• Email
• Facebook
• Twitter
• Google+
• Linkedin

WORM_KILLAV.AB

---

• マルウェアタイプ: ワーム
• 破壊活動の有無: なし
• 暗号化: なし
• 感染報告の有無: はい

---

  概要

ワームは、リモートサイトから他のマルウェア、グレイウェアまたはスパイウェアにダウンロードされ、コンピュータに侵入します。 ワームは、悪意あるWebサイトからユーザが誤ってダウンロードすることにより、コンピュータに侵入します。

ワームは、レジストリ値を変更し、システムファイルおよび読み取り専用属性のファイルを非表示にします。 ワームは、特定のレジストリ値を追加し、セキュリティ関連のアプリケーションを無効にします。

ワームは、リムーバブルドライブ内に自身のコピーを作成します。作成されたコピーのファイル名として、上記のドライブ上に存在するフォルダ名を使用します。

ワームは、ユーザが特定のWebサイトにアクセスできないように、感染コンピュータのHOSTSファイルを改変します。

---

  詳細

侵入方法

ワームは、リモートサイトから他のマルウェア、グレイウェアまたはスパイウェアにダウンロードされ、コンピュータに侵入します。

ワームは、悪意あるWebサイトからユーザが誤ってダウンロードすることにより、コンピュータに侵入します。

インストール

ワームは、以下のコンポーネントファイルを作成します。

• %Program Files%\Common Files\BOSC.dll - detected as SPYW_SPYMYPC

(註：%Program Files%は、標準設定では "C:\Program Files" です。)

ワームは、以下の無害なファイルを作成します。

• %All Users%\Desktop\Intennet Exploner.lnk
• %All Users%\Desktop\¸Ä±äÄãµÄÒ»Éú.url
• %All Users%\Desktop\ÌÔ±¦¹ºÎïA.url
• %All Users%\Desktop\Ãâ·ÑµçÓ°C.url
• %User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url

(註：%User Profile% フォルダは、Windows 98 および MEの場合、"C:\Windows\Profiles\＜ユーザ名＞"、Windows NTでは、"C:\WINNT\Profiles\＜ユーザ名＞"、Windows 2000, XP, Server 2003の場合は、"C:\Documents and Settings\＜ユーザ名＞" です。)

ワームは、感染したコンピュータ内に以下のように自身のコピーを作成します。

• %System Root%\VSPS\VSPS.exe
• %Startup%\juahwcsweo.exe
• %System%\qdlajbhqqq\explorer.exe
• %System%\mohquqcbsv\smss.exe

(註：%System Root%は、標準設定では "C:" です。また、オペレーティングシステムが存在する場所です。. %System%はWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 98 および MEの場合、"C:\Windows\System"、Windows NT および 2000 の場合、"C:\WinNT\System32"、Windows XP および Server 2003 の場合、"C:\Windows\System32" です。)

ワームは、以下のフォルダを作成します。

• %System%\qdlajbhqqq
• %System Root%\VSPS
• %System%\mohquqcbsv

(註：%System%はWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 98 および MEの場合、"C:\Windows\System"、Windows NT および 2000 の場合、"C:\WinNT\System32"、Windows XP および Server 2003 の場合、"C:\Windows\System32" です。. %System Root%は、標準設定では "C:" です。また、オペレーティングシステムが存在する場所です。)

他のシステム変更

ワームは、インストールの過程で、以下のレジストリ値を追加します。

HKEY_CLASSES_ROOT\exefile
NeverShowExt = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
HideDesktopIcons\NewStartPanel
{871C5380-42A0-1069-A2EA-08002B30309D} = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
ModRiskFileTypes = ".exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\StorageDevicePolicies
WriteProtect = 0

ワームは、インストールの過程で、以下のレジストリキーを追加します。

HKEY_CLASSES_ROOT\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}

ワームは、以下のレジストリ値を変更し、システムファイルおよび読み取り専用属性のファイルを非表示にします。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(註：変更前の上記レジストリ値は、「1」となります。)

