VirSCAN
File information
Safety rating: 80
Behavior list
Basic Information
MD5: d39ede97035340a7cb2e98eccf998291
File type: Rar
Production company:
version:
Shell or compiler information:
Key behavior
Behavior description: Stop system service
details: ServiceName = Print Spooler
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,RICHEDIT]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Modify registry (autostart entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Assistant 7.0
Process behavior
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\Program Files\Adobe_PDF_Printer\install.bat" "
ImagePath = C:\WINDOWS\regedit.exe, CmdLine = regedit /S reg.reg
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKLM\SOFTWARE\Adobe\Acrobat Distiller\7.0" /v InstallPath /t REG_SZ /d "C:\Program Files\Adobe_PDF_Printer\Distillr" /f
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKLM\SOFTWARE\Adobe\Acrobat Distiller\7.0" /v JobOptionsFolder /t REG_SZ /d "C:\Program Files\Adobe_PDF_Printer\Settings\\" /f
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKLM\SOFTWARE\Adobe\Acrobat Distiller\7.0\InstallPath" /ve /t REG_SZ /d "C:\Program Files\Adobe_PDF_Printer\Distillr" /f
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKLM\SOFTWARE\Classes\AcroDist\shell\Open\command /ve /t REG_SZ /d "\"C:\Program Files\Adobe_PDF_Printer\Distillr\AcroDist.exe\" "\"%1\" /f
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Acrobat Assistant 7.0" /t REG_SZ /d "C:\Program Files\Adobe_PDF_Printer\Distillr\Acrotray.exe" /f
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port" /v Driver /t REG_SZ /d "C:\Program Files\Adobe_PDF_Printer\Driver\AdobePDF.dll" /f
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net stop spooler
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 stop spooler
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net start spooler
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 start spooler
Behavior description: Create process from newly created file
details: ImagePath = C:\Program Files\Adobe_PDF_Printer\Rar.exe, CmdLine = rar.exe x Drivers.rar C:\WINDOWS\System32\spool\drivers -o- -idq
File behavior
Behavior description: Create writable file mapping
details: \WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
Local\UrlZonesSM_Administrator
AtlDebugAllocator_FileMappingNameStatic3_7b4
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Behavior description: Create executable file
details: C:\Program Files\Adobe_PDF_Printer\Distillr\acrodist.exe
C:\Program Files\Adobe_PDF_Printer\Distillr\acrotray.exe
C:\Program Files\Adobe_PDF_Printer\Rar.exe
C:\Program Files\Adobe_PDF_Printer\Distillr\ace.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\acrodistdll.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\adist32.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\adistres.dll
C:\Program Files\Adobe_PDF_Printer\Driver\AdobePDF.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\AdobeXMP.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\agm.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\ARE.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\AXE16SharedExpat.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\AXE8SharedExpat.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\BIB.dll
C:\Program Files\Adobe_PDF_Printer\Distillr\BibUtils.dll
Behavior description: Modify file contents
details: C:\Program Files\Adobe_PDF_Printer\install.bat---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\卸载虚拟打印机.bat---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\PSDisk\Resource\CIDFont\SMMyungjo-Medium---> Offset = 84736
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\PSDisk\Resource\CIDFont\STFangsong-Light---> Offset = 50176
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\PSDisk\Resource\CIDFont\STHeiti-Regular---> Offset = 57600
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\PSDisk\Resource\CIDFont\STKaiti-Regular---> Offset = 50176
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\PSDisk\Resource\CIDFont\STSong-Light---> Offset = 98304
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\PSDisk\Resource\CIDFont\Taipei---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Settings\High Quality Print.joboptions---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Settings\Press Quality.joboptions---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Settings\Smallest File Size.joboptions---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Settings\Standard.joboptions---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\Fonts\cob_____.pfb---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\Fonts\cobo____.pfb---> Offset = 0
C:\Program Files\Adobe_PDF_Printer\Distillr\Data\Fonts\com_____.pfb---> Offset = 0
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG\Trace Level
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\WinRAR SFX\C%%Program Files%Adobe_PDF_Printer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\X\BaseClass
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Adobe_PDF_Printer\install.bat
\REGISTRY\MACHINE\SOFTWARE\Adobe\Acrobat Distiller\7.0\DefaultPDFOutput
\REGISTRY\MACHINE\SOFTWARE\Adobe\Acrobat Distiller\7.0\JobOptions
\REGISTRY\MACHINE\SOFTWARE\Adobe\Acrobat Distiller\7.0\RunFromLocalDisk
\REGISTRY\MACHINE\SOFTWARE\Adobe\Acrobat Distiller\7.0\PrinterName\
\REGISTRY\MACHINE\SOFTWARE\Adobe\Acrobat Distiller\7.0\Language\UI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\Action
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\Attributes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\ChangeID
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\Datatype
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\Default Priority
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\Description
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG\Trace Level
Behavior description: Modify registry (printer support program)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows NT x86\Drivers\Version-3\Adobe PDF Converter\Configuration File
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows NT x86\Drivers\Version-3\Adobe PDF Converter\Driver
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port\Driver
Behavior description: Modify registry (autostart entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Assistant 7.0
Other behavior
Behavior description: Create mutex
details: Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
SHIMLIB_LOG_MUTEX
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,RICHEDIT]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
Behavior description: Start system service
details: [服务启动成功]: LocalSystem, Print Spooler, C:\WINDOWS\system32\spoolsv.exe
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 1972, Hwnd=0xb016a, Text = 目标文件夹(&D), ClassName = Static.
Pid = 1972, Hwnd=0xb01de, Text = C:\Program Files\Adobe_PDF_Printer, ClassName = ComboBox.
Pid = 1972, Hwnd=0xd01c8, Text = C:\Program Files\Adobe_PDF_Printer, ClassName = Edit.
Pid = 1972, Hwnd=0xc01c2, Text = 浏览(&W)..., ClassName = Button.
Pid = 1972, Hwnd=0xb0184, Text = 安装进度, ClassName = Static.
Pid = 1972, Hwnd=0xa018c, Text = 安装, ClassName = Button.
Pid = 1972, Hwnd=0xe016e, Text = 取消, ClassName = Button.
Pid = 1972, Hwnd=0xa0186, Text = WinRAR 自解压文件, ClassName = #32770.
Pid = 2208, Hwnd=0xe01a4, Text = C:\WINDOWS\system32\cmd.exe, ClassName = ConsoleWindowClass.
Pid = 1872, Hwnd=0xa039e, Text = C:\WINDOWS\system32\net.exe, ClassName = ConsoleWindowClass.
Pid = 2688, Hwnd=0xb039e, Text = C:\WINDOWS\system32\net.exe, ClassName = ConsoleWindowClass.
Behavior description: Stop system service
details: ServiceName = Print Spooler