VirSCAN

File information
Security score: 71
Basic information
MD5: b339de14bae1157e652b0ea7d070113e
File type: DLL
Vendor:
Version:
Packer/compiler info: COMPILER:Microsoft Visual C++
Key behaviors
Behavior: Cross-process memory write
Details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdd008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 53248
Behavior: Set special file attributes
Details: C:\AnalyzeControl\lpk.dll
C:\WINDOWS\$NtUninstallKB2412687$\spuninst\lpk.dll
C:\WINDOWS\Temp\IRA98.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRA98.tmp\ANALYZ~1\lpk.dll
C:\WINDOWS\Temp\IRAC58.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAC58.tmp\ANALYZ~1\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\lpk.dll
C:\WINDOWS\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\a2865dcec9c5d3cc9c55f026cbad6fcc\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\9469981a17c01dd154c540127e678b35\lpk.dll
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Temp\lpk.dll
C:\Documents and Settings\Administrator\Application Data\SogouPY\lpk.dll
Behavior: Resolve host address by name
Details: asz111.3322.org
Behavior: Set thread context
Details: C:\WINDOWS\system32\svchost.exe
Behavior: Create system service
Details: [Service created successfully]: Distribulgs, C:\WINDOWS\system32\jabfaq.exe
Process behaviors
Behavior: Create process with hidden window
Details: ImagePath = , CmdLine = c:\windows\temp\hrl2.tmp
ImagePath = , CmdLine = cmd /c c:\progra~1\winrar\rar.exe vb "c:\analyzecontrol.rar" lpk.dll|find /i "lpk.dll"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\analyzecontrol.rar" *.exe "c:\windows\temp\ira98.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" a -r -ep1"c:\windows\temp\ira98.tmp" "c:\analyzecontrol.rar" "c:\windows\temp\ira98.tmp\lpk.dll"
ImagePath = , CmdLine = cmd /c rd /s /q "c:\windows\temp\ira98.tmp"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\analyzecontrol.rar" *.exe "c:\windows\temp\irac58.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" a -r -ep1"c:\windows\temp\irac58.tmp" "c:\analyzecontrol.rar" "c:\windows\temp\irac58.tmp\lpk.dll"
ImagePath = , CmdLine = cmd /c rd /s /q "c:\windows\temp\irac58.tmp"
ImagePath = , CmdLine = cmd /c c:\progra~1\winrar\rar.exe vb "c:\documents and settings\administrator\application data\sogouexplorer\localpage\error404.zip" lpk.dll|find /i "lpk.dll"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\documents and settings\administrator\application data\sogouexplorer\localpage\error404.zip" *.exe "c:\windows\temp\ira98.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\documents and settings\administrator\application data\sogouexplorer\localpage\error404.zip" *.exe "c:\windows\temp\irac58.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" a -r -ep1"c:\windows\temp\irac58.tmp" "c:\documents and settings\administrator\application data\sogouexplorer\localpage\error404.zip" "c:\windows\temp\irac58.tmp\lpk.dll"
ImagePath = , CmdLine = cmd /c c:\progra~1\winrar\rar.exe vb "c:\documents and settings\administrator\application data\sogouexplorer\localpage\myfavorstartpage.zip" lpk.dll|find /i "lpk.dll"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\documents and settings\administrator\application data\sogouexplorer\localpage\myfavorstartpage.zip" *.exe "c:\windows\temp\irac58.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" a -r -ep1"c:\windows\temp\irac58.tmp" "c:\documents and settings\administrator\application data\sogouexplorer\localpage\myfavorstartpage.zip" "c:\windows\temp\irac58.tmp\lpk.dll"
Behavior: Cross-process memory write
Details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdd008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 53248
Behavior: Create process from newly created file
Details: ImagePath = C:\WINDOWS\TEMP\hrl2.tmp, CmdLine = C:\WINDOWS\TEMP\hrl2.tmp
ImagePath = C:\WINDOWS\system32\jabfaq.exe, CmdLine = C:\WINDOWS\system32\jabfaq.exe
Behavior: Create process
Details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\PROGRA~1\WinRAR\rar.exe vb "C:\AnalyzeControl.rar" lpk.dll|find /i "lpk.dll"
ImagePath = C:\WINDOWS\system32\svchost.exe, CmdLine = svchost.exe
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb "C:\AnalyzeControl.rar" lpk.dll
