VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating: 79
Basic Information
MD5: 3947e242e119d1135ad9ae6dd0fe54ad
File type: Rar
Production company:
Version:
Shell or compiler information:
Subfile information (name / MD5 / type):
1085306448.exe / 1d44f97f81b2bfe0e0c9d1d8dbf681a4 / EXE
3142844954.exe / 58d268c404cc5703f148fa43882a9b22 / EXE
3368116605(1).exe / a780530d8f7fcc5758db768590286d86 / EXE
894396784.exe / f650552db8745d62ed779b19c3585162 / EXE
3142844954.exe / 58d268c404cc5703f148fa43882a9b22 / EXE
测试.exe / a780530d8f7fcc5758db768590286d86 / EXE
hh.rar / b3687db962fa1515a81379aedfbec381 / Rar
Key behavior
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Read CPU time-stamp counter directly (RDTSC; EAX = low 32 bits, EDX = high 32 bits)
details: EAX = 0x3b47e7a0, EDX = 0x000000b6
EAX = 0x3b47e7ec, EDX = 0x000000b6
EAX = 0x3b47e838, EDX = 0x000000b6
EAX = 0x3b47e884, EDX = 0x000000b6
EAX = 0x3b47e8d0, EDX = 0x000000b6
EAX = 0x3b47e91c, EDX = 0x000000b6
EAX = 0x3b47e968, EDX = 0x000000b6
EAX = 0x3b47e9b4, EDX = 0x000000b6
EAX = 0x3b47ea00, EDX = 0x000000b6
EAX = 0x3b47ea4c, EDX = 0x000000b6
Process behavior
Behavior description: Create local thread
details: TargetProcess: 1085306448.exe, InheritedFromPID = 2000, ProcessID = 3284, ThreadID = 3296, StartAddress = 719CD33A, Parameter = 0019FD10
TargetProcess: 1085306448.exe, InheritedFromPID = 2000, ProcessID = 3284, ThreadID = 3300, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 1085306448.exe, InheritedFromPID = 2000, ProcessID = 3284, ThreadID = 3304, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 1085306448.exe, InheritedFromPID = 2000, ProcessID = 3284, ThreadID = 3308, StartAddress = 7C930230, Parameter = 00000000
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\pt_get_uins[1]
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\pt_get_uins[1]
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Search for files
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Network behavior
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = lo****om, PORT = 4300, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), hSession = 0x00cc0004
Behavior description: Connect to a specified socket
details: IP: **.241.50.**:1001, SOCKET = 0x000000bc
URL: lo****om, IP: **.133.40.**:4300, SOCKET = 0x000001d4
URL: lo****om, IP: **.133.40.**:4300, SOCKET = 0x000002dc
URL: lo****om, IP: **.133.40.**:4300, SOCKET = 0x000002d0
URL: lo****om, IP: **.133.40.**:4300, SOCKET = 0x000002e4
Behavior description: Read network file
details: hFile = 0x00cc000c, BytesToRead = 1024, BytesRead = 1024
Behavior description: Send HTTP request
details: GET /pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916 HTTP/1.1
Accept: */*
Referer: http://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Cookie: pt_local_token=0.3858416392467916;
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: lo****om:4300
Cache-Control: no-cache
Behavior description: Open HTTP request
details: HttpOpenRequestA: lo****om:4300/pt_get_uins?callback=ptui_getuins_cb&r=0.7478418888058513&pt_local_tk=0.3858416392467916, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80084010
Behavior description: Resolve host address by name
details: GetAddrInfoW: lo****om
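The network section above masks the server name in the InternetConnectA, HttpOpenRequestA and Host entries (lo****om) and masks the IPs, but the Referer header of the logged GET is recorded verbatim and reads http://localhost.ptlogin2.qq.com:4300/pt_get_uins. The query string also carries a pt_local_tk value that is identical to the pt_local_token cookie, and the hard-coded User-Agent claims Windows NT 6.1 while every path in the report is the XP-style Documents and Settings profile layout. As background not stated in the report: localhost.ptlogin2.qq.com on port 4300 is the address through which the QQ desktop client's quick-login (ptlogin2) service is reached locally, and pt_get_uins is its call for listing currently logged-in accounts. The following Python is an added triage example written for this page, not VirSCAN's code; it parses the single-line request exactly as the sandbox rendered it (embedded below as constructed input copied from the report), recovers the unmasked host and port from the Referer, checks that the Referer host is consistent with the mask, and confirms the token/cookie match. The mask-matching helper treats each run of `*` as hiding an unknown number of characters, an assumption about VirSCAN's masking rather than a documented rule.

```python
"""Triage the HTTP request logged in a VirSCAN behaviour report.

Added example for this page (not VirSCAN code).  The sandbox masks the
server name in Host/ServerName but logs the Referer verbatim, so the real
host and port can be read back from it.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the request copied from the report, flattened onto one
# line with headers separated only by spaces, as the sandbox rendered it.
LOGGED_REQUEST = (
    "GET /pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513"
    "&pt_local_tk=0.3858416392467916 HTTP/1.1 Accept: */* "
    "Referer: http://localhost.ptlogin2.qq.com:4300/pt_get_uins"
    "?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916 "
    "Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded "
    "Cookie: pt_local_token=0.3858416392467916; "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) "
    "Host: lo****om:4300 Cache-Control: no-cache"
)

# A header boundary is a space followed by "Field-Name: ".  URLs ("http://")
# and cookie values never match because they have no space after the colon.
HEADER_BOUNDARY = re.compile(r" (?=[A-Za-z][A-Za-z0-9-]*: )")


def split_flattened_request(flat):
    """Return (request_line, {lower-cased header name: value})."""
    parts = HEADER_BOUNDARY.split(flat.strip())
    request_line, header_parts = parts[0], parts[1:]
    headers = {}
    for part in header_parts:
        name, _, value = part.partition(": ")
        headers[name.lower()] = value.strip()
    return request_line, headers


def parse_cookie(value):
    """Parse a Cookie header value into a dict (tolerates a trailing ';')."""
    cookies = {}
    for item in value.split(";"):
        item = item.strip()
        if "=" in item:
            key, _, val = item.partition("=")
            cookies[key.strip()] = val.strip()
    return cookies


def mask_consistent(masked, candidate):
    """True if a masked name such as 'lo****om' could be `candidate`.
    Assumption: each run of '*' hides any number of characters."""
    pattern = ".*".join(re.escape(p) for p in re.split(r"\*+", masked))
    return re.fullmatch(pattern, candidate) is not None


def triage(flat):
    """Extract the indicators an analyst wants from the logged request."""
    request_line, headers = split_flattened_request(flat)
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    query = parse_qs(url.query)
    cookies = parse_cookie(headers.get("cookie", ""))
    referer = urlsplit(headers.get("referer", ""))
    host_header = headers.get("host", "")
    masked_host = host_header.rsplit(":", 1)[0]
    token = query.get("pt_local_tk", [None])[0]
    return {
        "method": method,
        "path": url.path,
        "callback": query.get("callback", [None])[0],
        "host_masked": "*" in host_header,
        "referer_host": referer.hostname,
        "referer_port": referer.port,
        "referer_fits_mask": mask_consistent(masked_host, referer.hostname or ""),
        "token_matches_cookie": token is not None
        and token == cookies.get("pt_local_token"),
        "user_agent": headers.get("user-agent"),
    }


if __name__ == "__main__":
    for key, value in triage(LOGGED_REQUEST).items():
        print(f"{key:>22}: {value}")
```

Run stand-alone it prints the recovered fields; the same splitting works for any other flattened request in a VirSCAN report as long as the header names are well formed, which is why the boundary regex keys on the `Name: ` shape rather than on a fixed header list.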
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Open mutex
details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Behavior description: Hide specified window
details: [Window,Class] = [,_EL_ClientSock]
[Window,Class] = [,_EL_Timer]
Behavior description: Read CPU time-stamp counter directly (RDTSC; EAX = low 32 bits, EDX = high 32 bits)
details: EAX = 0x3b47e7a0, EDX = 0x000000b6
EAX = 0x3b47e7ec, EDX = 0x000000b6
EAX = 0x3b47e838, EDX = 0x000000b6
EAX = 0x3b47e884, EDX = 0x000000b6
EAX = 0x3b47e8d0, EDX = 0x000000b6
EAX = 0x3b47e91c, EDX = 0x000000b6
EAX = 0x3b47e968, EDX = 0x000000b6
EAX = 0x3b47e9b4, EDX = 0x000000b6
EAX = 0x3b47ea00, EDX = 0x000000b6
EAX = 0x3b47ea4c, EDX = 0x000000b6
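The "Read CPU clock" entries, listed once under Key behavior and again here under Other behavior, are the register pairs the sandbox recorded for each executed RDTSC instruction: EAX holds the low 32 bits and EDX the high 32 bits of the 64-bit time-stamp counter. The ten reads share EDX = 0xb6 and their EAX values advance by a constant 0x4c, i.e. ten back-to-back reads spaced 76 ticks apart, the shape of a tight loop that reads the counter repeatedly, which is why sandboxes flag RDTSC as a timing-based anti-analysis indicator. The Python below is an added example for this page, not VirSCAN code; it parses the logged pairs (embedded as constructed input copied from the report), rebuilds the 64-bit values, computes the gaps, applies a simple burst heuristic, and also shows the wrap-around case the page's data does not hit: when EAX overflows between two reads, subtracting EAX alone gives a negative gap, while the combined 64-bit value gives the right one. The burst thresholds (`min_reads`, `max_spread`) are illustrative choices, not values VirSCAN uses.

```python
"""Reconstruct RDTSC time-stamp counter values from a VirSCAN behaviour report.

Added example for this page (not VirSCAN code).  RDTSC returns a 64-bit
counter split across EDX (high 32 bits) and EAX (low 32 bits), which is how
the sandbox logs every executed instruction.
"""
import re

# Constructed input: the ten logged register pairs copied from the report.
LOGGED_RDTSC = """\
EAX = 0x3b47e7a0, EDX = 0x000000b6
EAX = 0x3b47e7ec, EDX = 0x000000b6
EAX = 0x3b47e838, EDX = 0x000000b6
EAX = 0x3b47e884, EDX = 0x000000b6
EAX = 0x3b47e8d0, EDX = 0x000000b6
EAX = 0x3b47e91c, EDX = 0x000000b6
EAX = 0x3b47e968, EDX = 0x000000b6
EAX = 0x3b47e9b4, EDX = 0x000000b6
EAX = 0x3b47ea00, EDX = 0x000000b6
EAX = 0x3b47ea4c, EDX = 0x000000b6
"""

PAIR_RE = re.compile(r"EAX\s*=\s*0x([0-9a-fA-F]+),\s*EDX\s*=\s*0x([0-9a-fA-F]+)")


def parse_tsc_samples(text):
    """64-bit TSC values in log order: (EDX << 32) | EAX."""
    return [(int(edx, 16) << 32) | int(eax, 16) for eax, edx in PAIR_RE.findall(text)]


def deltas(samples):
    """Gaps between consecutive 64-bit samples, in TSC ticks."""
    return [later - earlier for earlier, later in zip(samples, samples[1:])]


def low_word_deltas(samples):
    """What subtracting EAX alone gives: wrong whenever the low 32 bits wrap."""
    low = [s & 0xFFFFFFFF for s in samples]
    return [later - earlier for earlier, later in zip(low, low[1:])]


def rdtsc_burst(samples, min_reads=4, max_spread=0.25):
    """Illustrative heuristic for a timing loop: at least `min_reads`
    consecutive reads whose gaps stay within `max_spread` of the median gap.
    Returns (is_burst, gaps)."""
    gaps = deltas(samples)
    if len(gaps) < min_reads - 1:
        return False, gaps
    median = sorted(gaps)[len(gaps) // 2]
    if median <= 0:
        return False, gaps
    tight = all(abs(g - median) <= max_spread * median for g in gaps)
    return tight, gaps


def summarize(text):
    """Parse a block of logged pairs and return the analyst-facing summary."""
    samples = parse_tsc_samples(text)
    is_burst, gaps = rdtsc_burst(samples)
    return {
        "reads": len(samples),
        "first_tsc": samples[0] if samples else None,
        "gaps": gaps,
        "burst": is_burst,
    }


if __name__ == "__main__":
    info = summarize(LOGGED_RDTSC)
    print(f"{info['reads']} RDTSC reads, first TSC = {info['first_tsc']:#x}")
    print("gaps (ticks):", info["gaps"], "burst:", info["burst"])
    # Constructed wrap-around case: the low word overflows between two reads.
    wrapped = [0xB6FFFFFF80, 0xB700000010]
    print("true gap:", deltas(wrapped), "EAX-only gap:", low_word_deltas(wrapped))
```

The heuristic deliberately looks at spacing rather than absolute values: a sandbox's own instrumentation adds a fixed cost to each hooked instruction, so what distinguishes a timing check from incidental use is a run of reads with almost nothing between them, not the tick count itself.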
Run screenshot