VirSCAN

File information
Safety rating:72
Behavior list
Basic Information
MD5:1e1faba1da79bf9dca9674094f98b2e0
file type:EXE
Production company:Microsoft Corporation
version:5.1.2600.2180---5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Shell or compiler information:
Key behavior
Behavior description:Create file mapping with write access
details:MagnifyShared
CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MFF..HFJGH
MSCTF.MarshalInterface.FileMap.MFF.B.GIJGH
MSCTF.MarshalInterface.FileMap.MFF.C.GIJGH
MSCTF.MarshalInterface.FileMap.MFF.D.GIJGH
MSCTF.MarshalInterface.FileMap.MFF.E.GJJGH
MSCTF.MarshalInterface.FileMap.MFF.F.GJJGH
MSCTF.MarshalInterface.FileMap.MFF.G.GJJGH
MSCTF.Shared.SFM.MFF
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Behavior description:Modify existing system EXE files
details:C:\Program Files\Outlook Express\msimn.exe---> Offset = 131072
C:\Program Files\Windows Media Player\wmplayer.exe---> Offset = 196608
C:\Program Files\WinRAR\WinRAR.exe---> Offset = 262144
C:\WINDOWS\system32\eudcedit.exe---> Offset = 262144
C:\WINDOWS\system32\mobsync.exe---> Offset = 262144
C:\WINDOWS\system32\cmd.exe---> Offset = 262144
C:\WINDOWS\system32\notepad.exe---> Offset = 196608
C:\WINDOWS\system32\osk.exe---> Offset = 262144
C:\WINDOWS\system32\magnify.exe---> Offset = 196608
C:\WINDOWS\system32\utilman.exe---> Offset = 131072
C:\Program Files\Outlook Express\wab.exe---> Offset = 131072
Behavior description:Hide specified window
details:[Window,Class] = [,ComboLBox]
Behavior description:Write data into another process
details:C:\WINDOWS\system32\taskmgr.exe
Behavior description:Block window close message
details:hWnd = 0x000202b0, Text = Magnifier, ClassName = #32770.
hWnd = 0x000202b4, Text = Magnifier Settings, ClassName = #32770.
Process behavior
Behavior description:Write data into another process
details:C:\WINDOWS\system32\taskmgr.exe
Behavior description:Enumerate processes
details:N/A
File behavior
Behavior description:Create file mapping with write access
details:MagnifyShared
CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MFF..HFJGH
MSCTF.MarshalInterface.FileMap.MFF.B.GIJGH
MSCTF.MarshalInterface.FileMap.MFF.C.GIJGH
MSCTF.MarshalInterface.FileMap.MFF.D.GIJGH
MSCTF.MarshalInterface.FileMap.MFF.E.GJJGH
MSCTF.MarshalInterface.FileMap.MFF.F.GJJGH
MSCTF.MarshalInterface.FileMap.MFF.G.GJJGH
MSCTF.Shared.SFM.MFF
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Behavior description:Modify existing system EXE files
details:C:\Program Files\Outlook Express\msimn.exe---> Offset = 131072
C:\Program Files\Windows Media Player\wmplayer.exe---> Offset = 196608
C:\Program Files\WinRAR\WinRAR.exe---> Offset = 262144
C:\WINDOWS\system32\eudcedit.exe---> Offset = 262144
C:\WINDOWS\system32\mobsync.exe---> Offset = 262144
C:\WINDOWS\system32\cmd.exe---> Offset = 262144
C:\WINDOWS\system32\notepad.exe---> Offset = 196608
C:\WINDOWS\system32\osk.exe---> Offset = 262144
C:\WINDOWS\system32\magnify.exe---> Offset = 196608
C:\WINDOWS\system32\utilman.exe---> Offset = 131072
C:\Program Files\Outlook Express\wab.exe---> Offset = 131072
Behavior description:Create executable file
details:C:\Program Files\Outlook Express\msimn.ivr
C:\Program Files\Windows Media Player\wmplayer.ivr
C:\Program Files\WinRAR\WinRAR.ivr
C:\WINDOWS\system32\eudcedit.ivr
C:\WINDOWS\system32\mobsync.ivr
C:\WINDOWS\system32\cmd.ivr
C:\WINDOWS\system32\notepad.ivr
C:\WINDOWS\system32\osk.ivr
C:\WINDOWS\system32\magnify.ivr
C:\WINDOWS\system32\utilman.ivr
C:\Program Files\Outlook Express\wab.ivr
Behavior description:Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\wsr9zt32.dll---> Offset = 0
Behavior description:Search for files
details:FileName = C:\Documents and Settings\Administrator\桌面\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\desktop.ini\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Internet Explorer.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\Microsoft Office 2007 控制中心.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\Microsoft Office Excel 2007.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\Microsoft Office PowerPoint 2007.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\Microsoft Office Word 2007.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\Microsoft Office 文档关联中心.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\Microsoft Office 语言设置.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Office\VBA项目数字证书.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Uninstall.lnk\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Website.lnk\*
