VirSCAN

1, You can upload any file, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Safety rating: 21
Behavior list
Basic Information
MD5: eac084b6506caa1f035baeebfefa4f81
File type: Rar
Production company:
Version:
Shell or compiler information:
Subfile information: 灰鸽子黑防专版.exe / big file / Rar
Key behavior
Behavior description: Cross-process data write
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffd6008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 827392
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,RICHEDIT]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Set thread context
details: C:\WINDOWS\system32\svchost.exe
Behavior description: Set special file attributes
details: C:\WINDOWS\Hacker.com.cn.exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Create system service
details: [服务创建成功]: GrayPigeon_Hacker.com.cn, C:\WINDOWS\Hacker.com.cn.exe
Behavior description: Resolve host address by name
details: wangsen113355.gicp.net
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = c:\windows\uninstal.bat
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\svchost.exe, CmdLine = C:\WINDOWS\system32\svchost.exe
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\WINDOWS\UNINSTAL.BAT
Behavior description: Create process from newly created file
details: ImagePath = C:\WINDOWS\黑防灰鸽子12.30免杀.exe, CmdLine = "C:\WINDOWS\黑防灰鸽子12.30免杀.exe"
ImagePath = C:\WINDOWS\Server_Setup.exe, CmdLine = "C:\WINDOWS\Server_Setup.exe"
ImagePath = C:\WINDOWS\Hacker.com.cn.exe, CmdLine = C:\WINDOWS\Hacker.com.cn.exe
Behavior description: Cross-process data write
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffd6008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 827392
Behavior description: Set thread context
details: C:\WINDOWS\system32\svchost.exe
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Map file with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.ALJ..FILFF
MSCTF.MarshalInterface.FileMap.ALJ.B.FILFF
MSCTF.MarshalInterface.FileMap.ALJ.C.FILFF
MSCTF.MarshalInterface.FileMap.ALJ.D.FILFF
MSCTF.MarshalInterface.FileMap.ALJ.E.FILFF
MSCTF.MarshalInterface.FileMap.ALJ.F.FJLFF
MSCTF.MarshalInterface.FileMap.ALJ.G.FJLFF
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
AtlDebugAllocator_FileMappingNameStatic3_a94
MSCTF.MarshalInterface.FileMap.IJK..CMDGF
MSCTF.MarshalInterface.FileMap.IJK.B.CNDGF
MSCTF.MarshalInterface.FileMap.IJK.C.CNDGF
Behavior description: Set special file attributes
details: C:\WINDOWS\Hacker.com.cn.exe
Behavior description: Create executable file
details: C:\WINDOWS\黑防灰鸽子12.30免杀.exe
C:\WINDOWS\Server_Setup.exe
C:\WINDOWS\Hacker.com.cn.exe
C:\WINDOWS\黑防灰鸽子12.30免杀\Cache\CServer.dat
C:\WINDOWS\黑防灰鸽子12.30免杀\dat\ResHacker.EXE
C:\WINDOWS\黑防灰鸽子12.30免杀\黑防灰鸽子脱壳版.exe
Behavior description: Modify file contents
details: C:\WINDOWS\黑防灰鸽子12.30免杀\Config\2010-06-08_192041.dat---> Offset = 0
C:\WINDOWS\黑防灰鸽子12.30免杀\Config\2010-06-08_192041.ini---> Offset = 0
C:\WINDOWS\黑防灰鸽子12.30免杀\dat\QQWry.Dat---> Offset = 196608
C:\WINDOWS\黑防灰鸽子12.30免杀\FTPIp.dat---> Offset = 0
C:\WINDOWS\黑防灰鸽子12.30免杀\Operate.ini---> Offset = 0
C:\WINDOWS\UNINSTAL.BAT---> Offset = 0
C:\WINDOWS\黑防灰鸽子12.30免杀\SOUND\downfile.wav---> Offset = 77056
C:\WINDOWS\黑防灰鸽子12.30免杀\SOUND\login.wav---> Offset = 31488
C:\WINDOWS\黑防灰鸽子12.30免杀\SOUND\offline.wav---> Offset = 30464
C:\WINDOWS\黑防灰鸽子12.30免杀\SOUND\setting.wav---> Offset = 32768
C:\WINDOWS\黑防灰鸽子12.30免杀\SOUND\upfile.wav---> Offset = 7680
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Network behavior
Behavior description: Establish connection to a specified socket
details: 219.133.40.1:8000
Behavior description: Resolve host address by name
details: wangsen113355.gicp.net
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\WinRAR SFX\C%%WINDOWS
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\黑防灰鸽子12.30免杀.exe
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\Server_Setup.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\黑防灰鸽子12.30免杀\DEBUG\Trace Level
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\黑防灰鸽子12.30免杀\DEBUG\Trace Level
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
_SHuassist.mtx
Local\!PrivacIE!SharedMemory!Mutex
RasPbFile
MSCTF.Shared.MUTEX.IJK
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,RICHEDIT]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Start system service
details: [服务启动成功]: LocalSystem, GrayPigeon_Hacker.com.cn, C:\WINDOWS\Hacker.com.cn.exe
Behavior description: Acquire system privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Window information
details: Pid = 2708, Hwnd=0x20366, Text = 目标文件夹(&D), ClassName = Static.
Pid = 2708, Hwnd=0x20364, Text = C:\WINDOWS, ClassName = ComboBox.
Pid = 2708, Hwnd=0x20360, Text = C:\WINDOWS, ClassName = Edit.
Pid = 2708, Hwnd=0x2036a, Text = 浏览(&W)..., ClassName = Button.
Pid = 2708, Hwnd=0x20356, Text = 安装进度, ClassName = Static.
Pid = 2708, Hwnd=0x2035a, Text = 安装, ClassName = Button.
Pid = 2708, Hwnd=0x20354, Text = 取消, ClassName = Button.
Pid = 2708, Hwnd=0x2034c, Text = WinRAR 自解压文件, ClassName = #32770.
Behavior description: Create system service
details: [服务创建成功]: GrayPigeon_Hacker.com.cn, C:\WINDOWS\Hacker.com.cn.exe
Abnormal crash