VirSCAN

1. You can UPLOAD any file type; maximum file size 20 MB.
2. VirSCAN supports Rar/Zip decompression, at most 20 files per Rar/Zip.
3. VirSCAN can scan Rar/Zip files protected with the password 'infected' or 'virus'.


File information
Security rating: 84
Behavior list
Basic information
MD5: 3f94f107e481dc1d0313fa10dc9224ea
File type: EXE
Vendor:
Version: 1.0.0.0
Packer/compiler information: COMPILER: Wise Installer stub [Overlay]
Key behavior
Behavior description: Modify registry (autostart entry)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RServer
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LANServer
Process behavior
Behavior description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 3088, StartAddress = 00C71CB0, Parameter = 00C740B0
TargetProcess: CServer.exe, InheritedFromPID = 2696, ProcessID = 3236, ThreadID = 3268, StartAddress = 719CD33A, Parameter = 0019FFD0
Behavior description: Create process from newly written file
Details: [0x00000c9c]ImagePath = C:\PROGRA~1\LANSER~1\RServer.exe, CmdLine = "C:\PROGRA~1\LANSER~1\RServer.exe"
[0x00000ca4]ImagePath = C:\PROGRA~1\LANSER~1\CServer.exe, CmdLine = "C:\PROGRA~1\LANSER~1\CServer.exe"
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLB5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG6.tmp
C:\WINDOWS\system32\GLBSINST.%$D
C:\Program Files\LANServer\~GLH0000.TMP
C:\Program Files\LANServer\~GLH0001.TMP
C:\Program Files\LANServer\temp.000
C:\Program Files\LANServer\~GLH0003.TMP
C:\Program Files\LANServer\~GLH0004.TMP
C:\Program Files\LANServer\~GLH0006.TMP
C:\Program Files\LANServer\~GLH0008.TMP
C:\Program Files\LANServer\INSTALL.LOG
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp
C:\Program Files\LANServer\~GLH0000.TMP
C:\Program Files\LANServer\~GLH0001.TMP
C:\Program Files\LANServer\temp.000
C:\Program Files\LANServer\~GLH0003.TMP
C:\Program Files\LANServer\~GLH0004.TMP
C:\Program Files\LANServer\~GLH0006.TMP
C:\Program Files\LANServer\~GLH0008.TMP
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG6.tmp
Behavior description: Search for file
Details: FileName = C:\Program Files
FileName = C:\Program Files\LANServer
FileName = C:\Program Files\LANServer\UNWISE.EXE
FileName = C:\PROGRA~1\LANServer
FileName = C:\PROGRA~1\LANSER~1\UNWISE.EXE
FileName = C:\PROGRA~1\LANSER~1\INSTALL.LOG
FileName = C:\PROGRA~1
FileName = C:\Program Files\LANSER~1
FileName = C:\Program Files\LANServer\CServer.exe
FileName = C:\PROGRA~1\LANSER~1
FileName = C:\PROGRA~1\LANSER~1\CServer.exe
FileName = C:\Program Files\LANServer\othread2.dll
FileName = C:\PROGRA~1\LANSER~1\othread2.dll
FileName = C:\Program Files\LANServer\vnchooks.dll
FileName = C:\PROGRA~1\LANSER~1\vnchooks.dll
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLB5.tmp
C:\WINDOWS\system32\GLBSINST.%$D
C:\Program Files\LANServer\~GLH0001.TMP
C:\Program Files\LANServer\~GLH0004.TMP
C:\Program Files\LANServer\~GLH0006.TMP
C:\Program Files\LANServer\UNWISE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
Behavior description: Rename file
Details: C:\Program Files\LANServer\~GLH0000.TMP ---> C:\Program Files\LANServer\UNWISE.EXE
C:\Program Files\LANServer\temp.000 ---> C:\PROGRA~1\LANSER~1\~GLH0002.TMP
C:\Program Files\LANServer\~GLH0002.TMP ---> C:\PROGRA~1\LANSER~1\CServer.exe
C:\Program Files\LANServer\~GLH0003.TMP ---> C:\Program Files\LANServer\othread2.dll
C:\Program Files\LANServer\temp.000 ---> C:\PROGRA~1\LANSER~1\~GLH0005.TMP
C:\Program Files\LANServer\~GLH0005.TMP ---> C:\PROGRA~1\LANSER~1\vnchooks.dll
C:\Program Files\LANServer\temp.000 ---> C:\PROGRA~1\LANSER~1\~GLH0007.TMP
C:\Program Files\LANServer\~GLH0007.TMP ---> C:\PROGRA~1\LANSER~1\RServer.exe
C:\Program Files\LANServer\~GLH0008.TMP ---> C:\Program Files\LANServer\Unwise.exe
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG6.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG6.tmp ---> Offset = 190
C:\Program Files\LANServer\~GLH0000.TMP ---> Offset = 0
C:\Program Files\LANServer\~GLH0000.TMP ---> Offset = 32768
C:\Program Files\LANServer\~GLH0000.TMP ---> Offset = 65536
C:\Program Files\LANServer\~GLH0000.TMP ---> Offset = 98304
C:\Program Files\LANServer\~GLH0000.TMP ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG6.tmp ---> Offset = 228
Network behavior
Behavior description: Establish connection to a specified socket
Details: URL: localhost, IP: **.133.40.**:5900, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5901, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5902, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5903, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5904, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5905, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5906, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5907, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5908, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5909, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5910, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5911, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5912, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5913, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5914, SOCKET = 0x000000ac
Behavior description: Resolve host address by name
Details: gethostbyname: localhost
gethostbyname: computer
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LANServer\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LANServer\UninstallString
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\LANSER~1\RServer.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\LANSER~1\CServer.exe
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\SocketConnect
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\HTTPConnect
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\AutoPortSelect
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\InputsEnabled
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\LocalInputsDisabled
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\IdleTimeout
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\QuerySetting
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\QueryTimeout
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\LockSetting
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\RemoveWallpaper
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\Password
Behavior description: Modify registry (autostart entry)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RServer
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LANServer
Other behavior
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MIK
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
WinVNC_Win32_Instance_Mutex
MSCTF.Shared.MUTEX.AKM
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.MIK.IC
EventName = MSCTF.SendReceiveConection.Event.MIK.IC
EventName = MSCTF.SendReceive.Event.AKM.IC
EventName = MSCTF.SendReceiveConection.Event.AKM.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Enumerate windows
Details: N/A
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behavior description: Window information
Details: Pid = 2696, Hwnd=0x10342, Text = LANServer Setup, ClassName = GLBSInstall.
Pid = 2696, Hwnd=0x2037a, Text = &Next >, ClassName = Button.
Pid = 2696, Hwnd=0x20380, Text = Cancel, ClassName = Button.
Pid = 2696, Hwnd=0x10382, Text = Welcome to the "LANServer" Setup program. This program will install "LANServer" on your computer., ClassName = Static.
Pid = 2696, Hwnd=0x10384, Text = It is strongly recommended that you exit all other running programs before running this Setup program. Click "Cancel" to quit Setup and close any other running programs. Click "Next" to continue with Setup. WARNING: This program is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under law., ClassName = Static.
Pid = 2696, Hwnd=0x20374, Text = LANServer, ClassName = GLBSWizard.
Pid = 2696, Hwnd=0x50334, Text = LANServer Setup, ClassName = GLBSInstall.
Pid = 2696, Hwnd=0x20384, Text = &Next >, ClassName = Button.
Pid = 2696, Hwnd=0x20382, Text = < &Back, ClassName = Button.
Pid = 2696, Hwnd=0x3037e, Text = Cancel, ClassName = Button.
Pid = 2696, Hwnd=0x3037a, Text = Setup will install "LANServer" in the directory below. To install into a different directory, click "Browse" and select another directory. You can choose "Cancel" to exit Setup without installing "LANServer"., ClassName = Static.
Pid = 2696, Hwnd=0x4037c, Text = Destination Directory, ClassName = Button(GroupBox).
Pid = 2696, Hwnd=0x50342, Text = B&rowse..., ClassName = Button.
Pid = 2696, Hwnd=0x20388, Text = C:\Program Files\LANServer, ClassName = Static.
Pid = 2696, Hwnd=0x2038a, Text = Select Destination Directory, ClassName = Static.
Behavior description: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp(signature verification: failed)
C:\Program Files\LANServer\~GLH0000.TMP(signature verification: failed)
C:\Program Files\LANServer\~GLH0001.TMP(signature verification: failed)
C:\Program Files\LANServer\temp.000(signature verification: failed)
C:\Program Files\LANServer\~GLH0003.TMP(signature verification: failed)
C:\Program Files\LANServer\~GLH0004.TMP(signature verification: failed)
C:\Program Files\LANServer\~GLH0006.TMP(signature verification: failed)
C:\Program Files\LANServer\~GLH0008.TMP(signature verification: failed)
Behavior description: Hide specified window
Details: [Window,Class] = [ ,GLBSInstall]
[Window,Class] = [,Static]
[Window,Class] = [LANServer,#32770]
[Window,Class] = [,AnimateWindow]
[Window,Class] = [Enable CORBA,Button]
[Window,Class] = [LANServer,TApplication]
Behavior description: Executable MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> 315f8d68ff1a414806e7344ac8dd8b6d
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK4.tmp ---> a6601202dda81c941e14dd79878ca61d
C:\Program Files\LANServer\~GLH0000.TMP ---> 8ba66e5f392d9b89f137d6ff4a62ae1d
C:\Program Files\LANServer\~GLH0001.TMP ---> bd9ae8748bdb67cfec1bd4b55c5df00f
C:\Program Files\LANServer\temp.000 ---> bd9ae8748bdb67cfec1bd4b55c5df00f
C:\Program Files\LANServer\~GLH0003.TMP ---> 5f1bfc73062358de1a24119db5cde154
C:\Program Files\LANServer\~GLH0004.TMP ---> 1d2c3c910dc9cd219d806b311e891d2a
C:\Program Files\LANServer\temp.000 ---> 1d2c3c910dc9cd219d806b311e891d2a
C:\Program Files\LANServer\~GLH0006.TMP ---> 52bc30aa7a467c8db4e3dc7bd21184e3
C:\Program Files\LANServer\temp.000 ---> 52bc30aa7a467c8db4e3dc7bd21184e3
C:\Program Files\LANServer\~GLH0008.TMP ---> 47324d81c5e5893242b4ec876e8427e9
Behavior description: Open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLC3.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLK4.tmp.
Image: C:\PROGRA~1\LANSER~1\vnchooks.dll.
Image: C:\PROGRA~1\LANSER~1\othread2.dll.
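The indicators a responder would pull out of a report like this one are scattered across several sections: the two HKLM Run values, the Software\ORL\WinVNC3 configuration values (including Password), the contiguous connection attempts on ports 5900 and up, the SE_LOAD_DRIVER_PRIVILEGE adjustment, and the dropped executables that failed signature verification. The script below is an added example, not part of VirSCAN or of the sample; it parses the "Behavior description:" / "Details:" layout as rendered in this translation and collects those indicators from a constructed excerpt of the entries above. The port-range and label formats are assumptions about this page's layout, not a documented VirSCAN export format.

```python
"""Triage helper for a VirSCAN-style behaviour log (added example, not VirSCAN code).
Parses "Behavior description:" / "Details:" blocks and pulls out Run-key
persistence, WinVNC3 configuration values, VNC-range socket connects,
token privilege changes and unsigned dropped executables."""
import re

# Constructed sample: a trimmed copy of the behaviour entries in the report.
SAMPLE_LOG = r"""Behavior description: Modify registry (autostart entry)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RServer
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LANServer
Behavior description: Establish connection to a specified socket
Details: URL: localhost, IP: **.133.40.**:5900, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5901, SOCKET = 0x000000ac
URL: localhost, IP: **.133.40.**:5902, SOCKET = 0x000000ac
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LANServer\DisplayName
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\AutoPortSelect
\REGISTRY\USER\S-*\Software\ORL\WinVNC3\Password
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Executable signature information
Details: C:\Program Files\LANServer\temp.000(signature verification: failed)
Behavior description: Executable MD5
Details: C:\Program Files\LANServer\temp.000 ---> bd9ae8748bdb67cfec1bd4b55c5df00f
"""

ENTRY_RE = re.compile(r"^Behavior description:\s*(.+)$")
DETAIL_RE = re.compile(r"^Details:\s*(.*)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
WINVNC_RE = re.compile(r"\\Software\\ORL\\WinVNC3\\(?P<value>[^\\]+)$", re.I)
SOCKET_RE = re.compile(r"IP:\s*(?P<host>\S+?):(?P<port>\d+),")
PRIV_RE = re.compile(r"^SE_\w+_PRIVILEGE$")
UNSIGNED_RE = re.compile(r"^(?P<path>.+?)\(signature verification: failed\)$")
MD5_RE = re.compile(r"^(?P<path>.+?)\s*--->\s*(?P<md5>[0-9a-fA-F]{32})$")


def parse_behaviour_log(text):
    """Return [(behaviour, [detail lines])] in document order.
    Continuation lines belong to the most recent 'Details:' block."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1).strip(), []))
            continue
        m = DETAIL_RE.match(line)
        if m:
            line = m.group(1).strip()
        if entries and line:
            entries[-1][1].append(line)
    return entries


def triage(text):
    """Collect the indicators of interest from every detail line."""
    f = {"persistence_run_key": [], "winvnc_config": [], "socket_ports": [],
         "token_privileges": [], "unsigned_executables": [], "dropped_md5": []}
    for _behaviour, details in parse_behaviour_log(text):
        for d in details:
            m = RUN_KEY_RE.search(d)
            if m and m.group("name") not in f["persistence_run_key"]:
                f["persistence_run_key"].append(m.group("name"))
            m = WINVNC_RE.search(d)
            if m:
                f["winvnc_config"].append(m.group("value"))
            m = SOCKET_RE.search(d)
            if m:
                f["socket_ports"].append(int(m.group("port")))
            if PRIV_RE.match(d):
                f["token_privileges"].append(d)
            m = UNSIGNED_RE.match(d)
            if m:
                f["unsigned_executables"].append(m.group("path"))
            m = MD5_RE.match(d)
            if m:
                f["dropped_md5"].append((m.group("path"), m.group("md5").lower()))
    return f


def is_vnc_port_sweep(ports, minimum=3):
    """True when at least `minimum` distinct ports form a contiguous run inside
    the VNC display range 5900-5999 (the report shows 5900..5914)."""
    vnc = sorted({p for p in ports if 5900 <= p <= 5999})
    return len(vnc) >= minimum and vnc[-1] - vnc[0] == len(vnc) - 1


def summarize(f):
    """One line per indicator class that fired, for an analyst note."""
    tags = []
    if f["persistence_run_key"]:
        tags.append("HKLM Run persistence: " + ", ".join(f["persistence_run_key"]))
    if f["winvnc_config"]:
        tags.append("WinVNC3 server configured: " + ", ".join(f["winvnc_config"]))
    if is_vnc_port_sweep(f["socket_ports"]):
        tags.append("contiguous connects across VNC display ports")
    if f["unsigned_executables"]:
        tags.append("%d dropped executable(s) unsigned" % len(set(f["unsigned_executables"])))
    if f["token_privileges"]:
        tags.append("token privileges adjusted: " + ", ".join(f["token_privileges"]))
    return tags


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print("-", line)
```

The hash list returned in `dropped_md5` is what you would feed to a blocklist or a retro-hunt; `is_vnc_port_sweep` deliberately requires a contiguous run so a single connect to 5900 does not trigger it.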