
1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating: 94
Behavior list
Basic Information
MD5: 39f5a9eb9620ca4a69bfa34fe498d661
File type: Rar
Production company:
Version:
Shell or compiler information:
Subfile information: 下载更多QQ辅助.url / 10fef126e13750838624e2ed63a815f5 / Unknown
留言.exe / becc8e24a9201bea4dd2cb343e2505cd / EXE
Key behavior
Behavior description: Create file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.EL..BOAKH
MSCTF.MarshalInterface.FileMap.EL.B.BPAKH
MSCTF.MarshalInterface.FileMap.EL.C.BPAKH
MSCTF.MarshalInterface.FileMap.EL.D.BPAKH
MSCTF.MarshalInterface.FileMap.EL.E.BPAKH
MSCTF.MarshalInterface.FileMap.EL.F.BPAKH
MSCTF.MarshalInterface.FileMap.EL.G.BPAKH
MSCTF.Shared.SFM.EL
Behavior description: Create PE file in the QQ directory
Details: C:\Program Files\Tencent\QQ\Bin\auclt.exe
C:\Program Files\Tencent\QQ\Bin\bugreport.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\QQExternal.exe
C:\Program Files\Tencent\QQ\Bin\QQPI.exe
C:\Program Files\Tencent\QQ\Bin\QQScLauncher.exe
C:\Program Files\Tencent\QQ\Bin\StorageTool.exe
C:\Program Files\Tencent\QQ\Bin\Timwp.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\Program Files\Tencent\QQ\Bin\Ark\bugreport.exe
C:\Program Files\Tencent\QQ\Bin\Ark\QQApp.exe
C:\Program Files\Tencent\QQ\Bin\SetupEx\QQSetupEx.exe
Behavior description: Hide specified window
Details: [Window,Class] = [,_EL_Timer]
[Window,Class] = [,SysListView32]
Behavior description: Get window screenshot information
Details: Foreground window Info: HWND = 0x24010301, DC = 0x24010301.
Foreground window Info: HWND = 0x01010055, DC = 0x01010055.
Behavior description: Resolve host address by name
Details: 918.7701.net
Process behavior
Behavior description: Create new process from file
Details: ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Create file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.EL..BOAKH
MSCTF.MarshalInterface.FileMap.EL.B.BPAKH
MSCTF.MarshalInterface.FileMap.EL.C.BPAKH
MSCTF.MarshalInterface.FileMap.EL.D.BPAKH
MSCTF.MarshalInterface.FileMap.EL.E.BPAKH
MSCTF.MarshalInterface.FileMap.EL.F.BPAKH
MSCTF.MarshalInterface.FileMap.EL.G.BPAKH
MSCTF.Shared.SFM.EL
Behavior description: Rename file
Details: C:\install.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\76705.tmp
C:\%temp%\1445458685.758703.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\767a2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7690a.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7693a.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7696a.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\769c9.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\769f9.tmp
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Temp\sogouexplorerup.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\76ac5.tmp
C:\Documents and Settings\Administrator\Application Data\SogouPY\SogouExplorer.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\76bb0.tmp
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\76c2e.tmp
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\STemp\SetupEx~0\QQSetupEx.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\76d0a.tmp
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\770b4.tmp
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\77132.tmp
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\771d0.tmp
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7724e.tmp
Behavior description: Create executable file
Details: C:\install.exe
C:\%temp%\1445458685.322770.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Temp\sogouexplorerup.exe
C:\Documents and Settings\Administrator\Application Data\SogouPY\SogouExplorer.exe
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\STemp\SetupEx~0\QQSetupEx.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
Behavior description: Search for files
Details: FileName = x:\*.exe
