VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain less than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information
Safety rating: 21
Behavior list
Basic Information
MD5: db92102c142a97620d0f02b3321d235b
File type: EXE
Production company:
Version:
Shell or compiler information: PACKER: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Subfile information: upx_c_382829a5dumpFile / f851f590d909b6e89efab0ec55b54c8b / EXE
Key behavior
Behavior description: Modifies existing system EXE files
details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe---> Offset = 176128
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe---> Offset = 221184
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe---> Offset = 176128
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe---> Offset = 221184
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe---> Offset = 221184
Behavior description: Writes data into another process (cross-process memory write)
details: TargetProcess = iexplore.exe, WriteAddress = 0x20070000, Size = 81920
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00030000, Size = 223
TargetProcess = iexplore.exe, WriteAddress = 0x00040000, Size = 165
TargetProcess = iexplore.exe, WriteAddress = 0x00050000, Size = 312
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12
TargetProcess = iexplore.exe, WriteAddress = 0x20070000, Size = 45056
TargetProcess = System, WriteAddress = 0x20080000, Size = 45056
TargetProcess = smss.exe, WriteAddress = 0x20080000, Size = 45056
C:\WINDOWS\system32\smss.exe
TargetProcess = smss.exe, WriteAddress = 0x00300000, Size = 563
TargetProcess = smss.exe, WriteAddress = 0x00310000, Size = 223
TargetProcess = smss.exe, WriteAddress = 0x00320000, Size = 48
TargetProcess = smss.exe, WriteAddress = 0x00330000, Size = 132
TargetProcess = csrss.exe, WriteAddress = 0x20080000, Size = 45056
Behavior description: Sets a startup entry
details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior description: Modifies executable files via memory mapping
details: \device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\arpproducticon.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut1_edd4abb1c1b34a9d84ce33fbfb5d3639.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut2_e88611396ff84afcb2ee5c1594058e02.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut311_0951773981fa4ab2bc21b7dcec95892a.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut31_2f252077ba3f4362913955273a708467.exe
\device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll
Behavior description: Writes into another process's code section
details: C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
Behavior description: Detects VMware by searching for files
details: FindFirstFileEx: FileName = c:\documents and settings\administrator\local settings\application data\vmware\*.*
FindFirstFileEx: FileName = c:\documents and settings\administrator\local settings\temp\vmwarednd\*.*
FindFirstFileEx: FileName = c:\documents and settings\all users\application data\vmware\*.*
Behavior description: Resolves host addresses by name
details: supnewdmn.com
google.com
tvrstrynyvwstrtve.com
rtvwerjyuver.com
wqerveybrstyhcerveantbe.com
Process behavior
Behavior description: Creates a process
details: ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Behavior description: Writes into another process's code section
details: C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
Behavior description: Enumerates processes
details: N/A
Behavior description: Writes data into another process (cross-process memory write)
details: TargetProcess = iexplore.exe, WriteAddress = 0x20070000, Size = 81920
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00030000, Size = 223
TargetProcess = iexplore.exe, WriteAddress = 0x00040000, Size = 165
TargetProcess = iexplore.exe, WriteAddress = 0x00050000, Size = 312
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12
TargetProcess = iexplore.exe, WriteAddress = 0x20070000, Size = 45056
TargetProcess = System, WriteAddress = 0x20080000, Size = 45056
TargetProcess = smss.exe, WriteAddress = 0x20080000, Size = 45056
C:\WINDOWS\system32\smss.exe
TargetProcess = smss.exe, WriteAddress = 0x00300000, Size = 563
TargetProcess = smss.exe, WriteAddress = 0x00310000, Size = 223
TargetProcess = smss.exe, WriteAddress = 0x00320000, Size = 48
TargetProcess = smss.exe, WriteAddress = 0x00330000, Size = 132
TargetProcess = csrss.exe, WriteAddress = 0x20080000, Size = 45056
File behavior
Behavior description: Modifies existing system EXE files
details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe---> Offset = 176128
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe---> Offset = 221184
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe---> Offset = 176128
