Sample viewer

vx.netlux.org/Virus.DOS.Storm.1218

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:12:12.886082537Z	48	PC: 13e5d \| Get DOS version
2018-12-17T23:12:12.888430973Z	53	PC: 13e66 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:12:12.890417989Z	53	PC: 13e87 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:12:12.892151279Z	75	PC: 13ea4 \| Execute program
2018-12-17T23:12:12.895208808Z	80	PC: 9f83b \| Set current PSP
2018-12-17T23:12:12.896564167Z	26	PC: 9f847 \| Set disk transfer address
2018-12-17T23:12:12.898239066Z	37	PC: 9f892 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T23:12:12.899988807Z	42	PC: 9f896 \| Get date 0x9f896: cmp dh, 3 0x9f899: jne 0x9f8c4 0x9f89b: cmp dh, dl 0x9f89d: jne 0x9f8c4 0x9f89f: mov si, 0x18c 0x9f8a2: mov cx, 0x4b 0x9f8a5: mov es, word ptr [0x598] 0x9f8a9: mov di, 0x640 0x9f8ac: mov ah, 4 0x9f8ae: nop 0x9f8af: nop 0x9f8b0: lodsb al, byte ptr [si] 0x9f8b1: xor al, 0xff 0x9f8b3: stosw word ptr es:[di], ax 0x9f8b4: loop 0x9f8b0 0x9f8b6: mov word ptr [0x58c], 0x3f48 0x9f8bc: mov dx, 0x42c 0x9f8bf: mov ax, 0x2508 0x9f8c2: int 0x21 0x9f8c4: mov bx, ss
2018-12-17T23:12:12.903676251Z	9	PC: 13065 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-17T23:12:12.909587808Z	0	PC: 13069 \| Program terminate

{"DateBased":true,"Day":1,"Month":3,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":17447,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:55:48.859191252Z	48	PC: 13e5d \| Get DOS version
2018-12-25T12:55:48.860832691Z	53	PC: 13e66 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:55:48.862256209Z	53	PC: 13e87 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:55:48.863586698Z	75	PC: 13ea4 \| Execute program
2018-12-25T12:55:48.865872236Z	80	PC: 9f83b \| Set current PSP
2018-12-25T12:55:48.866930819Z	26	PC: 9f847 \| Set disk transfer address
2018-12-25T12:55:48.867846542Z	37	PC: 9f892 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:55:48.868941545Z	42	PC: 9f896 \| Get date 0x9f896: cmp dh, 3 0x9f899: jne 0x9f8c4 0x9f89b: cmp dh, dl 0x9f89d: jne 0x9f8c4 0x9f89f: mov si, 0x18c 0x9f8a2: mov cx, 0x4b 0x9f8a5: mov es, word ptr [0x598] 0x9f8a9: mov di, 0x640 0x9f8ac: mov ah, 4 0x9f8ae: nop 0x9f8af: nop 0x9f8b0: lodsb al, byte ptr [si] 0x9f8b1: xor al, 0xff 0x9f8b3: stosw word ptr es:[di], ax 0x9f8b4: loop 0x9f8b0 0x9f8b6: mov word ptr [0x58c], 0x3f48 0x9f8bc: mov dx, 0x42c 0x9f8bf: mov ax, 0x2508 0x9f8c2: int 0x21 0x9f8c4: mov bx, ss
2018-12-25T12:55:48.87064448Z	9	PC: 13065 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:55:48.873877415Z	0	PC: 13069 \| Program terminate

{"DateBased":true,"Day":3,"Month":3,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":17447,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:55:48.888471175Z	48	PC: 13e5d \| Get DOS version
2018-12-25T12:55:48.89083414Z	53	PC: 13e66 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:55:48.892501198Z	53	PC: 13e87 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:55:48.893918556Z	75	PC: 13ea4 \| Execute program
2018-12-25T12:55:48.897460617Z	80	PC: 9f83b \| Set current PSP
2018-12-25T12:55:48.898658128Z	26	PC: 9f847 \| Set disk transfer address
2018-12-25T12:55:48.900300652Z	37	PC: 9f892 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:55:48.901929403Z	42	PC: 9f896 \| Get date 0x9f896: cmp dh, 3 0x9f899: jne 0x9f8c4 0x9f89b: cmp dh, dl 0x9f89d: jne 0x9f8c4 0x9f89f: mov si, 0x18c 0x9f8a2: mov cx, 0x4b 0x9f8a5: mov es, word ptr [0x598] 0x9f8a9: mov di, 0x640 0x9f8ac: mov ah, 4 0x9f8ae: nop 0x9f8af: nop 0x9f8b0: lodsb al, byte ptr [si] 0x9f8b1: xor al, 0xff 0x9f8b3: stosw word ptr es:[di], ax 0x9f8b4: loop 0x9f8b0 0x9f8b6: mov word ptr [0x58c], 0x3f48 0x9f8bc: mov dx, 0x42c 0x9f8bf: mov ax, 0x2508 0x9f8c2: int 0x21 0x9f8c4: mov bx, ss
2018-12-25T12:55:48.905059327Z	37	PC: 9f8c4 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:55:48.906611051Z	9	PC: 13065 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:55:48.91288059Z	0	PC: 13069 \| Program terminate

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":17447,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:55:48.953818818Z	48	PC: 13e5d \| Get DOS version
2018-12-25T12:55:48.955074966Z	53	PC: 13e66 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T12:55:48.956123808Z	53	PC: 13e87 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:55:48.95704437Z	75	PC: 13ea4 \| Execute program
2018-12-25T12:55:48.958758726Z	80	PC: 9f83b \| Set current PSP
2018-12-25T12:55:48.959410254Z	26	PC: 9f847 \| Set disk transfer address
2018-12-25T12:55:48.960368857Z	37	PC: 9f892 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:55:48.961610139Z	42	PC: 9f896 \| Get date 0x9f896: cmp dh, 3 0x9f899: jne 0x9f8c4 0x9f89b: cmp dh, dl 0x9f89d: jne 0x9f8c4 0x9f89f: mov si, 0x18c 0x9f8a2: mov cx, 0x4b 0x9f8a5: mov es, word ptr [0x598] 0x9f8a9: mov di, 0x640 0x9f8ac: mov ah, 4 0x9f8ae: nop 0x9f8af: nop 0x9f8b0: lodsb al, byte ptr [si] 0x9f8b1: xor al, 0xff 0x9f8b3: stosw word ptr es:[di], ax 0x9f8b4: loop 0x9f8b0 0x9f8b6: mov word ptr [0x58c], 0x3f48 0x9f8bc: mov dx, 0x42c 0x9f8bf: mov ax, 0x2508 0x9f8c2: int 0x21 0x9f8c4: mov bx, ss
2018-12-25T12:55:48.963859368Z	9	PC: 13065 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T12:55:48.969646904Z	0	PC: 13069 \| Program terminate