VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Safety rating: 84
Behavior list
Basic Information
MD5: 13d694bc466cd59f2bffe6daf8977c54
File type: EXE
Production company: 南京市建邺区七巧软件工作室 www.jpwb.cc
Version: 2012.12.30.22---2012.12.30.22
Shell or compiler information: COMPILER:Borland Delphi 2.0 [Overlay]
Key behavior
Behavior description: Modify registry (install input method entry)
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Keyboard Layout\Preload\2
Behavior description: Create shortcut on the desktop
details: C:\Documents and Settings\Administrator\桌面\2345网址导航.lnk
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [安装 - 极品五笔WinXP|7|8-(32|64bit)通用型,TWizardForm]
[Window,Class] = [2345浏览器在线安装程序,#32770]
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "c:\windows\system32\cmd.exe" /c echo y|cacls "c:\windows\system32\jpwb.*" /c /g administrators:f users:f guests:f
ImagePath = , CmdLine = "c:\windows\system32\cmd.exe" /c icacls.exe "c:\windows\system32\jpwb.*" /setintegritylevel level:l
ImagePath = , CmdLine = "c:\program files\jpwb\regjpwb32.exe"
ImagePath = , CmdLine = "c:\documents and settings\administrator\my documents\2345_15688_desk.exe"
ImagePath = , CmdLine = "c:\program files\jpwb\browser_2345.exe"
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c echo y|cacls "C:\WINDOWS\system32\jpwb.*" /C /G Administrators:F Users:F Guests:F
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" echo y"
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = cacls "C:\WINDOWS\system32\jpwb.*" /C /G Administrators:F Users:F Guests:F
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c icacls.exe "C:\WINDOWS\system32\jpwb.*" /SetIntegrityLevel Level:L
ImagePath = C:\WINDOWS\notepad.exe, CmdLine = "C:\WINDOWS\notepad.exe" C:\Program Files\jpwb\Readme.txt
Behavior description: Create process from newly created file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-SO5KG.tmp\sample.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-SO5KG.tmp\sample.tmp" /SL5="$1034C,1369168,51712,c:\%temp%\1422622163.749102.exe"
ImagePath = C:\Program Files\jpwb\RegJpwb32.exe, CmdLine = "C:\Program Files\jpwb\RegJpwb32.exe"
ImagePath = C:\Documents and Settings\Administrator\My Documents\2345_15688_desk.exe, CmdLine = "C:\Documents and Settings\Administrator\My Documents\2345_15688_desk.exe"
ImagePath = C:\Program Files\2345desk\2345_15688_desk.exe, CmdLine = "C:\Program Files\2345desk\2345_15688_desk.exe" jifen_install
ImagePath = C:\Program Files\jpwb\browser_2345.exe, CmdLine = "C:\Program Files\jpwb\browser_2345.exe"
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start menu)
details: C:\Documents and Settings\Administrator\「开始」菜单\现代五笔──挑战极限.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\向初学者推荐:现代五笔.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\极品五笔2012珍藏版自述.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\极品五笔2012珍藏版帮助.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\极品五笔输入法发布主页.url
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\卸载极品五笔2012珍藏版.lnk
C:\Documents and Settings\Administrator\「开始」菜单\2345网址导航.lnk
Behavior description: Create executable file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-SO5KG.tmp\sample.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-5C6EO.tmp\_isetup\_RegDLL.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-5C6EO.tmp\_isetup\_shfoldr.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-5C6EO.tmp\_isetup\_isdecmp.dll
C:\Program Files\jpwb\is-AKN5C.tmp
C:\WINDOWS\system32\is-JI2DQ.tmp
C:\Program Files\jpwb\is-OTDA2.tmp
C:\Program Files\jpwb\is-FLUP0.tmp
C:\Documents and Settings\Administrator\My Documents\is-U0PUI.tmp
C:\Program Files\jpwb\is-CESM1.tmp
C:\Program Files\2345desk\2345desk.exe
C:\Documents and Settings\Administrator\Application Data\2345.com\2345_15688_desk.exe
Behavior description: Create shortcut on the desktop
details: C:\Documents and Settings\Administrator\桌面\2345网址导航.lnk
Behavior description: Create file mapping with write permission
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.IIK..MPMFF
MSCTF.MarshalInterface.FileMap.IIK.B.MPMFF
MSCTF.MarshalInterface.FileMap.IIK.C.MPMFF
MSCTF.MarshalInterface.FileMap.IIK.D.MPMFF
MSCTF.MarshalInterface.FileMap.IIK.E.MPMFF
MSCTF.MarshalInterface.FileMap.IIK.F.MANFF
MSCTF.MarshalInterface.FileMap.IIK.G.MANFF
MSCTF.Shared.SFM.IIK
MSCTF.MarshalInterface.FileMap.MAI..ALPKF
MSCTF.MarshalInterface.FileMap.MAI.B.ALPKF
MSCTF.MarshalInterface.FileMap.MAI.C.ALPKF
MSCTF.MarshalInterface.FileMap.MAI.D.ALPKF
MSCTF.MarshalInterface.FileMap.MAI.E.ALPKF
MSCTF.MarshalInterface.FileMap.MAI.F.ALPKF
Behavior description: Rename file
details: C:\Program Files\jpwb\is-AKN5C.tmp ---> C:\Program Files\jpwb\unins000.exe
C:\WINDOWS\system32\is-JI2DQ.tmp ---> C:\WINDOWS\system32\jpwb.IME
C:\WINDOWS\system32\is-C1PCA.tmp ---> C:\WINDOWS\system32\jpwb.MB
C:\Program Files\jpwb\is-OTDA2.tmp ---> C:\Program Files\jpwb\duoduo.EXE
C:\Program Files\jpwb\is-FLUP0.tmp ---> C:\Program Files\jpwb\RegJpwb32.exe
C:\WINDOWS\Help\is-TR36T.tmp ---> C:\WINDOWS\Help\xiandai.chm
