use a tool such as Process Explorer to terminate the malware file. For Process Explorer, refer to this link.
- The detected file may be displayed in Windows Task Manager or Process Explorer but cannot be deleted. In that case, restart the computer in Safe Mode. For Safe Mode, refer to this link.
- If the detected file is not displayed in Task Manager, proceed to the next step.
Step 3
Delete the following registry keys.
Warning: The registry is a database that stores Windows configuration information, and an incorrect registry edit can cause the system to stop working properly.
Please edit the registry at your own risk. We cannot provide compensation for any problems caused by editing the registry.
Before editing the registry, refer to this link.
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech
- Service
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Settings
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
- LTService
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\LTService
- EventMessageFile
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LTService
- Parameters
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- LastScan
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- AutoStartup
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- VirusScanners
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- CleanUp
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Trackers
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Monitors
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- SNMPTraps
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- SyslogTraps
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- PushAccounts
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Subnets
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech
- LabVNC
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC
- default
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- Schedule
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- DeviceLibrary
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- DetectionTemplates
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- CollectionTemplates
- In HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\SOFTWARE\Software\Sysinternals
- PsExec
- In HKEY_CURRENT_USER\Software\Sysinternals
- PsExec
- In HKEY_CURRENT_USER\Software\Sysinternals
- PsKill
- In HKEY_CURRENT_USER\Software\Sysinternals
- C
- In HKEY_CURRENT_USER\Software\Wow6432Node\Sysinternals
- C
- In HKEY_CURRENT_USER\Software\Wow6432Node\Sysinternals
- PsExec
- In HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sysinternals
- PsExec
- In HKEY_LOCAL_MACHINE\Software\Sysinternals
- PsExec
- In HKEY_LOCAL_MACHINE\Software\Sysinternals
- PsKill
- In HKEY_LOCAL_MACHINE\Software\UltraVNC
- WinVNC3
- In HKEY_LOCAL_MACHINE\Software\ORL
- WinVNC3
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- LTSvcMon
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
- LTService
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
- LabVNC
- In HKEY_CURRENT_USER\SOFTWARE\LabTech\Service
- Tray
- In HKEY_CURRENT_USER\Software\LabTech
- LabVNC
Step 4
Delete the following registry values.
Warning: The registry is a database that stores Windows configuration information, and an incorrect registry edit can cause the system to stop working properly.
Please edit the registry at your own risk. We cannot provide compensation for any problems caused by editing the registry.
Before editing the registry, refer to this link.
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- LocationID = "8"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- ServerPassword = "fnpassword"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Server Address = "lts.fortressnetworks.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- UpdateTime = "1/23/2007 9:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- BackupTime = "1/12/2007 9:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ServerAddress = "lts.fortressnetworks.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- TrayText = "Fortress Networks"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ShowTicket = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- HelpURL = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ShowHelp = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ShowTray = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- AddRemDesc = "Fortress Networks Monitoring Service"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ShowTicketStatus = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- VerifyLookupEmail = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- DisablePoweredBy = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
- AutoBackupLogFiles = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\LTService
- EventMessageFile = "%Windows%\Microsoft.NET\Framework64\v2.0.50727\EventLogMessages.dll"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LTService
- DisplayName = "LabTech Monitoring Service"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LTService
- Description = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC
- AllowLoopback = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC
- LoopbackOnly = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC
- AuthRequired = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC
- DisableTrayIcon = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC\default
- AutoPortSelect = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC\default
- RemoveWallpaper = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC\default
- PortNumber = "4999"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\LabVNC\default
- HTTPConnect = "0"
- In HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\Software\Sysinternals\PsExec
- EulaAccepted = "1"
- In HKEY_USERS\.DEFAULT\SOFTWARE\Sysinternals\PsExec
- EulaAccepted = "1"
- In HKEY_USERS\.DEFAULT\SOFTWARE\Sysinternals\PsKill
- EulaAccepted = "1"
- In HKEY_USERS\.DEFAULT\SOFTWARE\Sysinternals\C
- EulaAccepted = "1"
- In HKEY_USERS\.DEFAULT\SOFTWARE\Wow6432Node\Sysinternals\C
- EulaAccepted = "1"
- In HKEY_USERS\.DEFAULT\SOFTWARE\Wow6432Node\Sysinternals\PsExec
- EulaAccepted = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sysinternals\PsExec
- EulaAccepted = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Sysinternals\PsExec
- EulaAccepted = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Sysinternals\PsKill
- EulaAccepted = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\UltraVNC\WinVNC3
- AllowLoopback = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\UltraVNC
- AllowLoopback = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3
- AllowLoopback = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LTSvcMon
- Start = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Version = "40.193"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- ServerPassword = "RHtqDpZZp8/Zh2ZY2vbWFw=="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- MasterPC = "False"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- CommunityStrings = "public,"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- SnmpCollectionTemplate = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- SNMPCommunity = "public"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- SyslogFilter = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- TFTPFilter = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Usernames = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- StartupNew = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Probe = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- TFTPUpload = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- LabtechPush = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- VirtualHost = "False"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- VirtualMachine = "False"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- ClientID = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 1 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 2 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 3 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 4 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 5 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 6 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 7 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 8 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 9 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 10 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 11 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 12 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 13 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 14 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 15 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\LastScan