ワームは、以下のレジストリ値を追加し、セキュリティ関連のアプリケーションを無効にします。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvDetect.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvfwMcl.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP_1.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvolself.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvReport.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVScan.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVSrvXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVStub.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvupload.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvwsc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvXP_1.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWatch.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWatch9x.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWatchX.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWSMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwstray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWSUpd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
loaddll.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
logogo.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MagicSet.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcconsol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mmqczj.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mmsk.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Navapsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Navapw32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
NAVSetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
niu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32krn.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32kui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
NPFMntor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
pagefile.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
pagefile.pif
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
pfserver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
PFW.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
PFWLiveUpdate.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qheart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QHSET.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQDoctor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQDoctorMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQDoctorRtp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQKav.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCRTP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCSmashFile.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQSC.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qsetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Ras.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rav.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ravcopy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavStub.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RegClean.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwcfg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwmain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwsrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rsaupd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rsnetsvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rstrui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
runiep.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safeboxTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safelive.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
scan32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanFrm.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanU3.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SDGames.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SelfUpdate.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
servet.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
shcfg32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SmartUp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sos.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SREng.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SREngPS.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stormii.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sxgame.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
symlcsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SysSafe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
tmp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TNT.Exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TrojanDetector.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Trojanwall.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TrojDie.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TxoMoU.Exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UFO.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UIHost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safebox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sdrun.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
799d.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
adam.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AgentSvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AntiU.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AoYun.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
appdllman.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AppSvc32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ArSwp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ArSwp2.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ArSwp3.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AST.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
atpup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
auto.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AutoRun.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
autoruns.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
av.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastU3.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avconsol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgrssvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvMonitor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.com
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvU3Launcher.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
CCenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ccSvcHst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
cross.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Discovery.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
DSMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
EGHOST.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FileDsty.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
filmst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FTCleanerShell.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FYFireWall.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ghost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
guangd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
HijackThis.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
IceSword.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
iparmo.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Iparmor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
irsetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
isPwdSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jisu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kabaload.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KaScrScn.SCR
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KASMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KASTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAV32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVDX.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVPF.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVPFW.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVSetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kavstart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kernelwind32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KISLnchr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kissvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KMailMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KMFilter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdave.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KPFW32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KPFW32X.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KPfwSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KRegEx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KRepair.com
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KsLoader.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSWebShield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVCenter.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxAttachment.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxCfg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxFwHlp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxPol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
upiea.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UpLive.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
USBCleaner.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vsstat.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wbapp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
webscanx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
WoptiClean.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Wsyscheck.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
XDelBox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
XP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zhudongfangyu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zjb.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zxsweep.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
~.exe
Debugger = "ntsd -d"

