VirSCAN

File information
Safety rating: 50
Behavior list
Basic Information
MD5: b5a8f571ac37c79f219c426d0ff11ce1
File type: EXE
Production company:
Version:
Packer or compiler information: COMPILER: Borland Delphi 6.0 - 7.0
Key behavior
Behavior description: Cross-process memory write
details: TargetProcess = iexplore.exe, WriteAddress = 0x00140000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00150000, Size = 12
TargetProcess = iexplore.exe, WriteAddress = 0x00160000, Size = 210
TargetProcess = iexplore.exe, WriteAddress = 0x00270000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00280000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00290000, Size = 20
TargetProcess = iexplore.exe, WriteAddress = 0x002a0000, Size = 142
TargetProcess = iexplore.exe, WriteAddress = 0x004a0000, Size = 15
TargetProcess = iexplore.exe, WriteAddress = 0x004b0000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x004c0000, Size = 20
TargetProcess = iexplore.exe, WriteAddress = 0x004d0000, Size = 142
TargetProcess = iexplore.exe, WriteAddress = 0x004e0000, Size = 15
TargetProcess = iexplore.exe, WriteAddress = 0x004f0000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00500000, Size = 20
TargetProcess = iexplore.exe, WriteAddress = 0x00510000, Size = 142
Behavior description: Modify registry (autostart entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies
Behavior description: Create remote thread
details: C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Open file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\ieframe.dll.mui
MSCTF.MarshalInterface.FileMap.AIK..LDLIG
MSCTF.MarshalInterface.FileMap.AIK.B.LELIG
MSCTF.MarshalInterface.FileMap.AIK.C.LELIG
MSCTF.MarshalInterface.FileMap.AIK.D.LELIG
MSCTF.MarshalInterface.FileMap.AIK.E.LELIG
MSCTF.MarshalInterface.FileMap.AIK.F.KFLIG
MSCTF.MarshalInterface.FileMap.AIK.G.KFLIG
MSCTF.Shared.SFM.AIK
MSCTF.MarshalInterface.FileMap.AIK.H.EEIMG
MSCTF.MarshalInterface.FileMap.AIK.I.EEIMG
MSCTF.MarshalInterface.FileMap.AIK.J.EEIMG
MSCTF.MarshalInterface.FileMap.AIK.K.EEIMG
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Self-delete
details: C:\%temp%\1439746855.742238.exe
Behavior description: Resolve host address by name
details: satrancali1998.zapto.org
Process behavior
Behavior description: Cross-process memory write
details: TargetProcess = iexplore.exe, WriteAddress = 0x00140000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00150000, Size = 12
TargetProcess = iexplore.exe, WriteAddress = 0x00160000, Size = 210
TargetProcess = iexplore.exe, WriteAddress = 0x00270000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00280000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00290000, Size = 20
TargetProcess = iexplore.exe, WriteAddress = 0x002a0000, Size = 142
TargetProcess = iexplore.exe, WriteAddress = 0x004a0000, Size = 15
TargetProcess = iexplore.exe, WriteAddress = 0x004b0000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x004c0000, Size = 20
TargetProcess = iexplore.exe, WriteAddress = 0x004d0000, Size = 142
TargetProcess = iexplore.exe, WriteAddress = 0x004e0000, Size = 15
TargetProcess = iexplore.exe, WriteAddress = 0x004f0000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00500000, Size = 20
TargetProcess = iexplore.exe, WriteAddress = 0x00510000, Size = 142
Behavior description: Create process from newly created file
details: ImagePath = c:\dir\install\install\server.exe, CmdLine = "c:\dir\install\install\server.exe"
Behavior description: Create remote thread
details: C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Enumerate processes
details: N/A
Behavior description: Create process
details: ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe"
ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "rundll32.exe" C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\senben.jpg
File behavior
Behavior description: Create executable file
details: C:\dir\install\install\server.exe
Behavior description: Find file
details: FileName = c:\dir\install\install\server.exe
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XX--XX--XX.txt
FileName = c:\%temp%\1439746855.156208.exe
FileName = C:\Documents and Settings\Administrator\Application Data\logs.dat
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\senben.jpg
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XxX.xXx
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UuU.uUu
Behavior description: Open file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\ieframe.dll.mui
MSCTF.MarshalInterface.FileMap.AIK..LDLIG
MSCTF.MarshalInterface.FileMap.AIK.B.LELIG
MSCTF.MarshalInterface.FileMap.AIK.C.LELIG
MSCTF.MarshalInterface.FileMap.AIK.D.LELIG
MSCTF.MarshalInterface.FileMap.AIK.E.LELIG
MSCTF.MarshalInterface.FileMap.AIK.F.KFLIG
MSCTF.MarshalInterface.FileMap.AIK.G.KFLIG
MSCTF.Shared.SFM.AIK
MSCTF.MarshalInterface.FileMap.AIK.H.EEIMG
MSCTF.MarshalInterface.FileMap.AIK.I.EEIMG
MSCTF.MarshalInterface.FileMap.AIK.J.EEIMG
MSCTF.MarshalInterface.FileMap.AIK.K.EEIMG
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XX--XX--XX.txt---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\logs.dat---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\senben.jpg---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XxX.xXx---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UuU.uUu---> Offset = 0
Behavior description: Self-delete
details: C:\%temp%\1439746855.742238.exe
Network behavior
Behavior description: Send data on a connected socket
details: SOCKET = 0x00000284, TotalSize = 4, Offset = 0, ReadSize = 4.
SOCKET = 0x00000284, TotalSize = 33, Offset = 0, ReadSize = 33.
SOCKET = 0x00000284, TotalSize = 1, Offset = 0, ReadSize = 1.
Behavior description: Connect to a specified socket address
details: 219.133.40.1:1453
Behavior description: Resolve host address by name
details: satrancali1998.zapto.org
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\vítima\FirstExecution
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\vítima\NewIdentification
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\shimgvw.dll
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\dir\install\install\server.exe
Behavior description: Modify registry (Active Setup installed component)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{70LAJD5R-7TS7-E4IB-8C66-A21G5A7088B6}\StubPath
Behavior description: Modify registry (autostart entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies
Other behavior
Behavior description: Create mutex
details: RasPbFile
_x_X_UPDATE_X_x_
_x_X_PASSWORDLIST_X_x_
_x_X_BLOCKMOUSE_X_x_
***MUTEX***
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [ShImgVw:CPreviewWnd,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Get TickCount value
details: TickCount = 428468, SleepMilliseconds = 1000.
Behavior description: Window information
details: Pid = 2684, Hwnd=0x60240, Text = senben.jpg - Windows Picture and Fax Viewer, ClassName = ShImgVw:CPreviewWnd.
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 1000.
Behavior description: Open image file
details: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\senben.jpg
\Documents and Settings\Administrator\Local Settings\Temp\senben.jpg
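The records above are what a responder would pull into a triage note: memory writes into iexplore.exe followed by a remote thread in that process (the WriteProcessMemory + CreateRemoteThread injection pattern), persistence through an Active Setup StubPath whose "CLSID" contains non-hex characters that Windows itself would never generate, a Policies\Explorer\Run entry, and a dynamic DNS hostname plus a direct ip:port connection. The script below is an added example, not VirSCAN's code or part of the sample; it parses the "Behavior description / details" record format used in this report and derives those indicators. REPORT_EXCERPT is a constructed excerpt of the report on this page, and the check names and regexes are this example's own.

```python
"""Triage helper for a VirSCAN-style sandbox behavior list.

Added example, not VirSCAN's code. It parses the "Behavior description: X /
details: Y" records as printed in the report (continuation lines carry
further details for the same behavior) and pulls out what a responder acts
on first: the injection chain into another process, the autostart registry
paths, and the network indicators. REPORT_EXCERPT is a constructed excerpt
of the report on this page.
"""
import re

REPORT_EXCERPT = """\
Behavior description: Cross-process memory write
details: TargetProcess = iexplore.exe, WriteAddress = 0x00140000, Size = 13
TargetProcess = iexplore.exe, WriteAddress = 0x00160000, Size = 210
Behavior description: Create remote thread
details: C:\\Program Files\\Internet Explorer\\iexplore.exe
Behavior description: Modify registry (Active Setup installed component)
details: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{70LAJD5R-7TS7-E4IB-8C66-A21G5A7088B6}\\StubPath
Behavior description: Modify registry (autostart entry)
details: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\\Policies
Behavior description: Connect to a specified socket address
details: 219.133.40.1:1453
Behavior description: Resolve host address by name
details: satrancali1998.zapto.org
"""

WRITE_RE = re.compile(
    r"TargetProcess = (?P<proc>[^,]+), WriteAddress = (?P<addr>0x[0-9a-fA-F]+), "
    r"Size = (?P<size>\d+)")
# A CLSID Windows itself would register: hex digits only, 8-4-4-4-12.
HEX_GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
AUTOSTART_MARKERS = (            # compared case-insensitively
    "\\currentversion\\run",
    "\\policies\\explorer\\run",
    "\\active setup\\installed components\\",
)
SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_behaviors(text):
    """Return {behavior_name: [detail, ...]} in report order."""
    records = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
            records.setdefault(current, [])
        elif line.startswith("details:"):
            if current is not None:
                records[current].append(line.split(":", 1)[1].strip())
        elif current is not None:
            records[current].append(line)  # continuation of the same record
    return records


def injection_chain(records):
    """Processes that received both cross-process writes and a remote thread,
    mapped to the total bytes written into them."""
    written = {}
    for detail in records.get("Cross-process memory write", []):
        m = WRITE_RE.search(detail)
        if m:
            proc = m["proc"].strip().lower()
            written[proc] = written.get(proc, 0) + int(m["size"])
    threaded = {d.rsplit("\\", 1)[-1].lower()
                for d in records.get("Create remote thread", [])}
    return {p: n for p, n in written.items() if p in threaded}


def persistence_findings(records):
    """(registry_path, note) for autostart locations. An Active Setup key
    whose CLSID is not valid hex was never created by Windows setup."""
    findings = []
    for name, details in records.items():
        if not name.startswith("Modify registry"):
            continue
        for path in details:
            if not any(mk in path.lower() for mk in AUTOSTART_MARKERS):
                continue
            note = "autostart location"
            guid = re.search(r"\{[^}]+\}", path)
            if guid and not HEX_GUID_RE.match(guid.group(0)):
                note = "Active Setup StubPath with non-hex CLSID " + guid.group(0)
            findings.append((path, note))
    return findings


def network_iocs(records):
    """Resolved names and (ip, port) endpoints contacted."""
    endpoints = []
    for detail in records.get("Connect to a specified socket address", []):
        m = SOCKET_RE.match(detail)
        if m:
            endpoints.append((m.group(1), int(m.group(2))))
    return {"domains": list(records.get("Resolve host address by name", [])),
            "endpoints": endpoints}


if __name__ == "__main__":
    recs = parse_behaviors(REPORT_EXCERPT)
    print("injection:", injection_chain(recs))
    for path, note in persistence_findings(recs):
        print("persistence:", note, "->", path)
    print("network:", network_iocs(recs))
```

Run against the full report, the write sizes sum to 803 bytes into iexplore.exe, which is far too small to be a whole payload: the writes are most likely configuration strings and a loader stub, with the real code arriving through the remote thread. The non-hex CLSID check is the cheapest of these detections to turn into a host-side audit, since every legitimate Active Setup component key is a proper GUID.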