Sample viewer

vx.netlux.org/Virus.DOS.Billiard.2658


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T22:51:07.248645331Z 42 PC: 17bd2 | Get date 0x17bd2: and dx, 0x1f
0x17bd5: cmp dx, 0x1f
0x17bd8: jne 0x17c23
0x17bda: push cs
0x17bdb: pop ds
0x17bdc: mov ax, 0xb800
0x17bdf: mov es, ax
0x17be1: mov cx, 0x64
0x17be4: push es
0x17be5: pop ds
0x17be6: std
0x17be7: mov si, 0xf9e
0x17bea: lodsw ax, word ptr [si]
0x17beb: cmp al, 0x20
0x17bed: je 0x17bea
0x17bef: cmp si, 0x3e8
0x17bf3: jb 0x17bf7
0x17bf5: loop 0x17bea
0x17bf7: cld
0x17bf8: mov ax, si
2018-12-17T22:51:07.254479988Z 74 PC: 12b13 | Reallocate memory
2018-12-17T22:51:07.256293573Z 48 PC: 12b46 | Get DOS version
2018-12-17T22:51:07.257602798Z 47 PC: 12d32 | Get disk transfer address
2018-12-17T22:51:07.258776667Z 26 PC: 12d44 | Set disk transfer address
2018-12-17T22:51:07.260427075Z 78 PC: 12d4e | Find first file
2018-12-17T22:51:07.267787075Z 67 PC: 12df5 | Get or set file attributes
2018-12-17T22:51:07.274811885Z 67 PC: 12e03 | Get or set file attributes
2018-12-17T22:51:07.291590554Z 61 PC: 12e0a | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:51:07.297793731Z 82 PC: 12e3a | Get DOS internal pointers (SYSVARS)
2018-12-17T22:51:07.300266171Z 87 PC: 12e16 | Get or set file date and time
2018-12-17T22:51:07.30259414Z 66 PC: 12e29 | Move file pointer
2018-12-17T22:51:07.303889644Z 87 PC: 12e96 | Get or set file date and time
2018-12-17T22:51:07.305474095Z 62 PC: 12e9a | Close file
2018-12-17T22:51:07.311703086Z 67 PC: 12ea7 | Get or set file attributes
2018-12-17T22:51:07.318738595Z 26 PC: 12dae | Set disk transfer address
2018-12-17T22:51:07.319690477Z 75 PC: 12b5f | Execute program
2018-12-17T22:51:07.338483315Z 42 PC: 18792 | Get date 0x18792: and dx, 0x1f
0x18795: cmp dx, 0x1f
0x18798: jne 0x187e3
0x1879a: push cs
0x1879b: pop ds
0x1879c: mov ax, 0xb800
0x1879f: mov es, ax
0x187a1: mov cx, 0x64
0x187a4: push es
0x187a5: pop ds
0x187a6: std
0x187a7: mov si, 0xf9e
0x187aa: lodsw ax, word ptr [si]
0x187ab: cmp al, 0x20
0x187ad: je 0x187aa
0x187af: cmp si, 0x3e8
0x187b3: jb 0x187b7
0x187b5: loop 0x187aa
0x187b7: cld
0x187b8: mov ax, si
2018-12-17T22:51:07.341283127Z 99 PC: 142e6 | Get DBCS lead byte table pointer
2018-12-17T22:51:07.342474951Z 68 PC: 14300 | I/O control for devices (Set for = '')
2018-12-17T22:51:07.343849318Z 68 PC: 1430b | I/O control for devices (Set for = '')
2018-12-17T22:51:07.346239701Z 68 PC: 14316 | I/O control for devices (Set for = '')
2018-12-17T22:51:07.348616736Z 68 PC: 1431e | I/O control for devices (Set for = '��b���g�t�S3����[r�2��W�<t�<u�6�u����>��>W')
2018-12-17T22:51:07.350550738Z 48 PC: 14323 | Get DOS version
2018-12-17T22:51:07.355340691Z 37 PC: 1722f | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:51:07.356927485Z 53 PC: 17238 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:51:07.358979104Z 37 PC: 1724f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:51:07.361648816Z 25 PC: 171ad | Get default drive
2018-12-17T22:51:07.364087794Z 71 PC: 171b7 | Get current directory