ワームは、以下のレジストリキーを削除します。

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

感染活動

ワームは、リムーバブルドライブ内に自身のコピーを作成します。作成されたコピーのファイル名として、上記のドライブ上に存在するフォルダ名を使用します。

HOSTSファイルの改変

ワームは、ユーザが以下のWebサイトにアクセスできないように、感染コンピュータのHOSTSファイルを改変します。

• iq123.com
• yijidh.com
• 250dh.cn
• 223.la
• kuku123.com
• 930930.com
• 9123.com
• hao123e.com
• 020.com
• youxi777.com
• 1616.net
• 1188.com
• urldh.com
• daohang.la
• pp55.com
• 9605.com
• 05505.cn
• 7055.net
• 0056.com
• 6655.com
• 1166.com
• 5kip.com
• 114xia.com
• 265dh.com
• 3567.com
• 6565.cn
• 666t.com
• 9223.com
• dduu.com
• hao123.cn
• 5snow.com
• 2523.com
• 5599.net
• tt98.com
• zhaodao123.com
• kuhao123.com
• 5151la.net
• 6h.com.cn
• zeibi.com
• 6e8e.com
• th123.com
• 9991.com
• hao123ol.com
• wu123.com
• t220.cn
• ttver.net
• 188HI.com
• go2000.com
• 5igb.com
• bb2000.net
• 9wa.com
• qq5.com
• 365j.com
• 7345.com
• 2760.com
• 361la.com
• haojs.com
• 5zd.com
• i8866.com
• 100wz.com
• 114hi.com
• 234.la
• 657.com
• 339.la
• 365wz.net
• 7792.com
• 9495.com
• dazuimao.com
• 71314.com
• 265.com
• gouwo.com
• huai456.com
• ku256.com
• my180.com
• 2522.cn
• 405.cn
• 44244.com
• 111dh.com
• 115ku.com
• 13387.com
• 163yes.com
• 256s.com
• 2676.com
• 3355.net
• 365lo.com
• 4168.com
• 4545.cn
• 4688.com
• 566.net
• 5666.net
• 5733.com
• 6461.cn
• 7356.com
• 800186.com
• 85851.com
• asp51.com
• 361dh.com
• 5566.net
• yulinweb.com
• 6296.com.cn
• mianfeia.com
• ai1234.com
• k369.com
• msncn.com
• ss256.com
• min513.com
• 88-888.com
• lggg.cn
• 7771.cn
• leeboo.com
• jjol.cn
• 5566.com
• 9166.net
• hao253.com
• 7b.com.cn
• haoei.com
• 77114.com
• 21310.cn
• weiduomei.net
• kk3000.cn
• 7241.cn
• 44384.com
• daohang1234.com
• 131.cc
• 223224.com
• 537.com
• 9348.cn
• bju123.cn
• i4455.com
• jia123.com
• 0666.com.cn
• 553.la
• 5566.org
• 37021.com
• 88488.com
• 99986.net
• 37021.net
• k986.com
• cc62.com
• 5518.cn
• 55620.com
• 52416.com
• 7357.cn
• 8c8c.net
• 9999q.com
• 123shi123.com
• yl234.cn
• 3322.com
• hao222.com
• 6313.com
• f127.com
• 5599cn.cn
• 99499.com
• 2548.cn
• 133.net
• ie30.com
• 8751.com
• se:home
• haidaowan.net
• 160dh.com
• 114115.com
• 1322.cn
• hh361.com
• 2800.cc
• 52daohang.com
• 186.me
• diyidh.com
• zaodezhu.com
• 7832.com
• 3073.com
• 2058.cc
• 3456.cc
• 7771.com
• q6789.com
• 7k.cc
• dianzi88.com
• 7802.com
• xinbut.com
• 59688.com
• gjj.cc
• youla.com
• ok1616.com
• i2345.cn
• gg8000.com
• daohang12345.cn
• inina.cn
• dowei.com
• 1515.net
• 41119.cn
• 21230.cn
• 97youku.com
• fast35.net
• m32.cn
• tom155.cn
• 668yo.com
• online.cq.cn
• shagua.cn
• 007247.cn
• 603467.cn
• 197326.cn
• wwwoj.cn
• xp22.cn
• 84022.cn
• 520593.cn
• 448789.cn
• 141321.cn
• 36gggg.cn
• 427842.cn
• niubihao123.cn
• ovooo.cn
• rtys520.net
• rtxzw.com
• uurenti.cc
• bo.dy288.com
• renti11.com
• 123.cd
• 336655.com
• 9978.net
• 520.com
• 6l.cn
• 420.cn
• v989.com
• 16551.com
• 2tvv.com
• m4455.com
• mylovewebs.com
• 5987.net
• 7999.com
• caipopo.com
• wndhw.com
• henku123.com
• qu123.com
• 94176.com
