キヤノンITソリューションズ：ESET Smart Security & ESET NOD32アンチウイルス：Win32/Delf.NRC


最新ウイルス定義ファイルバージョン : 12381 (2015/10/09 17:02)

最新ウイルス情報 : Win32/Delf.NRC	公開日：2011年6月7日
このウイルスに関する危険度 :■■■□□

定義名称	Win32/Delf.NRC
シグネチャ検査による結果だった場合	Win32/Delf.NRC
別名	Worm.Win32.AutoRun.hre（Kaspersky）、Trojan.KillAV（Symantec）、Trojan:Win32/Startpage.RH（Microsoft）
種別	ワーム
アドバンスドヒューリスティック検査による結果だった場合	このオリジナルのトロイを利用した新種、亜種が検出された場合は、「NewHeur_PE」もしくは「Win32/Delf.NRC ワームの亜種」という名称で警告が出ます。
対応時期	バージョン6042（20110414）以降
影響を受けるプラットフォーム	Microsoft Windows
概要	このワームは、特定のフォルダに自身をコピーして感染を広げます。詳しい活動内容については、解説欄をご参照ください。

検出した場合の対処方法

常駐監視を行っている各検査プログラムによって検出された場合は、駆除もしくは削除を行ってください。駆除もしくは削除ができない場合は、Windowsのシステムの復元により修復しなければならない可能性があります。

対象のファイルが身に覚えのないファイル名の場合は、そのファイル自身がウイルスそのものである可能性が高いので、駆除ではなくすべて削除をしてください。これにより2次感染、3次感染を防げます。また、自分が作成したデータ等に感染していた場合は、駆除が可能な場合もありますが、駆除のボタンが押せない状態もしくは駆除しても失敗する場合は、すでに元のデータの戻せない状態までデータが書き換えられている場合もあります。この場合もすべて削除してください。

解説での表記（用語）について

以下の説明文では、Windowsオペレーティングシステムがインストールされたディレクトリを%windir%と表記しており、インストール時の設定により異なる場合があります。%windir%のサブディレクトリである"System"や"System32"は%system%と表記しています。
%programfilescommon%は、全ユーザー用のプログラムファイルディレクトリを表記しています。
%favorites%は、"お気に入り"格納ディレクトリを表記しています。
%desktopdirectory%は、デスクトップディレクトリを表記しています。
%commondesktopdirectory%は、全ユーザー用のデスクトップディレクトリを表記しています。
%startup%は、スタートアッププログラム用ディレクトリを表記しています。
%commonstartup%は、全ユーザー用のスタートアッププログラム用ディレクトリを表記しています。
%SystemRoot%は、オペレーティングシステムがインストールされたディレクトリを表記しています。
%drive%には、任意のドライブ名が入ります。
%startmenu%は、スタートメニューディレクトリを表記しています。
%commonstartmenu%は、全ユーザー用のスタートメニューディレクトリを表記しています。

解説

■侵入（インストレーション）について
このワームは、実行時に次のフォルダを作成します。

C:\EEQQ\
%system%\fwnbsnqiuj\
%system%\icnbxbadhx\

次のファイルを作成します。

C:\EEQQ\EEQ.exe
C:\EEQQ\QQE.exe
%system%\icnbxbadhx\explorer.exe
%system%\fwnbsnqiuj\smss.exe
%programfilescommon%\ocsoss.dll
%favorites%\%filename%.url
%commondesktopdirectory%\Intennet Exploner.lnk
%commondesktopdirectory%\%filename%・.url
%commondesktopdirectory%\%filename%.url
%commondesktopdirectory%\%filename%.url
%commonstartup%\%variable%.lnk

%filename%は中国語で記述された文字列です。

次の名前のライブラリが実行中のすべてのプロセスにインジェクトされます。

%programfilescommon%\ocsoss.dll

システムが起動するたびに実行されるよう、次のレジストリエントリを登録します。

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"icnbxbadhx" = "%system%\icnbxbadhx\smss.exe"
"fwnbsnqiuj" = "%system%\fwnbsnqiuj\explorer.exe"