2018-12-17T22:51:07.368960248Z 64 PC: 145a5 | Write file or device (Write 30 bytes on handle 2)
2018-12-17T22:51:07.376125355Z 64 PC: 145a5 | Write file or device (Write 9 bytes on handle 1)
2018-12-17T22:51:07.380951654Z 64 PC: 145a5 | Write file or device (Write 17 bytes on handle 1)
2018-12-17T22:51:07.385756303Z 76 PC: 153b8 | Terminate with return code (Return code = '4')
2018-12-17T22:51:07.388846672Z 73 PC: 12b68 | Release memory
2018-12-17T22:51:07.39054947Z 77 PC: 12b6c | Get program return code
2018-12-17T22:51:07.392211325Z 49 PC: 12b7a | Terminate and stay resident (Return code = '4' | Memory size = '182')

{"DateBased":true,"Day":31,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10451,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:28:06.808150654Z 42 PC: 17bd2 | Get date 0x17bd2: and dx, 0x1f
0x17bd5: cmp dx, 0x1f
0x17bd8: jne 0x17c23
0x17bda: push cs
0x17bdb: pop ds
0x17bdc: mov ax, 0xb800
0x17bdf: mov es, ax
0x17be1: mov cx, 0x64
0x17be4: push es
0x17be5: pop ds
0x17be6: std
0x17be7: mov si, 0xf9e
0x17bea: lodsw ax, word ptr [si]
0x17beb: cmp al, 0x20
0x17bed: je 0x17bea
0x17bef: cmp si, 0x3e8
0x17bf3: jb 0x17bf7
0x17bf5: loop 0x17bea
0x17bf7: cld
0x17bf8: mov ax, si
2018-12-25T12:28:08.122900958Z 76 PC: 17c23 | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10451,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:28:07.426504137Z 42 PC: 17bd2 | Get date 0x17bd2: and dx, 0x1f
0x17bd5: cmp dx, 0x1f
0x17bd8: jne 0x17c23
0x17bda: push cs
0x17bdb: pop ds
0x17bdc: mov ax, 0xb800
0x17bdf: mov es, ax
0x17be1: mov cx, 0x64
0x17be4: push es
0x17be5: pop ds
0x17be6: std
0x17be7: mov si, 0xf9e
0x17bea: lodsw ax, word ptr [si]
0x17beb: cmp al, 0x20
0x17bed: je 0x17bea
0x17bef: cmp si, 0x3e8
0x17bf3: jb 0x17bf7
0x17bf5: loop 0x17bea
0x17bf7: cld
0x17bf8: mov ax, si
2018-12-25T12:28:07.431625593Z 74 PC: 12b13 | Reallocate memory
2018-12-25T12:28:07.433419164Z 48 PC: 12b46 | Get DOS version
2018-12-25T12:28:07.434663031Z 47 PC: 12d32 | Get disk transfer address
2018-12-25T12:28:07.436428821Z 26 PC: 12d44 | Set disk transfer address
2018-12-25T12:28:07.438120703Z 78 PC: 12d4e | Find first file
2018-12-25T12:28:07.445244633Z 67 PC: 12df5 | Get or set file attributes
2018-12-25T12:28:07.451975569Z 67 PC: 12e03 | Get or set file attributes
2018-12-25T12:28:07.480660365Z 61 PC: 12e0a | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:28:07.488052974Z 82 PC: 12e3a | Get DOS internal pointers (SYSVARS)
2018-12-25T12:28:07.489885418Z 87 PC: 12e16 | Get or set file date and time
2018-12-25T12:28:07.491927711Z 66 PC: 12e29 | Move file pointer
2018-12-25T12:28:07.493637678Z 87 PC: 12e96 | Get or set file date and time
2018-12-25T12:28:07.49550599Z 62 PC: 12e9a | Close file
2018-12-25T12:28:07.504385865Z 67 PC: 12ea7 | Get or set file attributes
2018-12-25T12:28:07.51535462Z 26 PC: 12dae | Set disk transfer address
2018-12-25T12:28:07.516648013Z 75 PC: 12b5f | Execute program
2018-12-25T12:28:07.545561614Z 42 PC: 18792 | Get date 0x18792: and dx, 0x1f
0x18795: cmp dx, 0x1f
0x18798: jne 0x187e3
0x1879a: push cs
