VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 70
Behavior list
Basic Information
MD5: 87b65c5535ce6fe4145b199f1e605eae
File type: EXE
Production company: Www.ChaoJiZ.Com
Version: 2.6.5.3---2.6.5.3
Shell or compiler information: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Subfile information: upx_c_2cb2d399dumpFile / big file / EXE
Key behavior
Behavior description: Probe for the presence of Virtual PC
details: N/A
Behavior description: Detect virtual machine via file attributes
details: GetFileAttributes: FileName = C:\Program Files\VMware\Data
Behavior description: Get basic user information
details: Level = 10.
Behavior description: Get TickCount value
details: TickCount = 5377166, SleepMilliseconds = 10.
TickCount = 5377181, SleepMilliseconds = 10.
TickCount = 5378406, SleepMilliseconds = 250.
TickCount = 5379744, SleepMilliseconds = 10.
TickCount = 5380260, SleepMilliseconds = 10.
TickCount = 5382978, SleepMilliseconds = 10.
TickCount = 5383010, SleepMilliseconds = 10.
TickCount = 5391891, SleepMilliseconds = 1.
TickCount = 5391907, SleepMilliseconds = 1.
TickCount = 5392001, SleepMilliseconds = 1.
TickCount = 5392047, SleepMilliseconds = 1.
TickCount = 5392063, SleepMilliseconds = 1.
TickCount = 5392110, SleepMilliseconds = 1.
TickCount = 5392454, SleepMilliseconds = 1.
TickCount = 5392532, SleepMilliseconds = 1.
Behavior description: Create desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\%temp%\****.lnk
Behavior description: Look up PE resource information
details: (FindResourceA) hModule = 0x00000000, ResName: , ResType:
(FindResourceA) hModule = 0x00400000, ResName: D3DX81ab, ResType: dll
(FindResourceA) hModule = 0x00400000, ResName: Client, ResType: exe
Behavior description: Detect virtual machine via file search
details: FindFirstFileEx: FileName = C:\Program Files\Common Files\VMware\Map\3.map
FindFirstFileEx: FileName = C:\Program Files\Common Files\VMware\*.*
FindFirstFileEx: FileName = C:\Program Files\VMware\Map\3.map
FindFirstFileEx: FileName = C:\Program Files\VMware\*.*
FindFirstFileEx: FileName = C:\WINDOWS\Temp\vmware-SYSTEM\Map\3.map
FindFirstFileEx: FileName = C:\WINDOWS\Temp\vmware-SYSTEM\*.*
Process behavior
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2504, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2532, StartAddress = 00418112, Parameter = 00000001
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2536, StartAddress = 00418112, Parameter = 00000002
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2540, StartAddress = 00418112, Parameter = 00000003
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2544, StartAddress = 00418112, Parameter = 00000004
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2588, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2592, StartAddress = 00410ED8, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2396, ThreadID = 2628, StartAddress = 004025EF, Parameter = 00000000
TargetProcess: 996E.ChaoJiZ.exe, InheritedFromPID = 2396, ProcessID = 2668, ThreadID = 2776, StartAddress = 77DC845A, Parameter = 00000000
Behavior description: Create process from newly written file
details: ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe"
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\GameLogin_Debug.txt
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Search for files
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Map\3.map
FileName = D:\\Map\3.map
FileName = D:\*.*
FileName = C:\\Map\3.map
FileName = C:\*.*
FileName = H:\\Map\3.map
FileName = X:\\Map\3.map
FileName = X:\*.*
FileName = H:\*.*
FileName = C:\222c25ed\Map\3.map
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\Map\3.map
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\Map\3.map
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\桌面\%temp%\****.lnk ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\GameLogin_Debug.txt ---> Offset = 0
Network behavior
Behavior description: Connect to specified site
details: WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x051f3100, hConnect = 0x051f3200, Flags = 0x00000000
WinHttpConnect: ServerName = vi****om, PORT = 80, UserName = , Password = , hSession = 0x03711100, hConnect = 0x03711200, Flags = 0x00000000
Behavior description: Open HTTP session
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x051f3100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x03711100
Behavior description: Establish a connection to a specified socket
details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000664
URL: vi****om, IP: **.133.40.**:80, SOCKET = 0x000005b8
Behavior description: Send HTTP packet
details: GET / HTTP/1.1 Accept: Accept text/html, application/xhtml+xml, */* Accept-Language: zh-CN Referer: http://www.qq.com User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: ww****om Connection: Keep-Alive
