VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.

File information
Safety rating: 70
Behavior list
Basic Information
MD5: faf88fa540da8001a40dcc81d3cb4267
File type: Rar
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0
Subfile information:
upx_c_bed5b647 dumpFile / big file / EXE
武动乾坤.exe dumpFile / big file / EXE
武动乾坤.exe / big file / EXE
Key behavior
Behavior description: Detects whether Virtual PC is present
details: N/A
Behavior description: Detects virtual machine by reading file attributes
details: GetFileAttributes: FileName = C:\Program Files\VMware\Data
Behavior description: Reads TickCount value
details: TickCount = 5379728, SleepMilliseconds = 10.
TickCount = 5379744, SleepMilliseconds = 10.
TickCount = 5379760, SleepMilliseconds = 10.
TickCount = 5379775, SleepMilliseconds = 10.
TickCount = 5379791, SleepMilliseconds = 10.
TickCount = 5388181, SleepMilliseconds = 10.
TickCount = 5388188, SleepMilliseconds = 1.
TickCount = 5388204, SleepMilliseconds = 1.
TickCount = 5397376, SleepMilliseconds = 1.
TickCount = 5397485, SleepMilliseconds = 1.
TickCount = 5397547, SleepMilliseconds = 1.
TickCount = 5397563, SleepMilliseconds = 1.
TickCount = 5397594, SleepMilliseconds = 1.
TickCount = 5397985, SleepMilliseconds = 1.
TickCount = 5398001, SleepMilliseconds = 1.
Behavior description: Creates shortcut on the desktop
details: C:\Documents and Settings\Administrator\桌面\武动乾坤.lnk
C:\Documents and Settings\Administrator\桌面\武动乾坤-鉴定.lnk
Behavior description: Looks up PE resource information
details: (FindResourceA) hModule = 0x00000000, ResName: , ResType:
(FindResourceA) hModule = 0x00400000, ResName: D3DX81ab, ResType: dll
(FindResourceA) hModule = 0x00400000, ResName: Client, ResType: exe
Behavior description: Reads CPU clock directly
details: N/A
Behavior description: Detects virtual machine by searching for files
details: FindFirstFileEx: FileName = C:\Program Files\Common Files\VMware\Map\3.map
FindFirstFileEx: FileName = C:\Program Files\Common Files\VMware\*.*
FindFirstFileEx: FileName = C:\Program Files\VMware\Map\3.map
FindFirstFileEx: FileName = C:\Program Files\VMware\*.*
FindFirstFileEx: FileName = C:\WINDOWS\Temp\vmware-SYSTEM\Map\3.map
FindFirstFileEx: FileName = C:\WINDOWS\Temp\vmware-SYSTEM\*.*
Process behavior
Behavior description: Creates local thread
details: TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2508, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2544, StartAddress = 0041D5D4, Parameter = 00000001
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2548, StartAddress = 0041D5D4, Parameter = 00000002
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2552, StartAddress = 0041D5D4, Parameter = 00000003
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2556, StartAddress = 0041D5D4, Parameter = 00000004
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2604, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2608, StartAddress = 00415EE8, Parameter = 00000000
TargetProcess: 武动乾坤.exe, InheritedFromPID = 1944, ProcessID = 2492, ThreadID = 2652, StartAddress = 00409C27, Parameter = 00000000
TargetProcess: 武动乾坤.ChaoJiZ.exe, InheritedFromPID = 2492, ProcessID = 2804, ThreadID = 2824, StartAddress = 77DC845A, Parameter = 00000000
Behavior description: Creates new process from file
details: ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe"
Behavior description: Enumerates processes
details: N/A
File behavior
Behavior description: Creates file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\GameLogin_Debug.txt
Behavior description: Detects virtual machine by reading file attributes
details: GetFileAttributes: FileName = C:\Program Files\VMware\Data
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe
Behavior description: Overwrites existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\桌面\武动乾坤.lnk
Behavior description: Searches for files
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Map\3.map
FileName = C:\\Map\3.map
FileName = D:\\Map\3.map
FileName = H:\\Map\3.map
FileName = X:\\Map\3.map
FileName = C:\*.*
FileName = X:\*.*
FileName = H:\*.*
FileName = D:\*.*
FileName = C:\222c25ed\Map\3.map
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\Map\3.map
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\Map\3.map
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
Behavior description: Creates shortcut on the desktop
details: C:\Documents and Settings\Administrator\桌面\武动乾坤.lnk
C:\Documents and Settings\Administrator\桌面\武动乾坤-鉴定.lnk