FileName = x:\*.*
FileName = h:\*.exe
FileName = h:\*.*
FileName = d:\*.exe
FileName = d:\*.*
FileName = c:\*.exe
FileName = c:\install.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\76705.tmp
FileName = c:\*.*
FileName = c:\222c25ed\*.exe
FileName = c:\222c25ed\*.*
FileName = c:\222c25ed\IE8-Setup-Full\*.exe
FileName = c:\222c25ed\IE8-Setup-Full\IE-REDIST.EXE
FileName = c:\222c25ed\IE8-Setup-Full\installservices.exe
Behavior description: Create PE file in the QQ directory
Details: C:\Program Files\Tencent\QQ\Bin\auclt.exe
C:\Program Files\Tencent\QQ\Bin\bugreport.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\QQExternal.exe
C:\Program Files\Tencent\QQ\Bin\QQPI.exe
C:\Program Files\Tencent\QQ\Bin\QQScLauncher.exe
C:\Program Files\Tencent\QQ\Bin\StorageTool.exe
C:\Program Files\Tencent\QQ\Bin\Timwp.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\Program Files\Tencent\QQ\Bin\Ark\bugreport.exe
C:\Program Files\Tencent\QQ\Bin\Ark\QQApp.exe
C:\Program Files\Tencent\QQ\Bin\SetupEx\QQSetupEx.exe
Network behavior
Behavior description: Establish connection to a specified socket
Details: 219.133.40.1:8808
183.60.48.30:443
112.90.83.35:443
219.133.40.1:8888
Behavior description: Resolve host address by name
Details: 918.7701.net
Registry behavior
Behavior description: Delete registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x16(565 0)
Behavior description: Delete registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Other behavior
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.EL
Behavior description: Hide specified window
Details: [Window,Class] = [,_EL_Timer]
[Window,Class] = [,SysListView32]
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details: Pid = 168, Hwnd=0x5026e, Text = QQ选择[Tips:选择要留言的QQ号码], ClassName = Button(GroupBox).
Pid = 168, Hwnd=0x302da, Text = 广告内容:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 168, Hwnd=0x202c6, Text = - [QQ空间自动留言软件], ClassName = Edit.
Pid = 168, Hwnd=0x202ca, Text = 植入广告(留言内容后加广告), ClassName = Button(CheckBox).
Pid = 168, Hwnd=0x202c8, Text = 0, ClassName = Edit.
Pid = 168, Hwnd=0x202c4, Text = 速度(1000=1秒)默认1000, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 168, Hwnd=0x302bc, Text = 返回消息, ClassName = Button(GroupBox).
Pid = 168, Hwnd=0x202b2, Text = 要留言的QQ号码:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 168, Hwnd=0x202cc, Text = 要留言的内容, ClassName = Button(GroupBox).
Pid = 168, Hwnd=0x302dc, Text = 自动随机留言内容, ClassName = Button(CheckBox).
Pid = 168, Hwnd=0x702a8, Text = 失败数量, ClassName = _EL_Label.
Pid = 168, Hwnd=0x3015a, Text = 留言失败:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 168, Hwnd=0x40294, Text = 留言成功:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 168, Hwnd=0x50274, Text = 成功数量, ClassName = _EL_Label.
Pid = 168, Hwnd=0x5026c, Text = 开始留言, ClassName = Button.
Behavior description: Get window screenshot information
Details: Foreground window Info: HWND = 0x24010301, DC = 0x24010301.
Foreground window Info: HWND = 0x01010055, DC = 0x01010055.
Behavior description: Inline hook
Details: C:\WINDOWS\system32\ntdll.dll--->LdrFindResource_U Offset = 0x0
C:\WINDOWS\system32\ntdll.dll--->LdrAccessResource Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->LoadStringA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->LoadStringW Offset = 0x0
C:\WINDOWS\system32\GDI32.dll--->ExtTextOutA Offset = 0x0
C:\WINDOWS\system32\GDI32.dll--->ExtTextOutW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowLongA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowLongA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowLongW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowLongW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->BeginPaint Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->EndPaint Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->ReleaseDC Offset = 0x0
