VirSCAN

File information
Safety rating: 80
Behavior list
Basic Information
MD5: 739dc424ce24e24b5b231ba397ac4603
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Upack 0.3.9 beta2s -> Dwing
Subfile information: DVCLALdumpFile / cdfdb59602f10c905bf916939a2ef3fc / DLL
upack0.34_34d03abcdumpFile / 711382c45a4dbd609aebe3baeb6098df / EXE
Key behavior
Behavior description: Cross-process data write
Details: TargetProcess = [System Process], WriteAddress = 0x7ff90000, Size = 31
C:\WINDOWS\system32\winlogon.exe
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Resolve host address by name
Details: update.microsoft.com
Process behavior
Behavior description: Cross-process data write
Details: TargetProcess = [System Process], WriteAddress = 0x7ff90000, Size = 31
C:\WINDOWS\system32\winlogon.exe
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Create file mapping with write access
Details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.IBK..CMGFF
MSCTF.MarshalInterface.FileMap.IBK.B.CMGFF
MSCTF.MarshalInterface.FileMap.IBK.C.CMGFF
MSCTF.MarshalInterface.FileMap.IBK.D.CMGFF
MSCTF.MarshalInterface.FileMap.IBK.E.CMGFF
MSCTF.MarshalInterface.FileMap.IBK.F.CMGFF
MSCTF.MarshalInterface.FileMap.IBK.G.CMGFF
Behavior description: Create executable file
Details: C:\WINDOWS\349609.dll
C:\WINDOWS\system32\Systen.dll
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Network behavior
Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = getmeg.go.8866.org, PORT = 80
InternetConnectA: ServerName = 127.0.0.1, PORT = 80
Behavior description: Read network file
Details: hFile = 0x00000444, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000624, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000480, BytesToRead =1024, BytesRead = 1024.
Behavior description: Open HTTP request
Details: HttpOpenRequestA: getmeg.go.8866.org:80/, hConnect = 0x00000448
HttpOpenRequestA: 127.0.0.1:80/, hConnect = 0x00000620
HttpOpenRequestA: 127.0.0.1:80/, hConnect = 0x00000614
Behavior description: Resolve host address by name
Details: update.microsoft.com
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Tencent\QQ\BITS
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\Asynchronous
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\Impersonate
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\Startup
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1482476501-1645522239-1417001333-500\RefCount
Behavior description: Modify registry (system logon management)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS\DllName
Other behavior
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
Details: Pid = 2580, Hwnd=0x10352, Text = 是(&Y), ClassName = Button.
Pid = 2580, Hwnd=0x10354, Text = 否(&N), ClassName = Button.
Pid = 2580, Hwnd=0x10358, Text = 守望者远程控制安装开始:1你的电脑准备安装[守望者2007fly]远程控制软件; [确定]继续安装;[取消]放弃安装; 非法连接卸载命令:[rundll32, ClassName = Static.
Pid = 2580, Hwnd=0x10350, Text = 守望者远程控制-安装提示, ClassName = #32770.
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
1127.0.0.1
Behavior description: Acquire system privilege
Details: SE_DEBUG_PRIVILEGE
Run screenshot