• u526.com
• haokan123.com
• uusee.net
• 9733.com
• 173com
• qnrwz.com
• 999w.com
• h935.com
• 33250.com
• tz911.net
• 639e.com
• 920xx.cn
• 13393.com
• tncdh.com
• sou185.com
• 3566.cc
• 580so.com
• 2001.cc
• hnhao123.com
• zz5.net.cn
• abc123.name
• ekan123.com
• 1266.cc
• hao123.cc
• 126.cc
• ie1788.com
• 58daohang.com
• 6dh.com
• 991.cn
• 114la.me
• 1133.cc
• ads8.com
• haoz.com
• jsing.net
• 123.sogou.com
• 3321.com
• 1155.cc
• hao123.com
• hao123.net
• 6700.cn
• 168.com
• uu881.com
• 6264.cn
• 606600.com
• 2345.com
• 5607.cn
• 1111116.com
• v7799.com
• ie7.com.cn
• 365t.cc
• 89679.com
• se:blank
• 35029.com
• 8d9a.cn
• 400zm.com
• 58816.com
• 727dh.cn
• hao123w.com
• 114td.com
• 28101.cn
• 03336.cn
• 79001.cn
• 133132.com
• 3434.com.cn
• 828dh.cn
• 64500.cn
• 22q.cc
• jj77.com
• vvyy.net
• ie567.com
• 5d5e.com
• 212dh.cn
• 911g.cn
• 1616.la
• tomatolei.com
• 96nn.com
• 5543.com
• 2288.org
• 3322.org
• 9966.org
• 8800.org
• 8866.org
• 7766.org
• 22409.com
• se-se.info
• 26043.com
• 34414.com
• gaoav1.info
• 0558114.com
• 3333dh.cn
• zjialin.com
• 22dao.com
• soupay.com
• langlangdoor.com
• 99cu.com
• 5555dh.cn
• wang123.net
• hxdlink
• haaoo123.com
• 3645.com
• hao123q.com
• tvsooo.com
• gaituba.com
• 45566.net
• 2298.cn
• iexx.com
• dh115.com
• 97sp.cn
• 39r.cn
• f8f8.cn
• 391kk.cn
• 266.cc
• jysoso.net
• wg510.cn
• 114d.org
• ie3721.com
• 2142.cn
• go2000.cc
• go2000.cn
• 99521.com
• yeooo.com
• haha123.com
• hao.360.cn
• 07707.cn
• yy2000.net
• 1111118.com
• 26281.com
• 960dh.cn
• 300.cc
• 163333333.com.cn
• kz300.cn
• i3525.cn
• 67881.net
• t2t2.net
• mm4000.cn
• 669dh.cn
• k58n.com
• haoha123.com
• ab99.com
• i2255.com
• 054.cc
• fffggqq.cn
• k2345.net
• vv33.com
• tuku6.com
• mmpp654.com
• 228dh.cn
• seibb.com
• 14164.com
• 552dh.cn
• hao969.com
• lalamao.com
• 21225.cn
• 5k5.net
• 65630.cn
• at46.cn
• 98928.cn
• ads.eorezo.com
• 661dh.cn
• 6320.com
• henbianjie.com
• xiushe.com
• 5mqxmq.com
• 989228.com
• i8844.cn
• g1476.cn
• 4j4j.cn
• 1777zzw5.com
• 989228.cn
• henbucuo.com
• 886dh.cn
• 2255.net
• 160yes.com
• u8s.cn
• 16711.com
• 626dh.cn
• rfwow.cn
• baiyici.cn
• lalamao.cn
• 136s.com
• huhuyy.cn
• 8diq.com
• d2fs.cn
• 0229.com
• yy4000.com
• 9934.cn
• 3883.net
• 151dh.com
• 26dh.cn
• kkwwxx.com
• t67.net
• 29dao.cn
• 58ju.com
• dnc8.net
• yl177.com.cn
• xj.cn
• 950990.cn
• 114.com.cn
• xxxip.cn
• 3628.com
• 265.cc
• 26.la
• 5654.com
• zg115.com
• 969dh.cn
• 111555.com.cn
• pic.jinti.com
• kk8000.com
• wokaokao.cn
• duoxxppmmkoo.com
• kanlink.cn
• 91youa.com
• shinia.cn
• pp9pp9.cn
• ma80.com
• 556dh.cn
• bu4.cn
• 8555.com
• e23.la
• flash678.cn
• yy4000.cn
• wo333.com
• mv700.com
• xcwhgx.cn
• 3s11.cn
• sp16888.com
• k7k7.com
• zzw5.com
• okdianying.com
• 789bb.com
• antuoo.com
• so06.com
• 665532.cn
• 7f7f.com
• k261.com
• fanbaidu.org.cn
• iu888.cn
• 977k.com
• 93w.com
• 68566.com.cn
• zhidao163.cn
• it958.cn
• lx8000.cn
• sc.cn
• ucuc.cc
• kkdowns.com
• 189189.com
• 0002.com
• 4737.cn
• 226dh.cn
