Sample viewer

vx.netlux.org/Virus.DOS.Cascade.1701.c


Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:58:26.981440053Z 48 PC: 14182 | Get DOS version
2018-12-17T22:58:26.983005749Z 75 PC: 14190 | Execute program
2018-12-17T22:58:26.984232969Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:26.98527757Z 80 PC: 14212 | Set current PSP
2018-12-17T22:58:26.988269486Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:26.989276246Z 26 PC: 12be4 | Set disk transfer address
2018-12-17T22:58:26.990269438Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7c4
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-17T22:58:26.992838688Z 48 PC: 13223 | Get DOS version
2018-12-17T22:58:26.993874341Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-17T22:58:27.005117717Z 61 PC: 13477 | Open file (Filename = '')
2018-12-17T22:58:27.011832456Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-17T22:58:27.014857712Z 93 PC: 132e4 | File sharing functions
2018-12-17T22:58:27.016945776Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-17T22:58:27.022473899Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1981,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12890,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:36:44.323500709Z 48 PC: 14182 | Get DOS version
2018-12-25T12:36:44.325292505Z 75 PC: 14190 | Execute program
2018-12-25T12:36:44.328009135Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:44.329889695Z 80 PC: 14212 | Set current PSP
2018-12-25T12:36:44.336960126Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:44.338508363Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:36:44.340045465Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7c4
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:36:44.343180231Z 48 PC: 13223 | Get DOS version
2018-12-25T12:36:44.34450347Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:36:44.354086839Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:36:44.36090133Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:36:44.364604137Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:36:44.366269427Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:36:44.370604336Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1988,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12890,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:36:44.952436286Z 48 PC: 14182 | Get DOS version
2018-12-25T12:36:44.954140104Z 75 PC: 14190 | Execute program
2018-12-25T12:36:44.955946707Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:44.957079076Z 80 PC: 14212 | Set current PSP
2018-12-25T12:36:44.960257246Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:44.96707077Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:36:44.968452869Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7c4
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:36:44.971456643Z 48 PC: 13223 | Get DOS version
2018-12-25T12:36:44.973648044Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:36:44.984026172Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:36:44.99095565Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:36:44.994790143Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:36:44.996909104Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:36:45.001167727Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":10,"Year":1988,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12890,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:36:45.432300897Z 48 PC: 14182 | Get DOS version
2018-12-25T12:36:45.434891481Z 75 PC: 14190 | Execute program
2018-12-25T12:36:45.436602971Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:45.437961344Z 80 PC: 14212 | Set current PSP
2018-12-25T12:36:45.441130614Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:45.443085796Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:36:45.444430354Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7c4
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:36:45.507087882Z 53 PC: 12c40 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:36:45.509885856Z 37 PC: 12c55 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:36:45.511649185Z 48 PC: 13223 | Get DOS version
2018-12-25T12:36:45.513303968Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:36:45.525767528Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:36:45.533606711Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:36:45.537945142Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:36:45.540954897Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:36:45.546321086Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1989,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12890,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:36:45.434707523Z 48 PC: 14182 | Get DOS version
2018-12-25T12:36:45.436499661Z 75 PC: 14190 | Execute program
2018-12-25T12:36:45.438156664Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:45.439534366Z 80 PC: 14212 | Set current PSP
2018-12-25T12:36:45.442224621Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:45.443798525Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:36:45.445160244Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7c4
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:36:45.447708607Z 48 PC: 13223 | Get DOS version
2018-12-25T12:36:45.449738751Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:36:45.460497036Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:36:45.468440688Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:36:45.47320084Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:36:45.476202964Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:36:45.48081295Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12890,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:36:45.813345101Z 48 PC: 14182 | Get DOS version
2018-12-25T12:36:45.815922603Z 75 PC: 14190 | Execute program
2018-12-25T12:36:45.818064371Z 53 PC: 141ab | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:45.819721255Z 80 PC: 14212 | Set current PSP
2018-12-25T12:36:45.822596052Z 37 PC: 12bdc | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:36:45.824805828Z 26 PC: 12be4 | Set disk transfer address
2018-12-25T12:36:45.827163825Z 42 PC: 12beb | Get date
0x12beb: cmp cx, 0x7c4
0x12bef: ja 0x12c56
0x12bf1: je 0x12c1d
0x12bf3: cmp cx, 0x7bc
0x12bf7: jne 0x12c56
0x12bf9: push ds
0x12bfa: mov ax, 0x3528
0x12bfd: int 0x21
0x12bff: mov word ptr cs:[0x13b], bx
0x12c04: mov word ptr cs:[0x13d], es
0x12c09: mov ax, 0x2528
0x12c0c: mov dx, 0x722
0x12c0f: push cs
0x12c10: pop ds
0x12c11: int 0x21
0x12c13: pop ds
0x12c14: or byte ptr cs:[0x157], 8
0x12c1a: jmp 0x12c22
0x12c1c: nop
0x12c1d: cmp dh, 0xa
2018-12-25T12:36:45.829963414Z 53 PC: 12bff | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T12:36:45.833680943Z 37 PC: 12c13 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T12:36:45.894769664Z 53 PC: 12c40 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:36:45.895973959Z 37 PC: 12c55 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:36:45.897650423Z 48 PC: 13223 | Get DOS version
2018-12-25T12:36:45.898617257Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:36:45.90197477Z 42 PC: 13071 | Get date
0x13071: cmp cx, 0x7c4
0x13075: jb 0x13084
0x13077: ja 0x1307e
0x13079: cmp dh, 0xa
0x1307c: jb 0x13084
0x1307e: and byte ptr cs:[0x157], 0xf7
0x13084: pop dx
0x13085: pop cx
0x13086: pop ax
0x13087: ljmp ptr cs:[0x13b]
0x1308c: push es
0x1308d: push bx
0x1308e: mov ah, 0x48
0x13090: mov bx, 0x6b
0x13093: int 0x21
0x13095: pop bx
0x13096: jae 0x1309b
0x13098: stc
0x13099: pop es
0x1309a: ret
2018-12-25T12:36:45.906514324Z 42 PC: 13071 | Get date (See above)
2018-12-25T12:36:45.91104889Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:36:45.915663356Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:36:45.920784189Z 42 PC: 13071 | Get date (See above)
2018-12-25T12:36:45.924514942Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:36:45.926609796Z 9 PC: 132c3 | Display string (String= 'Size change=+06A5h/01701d. Virus might be activ? ')
2018-12-25T12:36:45.932242067Z 76 PC: 132c9 | Terminate with return code (Return code = '1')