Sample viewer

vx.netlux.org/Virus.DOS.Cuareim.800

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:10:50.244398989Z	44	PC: 14203 \| Get time 0x14203: cmp ch, 0x16 0x14206: jb 0x1420b 0x14208: jmp 0x14391 0x1420b: cld 0x1420c: mov cx, 7 0x1420f: lea si, word ptr [bp + 0x2b4] 0x14213: lea di, word ptr [bp + 0x2bb] 0x14217: rep movsb byte ptr es:[di], byte ptr [si] 0x14219: mov cx, 0x2b 0x1421c: lea di, word ptr [bp + 0x2ed] 0x14220: mov si, 0x80 0x14223: rep movsb byte ptr es:[di], byte ptr [si] 0x14225: mov ah, 0x47 0x14227: mov dl, 0 0x14229: lea si, word ptr [bp + 0x31b] 0x1422d: int 0x21 0x1422f: mov ah, 0x4e 0x14231: lea dx, word ptr [bp + 0x3d8] 0x14235: mov cx, 0x10 0x14238: int 0x21
2018-12-17T23:10:50.247796716Z	71	PC: 1422f \| Get current directory
2018-12-17T23:10:50.251235369Z	78	PC: 1423a \| Find first file
2018-12-17T23:10:50.258580067Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.26181338Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.266047542Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.26984346Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.273472944Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.278876548Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.282328491Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.285724838Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.28969485Z	79	PC: 142ad \| Find next file
2018-12-17T23:10:50.292984831Z	59	PC: 14297 \| Change current directory
2018-12-17T23:10:50.298359135Z	59	PC: 14373 \| Change current directory
2018-12-17T23:10:50.304354595Z	25	PC: 1416a \| Get default drive
2018-12-17T23:10:50.323021698Z	51	PC: 12da8 \| Get or set Ctrl-Break
2018-12-17T23:10:50.324358451Z	82	PC: 12db0 \| Get DOS internal pointers (SYSVARS)
2018-12-17T23:10:50.327095806Z	65	PC: 12c2b \| Delete file (Filename = 'TBDRVXXX')
2018-12-17T23:10:50.335201501Z	54	PC: 12ca0 \| Get free disk space
2018-12-17T23:10:50.349134677Z	47	PC: 9f29f \| Get disk transfer address
2018-12-17T23:10:50.35732799Z	26	PC: 9f38c \| Set disk transfer address
2018-12-17T23:10:50.359381381Z	78	PC: 9f309 \| Find first file
2018-12-17T23:10:50.366268256Z	67	PC: 9f387 \| Get or set file attributes
2018-12-17T23:10:50.384816056Z	61	PC: 9f37e \| Open file (Filename = 'TEST.COM')
2018-12-17T23:10:50.393375568Z	63	PC: 9f374 \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T23:10:50.397211191Z	66	PC: 9f395 \| Move file pointer
2018-12-17T23:10:50.399491607Z	87	PC: 9f290 \| Get or set file date and time
2018-12-17T23:10:50.402433998Z	62	PC: 9f379 \| Close file
2018-12-17T23:10:50.41079606Z	67	PC: 9f387 \| Get or set file attributes
2018-12-17T23:10:50.422809482Z	26	PC: 9f38c \| Set disk transfer address
2018-12-17T23:10:50.42786268Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=0000014Dh/0000000333d bytes. ')
2018-12-17T23:10:50.432862394Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":16992,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T13:07:40.857518467Z	44	PC: 14203 \| Get time 0x14203: cmp ch, 0x16 0x14206: jb 0x1420b 0x14208: jmp 0x14391 0x1420b: cld 0x1420c: mov cx, 7 0x1420f: lea si, word ptr [bp + 0x2b4] 0x14213: lea di, word ptr [bp + 0x2bb] 0x14217: rep movsb byte ptr es:[di], byte ptr [si] 0x14219: mov cx, 0x2b 0x1421c: lea di, word ptr [bp + 0x2ed] 0x14220: mov si, 0x80 0x14223: rep movsb byte ptr es:[di], byte ptr [si] 0x14225: mov ah, 0x47 0x14227: mov dl, 0 0x14229: lea si, word ptr [bp + 0x31b] 0x1422d: int 0x21 0x1422f: mov ah, 0x4e 0x14231: lea dx, word ptr [bp + 0x3d8] 0x14235: mov cx, 0x10 0x14238: int 0x21