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\桌面\武动乾坤.lnk ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\GameLogin_Debug.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\GameLogin_Debug.txt ---> Offset = 128
C:\Documents and Settings\Administrator\桌面\武动乾坤-鉴定.lnk ---> Offset = 0
Network behavior
Behavior description: Connects to specified site
details: WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x05383100, hConnect = 0x05383200, Flags = 0x00000000
WinHttpConnect: ServerName = nw****om, PORT = 80, UserName = , Password = , hSession = 0x036a1100, hConnect = 0x036a1200, Flags = 0x00000000
WinHttpConnect: ServerName = bl****cn, PORT = 80, UserName = , Password = , hSession = 0x036a1100, hConnect = 0x036a1200, Flags = 0x00000000
Behavior description: Opens HTTP connection
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x05383100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x036a1100
Behavior description: Establishes a connection to a specified socket
details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000664
URL: nw****om, IP: **.133.40.**:80, SOCKET = 0x000005b4
URL: bl****cn, IP: **.133.40.**:80, SOCKET = 0x000005b4
Behavior description: Sends HTTP packet
details: GET / HTTP/1.1 Accept: Accept text/html, application/xhtml+xml, */* Accept-Language: zh-CN Referer: http://www.qq.com User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: ww****om Connection: Keep-Alive
GET /nwzf.txt HTTP/1.1 Accept: Accept text/html, application/xhtml+xml, */* Accept-Language: zh-CN Referer: http://nwzf.029sf.com/nwzf.txt User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: nw****om Connection: Keep-Alive
GET /rss/1749290824.xml HTTP/1.1 Accept: Accept text/html, application/xhtml+xml, */* Accept-Language: zh-CN Referer: http://blog.sina.com.cn/rss/1749290824.xml User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: bl****cn Connection: Keep-Alive
Behavior description: Opens HTTP request
details: WinHttpOpenRequest: ww****om:80/, hConnect = 0x05383200, hRequest = 0x05430000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: nw****om:80/nwzf.txt, hConnect = 0x036a1200, hRequest = 0x026a0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: bl****cn:80/rss/1749290824.xml, hConnect = 0x036a1200, hRequest = 0x026a0000, Verb: GET, Referer: , Flags = 0x00000080
Behavior description: Resolves host address by name
details: GetAddrInfoW: ww****om
GetAddrInfoW: nw****om
GetAddrInfoW: bl****cn
Registry behavior
Behavior description: Modifies registry
details: \REGISTRY\MACHINE\SOFTWARE\ChaoJiZ\ChaoJiZ_Com_19\name
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RasMan\Parameters\ProhibitIpSec
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe
Behavior description: Deletes registry value
details: \REGISTRY\MACHINE\SOFTWARE\ChaoJiZ\ChaoJiZ_Com_19\name
Other behavior
Behavior description: Reads cursor position
details: CursorPos = (71,18468), SleepMilliseconds = 10.
CursorPos = (6364,26501), SleepMilliseconds = 10.
CursorPos = (19199,15725), SleepMilliseconds = 1.
CursorPos = (11508,29359), SleepMilliseconds = 1.
Behavior description: Creates mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AMJ
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Enumerates network shares
details: N/A
Behavior description: Creates event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceiveConection.Event.AMJ.IC
EventName = MSCTF.SendReceive.Event.AMJ.IC
EventName = Global\crypt32LogoffEvent
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000042
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000042
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000043
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000043
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000044
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000044
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000045
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000045
Behavior description: Detects whether Virtual PC is present
details: N/A
Behavior description: Opens mutex
details: ShimCacheMutex
Local\!IETld!Mutex
DBWinMutex
Behavior description: Finds specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,0.0.0.0->0.0.0.0]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Starts system service
details: [服务启动成功]: LocalSystem, Remote Access Auto Connection Manager, C:\WINDOWS\system32\svchost.exe -k netsvcs
Behavior description: Enumerates windows
details: N/A
Behavior description: Reads TickCount value
details: TickCount = 5379728, SleepMilliseconds = 10.
