1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.
| MD5:55f6945302a5baa49f32ef25425b793c |
| 文件大小:5.58MB |
| 上传时间: 2014-09-22 10:36:30 (CST) |
| Package names: |
| Minimum operating environment: |
| copyright: |
| Behavior description: | 设置特殊文件夹属性 |
| details: | C:\Documents and Settings\Administrator\Application Data\Fomesaod |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 | |
| C:\Documents and Settings\Administrator\Local Settings\History | |
| C:\Documents and Settings\Administrator\Local Settings\History\History.IE5 | |
| C:\Documents and Settings\Administrator\Cookies | |
| C:\Documents and Settings\All Users\Application Data\Fomesaod | |
| C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files | |
| C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 | |
| C:\Documents and Settings\LocalService\Local Settings\History | |
| C:\Documents and Settings\LocalService\Local Settings\History\History.IE5 | |
| C:\Documents and Settings\LocalService\Cookies | |
| Behavior description: | 创建系统服务 |
| details: | [服务创建成功]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe |
| Behavior description: | 设置消息钩子 |
| details: | C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe |
| Behavior description: | 创建新文件进程 |
| details: | ImagePath = C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe" |
| ImagePath = C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe" | |
| ImagePath = C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/ |
| Behavior description: | 创建可执行文件 |
| details: | C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe |
| C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe | |
| C:\WINDOWS\regedit.exe | |
| C:\WINDOWS\RCX3.tmp | |
| C:\WINDOWS\RCX4.tmp | |
| C:\WINDOWS\RCX5.tmp | |
| C:\WINDOWS\RCX6.tmp | |
| C:\WINDOWS\RCX7.tmp | |
| C:\WINDOWS\winhelp.exe | |
| C:\WINDOWS\winhlp32.exe | |
| C:\WINDOWS\RCX8.tmp | |
| C:\WINDOWS\RCX9.tmp | |
| C:\WINDOWS\RCXA.tmp | |
| C:\WINDOWS\RCXB.tmp | |
| C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe | |
| Behavior description: | 写权限映射文件 |
| details: | Local\b7b7bc2512ee1fedcd76bdc68926d4f7b |
| Global\c1128acc29a2f4c564400859e81d4b5b3 | |
| VIDEOMEMORY | |
| AMResourceMapping2-0x0000-0x0000051e | |
| Behavior description: | 重命名文件 |
| details: | C:\WINDOWS\RCX3.tmp ---> C:\WINDOWS\regedit.exe |
| C:\WINDOWS\RCX4.tmp ---> C:\WINDOWS\regedit.exe | |
| C:\WINDOWS\RCX5.tmp ---> C:\WINDOWS\regedit.exe | |
| C:\WINDOWS\RCX6.tmp ---> C:\WINDOWS\regedit.exe | |
| C:\WINDOWS\RCX7.tmp ---> C:\WINDOWS\regedit.exe | |
| C:\WINDOWS\RCX8.tmp ---> C:\WINDOWS\winhlp32.exe | |
| C:\WINDOWS\RCX9.tmp ---> C:\WINDOWS\winhlp32.exe | |
| C:\WINDOWS\RCXA.tmp ---> C:\WINDOWS\winhlp32.exe | |
| C:\WINDOWS\RCXB.tmp ---> C:\WINDOWS\winhlp32.exe | |
| C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXC.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe | |
| C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXD.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe | |
| C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXE.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe | |
| C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXF.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\RCX10.tmp ---> C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\RCX11.tmp ---> C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe | |
| Behavior description: | 设置特殊文件夹属性 |
| details: | C:\Documents and Settings\Administrator\Application Data\Fomesaod |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 | |
| C:\Documents and Settings\Administrator\Local Settings\History | |
| C:\Documents and Settings\Administrator\Local Settings\History\History.IE5 | |
| C:\Documents and Settings\Administrator\Cookies | |
| C:\Documents and Settings\All Users\Application Data\Fomesaod | |
| C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files | |
| C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 | |
| C:\Documents and Settings\LocalService\Local Settings\History | |
| C:\Documents and Settings\LocalService\Local Settings\History\History.IE5 | |
| C:\Documents and Settings\LocalService\Cookies | |
| Behavior description: | 修改文件内容 |
| details: | C:\Documents and Settings\Administrator\Application Data\Fomesaod\febamero.cat---> Offset = 4118 |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\uqboumxuuc.ocx---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\uhfogeend.cat---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\hesehaq.ocx---> Offset = 4108 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\icxobanet.bin---> Offset = 4108 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\epfegohab.mui---> Offset = 4108 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\adigapog.drv---> Offset = 4112 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\abqaqebi.mui---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\iqkeusohlu.bin---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omicxahemu\raerebw.cat---> Offset = 4114 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omicxahemu\kasoi.bin---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Application Data\Fomesaod\omicxahemu\buatosud.drv---> Offset = 0 | |
| C:\Documents and Settings\All Users\Application Data\Fomesaod\tuuxosoc.bin---> Offset = 0 | |
| C:\Documents and Settings\All Users\Application Data\Fomesaod\giarigw.ocx---> Offset = 8221 | |
| C:\Documents and Settings\All Users\Application Data\Fomesaod\koe\edb.dmp---> Offset = 4113 | |
| Behavior description: | 修改新生成的可执行文件 |
| details: | C:\WINDOWS\regedit.exe---> Offset = 293888 |
| C:\WINDOWS\winhelp.exe---> Offset = 290816 | |
| C:\WINDOWS\winhlp32.exe---> Offset = 293376 | |
