VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating: 20
Behavior list
Basic Information
MD5:ddef376a2fdb072e0c436ab14feecb16
file type:zip
Production company:
version:
Shell or compiler information:
Subfile information:!绿化.bat / 6d72c5981af23ad23ce57cccb92ef1b0 / Unknown
!卸载.bat / 17ce642872bf4531cc9c9c7543a9d5c1 / Unknown
Key behavior
Behavior description:Kill QQ process
details:TASKKILL = taskkill /f /im QQ.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\%temp%\****.exe
Behavior description:Create file on desktop
details:C:\Documents and Settings\Administrator\桌面\腾讯QQ.lnk
Behavior description:Kill process
details:TASKKILL = taskkill /f /im TXP*
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TASKKILL = taskkill /f /im tad*
TASKKILL = taskkill /f /im QQP*
TASKKILL = taskkill /f /im QQC*
Process behavior
Behavior description:Create process
details:[0x00000a78]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im TXP*
[0x00000ae4]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im tad*
[0x00000b40]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im QQP*
[0x00000b5c]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im QQC*
[0x00000b78]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im QQ.exe
[0x00000bbc]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKLM\SYSTEM\CurrentControlSet\services\QQProtect /F
[0x00000bc8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v personal
[0x00000bd8]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v personal
[0x00000be0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c echo Folders
[0x00000bfc]ImagePath = C:\WINDOWS\system32\xcopy.exe, CmdLine = xcopy /i/y/e Bin\TXSSO\Bin "C:\Program Files\Common Files\Tencent\TXSSO\Bin"
[0x00000c0c]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll"
[0x00000c3c]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKLM\Software\Tencent\TXSSO /f /v version /d "1.2.4.2"
[0x00000c9c]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s Bin\TXSSO\Npchrome\npactivex.dll
[0x00000ca4]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s Bin\TXSSO\Bin\SSOCommon.dll
[0x00000cac]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s Bin\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll
Behavior description:Create local thread
details:TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2680, ThreadID = 2688, StartAddress = 77E56C7D, Parameter = 000EAC20
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2680, ThreadID = 2692, StartAddress = 769AE43B, Parameter = 000ED5C8
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2680, ThreadID = 2696, StartAddress = 77E56C7D, Parameter = 000EDD50
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2788, ThreadID = 2820, StartAddress = 77E56C7D, Parameter = 000EAC20
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2788, ThreadID = 2824, StartAddress = 769AE43B, Parameter = 000ED4B0
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2788, ThreadID = 2840, StartAddress = 77E56C7D, Parameter = 000EDB78
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2880, ThreadID = 2888, StartAddress = 77E56C7D, Parameter = 000EAC20
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2880, ThreadID = 2892, StartAddress = 769AE43B, Parameter = 000ED4B0
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2880, ThreadID = 2896, StartAddress = 77E56C7D, Parameter = 000EDC68
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2908, ThreadID = 2924, StartAddress = 77E56C7D, Parameter = 000EAC20
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2908, ThreadID = 2928, StartAddress = 769AE43B, Parameter = 000ED5C8
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2908, ThreadID = 2932, StartAddress = 77E56C7D, Parameter = 000EDC90
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2936, ThreadID = 2956, StartAddress = 77E56C7D, Parameter = 000EAC20
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2936, ThreadID = 2960, StartAddress = 769AE43B, Parameter = 000ED5C0
TargetProcess: taskkill.exe, InheritedFromPID = 2660, ProcessID = 2936, ThreadID = 2964, StartAddress = 77E56C7D, Parameter = 000EDC58
Behavior description:Kill QQ process
details:TASKKILL = taskkill /f /im QQ.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\%temp%\****.exe
Behavior description:Kill process
details:TASKKILL = taskkill /f /im TXP*
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TASKKILL = taskkill /f /im tad*
TASKKILL = taskkill /f /im QQP*
TASKKILL = taskkill /f /im QQC*
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Application Data\Tencent\Logs\regsvr32.tlg
Behavior description:Delete file
details:C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\DR\st072500003.dr
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\InstallPackageDR\1219343.dr1
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\InstallPackageDR\1301640.dr2
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\Misc\EnvirConf.ini
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\QQSafeUD.exe
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TF000001.tsd
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TM000001.TSD
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TSEH.DAT
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TSEHRes.dat
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TSELoder.DAT
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TSEngine.DAT
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TSEPB.DAT
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\SafeBase\TSSafeEdit.dat
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\Skins\system\1.45_1\logon_preview.png
Behavior description:Modify file contents
details:C:\Documents and Settings\Administrator\桌面\腾讯QQ.lnk ---> Offset = 0
Behavior description:Create file on desktop
details:C:\Documents and Settings\Administrator\桌面\腾讯QQ.lnk
Behavior description:Search for file
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\!绿化.bat
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\taskkill.*
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\taskkill
FileName = C:\Python27\taskkill.*
FileName = C:\Python27\taskkill
FileName = C:\Python27\Scripts\taskkill.*
FileName = C:\Python27\Scripts\taskkill
FileName = C:\WINDOWS\system32\taskkill.*
FileName = C:\WINDOWS\system32\taskkill.COM
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\AppID
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ToolboxBitmap32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\1\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\TypeLib\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Version\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\0\win32\
\REGISTRY\MACHINE\SOFTWARE\Tencent\TXSSO\version
\REGISTRY\MACHINE\SOFTWARE\Tencent\QQ2009\Install
\REGISTRY\MACHINE\SOFTWARE\Tencent\QQ2009\version
Behavior description:Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Control\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\1\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Programmable\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ToolboxBitmap32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\TypeLib\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Version\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\
Other behavior
Behavior description:Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description:Create event object
details:EventName = Global\crypt32LogoffEvent
Behavior description:Open event
details:MSFT.VSA.COM.DISABLE.2680
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.2788
MSFT.VSA.COM.DISABLE.2880
MSFT.VSA.COM.DISABLE.2908
MSFT.VSA.COM.DISABLE.2936
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.3348
_fCanRegisterWithShellService
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description:Enumerate windows
details:N/A
Behavior description:Adjust process token privileges
details:SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Window information
details:Pid = 2660, Hwnd=0x10340, Text = 绿化, ClassName = ConsoleWindowClass.
Behavior description:Hide specified window
details:[Window,Class] = [loger command window,TXLOGGER_BYCORETEAM_SSO]
Behavior description:Open mutex
details:ShimCacheMutex
RasPbFile
DBWinMutex
Local\!IETld!Mutex
CtfmonInstMutexDefaultS-*