Trend Micro Security

BKDR_JADTRE.AI

2012年10月16日
 解析者: Nikko Tamana   
 別名:

W32/Agent.JH!tr (Fortinet), W32/QQhelper.C.gen!Eldorado (FProt), Exploit.Win32.ShellCode (Ikarus), TrojanDownloader:Win32/Jadtre.B (Microsoft), a variant of Win32/Wapomi.AO virus (NOD32), Infostealer.Gampass (Norton)

 プラットフォーム:

Windows 2000, Windows XP, Server 2003

 危険度:
 ダメージ度:
 感染力:
 感染確認数:


  • マルウェアタイプ: バックドア型
  • 破壊活動の有無: なし
  • 暗号化:  
  • 感染報告の有無: はい

  概要


マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

  詳細

ファイルサイズ 83,968 bytes
タイプ EXE
発見日 2012年10月13日

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のファイルを作成します。

  • %System%\{random file name}.sys

(註:%System%はWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 98 および MEの場合、"C:\Windows\System"、Windows NT および 2000 の場合、"C:\WinNT\System32"、Windows XP および Server 2003 の場合、"C:\Windows\System32" です。)

マルウェアは、感染したコンピュータ内に以下のように自身のコピーを作成します。

  • %System%\{random file name}.tmp
  • %System%\appmgmts.dll

(註:%System%はWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 98 および MEの場合、"C:\Windows\System"、Windows NT および 2000 の場合、"C:\WinNT\System32"、Windows XP および Server 2003 の場合、"C:\Windows\System32" です。)

他のシステム変更

マルウェアは、以下のファイルを削除します。

  • %System%\appmgmts.dll

(註:%System%はWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 98 および MEの場合、"C:\Windows\System"、Windows NT および 2000 の場合、"C:\WinNT\System32"、Windows XP および Server 2003 の場合、"C:\Windows\System32" です。)

マルウェアは、インストールの過程で、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgrsx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avguard.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgwdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgwdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avmailc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avshadow.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avwebgrd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bdagent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
CCenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ccSvcHst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dwengine.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
egui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FilMsg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kavstart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kissvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kmailmon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdwsc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfw32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfwsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpopserver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
krnl360svc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
krnl360svc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmgui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kswebshield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvexpert.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVSrvXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvxp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwatch.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwstray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwsupd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxedefend.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxesapp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxescore.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxeserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxetray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
livesrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcagent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcmscsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McNASvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcods.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McSACore.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcshield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcsysmon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcvsshld.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mfefire.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MOBKbackup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MpfSrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC1.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC2.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
msksrver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MsSvHost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCAddWidget.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr_tz_Setup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCRTP.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCUPDATE.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qutmserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rsmgrsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rsnetsvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safeboxTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanFrm.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sched.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
seccenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SfCtlCom.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spideragent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SpIDerMl.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spidernt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spiderui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SuperKiller.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TMBMSRV.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TmProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Twister.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UfSeAgnt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
upsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3PScan.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3SP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vgchsvx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
VPSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vsserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zhudongfangyu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ÐÞ¸´¹¤¾ß.exe
Debugger = "ntsd -d"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Start = "3"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Type = "1"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
ImagePath = "%System%\{random file name}.sys"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360hotfix.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safebox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SAFE_INSTALLER.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sd.exe
Debugge = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360se.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SoftMgrSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360speedld.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
afwServ.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ast.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastUI.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avcenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avfwsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgcsrvx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgemc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnsx.exe
Debugger = "ntsd -d"

その他

マルウェアは、以下の不正なWebサイトにアクセスします。

  • {BLOCKED}0.{BLOCKED}9.92.248
  • {BLOCKED}0.{BLOCKED}9.92.245
  • {BLOCKED}0.{BLOCKED}9.92.244
  • {BLOCKED}0.{BLOCKED}9.92.242
  • {BLOCKED}0.{BLOCKED}9.92.239
  • {BLOCKED}0.{BLOCKED}9.92.248
  • {BLOCKED}0.{BLOCKED}9.92.236
  • {BLOCKED}0.{BLOCKED}9.92.250
  • {BLOCKED}0.{BLOCKED}9.92.251
  • {BLOCKED}0.{BLOCKED}9.92.254
  • {BLOCKED}0.{BLOCKED}9.92.249
  • {BLOCKED}0.{BLOCKED}9.92.240
  • {BLOCKED}0.{BLOCKED}9.92.243
  • {BLOCKED}0.{BLOCKED}9.92.253
  • {BLOCKED}0.39.92.241
  • {BLOCKED}0.{BLOCKED}9.92.246
  • {BLOCKED}0.{BLOCKED}9.92.245
  • {BLOCKED}0.{BLOCKED}9.92.237
  • {BLOCKED}3.{BLOCKED}4.193.128
  • {BLOCKED}3.{BLOCKED}4.193.125
  • {BLOCKED}2.{BLOCKED}6.167.95
  • {BLOCKED}d.{BLOCKED}v.com
  • www.{BLOCKED}u.com
  • www.{BLOCKED}4.info