Sample viewer

vx.netlux.org/Virus.DOS.Patoruzu.931


Syscalls:

Time Syscall Op Syscall Name
2018-12-17T23:03:02.784903873Z 53 PC: 12e68 | Get interrupt vector (Interrupt = '253' AKA 'UNKNOWN!')
2018-12-17T23:03:02.787421521Z 37 PC: 130d5 | Set interrupt vector (Interrupt = '253' AKA 'UNKNOWN!')
2018-12-17T23:03:02.788839775Z 53 PC: 130dc | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:03:02.790284232Z 74 PC: 13107 | Reallocate memory
2018-12-17T23:03:02.791887245Z 72 PC: 1310e | Allocate memory
2018-12-17T23:03:02.795922572Z 37 PC: 13137 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:03:02.797619811Z 42 PC: 9f5dc | Get date
0x9f5dc: cmp dx, 0xb11
0x9f5e0: jne 0x9f5ee
0x9f5e2: mov ah, 9
0x9f5e4: mov dx, 0x41b
0x9f5e7: int 0x21
0x9f5e9: mov ax, 0x4c00
0x9f5ec: int 0x21
0x9f5ee: pop bx
0x9f5ef: pop ds
0x9f5f0: inc bx
0x9f5f1: cmp byte ptr [bx], 0
0x9f5f4: jne 0x9f5f0
0x9f5f6: cmp word ptr [bx - 4], 0x432e
0x9f5fb: je 0x9f607
0x9f5fd: popaw
0x9f5fe: pop ss
0x9f5ff: pop es
0x9f600: pop ds
0x9f601: popf
0x9f602: ljmp ptr cs:[0x4ab]
2018-12-17T23:03:02.8005018Z 53 PC: 9f60e | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:03:02.804222684Z 37 PC: 9f61e | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:03:02.805373003Z 67 PC: 9f62c | Get or set file attributes
2018-12-17T23:03:02.809174122Z 67 PC: 9f63a | Get or set file attributes
2018-12-17T23:03:03.149082663Z 61 PC: 9f63f | Open file (Filename = '�`��X�N�O������I�!��')
2018-12-17T23:03:03.153926848Z 87 PC: 9f64a | Get or set file date and time
2018-12-17T23:03:03.155264903Z 63 PC: 9f66f | Read file or device (Read 5 bytes on handle 5)
2018-12-17T23:03:03.158353595Z 66 PC: 9f683 | Move file pointer
2018-12-17T23:03:03.160961716Z 64 PC: 9f6c5 | Write file or device (Write 931 bytes on handle 5)
2018-12-17T23:03:03.17055816Z 66 PC: 9f6de | Move file pointer
2018-12-17T23:03:03.172296498Z 64 PC: 9f6ec | Write file or device (Write 3 bytes on handle 5)
2018-12-17T23:03:03.174382952Z 62 PC: 9f6f6 | Close file
2018-12-17T23:03:03.179484864Z 67 PC: 9f707 | Get or set file attributes
2018-12-17T23:03:03.186298365Z 61 PC: 9f70c | Open file (Filename = 'C:\COMMAND.COM')
2018-12-17T23:03:03.191769675Z 87 PC: 9f716 | Get or set file date and time
2018-12-17T23:03:03.193244069Z 62 PC: 9f71b | Close file
2018-12-17T23:03:03.198255269Z 37 PC: 9f72a | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:03:03.199676047Z 205 PC: 1313e | UNKNOWN!
2018-12-17T23:03:03.20119811Z 76 PC: 12e28 | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":14420,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:40:39.605958336Z 53 PC: 12e68 | Get interrupt vector (Interrupt = '253' AKA 'UNKNOWN!')
2018-12-25T12:40:39.60849779Z 37 PC: 130d5 | Set interrupt vector (Interrupt = '253' AKA 'UNKNOWN!')
2018-12-25T12:40:39.611071736Z 53 PC: 130dc | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:40:39.61290244Z 74 PC: 13107 | Reallocate memory
2018-12-25T12:40:39.614833585Z 72 PC: 1310e | Allocate memory
2018-12-25T12:40:39.625040534Z 37 PC: 13137 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:40:39.626717879Z 42 PC: 9f5dc | Get date
0x9f5dc: cmp dx, 0xb11
0x9f5e0: jne 0x9f5ee
0x9f5e2: mov ah, 9
0x9f5e4: mov dx, 0x41b
0x9f5e7: int 0x21
0x9f5e9: mov ax, 0x4c00
0x9f5ec: int 0x21
0x9f5ee: pop bx
0x9f5ef: pop ds
0x9f5f0: inc bx
0x9f5f1: cmp byte ptr [bx], 0
0x9f5f4: jne 0x9f5f0
0x9f5f6: cmp word ptr [bx - 4], 0x432e
0x9f5fb: je 0x9f607
0x9f5fd: popaw
0x9f5fe: pop ss
0x9f5ff: pop es
0x9f600: pop ds
0x9f601: popf
0x9f602: ljmp ptr cs:[0x4ab]
2018-12-25T12:40:39.62963666Z 53 PC: 9f60e | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:40:39.632164092Z 37 PC: 9f61e | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:40:39.63361986Z 67 PC: 9f62c | Get or set file attributes
2018-12-25T12:40:39.640230387Z 67 PC: 9f63a | Get or set file attributes
2018-12-25T12:40:39.984083893Z 61 PC: 9f63f | Open file (Filename = '�`��X�N�O������I�!��')
2018-12-25T12:40:39.99141128Z 87 PC: 9f64a | Get or set file date and time
2018-12-25T12:40:39.993347611Z 63 PC: 9f66f | Read file or device (Read 5 bytes on handle 5)
2018-12-25T12:40:39.997820112Z 66 PC: 9f683 | Move file pointer
2018-12-25T12:40:40.000613535Z 64 PC: 9f6c5 | Write file or device (Write 931 bytes on handle 5)
2018-12-25T12:40:40.012497184Z 66 PC: 9f6de | Move file pointer
2018-12-25T12:40:40.014231289Z 64 PC: 9f6ec | Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:40:40.01848194Z 62 PC: 9f6f6 | Close file
2018-12-25T12:40:40.027679468Z 67 PC: 9f707 | Get or set file attributes
2018-12-25T12:40:40.0376359Z 61 PC: 9f70c | Open file (Filename = 'C:\COMMAND.COM')
2018-12-25T12:40:40.045282436Z 87 PC: 9f716 | Get or set file date and time
2018-12-25T12:40:40.047218061Z 62 PC: 9f71b | Close file
2018-12-25T12:40:40.054030027Z 37 PC: 9f72a | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:40:40.056233974Z 205 PC: 1313e | UNKNOWN!
2018-12-25T12:40:40.057820772Z 76 PC: 12e28 | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":17,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":14420,"SideJobID":0}


Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:40:39.853101895Z 53 PC: 12e68 | Get interrupt vector (Interrupt = '253' AKA 'UNKNOWN!')
2018-12-25T12:40:39.854565853Z 37 PC: 130d5 | Set interrupt vector (Interrupt = '253' AKA 'UNKNOWN!')
2018-12-25T12:40:39.856830731Z 53 PC: 130dc | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:40:39.858682113Z 74 PC: 13107 | Reallocate memory
2018-12-25T12:40:39.860665996Z 72 PC: 1310e | Allocate memory
2018-12-25T12:40:39.86369439Z 37 PC: 13137 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:40:39.865825514Z 42 PC: 9f5dc | Get date
0x9f5dc: cmp dx, 0xb11
0x9f5e0: jne 0x9f5ee
0x9f5e2: mov ah, 9
0x9f5e4: mov dx, 0x41b
0x9f5e7: int 0x21
0x9f5e9: mov ax, 0x4c00
0x9f5ec: int 0x21
0x9f5ee: pop bx
0x9f5ef: pop ds
0x9f5f0: inc bx
0x9f5f1: cmp byte ptr [bx], 0
0x9f5f4: jne 0x9f5f0
0x9f5f6: cmp word ptr [bx - 4], 0x432e
0x9f5fb: je 0x9f607
0x9f5fd: popaw
0x9f5fe: pop ss
0x9f5ff: pop es
0x9f600: pop ds
0x9f601: popf
0x9f602: ljmp ptr cs:[0x4ab]
2018-12-25T12:40:39.868838446Z 9 PC: 9f5e9 | Display string (String= 'Huijaaa !! La proxima vez sera tarde... Si sos MENEMISTA reza por tus discos. >> Virus PatoruzU 2.0 - Argentina << ')
2018-12-25T12:40:39.87927571Z 76 PC: 9f5ee | Terminate with return code (Return code = '0')