VirSCAN

File information
Safety rating: 79
Behavior list
Basic Information
MD5: 967109d0e8545713ab5dd93c0a4c811a
File type: zip
Production company:
Version:
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation *
Subfile information (name / MD5 / type):
SWSS.exe / d84ac903aeaa80e2fa507c926ac0dd2e / EXE
Spider.dll / 2d20553c0fb880e6a7e2ee9ec48693e2 / DLL
avtss.dll / a82da5432d7697502f82267ec5a60135 / DLL
Downloader.dll / b9d4895a876d7dab47de7474723aad0e / DLL
scansvc.exe / 3227d270ac319eabdcfad310782dd401 / EXE
AvtUrl.dll / d151bb3a9f31b01fd88fde2d8e603f9e / DLL
site4.lib / 60d595c05aeaa8470a93825d7b3e6817 / Unknown
site3.lib / d991b5e9b51c680b2dce9773745422f7 / Unknown
MDScan.dll / 499703bbc4edf17bd00b66fd6914f929 / DLL
site2.lib / 3ace99e03d5c145edd0a0e27d0564822 / Unknown
Key behavior
Behavior description: Modifies an existing executable file on the system
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll
Behavior description: Reads the TickCount value
Details: TickCount = 5354475, SleepMilliseconds = 100.
TickCount = 5354615, SleepMilliseconds = 100.
TickCount = 5354791, SleepMilliseconds = 10.
TickCount = 5354822, SleepMilliseconds = 10.
TickCount = 5354838, SleepMilliseconds = 10.
TickCount = 5354869, SleepMilliseconds = 10.
TickCount = 5354885, SleepMilliseconds = 10.
TickCount = 5363556, SleepMilliseconds = 10.
TickCount = 5378619, SleepMilliseconds = 10.
Process behavior
Behavior description: Creates local thread
Details: TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3668, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3688, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3700, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3704, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3712, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3716, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3724, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3732, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3736, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3740, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3756, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3760, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3764, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3768, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: SWSS.exe, InheritedFromPID = 1944, ProcessID = 3612, ThreadID = 3772, StartAddress = 00474D2F, Parameter = 012BEF40
File behavior
Behavior description: Modifies an existing executable file on the system
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll
Behavior description: Modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\config.ini ---> Offset = 18
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\config.ini ---> Offset = 88
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\config.ini ---> Offset = 105
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\config.ini ---> Offset = 231
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\config.ini ---> Offset = 256
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\config.ini ---> Offset = 0
Network behavior
Behavior description: Establishes a connection to a specified socket
Details: URL: a1****om, IP: **.133.40.**:80, SOCKET = 0x000006ac
Behavior description: Resolves host address by name
Details: gethostbyname: a1****om
Other behavior
Behavior description: Creates mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ACO
Behavior description: Creates event object
Details: EventName = MSCTF.SendReceive.Event.ACO.IC
EventName = MSCTF.SendReceiveConection.Event.ACO.IC
Behavior description: Finds specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details: Pid = 3612, Hwnd=0x1902ce, Text = 超级巡警挂马检测系统 V1.0, ClassName = Static.
Pid = 3612, Hwnd=0x7038a, Text = 正在检查版本信息..., ClassName = Static.
Pid = 3612, Hwnd=0x1d02bc, Text = 本地路径:, ClassName = Static.
Pid = 3612, Hwnd=0x603ac, Text = 开始扫描, ClassName = Button.
Pid = 3612, Hwnd=0xc03a0, Text = List1, ClassName = SysListView32.
Pid = 3612, Hwnd=0xf037c, Text = ..., ClassName = Button.
Pid = 3612, Hwnd=0x13033a, Text = 停止扫描, ClassName = Button.
Pid = 3612, Hwnd=0xe039e, Text = Progress1, ClassName = msctls_progress32.
Pid = 3612, Hwnd=0xb0398, Text = 扫描进度:, ClassName = Static.
Pid = 3612, Hwnd=0x7038e, Text = 检测文件:0, ClassName = Static.
Pid = 3612, Hwnd=0x10032e, Text = 用时:0 秒, ClassName = Static.
Pid = 3612, Hwnd=0xe02aa, Text = 状态:, ClassName = Static.
Pid = 3612, Hwnd=0x1203be, Text = 发现病毒:0, ClassName = Static.
Pid = 3612, Hwnd=0x503b8, Text = 100%, ClassName = Static.
Pid = 3612, Hwnd=0x1302b8, Text = 网站地址:, ClassName = Static.
Behavior description: Reads the TickCount value
Details: TickCount = 5354475, SleepMilliseconds = 100.
TickCount = 5354615, SleepMilliseconds = 100.
TickCount = 5354791, SleepMilliseconds = 10.
TickCount = 5354822, SleepMilliseconds = 10.
TickCount = 5354838, SleepMilliseconds = 10.
TickCount = 5354869, SleepMilliseconds = 10.
TickCount = 5354885, SleepMilliseconds = 10.
TickCount = 5363556, SleepMilliseconds = 10.
TickCount = 5378619, SleepMilliseconds = 10.
Behavior description: Gets cursor position
Details: CursorPos = (71,18468), SleepMilliseconds = 100.
Behavior description: Opens event
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000040
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000040
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Signature information of the modified executable
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll (signature verification: failed)
Behavior description: Calls Sleep function
Details: [1]: MilliSeconds = 100.
Behavior description: Hides specified window
Details: [Window,Class] = [软件设置,Static]
[Window,Class] = [联系我们,Static]
[Window,Class] = [扫描浏览器缓存,Static]
[Window,Class] = [查看扫描报告,Static]
[Window,Class] = [zx@nitsc.cn,Static]
[Window,Class] = [www.nitsc.cn,Static]
[Window,Class] = [,#32770]
Behavior description: Opens mutex
Details: ShimCacheMutex
Behavior description: MD5 of the modified executable
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\swss\Downloader.dll ---> b9d4895a876d7dab47de7474723aad0e