TickCount = 5379744, SleepMilliseconds = 10.
TickCount = 5379760, SleepMilliseconds = 10.
TickCount = 5379775, SleepMilliseconds = 10.
TickCount = 5379791, SleepMilliseconds = 10.
TickCount = 5388181, SleepMilliseconds = 10.
TickCount = 5388188, SleepMilliseconds = 1.
TickCount = 5388204, SleepMilliseconds = 1.
TickCount = 5397376, SleepMilliseconds = 1.
TickCount = 5397485, SleepMilliseconds = 1.
TickCount = 5397547, SleepMilliseconds = 1.
TickCount = 5397563, SleepMilliseconds = 1.
TickCount = 5397594, SleepMilliseconds = 1.
TickCount = 5397985, SleepMilliseconds = 1.
TickCount = 5398001, SleepMilliseconds = 1.
Behavior description: Adjusts process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 2492, Hwnd=0xc03a8, Text = 确定, ClassName = Button.
Pid = 2492, Hwnd=0x1702b6, Text = 没有在您的电脑上发现传奇客户端,如有请手动将登录器复制到客户端目录下运行!!, ClassName = Static.
Pid = 2492, Hwnd=0x120340, Text = 信息:, ClassName = #32770.
Pid = 2492, Hwnd=0x1203be, Text = 请双击选择客户端, ClassName = _EL_Label.
Pid = 2492, Hwnd=0xe02aa, Text = 自动选择客户端, ClassName = Button.
Pid = 2492, Hwnd=0x10032e, Text = 手动选择客户端, ClassName = Button.
Pid = 2492, Hwnd=0xe039e, Text = 正在寻找客户端,请稍后..., ClassName = WTWindow.
Pid = 2492, Hwnd=0x603b0, Text = 武动乾坤 5400cq, ClassName = WTWindow.
Pid = 2804, Hwnd=0x20446, Text = 1024 X 768, ClassName = TComboBox.
Pid = 2804, Hwnd=0xc0330, Text = 是(&Y), ClassName = Button.
Pid = 2804, Hwnd=0x903ba, Text = 否(&N), ClassName = Button.
Pid = 2804, Hwnd=0x1a02ce, Text = 目录不正确,是否自动搜索传奇客户端?, ClassName = Static.
Pid = 2804, Hwnd=0x303ce, Text = 提示信息, ClassName = #32770.
Behavior description: Looks up PE resource information
details: (FindResourceA) hModule = 0x00000000, ResName: , ResType:
(FindResourceA) hModule = 0x00400000, ResName: D3DX81ab, ResType: dll
(FindResourceA) hModule = 0x00400000, ResName: Client, ResType: exe
Behavior description: Accesses physical device directly
details: \??\PHYSICALDRIVE0
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe(签名验证: 未通过)
Behavior description: Hides specified window
details: [Window,Class] = [,WindowEx]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [,ProgressbarEx]
[Window,Class] = [,ButtonEx]
[Window,Class] = [,LabelEx]
[Window,Class] = [,SuperbuttonEx]
[Window,Class] = [武动乾坤 5400cq,WTWindow]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,Static]
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\武动乾坤.ChaoJiZ.exe ---> 文件过大!
Behavior description: Reads CPU clock directly
details: N/A
Behavior description: Reads/writes hard disk using SCSI commands
details: LBA = 0x4000 SCSIOP = 0x12
Behavior description: Detects virtual machine by searching for files
details: FindFirstFileEx: FileName = C:\Program Files\Common Files\VMware\Map\3.map
FindFirstFileEx: FileName = C:\Program Files\Common Files\VMware\*.*
FindFirstFileEx: FileName = C:\Program Files\VMware\Map\3.map
FindFirstFileEx: FileName = C:\Program Files\VMware\*.*
FindFirstFileEx: FileName = C:\WINDOWS\Temp\vmware-SYSTEM\Map\3.map
FindFirstFileEx: FileName = C:\WINDOWS\Temp\vmware-SYSTEM\*.*