VirSCAN

1. You can UPLOAD any file of up to 20MB.
2. VirSCAN supports Rar/Zip decompression of up to 20 files.
3. VirSCAN can scan compressed files with the password 'infected' or 'virus'.
4. If your browser cannot upload the file, please download the virscan file.


File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic information

MD5: 4a3c8ae076f1656c68aac35a9cec87a2
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Get TickCount value
Details: TickCount = 278328, SleepMilliseconds = 60000.
TickCount = 278343, SleepMilliseconds = 60000.
TickCount = 278375, SleepMilliseconds = 60000.
TickCount = 278390, SleepMilliseconds = 60000.
TickCount = 218506, SleepMilliseconds = 100.
TickCount = 218553, SleepMilliseconds = 100.
TickCount = 218568, SleepMilliseconds = 100.
TickCount = 218615, SleepMilliseconds = 100.
TickCount = 218662, SleepMilliseconds = 100.
TickCount = 218678, SleepMilliseconds = 100.
TickCount = 218693, SleepMilliseconds = 100.
TickCount = 218740, SleepMilliseconds = 100.
TickCount = 278703, SleepMilliseconds = 60000.
TickCount = 278718, SleepMilliseconds = 60000.
TickCount = 278734, SleepMilliseconds = 60000.

Process behavior

Behavior description: Create local thread
Details: TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2684, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2688, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2692, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2700, StartAddress = 77E56C7D, Parameter = 001BF9F0
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2704, StartAddress = 769AE43B, Parameter = 001C3188
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2708, StartAddress = 00DE507F, Parameter = 00128540
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2736, StartAddress = 6359727B, Parameter = 002687F0
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2740, StartAddress = 6359727B, Parameter = 028771A0
TargetProcess: 大漠后台系统.exe, InheritedFromPID = 2000, ProcessID = 2668, ThreadID = 2744, StartAddress = 6359727B, Parameter = 02877240

File behavior

Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\index[1].asp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description: Find file
Details: FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\urlmon.dll
FileName = C:\WINDOWS\system32\ieframe.dll
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\index[1].asp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2]
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] ---> Offset = 0

Network behavior

Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = **.133.40.**, PORT = 8088, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
Behavior description: Establish a connection to a specified socket
Details: URL: ma****et, IP: **.133.40.**:8088, SOCKET = 0x00000358
URL: ma****et, IP: **.133.40.**:8088, SOCKET = 0x00000450
Behavior description: Read network file
Details: hFile = 0x00cc000c, BytesToRead = 4096, BytesRead = 4096.
Behavior description: Send HTTP packet
Details: GET /index.asp?bcheck=2017101622 HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: **.133.40.**:8088 Connection: Keep-Alive
Behavior description: Open HTTP request
Details: HttpOpenRequestA: **.133.40.**:8088/index.asp?bcheck=2017101622, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x04400d00
HttpOpenRequestA: **.133.40.**:8088/index.asp?bcheck=2017101622, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
Behavior description: Get host address by name
Details: gethostbyname: ma****et

Registry behavior

Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Other behavior

Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Local\!PrivacIE!SharedMemory!Mutex
CritOpMutex
MSCTF.Shared.MUTEX.IOH
MSIMGSIZECacheMutex
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.EJK.IC
EventName = MSCTF.SendReceiveConection.Event.EJK.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Window information
Details: Pid = 2668, Hwnd=0x30340, Text = 大漠后台系统 7.0, ClassName = Afx:400000:b:10011:6:47038d.
Pid = 2668, Hwnd=0x103de, Text = 您想运行或保存此文件吗?, ClassName = Static.
Pid = 2668, Hwnd=0x103e2, Text = 名称:, ClassName = Static.
Pid = 2668, Hwnd=0x103e4, Text = update.exe, ClassName = SysLink.
Pid = 2668, Hwnd=0x103e6, Text = 发行者:, ClassName = Static.
Pid = 2668, Hwnd=0x103ea, Text = 类型:, ClassName = Static.
Pid = 2668, Hwnd=0x103ec, Text = 应用程序, 358KB, ClassName = Static.
Pid = 2668, Hwnd=0x103ee, Text = 从:, ClassName = Static.
Pid = 2668, Hwnd=0x103f0, Text = **.133.40.**, ClassName = Static.
Pid = 2668, Hwnd=0x103f2, Text = 运行(&R), ClassName = Button.
Pid = 2668, Hwnd=0x103f4, Text = 保存(&S), ClassName = Button.
Pid = 2668, Hwnd=0x103f6, Text = 取消, ClassName = Button.
Pid = 2668, Hwnd=0x103f8, Text = 打开此类文件前总是询问(&W), ClassName = Button(CheckBox).
Pid = 2668, Hwnd=0x103fe, Text = 来自 Internet 的文件可能对您有所帮助,但此文件类型可能危害您的计算机。如果您不信任其来源,请不要运行或保存该软件。<A>有何风险?</A>, ClassName = SysLink.
Pid = 2668, Hwnd=0x103dc, Text = 文件下载 - 安全警告, ClassName = #32770.
Behavior description: Get TickCount value
Details: TickCount = 278328, SleepMilliseconds = 60000.
TickCount = 278343, SleepMilliseconds = 60000.
TickCount = 278375, SleepMilliseconds = 60000.
TickCount = 278390, SleepMilliseconds = 60000.
TickCount = 218506, SleepMilliseconds = 100.
TickCount = 218553, SleepMilliseconds = 100.
TickCount = 218568, SleepMilliseconds = 100.
TickCount = 218615, SleepMilliseconds = 100.
TickCount = 218662, SleepMilliseconds = 100.
TickCount = 218678, SleepMilliseconds = 100.
TickCount = 218693, SleepMilliseconds = 100.
TickCount = 218740, SleepMilliseconds = 100.
TickCount = 278703, SleepMilliseconds = 60000.
TickCount = 278718, SleepMilliseconds = 60000.
TickCount = 278734, SleepMilliseconds = 60000.
Behavior description: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.2668
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IO
MSCTF.SendReceive.Event.IOH.IO
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
Behavior description: Hide specified window
Details: [Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
[Window,Class] = [大漠后台系统 7.0,Afx:400000:b:10011:6:47038d]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Open mutex
Details: ShimCacheMutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
RasPbFile
CtfmonInstMutexDefaultS-*