ADW_ADLOAD
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
- Malware type: Spyware
- Destructive: No
- Encrypted:
- In the wild: Yes
Overview
This spyware is installed on the computer manually by the user.
Details
Arrival Details
This spyware is installed on the computer manually by the user.
Installation
This spyware creates the following files:
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\bl
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\BrowserDefender.dll
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\BrowserDefender.exe
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\BrowserDefender.settings
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\dm
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\FirefoxExtension\bprotector.js
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\traking_settings\{number}
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\uninstall.exe
- %All Users Profile%\Desktop\Open It!.lnk
- %All Users Profile%\Start Menu\Programs\Open It!
- %All Users Profile%\Start Menu\Programs\Open It!\Open It!.lnk
- %All Users Profile%\Start Menu\Programs\Open It!\uninstall.lnk
- %Application Data%\BabSolution\CR\Delta.crx
- %Application Data%\BabSolution\Shared\BabMaint.exe
- %Application Data%\BabSolution\Shared\BUSolution.dll
- %Application Data%\BabSolution\Shared\Delta.ico
- %Application Data%\BabSolution\Shared\GUninstaller.exe
- %Application Data%\BabSolution\Shared\SetupParams.ini
- %Application Data%\BabSolution\Shared\sqlite3.dll
- %Application Data%\Babylon\log_file.txt
- %Application Data%\Delta\sqlite3.dll
- %Application Data%\Open It! - Zip Extractor Packages\uninstaller.exe
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\bProtector_extensions.rdf
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\bProtector_prefs.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\searchplugins\babylon.xml
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\searchplugins\delta.xml
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\user.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@babylon.com\defaults\preferences\dflt.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\chrome.manifest
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\components\FFDisp.dll
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\delta.css
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\delta.xul
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\dpk.htm
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\hlprs.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\arwDwn.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\closeo.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\ae.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\bg.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\ch.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\cn.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\cz.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\de.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\eg.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\en.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\es.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\fr.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\gr.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\he.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\il.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\it.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\ja.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\jp.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\nl.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\no.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\pl.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\pt.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\ro.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\ru.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\sa.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\se.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\sv.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\tr.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\ua.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs\us.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\help_16.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\home.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\icon_seperator.png
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\logo.PNG
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\privecy_16_hot.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\sign.jpg
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\specialoffer.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\tellafriend.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\uninstall.gif
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\loader.xul
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\mtstart.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\serp.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\tmplt.js
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\install.rdf
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\META-INF\manifest.mf
