VirSCAN


File information
Safety rating: 88
Behavior list
Basic information
MD5: 2ff4a898f615e88a81ad7720fab5103b
File type: NSIS
Publisher: Power Software Ltd
Version: 4.0.0.0 / 4.0.0.0
Packer or compiler information: (none reported)
Subfile information (name / MD5 / type; `$0` and `$R0` are NSIS register variables, each listed with the same MD5 as the named file beside it):
WinArchiver.exe / e173a80a55d5b9ddd2d5855882e3b8df / EXE
WinArchiver.chm / f000294465740c67539747c297e321e2 / Chm
$0 / bc7496939388974947e9973d33c3eb45 / DLL
WASHELL.DLL / bc7496939388974947e9973d33c3eb45 / DLL
7z.dll / aecef77725f3ee0b84b6b8046efe5ac0 / DLL
WAHELPER.EXE / ad68846a0719018b73808c8b9e98e306 / EXE
$R0 / ad68846a0719018b73808c8b9e98e306 / EXE
unicows.dll / f8d176db5b14aed7c9b25e0640226bd1 / DLL
lame_enc.dll / b415d99733681b7ebd6f0cb923adc27b / DLL
WAService.exe / 9beb3f143dca854e7efed0028d7a21f7 / EXE
MACDll.dll / 30ae564b315b18be68d4975a083939d5 / DLL
libFLAC.dll / ebbc719e881f2311d352ade3b5e48aee / DLL
$R0 / 15f6f93ed57536a802131e4fafad679d / SYS
waemu.sys / 15f6f93ed57536a802131e4fafad679d / SYS
Hungarian.lng / 9b7c774c002e390a162e9cf01b182db8 / Unknown
Indonesian.lng / 1f26a109e4fe33da73015c18a5fd7d39 / Unknown
German.lng / 1ad48fedc2ad0805dc7ad084cbc73f19 / Unknown
Turkish.lng / e701181f60f7cb1a5e7d02c76c83c150 / Unknown
Spanish.lng / 853b86b9ca9f8beb9aab8dee97b0510f / Unknown
Key behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\WinArchiver\Install_Dir
\REGISTRY\USER\S-*\Software\WinArchiver\Install_Dir
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\VersionMajor
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\VersionMinor
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\NoModify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\NoRepair
Behavior description: Block window close message
Details: hWnd = 0x000202a4, Text = WinArchiver 4.0 Setup, ClassName = #32770.
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\All Users\桌面\WinArchiver.lnk (桌面 is the localized Desktop folder on the Chinese-language sandbox)
Process behavior
Behavior description: Create process
Details: ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32.exe /s /u "C:\Program Files\WinArchiver\WASHELL.DLL"
Behavior description: Create local thread
Details: N/A
Behavior description: Process exit
Details: N/A
Behavior description: Enumerate processes
Details: N/A
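The only child process the sandbox recorded is regsvr32 run with `/s` (silent) and `/u` (unregister, i.e. call the DLL's `DllUnregisterServer`) against the shell-extension DLL the installer drops. As an added example, not part of the VirSCAN report or of WinArchiver, the Python below parses a process-creation entry in this report's `ImagePath = ..., CmdLine = ...` layout, extracts the regsvr32 switches and target, and flags the patterns an analyst looks for when regsvr32 is abused: `/i:` pointing at a URL or `.sct` scriptlet, `/n` combined with `/i`, a target that is not a COM server file, or a target in a user-writable directory. `SAMPLE_EVENT` is constructed from the report's entry; the suspicious-branch event in the test is invented.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed from the report's "Create process" entry (same ImagePath/CmdLine layout).
SAMPLE_EVENT = ('ImagePath = C:\\WINDOWS\\system32\\regsvr32.exe, '
                'CmdLine = regsvr32.exe /s /u "C:\\Program Files\\WinArchiver\\WASHELL.DLL"')


@dataclass
class Regsvr32Call:
    image_path: str
    switches: FrozenSet[str]      # lower-cased, e.g. {"/s", "/u"}
    install_arg: Optional[str]    # argument given to /i:, if any
    targets: List[str]            # non-switch tokens: the DLL/OCX paths
    silent: bool                  # /s present
    unregister: bool              # /u present (DllUnregisterServer is called)
    suspicious: List[str]         # reasons the call deserves a closer look


def parse_process_event(detail: str):
    """Split a report line 'ImagePath = X, CmdLine = Y' into (X, Y)."""
    m = re.fullmatch(r"ImagePath = (.+?), CmdLine = (.+)", detail)
    if not m:
        raise ValueError("unrecognised process-creation detail line")
    return m.group(1), m.group(2)


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line: double-quoted strings (quotes stripped) or bare tokens."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyse_regsvr32(detail: str) -> Regsvr32Call:
    image, cmdline = parse_process_event(detail)
    tokens = split_cmdline(cmdline)[1:]          # drop argv[0] (regsvr32 itself)
    switches, install_arg, targets = set(), None, []
    for tok in tokens:
        if tok[:1] in "/-" and len(tok) > 1:
            name = tok[1:].lower()
            if name.startswith("i:"):             # /i:<arg> passes <arg> to DllInstall
                install_arg = tok[3:]
                name = "i"
            switches.add("/" + name)
        else:
            targets.append(tok)

    suspicious = []
    if install_arg and ("://" in install_arg or install_arg.lower().endswith(".sct")):
        suspicious.append("scriptlet_or_remote_install_arg")
    if "/n" in switches and "/i" in switches:     # DllInstall without DllRegisterServer
        suspicious.append("dllinstall_without_dllregisterserver")
    for t in targets:
        low = t.lower()
        if not low.endswith((".dll", ".ocx", ".ax")):
            suspicious.append(f"non_com_server_target:{t}")
        if any(d in low for d in ("\\temp\\", "\\appdata\\", "\\downloads\\")):
            suspicious.append(f"target_in_user_writable_dir:{t}")

    return Regsvr32Call(image, frozenset(switches), install_arg, targets,
                        "/s" in switches, "/u" in switches, suspicious)


if __name__ == "__main__":
    print(analyse_regsvr32(SAMPLE_EVENT))
```

For the report's own event the result is silent=True, unregister=True, one target under Program Files and an empty suspicious list; the switch set alone tells you the installer was unregistering the shell extension, not loading a payload through regsvr32.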
File behavior
Behavior description: Create file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsh5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll
C:\Program Files\WinArchiver\WAService.exe
C:\Program Files\WinArchiver\WAHELPER.EXE
C:\WINDOWS\system32\drivers\waemu.sys
C:\Program Files\WinArchiver\Lang\cn_sc.lng
C:\Program Files\WinArchiver\Lang\cn_tc.lng
C:\Program Files\WinArchiver\Lang\Bulgarian.lng
C:\Program Files\WinArchiver\Lang\Dutch.lng
C:\Program Files\WinArchiver\Lang\Bosnian.lng
C:\Program Files\WinArchiver\Lang\Italian.lng
C:\Program Files\WinArchiver\Lang\Spanish.lng
C:\Program Files\WinArchiver\Lang\Belarusian.lng
Behavior description: Drop links or shortcuts in sensitive system locations (e.g. the Start Menu)
Details: C:\Documents and Settings\All Users\「开始」菜单\程序\WinArchiver\Uninstall WinArchiver.lnk (「开始」菜单\程序 is the localized Start Menu\Programs folder)
C:\Documents and Settings\All Users\「开始」菜单\程序\WinArchiver\WinArchiver Help.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\WinArchiver\WinArchiver.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\WinArchiver\WinArchiver Virtual Drive.lnk
Behavior description: Create executable file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll
C:\Program Files\WinArchiver\WAService.exe
C:\Program Files\WinArchiver\WAHELPER.EXE
C:\WINDOWS\system32\drivers\waemu.sys
C:\Program Files\WinArchiver\WinArchiver.exe
C:\Program Files\WinArchiver\7z.dll
C:\Program Files\WinArchiver\lame_enc.dll
C:\Program Files\WinArchiver\libFLAC.dll
C:\Program Files\WinArchiver\MACDll.dll
C:\Program Files\WinArchiver\wacmd.exe
C:\Program Files\WinArchiver\WASHELL.DLL
C:\Program Files\WinArchiver\uninstall.exe
Behavior description: Overwrite existing file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsh5.tmp
C:\Program Files\WinArchiver\WAService.exe
C:\Program Files\WinArchiver\WAHELPER.EXE
C:\WINDOWS\system32\drivers\waemu.sys
C:\Program Files\WinArchiver\WinArchiver.exe
C:\Program Files\WinArchiver\7z.dll
C:\Program Files\WinArchiver\WASHELL.DLL
Behavior description: Search for file
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp
FileName = C:\Program Files\WinArchiver
FileName = C:\Program Files
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\regsvr32.exe
FileName = C:\Program Files\WinArchiver\WAService.exe
FileName = C:\Program Files\WinArchiver\WAHELPER.exe
FileName = C:\Program Files\WinArchiver\WASHELL.DLL
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\WinArchiver Virtual Drive\.
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\All Users\桌面\WinArchiver.lnk
Behavior description: Delete file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp
Behavior description: Modify file contents
Details: C:\Program Files\WinArchiver\Lang\cn_sc.lng---> Offset = 0
C:\Program Files\WinArchiver\Lang\cn_tc.lng---> Offset = 0
C:\Program Files\WinArchiver\Lang\Bulgarian.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Dutch.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Bosnian.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Italian.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Spanish.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Belarusian.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Arabic.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Czech.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Farsi.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\German.lng---> Offset = 32768
C:\Program Files\WinArchiver\Lang\Turkish.lng---> Offset = 16384
C:\Program Files\WinArchiver\Lang\Hungarian.lng---> Offset = 32768
C:\Program Files\WinArchiver\Lang\Indonesian.lng---> Offset = 32768
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\WinArchiver\Install_Dir
\REGISTRY\USER\S-*\Software\WinArchiver\Install_Dir
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\VersionMajor
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\VersionMinor
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\NoModify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinArchiver\NoRepair
Other behavior
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AJL
SHIMLIB_LOG_MUTEX
Behavior description: Create event object
Details: EventName = MSCTF.SendReceive.Event.AJL.IC
EventName = MSCTF.SendReceiveConection.Event.AJL.IC
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Acquire system privilege
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Block window close message
Details: hWnd = 0x000202a4, Text = WinArchiver 4.0 Setup, ClassName = #32770.
Behavior description: Window information
Details: Pid = 2956, Hwnd=0x202cc, Text = I Agree(&I), ClassName = Button.
Pid = 2956, Hwnd=0x202b4, Text = Cancel(&C), ClassName = Button.
Pid = 2956, Hwnd=0x202d6, Text = Power Software Ltd , ClassName = Static.
Pid = 2956, Hwnd=0x202d8, Text = Power Software Ltd, ClassName = Static.
Pid = 2956, Hwnd=0x202c4, Text = License Agreement, ClassName = Static.
Pid = 2956, Hwnd=0x202c8, Text = Please review the license agreement before installing "WinArchiver 4.0"., ClassName = Static.
Pid = 2956, Hwnd=0x302b8, Text = Press [PgDn] to see the rest of the agreement., ClassName = Static.
Pid = 2956, Hwnd=0x202b0, Text = END-USER LICENSE AGREEMENT FOR WinArchiver. IMPORTANT - READ CAREFULLY: This End-User License Agreement is a legal agreement b, ClassName = RichEdit20A.
Pid = 2956, Hwnd=0x202ae, Text = If you accept the terms of the agreement, click [I Agree] to continue. If you select [Cancel], Setup will close. You must accept the agreement to install "WinArchiver 4.0, ClassName = Static.
Pid = 2956, Hwnd=0x202a4, Text = WinArchiver 4.0 Setup, ClassName = #32770.
Pid = 2956, Hwnd=0x202a8, Text = < Back(&P), ClassName = Button.
Pid = 2956, Hwnd=0x202cc, Text = Install(&I), ClassName = Button.
Pid = 2956, Hwnd=0x202c4, Text = Choose Install Location, ClassName = Static.
Pid = 2956, Hwnd=0x202c8, Text = Choose the folder in which to install "WinArchiver 4.0"., ClassName = Static.
Pid = 2956, Hwnd=0x302ae, Text = C:\Program Files\WinArchiver, ClassName = Edit.
Behavior description: Executable signature information
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll (signature verification: failed)
C:\Program Files\WinArchiver\WAService.exe (signature verification: passed)
C:\Program Files\WinArchiver\WAHELPER.EXE (signature verification: passed)
C:\WINDOWS\system32\drivers\waemu.sys (signature verification: passed)
C:\Program Files\WinArchiver\WinArchiver.exe (signature verification: passed)
C:\Program Files\WinArchiver\7z.dll (signature verification: failed)
C:\Program Files\WinArchiver\lame_enc.dll (signature verification: failed)
C:\Program Files\WinArchiver\libFLAC.dll (signature verification: failed)
C:\Program Files\WinArchiver\MACDll.dll (signature verification: failed)
C:\Program Files\WinArchiver\wacmd.exe (signature verification: passed)
C:\Program Files\WinArchiver\WASHELL.DLL (signature verification: passed)
C:\Program Files\WinArchiver\uninstall.exe (signature verification: failed)
Behavior description: Hide specified window
Details: [Window,Class] = [,Button]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [Show details(&D),Button]
Behavior description: Executable file MD5
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll ---> c17103ae9072a06da581dec998343fc1
C:\Program Files\WinArchiver\WAService.exe ---> 9beb3f143dca854e7efed0028d7a21f7
C:\Program Files\WinArchiver\WAHELPER.EXE ---> ad68846a0719018b73808c8b9e98e306
C:\WINDOWS\system32\drivers\waemu.sys ---> 15f6f93ed57536a802131e4fafad679d
C:\Program Files\WinArchiver\WinArchiver.exe ---> e173a80a55d5b9ddd2d5855882e3b8df
C:\Program Files\WinArchiver\7z.dll ---> aecef77725f3ee0b84b6b8046efe5ac0
C:\Program Files\WinArchiver\lame_enc.dll ---> b415d99733681b7ebd6f0cb923adc27b
C:\Program Files\WinArchiver\libFLAC.dll ---> ebbc719e881f2311d352ade3b5e48aee
C:\Program Files\WinArchiver\MACDll.dll ---> 30ae564b315b18be68d4975a083939d5
C:\Program Files\WinArchiver\wacmd.exe ---> 3c122fbdc3c4ad56d4333bf61c693677
C:\Program Files\WinArchiver\WASHELL.DLL ---> 2b2dfbc56b1f3e074179a417e6bf0fdf
C:\Program Files\WinArchiver\uninstall.exe ---> a080b155d864d9ef7e59d41bd7259222
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll.
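The report gives three views of the same executables: the static subfile list (name / MD5 / type) pulled from the NSIS package, the signature-verification results, and the MD5 of each executable as it was written to disk. As an added example (not VirSCAN's or WinArchiver's code) the Python below transcribes those three lists and cross-checks them, reporting executables that failed signature verification, files whose on-disk MD5 differs from the MD5 in the static list, files that have no entry in the static list, the kernel driver drop, and executables loaded from the temp directory. With this report's own data the check surfaces one mismatch: WASHELL.DLL on disk (2b2dfbc5...) does not carry the MD5 of the WASHELL.DLL entry in the static list (bc749693...). The `$0`/`$R0` entries are NSIS register names and are skipped, since they duplicate the MD5s of named files.

```python
from collections import defaultdict

# Transcribed from the report's "Subfile information" section: (name, MD5, type).
# "$0" / "$R0" are NSIS register variables printed in place of a file name; each
# carries the same MD5 as a named file in the list, so they are skipped below.
STATIC_SUBFILES = [
    ("WinArchiver.exe", "e173a80a55d5b9ddd2d5855882e3b8df", "EXE"),
    ("$0",              "bc7496939388974947e9973d33c3eb45", "DLL"),
    ("WASHELL.DLL",     "bc7496939388974947e9973d33c3eb45", "DLL"),
    ("7z.dll",          "aecef77725f3ee0b84b6b8046efe5ac0", "DLL"),
    ("WAHELPER.EXE",    "ad68846a0719018b73808c8b9e98e306", "EXE"),
    ("$R0",             "ad68846a0719018b73808c8b9e98e306", "EXE"),
    ("unicows.dll",     "f8d176db5b14aed7c9b25e0640226bd1", "DLL"),
    ("lame_enc.dll",    "b415d99733681b7ebd6f0cb923adc27b", "DLL"),
    ("WAService.exe",   "9beb3f143dca854e7efed0028d7a21f7", "EXE"),
    ("MACDll.dll",      "30ae564b315b18be68d4975a083939d5", "DLL"),
    ("libFLAC.dll",     "ebbc719e881f2311d352ade3b5e48aee", "DLL"),
    ("$R0",             "15f6f93ed57536a802131e4fafad679d", "SYS"),
    ("waemu.sys",       "15f6f93ed57536a802131e4fafad679d", "SYS"),
]

# Transcribed from "Executable file MD5" and "Executable signature information":
# on-disk path -> (MD5 as written to disk, signature verification passed?)
RUNTIME = {
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll": ("c17103ae9072a06da581dec998343fc1", False),
    r"C:\Program Files\WinArchiver\WAService.exe":   ("9beb3f143dca854e7efed0028d7a21f7", True),
    r"C:\Program Files\WinArchiver\WAHELPER.EXE":    ("ad68846a0719018b73808c8b9e98e306", True),
    r"C:\WINDOWS\system32\drivers\waemu.sys":        ("15f6f93ed57536a802131e4fafad679d", True),
    r"C:\Program Files\WinArchiver\WinArchiver.exe": ("e173a80a55d5b9ddd2d5855882e3b8df", True),
    r"C:\Program Files\WinArchiver\7z.dll":          ("aecef77725f3ee0b84b6b8046efe5ac0", False),
    r"C:\Program Files\WinArchiver\lame_enc.dll":    ("b415d99733681b7ebd6f0cb923adc27b", False),
    r"C:\Program Files\WinArchiver\libFLAC.dll":     ("ebbc719e881f2311d352ade3b5e48aee", False),
    r"C:\Program Files\WinArchiver\MACDll.dll":      ("30ae564b315b18be68d4975a083939d5", False),
    r"C:\Program Files\WinArchiver\wacmd.exe":       ("3c122fbdc3c4ad56d4333bf61c693677", True),
    r"C:\Program Files\WinArchiver\WASHELL.DLL":     ("2b2dfbc56b1f3e074179a417e6bf0fdf", True),
    r"C:\Program Files\WinArchiver\uninstall.exe":   ("a080b155d864d9ef7e59d41bd7259222", False),
}


def basename(win_path):
    """Last component of a Windows path, lower-cased for case-insensitive matching."""
    return win_path.rsplit("\\", 1)[-1].lower()


def triage(static, runtime):
    """One row per on-disk executable, compared against the static subfile list."""
    static_md5s = defaultdict(set)
    for name, md5, _ftype in static:
        if not name.startswith("$"):            # skip NSIS register placeholders
            static_md5s[name.lower()].add(md5)
    rows = []
    for path, (md5, signed) in runtime.items():
        name = basename(path)
        if name not in static_md5s:
            status = "only_at_runtime"          # no entry of that name in the static list
        elif md5 in static_md5s[name]:
            status = "match"
        else:
            status = "mismatch"                 # on-disk bytes differ from the packaged entry
        rows.append({
            "path": path, "name": name, "md5": md5, "signed": signed, "static": status,
            "driver": name.endswith(".sys") or "\\drivers\\" in path.lower(),
            "from_temp": "\\temp\\" in path.lower(),
        })
    return rows


def findings(rows):
    """Collapse the rows into the short lists an analyst scans first."""
    def pick(cond):
        return sorted(r["name"] for r in rows if cond(r))
    return {
        "unsigned":        pick(lambda r: r["signed"] is False),
        "hash_mismatch":   pick(lambda r: r["static"] == "mismatch"),
        "only_at_runtime": pick(lambda r: r["static"] == "only_at_runtime"),
        "drivers":         pick(lambda r: r["driver"]),
        "from_temp":       pick(lambda r: r["from_temp"]),
    }


if __name__ == "__main__":
    for key, names in findings(triage(STATIC_SUBFILES, RUNTIME)).items():
        print(f"{key:16s} {', '.join(names) or '-'}")
```

Run against this report the output lists six unsigned binaries (System.dll, 7z.dll, lame_enc.dll, libFLAC.dll, MACDll.dll, uninstall.exe), the WASHELL.DLL hash mismatch, three files without a static entry (System.dll, uninstall.exe, wacmd.exe), the waemu.sys driver and the System.dll loaded from the NSIS temp directory. A hash mismatch between the packaged and on-disk copy of a signed DLL is exactly the kind of detail worth resolving by hand before rating an installer clean.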