0x1879b: pop ds
0x1879c: mov ax, 0xb800
0x1879f: mov es, ax
0x187a1: mov cx, 0x64
0x187a4: push es
0x187a5: pop ds
0x187a6: std
0x187a7: mov si, 0xf9e
0x187aa: lodsw ax, word ptr [si]
0x187ab: cmp al, 0x20
0x187ad: je 0x187aa
0x187af: cmp si, 0x3e8
0x187b3: jb 0x187b7
0x187b5: loop 0x187aa
0x187b7: cld
0x187b8: mov ax, si
2018-12-25T12:28:07.547825498Z 99 PC: 142e6 | Get DBCS lead byte table pointer
2018-12-25T12:28:07.549316435Z 68 PC: 14300 | I/O control for devices (Set for = '')
2018-12-25T12:28:07.551403774Z 68 PC: 1430b | I/O control for devices (Set for = '')
2018-12-25T12:28:07.553341137Z 68 PC: 14316 | I/O control for devices (Set for = '')
2018-12-25T12:28:07.554991583Z 68 PC: 1431e | I/O control for devices (Set for = '��b���g�t�S3����[r�2��W�<t�<u�6�u����>��>W')
2018-12-25T12:28:07.557214091Z 48 PC: 14323 | Get DOS version
2018-12-25T12:28:07.558574079Z 37 PC: 1722f | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:28:07.559765182Z 53 PC: 17238 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:07.562626252Z 37 PC: 1724f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:07.564415798Z 25 PC: 171ad | Get default drive
2018-12-25T12:28:07.565957521Z 71 PC: 171b7 | Get current directory
2018-12-25T12:28:07.570742811Z 64 PC: 145a5 | Write file or device (Write 30 bytes on handle 2)
2018-12-25T12:28:07.577529608Z 64 PC: 145a5 | Write file or device (See above)
2018-12-25T12:28:07.582832383Z 64 PC: 145a5 | Write file or device (See above)
2018-12-25T12:28:07.589191596Z 76 PC: 153b8 | Terminate with return code (Return code = '4')
2018-12-25T12:28:07.592539522Z 73 PC: 12b68 | Release memory
2018-12-25T12:28:07.594063755Z 77 PC: 12b6c | Get program return code
2018-12-25T12:28:07.595607962Z 49 PC: 12b7a | Terminate and stay resident (Return code = '4' | Memory size = '182')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10451,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:28:07.817342756Z 42 PC: 17bd2 | Get date 0x17bd2: and dx, 0x1f
0x17bd5: cmp dx, 0x1f
0x17bd8: jne 0x17c23
0x17bda: push cs
0x17bdb: pop ds
0x17bdc: mov ax, 0xb800
0x17bdf: mov es, ax
0x17be1: mov cx, 0x64
0x17be4: push es
0x17be5: pop ds
0x17be6: std
0x17be7: mov si, 0xf9e
0x17bea: lodsw ax, word ptr [si]
0x17beb: cmp al, 0x20
0x17bed: je 0x17bea
0x17bef: cmp si, 0x3e8
0x17bf3: jb 0x17bf7
0x17bf5: loop 0x17bea
0x17bf7: cld
0x17bf8: mov ax, si
2018-12-25T12:28:07.821095629Z 74 PC: 12b13 | Reallocate memory
2018-12-25T12:28:07.82249642Z 48 PC: 12b46 | Get DOS version
2018-12-25T12:28:07.823605458Z 47 PC: 12d32 | Get disk transfer address
2018-12-25T12:28:07.825128917Z 26 PC: 12d44 | Set disk transfer address
2018-12-25T12:28:07.826185761Z 78 PC: 12d4e | Find first file
2018-12-25T12:28:07.830485519Z 67 PC: 12df5 | Get or set file attributes
2018-12-25T12:28:07.837038066Z 67 PC: 12e03 | Get or set file attributes
2018-12-25T12:28:07.854503845Z 61 PC: 12e0a | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:28:07.861765463Z 82 PC: 12e3a | Get DOS internal pointers (SYSVARS)
2018-12-25T12:28:07.863021075Z 87 PC: 12e16 | Get or set file date and time
