Sample viewer

vx.netlux.org/Virus.DOS.Cascade.1701.e

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:54:31.038016803Z 48 PC: 14182 | Get DOS version
2018-12-17T22:54:31.040120651Z 75 PC: 14190 | Execute program
2018-12-17T22:54:31.041552045Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:54:31.042684297Z 80 PC: 14212 | Set current PSP
2018-12-17T22:54:31.044846936Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:54:31.046645463Z 26 PC: 12be4 | Set disk transfer address
2018-12-17T22:54:31.047653693Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7ca
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-17T22:54:31.049631807Z 48 PC: 13223 | Get DOS version
2018-12-17T22:54:31.051352199Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-17T22:54:31.067808524Z 61 PC: 13477 | Open file (Filename = '')
2018-12-17T22:54:31.074464709Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-17T22:54:31.084646549Z 93 PC: 132e4 | File sharing functions
2018-12-17T22:54:31.086689026Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-17T22:54:31.092658157Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":10,"Year":1994,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11580,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:30:51.310286674Z 48 PC: 14182 | Get DOS version
2018-12-25T12:30:51.31167806Z 75 PC: 14190 | Execute program
2018-12-25T12:30:51.313130711Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.314590198Z 80 PC: 14212 | Set current PSP
2018-12-25T12:30:51.317276601Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.318444868Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:30:51.319792147Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7ca
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:30:51.407031377Z 53 PC: 12c40 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:30:51.408757993Z 37 PC: 12c55 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:30:51.410391286Z 48 PC: 13223 | Get DOS version
2018-12-25T12:30:51.412968615Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:30:51.422241927Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:30:51.4287817Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:30:51.433172371Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:30:51.435359092Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:30:51.439380116Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1995,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11580,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:30:51.526726583Z 48 PC: 14182 | Get DOS version
2018-12-25T12:30:51.52834324Z 75 PC: 14190 | Execute program
2018-12-25T12:30:51.529622613Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.530643353Z 80 PC: 14212 | Set current PSP
2018-12-25T12:30:51.533356031Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.535013391Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:30:51.536074123Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7ca
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:30:51.538489359Z 48 PC: 13223 | Get DOS version
2018-12-25T12:30:51.539624527Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:30:51.548723732Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:30:51.555558181Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:30:51.559813876Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:30:51.561650396Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:30:51.565662762Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11580,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T13:07:19.064913573Z 48 PC: 14182 | Get DOS version
2018-12-25T13:07:19.067175191Z 75 PC: 14190 | Execute program
2018-12-25T13:07:19.0687038Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:07:19.071583005Z 80 PC: 14212 | Set current PSP
2018-12-25T13:07:19.074317121Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:07:19.07578611Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T13:07:19.0771175Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7ca
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T13:07:19.07939199Z 53 PC: 12bff | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T13:07:19.081235569Z 37 PC: 12c13 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T13:07:19.138502432Z 53 PC: 12c40 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T13:07:19.139863363Z 37 PC: 12c55 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T13:07:19.142547248Z 48 PC: 13223 | Get DOS version
2018-12-25T13:07:19.143695671Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T13:07:19.149557949Z 42 PC: 13071 | Get date
0x13071: cmp cx, 0x7ca
0x13075: jb 0x13084
0x13077: ja 0x1307e
0x13079: cmp dh, 0xa
0x1307c: jb 0x13084
0x1307e: and byte ptr cs:[0x157], 0xf7
0x13084: pop dx
0x13085: pop cx
0x13086: pop ax
0x13087: ljmp ptr cs:[0x13b]
0x1308c: push es
0x1308d: push bx
0x1308e: mov ah, 0x48
0x13090: mov bx, 0x6b
0x13093: int 0x21
0x13095: pop bx
0x13096: jae 0x1309b
0x13098: stc
0x13099: pop es
0x1309a: ret
2018-12-25T13:07:19.157542882Z 42 PC: 13071 | Get date (See above)
2018-12-25T13:07:19.168054007Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T13:07:19.175671755Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T13:07:19.180410003Z 42 PC: 13071 | Get date (See above)
2018-12-25T13:07:19.184357073Z 93 PC: 132e4 | File sharing functions
2018-12-25T13:07:19.186312308Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T13:07:19.191104976Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1981,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11580,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:30:51.843867601Z 48 PC: 14182 | Get DOS version
2018-12-25T12:30:51.84592791Z 75 PC: 14190 | Execute program
2018-12-25T12:30:51.84737116Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.848518161Z 80 PC: 14212 | Set current PSP
2018-12-25T12:30:51.851420559Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.852908231Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:30:51.854364544Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7ca
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:30:51.856823976Z 48 PC: 13223 | Get DOS version
2018-12-25T12:30:51.858434708Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:30:51.867609366Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:30:51.873941078Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:30:51.882701129Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:30:51.892304554Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:30:51.896430667Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1994,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11580,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:30:51.982879032Z 48 PC: 14182 | Get DOS version
2018-12-25T12:30:51.985495552Z 75 PC: 14190 | Execute program
2018-12-25T12:30:51.987669193Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:51.989385163Z 80 PC: 14212 | Set current PSP
2018-12-25T12:30:51.992262124Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:30:52.000572345Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:30:52.00221685Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7ca
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:30:52.00513611Z 48 PC: 13223 | Get DOS version
2018-12-25T12:30:52.0071766Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:30:52.01890404Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:30:52.026845417Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:30:52.032066187Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:30:52.034276599Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:30:52.054153713Z 76 PC: 132c9 | Terminate with return code (Return code = '1')