C:\WINDOWS\Help\is-MK2SN.tmp ---> C:\WINDOWS\Help\jpwb.chm
C:\Program Files\jpwb\is-A5OR3.tmp ---> C:\Program Files\jpwb\Readme.txt
C:\Program Files\jpwb\is-UV494.tmp ---> C:\Program Files\jpwb\卸载说明.txt
C:\Documents and Settings\Administrator\My Documents\is-U0PUI.tmp ---> C:\Documents and Settings\Administrator\My Documents\2345_15688_desk.exe
C:\Program Files\jpwb\is-CESM1.tmp ---> C:\Program Files\jpwb\browser_2345.exe
C:\Program Files\2345desk\2345desk.exe ---> C:\Program Files\2345desk\2345_15688_desk.exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
details: C:\WINDOWS\system32\is-C1PCA.tmp---> Offset = 262144
C:\WINDOWS\Help\is-TR36T.tmp---> Offset = 0
C:\WINDOWS\Help\is-MK2SN.tmp---> Offset = 0
C:\Program Files\jpwb\is-A5OR3.tmp---> Offset = 0
C:\Program Files\jpwb\is-UV494.tmp---> Offset = 0
C:\Documents and Settings\Administrator\「开始」菜单\现代五笔──挑战极限.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\向初学者推荐:现代五笔.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\极品五笔2012珍藏版自述.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\极品五笔2012珍藏版帮助.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\极品五笔输入法发布主页.url---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\极品五笔\卸载极品五笔2012珍藏版.lnk---> Offset = 0
C:\Program Files\jpwb\unins000.dat---> Offset = 460
C:\Documents and Settings\Administrator\Application Data\2345.com\url.ini---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\2345.com\url.ini---> Offset = 38
C:\Documents and Settings\Administrator\Application Data\2345.com\url.ini---> Offset = 61
Behavior description: Modify newly created executable file
details: C:\Program Files\jpwb\is-AKN5C.tmp---> Offset = 716728
Network behavior
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = union2.50bang.org, PORT = 80
Behavior description: Open URL over the network
details: InternetOpenUrlA: http://download.2345.cn/background/2345explorer_249981.exe?18467.41 hInternet = 0x00000164
Behavior description: Open HTTP request
details: HttpOpenRequestA: union2.50bang.org:80/web/ajax57?uid2=sptnpqrlsx&uid=9018013399965456402344&r=&lo=uniondeskinstall_k_version=5.0.0.25, hConnect = 0x00000244
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\<ENTER>
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\<SPACE>
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\FC aid
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\FC Input
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\GB/GBK
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\词语联想
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\词语输入
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\光标跟随
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\外码提示
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\极品五笔\逐渐提示
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{JPWB2012-QQ11-4C5F-B97C-BF6706BA594E}_is1\Inno Setup: Setup Version
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{JPWB2012-QQ11-4C5F-B97C-BF6706BA594E}_is1\Inno Setup: App Path
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{JPWB2012-QQ11-4C5F-B97C-BF6706BA594E}_is1\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{JPWB2012-QQ11-4C5F-B97C-BF6706BA594E}_is1\Inno Setup: Icon Group
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{JPWB2012-QQ11-4C5F-B97C-BF6706BA594E}_is1\Inno Setup: User
Behavior description: Modify registry (install input method entry)
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Keyboard Layout\Preload\2
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.IIK
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.MAI
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [安装 - 极品五笔WinXP|7|8-(32|64bit)通用型,TWizardForm]
[Window,Class] = [2345浏览器在线安装程序,#32770]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
details: Pid = 2692, Hwnd=0x10376, Text = 访问主页:www.Jpwb.cc, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x10374, Text = 极品五笔输入法安装向导 , ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x10372, Text = 请单击“下一步”安装极品五笔 2012 珍藏版。 如果您的系统中已经安装有本输入法的前期版本,安装程序将试图替换它。如果前期版本在本次, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x1036e, Text = 下一步(&N) >, ClassName = TNewButton.
Pid = 2692, Hwnd=0x1036c, Text = 取消, ClassName = TNewButton.
Pid = 2692, Hwnd=0x2035c, Text = 安装 - 极品五笔WinXP|7|8-(32|64bit)通用型, ClassName = TWizardForm.
Pid = 2692, Hwnd=0x10382, Text = 许可协议, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x10380, Text = 继续安装前请阅读下列重要信息。, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x1037c, Text = 请仔细阅读下列许可协议。您在继续安装前必须同意这些协议条款。, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x1037a, Text = 我同意此协议(&A), ClassName = TNewRadioButton.
Pid = 2692, Hwnd=0x10378, Text = 我不同意此协议(&D), ClassName = TNewRadioButton.
Pid = 2692, Hwnd=0x10384, Text = < 上一步(&B), ClassName = TNewButton.
Pid = 2692, Hwnd=0x10382, Text = 选择目标位置, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x10380, Text = 您想将 极品五笔WinXP|7|8-(32|64bit)通用型 安装在什么地方?, ClassName = TNewStaticText.
Pid = 2692, Hwnd=0x10390, Text = 安装程序将安装 极品五笔WinXP|7|8-(32|64bit)通用型 到下列文件夹中。, ClassName = TNewStaticText.
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
details: N/A