VirSCAN
File information
Security rating: 19
Behavior list
Basic information
MD5: 76ff145cd3b3f0fbb40b3320eb6cbb81
File type: EXE
Company: Microsoft Corporation
Version: 11.0.9600.16428---11.00.9600.16428 (winblue_gdr.131013-1700)
Packer or compiler information: COMPILER:FASM v1.5x *
Sub-file information: CDS.exe / 424bf196deaeb4ddcafb78e137fa560a / EXE
c.dat / 38754f69679935789676851279ffea5c / Unknown
cdd.zip / 1d5698b4e2dd3435d103865e881aa2dd / zip
lua5.1.dll / c3256800dce47c14acc83ccca4c3e2ac / DLL
CDS.cdd / 3e7ecaeb51c2812d13b07ec852d74aaf / zip
lua51.dll / 7fa818f532effd80cf7c1c54676e5a0d / DLL
ap1.dat / 93270c4fa492e4e4edee872a2b961dde / Unknown
ap2.dat / fc2a595f574b1ead82a6dcf06492c985 / Unknown
ap3.dat / 967fdfe0a01c083804673b4976ad6730 / zip
630_10.png / 340b294efc691d1b20c64175d565ebc7 / Unknown
fs.settings / 68934a3e9455fa72420237eb05902327 / Unknown
Key behaviors
Behavior description: cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x000a0000, Size = 0x0000000d TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00200000, Size = 0x0000000b TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00210000, Size = 0x00000006 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00220000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00230000, Size = 0x0000000b TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00240000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00250000, Size = 0x0000000d TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00260000, Size = 0x00000011 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00270000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00280000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00290000, Size = 0x00000013 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x002a0000, Size = 0x0000003a TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x002b0000, Size = 0x00000060 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x002c0000, Size = 0x000003b2 TargetPID = 0x00000c68
Behavior description: sets a message hook
Details: C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: creates a remote thread
Details: TargetProcess: notepad.exe, InheritedFromPID = 3144, ProcessID = 3176, ThreadID = 3184, StartAddress = 002C0000, Parameter = 002B0000
Behavior description: reads the TickCount value
Details: TickCount = 225781, SleepMilliseconds = 1000.
TickCount = 225246, SleepMilliseconds = 200.
Behavior description: sets special file attributes
Details: C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: sets special folder attributes
Details: C:\Documents and Settings\Administrator\My Documents\MSDCSC
Behavior description: modifies registry autostart entries
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
Process behavior
Behavior description: creates a process with a hidden window
Details: ImagePath = , CmdLine = notepad
Behavior description: cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x000a0000, Size = 0x0000000d TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00200000, Size = 0x0000000b TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00210000, Size = 0x00000006 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00220000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00230000, Size = 0x0000000b TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00240000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00250000, Size = 0x0000000d TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00260000, Size = 0x00000011 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00270000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00280000, Size = 0x0000000c TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x00290000, Size = 0x00000013 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x002a0000, Size = 0x0000003a TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x002b0000, Size = 0x00000060 TargetPID = 0x00000c68
TargetProcess = C:\WINDOWS\system32\notepad.exe, WriteAddress = 0x002c0000, Size = 0x000003b2 TargetPID = 0x00000c68
Behavior description: creates a process from a newly created file
Details: [0x00000be8]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.exe
[0x00000c48]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe"
[0x00000c9c]ImagePath = C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe, CmdLine = "C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe"
Behavior description: creates a process
Details: [0x00000c68]ImagePath = C:\WINDOWS\system32\notepad.exe, CmdLine = notepad
Behavior description: creates a remote thread
Details: TargetProcess: notepad.exe, InheritedFromPID = 3144, ProcessID = 3176, ThreadID = 3184, StartAddress = 002C0000, Parameter = 002B0000
Behavior description: enumerates processes
Details: N/A
Behavior description: creates a local thread
Details: TargetProcess: crypted.exe, InheritedFromPID = 3048, ProcessID = 3144, ThreadID = 3160, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: crypted.exe, InheritedFromPID = 3048, ProcessID = 3144, ThreadID = 3172, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: msdcsc.exe, InheritedFromPID = 3144, ProcessID = 3228, ThreadID = 3236, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: msdcsc.exe, InheritedFromPID = 3144, ProcessID = 3228, ThreadID = 3240, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: msdcsc.exe, InheritedFromPID = 3144, ProcessID = 3228, ThreadID = 3244, StartAddress = 0048E340, Parameter = 00000000
TargetProcess: msdcsc.exe, InheritedFromPID = 3144, ProcessID = 3228, ThreadID = 3248, StartAddress = 00482028, Parameter = 00000000
TargetProcess: msdcsc.exe, InheritedFromPID = 3144, ProcessID = 3228, ThreadID = 3252, StartAddress = 0040547C, Parameter = 00F24F40
