VirSCAN

1, You can upload any file, but there is a 20 MB limit per file.
2, VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating: 30
Behavior list
Basic information
MD5: 1e08b5130185cfd6447f66de950ef3b0
File type: EXE
Vendor: Microsoft Corporation
Version: 5.1.2600.5512 --- 5.1.2600.5512 (xpsp.080413-2105)
Packer or compiler information:
Key behavior
Behavior description: Writes data into other processes (cross-process memory write)
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1446037741.229027.exe
C:\%temp%\1446037741.236114.exe
C:\%temp%\1446037741.243168.exe
Behavior description: Installs a message hook
details:C:\WINDOWS\system32\NARRHOOK.dll
Behavior description: Creates a remote thread
details:C:\WINDOWS\system32\winlogon.exe
Behavior description: Disables System File Protection
details:N/A
Behavior description: Modifies registry: Windows Firewall authorized application list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description: Creates writable file mappings (shared memory sections)
details:NarratorShared0
CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MFF..ELKGH
MSCTF.MarshalInterface.FileMap.MFF.B.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.C.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.D.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.E.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.F.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.G.EMKGH
MSCTF.Shared.SFM.MFF
MSCTF.MarshalInterface.FileMap.MFF.H.DKOKH
MSCTF.MarshalInterface.FileMap.MFF.I.BPOKH
MSCTF.MarshalInterface.FileMap.MFF.J.BPOKH
MSCTF.MarshalInterface.FileMap.MFF.K.BPOKH
MSCTF.MarshalInterface.FileMap.MFF.L.BPOKH
Behavior description: Modifies another process's memory through a memory mapping
details:TargetProcess = [System Process]
Behavior description: Resolves host address by name (DNS lookup)
details:ilo.brenz.pl
ant.trenz.pl
Process behavior
Behavior description: Writes data into other processes (cross-process memory write)
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1446037741.229027.exe
C:\%temp%\1446037741.236114.exe
C:\%temp%\1446037741.243168.exe
Behavior description: Creates a remote thread
details:C:\WINDOWS\system32\winlogon.exe
Behavior description: Modifies another process's memory through a memory mapping
details:TargetProcess = [System Process]
Behavior description: Enumerates processes
details:N/A
File behavior
Behavior description: Creates writable file mappings (shared memory sections)
details:NarratorShared0
CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MFF..ELKGH
MSCTF.MarshalInterface.FileMap.MFF.B.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.C.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.D.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.E.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.F.EMKGH
MSCTF.MarshalInterface.FileMap.MFF.G.EMKGH
MSCTF.Shared.SFM.MFF
MSCTF.MarshalInterface.FileMap.MFF.H.DKOKH
MSCTF.MarshalInterface.FileMap.MFF.I.BPOKH
MSCTF.MarshalInterface.FileMap.MFF.J.BPOKH
MSCTF.MarshalInterface.FileMap.MFF.K.BPOKH
MSCTF.MarshalInterface.FileMap.MFF.L.BPOKH
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\Speech\Files\UserLexicons\SP_B292F84F7D1E45159EE3E46016B5A7AD.dat---> Offset = 540
Network behavior
Behavior description: Sends data on a connected socket
details:SOCKET = 0x00000318, TotalSize = 20, Offset = 0, ReadSize = 20.
SOCKET = 0x00000318, TotalSize = 40, Offset = 0, ReadSize = 40.
SOCKET = 0x00000494, TotalSize = 20, Offset = 0, ReadSize = 20.
SOCKET = 0x00000494, TotalSize = 40, Offset = 0, ReadSize = 40.
Behavior description: Connects to a specified socket address
details:219.133.40.1:80
Behavior description: Resolves host address by name (DNS lookup)
details:ilo.brenz.pl
ant.trenz.pl
Registry behavior
Behavior description: Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Speech\Voices\DefaultTokenId
\REGISTRY\USER\S-*\Software\Microsoft\Speech\PhoneConverters\DefaultTokenId
\REGISTRY\USER\S-*\Software\Microsoft\Speech\CurrentUserLexicon\CLSID
\REGISTRY\USER\S-*\Software\Microsoft\Speech\CurrentUserLexicon\
\REGISTRY\USER\S-*\Software\Microsoft\Speech\CurrentUserLexicon\FlushRate
\REGISTRY\USER\S-*\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Behavior description: Modifies registry: Windows Firewall authorized application list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Other behavior
Behavior description: Creates mutexes
details:oleacc-msaa-loaded
NarratorMutex0
AK:NarratorRunning
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_Voices_Tokens_MSSam_Mutex
HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_Chinese_Mutex
HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_English_Mutex
HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_Japanese_Mutex
HKEY_CURRENT_USER_SOFTWARE_Microsoft_Speech_CurrentUserLexicon_Mutex
30F1B4D6-EEDA-11d2-9C23-00C04F8EF87C
Behavior description: Installs a message hook
details:C:\WINDOWS\system32\NARRHOOK.dll
Behavior description: Finds a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MSAA_DA_Class,MSAA_DA_1a0]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details:Pid = 416, Hwnd=0x202c8, Text = OK, ClassName = Button.
Pid = 416, Hwnd=0x202ca, Text = "Narrator" is a text-to-speech program that helps users with low vision set up their own computer or use someone else's computer. "Narrator" may not work well with some programs, and only, ClassName = Static.
Pid = 416, Hwnd=0x202c6, Text = Most people with visual impairments need a more capable screen reader to meet their daily needs. , ClassName = Static.
Pid = 416, Hwnd=0x302da, Text = For a list of Windows-based screen readers, see, ClassName = Static.
Pid = 416, Hwnd=0x302b8, Text = <A HREF="http://www.microsoft.com/isapi/redir.dll?prd=accessibility&ar=enable" TITLE="http://www.microsoft.com/" TARGET="_new">Mi, ClassName = Link Window.
Pid = 416, Hwnd=0x202b0, Text = To have "Narrator" read this or any text again, press CTRL + SHIFT + SPACEBAR., ClassName = Static.
Pid = 416, Hwnd=0x202ae, Text = Do not show this message again(&D), ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202c4, Text = Microsoft Narrator, ClassName = #32770.
Pid = 416, Hwnd=0x202a8, Text = Help(&H), ClassName = Button.
Pid = 416, Hwnd=0x202cc, Text = Voice(&V)..., ClassName = Button.
Pid = 416, Hwnd=0x202b4, Text = Exit(&X), ClassName = Button.
Pid = 416, Hwnd=0x302ba, Text = "Narrator" can read aloud menu commands, dialog box options, and more., ClassName = Static.
Pid = 416, Hwnd=0x302bc, Text = Announce events on screen(&A), ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202d4, Text = Read typed characters(&R), ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x302dc, Text = Move mouse pointer to the active item(&M), ClassName = Button(CheckBox).
Behavior description: Enables token privileges
details:SE_DEBUG_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
Behavior description: Reads the TickCount value
details:TickCount = 484994, SleepMilliseconds = 10.
TickCount = 485010, SleepMilliseconds = 10.
TickCount = 485025, SleepMilliseconds = 10.
TickCount = 485041, SleepMilliseconds = 10.
TickCount = 485072, SleepMilliseconds = 10.
TickCount = 485135, SleepMilliseconds = 10.
TickCount = 485150, SleepMilliseconds = 10.
TickCount = 485166, SleepMilliseconds = 10.
TickCount = 485181, SleepMilliseconds = 10.
TickCount = 485197, SleepMilliseconds = 10.
TickCount = 485213, SleepMilliseconds = 10.
TickCount = 485228, SleepMilliseconds = 10.
TickCount = 485244, SleepMilliseconds = 10.
TickCount = 485260, SleepMilliseconds = 10.
TickCount = 485275, SleepMilliseconds = 10.
Behavior description: Disables System File Protection
details:N/A
Behavior description: Calls the Sleep function
details:[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
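The report above is a flat "Behavior description:" / "details:" listing, which is awkward to triage by eye. The following Python is an added example written for this page; it is not part of the VirSCAN report or of any VirSCAN tooling. It parses that line format, pulls out the network and host indicators, and flags the entries that a genuine Microsoft Narrator build has no reason to produce: a remote thread created in winlogon.exe, a Windows Firewall exception added for winlogon.exe, and DNS lookups of hosts outside Microsoft's domains. The sample report is a constructed excerpt copied from the entries above (with labels translated); the PROTECTED_PROCESSES set and the Microsoft domain allowlist are the editor's assumptions, not something the sandbox defines.

```python
"""Parse a VirSCAN-style behavior report and pull out indicators worth triage."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the report's own line format, copied from the entries
# above. Backslashes are doubled only because this is a Python string literal.
SAMPLE_REPORT = """\
Behavior description:Creates a remote thread
details:C:\\WINDOWS\\system32\\winlogon.exe
Behavior description:Modifies registry: Windows Firewall authorized application list
details:\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet002\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\\\??\\C:\\WINDOWS\\system32\\winlogon.exe
Behavior description:Connects to a specified socket address
details:219.133.40.1:80
Behavior description:Resolves host address by name (DNS lookup)
details:ilo.brenz.pl
ant.trenz.pl
Behavior description:Calls the Sleep function
details:[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
"""

BEHAVIOR_PREFIX = "Behavior description:"
DETAILS_PREFIX = "details:"

# Editor's assumption: core system processes that an accessibility tool should
# never inject into or register as a firewall exception.
PROTECTED_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
# Editor's assumption: the only domains a Microsoft accessibility binary would contact.
MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com")

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
SOCKADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
# Captures the application path after "...\AuthorizedApplications\List\\??\".
FIREWALL_LIST_RE = re.compile(r"AuthorizedApplications\\List\\+\?\?\\(.+)$", re.I)


def parse_report(text: str) -> List[Tuple[str, List[str]]]:
    """Group the flat report into (behavior, [detail lines]) pairs.

    A "details:" line starts the detail list; following lines that carry no
    "Behavior description:" prefix are continuation lines of the same list.
    Empty and "N/A" details are dropped.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BEHAVIOR_PREFIX):
            entries.append((line[len(BEHAVIOR_PREFIX):].strip(), []))
        elif entries:
            if line.startswith(DETAILS_PREFIX):
                line = line[len(DETAILS_PREFIX):].strip()
            if line and line != "N/A":
                entries[-1][1].append(line)
    return entries


def extract_iocs(entries: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Collect hostnames, socket addresses, firewall exceptions and injection targets."""
    iocs: Dict[str, List[str]] = {
        "domains": [], "sockaddrs": [], "firewall_exceptions": [], "remote_thread_targets": [],
    }
    for behavior, details in entries:
        label = behavior.lower()
        for d in details:
            # Hostnames are only trusted from name-resolution entries; mutex and
            # section names elsewhere in a report can look like dotted hostnames.
            if "host" in label and HOSTNAME_RE.match(d):
                iocs["domains"].append(d.lower())
            elif SOCKADDR_RE.match(d):
                iocs["sockaddrs"].append(d)
            m = FIREWALL_LIST_RE.search(d)
            if m:
                iocs["firewall_exceptions"].append(m.group(1))
            if "remote thread" in label:
                iocs["remote_thread_targets"].append(d)
    return iocs


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(iocs: Dict[str, List[str]]) -> List[str]:
    """Return findings for indicators inconsistent with a benign accessibility tool."""
    findings: List[str] = []
    for path in iocs["firewall_exceptions"]:
        if _basename(path) in PROTECTED_PROCESSES:
            findings.append(f"firewall exception added for system process {_basename(path)}")
    for path in iocs["remote_thread_targets"]:
        if _basename(path) in PROTECTED_PROCESSES:
            findings.append(f"remote thread created in system process {_basename(path)}")
    for host in iocs["domains"]:
        if not host.endswith(MICROSOFT_DOMAINS):
            findings.append(f"DNS lookup of non-Microsoft host {host}")
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    indicators = extract_iocs(parsed)
    for key, values in indicators.items():
        print(f"{key}: {values}")
    for finding in assess(indicators):
        print("FINDING:", finding)
```

Run against the full report rather than the excerpt, the same parser also surfaces the writable section and mutex names, which are useful for host-based hunting but are expected Narrator artifacts and so are deliberately left out of the findings.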