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\AppBar
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\StationaryTrackText
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\StationaryTrackSecondaryFocus
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\StationaryTrackCursor
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\StationaryTrackFocus
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\StationaryInvertColors
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0ModifiersToggleMouseTracking
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0VirtKeyToggleMouseTracking
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0ModifiersToggleInvertColors
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0VirtKeyToggleInvertColors
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0ModifiersCopyToClipboard
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0VirtKeyCopyToClipboard
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0ModifiersCopyToClipboard2
\REGISTRY\USER\S-*\Software\Microsoft\Magnify\HotKeyVer0VirtKeyCopyToClipboard2
Other behavior
Behavior description:Create mutex
details:MagnifyMutex
kkq-vx_mtx1
kkq-vx_mtx9
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
oleacc-msaa-loaded
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MFF
Behavior description:Hide specified window
details:[Window,Class] = [,ComboLBox]
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [TabWindowClass,]
NtUserFindWindowEx: [Class,Window] = [msctls_statusbar32,]
Behavior description:Acquire system privilege
details:SE_TAKE_OWNERSHIP_PRIVILEGE
Behavior description:Get TickCount value
details:TickCount = 484751, SleepMilliseconds = 1.
TickCount = 484766, SleepMilliseconds = 1.
TickCount = 484782, SleepMilliseconds = 1.
TickCount = 484954, SleepMilliseconds = 1.
TickCount = 484969, SleepMilliseconds = 1.
TickCount = 484985, SleepMilliseconds = 1.
TickCount = 485001, SleepMilliseconds = 1.
TickCount = 485016, SleepMilliseconds = 1.
TickCount = 485079, SleepMilliseconds = 1.
TickCount = 485235, SleepMilliseconds = 1.
TickCount = 485376, SleepMilliseconds = 1.
TickCount = 485719, SleepMilliseconds = 1.
TickCount = 485766, SleepMilliseconds = 1.
TickCount = 485782, SleepMilliseconds = 1.
TickCount = 485797, SleepMilliseconds = 1.
Behavior description:Get cursor position
details:CursorPos = (106,18467), SleepMilliseconds = 1.
Behavior description:Block window close message
details:hWnd = 0x000202b0, Text = Magnifier, ClassName = #32770.
hWnd = 0x000202b4, Text = Magnifier Settings, ClassName = #32770.
Behavior description:Window information
details:Pid = 416, Hwnd=0x202b0, Text = Magnifier, ClassName = #32770.
Pid = 416, Hwnd=0x702c0, Text = OK, ClassName = Button.
Pid = 416, Hwnd=0x502ce, Text = Magnifier is intended to provide a minimum level of functionality for users with slight visual impairments. Most users with visua, ClassName = Static.
Pid = 416, Hwnd=0x302b6, Text = Do not show this message again, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202d0, Text = <A HREF="http://www.microsoft.com/isapi/redir.dll?prd=accessibility&ar=enable" TITLE="http://www.microsoft.com/" TARGET="_new">Mi, ClassName = Link Window.
Pid = 416, Hwnd=0x202d2, Text = For a list of Windows-based magnification utilities, see, ClassName = Static.
Pid = 416, Hwnd=0x202ac, Text = Microsoft Magnifier, ClassName = #32770.
Pid = 416, Hwnd=0x202b2, Text = Magnification &level:, ClassName = Static.
Pid = 416, Hwnd=0x302ba, Text = 2, ClassName = ComboBox.
Pid = 416, Hwnd=0x202d4, Text = Follow &mouse cursor, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x302dc, Text = Follow &keyboard focus, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202d6, Text = Follow &text editing, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202d8, Text = &Invert colors, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202c2, Text = &Start Minimized, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202c4, Text = Sh&ow Magnifier, ClassName = Button(CheckBox).
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 7200000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 120000.
[4]: MilliSeconds = 7200000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 7200000.
[7]: MilliSeconds = 120000.
[8]: MilliSeconds = 7200000.
[9]: MilliSeconds = 7200000.
[10]: MilliSeconds = 120000.