Ransom.Win32.SODINOKIB.SMTH
Ransom:Win32/Sodinokibi.S!MSR (MICROSOFT); a variant of Win32/Filecoder.Sodinokibi.B trojan (NOD32); Ransom-Sodnkibi!63A945DA1A63 (NAI)
Windows
- Threat type: Ransomware
- Destructive: No
- Encrypted:
- In the wild: Yes
Overview
This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It avoids encrypting files with certain file extensions; the full list is given under Ransomware Routine below.
Details
Arrival Details
This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This ransomware adds the following processes:
- if OS is 32-bit:
- powershell {base-64 encoded} → deletes shadow copies
- if OS is 64-bit:
- cmd "/c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /se" → deletes shadow copies and disables the Windows recovery environment (command line truncated)
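The two shadow-copy deletion commands above are the most reliable host-based signal this report gives, because they run before any file is encrypted. The following Python is an added example (not from the original report and not the malware's code) that triages process-creation command lines, such as Sysmon Event ID 1 or EDR telemetry, for that behaviour. It matches the vssadmin and bcdedit strings quoted above, and it also decodes a PowerShell -EncodedCommand payload and rescans the decoded script; the report only says that the encoded script deletes shadow copies, so the WMI Win32_Shadowcopy pattern used to catch it is an assumption about its content, not a fact taken from this page. The sample events are constructed for the example.

```python
import base64
import re

# Destructive command patterns. The vssadmin and bcdedit strings are the ones
# quoted in the report; the Win32_Shadowcopy pattern is an ASSUMPTION about what
# the base64-encoded PowerShell contains (the report only says it deletes shadow copies).
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
}

# -e, -ec, -en, -enc, ... -EncodedCommand followed by a base64 token.
# PowerShell accepts any unambiguous prefix of the switch name, hence the loose match.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def shadow_copy_tampering(cmdline):
    """Names of the destructive patterns matched by a process command line.

    Both the raw command line and any decoded -EncodedCommand payload are checked,
    so an encoded PowerShell one-liner is judged by what it runs, not how it is wrapped.
    """
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    return [name for name, pat in PATTERNS.items() if any(pat.search(t) for t in texts)]


def triage(events):
    """Return [(command_line, matched_patterns)] for events that tamper with recovery."""
    out = []
    for cmdline in events:
        hits = shadow_copy_tampering(cmdline)
        if hits:
            out.append((cmdline, hits))
    return out


def _encode_ps(script):
    """Build a PowerShell -EncodedCommand argument (UTF-16LE, base64), for the sample only."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation command lines (not from the report).
SAMPLE_EVENTS = [
    'cmd "/c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No"',
    "powershell -nop -w hidden -e "
    + _encode_ps("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"),
    "vssadmin.exe list shadows",                 # benign enumeration, must not fire
    r"notepad.exe C:\Users\alice\notes.txt",     # unrelated
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline[:80])
```

The benign `vssadmin list shadows` line is included on purpose: backup software and administrators enumerate shadow copies routinely, so the rule keys on the delete verb, not on the binary name. Decoding the encoded command matters because a string match on the outer command line would see only base64.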
It creates the following mutex to ensure that only one of its copies runs at any one time:
- Global\{GUID}
Other System Modifications
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
Hba = {Hex Bytes}
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
Xd6U = {Hex Bytes}
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
kwhIT = {Hex Bytes}
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
UVeq36 = {Hex Bytes}
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
lti6i68 = {Appended File Extension}
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
dDXX9zsq = {Hex Bytes}
It modifies the following registry entry to change the desktop wallpaper:
HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{random characters}.bmp
It sets the system's desktop wallpaper to the following image:
Process Termination
It terminates the following services if found on the affected system:
- backup
- memtas
- mepocs
- sophos
- sql
- svc$
- veeam
- vss
It terminates the following processes if found running in the affected system's memory:
- agntsvc
- dbeng50
- dbsnmp
- encsvc
- excel
- firefox
- infopath
- isqlplussvc
- msaccess
- mspub
- mydesktopqos
- mydesktopservice
- ocautoupds
- ocomm
- ocssd
- onenote
- oracle
- outlook
- powerpnt
- sqbcoreservice
- sql
- steam
- synctime
- tbirdconfig
- thebat
- thunderbird
- visio
- winword
- wordpad
- xfssvccon
Information Theft
It gathers the following data:
- Computer name
- Disk Size
- Operating System name
- System Architecture
- Username
- Volume Serial-ID
- Workgroup
Information Collection
It sends the gathered information via HTTP POST to the following URL:
- https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
- where {domain} can be one of the following:
- {BLOCKED}l.com
- {BLOCKED}m
- {BLOCKED}wieweiter.de
- {BLOCKED}
- {BLOCKED}ijon.es
- {BLOCKED}n-alicante.es
- {BLOCKED}cidentetraficosevilla.es
- {BLOCKED}omicilio.es
- {BLOCKED}m
- {BLOCKED}ywijchen.nl
- {BLOCKED}nl
- {BLOCKED}guidores.com
- {BLOCKED}ation.org
- {BLOCKED}tlager.de
- {BLOCKED}heet.fi
- {BLOCKED}one.com
- {BLOCKED}th.com
- {BLOCKED}et.dk
- {BLOCKED}colat-noir.com
- {BLOCKED}erencement-naturel-geneve.net
- {BLOCKED}.au
- {BLOCKED}ease.com
- {BLOCKED}
- {BLOCKED}oning-waalwijk.nl
- {BLOCKED}72.com
- {BLOCKED}et
- {BLOCKED}s.com
- {BLOCKED}edare.se
- {BLOCKED}apershow.com
- {BLOCKED}oveofyou.com
- {BLOCKED}metics.at
- {BLOCKED}dogrescue.dog
- {BLOCKED}st.com
- {BLOCKED}l63.ru
- {BLOCKED}rtz.wordpress.com
- {BLOCKED}rd.com
- {BLOCKED}stcommittee.org
- {BLOCKED}tgodis.se
- {BLOCKED}que247.com
- {BLOCKED}rgeggi.it
- {BLOCKED}estview.com
- {BLOCKED}ublica.es
- {BLOCKED}lmour.co.uk
- {BLOCKED}.wordpress.com
- {BLOCKED}t.ru
- {BLOCKED}.com
- {BLOCKED}om
- {BLOCKED}eetrimming.com
- {BLOCKED}ealthbenefits.com
- {BLOCKED}de
- {BLOCKED}der.de
- {BLOCKED}ung.com
- {BLOCKED}s.com
- {BLOCKED}audit.com
- {BLOCKED}pc.com
- {BLOCKED}m
- {BLOCKED}ralfiberglass.org
- {BLOCKED}rbuero-wagner.net
- {BLOCKED}.com.ar
- {BLOCKED}u.fund
- {BLOCKED}rieurprojecten.nl
- {BLOCKED}tdc.com
- {BLOCKED}efabbro.com
- {BLOCKED}
- {BLOCKED}terdam.com
- {BLOCKED}hen.com
- {BLOCKED}com
- {BLOCKED}com
- {BLOCKED}esportivapolitg.cat
- {BLOCKED}nanalytics.com
- {BLOCKED}alextrespaille.fr
- {BLOCKED}om
- {BLOCKED}
- {BLOCKED}ila.com
- {BLOCKED}.com
- {BLOCKED}bution.co.uk
- {BLOCKED}m
- {BLOCKED}
- {BLOCKED}liere.de
- {BLOCKED}.au
- {BLOCKED}e.com.au
- {BLOCKED}rch.com
- {BLOCKED}agenijmegen.nl
- {BLOCKED}lt
- {BLOCKED}ung-lu.de
- {BLOCKED}4.de
- {BLOCKED}rch.org
- {BLOCKED}pub.com
- {BLOCKED}g
- {BLOCKED}ists.com
- {BLOCKED}atology.lt
- {BLOCKED}ernacle.com
- {BLOCKED}esta.se
- {BLOCKED}rnosand.se
- {BLOCKED}org
- {BLOCKED}ldezonnewijzer.nl
- {BLOCKED}n.se
- {BLOCKED}com
- {BLOCKED}expo.jp
- {BLOCKED}
- {BLOCKED}com
- {BLOCKED}uk
- {BLOCKED}se
- {BLOCKED}thsystem.org
- {BLOCKED}ce.se
- {BLOCKED}m
- {BLOCKED}medicinespecialists.com
- {BLOCKED}boo-bikes.org
- {BLOCKED}ersicherungsvergleich.de
- {BLOCKED}m
- {BLOCKED}.com
- {BLOCKED}n
- {BLOCKED}omdotcom.wordpress.com
- {BLOCKED}.com
- {BLOCKED}hing.fr
- {BLOCKED}akkramen.nl
- {BLOCKED}com
- {BLOCKED}es.eu
- {BLOCKED}onsulting.ch
- {BLOCKED}derlebnis.haus
- {BLOCKED}ca.com
- {BLOCKED}rotechnik.at
- {BLOCKED}e.org
- {BLOCKED}aldelsa.com
- {BLOCKED}d.com
- {BLOCKED}s.de
- {BLOCKED}om
- {BLOCKED}
- {BLOCKED}ionsarchitect.guru
- {BLOCKED}orros.com
- {BLOCKED}ga.net
- {BLOCKED}ts.net
- {BLOCKED}ond50.com
- {BLOCKED}wegleitner.at
- {BLOCKED}m
- {BLOCKED}r.online
- {BLOCKED}s.it
- {BLOCKED}e.com
- {BLOCKED}com
- {BLOCKED}ine.ro
- {BLOCKED}ng.net
- {BLOCKED}wntown.com
- {BLOCKED}eplaces.com
- {BLOCKED}com
- {BLOCKED}d.com.au
- {BLOCKED}ie-nim.nl
- {BLOCKED}ovations.com
- {BLOCKED}e-wuppertal.de
- {BLOCKED}t-muenchen-west.de
- {BLOCKED}nanza.com
- {BLOCKED}-roses.com
- {BLOCKED}.com.au
- {BLOCKED}.com
- {BLOCKED}ry.com
- {BLOCKED}ylawfirm.com
- {BLOCKED}men.de
- {BLOCKED}ny.com
- {BLOCKED}re.net
- {BLOCKED}a.com
- {BLOCKED}slenders.com
- {BLOCKED}rler.com
- {BLOCKED}oclub.co.uk
- {BLOCKED}com
- {BLOCKED}m
- {BLOCKED}ightservices.com.au
- {BLOCKED}yeclinic.com.au
- {BLOCKED}eenreich.de
- {BLOCKED}l
- {BLOCKED}.biz
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}rs.com
- {BLOCKED}rand.com
- {BLOCKED}era.com
- {BLOCKED}net.it
- {BLOCKED}igest.com
- {BLOCKED}u
- {BLOCKED}.de
- {BLOCKED}each.org
- {BLOCKED}r.com
- {BLOCKED}usa.com
- {BLOCKED}unpoker.com
- {BLOCKED}r.org
- {BLOCKED}om
- {BLOCKED}nn.com
- {BLOCKED}usesalonvt.com
- {BLOCKED}s.nl
- {BLOCKED}lduz.es
- {BLOCKED}sicfest.com
- {BLOCKED}nd.com
- {BLOCKED}tr
- {BLOCKED}rg
- {BLOCKED}.com
- {BLOCKED}salud.com
- {BLOCKED}lega.com
- {BLOCKED}com
- {BLOCKED}rce.net
- {BLOCKED}au
- {BLOCKED}.com
- {BLOCKED}com
- {BLOCKED}er.com
- {BLOCKED}oudroux-photographie.fr
- {BLOCKED}aysage.fr
- {BLOCKED}eeiro.com
- {BLOCKED}e
- {BLOCKED}fr
- {BLOCKED}rry.com
- {BLOCKED}hael.net
- {BLOCKED}ebuffetcourses.com
- {BLOCKED}erescorts.co.uk
- {BLOCKED}tra.es
- {BLOCKED}g
- {BLOCKED}.com
- {BLOCKED}dhtx.com
- {BLOCKED}ainsltd.co.uk
- {BLOCKED}o.online
- {BLOCKED}t.com
- {BLOCKED}
- {BLOCKED}dgeadvisors.com
- {BLOCKED}hine.com
- {BLOCKED}king.com
- {BLOCKED}z
- {BLOCKED}iveclassroom.org
- {BLOCKED}ses.com
- {BLOCKED}prises.com
- {BLOCKED}boatbuilding.com
- {BLOCKED}nd-stories.com
- {BLOCKED}-lave-linge.fr
- {BLOCKED}ddingkansas.com
- {BLOCKED}solutionsstrategies.com
- {BLOCKED}ement.de
- {BLOCKED}ers.trade
- {BLOCKED}ce.com
- {BLOCKED}ctadenacimiento.com
- {BLOCKED}k.com
- {BLOCKED}o.uk
- {BLOCKED}trition.com
- {BLOCKED}tels.com
- {BLOCKED}
- {BLOCKED}dles.com
- {BLOCKED}ro.com
- {BLOCKED}m
- {BLOCKED}cox.net
- {BLOCKED}ermnl.com
- {BLOCKED}e.fun
- {BLOCKED}tineacademy.com
- {BLOCKED}coutgroup.org
- {BLOCKED}1.com
- {BLOCKED}aves.co.uk
- {BLOCKED}.com
- {BLOCKED}sion.co.uk
- {BLOCKED}efellowship.church
- {BLOCKED}.com
- {BLOCKED}h.co.uk
- {BLOCKED}ps.se
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}lanatoliquido.online
- {BLOCKED}uitosnainternet.com
- {BLOCKED}.com
- {BLOCKED}ces.co.uk
- {BLOCKED}
- {BLOCKED}e.com
- {BLOCKED}g.co.uk
- {BLOCKED}
- {BLOCKED}n.com
- {BLOCKED}rmann-architektur-und-planung.ch
- {BLOCKED}.info
- {BLOCKED}system.dk
- {BLOCKED}d.com
- {BLOCKED}inistries.com
- {BLOCKED}lbeing.org.uk
- {BLOCKED}erministries.com
- {BLOCKED}s-in-europe.com
- {BLOCKED}lothingcompany.com
- {BLOCKED}nnel.com
- {BLOCKED}.com
- {BLOCKED}t
- {BLOCKED}rporatelaw.com
- {BLOCKED}com.ar
- {BLOCKED}.cat
- {BLOCKED}sulting.at
- {BLOCKED}sgroup.com
- {BLOCKED}skernnoordwijk.nl
- {BLOCKED}elp.com
- {BLOCKED}
- {BLOCKED}ils.com
- {BLOCKED}costablanca.es
- {BLOCKED}nclients.fr
- {BLOCKED}m
- {BLOCKED}
- {BLOCKED}rg
- {BLOCKED}
- {BLOCKED}ts.com
- {BLOCKED}
- {BLOCKED}e
- {BLOCKED}owco.com
- {BLOCKED}itario.biz
- {BLOCKED}
- {BLOCKED}ebsforschung.de
- {BLOCKED}icologia.es
- {BLOCKED}
- {BLOCKED}id.com.ua
- {BLOCKED}epepper.com
- {BLOCKED}ervice.com
- {BLOCKED}
- {BLOCKED}v.com
- {BLOCKED}rednitzhembach.de
- {BLOCKED}om.wordpress.com
- {BLOCKED}m
- {BLOCKED}com
- {BLOCKED}
- {BLOCKED}.org
- {BLOCKED}
- {BLOCKED}.com
- {BLOCKED}
- {BLOCKED}tive.com
- {BLOCKED}sHomes.com
- {BLOCKED}com
- {BLOCKED}
- {BLOCKED}ngcoffee.com
- {BLOCKED}.nl
- {BLOCKED}
- {BLOCKED}pugh.com
- {BLOCKED}tiger.de
- {BLOCKED}com.au
- {BLOCKED}.nl
- {BLOCKED}frica.com
- {BLOCKED}mulhouse.fr
- {BLOCKED}to.com
- {BLOCKED}n
- {BLOCKED}
- {BLOCKED}tates.org
- {BLOCKED}ervices.nl
- {BLOCKED}
- {BLOCKED}e
- {BLOCKED}promo.com
- {BLOCKED}online
- {BLOCKED}om
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}iscall.com
- {BLOCKED}rveys.com
- {BLOCKED}
- {BLOCKED}m
- {BLOCKED}m.wordpress.com
- {BLOCKED}io.com
- {BLOCKED}sadvokaterne.dk
- {BLOCKED}ation.fr
- {BLOCKED}.pl
- {BLOCKED}he-pfarrgemeinde-tuniberg.de
- {BLOCKED}fishing.com
- {BLOCKED}echnologies.com
- {BLOCKED}irllc.com
- {BLOCKED}.at
- {BLOCKED}k
- {BLOCKED}aison.info
- {BLOCKED}aryoutdoors.com
- {BLOCKED}ich27.de
- {BLOCKED}s18.de
- {BLOCKED}h.com
- {BLOCKED}
- {BLOCKED}40.com
- {BLOCKED}.com
- {BLOCKED}om
- {BLOCKED}ttransfers.net
- {BLOCKED}om
- {BLOCKED}gmachines.com
- {BLOCKED}-loans.com
- {BLOCKED}ions.com
- {BLOCKED}at
- {BLOCKED}-ziegler.de
- {BLOCKED}culoma.info
- {BLOCKED}m
- {BLOCKED}ingvfcomplet.be
- {BLOCKED}eb.com
- {BLOCKED}recard.com
- {BLOCKED}e-marke.de
- {BLOCKED}week.pl
- {BLOCKED}d-u.com
- {BLOCKED}ntservices.com
- {BLOCKED}.com
- {BLOCKED}aar.com
- {BLOCKED}byjessica.com
- {BLOCKED}rum.com
- {BLOCKED}
- {BLOCKED}.hk
- {BLOCKED}uca.org.au
- {BLOCKED}e.ca
- {BLOCKED}a.org
- {BLOCKED}lth.live
- {BLOCKED}edia.es
- {BLOCKED}on.com
- {BLOCKED}gels.nl
- {BLOCKED}utachterpraxis.de
- {BLOCKED}rkschaften.de
- {BLOCKED}brgrs.com
- {BLOCKED}ldingllc.com
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}regal.org
- {BLOCKED}g.gt
- {BLOCKED}s.com
- {BLOCKED}
- {BLOCKED}fair.com
- {BLOCKED}pl
- {BLOCKED}.info
- {BLOCKED}unciakrilikbandung.com
- {BLOCKED}ompte-rouen.fr
- {BLOCKED}om
- {BLOCKED}alisten.se
- {BLOCKED}de
- {BLOCKED}l
- {BLOCKED}ler.de
- {BLOCKED}tkompas.nl
- {BLOCKED}uli.com
- {BLOCKED}rketing.com
- {BLOCKED}ts.co.nz
- {BLOCKED}s.info
- {BLOCKED}s.wordpress.com
- {BLOCKED}
- {BLOCKED}rnes.es
- {BLOCKED}covery.com
- {BLOCKED}com
- {BLOCKED}
- {BLOCKED}ent.se
- {BLOCKED}optimaldentalcare.com
- {BLOCKED}
- {BLOCKED}ch
- {BLOCKED}e.com
- {BLOCKED}s.com
- {BLOCKED}yssinet.fr
- {BLOCKED}lhoerodrigues.com.br
- {BLOCKED}org
- {BLOCKED}anagement.com
- {BLOCKED}e.com
- {BLOCKED}wordpress.com
- {BLOCKED}now.site
- {BLOCKED}-llc.com
- {BLOCKED}k.de
- {BLOCKED}rimages.org
- {BLOCKED}up.com
- {BLOCKED}com
- {BLOCKED}ogram.wordpress.com
- {BLOCKED}om
- {BLOCKED}tindo.com
- {BLOCKED}
- {BLOCKED}willtravel2017.wordpress.com
- {BLOCKED}rkout.com
- {BLOCKED}
- {BLOCKED}artstudio.gallery
- {BLOCKED}lsky.com
- {BLOCKED}vluchtnewyork.nl
- {BLOCKED}n.com
- {BLOCKED}com
- {BLOCKED}per.com
- {BLOCKED}.com
- {BLOCKED}staefa.ch
- {BLOCKED}auer.at
- {BLOCKED}es.co
- {BLOCKED}com
- {BLOCKED}secrets.com.au
- {BLOCKED}oweb.com
- {BLOCKED}outdoors.net
- {BLOCKED}uthasc.com
- {BLOCKED}
- {BLOCKED}de
- {BLOCKED}.dk
- {BLOCKED}e.com
- {BLOCKED}studio.com
- {BLOCKED}r.com
- {BLOCKED}
- {BLOCKED}adova.it
- {BLOCKED}.com.br
- {BLOCKED}al.at
- {BLOCKED}s.com
- {BLOCKED}fon.hr
- {BLOCKED}l
- {BLOCKED}e-entfernen.de
- {BLOCKED}uppe.de
- {BLOCKED}hert.de
- {BLOCKED}reteil.com
- {BLOCKED}tion.com
- {BLOCKED}us.org
- {BLOCKED}tid.dk
- {BLOCKED}are.com
- {BLOCKED}m.com
- {BLOCKED}e
- {BLOCKED}
- {BLOCKED}n.com
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}com
- {BLOCKED}
- {BLOCKED}a.com
- {BLOCKED}te.com
- {BLOCKED}p
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}.com
- {BLOCKED}de
- {BLOCKED}tore.com
- {BLOCKED}china.info
- {BLOCKED}
- {BLOCKED}sional.ru
- {BLOCKED}ge.pl
- {BLOCKED}g.com
- {BLOCKED}
- {BLOCKED}net
- {BLOCKED}m
- {BLOCKED}nter.org
- {BLOCKED}nal-sound-awards.com
- {BLOCKED}vizbudapest.hu
- {BLOCKED}tific.com
- {BLOCKED}r.com
- {BLOCKED}neryauctions.com
- {BLOCKED}om
- {BLOCKED}com
- {BLOCKED}ciliegie.it
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}l
- {BLOCKED}acharlotte.com
- {BLOCKED}m
- {BLOCKED}quettes.com
- {BLOCKED}net.info
- {BLOCKED}.com
- {BLOCKED}e.com
- {BLOCKED}e.com
- {BLOCKED}ystudio.com
- {BLOCKED}
- {BLOCKED}ibomana.com
- {BLOCKED}dersonwriter.com
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}enya.com
- {BLOCKED}
- {BLOCKED}ilyfarmblog.wordpress.com
- {BLOCKED}ts.com
- {BLOCKED}
- {BLOCKED}la.com
- {BLOCKED}ktolife.com
- {BLOCKED}ndia.com
- {BLOCKED}
- {BLOCKED}en.com
- {BLOCKED}de
- {BLOCKED}idworkgroup.org
- {BLOCKED}
- {BLOCKED}ra.com
- {BLOCKED}ichter.nl
- {BLOCKED}com
- {BLOCKED}dbuild.co.uk
- {BLOCKED}
- {BLOCKED}.jp
- {BLOCKED}-oszczednosci.pl
- {BLOCKED}net
- {BLOCKED}ywan24.pl
- {BLOCKED}om
- {BLOCKED}er.gives
- {BLOCKED}
- {BLOCKED}omz.com
- {BLOCKED}.nl
- {BLOCKED}com
- {BLOCKED}e-gera.de
- {BLOCKED}co.uk
- {BLOCKED}net.fi
- {BLOCKED}
- {BLOCKED}tgo.com
- {BLOCKED}.com
- {BLOCKED}mond.nl
- {BLOCKED}ist.com.au
- {BLOCKED}eira.com
- {BLOCKED}e-vergleich.de
- {BLOCKED}.construction
- {BLOCKED}er.dk
- {BLOCKED}g.com.au
- {BLOCKED}
- {BLOCKED}info
- {BLOCKED}nl
- {BLOCKED}g.co.uk
- {BLOCKED}useumbd.com
- {BLOCKED}hou.com
- {BLOCKED}i.info
- {BLOCKED}-baby.nl
- {BLOCKED}dk
- {BLOCKED}-webcams.com
- {BLOCKED}om
- {BLOCKED}y.eu
- {BLOCKED}.com
- {BLOCKED}srok.fi
- {BLOCKED}bilien.de
- {BLOCKED}
- {BLOCKED}hiet.nl
- {BLOCKED}e.fr
- {BLOCKED}
- {BLOCKED}ennus.fi
- {BLOCKED}at.fi
- {BLOCKED}.info.vn
- {BLOCKED}l
- {BLOCKED}apks.com
- {BLOCKED}entielle.com
- {BLOCKED}.com
- {BLOCKED}eu
- {BLOCKED}electrical.com
- {BLOCKED}ctory.co.jp
- {BLOCKED}.fr
- {BLOCKED}oworking.com
- {BLOCKED}ne.com.ua
- {BLOCKED}
- {BLOCKED}studentcity.nl
- {BLOCKED}dombes.com
- {BLOCKED}-shop.ru
- {BLOCKED}
- {BLOCKED}emean.be
- {BLOCKED}.se
- {BLOCKED}pa.fi
- {BLOCKED}.com
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}er-sachsen.de
- {BLOCKED}mo.fi
- {BLOCKED}eauties.org
- {BLOCKED}palais.com
- {BLOCKED}iving.com
- {BLOCKED}ari.fi
- {BLOCKED}e
- {BLOCKED}.salon
- {BLOCKED}rte.de
- {BLOCKED}life.jp
- {BLOCKED}t.com
- {BLOCKED}ruction.com
- {BLOCKED}ons.com
- {BLOCKED}-blomberg.de
- {BLOCKED}elderlaw.com
- {BLOCKED}
- {BLOCKED}ero.com
- {BLOCKED}nko.com
- {BLOCKED}diacompanies.com
- {BLOCKED}tbank.com
- {BLOCKED}er-apkz.com
- {BLOCKED}y.wordpress.com
- {BLOCKED}
- {BLOCKED}p
- {BLOCKED}et
- {BLOCKED}herd.co.uk
- {BLOCKED}.nl
- {BLOCKED}paysflechois.com
- {BLOCKED}.com
- {BLOCKED}ymentlawyerblog.com
- {BLOCKED}s.ru
- {BLOCKED}t.at
- {BLOCKED}eheard.com
- {BLOCKED}ruchomoscipremium.com
- {BLOCKED}glab.com
- {BLOCKED}.com
- {BLOCKED}
- {BLOCKED}assage.com
- {BLOCKED}om
- {BLOCKED}paolo.com
- {BLOCKED}ubedeportugal.com
- {BLOCKED}loboda.com
- {BLOCKED}ten.site
- {BLOCKED}fordshire-pc.gov.uk
- {BLOCKED}rnoudts.nl
- {BLOCKED}opaneaz.com
- {BLOCKED}h.com
- {BLOCKED}ulweb.com
- {BLOCKED}lor.com
- {BLOCKED}engineering.com
- {BLOCKED}ezedancetheater.org
- {BLOCKED}ondon
- {BLOCKED}com
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}esign.de
- {BLOCKED}my-iraq.org
- {BLOCKED}info
- {BLOCKED}rtest.net
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}fiori.com
- {BLOCKED}
- {BLOCKED}nithome.wordpress.com
- {BLOCKED}om.ru
- {BLOCKED}so.de
- {BLOCKED}riglioracing.com
- {BLOCKED}mation.de
- {BLOCKED}net
- {BLOCKED}man.com
- {BLOCKED}zcpa.com
- {BLOCKED}i.it
- {BLOCKED}hows.com
- {BLOCKED}.aberdeen.sch.uk
- {BLOCKED}
- {BLOCKED}udios.com
- {BLOCKED}om
- {BLOCKED}anku.com
- {BLOCKED}t.fun
- {BLOCKED}m.de
- {BLOCKED}eman.nl
- {BLOCKED}eman.nl
- {BLOCKED}er.de
- {BLOCKED}r
- {BLOCKED}.com
- {BLOCKED}g.nl
- {BLOCKED}gement.com
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}m
- {BLOCKED}garden.com
- {BLOCKED}om
- {BLOCKED}eger.de
- {BLOCKED}ptinyhomes.com
- {BLOCKED}de
- {BLOCKED}irekt.de
- {BLOCKED}.com
- {BLOCKED}c.com
- {BLOCKED}et
- {BLOCKED}e
- {BLOCKED}e
- {BLOCKED}s.com
- {BLOCKED}ouse.net
- {BLOCKED}et.au
- {BLOCKED}d.com
- {BLOCKED}m
- {BLOCKED}uesky.com
- {BLOCKED}ex.com
- {BLOCKED}us.com
- {BLOCKED}y.com
- {BLOCKED}
- {BLOCKED}e.com
- {BLOCKED}unterricht.com
- {BLOCKED}r.de
- {BLOCKED}undation.org
- {BLOCKED}rmatique.fr
- {BLOCKED}ution.nl
- {BLOCKED}m
- {BLOCKED}g
- {BLOCKED}ssels.com
- {BLOCKED}ulas.com
- {BLOCKED}ids.com
- {BLOCKED}l.hr
- {BLOCKED}-hotte.de
- {BLOCKED}lautooverseas.com
- {BLOCKED}
- {BLOCKED}c-studio.com
- {BLOCKED}
- {BLOCKED}ss.ch
- {BLOCKED}trical.co.za
- {BLOCKED}gov.uk
- {BLOCKED}m.ng
- {BLOCKED}
- {BLOCKED}o247.com
- {BLOCKED}hbachorg.wordpress.com
- {BLOCKED}om
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}h
- {BLOCKED}m.fr
- {BLOCKED}dentistry.com
- {BLOCKED}ratgeber.de
- {BLOCKED}hting.com
- {BLOCKED}teria.com
- {BLOCKED}gasgovernment.com
- {BLOCKED}out.com
- {BLOCKED}d.org
- {BLOCKED}
- {BLOCKED}isdom.com
- {BLOCKED}
- {BLOCKED}s.com
- {BLOCKED}ios.com
- {BLOCKED}org
- {BLOCKED}
- {BLOCKED}.com
- {BLOCKED}sts.com
- {BLOCKED}n.com
- {BLOCKED}com
- {BLOCKED}un.net
- {BLOCKED}
- {BLOCKED}om
- {BLOCKED}rriors.at
- {BLOCKED}ource.org
- {BLOCKED}nk.com
- {BLOCKED}smarketing.com
- {BLOCKED}dboulevards.com
- {BLOCKED}e-ako.sk
- {BLOCKED}kia.sk
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}fi
- {BLOCKED}at
- {BLOCKED}om
- {BLOCKED}ann.de
- {BLOCKED}nds.wordpress.com
- {BLOCKED}ncome.com
- {BLOCKED}ichmadrid.es
- {BLOCKED}cks.com
- {BLOCKED}tla.fr
- {BLOCKED}
- {BLOCKED}tgateway.eu
- {BLOCKED}nberg.de
- {BLOCKED}auto.net
- {BLOCKED}i.sk
- {BLOCKED}o.uk
- {BLOCKED}se
- {BLOCKED}ndation.net
- {BLOCKED}hop.de
- {BLOCKED}overs.com
- {BLOCKED}.net
- {BLOCKED}guru
- {BLOCKED}
- {BLOCKED}r.com
- {BLOCKED}oup
- {BLOCKED}
- {BLOCKED}.com
- {BLOCKED}com
- {BLOCKED}hancementcenter.com
- {BLOCKED}os.com
- {BLOCKED}
- {BLOCKED}ter.de
- {BLOCKED}.com
- {BLOCKED}broca.com
- {BLOCKED}her.de
- {BLOCKED}n.dk
- {BLOCKED}com
- {BLOCKED}ll.org
- {BLOCKED}.com
- {BLOCKED}com
- {BLOCKED}.fr
- {BLOCKED}es.com
- {BLOCKED}por.net
- {BLOCKED}
- {BLOCKED}com.ar
- {BLOCKED}r.com
- {BLOCKED}eative.com
- {BLOCKED}
- {BLOCKED}es.de
- {BLOCKED}com
- {BLOCKED}ra.de
- {BLOCKED}.ru
- {BLOCKED}k
- {BLOCKED}m
- {BLOCKED}labs.com
- {BLOCKED}dk
- {BLOCKED}t
- {BLOCKED}izzeria.de
- {BLOCKED}go.com
- {BLOCKED}arrobo.com
- {BLOCKED}tners.nl
- {BLOCKED}rderdiagnostik.de
- {BLOCKED}agement-plus.de
- {BLOCKED}evel.com
- {BLOCKED}-magdeburg.de
- {BLOCKED}rieel.nl
- {BLOCKED}oyage.net
- {BLOCKED}de
- {BLOCKED}turin.fr
- {BLOCKED}es
- {BLOCKED}rtorico.com
- {BLOCKED}d.org
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}.in
- {BLOCKED}de
- {BLOCKED}net.hr
- {BLOCKED}c.es
- {BLOCKED}com
- {BLOCKED}isorsolutions.com
- {BLOCKED}de
- {BLOCKED}
- {BLOCKED}tag.de
- {BLOCKED}om
- {BLOCKED}a.net
- {BLOCKED}s.com
- {BLOCKED}e.com
- {BLOCKED}.de
- {BLOCKED}s.nl
- {BLOCKED}
- {BLOCKED}o.uk
- {BLOCKED}r.de
- {BLOCKED}homegoods.com
- {BLOCKED}k.com
- {BLOCKED}e-experts.com
- {BLOCKED}her.com
- {BLOCKED}ry.com
- {BLOCKED}cer.com
- {BLOCKED}tioncentersinhouston.net
- {BLOCKED}com
- {BLOCKED}ution.com
- {BLOCKED}om
- {BLOCKED}com
- {BLOCKED}esszimmer.de
- {BLOCKED}studio.com
- {BLOCKED}e.com
- {BLOCKED}ballacademy.com
- {BLOCKED}lix.co.uk
- {BLOCKED}
- {BLOCKED}ncario.net
- {BLOCKED}s.com
- {BLOCKED}r.app
- {BLOCKED}com
- {BLOCKED}kcolumbia.com
- {BLOCKED}visit.com
- {BLOCKED}dahr.com
- {BLOCKED}ings.co.uk
- {BLOCKED}llations.co.uk
- {BLOCKED}com
- {BLOCKED}aching.nl
- {BLOCKED}gberdaya.com
- {BLOCKED}com
- {BLOCKED}ris.com
- {BLOCKED}pliances.com
- {BLOCKED}hermen-resort.com
- {BLOCKED}om
- {BLOCKED}.com
- {BLOCKED}
- {BLOCKED}.com
- {BLOCKED}t
- {BLOCKED}
- {BLOCKED}x.com
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}com
- {BLOCKED}safoundation.org
- {BLOCKED}de
- {BLOCKED}er.info
- {BLOCKED}
- {BLOCKED}que.net
- {BLOCKED}-test.net
- {BLOCKED}t.de
- {BLOCKED}t.de
- {BLOCKED}mer.com
- {BLOCKED}ssivewealth.com
- {BLOCKED}e
- {BLOCKED}info.nl
- {BLOCKED}reecharters.com
- {BLOCKED}m.com
- {BLOCKED}r-sturm.at
- {BLOCKED}.com
- {BLOCKED}.com
- {BLOCKED}m
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}.pl
- {BLOCKED}.net
- {BLOCKED}tising.com
- {BLOCKED}enjoon.wordpress.com
- {BLOCKED}dgrillorlando.com
- {BLOCKED}w.com
- {BLOCKED}ration.com
- {BLOCKED}dential.com
- {BLOCKED}om
- {BLOCKED}rcut.com
- {BLOCKED}ch-realestate.com
- {BLOCKED}or.ru
- {BLOCKED}.de
- {BLOCKED}wards.co.uk
- {BLOCKED}om
- {BLOCKED}sedbykeepingitreal.com
- {BLOCKED}ain.com
- {BLOCKED}
- {BLOCKED}chi.ru
- {BLOCKED}
- {BLOCKED}nt.no
- {BLOCKED}com
- {BLOCKED}m
- {BLOCKED}t
- {BLOCKED}erbal.com
- {BLOCKED}om
- {BLOCKED}at
- {BLOCKED}
- {BLOCKED}ciens.nl
- {BLOCKED}deamill.wordpress.com
- {BLOCKED}t.co.uk
- {BLOCKED}tice.com
- {BLOCKED}.th
- {BLOCKED}om
- {BLOCKED}m.pl
- {BLOCKED}strategies.com
- {BLOCKED}com
- {BLOCKED}ves.com
- {BLOCKED}da.com
- {BLOCKED}edia.com
- {BLOCKED}g
- {BLOCKED}nh.com
- {BLOCKED}ctkey.com
- {BLOCKED}dy.com
- {BLOCKED}i-allart.ch
- {BLOCKED}
- {BLOCKED}hic.com
- {BLOCKED}ptv.com
- {BLOCKED}ia.ee
- {BLOCKED}rnacademyofprosthodontics.org
- {BLOCKED}
- {BLOCKED}isters.org
- {BLOCKED}chen.de
- {BLOCKED}en.de
- {BLOCKED}.ru
- {BLOCKED}u
- {BLOCKED}r.com
- {BLOCKED}ortfondsen.nl
- {BLOCKED}oren.com
- {BLOCKED}n-tambach.de
- {BLOCKED}rkhelp.com
- {BLOCKED}om
- {BLOCKED}com
- {BLOCKED}n.se
- {BLOCKED}ica.es
- {BLOCKED}rcular.org
- {BLOCKED}arpetandfloors.com
- {BLOCKED}h.me
- {BLOCKED}te.nl
- {BLOCKED}ademy.com
- {BLOCKED}say.com
- {BLOCKED}ach.com
- {BLOCKED}uv.de
- {BLOCKED}alle.de
- {BLOCKED}
- {BLOCKED}com
- {BLOCKED}se
- {BLOCKED}ingdoonbeg.com
- {BLOCKED}tatements.com
- {BLOCKED}adio1.site
- {BLOCKED}no
- {BLOCKED}etingstrategies.com
- {BLOCKED}binets.ca
- {BLOCKED}ba.nl
- {BLOCKED}org.uk
- {BLOCKED}
- {BLOCKED}r
- {BLOCKED}vironmental.com
- {BLOCKED}sphaltfieber.de
- {BLOCKED}
- {BLOCKED}dk
- {BLOCKED}om
- {BLOCKED}er.com
- {BLOCKED}.com
- {BLOCKED}
- {BLOCKED}aktijkhartjegroningen.nl
- {BLOCKED}aktijkheesch.nl
- {BLOCKED}t.com
- {BLOCKED}-kieber.de
- {BLOCKED}del.com
- {BLOCKED}amsburg.com
- {BLOCKED}ge.dk
- {BLOCKED}et.com
- {BLOCKED}ina.bytom.pl
- {BLOCKED}
- {BLOCKED}nfold.com
- {BLOCKED}etten.nl
- {BLOCKED}dia.org
- {BLOCKED}ohealthuk.com
- {BLOCKED}kmetmening.online
- {BLOCKED}
- {BLOCKED}lic.com
- {BLOCKED}
- {BLOCKED}-trader.com
- {BLOCKED}lizer.com
- {BLOCKED}reedge.com
- {BLOCKED}ory.com
- {BLOCKED}com
- {BLOCKED}
- {BLOCKED}ie.com
- {BLOCKED}
- {BLOCKED}rk
- {BLOCKED}com
- {BLOCKED}company
- {BLOCKED}er.com
- {BLOCKED}veme.com
- {BLOCKED}eexperience.com.au
- {BLOCKED}smimi.com
- {BLOCKED}pital.de
- {BLOCKED}no.com
- {BLOCKED}m
- {BLOCKED}bayl.ru
- {BLOCKED}.com
- {BLOCKED}ology
- {BLOCKED}les.com
- {BLOCKED}
- {BLOCKED}com
- {BLOCKED}.nl
- {BLOCKED}haiphong.net
- {BLOCKED}rvicescourses.com
- {BLOCKED}asinosuk.co.uk
- {BLOCKED}
- {BLOCKED}ollnas.se
- {BLOCKED}onstruction.com
- {BLOCKED}pro.com.au
- {BLOCKED}altribe.wordpress.com
- {BLOCKED}sycementoshidalgo.es
- {BLOCKED}ue.it
- {BLOCKED}ne.com
- {BLOCKED}om
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}.co.uk
- {BLOCKED}om
- {BLOCKED}k.eu
- {BLOCKED}nl
- {BLOCKED}heaterinstallation.com
- {BLOCKED}ariatrics.com
- {BLOCKED}.fi
- {BLOCKED}os.com
- {BLOCKED}thlena.wordpress.com
- {BLOCKED}
- {BLOCKED}eting.com
- {BLOCKED}
- {BLOCKED}rna.se
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}ar.se
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}tyr.ru
- {BLOCKED}iiuniri.ro
- {BLOCKED}committee.us
- {BLOCKED}print.ca
- {BLOCKED}nstruct.be
- {BLOCKED}mdesign.com
- {BLOCKED}oimport.nl
- {BLOCKED}.ar
- {BLOCKED}ne.com
- {BLOCKED}apital.de
- {BLOCKED}e
- {BLOCKED}om
- {BLOCKED}com.vn
- {BLOCKED}.fr
- {BLOCKED}ter.de
- {BLOCKED}rw
- {BLOCKED}net
- {BLOCKED}images.com
- {BLOCKED}festival.co.uk
- {BLOCKED}ting.pro
- {BLOCKED}sultancy.com
- {BLOCKED}rssi.fi
- {BLOCKED}akesch.de
- {BLOCKED}ndustry.fr
- {BLOCKED}ter.es
- {BLOCKED}
- {BLOCKED}.nl
- {BLOCKED}u
- {BLOCKED}s.com
- {BLOCKED}lebino-24.ru
- {BLOCKED}r.com
- {BLOCKED}cher-berechnen.de
- {BLOCKED}dnj.com
- {BLOCKED}m.de
- {BLOCKED}e
- {BLOCKED}infonds.at
- {BLOCKED}ercentre.co.uk
- {BLOCKED}m
- {BLOCKED}ds.net
- {BLOCKED}
- {BLOCKED}tudio.com
- {BLOCKED}srbija.rs
- {BLOCKED}peloton.com
- {BLOCKED}se
- {BLOCKED}nl
- {BLOCKED}rdbuyrite.com
- {BLOCKED}.com
- {BLOCKED}tingly.ru
- {BLOCKED}.co.at
- {BLOCKED}
- {BLOCKED}com
- {BLOCKED}om
- {BLOCKED}und-kunst.de
- {BLOCKED}demy.org
- {BLOCKED}solution.com
- {BLOCKED}de
- {BLOCKED}hbasicinfo.com
- {BLOCKED}om
- {BLOCKED}sg
- {BLOCKED}at
- {BLOCKED}sult.no
- {BLOCKED}przedszkolne.pl
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}.no
- {BLOCKED}putssollentuna-39b.se
- {BLOCKED}ie-leverkusen-kwb.de
- {BLOCKED}-bua.online
- {BLOCKED}brsen-vergleich-nec.com
- {BLOCKED}tc-13a1357egba.com
- {BLOCKED}-pua.biz
- {BLOCKED}com
- {BLOCKED}om
- {BLOCKED}com
- {BLOCKED}s.com
- {BLOCKED}
- {BLOCKED}g.uk
- {BLOCKED}com.au
- {BLOCKED}net
- {BLOCKED}e
- {BLOCKED}ender.com
- {BLOCKED}i.co.th
- {BLOCKED}.com
- {BLOCKED}
- {BLOCKED}aezisionsteile.de
- {BLOCKED}thers.de
- {BLOCKED}eboer.de
- {BLOCKED}l.de
- {BLOCKED}1.net
- {BLOCKED}im.de
- {BLOCKED}tives.nl
- {BLOCKED}com
- {BLOCKED}a
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}
- {BLOCKED}salon.com
- {BLOCKED}nline
- {BLOCKED}tsu.net
- {BLOCKED}com
- {BLOCKED}ru
- {BLOCKED}m.hk
- {BLOCKED}ns.org
- {BLOCKED}.org
- where {string 1} can be one of the following:
- admin
- content
- data
- include
- news
- static
- uploads
- wp-content
- where {string 2} can be one of the following:
- assets
- game
- graphic
- image
- images
- pics
- pictures
- temp
- tmp
- where {string 3} can be one of the following:
- jpg
- png
- gif
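The C2 URL is assembled from the three vocabularies above, and the hundreds of domains are ordinary compromised websites, so a domain blocklist ages quickly while the path grammar does not. The Python below is an added example, not part of the original report, that applies that grammar to proxy or TLS-inspection log lines: it flags HTTPS POST requests whose path is {string 1}/{string 2}/{random}.{jpg|png|gif}, then ranks source hosts by how many distinct domains they posted to, because a single POST to an image URL is plausible traffic from a content management system but fan-out across several unrelated sites is not. The log format, the .invalid domains, and the assumption that the random file name is alphanumeric are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# URL path vocabulary taken from the report above.
STRING_1 = {"admin", "content", "data", "include", "news", "static", "uploads", "wp-content"}
STRING_2 = {"assets", "game", "graphic", "image", "images", "pics", "pictures", "temp", "tmp"}
STRING_3 = {"jpg", "png", "gif"}

# The report says "{random characters}"; treating them as alphanumeric is an assumption.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]+\.([A-Za-z]{3})$")


def looks_like_beacon(method, url):
    """True for an HTTPS POST whose path is /{string 1}/{string 2}/{random}.{string 3}."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3:
        return False
    dir1, dir2, filename = segments
    m = RANDOM_NAME.match(filename)
    return (dir1.lower() in STRING_1 and dir2.lower() in STRING_2
            and m is not None and m.group(1).lower() in STRING_3)


def find_beacons(log_text):
    """Map each source host to the set of domains it sent beacon-shaped POSTs to.

    Expects whitespace-separated lines: timestamp src_ip method url status
    (a constructed format for this example; adapt the split to your proxy).
    """
    beacons = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, src, method, url, _status = fields
        if looks_like_beacon(method, url):
            beacons.setdefault(src, set()).add(urlsplit(url).hostname)
    return beacons


def suspicious_hosts(log_text, min_domains=2):
    """Hosts that posted beacons to at least min_domains distinct domains.

    The family rotates through hundreds of unrelated compromised sites, so one
    image-URL POST is weak evidence but fan-out across domains is strong.
    """
    return sorted(h for h, doms in find_beacons(log_text).items() if len(doms) >= min_domains)


# Constructed proxy log (the .invalid domains exist only in this example).
SAMPLE_PROXY_LOG = """\
2021-03-02T10:14:07Z 10.20.30.41 POST https://example-shop.invalid/wp-content/images/xQzLpRtA.jpg 200
2021-03-02T10:14:09Z 10.20.30.41 GET https://example-shop.invalid/wp-content/images/logo.png 200
2021-03-02T10:14:11Z 10.20.30.41 POST https://cdn-example.invalid/static/pics/kJdLwQ.gif 404
2021-03-02T10:14:12Z 10.20.30.43 POST https://example-api.invalid/api/v1/upload 200
2021-03-02T10:14:13Z 10.20.30.44 POST https://blog-example.invalid/uploads/tmp/aBcDeF.png 200
"""

if __name__ == "__main__":
    for host, domains in sorted(find_beacons(SAMPLE_PROXY_LOG).items()):
        print(host, "->", ", ".join(sorted(domains)))
    print("fan-out hosts:", suspicious_hosts(SAMPLE_PROXY_LOG))
```

The HTTP status is deliberately ignored: many of the compromised sites return 404 or other errors for the generated path, and the attempt is still the indicator. Because the traffic is HTTPS, this only works where the URL path is visible, i.e. behind a TLS-inspecting proxy or from endpoint URL telemetry; on plain flow logs only the fan-out to many unrelated domains from one host remains observable.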
Other Details
It adds the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
It does the following:
- Avoids encrypting machines whose keyboard layout language is one of the following:
- ARMENIAN_ARMENIA
- AZERI_CYRILLIC
- BELARUSIAN_BELARUS
- ESTONIAN_ESTONIA
- GEORGIAN_GEORGIA
- KAZAK_KAZAKHSTAN
- KYRGYZ_KYRGYZSTAN
- LATVIAN_LATVIA
- LITHUANIAN_LITHUANIA
- PERSIAN_IRAN
- ROMANIAN_ROMANIA
- RUSSIAN_RUSSIA
- TAJIK_TAJIKISTAN
- TATAR_RUSSIA
- TURKMEN_TURKMENISTAN
- UKRAINIAN_UKRAINE
- UZBEK_CYRILLIC
- It searches for files to encrypt on remote drives, fixed drives, removable drives, and network resources.
It accepts the following parameters:
- -silent → skips the following:
- Termination of blacklisted processes and services
- Removal of shadow copies
- -path → specifies directory to be encrypted
- -nolocal → avoids encrypting fixed and removable drives
- -nolan → avoids encrypting network and shared drives
- -fast → fast encryption mode
Ransomware Routine
It avoids encrypting files with the following strings in their file name:
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
- {Appended File Extension}-readme.txt
It avoids encrypting files found in the following folders:
- $recycle.bin
- $windows.~bt
- $windows.~ws
- appdata
- application data
- boot
- intel
- mozilla
- msocache
- perflogs
- program files
- program files (x86)
- programdata
- system volume information
- tor browser
- windows.old
It appends the following extension to the file name of the encrypted files:
- .{random characters}
It drops the following file as a ransom note:
- {Encrypted Directory}\{Appended File Extension}-readme.txt
It avoids encrypting files with the following file extensions:
- 386
- adv
- ani
- bat
- bin
- cab
- cmd
- com
- cpl
- cur
- deskthemepack
- diagcab
- diagcfg
- diagpkg
- dll
- drv
- exe
- hlp
- hta
- icl
- icns
- ico
- ics
- idx
- key
- ldf
- lnk
- lock
- mod
- mpa
- msc
- msi
- msp
- msstyles
- msu
- nls
- nomedia
- ocx
- prf
- ps1
- rom
- rtp
- scr
- shs
- spl
- sys
- theme
- themepack
- wpx
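The three exclusion lists above (file-name strings, folders, extensions) and the {Appended File Extension}-readme.txt note name together define exactly which files this variant touches, which is what an incident responder needs when scoping damage from a file listing. The Python below is an added example and not code from the original report: it recovers the appended extension from the ransom note name, separates encrypted files and notes from files that were merely in scope or were excluded, and applies the skip rules exactly as listed on this page and nothing more. The file listing and the extension t7f2kq are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Exclusion rules exactly as listed in the report above.
SKIP_NAME_STRINGS = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "desktop.ini",
    "iconcache.db", "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db",
}
SKIP_FOLDERS = {
    "$recycle.bin", "$windows.~bt", "$windows.~ws", "appdata", "application data", "boot",
    "intel", "mozilla", "msocache", "perflogs", "program files", "program files (x86)",
    "programdata", "system volume information", "tor browser", "windows.old",
}
SKIP_EXTENSIONS = set(
    "386 adv ani bat bin cab cmd com cpl cur deskthemepack diagcab diagcfg diagpkg dll drv "
    "exe hlp hta icl icns ico ics idx key ldf lnk lock mod mpa msc msi msp msstyles msu nls "
    "nomedia ocx prf ps1 rom rtp scr shs spl sys theme themepack wpx".split()
)

# Ransom note: {Appended File Extension}-readme.txt. The extension is "random
# characters" per the report; alphanumeric is an assumption.
RANSOM_NOTE = re.compile(r"^([a-z0-9]+)-readme\.txt$", re.I)


def would_encrypt(path_str):
    """Apply the report's three exclusion lists to a single Windows path."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    if any(s in name for s in SKIP_NAME_STRINGS):          # substring match on the file name
        return False
    if any(part.lower() in SKIP_FOLDERS for part in p.parts[:-1]):  # any ancestor folder
        return False
    return p.suffix.lstrip(".").lower() not in SKIP_EXTENSIONS


def recover_extension(paths):
    """Infer the appended extension from ransom note file names (most common wins)."""
    seen = Counter(
        m.group(1).lower()
        for m in (RANSOM_NOTE.match(PureWindowsPath(p).name) for p in paths) if m
    )
    return seen.most_common(1)[0][0] if seen else None


def triage(paths):
    """Split a file listing into ransom notes, encrypted files, in-scope and excluded files."""
    ext = recover_extension(paths)
    result = {"extension": ext, "notes": [], "encrypted": [], "in_scope": [], "excluded": []}
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if ext and name == f"{ext}-readme.txt":
            result["notes"].append(p)
        elif ext and name.endswith("." + ext):
            result["encrypted"].append(p)
        elif would_encrypt(p):
            result["in_scope"].append(p)       # would have been hit had the run continued
        else:
            result["excluded"].append(p)
    return result


# Constructed file listing; the extension t7f2kq is invented for the example.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.t7f2kq",
    r"C:\Users\alice\Documents\t7f2kq-readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Desktop\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Mozilla\prefs.js",
    r"C:\Program Files\Vendor\app.dll",
    r"C:\Windows\System32\drivers\disk.sys",
    r"D:\Shares\Finance\ledger.accdb",
    r"\\fileserver\public\deploy.ps1",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LISTING).items():
        print(bucket, "->", items)
```

Feed it a recursive directory listing (including mapped and UNC shares, since the report says network resources are in scope) from a suspected host. The in_scope bucket is the useful output for a run that was interrupted: those are the files that were exposed but not yet encrypted, and the ones to pull before any rebuild. Because the skip lists are applied to the whole path, a spreadsheet under a user's Documents folder is in scope while the same file under ProgramData or AppData is not.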
Solution
Step 1
Trend Micro Predictive Machine Learning detects this malware at the first sign of its existence and blocks it before it executes. When Predictive Machine Learning is enabled, Trend Micro products detect this malware under the following machine learning detection name:
- Troj.Win32.TRX.XXPE50FFF035
Step 2
Before running any scan, Windows XP, Windows Vista, Windows 7, and Windows 10 users must disable System Restore so that the malware or grayware can be removed completely from the computer.
Step 3
Not all of the files, folders, registry keys, and registry values listed in these steps are necessarily installed on the computer when this malware or grayware runs; the installation may have been incomplete, or operating system conditions may have prevented it. If a file, folder, or registry item listed in a step is not present, that step is not needed; proceed to the next one.
Step 4
Restart Windows in Safe Mode.
Step 5
Delete these registry values.
Warning: The registry is the database in which Windows stores its configuration; a faulty registry edit can stop the system from working normally.
Edit the registry at your own risk; Trend Micro accepts no liability for problems caused by registry edits.
Read the linked guidance before editing the registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
- Hba = {Hex Bytes}
- Xd6U = {Hex Bytes}
- kwhIT = {Hex Bytes}
- UVeq36 = {Hex Bytes}
- lti6i68 = {Appended File Extension}
- dDXX9zsq = {Hex Bytes}
Step 6
Delete this registry key.
Warning: The registry is the database in which Windows stores its configuration; a faulty registry edit can stop the system from working normally.
Edit the registry at your own risk; Trend Micro accepts no liability for problems caused by registry edits.
Read the linked guidance before editing the registry.
- HKEY_LOCAL_MACHINE\SOFTWARE\Facebook_Assistant
Step 7
Search for and delete this file.
- {Encrypted Directory}\{Appended File Extension}-readme.txt
Step 8
Restart the computer in normal mode and, using an antivirus product with the latest engine and pattern files, scan for files detected as Ransom.Win32.SODINOKIB.SMTH. If the detected files have already been cleaned, quarantined, or deleted by your Trend Micro product, the malware has been handled and no further removal steps are needed.
Step 9
Reset your Desktop properties.
Step 10
Restore encrypted files from backup.
Step 11
Using an antivirus product with the latest engine and pattern files, run a full scan and delete every file detected as Ransom.Win32.SODINOKIB.SMTH. If the detected files have already been cleaned, quarantined, or deleted by your Trend Micro product, the malware has been handled and no further removal steps are needed.