2018-12-25T12:28:07.864952341Z 66 PC: 12e29 | Move file pointer
2018-12-25T12:28:07.866608085Z 87 PC: 12e96 | Get or set file date and time
2018-12-25T12:28:07.868274168Z 62 PC: 12e9a | Close file
2018-12-25T12:28:07.879267915Z 67 PC: 12ea7 | Get or set file attributes
2018-12-25T12:28:07.890047047Z 26 PC: 12dae | Set disk transfer address
2018-12-25T12:28:07.891176243Z 75 PC: 12b5f | Execute program
2018-12-25T12:28:07.921037202Z 42 PC: 18792 | Get date 0x18792: and dx, 0x1f
0x18795: cmp dx, 0x1f
0x18798: jne 0x187e3
0x1879a: push cs
0x1879b: pop ds
0x1879c: mov ax, 0xb800
0x1879f: mov es, ax
0x187a1: mov cx, 0x64
0x187a4: push es
0x187a5: pop ds
0x187a6: std
0x187a7: mov si, 0xf9e
0x187aa: lodsw ax, word ptr [si]
0x187ab: cmp al, 0x20
0x187ad: je 0x187aa
0x187af: cmp si, 0x3e8
0x187b3: jb 0x187b7
0x187b5: loop 0x187aa
0x187b7: cld
0x187b8: mov ax, si
2018-12-25T12:28:07.924529427Z 99 PC: 142e6 | Get DBCS lead byte table pointer
2018-12-25T12:28:07.925921152Z 68 PC: 14300 | I/O control for devices (Set for = '')
2018-12-25T12:28:07.928816316Z 68 PC: 1430b | I/O control for devices (Set for = '')
2018-12-25T12:28:07.930960002Z 68 PC: 14316 | I/O control for devices (Set for = '')
2018-12-25T12:28:07.932853279Z 68 PC: 1431e | I/O control for devices (Set for = '��b���g�t�S3����[r�2��W�<t�<u�6�u����>��>W')
2018-12-25T12:28:07.935621241Z 48 PC: 14323 | Get DOS version
2018-12-25T12:28:07.937555776Z 37 PC: 1722f | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:28:07.939131907Z 53 PC: 17238 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:07.94095515Z 37 PC: 1724f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:28:07.942725755Z 25 PC: 171ad | Get default drive
2018-12-25T12:28:07.944487281Z 71 PC: 171b7 | Get current directory
2018-12-25T12:28:07.949565993Z 64 PC: 145a5 | Write file or device (Write 30 bytes on handle 2)
2018-12-25T12:28:07.956658341Z 64 PC: 145a5 | Write file or device (See above)
2018-12-25T12:28:07.961395984Z 64 PC: 145a5 | Write file or device (See above)
2018-12-25T12:28:07.966574724Z 76 PC: 153b8 | Terminate with return code (Return code = '4')
2018-12-25T12:28:07.970330825Z 73 PC: 12b68 | Release memory
2018-12-25T12:28:07.97170477Z 77 PC: 12b6c | Get program return code
2018-12-25T12:28:07.972713019Z 49 PC: 12b7a | Terminate and stay resident (Return code = '4' | Memory size = '182')

{"DateBased":true,"Day":31,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10451,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:28:08.114316062Z 42 PC: 17bd2 | Get date 0x17bd2: and dx, 0x1f
0x17bd5: cmp dx, 0x1f
0x17bd8: jne 0x17c23
0x17bda: push cs
0x17bdb: pop ds
0x17bdc: mov ax, 0xb800
0x17bdf: mov es, ax
0x17be1: mov cx, 0x64
0x17be4: push es
0x17be5: pop ds
0x17be6: std
0x17be7: mov si, 0xf9e
0x17bea: lodsw ax, word ptr [si]
0x17beb: cmp al, 0x20
0x17bed: je 0x17bea
0x17bef: cmp si, 0x3e8
0x17bf3: jb 0x17bf7
0x17bf5: loop 0x17bea
0x17bf7: cld
0x17bf8: mov ax, si
2018-12-25T12:28:09.436743048Z 76 PC: 17c23 | Terminate with return code (Return code = '0')