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\META-INF\zigbert.rsa
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\META-INF\zigbert.sf
- %AppDataLocal%\Google\Chrome\User Data\Default\bProtectorPreferences
- %User Temp%\{GUID}\Latest\bab033.tbinst.dat
- %User Temp%\{GUID}\Latest\bab091.norecovericon.dat
- %User Temp%\{GUID}\Latest\bab098.claroico.dat
- %User Temp%\{GUID}\Latest\bab098.claroico.zpb
- %User Temp%\{GUID}\Latest\bab138.deltatb_dmn.dat
- %User Temp%\{GUID}\Latest\bab138.deltatb_dmn.zpb
- %User Temp%\{GUID}\Latest\bab148.spreg.dat
- %User Temp%\{GUID}\Latest\bab149.spreg.dat
- %User Temp%\{GUID}\Latest\bab149.spreg.zpb
- %User Temp%\{GUID}\Latest\bab187.wl.dat
- %User Temp%\{GUID}\Latest\bab307.sp_pop0.dat
- %User Temp%\{GUID}\Latest\bab327.ff_2.dat
- %User Temp%\{GUID}\Latest\bab456.TB_OldWay.dat
- %User Temp%\{GUID}\Latest\bab457.TB_NewWay.dat
- %User Temp%\{GUID}\Latest\BabMaint.exe
- %User Temp%\{GUID}\Latest\Babylon.dat
- %User Temp%\{GUID}\Latest\BExternal.dll
- %User Temp%\{GUID}\Latest\BUSolForMontiera.dll
- %User Temp%\{GUID}\Latest\BUSolForMontiera.inf
- %User Temp%\{GUID}\Latest\BUSolution.dll
- %User Temp%\{GUID}\Latest\BUsolution.zpb
- %User Temp%\{GUID}\Latest\ccp.exe
- %User Temp%\{GUID}\Latest\ccp.inf
- %User Temp%\{GUID}\Latest\ccp.zpb
- %User Temp%\{GUID}\Latest\ChromeToolbarSetup.dll
- %User Temp%\{GUID}\Latest\ChromeToolbarSetup.inf
- %User Temp%\{GUID}\Latest\CrxInstaller.dll
- %User Temp%\{GUID}\Latest\CrxInstaller.inf
- %User Temp%\{GUID}\Latest\Delta.crx
- %User Temp%\{GUID}\Latest\Delta.ico
- %User Temp%\{GUID}\Latest\DeltaChromeTB_1001.zpb
- %User Temp%\{GUID}\Latest\DeltaTB.zpb
- %User Temp%\{GUID}\Latest\GUninstaller.exe
- %User Temp%\{GUID}\Latest\GUninstaller_cat.zpb
- %User Temp%\{GUID}\Latest\HtmlScreens\loading.html
- %User Temp%\{GUID}\Latest\HtmlScreens\navError.html
- %User Temp%\{GUID}\Latest\HtmlScreens\pBar.gif
- %User Temp%\{GUID}\Latest\IEHelper.dll
- %User Temp%\{GUID}\Latest\junk.txt
- %User Temp%\{GUID}\Latest\latest.zpb
- %User Temp%\{GUID}\Latest\MntrDLLInstall.dll
- %User Temp%\{GUID}\Latest\MntrDLLInstall.inf
- %User Temp%\{GUID}\Latest\MyDeltaTB.exe
- %User Temp%\{GUID}\Latest\Setup.exe
- %User Temp%\{GUID}\Latest\SetupParams.ini
- %User Temp%\{GUID}\Latest\SetupStrings.dat
- %User Temp%\{GUID}\Latest\sqlite3.dll
- %User Temp%\is{random number 1}\{random number}.cfg
- %User Temp%\is{random number 1}\{random number}_Setup.CIS
- %User Temp%\is{random number 1}\DeltaTB.exe
- %User Temp%\is{random number 1}\OpenItSetup.exe
- %User Temp%\is{random number 1}\uninstaller.exe
- %User Temp%\ish{random number 2}\blank.gif
- %User Temp%\ish{random number 2}\css\buttons.css
- %User Temp%\ish{random number 2}\css\ie6_main.css
- %User Temp%\ish{random number 2}\css\main.css
- %User Temp%\ish{random number 2}\css\sdk-ui\browse.css
- %User Temp%\ish{random number 2}\css\sdk-ui\button.css
- %User Temp%\ish{random number 2}\css\sdk-ui\checkbox.css
- %User Temp%\ish{random number 2}\css\sdk-ui\images
- %User Temp%\ish{random number 2}\css\sdk-ui\images\button-bg.png
- %User Temp%\ish{random number 2}\css\sdk-ui\images\progress-bg.png
- %User Temp%\ish{random number 2}\css\sdk-ui\progress-bar.css
- %User Temp%\ish{random number 2}\DAT\DSiteU.dat
- %User Temp%\ish{random number 2}\images\back-button.png
- %User Temp%\ish{random number 2}\images\back-over.png
- %User Temp%\ish{random number 2}\images\back.png
- %User Temp%\ish{random number 2}\images\Bg.gif
- %User Temp%\ish{random number 2}\images\close-button.png
- %User Temp%\ish{random number 2}\images\close_button.png
- %User Temp%\ish{random number 2}\images\finish-button.png
- %User Temp%\ish{random number 2}\images\icon.png
- %User Temp%\ish{random number 2}\images\loader.gif
- %User Temp%\ish{random number 2}\images\next-button-disabled.png
- %User Temp%\ish{random number 2}\images\next-button-es.png
- %User Temp%\ish{random number 2}\images\next-button-over.png
- %User Temp%\ish{random number 2}\images\next-button.png
- %User Temp%\ish{random number 2}\images\progress-bg.png
- %User Temp%\ish{random number 2}\images\Progress.png
- %User Temp%\ish{random number 2}\images\ProgressBar.png
- %User Temp%\ish{random number 2}\license\DE.license.txt
- %User Temp%\ish{random number 2}\license\EN.license.txt
- %User Temp%\ish{random number 2}\locale\EN.locale
- %User Temp%\ish{random number 2}\sdk\exceptlist.txt
- %User Temp%\ish{random number 3}\csshover3.htc
- %User Temp%\ns{random}\Time.dll
- %User Temp%\upd2B\BabMaint.x
- %User Temp%\upd2B\BabScheduler2000201.exe
- %User Temp%\upd2B\BUSltnDLL_02000201.zpb
- %User Temp%\upd2B\BUSolution.x
- %User Temp%\upd2B\GUninstaller.x
- %Start Menu%\Programs\BrowserDefender\Uninstall BrowserDefender.lnk
- %Program Files%\Delta\delta\1.8.21.5\bh\delta.dll
- %Program Files%\Delta\delta\1.8.21.5\deltaApp.dll
- %Program Files%\Delta\delta\1.8.21.5\deltaEng.dll
- %Program Files%\Delta\delta\1.8.21.5\deltasrv.exe
- %Program Files%\Delta\delta\1.8.21.5\deltaTlbr.dll
- %Program Files%\Delta\delta\1.8.21.5\GUninstaller.exe
- %Program Files%\Delta\delta\1.8.21.5\uninstall.exe
- %Program Files%\OpenIt\Open It!\7z.dll
- %Program Files%\OpenIt\Open It!\libgcc_s_dw2-1.dll
- %Program Files%\OpenIt\Open It!\libstdc++-6.dll
- %Program Files%\OpenIt\Open It!\mingwm10.dll
