VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating:
Behavior list
Basic Information
MD5: 0b1147a4e504a903f28b6850fc2fafa1
Package name: com.m_lbjnyycm
Minimum operating environment: Android 1.6
Copyright:
Key behavior
Behavior description: Find PE resource information
details: (FindResourceA) hModule = 0x00000000, ResName: , ResType: DLL
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Read the CPU clock directly
details: EAX = 0xf2c7a858, EDX = 0x000000b4
EAX = 0xf2c7a8a4, EDX = 0x000000b4
EAX = 0xf2c7a8f0, EDX = 0x000000b4
EAX = 0xf2c7a93c, EDX = 0x000000b4
EAX = 0xf82da7e8, EDX = 0x000000b4
EAX = 0xf82da834, EDX = 0x000000b4
Behavior description: Attempt to open the driver device objects of debuggers or monitoring software
details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Get TickCount value
details: TickCount = 234175, SleepMilliseconds = 300.
TickCount = 234534, SleepMilliseconds = 50.
TickCount = 234628, SleepMilliseconds = 50.
TickCount = 234643, SleepMilliseconds = 50.
TickCount = 237565, SleepMilliseconds = 50.
TickCount = 237596, SleepMilliseconds = 50.
TickCount = 237721, SleepMilliseconds = 50.
TickCount = 240628, SleepMilliseconds = 50.
TickCount = 240659, SleepMilliseconds = 50.
TickCount = 240753, SleepMilliseconds = 50.
TickCount = 244221, SleepMilliseconds = 50.
TickCount = 244237, SleepMilliseconds = 50.
TickCount = 244300, SleepMilliseconds = 50.
TickCount = 244315, SleepMilliseconds = 50.
TickCount = 244409, SleepMilliseconds = 50.
Process behavior
Behavior description: Create local thread
details: TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 2520, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 2944, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 2948, StartAddress = 00426B8D, Parameter = 023708D0
TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 2988, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 2992, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 3008, StartAddress = 00426B8D, Parameter = 023A4CB8
TargetProcess: 热血江湖.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 3012, StartAddress = 00426B8D, Parameter = 023A4F38
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\rxjhBK.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\rxjh[1].inf
C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\rxjhBK.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat
Behavior description: Find file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\aspr_keys.ini
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Client.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Client\Client.exe
FileName =
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\Administrator\桌面\*.lnk
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxjh.inf
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\InfBack\f1a8e676.dat
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\rxjh[1].inf
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\rxjhBK.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat ---> Offset = 0
Behavior description: Modify newly created executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat
Network behavior
Behavior description: Download file
details: URLDownloadToFileW: http://ww****cn/rxjh.inf ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxjh.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
Behavior description: Establish a connection to a specified socket
details: URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000390
IP: **.168.1.**:1300, SOCKET = 0x000003b4
Behavior description: Read network file
details: hFile = 0x00cc000c, BytesToRead = 2048, BytesRead = 2048.
Behavior description: Send HTTP packet
details: GET /rxjh.inf HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****cn Connection: Keep-Alive
Behavior description: Open HTTP request
details: HttpOpenRequestA: ww****cn:80/rxjh.inf, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
Behavior description: Resolve host address by name
details: GetAddrInfoW: ww****cn
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: rxjh bake ice Launcher
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Local\c:!documents and settings!administrator!ietldcache!
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.ANJ
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceiveConection.Event.ANJ.IC
EventName = MSCTF.SendReceive.Event.ANJ.IC
Behavior description: Window information
details: Pid = 2508, Hwnd=0x20402, Text = [回忆江湖] 0ms, ClassName = Button.
Pid = 2508, Hwnd=0x10404, Text = 东岳, ClassName = Button.
Pid = 2508, Hwnd=0x10406, Text = 无极, ClassName = Button.
Pid = 2508, Hwnd=0x10408, Text = 浩天, ClassName = Button.
Pid = 2508, Hwnd=0x1040a, Text = 南林, ClassName = Button.
Pid = 2508, Hwnd=0x1040c, Text = 天籁, ClassName = Button.
Pid = 2508, Hwnd=0x1040e, Text = 北越, ClassName = Button.
Pid = 2508, Hwnd=0x10410, Text = 京师, ClassName = Button.
Pid = 2508, Hwnd=0x10412, Text = SV_9, ClassName = Button.
