VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Language
Server load
Server Load

File information
Safety rating:20
Behavior list
Basic Information
MD5:c730e39fa3cc2ffd832b9b3f5aa4c876
file type:RTF文档
Production company:
version:
Shell or compiler information:
Key behavior
Behavior description:设置特殊文件夹属性
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
File behavior
Behavior description:创建文件
details:C:\Users\Administrator\AppData\Local\Temp\~DFA18BB59C1707522D.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot
C:\Users\Administrator\AppData\Local\%temp%\****.rtf
C:\Users\Administrator\AppData\Local\Temp\~WRF0000.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\templater[1].doc
Behavior description:删除文件
details:C:\Users\Administrator\AppData\Local\Temp\~DFA18BB59C1707522D.TMP
Behavior description:设置特殊文件夹属性
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description:修改文件内容
details:C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 54
C:\Users\Administrator\AppData\Local\%temp%\****.rtf ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\****.rtf ---> Offset = 54
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\templater[1].doc ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\templater[1].doc ---> Offset = 1024
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\templater[1].doc ---> Offset = 1042
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\templater[1].doc ---> Offset = 1060
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\templater[1].doc ---> Offset = 1078
Behavior description:查找文件
details:FileName = C:\Program Files\Common Files\Microsoft Shared\office11
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\*.*
FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office
FileName = C:\Program Files\Microsoft Office\OFFICE11\Normal.dot
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\Normal.dot
FileName = C:\Users\Administrator\AppData\Local\%temp%\****.rtf
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
Network behavior
Behavior description:建立到一个指定的套接字连接
details:IP: **.0.0.**:49155, SOCKET = 0x00000454
IP: **.200.194.**:80, SOCKET = 0x000004b0
Behavior description:发送HTTP包
details:GET //templater.doc HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: **.200.194.** Connection: Keep-Alive
Registry behavior
Behavior description:修改注册表
details:\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\{(
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\U)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WORDFiles
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\u,
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\WINWORD_RASMANCS\FileTracingMask
Behavior description:删除注册表键值
details:\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\U)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Other behavior
Behavior description:检测自身是否被调试
details:IsDebuggerPresent
Behavior description:创建互斥体
details:Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description:创建事件对象
details:EventName = PrimaryWord11Mutex
EventName = OleDfRoot8E58A4D43473C4A4
EventName = OleDfRoot80313B2AE487B1FC
EventName = OleDfRoot2F48DD11D9A50AE6
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description:打开事件
details:Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.736
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Behavior description:窗口信息
details:Pid = 736, Hwnd=0x40192, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Pid = 736, Hwnd=0x40196, Text = 格式, ClassName = MsoCommandBar.
Pid = 736, Hwnd=0x70204, Text = 常用, ClassName = MsoCommandBar.
Pid = 736, Hwnd=0x40184, Text = 菜单栏, ClassName = MsoCommandBar.
Pid = 736, Hwnd=0xa015c, Text = Microsoft Word, ClassName = OpusApp.
Behavior description:打开互斥体
details:Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Local\MU_ACBPIDS08
Local\MSCTF.Asm.MutexDefault1
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
中国反网络病毒联盟
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号