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe---> Offset = 221184
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe---> Offset = 221184
Behavior description: Creates executable files
details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
C:\DiskX\RECYCLER\S-1-6-34-3175845737-2638803514-038416050-2745\JVTmZASl.exe
C:\DiskX\RECYCLER\S-1-6-34-3175845737-2638803514-038416050-2745\dZMlPFlE.cpl
Behavior description: Sets a startup entry
details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior description: Modifies executable files via memory mapping
details: \device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\arpproducticon.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut1_edd4abb1c1b34a9d84ce33fbfb5d3639.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut2_e88611396ff84afcb2ee5c1594058e02.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut311_0951773981fa4ab2bc21b7dcec95892a.exe
\device\harddiskvolume1\documents and settings\administrator\application data\microsoft\installer\{052cfb79-9d62-42e3-8a15-de66c2c97c3e}\newshortcut31_2f252077ba3f4362913955273a708467.exe
\device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll
Behavior description: Modifies existing system executable files
details: C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll---> Offset = 491520
Behavior description: Maps files with write permission
details: {2872B863-CECA-E562-CC5C-4F1A2BD10E1C}
\222c25ed\IE8-Setup-Full\IE-REDIST.EXE
\222c25ed\IE8-Setup-Full\ieakcust.dll
\222c25ed\IE8-Setup-Full\iedkcs32.dll
\222c25ed\IE8-Setup-Full\installservices.exe
\DiskX\RECYCLER\S-1-6-34-3175845737-2638803514-038416050-2745\JVTmZASl.exe
\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
\Documents and Settings\Administrator\Application Data\SogouExplorer\Bin\flash_wk.dll
\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll
\Documents and Settings\Administrator\Application Data\SogouExplorer\seupdater.dll
Behavior description: Modifies file contents
details: C:\Program Files\Internet Explorer\dmlconf.dat---> Offset = 0
C:\DiskX\autorun.inf---> Offset = 6504
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html---> Offset = 220767
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html---> Offset = 218962
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\popup.html---> Offset = 257499
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.secondAccount\0.0.0.1\backgroundpage.html---> Offset = 219191
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.share\0.0.0.1\backgroundpage.html---> Offset = 223300
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\background.html---> Offset = 219019
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\callback.html---> Offset = 220818
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\pop.html---> Offset = 230799
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\signin.html---> Offset = 218822
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\ translate.html---> Offset = 220746
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\backgroundpage.html---> Offset = 221457
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\google_translate.html---> Offset = 221521
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\translate.html---> Offset = 223322
Network behavior
Behavior description: Sends data on a connected socket
details: SOCKET = 0x000000d8, TotalSize = 6, Offset = 0, ReadSize = 6.
Behavior description: Establishes a connection to a specified socket address
details: 219.133.40.1:447
219.133.40.1:80
Behavior description: Resolves host addresses by name
details: supnewdmn.com
google.com
tvrstrynyvwstrtve.com
rtvwerjyuver.com
wqerveybrstyhcerveantbe.com
Other behavior
Behavior description: Creates mutexes
Behavior description: Installs inline hooks
details: C:\WINDOWS\system32\ntdll.dll--->ZwWriteVirtualMemory Offset = 0x0
C:\WINDOWS\system32\ntdll.dll--->NtResumeThread Offset = 0x0
C:\WINDOWS\system32\WS2_32.dll--->sendto Offset = 0x0
C:\WINDOWS\system32\WS2_32.dll--->recvfrom Offset = 0x0
C:\WINDOWS\system32\WS2_32.dll--->WSASend Offset = 0x0
C:\WINDOWS\system32\WS2_32.dll--->WSASendTo Offset = 0x0
C:\WINDOWS\system32\WS2_32.dll--->WSARecvFrom Offset = 0x0
C:\WINDOWS\system32\WS2_32.dll--->closesocket Offset = 0x0
C:\WINDOWS\system32\ntdll.dll--->LdrLoadDll Offset = 0x0
C:\WINDOWS\system32\ntdll.dll--->NtQueryDirectoryFile Offset = 0x0
Behavior description: Detects VMware by searching for files
details: FindFirstFileEx: FileName = c:\documents and settings\administrator\local settings\application data\vmware\*.*
FindFirstFileEx: FileName = c:\documents and settings\administrator\local settings\temp\vmwarednd\*.*
FindFirstFileEx: FileName = c:\documents and settings\all users\application data\vmware\*.*
Behavior description: Acquires system privileges
details: SE_DEBUG_PRIVILEGE