GET /CY_nwzf.txt HTTP/1.1 Accept: Accept text/html, application/xhtml+xml, */* Accept-Language: zh-CN Referer: http://viplist.98kaixin.com/CY_nwzf.txt User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: vi****om Connection: Keep-Alive
GET /CY_nwzf.txt HTTP/1.1 Accept: Accept text/html, application/xhtml+xml, */* Accept-Language: zh-CN Referer: http://viplist.caihui168.com/CY_nwzf.txt User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: vi****om Connection: Keep-Alive
Behavior description: Open HTTP request
details: WinHttpOpenRequest: ww****om:80/, hConnect = 0x051f3200, hRequest = 0x052a0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: vi****om:80/cy_nwzf.txt, hConnect = 0x03711200, hRequest = 0x02710000, Verb: GET, Referer: , Flags = 0x00000080
Behavior description: Resolve host address by name
details: GetAddrInfoW: ww****om
GetAddrInfoW: vi****om
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\ChaoJiZ\ChaoJiZ_Com_107\name
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RasMan\Parameters\ProhibitIpSec
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe
Other behavior
Behavior description: Enumerate network shares
details: N/A
Behavior description: Hide specified window
details: [Window,Class] = [,WindowEx]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [,ProgressbarEx]
[Window,Class] = [,ButtonEx]
[Window,Class] = [,LabelEx]
[Window,Class] = [,SuperbuttonEx]
[Window,Class] = [996E 2653ce,WTWindow]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,Static]
Behavior description: Start system service
details: [服务启动成功]: LocalSystem, Remote Access Auto Connection Manager, C:\WINDOWS\system32\svchost.exe -k netsvcs
Behavior description: Get cursor position
details: CursorPos = (71,18468), SleepMilliseconds = 10.
CursorPos = (6364,26501), SleepMilliseconds = 10.
CursorPos = (19199,15725), SleepMilliseconds = 10.
CursorPos = (11508,29359), SleepMilliseconds = 10.
CursorPos = (26992,24465), SleepMilliseconds = 10.
CursorPos = (5735,28146), SleepMilliseconds = 10.
CursorPos = (23311,16828), SleepMilliseconds = 10.
CursorPos = (9991,492), SleepMilliseconds = 10.
CursorPos = (3025,11943), SleepMilliseconds = 10.
CursorPos = (4857,5437), SleepMilliseconds = 10.
CursorPos = (32421,14605), SleepMilliseconds = 10.
CursorPos = (3932,154), SleepMilliseconds = 10.
CursorPos = (322,12383), SleepMilliseconds = 10.
CursorPos = (17451,18717), SleepMilliseconds = 10.
CursorPos = (19748,19896), SleepMilliseconds = 10.
Behavior description: Directly access physical device
details: \??\PHYSICALDRIVE0
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe(签名验证: 未通过)
Behavior description: Read/write hard disk via SCSI commands
details: LBA = 0x4000 SCSIOP = 0x12
Behavior description: Executable MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.ChaoJiZ.exe ---> 文件过大!
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AGJ
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.AHK
Global\winlogon: Logon UserProfileMapping Mutex
Behavior description: Open event
details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000042
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000042
Global\SvcctrlStartEvent_A3752DX
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000043
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000043
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000044
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000044
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000045
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000045
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.AGJ.IC
EventName = MSCTF.SendReceiveConection.Event.AGJ.IC
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.AHK.IC
EventName = MSCTF.SendReceiveConection.Event.AHK.IC
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,0.0.0.0->0.0.0.0]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [,GINA Logon]
Behavior description: Window information
details: Pid = 2396, Hwnd=0x120340, Text = 确定, ClassName = Button.
Pid = 2396, Hwnd=0xc03a8, Text = 没有在您的电脑上发现传奇客户端,如有请手动将登录器复制到客户端目录下运行!!, ClassName = Static.
Pid = 2396, Hwnd=0x503b8, Text = 信息:, ClassName = #32770.
Pid = 2396, Hwnd=0x10032e, Text = 请双击选择客户端, ClassName = _EL_Label.
Pid = 2396, Hwnd=0x7038e, Text = 自动选择客户端, ClassName = Button.
Pid = 2396, Hwnd=0x110342, Text = 手动选择客户端, ClassName = Button.
Pid = 2396, Hwnd=0x10034c, Text = 正在寻找客户端,请稍后..., ClassName = WTWindow.
Pid = 2396, Hwnd=0xe035e, Text = 996E 2653ce, ClassName = WTWindow.
Pid = 2668, Hwnd=0x20432, Text = 1024 X 768, ClassName = TComboBox.
Pid = 2668, Hwnd=0x1902fe, Text = 是(&Y), ClassName = Button.
Pid = 2668, Hwnd=0xe02b2, Text = 否(&N), ClassName = Button.
Pid = 2668, Hwnd=0x902da, Text = 目录不正确,是否自动搜索传奇客户端?, ClassName = Static.
Pid = 2668, Hwnd=0x1202c8, Text = 提示信息, ClassName = #32770.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
details: N/A
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 250.
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
DBWinMutex