VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.

File information
Safety rating: 86
Behavior list
Basic Information
MD5: 2f56a80e9a77c38dac237824638303bb
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Microsoft Visual C++ 6.0 SPx Method 1 [Overlay]
Key behavior
Behavior description: Block window close message
Details: hWnd = 0x00060340, Text = , ClassName = #32770.
Behavior description: Get TickCount value
Details: TickCount = 245650, SleepMilliseconds = 10.
Behavior description: Modify registry (startup entry)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Process behavior
Behavior description: Create process from new file
Details: [0x00000b44]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\source.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\source.exe
[0x00000d0c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe"
[0x00000d60]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\DynPlay.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\DynPlay.exe" 1440 68624 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\DYNAMiCS.mp3"
Behavior description: Create local thread
Details: TargetProcess: Electri-Q v1.8.4 Setup.exe, InheritedFromPID = 2704, ProcessID = 3340, ThreadID = 3404, StartAddress = 4AEA7456, Parameter = 00000000
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\Militaristicus.skf
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\NSIS_SkinCrafter_Plugin.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\SkinNsis.skf
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\SkinCrafter.dll
C:\WINDOWS\system32\gdiplus.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\WizardImage.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\DYNAMiCS.mp3
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\DynPlay.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\bass.dll
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\NSIS_SkinCrafter_Plugin.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\SkinCrafter.dll
C:\WINDOWS\system32\gdiplus.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\DynPlay.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\bass.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\System.dll
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Search for file
Details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\source.exe
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\DynPlay.exe
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe ---> Offset = 12799
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe ---> Offset = 45567
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe ---> Offset = 78335
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe ---> Offset = 111103
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp ---> Offset = 41498
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp ---> Offset = 74266
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy4.tmp ---> Offset = 78711
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\Militaristicus.skf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\Militaristicus.skf ---> Offset = 16384
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
Behavior description: Modify registry (startup entry)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Other behavior
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.IEL
oleacc-msaa-loaded
DirectSound DllMain mutex (0x00000D60)
MSCTF.Shared.MUTEX.ABN
Behavior description: Create event object
Details: EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.IEL.IC
EventName = MSCTF.SendReceiveConection.Event.IEL.IC
EventName = MSCTF.SendReceive.Event.ABN.IC
EventName = MSCTF.SendReceiveConection.Event.ABN.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
Behavior description: Open event
Details: Global\crypt32LogoffEvent
HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000012
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000012
Behavior description: Get TickCount value
Details: TickCount = 245650, SleepMilliseconds = 10.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Block window close message
Details: hWnd = 0x00060340, Text = , ClassName = #32770.
Behavior description: Window information
Details: Pid = 2884, Hwnd=0x10344, Text = Team ROGUE, ClassName = Edit.
Pid = 2884, Hwnd=0x10346, Text = PLEASE PLACE KEYMAKER IN INSTALLDIR!!!, ClassName = Edit.
Pid = 2884, Hwnd=0x10348, Text = &Make, ClassName = Button.
Pid = 2884, Hwnd=0x1034a, Text = &Copy, ClassName = Button.
Pid = 2884, Hwnd=0x1034c, Text = &About, ClassName = Button.
Pid = 2884, Hwnd=0x1034e, Text = &X, ClassName = Button.
Pid = 2884, Hwnd=0x10352, Text = stx!ROGUE, ClassName = Static.
Pid = 2884, Hwnd=0x10354, Text = 0000-0000, ClassName = Edit.
Pid = 3424, Hwnd=0x10448, Text = 确定, ClassName = Button.
Pid = 3424, Hwnd=0x1044a, Text = Error initializing audio! (Error code: 23), ClassName = Static.
Pid = 3424, Hwnd=0x10446, Text = 错误, ClassName = #32770.
Pid = 3340, Hwnd=0x3034e, Text = &Next >, ClassName = Button.
Pid = 3340, Hwnd=0x2034a, Text = Cancel, ClassName = Button.
Pid = 3340, Hwnd=0x703ea, Text = Team DYNAMiCS 2008 , ClassName = Static.
Pid = 3340, Hwnd=0x2042c, Text = Team DYNAMiCS 2008, ClassName = Static.
Behavior description: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\NSIS_SkinCrafter_Plugin.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\SkinCrafter.dll (signature verification: failed)
C:\WINDOWS\system32\gdiplus.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\DynPlay.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\bass.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\nsDialogs.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\System.dll (signature verification: failed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 10.
[2]: MilliSeconds = 10.
[3]: MilliSeconds = 10.
[4]: MilliSeconds = 10.
[5]: MilliSeconds = 10.
[6]: MilliSeconds = 10.
[7]: MilliSeconds = 10.
[8]: MilliSeconds = 10.
[9]: MilliSeconds = 10.
[10]: MilliSeconds = 9.
[1]: MilliSeconds = 1440.
[2]: MilliSeconds = 1440.
[3]: MilliSeconds = 1440.
[4]: MilliSeconds = 1440.
[5]: MilliSeconds = 1440.
Behavior description: Hide specified window
Details: [Window,Class] = [,Button]
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\source.exe ---> 2eb339b88fa623b463c763a7d49baee7
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Electri-Q v1.8.4 Setup.exe ---> File too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\NSIS_SkinCrafter_Plugin.dll ---> 065d72e70e51716c36a21a5d2cae29d7
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\SkinCrafter.dll ---> 400cb1276ccebd004e091fb2101666fd
C:\WINDOWS\system32\gdiplus.dll ---> d0aaae16ba162dd89d646887f1539855
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\DynPlay.exe ---> 4e30192dda60f18883440e0129eaab88
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\bass.dll ---> 9a508892af83099bce8e6dea9e6d030c
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\nsDialogs.dll ---> e01c7e624af3a1372ce8e671c2d37ccf
C:\Documents and Settings\Administrator\Local Settings\Temp\nso5.tmp\System.dll ---> 32465a07028b927b22c38e642c2cb836
Behavior description: Open mutex
Details: ShimCacheMutex
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\NSIS_SkinCrafter_Plugin.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\SkinCrafter.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\bass.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\nsDialogs.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nso5.tmp\System.dll.