- 16 = "8/30/2019 11:53:55 PM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- AllowVNCDisable = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- BackupPass = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- BackupServer = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- BackupUser = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CacheDir = "%windir%\Temp\LTCache"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CachePatch = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CacheSoftware = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CacheUpdate = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CustomURL = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- Debuging = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- PatchTime = "1/4/2007 4:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RebootMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ReportFreq = "300"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ShowCustom = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- SoftwareTime = "1/4/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- SupportURL = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- TempDir = "%windir%\Temp"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- VNCMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- NewMessageText = "New Message Received"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- NewRSSFeedText = "RSS Feed Updated"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- EnableRSS = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RSSFeedAddress1 = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RSSFeedAddress2 = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RSSFeedAddress3 = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RSSFeedAddress4 = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- BalloonTipTitleText = "LabTech"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- VNCConnectMessage = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- TicketFromName = "From:"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- TicketSubjectName = "Subject:"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- TechConnectedTitle = "A Technician is Connected"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- SystemMessageTitle = "LabTech System Message"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ServiceTicketTitle = "Create Service Ticket"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- InterruptUserWithChat = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- NewTechChatMessage = "A Technician wants to chat with you."
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ChatTitle = "Chat"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- NoExit = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RegEditMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- FileExMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ScreenShotMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- WindowsUpdateMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RestartLogoffMessage = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ShutdownMessage = "The system is requesting to shutdown the computer would you like to proceed?"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- FileExpMessage = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RegExpMessage = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ScreenShotMessage = "A Technician is requesting a screen capture would you like to Allow this?"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- EventLogMode = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ProxyServerURL = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ProxyUsername = "8Uf/gRm9AxM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ProxyPassword = "8Uf/gRm9AxM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CacheUsername = "8Uf/gRm9AxM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CachePassword = "8Uf/gRm9AxM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- SSLPolicy = "16"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 0 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 1 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 2 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 3 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 4 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 5 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 6 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 7 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 8 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 9 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 10 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 11 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 12 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 13 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 14 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings\Schedule
- 15 = "1/1/2007 5:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- ID = "823"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- ClientID = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Password = "YLaYs1IR9VnyHOfUCtdwg6HbUfQ9MeNk"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service
- Server Address = "https://lts.{BLOCKED}ssnetworks.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- AllowVNCDisable = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- BackupTime = "1/12/2007 1:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CacheUpdate = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- Debuging = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- PatchTime = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- RebootMode = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ServerAddress = "https://lts.{BLOCKED}ssnetworks.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- SoftwareTime = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- UpdateTime = "1/6/2007 1:00:00 AM"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- InterruptUserWithChat = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ProxyUsername = "CXbeA/htBmM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- ProxyPassword = "CXbeA/htBmM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CacheUsername = "CXbeA/htBmM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- CachePassword = "CXbeA/htBmM="
- In HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Service\Settings
- SSLPolicy = "0"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- AllowLoopback = "1"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- AuthRequired = "0"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- AutoPortSelect = "0"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- LoopbackOnly = "1"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- RemoveWallpaper = "0"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- HTTPConnect = "0"
- In HKEY_CURRENT_USER\Software\LabTech\LabVNC
- PortNumber = "4998"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LTService
- DisplayName = ""
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LTService
- Start = "SERVICE_AUTO_START"
Step 5
Search for and delete the following files.
