VirSCAN
File information
Safety rating: 60
Behavior list
Basic Information
MD5: 602098883f863b303102eb96677c4e36
File type: EXE
Production company: by:阿水
Version: 9.0.0.0---9.0.0.0
Shell or compiler information: PACKER:PolyEnE 0.01+ by Lennart Hedlund *
Key behavior
Behavior description: Set special file attributes
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll
Behavior description: Read CPU time-stamp counter directly
details: EAX = 0xd4185cf7, EDX = 0x000000b6
EAX = 0xdc062ae0, EDX = 0x000000b6
EAX = 0xdc062b2c, EDX = 0x000000b6
EAX = 0xdc062b78, EDX = 0x000000b6
EAX = 0xdc062bc4, EDX = 0x000000b6
EAX = 0xdc062c10, EDX = 0x000000b6
EAX = 0xdc062c5c, EDX = 0x000000b6
EAX = 0xe3f3fa45, EDX = 0x000000b6
EAX = 0x3d886f9a, EDX = 0x000000b7
EAX = 0x3d886fe6, EDX = 0x000000b7
Behavior description: Create system service
details: [Service created successfully]: Wsckgk mgecisgc, C:\WINDOWS\Uyesfdm.exe
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x0001037c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00010386, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010384, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001037c, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010386, DC = 0x0b01066f.
Foreground window Info: HWND = 0x00010384, DC = 0x0a010375.
Behavior description: Get TickCount value
details: TickCount = 228671, SleepMilliseconds = 5000.
TickCount = 228687, SleepMilliseconds = 5000.
TickCount = 224718, SleepMilliseconds = 500.
TickCount = 224781, SleepMilliseconds = 500.
TickCount = 224469, SleepMilliseconds = 1.
Process behavior
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2676, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: ldyzvm.dll, InheritedFromPID = 2640, ProcessID = 2844, ThreadID = 2852, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Uyesfdm.exe, InheritedFromPID = 652, ProcessID = 2880, ThreadID = 2896, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Uyesfdm.exe, InheritedFromPID = 652, ProcessID = 2880, ThreadID = 2900, StartAddress = 77DC3519, Parameter = 0018B3A0
TargetProcess: Uyesfdm.exe, InheritedFromPID = 652, ProcessID = 2880, ThreadID = 2912, StartAddress = 77C0A341, Parameter = 003F3CB8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2916, StartAddress = 00403B9F, Parameter = 00000000
Behavior description: Create process from new file
details: [0x00000b1c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll"
[0x00000b40]ImagePath = C:\WINDOWS\Uyesfdm.exe, CmdLine = C:\WINDOWS\Uyesfdm.exe
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll
C:\WINDOWS\Uyesfdm.exe
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll
C:\WINDOWS\Uyesfdm.exe
Behavior description: Find file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
Behavior description: Copy file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll ---> C:\WINDOWS\Uyesfdm.exe
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll ---> Offset = 0
C:\WINDOWS\Uyesfdm.exe ---> Offset = 0
C:\WINDOWS\Uyesfdm.exe ---> Offset = 4096
C:\WINDOWS\Uyesfdm.exe ---> Offset = 8192
C:\WINDOWS\Uyesfdm.exe ---> Offset = 12288
Network behavior
Behavior description: Connect to specified site
details: WinHttpConnect: ServerName = ld****om, PORT = 80, UserName = , Password = , hSession = 0x031e3100, hConnect = 0x031e3200, Flags = 0x00000000
Behavior description: Open HTTP connection
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x031e3100
Behavior description: Establish connection to a specified socket
details: URL: as****iz, IP: **.133.40.**:8989, SOCKET = 0x000000dc
URL: ld****om, IP: **.133.40.**:80, SOCKET = 0x0000022c
Behavior description: Send HTTP packet
details: POST /v15/yz.php HTTP/1.1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ld****om
Connection: Keep-Alive
gtc=7b7cdb44dbcb5bfa18eb91708c217ce5
Behavior description: Open HTTP request
details: WinHttpOpenRequest: ld****om:80/v15/yz.php, hConnect = 0x031e3200, hRequest = 0x03290000, Verb: POST, Referer: , Flags = 0x00000080
Behavior description: Resolve host address by name
details: gethostbyname: as****iz
GetAddrInfoW: ld****om
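The POST above is the one outbound request the sandbox captured: a form body `gtc=` followed by 32 hex digits (Content-Length 36 = 4 + 32, so the body is complete), sent with the WinHTTP user agent string to a host the report masks. What the 32-hex value encodes is not shown on the page. The following is an added example, not VirSCAN's code or anything from the sample's author: it checks HTTP request records against that request shape. The field names of the records and the records themselves are constructed for the example; the host is left masked exactly as the report prints it.

```python
"""Flag HTTP requests that match the beacon shape in the network section above.

Added example, not part of the VirSCAN report. The request shape (POST to
/v15/yz.php, body gtc=<32 hex>, Content-Length equal to the body length, the
WinHTTP User-Agent) is taken from the report; the records below are constructed.
"""
import re

WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
BODY_RE = re.compile(r"^gtc=[0-9a-f]{32}$")

# Constructed request records in the shape a proxy log export might use.
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "ld****om", "path": "/v15/yz.php",
     "user_agent": WINHTTP_UA, "content_length": 36,
     "body": "gtc=7b7cdb44dbcb5bfa18eb91708c217ce5"},
    {"method": "GET", "host": "example.com", "path": "/index.html",
     "user_agent": "Mozilla/5.0", "content_length": 0, "body": ""},
    # Same UA on another path: scripted WinHTTP traffic is common, so this alone is weak.
    {"method": "POST", "host": "example.com", "path": "/api/upload",
     "user_agent": WINHTTP_UA, "content_length": 5, "body": "a=b&c"},
    # Right path, but the body does not have the observed shape.
    {"method": "POST", "host": "ld****om", "path": "/v15/yz.php",
     "user_agent": WINHTTP_UA, "content_length": 8, "body": "gtc=abcd"},
]


def match_beacon(req):
    """Return the names of the rules a request triggers, strongest first."""
    hits = []
    body = req.get("body", "")
    if (req.get("method") == "POST" and req.get("path", "").endswith("/v15/yz.php")
            and BODY_RE.match(body) and req.get("content_length") == len(body)):
        hits.append("beacon_post_gtc")      # full shape of the observed request
    elif req.get("method") == "POST" and BODY_RE.match(body):
        hits.append("gtc_body_only")        # same body shape on a different path
    if req.get("user_agent") == WINHTTP_UA:
        hits.append("winhttp_ua")           # corroborating only, never alone
    return hits


def triage(requests):
    """Keep only requests with a body-based hit; the UA by itself is not enough."""
    flagged = []
    for req in requests:
        hits = match_beacon(req)
        if any(h != "winhttp_ua" for h in hits):
            flagged.append((req["host"], req["path"], hits))
    return flagged


if __name__ == "__main__":
    for host, path, hits in triage(SAMPLE_REQUESTS):
        print(host, path, hits)
```

The Content-Length comparison matters: a rule keyed only on the path and the `gtc=` prefix would also fire on the truncated fourth record, while a rule keyed only on the user agent would fire on ordinary WinHTTP scripts (the third record). Port 8989 to the second masked host is a plain socket connection with no captured payload, so the page gives nothing to write a rule against there.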
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Wsckgk mgecisgc\ConnectGroup
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Wsckgk mgecisgc\MarkTime
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Wsckgk mgecisgc\Description
Other behavior
Behavior description: Create mutex
details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Cao360
Behavior description: Open mutex
details: RasPbFile
ShimCacheMutex
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Start system service
details: [Service started successfully]: LocalSystem, Wqqcyw maqcyamw, C:\WINDOWS\Uyesfdm.exe
Behavior description: Window information
details: Pid = 2640, Hwnd=0x1039a, Text = 新密码: (New password:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10398, Text = 安全密码: (Security password:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10396, Text = 用户账号: (User account:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10394, Text = 推荐人: (Referrer:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10392, Text = 充值卡号: (Top-up card number:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10390, Text = 用户账号: (User account:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x1038e, Text = 安全密码: (Security password:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x1038c, Text = 常用邮箱: (Email address:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x1038a, Text = 用户密码: (User password:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10388, Text = 用户账号: (User account:), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2640, Hwnd=0x10366, Text = 更改 (Change), ClassName = Button.
Pid = 2640, Hwnd=0x1035e, Text = 确认 (Confirm), ClassName = Button.
Pid = 2640, Hwnd=0x1035c, Text = 查询 (Query), ClassName = Button(RadioButton).
Pid = 2640, Hwnd=0x1035a, Text = 充值 (Top up), ClassName = Button(RadioButton).
Pid = 2640, Hwnd=0x10356, Text = 注册 (Register), ClassName = Button.
Behavior description: Open event
details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll (signature verification: failed)
C:\WINDOWS\Uyesfdm.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 5000.
[1]: MilliSeconds = 500.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
Behavior description: Hide specified window
details: [Window,Class] = [重新连接 (Reconnect),Button]
[Window,Class] = [,Edit]
[Window,Class] = [注册 (Register),Button]
[Window,Class] = [,Button]
[Window,Class] = [确认 (Confirm),Button]
[Window,Class] = [更改 (Change),Button]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [用户密码: (User password:),Afx:400000:b:10011:1900015:0]
[Window,Class] = [常用邮箱: (Email address:),Afx:400000:b:10011:1900015:0]
[Window,Class] = [安全密码: (Security password:),Afx:400000:b:10011:1900015:0]
[Window,Class] = [用户账号: (User account:),Afx:400000:b:10011:1900015:0]
[Window,Class] = [充值卡号: (Top-up card number:),Afx:400000:b:10011:1900015:0]
[Window,Class] = [ 推荐人: (Referrer:),Afx:400000:b:10011:1900015:0]
[Window,Class] = [ 新密码: (New password:),Afx:400000:b:10011:1900015:0]
Behavior description: Executable MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll ---> 0a292345a825b036a256d58e8993baa8
C:\WINDOWS\Uyesfdm.exe ---> 0a292345a825b036a256d58e8993baa8
Run screenshot (image not reproduced on this page)
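Three things in the report are worth pulling out programmatically rather than by eye. First, the file dropped to %temp% as ldyzvm.dll is launched as a process and then copied byte-for-byte to C:\WINDOWS\Uyesfdm.exe (both carry MD5 0a292345a825b036a256d58e8993baa8), so the hash is the stable pivot. Second, the service is created as "Wsckgk mgecisgc" but started as "Wqqcyw maqcyamw" for the same image path within one run, so the service names are not stable indicators. Third, the "Read CPU time-stamp counter directly" entries report EAX/EDX pairs, the register convention of RDTSC, and several consecutive readings are exactly 0x4c apart. The parser below is an added example, not VirSCAN's code: it assumes the line layout of the report above ("Behavior description:" then "details:" with continuation lines), its excerpt is constructed from lines of this report using the English labels of this page, and the function names are the example's own.

```python
"""Parse a VirSCAN-style behavior report into indicators an analyst pivots on.

Added example, not VirSCAN's own code. Assumes the layout used above: section
headers such as "File behavior", a "Behavior description:" line, then a
"details:" line with optional continuation lines.
"""
import re
from collections import defaultdict

SECTION_HEADERS = {"Key behavior", "Process behavior", "File behavior",
                   "Network behavior", "Registry behavior", "Other behavior"}

# Constructed excerpt: entries copied from the report above, same line layout.
SAMPLE_REPORT = r"""File behavior
Behavior description:Copy file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll ---> C:\WINDOWS\Uyesfdm.exe
Other behavior
Behavior description:Start system service
details:[Service started successfully]: LocalSystem, Wqqcyw maqcyamw, C:\WINDOWS\Uyesfdm.exe
Behavior description:Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\ldyzvm.dll ---> 0a292345a825b036a256d58e8993baa8
C:\WINDOWS\Uyesfdm.exe ---> 0a292345a825b036a256d58e8993baa8
Behavior description:Read CPU time-stamp counter directly
details:EAX = 0xdc062ae0, EDX = 0x000000b6
EAX = 0xdc062b2c, EDX = 0x000000b6
EAX = 0xdc062b78, EDX = 0x000000b6
Behavior description:Create system service
details:[Service created successfully]: Wsckgk mgecisgc, C:\WINDOWS\Uyesfdm.exe
"""

SERVICE_RE = re.compile(
    r"\[Service (?:created|started) successfully\]: (?:LocalSystem, )?(.+?), (.+)$")
MD5_RE = re.compile(r"^(.+?) ---> ([0-9a-f]{32})$")
RDTSC_RE = re.compile(r"EAX = 0x([0-9a-f]+), EDX = 0x([0-9a-f]+)")


def parse_report(text):
    """Map each behavior description to its detail lines, in report order.

    The same description can appear under more than one section, so details
    are appended rather than replaced. Section headers end the current entry.
    """
    behaviors = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = None
        elif line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
        elif current is not None:
            if line.startswith("details:"):
                line = line.split(":", 1)[1].strip()
            if line and line != "N/A":
                behaviors[current].append(line)
    return dict(behaviors)


def extract_indicators(behaviors):
    """Collect file hashes, service (name, image) pairs and copy operations."""
    hashes = {}
    for entry in behaviors.get("Executable MD5", []):
        m = MD5_RE.match(entry)
        if m:
            hashes[m.group(1)] = m.group(2)
    services = set()
    for key in ("Create system service", "Start system service"):
        for entry in behaviors.get(key, []):
            m = SERVICE_RE.match(entry)
            if m:
                services.add((m.group(1), m.group(2)))
    copies = [tuple(e.split(" ---> ", 1))
              for e in behaviors.get("Copy file", []) if " ---> " in e]
    return {"hashes": hashes, "services": services, "copies": copies}


def rdtsc_deltas(entries):
    """Reassemble EDX:EAX into 64-bit counter values and return consecutive deltas.

    Small, constant deltas indicate back-to-back reads in one timing loop;
    a sandbox that traps or slows RDTSC shows up as much larger gaps.
    """
    values = []
    for entry in entries:
        m = RDTSC_RE.search(entry)
        if m:
            eax, edx = int(m.group(1), 16), int(m.group(2), 16)
            values.append((edx << 32) | eax)
    return [b - a for a, b in zip(values, values[1:])]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(extract_indicators(parsed))
    print(rdtsc_deltas(parsed["Read CPU time-stamp counter directly"]))
```

Run against the full report, the hash map shows one hash for two paths, the service set shows two names for one image, and the delta list separates the tight 0x4c-cycle run from the larger jumps between timing checks. Entries whose details are masked on the page (the `****` hosts and `**.133.40.**` address) are kept as-is by the parser; it does not try to reconstruct them.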