Pid = 2508, Hwnd=0x10414, Text = SV_10, ClassName = Button.
Pid = 2508, Hwnd=0x10416, Text = Copyright@2007 bake ice game atelier, ClassName = Static.
Pid = 2508, Hwnd=0x10418, Text = 请选择一个游戏分区, ClassName = Static.
Pid = 2508, Hwnd=0x1041a, Text = 最新版本:, ClassName = Static.
Pid = 2508, Hwnd=0x1041c, Text = 当前版本:, ClassName = Static.
Pid = 2508, Hwnd=0x1042a, Text = 更新登陆器 ◆ , ClassName = Button.
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\c:!documents and settings!administrator!ietldcache!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Attempt to open the driver device objects of debuggers or monitoring software
details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Get TickCount value
details: TickCount = 234175, SleepMilliseconds = 300.
TickCount = 234534, SleepMilliseconds = 50.
TickCount = 234628, SleepMilliseconds = 50.
TickCount = 234643, SleepMilliseconds = 50.
TickCount = 237565, SleepMilliseconds = 50.
TickCount = 237596, SleepMilliseconds = 50.
TickCount = 237721, SleepMilliseconds = 50.
TickCount = 240628, SleepMilliseconds = 50.
TickCount = 240659, SleepMilliseconds = 50.
TickCount = 240753, SleepMilliseconds = 50.
TickCount = 244221, SleepMilliseconds = 50.
TickCount = 244237, SleepMilliseconds = 50.
TickCount = 244300, SleepMilliseconds = 50.
TickCount = 244315, SleepMilliseconds = 50.
TickCount = 244409, SleepMilliseconds = 50.
Behavior description: Search for the kernel32.dll base address
details: Instruction Address = 0x004fa74f
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Behavior description: Find PE resource information
details: (FindResourceA) hModule = 0x00000000, ResName: , ResType: DLL
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\rxjhBK.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat(签名验证: 未通过)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 300.
[2]: MilliSeconds = 300.
[3]: MilliSeconds = 50.
Behavior description: Hide specified window
details: [Window,Class] = [,Shell Embedding]
[Window,Class] = [,tooltips_class32]
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 300.
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\rxjhBK.dll ---> a2e50644d2f2b8a3e988b427386b1ad4
C:\Documents and Settings\Administrator\Local Settings\Temp\rxjh.dat ---> fe1d0ee5901dd167ee9b28eece31786c
Behavior description: Read the CPU clock directly
details: EAX = 0xf2c7a858, EDX = 0x000000b4
EAX = 0xf2c7a8a4, EDX = 0x000000b4
EAX = 0xf2c7a8f0, EDX = 0x000000b4
EAX = 0xf2c7a93c, EDX = 0x000000b4
EAX = 0xf82da7e8, EDX = 0x000000b4
EAX = 0xf82da834, EDX = 0x000000b4
Behavior description: Load newly dropped file
details: Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\rxjhBK.dll.
Activities
Activity name    Type
.SortActivity2    android.intent.action.MAIN
.SearchActivity    android.intent.action.MAIN
.ManagerActivity    android.intent.action.MAIN
.GameInfo    android.intent.action.MAIN
.TableClass    android.intent.action.MAIN
DevelopmentSettings    com.android.settings.APPLICATION_DEVELOPMENT_SETTINGS
.image.ImageTestActivity    android.intent.action.MAIN
.image.ImageTestActivity    android.intent.category.LAUNCHER
Dangerous function
Function name    Information
HttpClient;->execute    Requests a remote server
DefaultHttpClient;->execute    Sends an HTTP request
android/app/NotificationManager;->notify    Posts a notification to the notification bar
getRuntime    Obtains the command-line runtime environment
java/lang/Runtime;->exec    Executes a string command
java/net/URL;->openConnection    Connects to a URL