TargetProcess: msdcsc.exe, InheritedFromPID = 3144, ProcessID = 3228, ThreadID = 3256, StartAddress = 0040547C, Parameter = 00F24F40
File behavior
Behavior description: creates a file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.cdd
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap1.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap2.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap3.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\fs.settings
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\c.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\cdd.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe
C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: creates an executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe
C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: copies a file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe ---> C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: sets special file attributes
Details: C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: deletes a file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\cdd.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\c.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\fs.settings
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap3.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap2.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap1.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.cdd
Behavior description: searches for files
Details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.cdd
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe
Behavior description: sets special folder attributes
Details: C:\Documents and Settings\Administrator\My Documents\MSDCSC
Behavior description: modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.cdd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 18972
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 51740
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 84508
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 117276
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 13852
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 46620
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 79388
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 112156
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png ---> Offset = 316
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap1.dat ---> Offset = 0
Network behavior
Behavior description: establishes a connection to a specified socket
Details: URL: ji****rg, IP: **.133.40.**:1604, SOCKET = 0x00000198
Behavior description: resolves a host address by name
Details: gethostbyname: ji****rg
Registry behavior
Behavior description: modifies the registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe
Behavior description: deletes a registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Behavior description: modifies registry autostart entries
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
Other behavior
Behavior description: creates a mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
DirectSound DllMain mutex (0x00000BE8)
DirectSound Administrator shared thread array (lock)
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.IOH
SHIMLIB_LOG_MUTEX
DC_MUTEX-ZF8GEV3
Behavior description: creates an event object
Details: EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.MOL.IC
EventName = MSCTF.SendReceiveConection.Event.MOL.IC
Behavior description: searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: window information
Details: Pid = 3048, Hwnd=0x10342, Text = CDSA, ClassName = Afx:00400000:3:00000000:00000006:000203BB.
Behavior description: reads the TickCount value
Details: TickCount = 225781, SleepMilliseconds = 1000.
TickCount = 225246, SleepMilliseconds = 200.
Behavior description: adjusts process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_SYSTEMTIME_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_REMOTE_SHUTDOWN_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_SYSTEM_ENVIRONMENT_PRIVILEGE
SE_SYSTEM_PROFILE_PRIVILEGE
SE_PROF_SINGLE_PROCESS_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
SE_CREATE_PAGEFILE_PRIVILEGE
Behavior description: opens an event
Details: HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe (signature verification: failed)
C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe (signature verification: failed)
Behavior description: calls the Sleep function
Details: [1]: MilliSeconds = 1000.
[1]: MilliSeconds = 10000.
[2]: MilliSeconds = 200.
[3]: MilliSeconds = 1000.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 10000.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 10000.
[10]: MilliSeconds = 1000.
Behavior description: hides a specified window
Details: [Window,Class] = [Debug,#32770]
[Window,Class] = [无标题 - 记事本,Notepad]
[Window,Class] = [CDSA,Afx:00400000:3:00000000:00000006:000203BB]
Behavior description: executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> file too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> c3256800dce47c14acc83ccca4c3e2ac
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll ---> 7fa818f532effd80cf7c1c54676e5a0d
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe ---> 50a807f9cbaa66ee521b126484223bff
C:\Documents and Settings\Administrator\My Documents\MSDCSC\msdcsc.exe ---> 50a807f9cbaa66ee521b126484223bff
Behavior description: opens a mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
Behavior description: loads a newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\lua5.1.dll.