VirSCAN

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 22f3e4eee5c4e1078414be6956dd5e57
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Create system service
details: [服务创建成功]: host Generic process, C:\WINDOWSsvc host.exe

Process behavior

Behavior description: Create new file process
details: ImagePath = C:\WINDOWSsvc host.exe, CmdLine = "C:\WINDOWSsvc host.exe"
Behavior description: Create local thread
details: TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1204, StartAddress = 77DC3519, Parameter = 0018A8A8
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1844, StartAddress = 0040681C, Parameter = 00000000
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1568, StartAddress = 0040803C, Parameter = 00000000
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1456, StartAddress = 00406258, Parameter = 00000000
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1532, StartAddress = 00406258, Parameter = 00000001
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 412, StartAddress = 00406258, Parameter = 00000002
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 160, StartAddress = 00406258, Parameter = 00000003
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1392, StartAddress = 00406258, Parameter = 00000004
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1664, StartAddress = 00406258, Parameter = 00000005
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 740, StartAddress = 00406258, Parameter = 00000006
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 408, StartAddress = 00406258, Parameter = 00000007
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 2012, StartAddress = 00406258, Parameter = 00000008
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1136, StartAddress = 00406258, Parameter = 00000009
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1412, StartAddress = 00406258, Parameter = 0000000A
TargetProcess: WINDOWSsvc host.exe, InheritedFromPID = 656, ProcessID = 1528, ThreadID = 1956, StartAddress = 00406258, Parameter = 0000000B

File behavior

Behavior description: Create file
details: C:\WINDOWSsvc host.exe
C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini
C:\Documents and Settings\All Users\Application Data\systemskey.ini
Behavior description: Create executable file
details: C:\WINDOWSsvc host.exe
Behavior description: Modify file contents
details: C:\WINDOWSsvc host.exe ---> Offset = 0
C:\WINDOWSsvc host.exe ---> Offset = 4096
C:\WINDOWSsvc host.exe ---> Offset = 8192
C:\WINDOWSsvc host.exe ---> Offset = 12288
C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini ---> Offset = 0
C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini ---> Offset = 1
C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini ---> Offset = 2
C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini ---> Offset = 3
C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini ---> Offset = 4
C:\Documents and Settings\All Users\Application Data\systemskey.ini ---> Offset = 0
Behavior description: Find file
details: FileName = C:\WINDOWSsvc host.exe
FileName = C:\Documents and Settings\LocalService\Application Data\ffifssssfdfsf4f.ini
FileName = C:\Documents and Settings\All Users\Application Data\systemskey.ini
Behavior description: Copy file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\WINDOWSsvc host.exe

Network behavior

Behavior description: Establish a connection to a specified socket
details: URL: 3vtx-tpq, IP: **.133.40.**:80, SOCKET = 0x000000a4
Behavior description: Send HTTP packet
details: POST - HTTP/1.1 Host: 3vtx-tpq User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.525274; .NET CLR 3.5.525274; .NET CLR 3.0.525274 Accept: text/html Connection: Keep-Alive Content-Length: 17 Content-Type: application/x-www-form-urlencoded k=440av557fjndui9
Behavior description: Get host address by name
details: gethostbyname: 3vtx-tpq

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

Other behavior

Behavior description: Start system service
details: [服务启动成功]: LocalSystem, host Generic process, C:\WINDOWSsvc host.exe
Behavior description: Open event
details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
Behavior description: Executable file signature information
details: C:\WINDOWSsvc host.exe(签名验证: 未通过)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
[3]: MilliSeconds = 50.
[4]: MilliSeconds = 50.
[5]: MilliSeconds = 1000.
[6]: MilliSeconds = 1000.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 1000.
Behavior description: Executable file MD5
details: C:\WINDOWSsvc host.exe ---> 22f3e4eee5c4e1078414be6956dd5e57
Behavior description: Create system service
details: [服务创建成功]: host Generic process, C:\WINDOWSsvc host.exe