VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 60
Behavior list
Basic Information
MD5: e3c1f368d6927b2d1bcdd6e65b0de5a3
File type: EXE
Production company:
Version:
Shell or compiler information: PACKER: UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
Subfile information: upx30_a4d483f6dumpFile / bf68e0efb34e56ab2681233661840aab / EXE
Key behavior
Behavior description: Create file mapping with write access
details:CiceroSharedMemDefaultS-*
DfSharedHeap3D40C7
DFMap0-4014305
DfRoot0003D40C7
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Hide specified window
details:[Window,Class] = [csdfasdf,ThunderRT6Main]
[Window,Class] = [,ThunderRT6FormDC]
Behavior description: Set thread context
details:C:\WINDOWS\system32\ntvdm.exe
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = regsvr32 /s "c:\windows\system32\mswinsck.ocx"
ImagePath = , CmdLine = regsvr32 /s "c:\docume~1\admini~1\locals~1\temp\~dfa3515.tmp"
Behavior description: Create process
details:ImagePath = C:\WINDOWS\system32\ntvdm.exe, CmdLine = "C:\WINDOWS\system32\ntvdm.exe" -f -i1 -o
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\WINDOWS\system32\mswinsck.ocx"
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp"
Behavior description: Set thread context
details:C:\WINDOWS\system32\ntvdm.exe
Behavior description: Enumerate processes
details:N/A
File behavior
Behavior description: Create file mapping with write access
details:CiceroSharedMemDefaultS-*
DfSharedHeap3D40C7
DFMap0-4014305
DfRoot0003D40C7
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
details:C:\WINDOWS\sys.dat---> Offset = 0
C:\WINDOWS\sys.dat---> Offset = 450
C:\WINDOWS\system32\xvqcv.exe---> Offset = 12288
C:\WINDOWS\win.ini---> Offset = 0
C:\WINDOWS\win.ini---> Offset = 492
C:\WINDOWS\sys.dat---> Offset = 162
C:\WINDOWS\Temp\scs3.tmp---> Offset = 36
C:\WINDOWS\sys.dat---> Offset = 408
C:\WINDOWS\Temp\scs4.tmp---> Offset = 77
C:\WINDOWS\sys.dat---> Offset = 1226
C:\WINDOWS\sys.dat---> Offset = 1264
C:\WINDOWS\sys.dat---> Offset = 2938
C:\WINDOWS\sys.dat---> Offset = 2940
C:\WINDOWS\sys.dat---> Offset = 3406
C:\WINDOWS\sys.dat---> Offset = 3916
Behavior description: Search for file
details:FileName = C:\WINDOWS\system32\xvqcv.exe
FileName = C:\WINDOWS\system32\xvqcv.exebak
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\sys.dat
FileName = C:\WINDOWS\system32\mswinsck.ocx
FileName = C:*.*
FileName = C:\MSDOS.SYS
FileName = C:\IO.SYS
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\Documents and Settings
Behavior description: Create executable file
details:C:\WINDOWS\system32\mswinsck.ocx
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp
Network behavior
Behavior description: Open URL over network
details:InternetOpenUrlA: http://www.zgwm.net/ahjw-hnhnrwdong.txt hInternet = 0x0000067c
Behavior description: Download file
details:URLDownloadToFileW: http://www.zgwm.net/ahjw-hnhnrwdong.exe ---> C:\WINDOWS\system32\xvqcv.exebak
C:\WINDOWS\system32\xvqcv.exebak
URLDownloadToFileW: http://www.pc918.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.yswm.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.v138.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.v345.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.ahwm.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://user.yswm.net/yswm/hnhnrwdong.ini ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4537.dat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4537.dat
Behavior description: Read network file
details:hFile = 0x0000067c, BytesToRead =256, BytesRead = 256.
Registry behavior
Behavior description: Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
Behavior description: Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
SHIMLIB_LOG_MUTEX
Behavior description: Hide specified window
details:[Window,Class] = [csdfasdf,ThunderRT6Main]
[Window,Class] = [,ThunderRT6FormDC]
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [ConsoleWindowClass,ntvdm-824.828.3c0002]
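Read together, the rows above describe a UPX-packed executable built on the VB6 runtime (ThunderRT6Main / ThunderRT6FormDC are VB6 window classes) that drops mswinsck.ocx (the Winsock ActiveX control; its ProgID MSWinsock.Winsock appears under Registry behavior) plus a file in Temp, registers both silently with regsvr32 /s, fetches files from several hosts, writes a download straight into system32 and modifies win.ini. What an analyst usually wants from such a report is the network and host IOCs pulled out and a few mechanical checks run over the behaviors. The script below is an added example, not VirSCAN's code or output: REPORT is constructed from a subset of the rows above, the line-oriented layout it parses is an assumption about how the report is rendered, and the rules in triage() are the editor's, not VirSCAN's safety-rating logic.

```python
"""Turn a VirSCAN-style behavior log into IOCs and triage findings.
Added example, not VirSCAN code.  REPORT is constructed from the report
above (subset); the section / "Behavior description:" / "details:" layout
is an assumption about how the report is rendered."""
import re
from collections import defaultdict

SECTIONS = {"Key behavior", "Process behavior", "File behavior",
            "Network behavior", "Registry behavior", "Other behavior"}

REPORT = r"""Process behavior
Behavior description:Create process with hidden window
details:ImagePath = , CmdLine = regsvr32 /s "c:\windows\system32\mswinsck.ocx"
ImagePath = , CmdLine = regsvr32 /s "c:\docume~1\admini~1\locals~1\temp\~dfa3515.tmp"
File behavior
Behavior description:Modify file contents
details:C:\WINDOWS\system32\xvqcv.exe---> Offset = 12288
C:\WINDOWS\win.ini---> Offset = 492
Behavior description:Create executable file
details:C:\WINDOWS\system32\mswinsck.ocx
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA3515.tmp
Network behavior
Behavior description:Open URL over network
details:InternetOpenUrlA: http://www.zgwm.net/ahjw-hnhnrwdong.txt hInternet = 0x0000067c
Behavior description:Download file
details:URLDownloadToFileW: http://www.zgwm.net/ahjw-hnhnrwdong.exe ---> C:\WINDOWS\system32\xvqcv.exebak
URLDownloadToFileW: http://www.pc918.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.yswm.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.v138.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.v345.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://www.ahwm.net/file.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DFA8130.tmp
URLDownloadToFileW: http://user.yswm.net/yswm/hnhnrwdong.ini ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4537.dat
"""

URL_RE = re.compile(r"https?://[^\s\"']+")
DOWNLOAD_RE = re.compile(r"(https?://\S+)\s*--->\s*(\S.*)$")


def parse_report(text):
    """Return {section: {behavior: [row, ...]}}.  An unlabeled row is a
    continuation of the preceding 'details:' row, as in the rendering above."""
    parsed = defaultdict(lambda: defaultdict(list))
    section = behavior = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section, behavior = line, None
        elif line.startswith("Behavior description:"):
            behavior = line.split(":", 1)[1].strip()
        elif section and behavior:
            row = line[len("details:"):] if line.startswith("details:") else line
            parsed[section][behavior].append(row.strip())
    return parsed


def extract_iocs(parsed):
    """Pull URLs, hosts, (url, destination) download pairs and child
    command lines out of the parsed report."""
    urls, downloads = set(), []
    for rows in parsed.get("Network behavior", {}).values():
        for row in rows:
            urls.update(URL_RE.findall(row))
            m = DOWNLOAD_RE.search(row)
            if m:
                downloads.append((m.group(1), m.group(2).strip()))
    cmdlines = [row.split("CmdLine = ", 1)[1]
                for rows in parsed.get("Process behavior", {}).values()
                for row in rows if "CmdLine = " in row]
    hosts = sorted({u.split("/")[2].lower() for u in urls})
    return {"urls": sorted(urls), "hosts": hosts,
            "downloads": downloads, "cmdlines": cmdlines}


def triage(parsed, iocs):
    """Editor's own rules for the behaviors seen in this report."""
    findings = []
    for cmd in iocs["cmdlines"]:
        low = cmd.lower()
        if low.startswith("regsvr32") and "/s" in low and "\\temp\\" in low:
            findings.append("silent COM registration of a file dropped in Temp: " + cmd)
    for url, dest in iocs["downloads"]:
        if "\\system32\\" in dest.lower():
            findings.append(f"download written straight into system32: {url} -> {dest}")
    modified = parsed.get("File behavior", {}).get("Modify file contents", [])
    if any(row.lower().startswith(r"c:\windows\win.ini") for row in modified):
        findings.append("win.ini modified: check [windows] run=/load= (legacy autostart; bytes written are not in the report)")
    if len(iocs["hosts"]) >= 3:
        findings.append(f"{len(iocs['hosts'])} distinct download hosts: a fallback list, block all of them")
    if parsed.get("Process behavior", {}).get("Create process with hidden window"):
        findings.append("child processes started with hidden windows")
    return findings


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    iocs = extract_iocs(parsed)
    print("hosts:", ", ".join(iocs["hosts"]))
    for finding in triage(parsed, iocs):
        print("finding:", finding)
```

The hosts list is what goes into a DNS or proxy blocklist; the download pairs give the on-disk names (xvqcv.exebak, the DFA8130.tmp and 4537.dat temp files) to sweep for on other hosts, and the regsvr32 rule is worth keeping as a generic detection, since a silent registration of anything under a user's Temp directory is rarely legitimate.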