Sample viewer

vx.netlux.org/Virus.DOS.Vienna.Parasite.871

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T21:59:45.741206118Z	47	PC: 12a75 \| Get disk transfer address
2018-12-17T21:59:45.743329161Z	26	PC: 12a5b \| Set disk transfer address
2018-12-17T21:59:45.744718464Z	42	PC: 12a82 \| Get date 0x12a82: cmp al, 1 0x12a84: jge 0x12a88 0x12a86: jmp 0x12ad2 0x12a88: cmp al, 1 0x12a8a: ja 0x12ad2 0x12a8c: jmp 0x12a8e 0x12a8e: mov dl, 2 0x12a90: mov ah, 5 0x12a92: mov dh, 0x80 0x12a94: mov ch, 0 0x12a96: int 0x13 0x12a98: mov cx, 0x14 0x12a9b: push cx 0x12a9c: call 0x12aa9 0x12a9f: mov cx, 0x4000 0x12aa2: loop 0x12aa2 0x12aa4: pop cx 0x12aa5: loop 0x12a9b 0x12aa7: jmp 0x12a8e 0x12aa9: mov dx, 0x140

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1078,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:32.107444188Z	47	PC: 12a75 \| Get disk transfer address
2018-12-25T11:42:32.109394278Z	26	PC: 12a5b \| Set disk transfer address
2018-12-25T11:42:32.11159251Z	42	PC: 12a82 \| Get date 0x12a82: cmp al, 1 0x12a84: jge 0x12a88 0x12a86: jmp 0x12ad2 0x12a88: cmp al, 1 0x12a8a: ja 0x12ad2 0x12a8c: jmp 0x12a8e 0x12a8e: mov dl, 2 0x12a90: mov ah, 5 0x12a92: mov dh, 0x80 0x12a94: mov ch, 0 0x12a96: int 0x13 0x12a98: mov cx, 0x14 0x12a9b: push cx 0x12a9c: call 0x12aa9 0x12a9f: mov cx, 0x4000 0x12aa2: loop 0x12aa2 0x12aa4: pop cx 0x12aa5: loop 0x12a9b 0x12aa7: jmp 0x12a8e 0x12aa9: mov dx, 0x140
2018-12-25T11:42:32.113944996Z	44	PC: 12ad6 \| Get time 0x12ad6: and dh, 0xf 0x12ad9: cmp dh, 3 0x12adc: jb 0x12a98 0x12ade: cmp dh, 3 0x12ae1: ja 0x12b0b 0x12ae3: int 0x19 0x12ae5: mov ah, 0x47 0x12ae7: xor dl, dl 0x12ae9: add si, 0 0x12aed: int 0x21 0x12aef: jb 0x12b0b 0x12af1: mov ah, 0x3b 0x12af3: mov dx, si 0x12af5: add dx, 0x40 0x12af9: int 0x21 0x12afb: mov word ptr [bx + 0x44], di 0x12afe: mov si, bx 0x12b00: add si, 0x36 0x12b04: mov cx, 6 0x12b07: rep movsb byte ptr es:[di], byte ptr [si]
2018-12-25T11:42:32.11728115Z	78	PC: 12b89 \| Find first file
2018-12-25T11:42:32.121948936Z	78	PC: 12b89 \| Find first file (See above)
2018-12-25T11:42:32.126740061Z	74	PC: 12cdc \| Reallocate memory

{"DateBased":true,"Day":6,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1078,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:32.774690641Z	64	PC: 0 \| Write file or device (Write 2 bytes on handle 1)
2018-12-25T11:42:32.781425265Z	41	PC: 94fae \| Parse filename
2018-12-25T11:42:32.783939177Z	41	PC: 9502f \| Parse filename
2018-12-25T11:42:32.792416873Z	41	PC: 9504c \| Parse filename
2018-12-25T11:42:32.79434903Z	26	PC: 984f7 \| Set disk transfer address
2018-12-25T11:42:32.797005138Z	71	PC: 986f3 \| Get current directory
2018-12-25T11:42:32.800068871Z	78	PC: 986fe \| Find first file
2018-12-25T11:42:32.809535249Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T11:42:32.812506109Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T11:42:32.822705222Z	64	PC: 9a848 \| Write file or device (Write 26 bytes on handle 2)
2018-12-25T11:42:32.828502051Z	37	PC: 123c4 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-25T11:42:32.831267563Z	37	PC: 123cb \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T11:42:32.832676872Z	37	PC: 123d2 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:42:32.834060572Z	62	PC: 122ab \| Close file
2018-12-25T11:42:32.836639485Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.838501103Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.840285978Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.842084801Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.843612009Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.844951533Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.847139988Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.851797661Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.853303108Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.855243867Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.857958347Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.859836768Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.861531538Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.870654349Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:32.873565349Z	99	PC: 9a5d7 \| Get DBCS lead byte table pointer
2018-12-25T11:42:32.876106755Z	56	PC: 94df9 \| Get or set country info
2018-12-25T11:42:32.879194575Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:42:32.88642358Z	25	PC: 94e62 \| Get default drive
2018-12-25T11:42:32.889165804Z	71	PC: 970dd \| Get current directory
2018-12-25T11:42:32.893734781Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:42:32.897270121Z	2	PC: 970b2 \| Character output (Char = '3e')
2018-12-25T11:42:32.89955907Z	93	PC: 94f20 \| File sharing functions
2018-12-25T11:42:32.901487271Z	93	PC: 94f27 \| File sharing functions
2018-12-25T11:42:32.904338604Z	10	PC: 94f39 \| Buffered keyboard input
2018-12-25T11:42:47.821891383Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T11:42:49.180522406Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T11:42:49.282948818Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:42:49.288786536Z	41	PC: 94fae \| Parse filename (See above)
2018-12-25T11:42:49.291845744Z	41	PC: 9502f \| Parse filename (See above)
2018-12-25T11:42:49.293556725Z	41	PC: 9504c \| Parse filename (See above)
2018-12-25T11:42:49.297059433Z	26	PC: 984f7 \| Set disk transfer address (See above)
2018-12-25T11:42:49.299890296Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T11:42:49.319018178Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T11:42:49.328067313Z	71	PC: 9856c \| Get current directory
2018-12-25T11:42:49.331951453Z	73	PC: 97c09 \| Release memory
2018-12-25T11:42:49.333410035Z	75	PC: 11821 \| Execute program
2018-12-25T11:42:49.35156673Z	9	PC: 12a47 \| Display string (String= 'Hello, World! ')
2018-12-25T11:42:49.356418566Z	76	PC: 12a4b \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":7,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1078,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:32.84816989Z	47	PC: 12a75 \| Get disk transfer address
2018-12-25T11:42:32.849565433Z	26	PC: 12a5b \| Set disk transfer address
2018-12-25T11:42:32.851858716Z	42	PC: 12a82 \| Get date 0x12a82: cmp al, 1 0x12a84: jge 0x12a88 0x12a86: jmp 0x12ad2 0x12a88: cmp al, 1 0x12a8a: ja 0x12ad2 0x12a8c: jmp 0x12a8e 0x12a8e: mov dl, 2 0x12a90: mov ah, 5 0x12a92: mov dh, 0x80 0x12a94: mov ch, 0 0x12a96: int 0x13 0x12a98: mov cx, 0x14 0x12a9b: push cx 0x12a9c: call 0x12aa9 0x12a9f: mov cx, 0x4000 0x12aa2: loop 0x12aa2 0x12aa4: pop cx 0x12aa5: loop 0x12a9b 0x12aa7: jmp 0x12a8e 0x12aa9: mov dx, 0x140