次のレジストリを登録します。

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravcopy.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanU3.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvU3Launcher.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCMgr.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCRTP.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zjb.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atpup.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSMain.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DSMain.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwstray.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsd.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp2.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp3.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsdave.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSUpd.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sdrun.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XDelBox.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsdtray.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\799d.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stormii.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmp.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jisu.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filmst.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qheart.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qsetup.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sxgame.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbapp.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfserver.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCSmashFile.exe]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger" = "ntsd -d"
[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"ModRiskFileTypes" = ".exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StorageDevicePolicies]
"WriteProtect" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}]
"InfoTip" = "@shdoclc.dll,-881"
"LocalizedString" = "@shdoclc.dll,-880"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command]
"(Default)" = "iexplore.exe
http://www.sfc006.com/?Activex"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\-(-+(&R)\Command]
"(default)" = "rundll32.exe shell32.dll,Control_RunDLL
inetcpl.cpl,,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage]
"(Default)" = "|=+￢+?-|(&H)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage]
"MUIVerb" = "@shdoclc.dll,-10241"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\Shellex\ContextMenuHandlers\ieframe]
"(Default)" = "{871C5380-42A0-1069-A2EA-08002B30309D}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\ShellFolder]
"Attributes" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell]
"OpenHomePage" = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InProcServer32]
"(Default)" = "%SystemRoot%\system32\shdocvw.dll"
"ThreadingModel" = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\DefaultIcon]
"(Default)" = "shdoclc.dll,-190"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InfoTip]
"(Default)" = "@shdoclc.dll,-881"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\LocalizedString]
"(Default)" = "@shdoclc.dll,-880"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InProcServer32]

次のレジストリを削除します。

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SD360]
[HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\SD360]
[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SD360]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Safe360Ext]
[HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\Safe360Ext]
[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Safe360Ext]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RisingRavExt]
[HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\RisingRavExt]
[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\RisingRavExt]

■感染について
このワームは、ローカルまたはリモートドライブのルートフォルダに自身をコピーします。さらに、リムーバブルドライブのルートフォルダにも自身をコピーします。

その際、次のファイル名を使用します。

%drive%\My Documamts.exe

また、ローカルドライブでフォルダを探します。

対象のフォルダを見つけると、自身のコピーを新たに作成します。

名前に次の文字列のいずれかが含まれているフォルダは避けます。

Windows
Program files
Documents and Settigns
System Volume Information

新たに作成されるファイルの名前には、検出されたフォルダの名前が利用されます。

ファイルの拡張子は".exe"になります。

■その他の情報
このワームは、次のファイルを削除する場合があります。

%startup%\*.vbe
%startup%\*.jse
%startup%\*.bat
%startup%\*.url
%startup%\*.exe
%startup%\*.scr
%startup%\*.com
%startup%\*.pif
%startup%\*.htm
%startup%\*.html
%startup%\*.lnk
%commonstartup%\*.vbe
%commonstartup%\*.jse
%commonstartup%\*.bat
%commonstartup%\*.url
%commonstartup%\*.exe
%commonstartup%\*.scr
%commonstartup%\*.com
%commonstartup%\*.pif
%commonstartup%\*.htm
%commonstartup%\*.html
%commonstartup%\*.lnk
%system%\drivers\etc\hosts
C:\RECYCLER\winlogon.exe
%system%\RavExt.dll
%system%\bsmain.exe
%commondesktopdirectory%\360*.lnk
%desktopdirectory%\360*.lnk
%desktopdirectory%\QQS*.lnk
%startmenu%\QQS*.lnk
%commonstartmenu%\360*.lnk
%desktopdirectory%\*.url
%commondesktopdirectory%\*.lnk
%commondesktopdirectory%\360*.lnk

次のファイルを作成する場合があります。

C:\%variable%.txt
C:\%variable%.jpg
C:\%variable%.bmp
C:\%variable%.gif
C:\%variable%.doc

%variable%には可変の文字列が入ります。

次のプログラムを終了させます。

netsh.exe
conime.exe
regedit.exe
wscript.exe
regsvr32.exe
rundll32.exe
wmiprvse.exe
ipconfig.exe

次のシステムドライバをインストールする場合があります（パス、名前）。

%system%\drivers\kpscc.sys

次のレジストリを設定する場合があります。

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DMusic]
ImagePath="%system%\drivers\kpscc.sys"

次の命令を実行する場合があります。

explorer.exe http://www.sfc008.com/?TJ-%variable%
explorer.exe
http://www.sfc008.com/index.html?TJ-%variable%

次のアプリケーションの動作に影響を及ぼします。

Tencent QQ
Xunlei Thunder

システム上で自身の存在を隠そうとする場合があります。

次のWindows APIをフックして、入力データやメッセージを横取りします。

NtQuerySystemInformation (ntdll.dll)