VirSCAN


File information
Safety rating: 40
Behavior list
Basic Information
MD5: af747414607acf5eb5e8d0ece8a3dec3
File type: EXE
Production company: VSO Software
Version: 3.0.3.5---3.0.3.5
Shell or compiler information: COMPILER:Borland Delphi 6.0 - 7.0 [Overlay]
Key behavior
Behavior description: Modifies original system EXE files
details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE---> Offset = 12382208
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe---> Offset = 401408
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe---> Offset = 98816
C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 253952
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1171456
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE---> Offset = 10419712
Behavior description: Writes data into other processes
details: TargetProcess = explorer.exe, WriteAddress = 0x01bb0000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x01e40000, Size = 4096
TargetProcess = ctfmon.exe, WriteAddress = 0x009a0000, Size = 8192
C:\WINDOWS\system32\ctfmon.exe
TargetProcess = ctfmon.exe, WriteAddress = 0x009b0000, Size = 4096
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
TargetProcess = QQ.exe, WriteAddress = 0x00c70000, Size = 4096
TargetProcess = TXPlatform.exe, WriteAddress = 0x01120000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TargetProcess = TXPlatform.exe, WriteAddress = 0x01130000, Size = 4096
TargetProcess = conime.exe, WriteAddress = 0x00910000, Size = 8192
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x00d30000, Size = 4096
Behavior description: Attempts to connect to a rootkit driver device object
details: \??\amsint32
Behavior description: Modifies registry: UAC key setting
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Loads a driver (standard method)
details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\lgoep.sys
Behavior description: Modifies executable files via memory mapping
details: \device\harddiskvolume1\program files\microsoft office\office11\winword.exe
\device\harddiskvolume1\windows\system32\notepad.exe
\device\harddiskvolume1\windows\system32\cmb_pb_liveupdate.exe
\device\harddiskvolume1\program files\adobe\reader 9.0\reader\reader_sl.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
\device\harddiskvolume1\windows\system32\cmd.exe
\device\harddiskvolume1\program files\microsoft office\office11\excel.exe
Behavior description: Sets special file attributes
details: C:\fpqg.exe
C:\DiskD\lflpso.pif
C:\DiskX\bprch.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Stops system services
details: ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Detects VMware by querying file attributes
details: GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Creates an autorun file in the root directory
details: C:\autorun.inf
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Creates system services
details: [Service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[Service created successfully]: amsint32, C:\WINDOWS\system32\drivers\lgoep.sys
Process behavior
Behavior description: Writes data into other processes
details: TargetProcess = explorer.exe, WriteAddress = 0x01bb0000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x01e40000, Size = 4096
TargetProcess = ctfmon.exe, WriteAddress = 0x009a0000, Size = 8192
C:\WINDOWS\system32\ctfmon.exe
TargetProcess = ctfmon.exe, WriteAddress = 0x009b0000, Size = 4096
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
TargetProcess = QQ.exe, WriteAddress = 0x00c70000, Size = 4096
TargetProcess = TXPlatform.exe, WriteAddress = 0x01120000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TargetProcess = TXPlatform.exe, WriteAddress = 0x01130000, Size = 4096
TargetProcess = conime.exe, WriteAddress = 0x00910000, Size = 8192
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x00d30000, Size = 4096
Behavior description: Enumerates processes
details: N/A
File behavior
Behavior description: Modifies original system EXE files
details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE---> Offset = 12382208
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe---> Offset = 401408
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe---> Offset = 98816
C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 253952
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1171456
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE---> Offset = 10419712
Behavior description: Creates executable files
details: C:\WINDOWS\system32\drivers\lgoep.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintfxy.exe
C:\fpqg.exe
C:\DiskD\lflpso.pif
C:\DiskX\bprch.exe
Behavior description: Modifies executable files via memory mapping
details: \device\harddiskvolume1\program files\microsoft office\office11\winword.exe
\device\harddiskvolume1\windows\system32\notepad.exe
\device\harddiskvolume1\windows\system32\cmb_pb_liveupdate.exe
\device\harddiskvolume1\program files\adobe\reader 9.0\reader\reader_sl.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
\device\harddiskvolume1\windows\system32\cmd.exe
\device\harddiskvolume1\program files\microsoft office\office11\excel.exe
Behavior description: Sets special file attributes
details: C:\fpqg.exe
C:\DiskD\lflpso.pif
C:\DiskX\bprch.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Maps files with write access
details: hh8geqpHJTkdns0
purity_control_90833
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdpae.exe
\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
\WINDOWS\system32\notepad.exe
\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
\DiskX\bprch.exe
\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
\Program Files\VMware\VMware Tools\VMwareTray.exe
\Program Files\VMware\VMware Tools\VMwareUser.exe
\WINDOWS\system32\cmd.exe
\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE
\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE
\Program Files\Microsoft Office 2007\Office12\EXCEL.EXE
\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
Behavior description: Creates an autorun file in the root directory
details: C:\autorun.inf
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file contents
details: C:\WINDOWS\system.ini---> Offset = 231