- %Program Files%\OpenIt\Open It!\openit.exe
- %Program Files%\OpenIt\Open It!\QtCore4.dll
- %Program Files%\OpenIt\Open It!\QtGui4.dll
- %Program Files%\OpenIt\Open It!\uninstall.exe
This spyware creates the following folders:
- %All Users Profile%\Application Data\Babylon
- %All Users Profile%\Application Data\BrowserDefender
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\FirefoxExtension
- %All Users Profile%\Application Data\BrowserDefender\2.6.1339.144\{GUID}\traking_settings
- %Application Data%\BabSolution
- %Application Data%\BabSolution\CR
- %Application Data%\BabSolution\Shared
- %Application Data%\Babylon
- %Application Data%\Delta
- %Application Data%\Open It! - Zip Extractor Packages
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\searchplugins
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@babylon.com
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@babylon.com\defaults
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@babylon.com\defaults\preferences
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\components
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\content\imgs\flgs
- %Application Data%\Mozilla\Firefox\Profiles\1o2kn33k.default\extensions\ffxtlbr@delta.com\META-INF
- %User Temp%\{GUID}
- %User Temp%\{GUID}\Latest
- %User Temp%\{GUID}\Latest\HtmlScreens
- %User Temp%\is{random number 1}
- %User Temp%\ish{random number 2}
- %User Temp%\ish{random number 2}\css
- %User Temp%\ish{random number 2}\css\sdk-ui
- %User Temp%\ish{random number 2}\DAT
- %User Temp%\ish{random number 2}\images
- %User Temp%\ish{random number 2}\license
- %User Temp%\ish{random number 2}\locale
- %User Temp%\ish{random number 2}\sdk
- %User Temp%\ish{random number 3}
- %User Temp%\mt_ffx
- %User Temp%\mt_ffx\Delta
- %User Temp%\mt_ffx\Delta\delta
- %User Temp%\mt_ffx\Delta\delta\1.8.21.5
- %User Temp%\upd2B
- %Start Menu%\Programs\BrowserDefender
- %Program Files%\Delta
- %Program Files%\Delta\delta
- %Program Files%\Delta\delta\1.8.21.5
- %Program Files%\Delta\delta\1.8.21.5\bh
- %Program Files%\OpenIt
- %Program Files%\OpenIt\Open It!
Other System Modifications
This spyware adds the following registry keys:
- HKEY_CLASSES_ROOT\d
- HKEY_CLASSES_ROOT\delta.deltaappCore
- HKEY_CLASSES_ROOT\delta.deltadskBnd
- HKEY_CLASSES_ROOT\delta.deltaHlpr
- HKEY_CLASSES_ROOT\escort.escortIEPane
- HKEY_CLASSES_ROOT\escort.escortIEPane.1
- HKEY_CLASSES_ROOT\esrv.deltaESrvc
- HKEY_CLASSES_ROOT\Prod.cap
- HKEY_CLASSES_ROOT\AppID\escort.DLL
- HKEY_CLASSES_ROOT\AppID\escortApp.DLL
- HKEY_CLASSES_ROOT\AppID\escortEng.DLL
- HKEY_CLASSES_ROOT\AppID\escorTlbr.DLL
- HKEY_CLASSES_ROOT\AppID\esrv.EXE
- HKEY_CURRENT_USER\Software\BabSolution
- HKEY_CURRENT_USER\Software\DataMngr
- HKEY_CURRENT_USER\Software\Delta
- HKEY_CURRENT_USER\Software\InstallCore
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BROWSERDEFENDERT
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserDefendert
- HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr
- HKEY_LOCAL_MACHINE\SOFTWARE\Delta
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\d
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaappCore
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltadskBnd
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaHlpr
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.deltaESrvc
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
This spyware adds the following registry entries during installation:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  bProtectorDefaultScope = "{GUID}"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
  FaviconURL = "search.{BLOCKED}n.com/favicon.ico"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
  URL = "http://www.{BLOCKED}earch.com/?q={searchTerms}&babsrc=SP_ss&mntrId=B0B2000C296817CC&affID=119357&tt=300613_dlt&tsp=4931"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
  DisplayName = "Delta Search"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
  bProtectNewTabPageShow = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
  bProtectShowTabsWelcome = "0"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  bProtector Start Page = "http://www.{BLOCKED}earch.com/?babsrc=HP_ss&mntrId=B0B2000C296817CC&affID=119357&tt=300613_dlt&tsp=4931"
- HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
  path = "%Application Data%\BabSolution\CR\Delta.crx"
- HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
  version = "1.4"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}
  Policy = "3"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}
  AppName = "deltasrv.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}
  AppPath = "%Program Files%\Delta\delta\1.8.21.5"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  {GUID} = "Delta Toolbar"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
  {Default} = "delta Helper Object"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
  NoExplorer = "1"
This spyware modifies the following registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Start Page = "http://www.delta-search.com/?babsrc=HP_ss&mntrId=B0B2000C296817CC&affID=119357&tt=300613_dlt&tsp=4931"
(Note: Before modification, the value of this registry entry is "{Preffered Home Page}".)
