VirSCAN
File information
Safety rating: 35
Behavior list
Basic Information
MD5: 475706b3790088837a703fc920f44a5b
File type: EXE
Production company: BAIDU.COM
Version: 1.1.0.7---1.1.0.7
Shell or compiler information:
Key behavior
Behavior description: Modify an existing system EXE file
Details: C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll
Behavior description: Write data into another process
Details: TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12
Behavior description: Modify registry (startup item)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Behavior description: Write code-section data into another process
Details: C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
Behavior description: Set special folder attributes
Details: C:\DiskX\RECYCLER
Behavior description: Detect virtual machine by searching for files
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*
Process behavior
Behavior description: Create process
Details: ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Behavior description: Create process from a newly created file
Details: ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
Behavior description: Write data into another process
Details: TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12
Behavior description: Enumerate processes
Details: N/A
Behavior description: Write code-section data into another process
Details: C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
Behavior description: Create local thread
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\1457920919.395171.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1457920919.395496.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Process exit
Details: N/A
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\dmlconf.dat
Behavior description: Modify an existing system EXE file
Details: C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
Behavior description: Overwrite existing file
Details: C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Internet Explorer\dmlconf.dat
Behavior description: Copy file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe
Behavior description: Modify executable file via memory mapping
Details: \device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll
Behavior description: Delete file
Details: C:\Program Files\Microsoft\px3.tmp
Behavior description: Search for files
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*
Behavior description: Set special folder attributes
Details: C:\DiskX\RECYCLER
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 4096
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 8192
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 12288
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 2787
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 873
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\popup.html ---> Offset = 39547
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.secondAccount\0.0.0.1\backgroundpage.html ---> Offset = 1227
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.share\0.0.0.1\backgroundpage.html ---> Offset = 5201
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\background.html ---> Offset = 924
Behavior description: Modify newly created executable file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
Network behavior
Behavior description: Establish a connection to a specified socket
Details: URL: google.com, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x00000128
URL: fget-career.com, IP: <FAKE_SERVER_IP>:443, SOCKET = 0x00000120
Behavior description: Resolve host address by name
Details: gethostbyname: google.com
gethostbyname: fget-career.com
Registry behavior
Behavior description: Modify registry (startup item)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Other behavior
Behavior description: Create mutex
Details: KyUffThOkYwRRtgPP
Behavior description: MD5 of modified executable files
Details: C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll ---> 721ffd39b756bf7b9df203574f6f492f
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> 216862d7d0e359444372916e8954cad3
Behavior description: Signature information of modified executable files
Details: C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe (signature verification: failed)
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe (signature verification: failed)
C:\Program Files\Microsoft\DesktopLayer.exe (signature verification: failed)
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> ff5e1f27193ce51eec318714ef038bef
C:\Program Files\Microsoft\DesktopLayer.exe ---> ff5e1f27193ce51eec318714ef038bef
Behavior description: Sample console output
Details: N/A
Behavior description: Detect virtual machine by searching for files
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*