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %Windows%\LTSvc\nsoftware.ipworks.dll
- %Windows%\LTSvc\PS.exe
- %Windows%\LTSvc\nsoftware.IPWorksSSNMP.dll
- %Windows%\LTSvc\vnchooks.dll
- %All Users Profile%\Start Menu\Programs\Startup\Network Monitoring Tray.lnk
- %Windows%\LTSvc\LTTray.exe
- %User Temp%\InstallUtil.InstallLog
- %Windows%\Temp\CabBDF7.tmp
- %Windows%\LTSvc\ICSharpCode.SharpZipLib.dll
- %Windows%\LTSvc\LTErrors.txt
- %Windows%\LTSvc\nsoftware.System.dll
- %Windows%\Temp\Cab7AAB.tmp
- %Windows%\Temp\Cab9F5C.tmp
- %Windows%\LTSvc\labvnc.exe
- %Windows%\Temp\CabA7D6.tmp
- %Windows%\LTSvc\LTSVC.InstallState
- %Windows%\LTSvc\nsoftware.IPWorksSSH.dll
- %Windows%\LTSvc\LabTech.ico
- %Windows%\LTSvc\Interfaces.dll
- %User Temp%\LTErrors.txt
- %User Temp%\LTTray.dat
- %Windows%\LTSvc\Interop.WUApiLib.dll
- %Windows%\LTSvc\SCHook.dll
- %Windows%\LTSvc\LTSVC.InstallLog
- %Windows%\LTSvc\cad.exe
- %Windows%\LTSvc\LTSVC.exe
- %Windows%\Temp\TarA7D7.tmp
- %Windows%\LTSvc\LTSvcMon.exe
- %Windows%\Temp\TarBDF8.tmp
- %Windows%\Temp\Tar9F5D.tmp
- %Windows%\Temp\Tar7AAC.tmp
Step 6
Search for and delete the following folders.
- %Windows%\LTSvc\Plugins
- %Windows%\LTSvc
- %All Users Profile%\Labtech
- %All Users Profile%\Labtech\Tickets
- %Windows%\Temp\LTCache
- %All Users Profile%\Labtech\Responses
- %All Users Profile%\Labtech\Inbox
Step 7
Run a virus scan using an antivirus product with the latest version (engine and pattern file) installed, and delete all files detected as Trojan.Win32.FORTNET.A. If the detected files have already been cleaned, quarantined, or deleted by our antivirus product, the malware removal is complete and no further removal steps are required.
Step 8
Restore the following files from backup. Only files related to Microsoft products are restored this way; if this malware also deleted programs other than Microsoft's, those programs must be reinstalled.
- %Windows%\Temp\Cab7AAB.tmp
- %Windows%\Temp\Cab9F5C.tmp
- %Windows%\Temp\TarA7D7.tmp
- %Windows%\Temp\CabA7D6.tmp
- %Windows%\Temp\CabBDF7.tmp
- %Windows%\Temp\TarBDF8.tmp
- %Windows%\Temp\Tar9F5D.tmp
- %Windows%\Temp\Tar7AAC.tmp