• bb115.cn
• 06000.cn
• u87.cn
• sohao123.com
• k887.com
• hao602.com
• t7t7.net
• ku4000.cn
• v6677.cn
• hong666.com
• 4000a.com
• kk4000.cn
• 7767.com
• 11227.cn
• u9u9.net
• 28113.cn
• rr55.com
• a4000.cn
• yunfujkw.cn
• 886.com
• 2800.cer.cn
• zyyu.com
• 49la.com
• hi3000.cn
• sogouliulanqi.com
• 888ge.com
• 00333.cn
• 29wz.com
• soso126.com
• 180wan.com
• kan888.com
• 4929.cn
• v2233.com
• m345.cn
• tt265.net
• 18ttt.com
• 153.cc
• 00664.cn
• gugogo.com
• kk4000.com
• 185b.com
• uuent.com
• 6666dh.cn
• 25dao.com
• shangla.com
• 77177.cn
• about:blank
• haoq123.com
• baiduo.org
• lejiu.net
• dianxin.cn
• u7758.com
• dao234.com
• 85692.com
• xiaosb.com
• soso313.cn
• 939dh.com
• 85952.com
• 31346.com
• 71528.com
• 788dh.com
• 91695.com
• 5566x.com
• 131u.com
• 1149.cn
• 9281.net
• my115.net
• 4119.cn
• 9m1.net
• dh818.com
• iehwz.com
• wa200.com
• hao234.cc
• 6781.com
• 652dh.com
• 16811.com
• zhongshu.net
• 992k.com
• 71628.com
• 6701.com
• diyou.net
• iehao123.com
• laidao123.com
• yinfen.net
• wz4321.com
• shangqu.info
• 5121.net
• 668g.com
• 51150.com
• 53ff.com
• dada123.com
• you2000.com
• 884599.cn
• kuaijiong.com
• 398.cn
• 32387.com
• 82vv.com
• 09tao.com
• 977dh.com
• 598.net
• 211dh.com
• 9365.info
• wblive.com
• e722.com
• v232.com
• 7400.net
• 62106.com
• ll4xi.com
• 3932.com
• puZeng.com
• 97199.com
• 447.cc
• 0749.com
• 6656.net
• niebai.com
• 447.com
• uuchina.net
• hao123cn.info
• dao666.com
• 9813.org
• 91kk.com
• freedh.info
• yidaba.com
• 161111111.com
• 009dh.com
• qsxx.cn
• geyuan.net
• 8t8.net
• xorg.pl
• bij.pl
• qqnz.com
• srpkw.com
• gggdu.com
• baiduo.com
• wys99.com
• leilei.cc
• 3633.net
• fjta.com
• so11.cn
• 522dh.com
• 9249.com
• 3110.cn
• 300cc.com
• 7669.cn
• 5c6.com
• 7993.cn
• 8336.cn
• 03m.net
• ou33.com
• bv0.net
• 163333333.cn
• 45575.com
• 2637.cn
• skyhouse.com.cn
• 98453.com
• 65642.net
• 776la.com
• 256.CC
• 114king.cn
• yyyqq.com
• huhu123.com
• gyyx.cn
• 2888.me
• 4444dh.cn
• 191pk.com
• 118.com
• 57xswz.com
• how18.cn
• sohu12333333.com
• xz26.com
• 654v.com
• 280580.cn
• fjgqw.com
• 49558.cn
• pp8000.cn
• 265it.com
• soolaa.com
• 9899.cn
• 18143.com
• haoxyz.com
• 4555.net
• 10du.net
• 528988.com
• wahahaha123.com
• c256.cn
• chinaih.com
• mnv.cn
• 633dh.com
• ncjxx.com
• 51721.net
• 556w.com
• 114cc.net
• 5go.com.cn
• pp4000.com
• 8844.com
• dd335.cn
• qu163.net
• itwenba.cn
• dou2game.cn
• h220.com
• neng123.com
• pleoc.cn
• 6006.cc
• 987654.com
• 39903.com
• ddoowwnn.cn
• 788111.com
• zhidao001.com
• 5hao123.com
• 978.la
• 135968.cn
• bb112.com
• r220.cn
• 365kong.com
• woainame.cn
• okgouwu.cn
• hao006.com
• jipinla.com
• 99467.com
• wawamm.cn
• qian14.cn
• ip27.cn
• 56dh.cn
• 2966.com
• game333.net
• kukuwz.com
• 1-xiu.cn
• 92hao123.com
• lian9.cn
• 222q.cn
• jj98.com
• 73vv.com
• mubanw.com
• t262.com
• x1258.cn
• weishi66.cn
• hao990.com
• 68la.com
• sowang123.cn
• 3929.cn
• 5665.cn
• 81sf.com
• kz123.cn
• qq806.cn
• ffwyt.com

---

  対応方法

ご利用はいかがでしたか？　アンケートにご協力ください