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdpae.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwioj.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qbjis.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xjesv.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uipuq.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xoby.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winygyos.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\edwc.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ahjld.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winoclvrx.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ulxidr.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nwhpk.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fclb.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrgug.exe---> Offset = 0
Network behavior
Behavior description: Opens URLs over the network
details: InternetOpenUrlA: http://althawry.org/images/xs.jpg?5677b=1770855 hInternet = 0x0000057c
InternetOpenUrlA: http://www.careerdesk.org/images/xs.jpg?567f8=1417184 hInternet = 0x0000057c
InternetOpenUrlA: http://arthur.niria.biz/xs.jpg?56818=2834624 hInternet = 0x0000057c
InternetOpenUrlA: http://amsamex.com/xs.jpg?56837=1063077 hInternet = 0x0000057c
InternetOpenUrlA: http://apple-pie.in/images/xs.jpg?56866=708812 hInternet = 0x0000057c
InternetOpenUrlA: http://ahmediye.net/xs.jpg?56885=3189933 hInternet = 0x0000057c
InternetOpenUrlA: http://g2.arrowhitech.com/xs.jpg?568b4=1772420 hInternet = 0x0000057c
InternetOpenUrlA: http://ampyazilim.com.tr/images/xs2.jpg?56912=1418312 hInternet = 0x00000570
InternetOpenUrlA: http://althawry.org/images/xs.jpg?56d38=2133840 hInternet = 0x0000061c
InternetOpenUrlA: http://www.careerdesk.org/images/xs.jpg?56d86=2845744 hInternet = 0x0000061c
InternetOpenUrlA: http://arthur.niria.biz/xs.jpg?56e51=3559210 hInternet = 0x0000061c
InternetOpenUrlA: http://amsamex.com/xs.jpg?56eaf=2492105 hInternet = 0x0000061c
InternetOpenUrlA: http://apple-pie.in/images/xs.jpg?56f0d=712218 hInternet = 0x0000061c
InternetOpenUrlA: http://ahmediye.net/xs.jpg?56fc8=1781480 hInternet = 0x0000061c
InternetOpenUrlA: http://g2.arrowhitech.com/xs.jpg?57084=1782420 hInternet = 0x00000550
Behavior description: Downloads files
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwioj.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qbjis.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xjesv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uipuq.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xoby.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winygyos.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\edwc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ahjld.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winoclvrx.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ulxidr.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nwhpk.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fclb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrgug.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsgyuc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrnckb.exe
Behavior description: Reads network files
details: hFile = 0x0000057c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000570, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000061c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000550, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000568, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000548, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000540, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000534, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000538, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000528, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000520, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000052c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004f8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000500, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004f0, BytesToRead =1024, BytesRead = 1024.
Registry behavior
Behavior description: Modifies registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\%temp%\1424777982.919947.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\1768776769
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\-757413758
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\1011363011
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\-1514827516
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\253949253
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\-503464505
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A4_0
Behavior description: Modifies registry: Explorer file display settings
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description: Modifies registry: UAC key setting
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Deletes registry keys
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon
Behavior description: Modifies registry: Security Center settings
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description: Deletes registry values
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A4_0
Other behavior
Behavior description: Creates driver file images
details: C:\WINDOWS\system32\drivers\ipfltdrv.sys
C:\WINDOWS\system32\drivers\lgoep.sys
Behavior description: Creates mutexes
details: uxJLpe1m
smss.exeM_540_
csrss.exeM_596_
winlogon.exeM_620_
services.exeM_664_
lsass.exeM_676_
vboxservice.exeM_836_
33acthlp.exeM_848_
svchost.exeM_892_
svchost.exeM_956_
svchost.exeM_996_
svchost.exeM_1080_
svchost.exeM_1144_
spoolsv.exeM_1236_
33upgradehelper.exeM_1516_
Behavior description: Attempts to connect to a rootkit driver device object
details: \??\amsint32
Behavior description: Loads a driver (standard method)
details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\lgoep.sys
Behavior description: Starts system services
details: [Service started successfully]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[Service started successfully]: , amsint32, \??\C:\WINDOWS\system32\drivers\lgoep.sys
Behavior description: Acquires system privileges
details: SE_DEBUG_PRIVILEGE
Behavior description: Stops system services
details: ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Detects VMware by querying file attributes
details: GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Creates system services
details: [Service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[Service created successfully]: amsint32, C:\WINDOWS\system32\drivers\lgoep.sys
Abnormal crash