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find /i "lpk.dll"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" x "C:\AnalyzeControl.rar" *.exe "C:\WINDOWS\TEMP\IRA98.tmp\"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" a -r -ep1"C:\WINDOWS\TEMP\IRA98.tmp" "C:\AnalyzeControl.rar" "C:\WINDOWS\TEMP\IRA98.tmp\lpk.dll"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c RD /s /q "C:\WINDOWS\TEMP\IRA98.tmp"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" x "C:\AnalyzeControl.rar" *.exe "C:\WINDOWS\TEMP\IRAC58.tmp\"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" a -r -ep1"C:\WINDOWS\TEMP\IRAC58.tmp" "C:\AnalyzeControl.rar" "C:\WINDOWS\TEMP\IRAC58.tmp\lpk.dll"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c RD /s /q "C:\WINDOWS\TEMP\IRAC58.tmp"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\PROGRA~1\WinRAR\rar.exe vb "C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\Error404.zip" lpk.dll|find /i "lpk.dll"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb "C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\Error404.zip" lpk.dll
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" x "C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\Error404.zip" *.exe "C:\WINDOWS\TEMP\IRA98.tmp\"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" x "C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\Error404.zip" *.exe "C:\WINDOWS\TEMP\IRAC58.tmp\"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" a -r -ep1"C:\WINDOWS\TEMP\IRAC58.tmp" "C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\Error404.zip" "C:\WINDOWS\TEMP\IRAC58.tmp\lpk.dll"
Behavior: Set thread context
Details: C:\WINDOWS\system32\svchost.exe
Behavior: Enumerate processes
Details: N/A
File behaviors
Behavior: Set special file attributes
Details: C:\AnalyzeControl\lpk.dll
C:\WINDOWS\$NtUninstallKB2412687$\spuninst\lpk.dll
C:\WINDOWS\Temp\IRA98.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRA98.tmp\ANALYZ~1\lpk.dll
C:\WINDOWS\Temp\IRAC58.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAC58.tmp\ANALYZ~1\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\lpk.dll
C:\WINDOWS\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\a2865dcec9c5d3cc9c55f026cbad6fcc\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\9469981a17c01dd154c540127e678b35\lpk.dll
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Temp\lpk.dll
C:\Documents and Settings\Administrator\Application Data\SogouPY\lpk.dll
Behavior: Rename file
Details: C:\WINDOWS\Temp\hrl2.tmp ---> C:\WINDOWS\Temp\SOFTWARE.LOG
C:\WINDOWS\system32\__rar_42.4818496 ---> C:\AnalyzeControl.rar
C:\RCX3.tmp ---> C:\WINDOWS\system32\hra33.dll
C:\WINDOWS\system32\__rar_42.4438496 ---> C:\AnalyzeControl.rar
Behavior: Create executable file
Details: C:\WINDOWS\Temp\hrl2.tmp
C:\WINDOWS\system32\jabfaq.exe
C:\AnalyzeControl\lpk.dll
C:\WINDOWS\$NtUninstallKB2412687$\spuninst\lpk.dll
C:\WINDOWS\Temp\IRA98.tmp\%temp%\1415845405.633725.exe
C:\WINDOWS\Temp\IRA98.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\system32\hra33.dll
C:\RCX3.tmp
C:\WINDOWS\Temp\IRAC58.tmp\%temp%\1415845405.799105.exe
C:\WINDOWS\Temp\IRAC58.tmp\AnalyzeControl\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\lpk.dll
C:\WINDOWS\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\lpk.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\a2865dcec9c5d3cc9c55f026cbad6fcc\lpk.dll
Behavior: Modify file contents
Details: C:\WINDOWS\system32\__rar_42.4818496---> Offset = 20
C:\WINDOWS\system32\__rar_42.4438496---> Offset = 20
Network behaviors
Behavior: Send data on a connected socket
Details: SOCKET = 0x00000138, TotalSize = 364, Offset = 0, ReadSize = 364.
Behavior: Connect to a specified socket address
Details: 219.133.40.1:2323
Behavior: Resolve host address by name
Details: asz111.3322.org
Registry behaviors
Behavior: Modify registry
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\X\BaseClass
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Distribulgs\Description
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Behavior: Modify registry (pending file rename entry)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations
Other behaviors
Behavior: Create mutex
Details: Distribulgs
SHIMLIB_LOG_MUTEX
Behavior: Start system service
Details: [Service started successfully]: LocalSystem, Distribuoax Transaction Coordinator Service, C:\WINDOWS\system32\jabfaq.exe
Behavior: Create system service
Details: [Service created successfully]: Distribulgs, C:\WINDOWS\system32\jabfaq.exe
Behavior: Acquire system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Run screenshots