2018-12-25T13:07:40.86088853Z	71	PC: 1422f \| Get current directory
2018-12-25T13:07:40.8635232Z	78	PC: 1423a \| Find first file
2018-12-25T13:07:40.869401594Z	79	PC: 142ad \| Find next file
2018-12-25T13:07:40.872118915Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.874464142Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.876802792Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.88020804Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.882608518Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.884933725Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.889214938Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.892006882Z	79	PC: 142ad \| Find next file (See above)
2018-12-25T13:07:40.894323175Z	59	PC: 14297 \| Change current directory
2018-12-25T13:07:40.898805293Z	59	PC: 14373 \| Change current directory
2018-12-25T13:07:40.902676783Z	25	PC: 1416a \| Get default drive
2018-12-25T13:07:40.91845501Z	51	PC: 12da8 \| Get or set Ctrl-Break
2018-12-25T13:07:40.919776301Z	82	PC: 12db0 \| Get DOS internal pointers (SYSVARS)
2018-12-25T13:07:40.921424337Z	65	PC: 12c2b \| Delete file (Filename = 'TBDRVXXX')
2018-12-25T13:07:40.925056835Z	54	PC: 12ca0 \| Get free disk space
2018-12-25T13:07:40.931797742Z	47	PC: 9f29f \| Get disk transfer address
2018-12-25T13:07:40.933632157Z	26	PC: 9f38c \| Set disk transfer address
2018-12-25T13:07:40.934461516Z	78	PC: 9f309 \| Find first file
2018-12-25T13:07:40.938109419Z	67	PC: 9f387 \| Get or set file attributes
2018-12-25T13:07:41.246990972Z	61	PC: 9f37e \| Open file (Filename = 'TEST.COM')
2018-12-25T13:07:41.25384997Z	63	PC: 9f374 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T13:07:41.256754273Z	66	PC: 9f395 \| Move file pointer
2018-12-25T13:07:41.259091183Z	87	PC: 9f290 \| Get or set file date and time
2018-12-25T13:07:41.260634545Z	62	PC: 9f379 \| Close file
2018-12-25T13:07:41.26744223Z	67	PC: 9f387 \| Get or set file attributes (See above)
2018-12-25T13:07:41.280430966Z	26	PC: 9f38c \| Set disk transfer address (See above)
2018-12-25T13:07:41.282155628Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=0000014Dh/0000000333d bytes. ')
2018-12-25T13:07:41.287759988Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":22,"Min":0,"Second":0,"TimeBased":true,"OriginalID":16992,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:54:35.625044666Z	44	PC: 14203 \| Get time 0x14203: cmp ch, 0x16 0x14206: jb 0x1420b 0x14208: jmp 0x14391 0x1420b: cld 0x1420c: mov cx, 7 0x1420f: lea si, word ptr [bp + 0x2b4] 0x14213: lea di, word ptr [bp + 0x2bb] 0x14217: rep movsb byte ptr es:[di], byte ptr [si] 0x14219: mov cx, 0x2b 0x1421c: lea di, word ptr [bp + 0x2ed] 0x14220: mov si, 0x80 0x14223: rep movsb byte ptr es:[di], byte ptr [si] 0x14225: mov ah, 0x47 0x14227: mov dl, 0 0x14229: lea si, word ptr [bp + 0x31b] 0x1422d: int 0x21 0x1422f: mov ah, 0x4e 0x14231: lea dx, word ptr [bp + 0x3d8] 0x14235: mov cx, 0x10 0x14238: int 0x21
2018-12-25T12:54:35.628345221Z	9	PC: 14399 \| Display string (String= 'ei-cuareim 1.5 By: V90d90A time to stop working - 22pm Lucky, I dont do anything')
2018-12-25T12:54:35.635079055Z	76	PC: 1439d \| Terminate with return code (Return code = '36')