VirSCAN
File information
Safety rating: 76
Basic Information
MD5: b1760e948fe39b606e16a9d2169348df
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0
Key behavior
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Directly call critical system API
details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00404908
Behavior description: Modify registry: system firewall trusted-process list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Get TickCount value
details: TickCount = 238768, SleepMilliseconds = 50.
TickCount = 238831, SleepMilliseconds = 50.
TickCount = 238878, SleepMilliseconds = 50.
TickCount = 238893, SleepMilliseconds = 50.
TickCount = 238940, SleepMilliseconds = 50.
TickCount = 238956, SleepMilliseconds = 50.
TickCount = 239018, SleepMilliseconds = 50.
TickCount = 239081, SleepMilliseconds = 50.
TickCount = 239112, SleepMilliseconds = 50.
TickCount = 239190, SleepMilliseconds = 50.
TickCount = 239268, SleepMilliseconds = 50.
TickCount = 239331, SleepMilliseconds = 50.
TickCount = 239393, SleepMilliseconds = 50.
TickCount = 239456, SleepMilliseconds = 50.
TickCount = 239518, SleepMilliseconds = 50.
Process behavior
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2688, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2692, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2928, StartAddress = 00430EFB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2932, StartAddress = 01A5A77E, Parameter = 00271A28
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3156, StartAddress = 03907790, Parameter = 03994238
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3232, StartAddress = 04629DB3, Parameter = 040763E0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3236, StartAddress = 04629DB3, Parameter = 04076600
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3240, StartAddress = 04629DB3, Parameter = 04077AE0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3244, StartAddress = 0459CC40, Parameter = 039D34C0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3276, StartAddress = 04629DB3, Parameter = 0407C660
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3280, StartAddress = 04629DB3, Parameter = 0407CAA8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3284, StartAddress = 045BA2A0, Parameter = 04716CD0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3288, StartAddress = 00430EFB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3292, StartAddress = 77E56C7D, Parameter = 001F74E8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 3296, StartAddress = 769AE43B, Parameter = 0028AFD0
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini
C:\Documents and Settings\Administrator\My Documents\Mydm\MydmTask.db
C:\Documents and Settings\Administrator\My Documents\Mydm\MydmTask.db-journal
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Search for file
details: FileName = C:\Documents and Settings\Administrator\Application Data\Tencent
FileName = C:\Documents and Settings\Administrator\Application Data\Tencent\QQ
FileName = C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\STemp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\*_PlugIn.dll
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\My Documents\Mydm\MydmTask.db-journal
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 0
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 102
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 116
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 135
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 155
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 166
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 188
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 202
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 214
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 233
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 253
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 250
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 415
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 445
C:\Documents and Settings\Administrator\My Documents\Mydm\Mydm_Config.ini ---> Offset = 431
Network behavior
Behavior description: Connect to specified site
details: WinHttpConnect: ServerName = my****om, PORT = 80, UserName = , Password = , hSession = 0x03d63100, hConnect = 0x03d63200, Flags = 0x00000000
WinHttpConnect: ServerName = my****om, PORT = 80, UserName = , Password = , hSession = 0x05393100, hConnect = 0x05393200, Flags = 0x00000000
Behavior description: Open HTTP connection
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x03d63100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x05393100
Behavior description: Establish connection to a specified socket
details: URL: my****om, IP: **.133.40.**:80, SOCKET = 0x0000025c
URL: my****om, IP: **.133.40.**:80, SOCKET = 0x00000450
Behavior description: Send HTTP packet
details: GET /bit.txt HTTP/1.1 Accept: */* Referer: http://mydmplus.com/bit.txt Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: my****om Connection: Keep-Alive
Behavior description: Open HTTP request
details: WinHttpOpenRequest: my****om:80/bit.txt, hConnect = 0x03d63200, hRequest = 0x03ee0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: my****om:80/bit.txt, hConnect = 0x05393200, hRequest = 0x036c0000, Verb: GET, Referer: , Flags = 0x00000080
Behavior description: Resolve host address by name
details: GetAddrInfoW: my****om
GetAddrInfoW: ro****om
GetAddrInfoW: ro****et
gethostbyname: computer
Registry behavior
Behavior description: Modify registry: system firewall trusted-process list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Mydm_By_Mike
MSCTF.Shared.MUTEX.IOH
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
details: Pid = 2676, Hwnd=0x40420, Text = 20180601 Revised Basic Questions and Answers:, ClassName = Mydm.
Pid = 2676, Hwnd=0x70342, Text = Mydm, ClassName = Mydm.
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.2676
MSFT.VSA.IEC.STATUS.6c736db0
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceive.Event.IOH.IC
MSCTF.SendReceiveConection.Event.IOH.IC
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
[3]: MilliSeconds = 50.
[4]: MilliSeconds = 50.
[5]: MilliSeconds = 50.
[6]: MilliSeconds = 50.
[7]: MilliSeconds = 50.
[8]: MilliSeconds = 50.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 50.
Behavior description: Open mutex
details: ShimCacheMutex
DBWinMutex
Mydm_By_Mike
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
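The listing above is raw sandbox output: most of the mutexes and events are Text Services Framework and WinINet noise, while the analyst-relevant items (the unique Mydm_By_Mike mutex, the firewall AuthorizedApplications entry, the direct NtQueryInformationProcess call, the GetTickCount/Sleep and cursor polling) are scattered across sections and partly repeated from the Key behavior summary. As an added example, not VirSCAN's own code, the Python below parses a report in this layout, merges the duplicated entries, and separates IOCs from evasion indicators. It embeds an excerpt of the report above as sample input (masked values kept as masked, labels in English as translated here). The list of benign mutex prefixes, the host/URL patterns, and the reading of each TickCount line as a tick value recorded just before the logged Sleep are this example's own assumptions.

```python
"""Pull IOCs and evasion indicators out of a VirSCAN-style behaviour report.
Added example, not VirSCAN's code. Assumes the English behaviour labels used
above; the mutex prefixes and sleep-skew rule are this example's heuristics."""
import re

# Excerpt of the report above, embedded as sample input (masked values kept).
SAMPLE_REPORT = r"""Key behavior
Behavior description: Modify registry: system firewall trusted-process list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Get TickCount value
details: TickCount = 238768, SleepMilliseconds = 50.
TickCount = 238831, SleepMilliseconds = 50.
TickCount = 238878, SleepMilliseconds = 50.
TickCount = 238893, SleepMilliseconds = 50.
TickCount = 238940, SleepMilliseconds = 50.
Network behavior
Behavior description: Connect to specified site
details: WinHttpConnect: ServerName = my****om, PORT = 80, UserName = , Password = , hSession = 0x03d63100, hConnect = 0x03d63200, Flags = 0x00000000
Behavior description: Send HTTP packet
details: GET /bit.txt HTTP/1.1 Accept: */* Referer: http://mydmplus.com/bit.txt Accept-Language: zh-cn Host: my****om Connection: Keep-Alive
Behavior description: Resolve host address by name
details: GetAddrInfoW: my****om
GetAddrInfoW: ro****om
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
Mydm_By_Mike
MSCTF.Shared.MUTEX.IOH
Behavior description: Directly call critical system API
details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00404908
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
"""

SECTIONS = {"Key behavior", "Process behavior", "File behavior",
            "Network behavior", "Registry behavior", "Other behavior"}
# Assumption: these prefixes are OS / Text Services Framework noise, not sample IOCs.
BENIGN_MUTEX_PREFIXES = ("CTF.", "MSCTF.", "Local\\", "ShimCacheMutex", "DBWinMutex")
TICK_RE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (\d+)")
HOST_RE = re.compile(r"(?:ServerName = |GetAddrInfoW: |gethostbyname: )(\S+?)(?:,|$)")
URL_RE = re.compile(r"https?://\S+")


def parse_report(text):
    """Map each behaviour label to its detail lines; repeats from 'Key behavior' merge."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = None
        elif line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
            entries.setdefault(current, [])
        elif current is not None:
            detail = line.split(":", 1)[1].strip() if line.startswith("details:") else line
            if detail and detail != "N/A" and detail not in entries[current]:
                entries[current].append(detail)
    return entries


def custom_mutexes(entries):
    """Mutex names outside the OS noise; a unique one is a usable host IOC."""
    names = [m for key in ("Create mutex", "Open mutex") for m in entries.get(key, [])]
    return sorted({m for m in names if not m.startswith(BENIGN_MUTEX_PREFIXES)})


def network_iocs(entries):
    """Hosts from WinHttp/resolver lines plus any full URL leaked in request headers."""
    hosts, urls = set(), set()
    for key in ("Connect to specified site", "Resolve host address by name", "Send HTTP packet"):
        for d in entries.get(key, []):
            hosts.update(HOST_RE.findall(d))
            urls.update(URL_RE.findall(d))
    return {"hosts": sorted(hosts), "urls": sorted(urls)}


def sleep_skew(entries):
    """Delta between successive GetTickCount reads versus the Sleep requested.
    Assumes each line logs the tick read just before that Sleep; an interval
    shorter than the request suggests the sandbox is fast-forwarding Sleep."""
    samples = [(int(t), int(s)) for d in entries.get("Get TickCount value", [])
               for t, s in TICK_RE.findall(d)]
    deltas = [b - a for (a, _), (b, _) in zip(samples, samples[1:])]
    short = sum(1 for (_, s), d in zip(samples, deltas) if d < s)
    return {"polls": len(samples), "deltas": deltas, "short_intervals": short}


def evasion_findings(entries):
    """Anti-analysis indicators, each tied to the report line that supports it."""
    findings = []
    if any("NtQueryInformationProcess" in d
           for d in entries.get("Directly call critical system API", [])):
        findings.append("direct NtQueryInformationProcess call (common debugger check)")
    if any("SleepMilliseconds = 60000" in d for d in entries.get("Get cursor position", [])):
        findings.append("cursor position polled across a 60 s sleep (user-activity check)")
    skew = sleep_skew(entries)
    if skew["short_intervals"]:
        findings.append(f"{skew['short_intervals']}/{len(skew['deltas'])} tick intervals "
                        "shorter than the requested sleep")
    for path in entries.get("Modify registry: system firewall trusted-process list", []):
        if "AuthorizedApplications" in path:
            findings.append("firewall AuthorizedApplications whitelist entry: " + path)
    return findings
```

Run against the full report rather than the excerpt, the same functions return Mydm_By_Mike as the only non-system mutex and pick up the firewall whitelist path once even though the report prints it in both the Key behavior and Registry behavior sections. The sleep-skew figure is only a hint: GetTickCount has roughly 10-16 ms resolution, so an interval a few milliseconds short of 50 is normal, while the 15-16 ms intervals in this report are what an analyst would look at.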