
vx.netlux.org/Virus.DOS.Champaigne.585



Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:49:49.246414586Z 42 PC: 140f8 | Get date 0x140f8: mov byte ptr ds:[bp + 0x303], dl
0x140fd: mov byte ptr ds:[bp + 0x302], dh
0x14102: mov byte ptr ds:[bp + 0x301], al
0x14107: cmp al, 0
0x14109: je 0x14115
0x1410b: mov di, 0x100
0x1410e: lea si, word ptr [bp + 0x28c]
0x14112: push di
0x14113: movsw word ptr es:[di], word ptr [si]
0x14114: movsw word ptr es:[di], word ptr [si]
0x14115: lea dx, word ptr [bp + 0x323]
0x14119: call 0x1421d
0x1411c: jmp 0x14208
0x1411f: cmp byte ptr ds:[bp + 0x303], 0xa
0x14125: jne 0x14132
0x14127: call 0x1415a
0x1412a: cmp byte ptr ds:[bp + 0x302], 1
0x14130: je 0x14150
0x14132: mov dx, 0x80
0x14135: call 0x1421d
2018-12-17T22:49:49.249222842Z 26 PC: 14221 | Set disk transfer address
2018-12-17T22:49:49.254462315Z 78 PC: 14213 | Find first file
2018-12-17T22:49:49.265042894Z 61 PC: 14178 | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:49:49.277792768Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.282391418Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.294005708Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.297371301Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.301742443Z 64 PC: 14262 | Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:49:49.307284005Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.309971995Z 44 PC: 141be | Get time 0x141be: mov word ptr ds:[bp + 0x30e], dx
0x141c3: mov cx, 0x12
0x141c6: lea di, word ptr [bp + 0x34e]
0x141ca: lea si, word ptr [bp + 0x310]
0x141ce: push cx
0x141cf: push si
0x141d0: rep movsb byte ptr es:[di], byte ptr [si]
0x141d2: cmp byte ptr ds:[bp + 0x301], 0
0x141d8: jne 0x141e6
0x141da: mov cx, 0xd
0x141dd: lea si, word ptr [bp + 0x251]
0x141e1: rep movsb byte ptr es:[di], byte ptr [si]
0x141e3: jmp 0x141ef
0x141e5: nop
0x141e6: mov cx, 0xb
0x141e9: lea si, word ptr [bp + 0x164]
0x141ed: rep movsb byte ptr es:[di], byte ptr [si]
0x141ef: pop si
0x141f0: pop cx
0x141f1: rep movsb byte ptr es:[di], byte ptr [si]
2018-12-17T22:49:49.315900143Z 64 PC: 1434c | Write file or device (Write 585 bytes on handle 5)
2018-12-17T22:49:49.637347285Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.639601991Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.648844975Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.652080164Z 61 PC: 14178 | Open file (Filename = 'PRINT.COM')
2018-12-17T22:49:49.65914138Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.660861362Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.669165603Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.67082462Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.679089308Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.682990748Z 61 PC: 14178 | Open file (Filename = 'HELLO.COM')
2018-12-17T22:49:49.691086478Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.692744393Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.70113723Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.703093676Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.704999266Z 64 PC: 14262 | Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:49:49.708632662Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.710729953Z 44 PC: 141be | Get time 0x141be: mov word ptr ds:[bp + 0x30e], dx
0x141c3: mov cx, 0x12
0x141c6: lea di, word ptr [bp + 0x34e]
0x141ca: lea si, word ptr [bp + 0x310]
0x141ce: push cx
0x141cf: push si
0x141d0: rep movsb byte ptr es:[di], byte ptr [si]
0x141d2: cmp byte ptr ds:[bp + 0x301], 0
0x141d8: jne 0x141e6
0x141da: mov cx, 0xd
0x141dd: lea si, word ptr [bp + 0x251]
0x141e1: rep movsb byte ptr es:[di], byte ptr [si]
0x141e3: jmp 0x141ef
0x141e5: nop
0x141e6: mov cx, 0xb
0x141e9: lea si, word ptr [bp + 0x164]
0x141ed: rep movsb byte ptr es:[di], byte ptr [si]
0x141ef: pop si
0x141f0: pop cx
0x141f1: rep movsb byte ptr es:[di], byte ptr [si]
2018-12-17T22:49:49.713504736Z 64 PC: 1434c | Write file or device (Write 585 bytes on handle 5)