TelephonyManager;->getDeviceId    Collects the user's IMEI, phone number, system version and other device information
TelephonyManager;->getSimSerialNumber    Gets the SIM serial number
TelephonyManager;->getLine1Number    Gets the phone number
java/net/HttpURLConnection;->connect    Connects to a URL
Startup mode
Name    Information
com.m_lbjnyycm.GameBootReceiver    Starts the service at boot
Permission list
Permission name    Information
android.permission.SET_WALLPAPER    Set the desktop wallpaper
android.permission.READ_PHONE_STATE    Read phone state
android.permission.READ_LOGS    Read system logs
android.permission.DELETE_CACHE_FILES    Delete cache files
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.ACCESS_NETWORK_STATE    Read network state (2G or 3G)
android.permission.INTERNET    Connect to the network (2G or 3G)
android.permission.WRITE_EXTERNAL_STORAGE    Write to external storage (e.g. SD card)
com.android.launcher.permission.INSTALL_SHORTCUT    Create shortcuts
com.android.launcher.permission.UNINSTALL_SHORTCUT    Delete shortcuts
android.permission.RECEIVE_BOOT_COMPLETED    Receive the boot-completed broadcast
Service list
Name
com.m_lbjnyycm.GameService
File List
File name    Check code
META-INF/MANIFEST.MF 0x50da22d
META-INF/PICSHOW1.SF 0x574d8300
META-INF/PICSHOW1.RSA 0x6ae59972
res/anim/loading.xml 0xdd2924d4
res/layout/ad_layout.xml 0x3432a87b
res/layout/adgrid_item.xml 0xdf7ee10b
res/layout/game_alert_dialog.xml 0x685dec57
res/layout/game_info.xml 0x4cd29fd8
res/layout/game_info_listitem.xml 0x7a2f8c45
res/layout/home.xml 0x54d14a24
res/layout/home_griditem.xml 0x53fdc8b4
res/layout/image_gallery.xml 0x2915bd0b
res/layout/image_gallery_item.xml 0xe52dc49c
res/layout/manager.xml 0x338e5a1
res/layout/manager_downfinish_listitem.xml 0x2de91a95
res/layout/manager_downloading_listitem.xml 0xff1100f9
res/layout/manager_tab.xml 0x59f909f3
res/layout/search.xml 0xf4b94e66
res/layout/search_keyword.xml 0xf73c0a1d
res/layout/search_listitem.xml 0x10addecc
res/layout/sort1_class_griditem.xml 0xa7f66fae
res/layout/sort1_pop_griditem.xml 0xe0cdbb84
res/layout/sort2.xml 0xa7087394
res/layout/sort_app_listitem.xml 0xef16ee1
res/layout/tab.xml 0x4ba60900
res/layout/tableclass.xml 0x268cad9b
res/layout/tableclass_griditem.xml 0xb874669a
res/layout/test_view.xml 0x8153207d
res/layout/web.xml 0xcaa993c9
AndroidManifest.xml 0x1979bc73
resources.arsc 0x751f8ff5
res/drawable-hdpi/back.png 0x6083b1b8
res/drawable-hdpi/background.png 0x37a195f8
res/drawable-hdpi/button_install_all.png 0xa2fba885
res/drawable-hdpi/def_app.9.png 0x1249b3b
res/drawable-hdpi/folder.png 0xe75a6c61
res/drawable-hdpi/home_btn_bg.xml 0x10bb710
res/drawable-hdpi/home_btn_bg_d.png 0x4a53b740
res/drawable-hdpi/home_btn_bg_n.png 0x89855024
res/drawable-hdpi/home_btn_bg_s.png 0x28bc2b22
res/drawable-hdpi/image_icon.png 0xfd9411bd
res/drawable-hdpi/index_normal.png 0xd82d7415
res/drawable-hdpi/logo.jpg 0x87c20a35
res/drawable-hdpi/maintab_toolbar_bg.png 0x7dc472b4
res/drawable-hdpi/manage_normal.png 0x52af3235
res/drawable-hdpi/manager_tab_item.xml 0x97f56b60
res/drawable-hdpi/new_normal.png 0x4121f3ce
res/drawable-hdpi/new_selected.png 0x7a73ab46
res/drawable-hdpi/progress.xml 0x9ab0beb1
res/drawable-hdpi/refurbish.png 0xd57e18cb
res/drawable-hdpi/search_btn.png 0xf85586d0
res/drawable-hdpi/search_normal.png 0x4d061284
res/drawable-hdpi/sort_normal.png 0x4a28dc5b
res/drawable-hdpi/sort_tab_item.xml 0x922e8c89
res/drawable-hdpi/title_backgroud.png 0xef995e98
res/drawable-hdpi/warning.png 0xf67a3c81
res/drawable-ldpi/folder.png 0x411083e3
res/drawable-mdpi/folder.png 0x411083e3
classes.dex 0x4019fbdb