VirSCAN


File information
Security score: 70
Behavior list
Basic information
MD5: aa47b4b3ce384850d6589e61e60272ff
File type: EXE
Publisher: 非凡登陆网关
Version: 1.7.2.0---1.7.2.0
Packer/compiler info: COMPILER:Borland Delphi 6.0 - 7.0
Key behaviors
Behavior: Blocks window close messages
Details: hWnd = 0x000f034a, Text = 登陆网关 - 非凡登陆器(7000), ClassName = TFormMain.
hWnd = 0x000f033c, Text = 996e, ClassName = TApplication.
Behavior: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Reads the CPU clock directly
Details: EAX = 0xf626fce8, EDX = 0x00001190
Behavior: Captures window screenshot information
Details: Foreground window Info: HWND = 0x00000000, DC = 0x13010632.
Process behavior
Behavior: Creates local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 1844, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 824, StartAddress = 71A2D161, Parameter = 00A76090
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 196, StartAddress = 719CD33A, Parameter = 001A0B68
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 564, StartAddress = 004053D4, Parameter = 00F451C0
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 412, StartAddress = 004053D4, Parameter = 00F451C0
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 1664, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 896, ThreadID = 1136, StartAddress = 7C930230, Parameter = 00000000
File behavior
Behavior: Creates file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\cgi_rss_out[1]
Behavior: Deletes file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\cgi_rss_out[1]
Behavior: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Searches for files
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Network behavior
Behavior: Connects to a specified site
Details: InternetConnectA: ServerName = fe****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior: Opens HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; 360SE), hSession = 0x00cc0004
Behavior: Establishes a socket connection to a specified address
Details: URL: , IP: **.0.0.**:5600, SOCKET = 0x00000184
URL: , IP: **.0.0.**:5500, SOCKET = 0x00000144
URL: fe****om, IP: **.133.40.**:80, SOCKET = 0x000002ec
URL: , IP: **.0.0.**:5500, SOCKET = 0x00000218
URL: , IP: **.0.0.**:5500, SOCKET = 0x00000284
URL: , IP: **.0.0.**:5500, SOCKET = 0x00000288
URL: , IP: **.0.0.**:5500, SOCKET = 0x00000194
URL: , IP: **.0.0.**:5500, SOCKET = 0x000002f4
URL: , IP: **.0.0.**:5500, SOCKET = 0x000002ec
URL: , IP: **.0.0.**:5500, SOCKET = 0x000002f0
URL: , IP: **.0.0.**:5500, SOCKET = 0x000002f8
URL: , IP: **.0.0.**:5500, SOCKET = 0x000002fc
Behavior: Reads network file
Details: hFile = 0x00cc000c, BytesToRead =1025, BytesRead = 1025.
Behavior: Sends HTTP packet
Details: GET /cgi-bin/cgi_rss_out?uin=7237230 HTTP/1.1 Accept: */* Accept-Language: zh-cn UA-CPU: x86 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; 360SE) Host: fe****om Connection: Keep-Alive Cache-Control: no-cache
Behavior: Opens HTTP request
Details: HttpOpenRequestA: fe****om:80/cgi-bin/cgi_rss_out?uin=7237230, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80400000
Behavior: Resolves host address by name
Details: gethostbyname: we****om
GetAddrInfoW: fe****om
Registry behavior
Behavior: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior: Creates mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.MMH
Behavior: Creates event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MMH.IC
EventName = MSCTF.SendReceiveConection.Event.MMH.IC
Behavior: Window information
Details: Pid = 896, Hwnd=0x8036e, Text = 禁止广告注册, ClassName = TCheckBox.
Pid = 896, Hwnd=0xb037c, Text = 显示非法封包, ClassName = TCheckBox.
Pid = 896, Hwnd=0x503ae, Text = 显示封包, ClassName = TCheckBox.
Pid = 896, Hwnd=0x303d4, Text = 开启攻击保护, ClassName = TCheckBox.
Pid = 896, Hwnd=0x303d0, Text = [16-14:12:02] 端口绑定(0.0.0.0:7000)... , ClassName = TMemo.
Pid = 896, Hwnd=0xf034a, Text = 登陆网关 - 非凡登陆器(7000), ClassName = TFormMain.
Pid = 896, Hwnd=0x130354, Text = 是(&Y), ClassName = Button.
Pid = 896, Hwnd=0xf02da, Text = 否(&N), ClassName = Button.
Pid = 896, Hwnd=0x3045e, Text = 是否确定关闭登陆网关?, ClassName = Static.
Pid = 896, Hwnd=0x703ce, Text = 提示信息, ClassName = #32770.
Pid = 896, Hwnd=0xe0396, Text = 是(&Y), ClassName = Button.
Pid = 896, Hwnd=0x100356, Text = 否(&N), ClassName = Button.
Pid = 896, Hwnd=0x503fe, Text = 是否确定关闭登陆网关?, ClassName = Static.
Pid = 896, Hwnd=0x2302f8, Text = 提示信息, ClassName = #32770.
Behavior: Reads the CPU clock directly
Details: EAX = 0xf626fce8, EDX = 0x00001190
Behavior: Searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior: Opens event
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000052
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000052
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Behavior: Blocks window close messages
Details: hWnd = 0x000f034a, Text = 登陆网关 - 非凡登陆器(7000), ClassName = TFormMain.
hWnd = 0x000f033c, Text = 996e, ClassName = TApplication.
Behavior: Enumerates windows
Details: N/A
Behavior: Captures window screenshot information
Details: Foreground window Info: HWND = 0x00000000, DC = 0x13010632.
Behavior: Opens mutex
Details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Runtime screenshot