2018-12-17T22:49:49.724228073Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.726537131Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.73505304Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.738372567Z 61 PC: 14178 | Open file (Filename = 'PHANG.COM')
2018-12-17T22:49:49.746101838Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.74788596Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.755083592Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.757496486Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.766363445Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.769498535Z 61 PC: 14178 | Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:49:49.778671809Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.780499954Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.788126593Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.791226928Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.799574269Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.80278919Z 61 PC: 14178 | Open file (Filename = 'MANDEL.COM')
2018-12-17T22:49:49.810968757Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.813228583Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.820977461Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.825240481Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.827470039Z 64 PC: 14262 | Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:49:49.830929389Z 66 PC: 14227 | Move file pointer
2018-12-17T22:49:49.833033732Z 44 PC: 141be | Get time 0x141be: mov word ptr ds:[bp + 0x30e], dx
0x141c3: mov cx, 0x12
0x141c6: lea di, word ptr [bp + 0x34e]
0x141ca: lea si, word ptr [bp + 0x310]
0x141ce: push cx
0x141cf: push si
0x141d0: rep movsb byte ptr es:[di], byte ptr [si]
0x141d2: cmp byte ptr ds:[bp + 0x301], 0
0x141d8: jne 0x141e6
0x141da: mov cx, 0xd
0x141dd: lea si, word ptr [bp + 0x251]
0x141e1: rep movsb byte ptr es:[di], byte ptr [si]
0x141e3: jmp 0x141ef
0x141e5: nop
0x141e6: mov cx, 0xb
0x141e9: lea si, word ptr [bp + 0x164]
0x141ed: rep movsb byte ptr es:[di], byte ptr [si]
0x141ef: pop si
0x141f0: pop cx
0x141f1: rep movsb byte ptr es:[di], byte ptr [si]
2018-12-17T22:49:49.837921576Z 64 PC: 1434c | Write file or device (Write 585 bytes on handle 5)
2018-12-17T22:49:49.847740863Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.849991762Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.859597569Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.862884524Z 61 PC: 14178 | Open file (Filename = 'PAH.COM')
2018-12-17T22:49:49.870403741Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.873232486Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.880754999Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.882827813Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.891810099Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.894717301Z 61 PC: 14178 | Open file (Filename = 'TEST.COM')
2018-12-17T22:49:49.901874758Z 87 PC: 1417e | Get or set file date and time
2018-12-17T22:49:49.903756343Z 63 PC: 1418b | Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:49:49.908909464Z 87 PC: 14200 | Get or set file date and time
2018-12-17T22:49:49.911003048Z 62 PC: 14204 | Close file
2018-12-17T22:49:49.91863674Z 79 PC: 14213 | Find next file
2018-12-17T22:49:49.922301044Z 26 PC: 14221 | Set disk transfer address
2018-12-17T22:49:49.923880882Z 48 PC: 12a63 | Get DOS version
2018-12-17T22:49:49.925388114Z 9 PC: 12a7a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-17T22:49:49.936405613Z 61 PC: 12cb7 | Open file (Filename = '')
2018-12-17T22:49:49.943518296Z 9 PC: 12a88 | Display string (String= 'Self test: ')
2018-12-17T22:49:49.945964332Z 93 PC: 12b24 | File sharing functions
2018-12-17T22:49:49.948951023Z 9 PC: 12b03 | Display string (String= 'Size change=+0249h/00585d. Virus might be activ? ')
2018-12-17T22:49:49.954645701Z 76 PC: 12b09 | Terminate with return code (Return code = '1')