| C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe---> Offset = 293376 | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\6781b87c8d3b55e6120b1e86bea6e040\ServiceModelReg.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\b9c1a29e684bc02e49226ff1e9eec253\SMSvcHost.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\7d2a3adbdcb675f872eb2dbf21f73596\WsatConfig.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2b3bb967d405eb9e0c95b184f7ae8979\ComSvcConfig.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\MSBuild\e2799fc6d0e3b74e8fa3c2ce0225a940\MSBuild.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\SMSvcHost\048beed5824506fe8ac3453e5d71edb2\SMSvcHost.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\WsatConfig\d44ea63953312a5b92800127d1f48932\WsatConfig.ni.exe---> Offset = 292352 | |
| C:\WINDOWS\ie8\spuninst\spuninst.exe---> Offset = 293376 | |
| C:\WINDOWS\inf\unregmp2.exe---> Offset = 292864 |
| Behavior description: | 连接指定站点 |
| details: | InternetConnectA: ServerName = icanhazip.com, PORT = 80 |
| InternetConnectA: ServerName = example.com, PORT = 80 | |
| InternetConnectA: ServerName = z3mm6cupmtw5b2xx.onion, PORT = 80 | |
| InternetConnectA: ServerName = urasahrenaheen.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = xoegfeima.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = niubsacaosuce.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = egaggioxipme.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = miqookleugoc.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = ivowqiutulqa.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = paegekreaho.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = sulauhovmi.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = nigiqohe.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = ogvehobiqute.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = ifoxtameavrih.ddns.net, PORT = 80 | |
| InternetConnectA: ServerName = ixqiguiwfe.ddns.net, PORT = 80 | |
| Behavior description: | 读取网络文件 |
| details: | hFile = 0x000002dc, BytesToRead =1023, BytesRead = 1023. |
| hFile = 0x000001a8, BytesToRead =1023, BytesRead = 1023. | |
| hFile = 0x000001b8, BytesToRead =1023, BytesRead = 1023. | |
| hFile = 0x0000024c, BytesToRead =1023, BytesRead = 1023. | |
| hFile = 0x00000230, BytesToRead =1023, BytesRead = 1023. | |
| hFile = 0x00000224, BytesToRead =1023, BytesRead = 1023. | |
| hFile = 0x00000278, BytesToRead =1023, BytesRead = 1023. | |
| hFile = 0x000001f0, BytesToRead =1023, BytesRead = 1023. | |
| Behavior description: | 打开HTTP请求 |
| details: | HttpOpenRequestA: z3mm6cupmtw5b2xx.onion:80/si.php?xd={"f6226":""}, hConnect = 0x000002d0 |
| HttpOpenRequestA: urasahrenaheen.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002d0 | |
| HttpOpenRequestA: xoegfeima.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: niubsacaosuce.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: egaggioxipme.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: miqookleugoc.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: ivowqiutulqa.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: paegekreaho.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: sulauhovmi.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: nigiqohe.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: ogvehobiqute.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: ifoxtameavrih.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: ixqiguiwfe.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: veugihivirhiaqi.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc | |
| HttpOpenRequestA: hedaitoms.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc |
| Behavior description: | 修改注册表 |
| details: | \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\ |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\DefaultIcon\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\IsShortcut | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\NeverShowExt | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\open\command\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command\IsolatedCommand | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\open\command\IsolatedCommand | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas\command\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\runas\command\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\runas\command\IsolatedCommand | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas\command\IsolatedCommand | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shellex\IconHandler\ | |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.exe\ | |
| Behavior description: | 修改注册表_组策略 |
| details: | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisablePCA |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\AppCompat\DisablePCA |
| Behavior description: | 创建驱动文件镜像 |
| details: | C:\WINDOWS\system32\drivers\fastfat.sys |
| Behavior description: | 创建互斥体 |
| details: | AMResourceMutex2 |
| VideoRenderer | |
| eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-1482476501-1645522239-1417001333-500 | |
| Behavior description: | 设置消息钩子 |
| details: | C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe |
| Behavior description: | 启动系统服务 |
| details: | [服务启动成功]: LocalSystem, GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe |
| Behavior description: | 获取系统权限 |
| details: | SE_INC_BASE_PRIORITY_PRIVILEGE |
| SE_LOAD_DRIVER_PRIVILEGE | |
| SE_ASSIGNPRIMARYTOKEN_PRIVILEGE | |
| Behavior description: | 枚举窗口 |
| details: | N/A |
| Behavior description: | 创建系统服务 |
| details: | [服务创建成功]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe |
HOME
