VirSCAN

File information
Safety rating:60
Behavior list
Basic Information
MD5:f7557941b56d09172c81371b9def0c80
file type:EXE
Production company:
version:
Shell or compiler information:PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
Subfile information:upx30_cdd305e8dumpFile / 168c3ceb7abdf2fafe9db6f79a25c094 / EXE
Key behavior
Behavior description: Modify HOSTS file
details:C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1164
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1199
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1233
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1283
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1333
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1377
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1405
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1433
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1467
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1495
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1522
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1551
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1580
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1611
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1644
Behavior description: Get TickCount value
details:TickCount = 239431, SleepMilliseconds = 25.
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat" "C:/Documents and Settings/Administrator/Local Settings/Temp/EB93A6/%temp%\****.exe"
Behavior description: Create process
details:[0x00000b28]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat" "C:/Documents and Settings/Administrator/Local Settings/Temp/EB93A6/%temp%\****.exe""
[0x00000b30]ImagePath = C:\WINDOWS\system32\attrib.exe, CmdLine = attrib C:\WINDOWS\SYSTEM32\drivers\etc\hosts -r
[0x00000b38]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000b44]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000b68]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000b74]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000b80]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000ba8]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000bb4]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000bc0]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000be4]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000bf0]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000c4c]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000c88]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
[0x00000cb0]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = C:\WINDOWS\system32\ipconfig /flushdns
Behavior description: Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2716, ThreadID = 2852, StartAddress = 765E964D, Parameter = 001C64E8
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
Behavior description: Modify BAT script file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat ---> Offset = 11
C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat ---> Offset = 8007
Behavior description: Modify HOSTS file
details:C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1164
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1199
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1233
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1283
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1333
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1377
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1405
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1433
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1467
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1495
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1522
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1551
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1580
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1611
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 1644
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp
Behavior description: Find file
details:FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp\广联达屏蔽软件.bat
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Create event object
details:EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
Behavior description: Get TickCount value
details:TickCount = 239431, SleepMilliseconds = 25.
Behavior description: Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 25.
[2]: MilliSeconds = 25.
[3]: MilliSeconds = 25.
[4]: MilliSeconds = 25.
[5]: MilliSeconds = 25.
[6]: MilliSeconds = 25.
[7]: MilliSeconds = 25.
[8]: MilliSeconds = 25.
[9]: MilliSeconds = 25.
[10]: MilliSeconds = 25.
Behavior description: Open mutex
details:ShimCacheMutex
Local\!IETld!Mutex
Run screenshot