VirSCAN
File information
Safety rating: 37
Behavior list
Basic information
MD5: 249f3870e52968112db65564e022fd45
File type: EXE
Vendor: (none)
Version: (none)
Packer/compiler information: COMPILER: Borland Delphi 6.0 - 7.0
Key behavior
Behavior description: probes for the presence of Virtual PC
details: N/A
Behavior description: modifies registry: image hijack (Image File Execution Options Debugger value)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgaurd.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger
Behavior description: writes data into another process
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdf008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 139264
TargetProcess = iexplore.exe, WriteAddress = 0x7ffde008, Size = 4
TargetProcess = iexplore.exe, WriteAddress = 0x00400000, Size = 139264
Behavior description: loads a driver (normal method)
details: \??\C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
\??\C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
Behavior description: compares process names against a suspicious-process list
details: lstrcmpiA: [System Process] <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: System <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: smss.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: csrss.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: winlogon.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: services.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: lsass.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33oxService.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33acthlp.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: svchost.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: spoolsv.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33UpgradeHelper.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: alg.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: explorer.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33oxTray.exe <------> 360Safe.exe (360 Safeguard)
Behavior description: sets thread context
details: C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: reads TickCount
details: TickCount = 485362, SleepMilliseconds = 300.
TickCount = 485612, SleepMilliseconds = 300.
TickCount = 485643, SleepMilliseconds = 300.
TickCount = 485659, SleepMilliseconds = 300.
TickCount = 485675, SleepMilliseconds = 300.
TickCount = 485690, SleepMilliseconds = 300.
TickCount = 485706, SleepMilliseconds = 300.
TickCount = 485721, SleepMilliseconds = 300.
TickCount = 485753, SleepMilliseconds = 300.
TickCount = 485768, SleepMilliseconds = 300.
TickCount = 485784, SleepMilliseconds = 300.
TickCount = 485940, SleepMilliseconds = 300.
TickCount = 487003, SleepMilliseconds = 300.
Behavior description: self-deletion
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446461420.857698.exe
Behavior description: sets special file attributes
details: C:\Program Files\Common Files\SafeDrvse1.exe
C:\SafeDrvse1.exe
C:\DiskD\SafeDrvse1.exe
C:\DiskX\SafeDrvse1.exe
Behavior description: modifies registry: Windows Firewall authorized-applications list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Common Files\SafeDrvse1.exe
Behavior description: creates an AutoRun file in a drive root
details: C:\AutoRun.inf
C:\DiskD\AutoRun.inf
C:\DiskX\AutoRun.inf
Behavior description: sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: creates system services
details: [service created]: bvpvr, C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
[service created]: cspwv, C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
Behavior description: modifies registry: startup entry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\SafeDrvse1
Process behavior
Behavior description: creates a process with a hidden window
details: ImagePath = , CmdLine = c:\windows\system32\svchost.exe
ImagePath = , CmdLine = c:\program files\internet explorer\iexplore.exe -down
Behavior description: creates a process
details: ImagePath = C:\WINDOWS\System32\Rundll32.exe, CmdLine = C:\WINDOWS\System32\Rundll32.exe
ImagePath = C:\WINDOWS\System32\Svchost.exe, CmdLine = C:\WINDOWS\System32\Svchost.exe
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c erase /F "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446461420.126103.exe" > nul
ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Down
Behavior description: creates a process from a newly created file
details: ImagePath = C:\Documents and Settings\Administrator\SafeDrvse1.exe, CmdLine = "C:\Documents and Settings\Administrator\SafeDrvse1.exe"
ImagePath = C:\Program Files\Common Files\SafeDrvse1.exe, CmdLine = "C:\Program Files\Common Files\SafeDrvse1.exe" -One
Behavior description: writes data into another process
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdf008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 139264
TargetProcess = iexplore.exe, WriteAddress = 0x7ffde008, Size = 4
TargetProcess = iexplore.exe, WriteAddress = 0x00400000, Size = 139264
Behavior description: sets thread context
details: C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: enumerates processes
details: N/A
Behavior description: creates a local thread
details: N/A
Behavior description: process exits
details: N/A
File behavior
Behavior description: creates files
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe
C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
C:\Program Files\Common Files\SafeDrvse1.exe
C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
C:\SafeDrvse1.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cxats.tmp
C:\DiskD\SafeDrvse1.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\khjwm.tmp
C:\DiskX\SafeDrvse1.exe
Behavior description: creates executable files
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe
C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
C:\Program Files\Common Files\SafeDrvse1.exe
C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
C:\SafeDrvse1.exe
C:\DiskD\SafeDrvse1.exe
C:\DiskX\SafeDrvse1.exe
Behavior description: deletes files
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe
C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cxats.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\khjwm.tmp
Behavior description: searches for files
details: FileName = C:\WINDOWS\System32\dllcache\explorer.exe
FileName = C:\WINDOWS\ServicePackFiles\i386\explorer.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446461420.798049.exe
FileName = C:\Program Files\Common Files\SafeDrvse1.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\System32
FileName = C:\WINDOWS\System32\Svchost.exe
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\svchost.exe
FileName =
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Behavior description: sets special file attributes
details: C:\Program Files\Common Files\SafeDrvse1.exe
C:\SafeDrvse1.exe
C:\DiskD\SafeDrvse1.exe
C:\DiskX\SafeDrvse1.exe
Behavior description: creates an AutoRun file in a drive root
details: C:\AutoRun.inf
C:\DiskD\AutoRun.inf
C:\DiskX\AutoRun.inf
Behavior description: sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: modifies file contents
details: C:\AutoRun.inf ---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cxats.tmp---> Offset = 0
C:\DiskD\AutoRun.inf---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\khjwm.tmp---> Offset = 0
C:\DiskX\AutoRun.inf---> Offset = 0
Behavior description: self-deletion
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446461420.857698.exe
Behavior description: modifies a newly created executable
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe ---> Offset = 45057
Network behavior
Behavior description: connects to a specified host
details: InternetConnectA: ServerName = 98.126.10.46, PORT = 80
Behavior description: opens a URL
details: InternetOpenUrlA: http://98.126.208.84/se1.txt hInternet = 0x00000158
InternetOpenUrlA: http://x.ring3.info/shell.asp?id=CC1E550C03&mac=00-00-00-00-00-00&os=Windows+XP&ver=20101003 hInternet = 0x00000158
Behavior description: opens an HTTP request
details: HttpOpenRequestA: 98.126.10.46:80/cpa/count.asp, hConnect = 0x000006a0
Registry behavior
Behavior description: modifies registry: image hijack (Image File Execution Options Debugger value)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgaurd.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger
Behavior description: modifies registry: Windows Firewall authorized-applications list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Common Files\SafeDrvse1.exe
Behavior description: modifies registry: startup entry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\SafeDrvse1
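The Image File Execution Options entries above are the hijack mechanism. When a Debugger value exists under an IFEO subkey named after an executable, Windows starts that value's command line (with the original command line appended) instead of the executable whenever anything launches it, so each security tool and utility in the list is diverted the next time it is run. The report records that the values were written, not what they contained. The Python below is an added host-side check, not code from VirSCAN or from the sample: it parses a `reg export` of the IFEO key and reports every immediate subkey carrying a Debugger value, marking the names this sample targets. The sample export is constructed and its Debugger command lines are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple

# Executable names the sample registered under IFEO, as listed in the report above.
HIJACKED_TARGETS = {
    "360hotfix.exe", "360rpt.exe", "360safe.exe", "360safebox.exe", "360tray.exe",
    "avgnt.exe", "avgaurd.exe", "avcenter.exe", "adam.exe", "agentsvr.exe",
    "antiarp.exe", "appsvc32.exe", "arvmon.exe", "autoguarder.exe", "autoruns.exe",
}

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")


class Finding(NamedTuple):
    image: str          # IFEO subkey name: the executable whose launch is redirected
    debugger: str       # command Windows runs instead of it
    known_target: bool  # name is one this sample hijacks


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` writes: [key] headers
    followed by "name"="string" lines. Non-string values (dword:, hex:) are
    skipped; a Debugger value is always a plain REG_SZ."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and quotes with a backslash
                name = re.sub(r"\\(.)", r"\1", m.group(1))
                value = re.sub(r"\\(.)", r"\1", m.group(2))
                keys[current][name] = value
    return keys


def find_ifeo_debuggers(text: str) -> List[Finding]:
    """Report every immediate IFEO subkey that carries a Debugger value."""
    findings: List[Finding] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = key[len(IFEO_KEY) + 1:]
        if "\\" in image:  # nested keys such as ...\foo.exe\PerfOptions are not hijack points
            continue
        debugger = values.get("Debugger")
        if debugger is not None:
            findings.append(Finding(image, debugger, image.lower() in HIJACKED_TARGETS))
    return findings


# Constructed sample export. The Debugger command lines are hypothetical: the
# report above records that the values were written, not what they contained.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\hypothetical\\hijacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\hypothetical\\hijacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Tools\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG):
        tag = "KNOWN TARGET" if f.known_target else "review"
        print(f"{tag:13} {f.image:20} -> {f.debugger}")
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16 with a byte-order mark; on 64-bit Windows also export the `Wow6432Node` copy of the key. A Debugger value is a legitimate developer feature (the `notepad.exe` entry in the sample is what a WinDbg user would set), so the classification has to rest on what the value points at and which image it is attached to, not on its mere presence.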
Other behavior
Behavior description: probes for the presence of Virtual PC
details: N/A
Behavior description: creates mutexes
details: SHIMLIB_LOG_MUTEX
SnowDownVip2010
SnowDownVip2010-Down
Behavior description: creates event objects
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: loads a driver (normal method)
details: \??\C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
\??\C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
Behavior description: compares process names against a suspicious-process list
details: lstrcmpiA: [System Process] <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: System <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: smss.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: csrss.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: winlogon.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: services.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: lsass.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33oxService.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33acthlp.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: svchost.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: spoolsv.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33UpgradeHelper.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: alg.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: explorer.exe <------> 360Safe.exe (360 Safeguard)
lstrcmpiA: 33oxTray.exe <------> 360Safe.exe (360 Safeguard)
Behavior description: MD5 of modified executable
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe ---> c0bf3d02f0b2eca5e4264c8891b414b1
C:\Documents and Settings\Administrator\SafeDrvse1.exe ---> 49a70cf06b8a0c223edcd566c7afdb0d
Behavior description: starts system services
details: [service started]: , bvpvr, \??\C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
[service started]: , cspwv, \??\C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
Behavior description: acquires a privilege
details: SE_DEBUG_PRIVILEGE
Behavior description: reads TickCount
details: TickCount = 485362, SleepMilliseconds = 300.
TickCount = 485612, SleepMilliseconds = 300.
TickCount = 485643, SleepMilliseconds = 300.
TickCount = 485659, SleepMilliseconds = 300.
TickCount = 485675, SleepMilliseconds = 300.
TickCount = 485690, SleepMilliseconds = 300.
TickCount = 485706, SleepMilliseconds = 300.
TickCount = 485721, SleepMilliseconds = 300.
TickCount = 485753, SleepMilliseconds = 300.
TickCount = 485768, SleepMilliseconds = 300.
TickCount = 485784, SleepMilliseconds = 300.
TickCount = 485940, SleepMilliseconds = 300.
TickCount = 487003, SleepMilliseconds = 300.
Behavior description: signature information of modified executable
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe (signature check: failed)
Behavior description: executable signature information
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe (signature check: failed)
C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt (signature check: passed)
C:\Program Files\Common Files\SafeDrvse1.exe (signature check: failed)
C:\Documents and Settings\Administrator\Application Data\~cspwv.txt (signature check: passed)
C:\SafeDrvse1.exe (signature check: failed)
C:\DiskD\SafeDrvse1.exe (signature check: failed)
C:\DiskX\SafeDrvse1.exe (signature check: failed)
Behavior description: executable MD5
details: C:\Documents and Settings\Administrator\SafeDrvse1.exe ---> b9fce512292b401bf1487f5bbc6fe937
C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt ---> 0aacc48a218030508b5e422cd3a88841
C:\Program Files\Common Files\SafeDrvse1.exe ---> 249f3870e52968112db65564e022fd45
C:\Documents and Settings\Administrator\Application Data\~cspwv.txt ---> 0aacc48a218030508b5e422cd3a88841
C:\SafeDrvse1.exe ---> 249f3870e52968112db65564e022fd45
C:\DiskD\SafeDrvse1.exe ---> 249f3870e52968112db65564e022fd45
C:\DiskX\SafeDrvse1.exe ---> 249f3870e52968112db65564e022fd45
Behavior description: creates system services
details: [service created]: bvpvr, C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt
[service created]: cspwv, C:\Documents and Settings\Administrator\Application Data\~cspwv.txt
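Read together, the records above describe the sample's execution chain rather than isolated events: it starts svchost.exe and iexplore.exe with hidden windows, writes a 139264-byte image at 0x00400000 into each, writes 4 bytes at 0x7ffdf008 / 0x7ffde008, and then sets a thread context; it drops copies of itself with its own MD5 into each drive root beside an AutoRun.inf; and it fetches a URL whose query string carries an id, a MAC address, the OS name and a version. The Python below is an added triage script, not VirSCAN's code or anything from the sample. It parses an excerpt of this report (constructed from the lines above, using the English labels on this page) and derives three things from it: processes matching the write-image / patch-PEB / SetThreadContext sequence of process hollowing, the network indicators and the fields the check-in leaks, and the on-disk self-copies and AutoRun roots. Reading the 4-byte writes as patches of the PEB's ImageBaseAddress field at PEB+0x08 is the editor's interpretation of those addresses, not something the report states.

```python
import re
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the report above, kept in its "Behavior description:" /
# "details:" layout with the English labels used on this page.
SAMPLE_REPORT = r"""
Behavior description: writes data into another process
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdf008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 139264
TargetProcess = iexplore.exe, WriteAddress = 0x7ffde008, Size = 4
TargetProcess = iexplore.exe, WriteAddress = 0x00400000, Size = 139264
Behavior description: sets thread context
details: C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: creates an AutoRun file in a drive root
details: C:\AutoRun.inf
C:\DiskD\AutoRun.inf
Behavior description: connects to a specified host
details: InternetConnectA: ServerName = 98.126.10.46, PORT = 80
Behavior description: opens a URL
details: InternetOpenUrlA: http://98.126.208.84/se1.txt hInternet = 0x00000158
InternetOpenUrlA: http://x.ring3.info/shell.asp?id=CC1E550C03&mac=00-00-00-00-00-00&os=Windows+XP&ver=20101003 hInternet = 0x00000158
Behavior description: executable MD5
details: C:\Program Files\Common Files\SafeDrvse1.exe ---> 249f3870e52968112db65564e022fd45
C:\DiskD\SafeDrvse1.exe ---> 249f3870e52968112db65564e022fd45
C:\Documents and Settings\Administrator\Application Data\~bvpvr.txt ---> 0aacc48a218030508b5e422cd3a88841
"""


def parse_report(text: str) -> Dict[str, List[str]]:
    """Group detail lines under their behavior label. A label can recur across
    the report's sections, so details for the same label are merged."""
    records: Dict[str, List[str]] = {}
    label = None
    for line in text.splitlines():
        if line.startswith("Behavior description:"):
            label = line.split(":", 1)[1].strip()
            records.setdefault(label, [])
        elif label is not None:
            detail = line[len("details:"):] if line.startswith("details:") else line
            if detail.strip() and detail.strip() != "N/A":
                records[label].append(detail.strip())
    return records


WRITE_RE = re.compile(r"TargetProcess = (\S+), WriteAddress = 0x([0-9a-fA-F]+), Size = (\d+)")


def hollowing_candidates(records: Dict[str, List[str]]) -> Dict[str, int]:
    """Processes that received a 4-byte write at PEB+0x08 (ImageBaseAddress on
    32-bit Windows; on XP the PEB sits in the 0x7FFDxxxx pages), a large write at
    the usual 0x00400000 image base, and then had a thread context set.
    Returns {process name: injected image size}."""
    writes: Dict[str, Dict[str, int]] = {}
    for d in records.get("writes data into another process", []):
        m = WRITE_RE.match(d)
        if not m:
            continue
        proc, addr, size = m.group(1).lower(), int(m.group(2), 16), int(m.group(3))
        w = writes.setdefault(proc, {"peb": 0, "image": 0})
        if size == 4 and addr >= 0x7FFD0000 and (addr & 0xFFF) == 0x008:
            w["peb"] = 1
        elif addr == 0x00400000 and size >= 0x1000:
            w["image"] = size
    ctx = {p.rsplit("\\", 1)[-1].lower() for p in records.get("sets thread context", [])}
    return {p: w["image"] for p, w in writes.items() if w["peb"] and w["image"] and p in ctx}


def network_iocs(records: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    hosts: Set[str] = set()
    urls: Set[str] = set()
    for d in records.get("opens a URL", []):
        for u in re.findall(r"https?://\S+", d):
            urls.add(u)
            hosts.add(urlsplit(u).hostname)
    for d in records.get("connects to a specified host", []):
        m = re.search(r"ServerName = ([^,\s]+)", d)
        if m:
            hosts.add(m.group(1))
    return {"hosts": hosts, "urls": urls}


def beacon_fields(url: str) -> Dict[str, str]:
    """Decode the check-in query string to see what host data it sends."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def self_copies(records: Dict[str, List[str]], sample_md5: str) -> List[str]:
    """Dropped files whose MD5 equals the submitted sample: on-disk copies of itself."""
    out = []
    for d in records.get("executable MD5", []):
        path, _, md5 = d.partition(" ---> ")
        if md5.strip().lower() == sample_md5.lower():
            out.append(path.strip())
    return out


def autorun_roots(records: Dict[str, List[str]]) -> List[str]:
    return [p.rsplit("\\", 1)[0] + "\\" for p in records.get("creates an AutoRun file in a drive root", [])]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("hollowed:", hollowing_candidates(recs))
    print("network:", network_iocs(recs))
    for u in network_iocs(recs)["urls"]:
        if "?" in u:
            print("beacon sends:", beacon_fields(u))
    print("self copies:", self_copies(recs, "249f3870e52968112db65564e022fd45"))
    print("autorun roots:", autorun_roots(recs))
```

rundll32.exe appears under "sets thread context" but has no logged cross-process write, so the script does not flag it; the rule deliberately requires all three steps rather than inferring from SetThreadContext alone. The two `~*.txt` services hash to a different value and pass signature verification, so they are excluded from the self-copy list and should be triaged separately as a signed driver loaded from a user-profile path.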
Run screenshot