Other Details
This spyware connects to the following malicious websites:
Solution
Step 1
Windows XP, Windows Vista, and Windows 7 users must disable System Restore before running a scan so that the malware or adware can be completely removed from the computer.
Step 2
Close all open browser windows.
Step 3
Remove ADW_ADLOAD using its own uninstall option.
Step 4
Search for and delete these folders:
- %All Users Profile%\Application Data\Babylon
- %All Users Profile%\Application Data\BrowserDefender
- %Application Data%\BabSolution
- %Application Data%\Babylon
- %Application Data%\Delta
- %Application Data%\Open It! - Zip Extractor Packages
- %User Temp%\{GUID}
- %User Temp%\is{random number 1}
- %User Temp%\ish{random number 2}
- %User Temp%\ish{random number 3}
- %User Temp%\mt_ffx
- %User Temp%\upd2B
- %Start Menu%\Programs\BrowserDefender
- %Program Files%\Delta
- %Program Files%\OpenIt
Step 5
Delete these registry keys.
Warning: The registry is a database that stores Windows configuration information; an incorrect edit to the registry can cause the system to stop working properly.
Registry edits are performed at your own risk. We cannot provide compensation for any problem caused by editing the registry.
Please refer to this page before editing the registry.
- HKEY_CLASSES_ROOT\d
- HKEY_CLASSES_ROOT\delta.deltaappCore
- HKEY_CLASSES_ROOT\delta.deltadskBnd
- HKEY_CLASSES_ROOT\delta.deltaHlpr
- HKEY_CLASSES_ROOT\escort.escortIEPane
- HKEY_CLASSES_ROOT\escort.escortIEPane.1
- HKEY_CLASSES_ROOT\esrv.deltaESrvc
- HKEY_CLASSES_ROOT\Prod.cap
- HKEY_CLASSES_ROOT\AppID\escort.DLL
- HKEY_CLASSES_ROOT\AppID\escortApp.DLL
- HKEY_CLASSES_ROOT\AppID\escortEng.DLL
- HKEY_CLASSES_ROOT\AppID\escorTlbr.DLL
- HKEY_CLASSES_ROOT\AppID\esrv.EXE
- HKEY_CURRENT_USER\Software\BabSolution
- HKEY_CURRENT_USER\Software\DataMngr
- HKEY_CURRENT_USER\Software\Delta
- HKEY_CURRENT_USER\Software\InstallCore
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BROWSERDEFENDERT
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserDefendert
- HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr
- HKEY_LOCAL_MACHINE\SOFTWARE\Delta
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\d
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaappCore
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltadskBnd
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaHlpr
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.deltaESrvc
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
Step 6
Restore this modified registry value.
Warning: The registry is a database that stores Windows configuration information; an incorrect edit to the registry can cause the system to stop working properly.
If you had intentionally changed this setting beforehand, restore it to the original setting you intended. If you do not know which value to set, ask your system administrator. Registry edits are performed at your own risk; we cannot provide compensation for any problem caused by editing the registry.
Please refer to this page before editing the registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  From: Start Page = "http://www.{BLOCKED}earch.com/?babsrc=HP_ss&mntrId=B0B2000C296817CC&affID=119357&tt=300613_dlt&tsp=4931"
  To: Start Page = "{Preffered Home Page}"
Step 7
Scan your computer with an antivirus product that uses the latest engine and pattern files, and delete all files detected as ADW_ADLOAD. If the detected files have already been cleaned, quarantined, or deleted by your antivirus product, the threat has been handled and no further removal steps are needed.