VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Language
Server load
Server Load

文件信息
安全评分 :50
基本信息
MD5:e0cff807d890a7435f63c12b022c3404
文件类型:zip
出品公司:
版本:
壳或编译器信息:
子文件信息:华强呼死你短信轰炸机QQ137620296.exe / 65c359318602f834a8be68706bf0f1b7 / EXE
关键行为
行为描述:直接调用系统关键API
详情信息:Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008B8A7C
Index = 0x0000009B, Name: NtQueryInformationThread, Instruction Address = 0x0085CEA6
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008877A1
行为描述:设置特殊文件夹属性
详情信息:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
行为描述:直接获取CPU时钟
详情信息:EAX = 0x204871c6, EDX = 0x000000b7
EAX = 0x20487212, EDX = 0x000000b7
EAX = 0x2048725e, EDX = 0x000000b7
EAX = 0x204872aa, EDX = 0x000000b7
EAX = 0x204872f6, EDX = 0x000000b7
EAX = 0x20487342, EDX = 0x000000b7
EAX = 0x2048738e, EDX = 0x000000b7
EAX = 0x204873da, EDX = 0x000000b7
EAX = 0x20487426, EDX = 0x000000b7
EAX = 0x20487472, EDX = 0x000000b7
进程行为
行为描述:创建本地线程
详情信息:TargetProcess: 华强呼死你短信轰炸机QQ137620296.exe, InheritedFromPID = 2000, ProcessID = 2840, ThreadID = 2852, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 华强呼死你短信轰炸机QQ137620296.exe, InheritedFromPID = 2000, ProcessID = 2840, ThreadID = 3148, StartAddress = 00816C09, Parameter = 0018B3E8
TargetProcess: 华强呼死你短信轰炸机QQ137620296.exe, InheritedFromPID = 2000, ProcessID = 2840, ThreadID = 3256, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: 华强呼死你短信轰炸机QQ137620296.exe, InheritedFromPID = 2000, ProcessID = 2840, ThreadID = 3308, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 华强呼死你短信轰炸机QQ137620296.exe, InheritedFromPID = 2000, ProcessID = 2840, ThreadID = 3312, StartAddress = 7C930230, Parameter = 00000000
文件行为
行为描述:覆盖已有文件
详情信息:C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
行为描述:设置特殊文件夹属性
详情信息:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
行为描述:查找文件
详情信息:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
网络行为
行为描述:连接指定站点
详情信息:InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
行为描述:打开HTTP连接
详情信息:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), hSession = 0x00cc0004
行为描述:建立到一个指定的套接字连接
详情信息:URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000294
行为描述:读取网络文件
详情信息:hFile = 0x00cc000c, BytesToRead =102400, BytesRead = 102400.
行为描述:发送HTTP包
详情信息:GET /DDSD/gx.asp HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: */* Host: ww****cn Cache-Control: no-cache
行为描述:打开HTTP请求
详情信息:HttpOpenRequestA: ww****cn:80/ddsd/gx.asp, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
行为描述:按名称获取主机地址
详情信息:gethostbyname: ww****cn
GetAddrInfoW: ww****cn
注册表行为
行为描述:修改注册表
详情信息:\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
行为描述:删除注册表键值
详情信息:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述:直接调用系统关键API
详情信息:Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008B8A7C
Index = 0x0000009B, Name: NtQueryInformationThread, Instruction Address = 0x0085CEA6
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008877A1
行为描述:创建互斥体
详情信息:RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
行为描述:创建事件对象
详情信息:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
行为描述:打开互斥体
详情信息:RasPbFile
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
行为描述:打开事件
详情信息:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
行为描述:直接获取CPU时钟
详情信息:EAX = 0x204871c6, EDX = 0x000000b7
EAX = 0x20487212, EDX = 0x000000b7
EAX = 0x2048725e, EDX = 0x000000b7
EAX = 0x204872aa, EDX = 0x000000b7
EAX = 0x204872f6, EDX = 0x000000b7
EAX = 0x20487342, EDX = 0x000000b7
EAX = 0x2048738e, EDX = 0x000000b7
EAX = 0x204873da, EDX = 0x000000b7
EAX = 0x20487426, EDX = 0x000000b7
EAX = 0x20487472, EDX = 0x000000b7
运行截图
VirSCAN

About VirSCAN | Privacy Policy | Contact us | link | Help VirSCAN
Translated by Keith Miller, United States
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号