Sample viewer

vx.netlux.org/Virus.DOS.Wench.2537

.

GIF

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:18:54.900026998Z 42 PC: 147a1 | Get date 0x147a1: cmp dh, 6
0x147a4: je 0x147a9
0x147a6: jmp 0x149d2
0x147a9: cmp dl, 0x11
0x147ac: je 0x147b1
0x147ae: jmp 0x149d2
0x147b1: mov ah, 6
0x147b3: mov al, 0x19
0x147b5: mov bh, 7
0x147b7: mov ch, 0
0x147b9: mov cl, 0
0x147bb: mov dh, 0x18
0x147bd: mov dl, 0x4f
0x147bf: int 0x10
0x147c1: mov ah, 0xf
0x147c3: int 0x10
0x147c5: mov byte ptr cs:[0xfc], bh
0x147ca: mov ah, 3
0x147cc: mov bh, byte ptr cs:[0xfc]
0x147d1: int 0x10
2018-12-17T22:18:54.902659557Z 53 PC: 14227 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:18:54.903768395Z 37 PC: 1423a | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:18:54.904831145Z 25 PC: 14240 | Get default drive
2018-12-17T22:18:54.907008312Z 61 PC: 1425a | Open file (Filename = 'A:\��������')
2018-12-17T22:18:54.913777024Z 71 PC: 14770 | Get current directory
2018-12-17T22:18:54.91664128Z 25 PC: 14774 | Get default drive
2018-12-17T22:18:54.918262006Z 47 PC: 142a4 | Get disk transfer address
2018-12-17T22:18:54.926825554Z 26 PC: 142b5 | Set disk transfer address
2018-12-17T22:18:54.927814909Z 78 PC: 142c4 | Find first file
2018-12-17T22:18:54.933459457Z 26 PC: 1430b | Set disk transfer address
2018-12-17T22:18:54.935693333Z 61 PC: 14351 | Open file (Filename = 'A:\TEST.EXE')
2018-12-17T22:18:54.942330798Z 63 PC: 14369 | Read file or device (Read 28 bytes on handle 5)
2018-12-17T22:18:54.945225269Z 66 PC: 14404 | Move file pointer
2018-12-17T22:18:54.947204938Z 64 PC: 14413 | Write file or device (Write 28 bytes on handle 5)
2018-12-17T22:18:54.9499923Z 66 PC: 1442b | Move file pointer
2018-12-17T22:18:54.957746779Z 72 PC: 1443b | Allocate memory
2018-12-17T22:18:54.960309807Z 44 PC: 14452 | Get time 0x14452: mov dl, dh
0x14454: sub dh, dh
0x14456: mov si, dx
0x14458: add si, 0x1aa
0x1445c: mov di, 0x15c
0x1445f: mov cx, 0xa
0x14462: rep movsb byte ptr es:[di], byte ptr [si]
0x14464: mov ax, word ptr cs:[0x113]
0x14468: mov ds, ax
0x1446a: mov di, 0
0x1446d: mov dx, 0x15c
0x14470: call 0x14a02
0x14473: mov di, 0x1de
0x14476: mov dx, 0x9c2
0x14479: call 0x14a02
0x1447c: push cs
0x1447d: pop ds
0x1447e: mov ah, 0x40
0x14480: mov bx, word ptr cs:[0x81]
0x14485: mov cx, word ptr cs:[0x53]
2018-12-17T22:18:54.963040828Z 64 PC: 14496 | Write file or device (Write 2537 bytes on handle 5)
2018-12-17T22:18:54.976942694Z 73 PC: 144a2 | Release memory
2018-12-17T22:18:54.979686989Z 87 PC: 144bc | Get or set file date and time
2018-12-17T22:18:54.98149496Z 62 PC: 144c5 | Close file
2018-12-17T22:18:54.989256507Z 67 PC: 144d5 | Get or set file attributes
2018-12-17T22:18:54.999739939Z 25 PC: 144e9 | Get default drive
2018-12-17T22:18:55.001611695Z 61 PC: 14503 | Open file (Filename = 'A:\��������')
2018-12-17T22:18:55.008041161Z 60 PC: 1450f | Create or truncate file
2018-12-17T22:18:55.020021587Z 64 PC: 14524 | Write file or device (Write 78 bytes on handle 5)
2018-12-17T22:18:55.024160854Z 62 PC: 1452d | Close file
2018-12-17T22:18:55.032131503Z 37 PC: 1453f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:18:55.034294539Z 9 PC: 12aa9 | Display string (Could not find end pointer)
2018-12-17T22:18:55.038322971Z 76 PC: 12aae | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3238,"SideJobID":0}

.

GIF

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:48:44.08968753Z 42 PC: 147a1 | Get date 0x147a1: cmp dh, 6
0x147a4: je 0x147a9
0x147a6: jmp 0x149d2
0x147a9: cmp dl, 0x11
0x147ac: je 0x147b1
0x147ae: jmp 0x149d2
0x147b1: mov ah, 6
0x147b3: mov al, 0x19
0x147b5: mov bh, 7
0x147b7: mov ch, 0
0x147b9: mov cl, 0
0x147bb: mov dh, 0x18
0x147bd: mov dl, 0x4f
0x147bf: int 0x10
0x147c1: mov ah, 0xf
0x147c3: int 0x10
0x147c5: mov byte ptr cs:[0xfc], bh
0x147ca: mov ah, 3
0x147cc: mov bh, byte ptr cs:[0xfc]
0x147d1: int 0x10
2018-12-25T11:48:44.092781662Z 53 PC: 14227 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:48:44.094453902Z 37 PC: 1423a | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:48:44.095676365Z 25 PC: 14240 | Get default drive
2018-12-25T11:48:44.097192275Z 61 PC: 1425a | Open file (Filename = 'A:\��������')
2018-12-25T11:48:44.104649289Z 71 PC: 14770 | Get current directory
2018-12-25T11:48:44.107865243Z 25 PC: 14774 | Get default drive
2018-12-25T11:48:44.109104149Z 47 PC: 142a4 | Get disk transfer address
2018-12-25T11:48:44.110531084Z 26 PC: 142b5 | Set disk transfer address
2018-12-25T11:48:44.111789937Z 78 PC: 142c4 | Find first file
2018-12-25T11:48:44.116000901Z 26 PC: 1430b | Set disk transfer address
2018-12-25T11:48:44.11759737Z 61 PC: 14351 | Open file (Filename = 'A:\TEST.EXE')
2018-12-25T11:48:44.122092569Z 63 PC: 14369 | Read file or device (Read 28 bytes on handle 5)
2018-12-25T11:48:44.124143326Z 66 PC: 14404 | Move file pointer
2018-12-25T11:48:44.125762285Z 64 PC: 14413 | Write file or device (Write 28 bytes on handle 5)
2018-12-25T11:48:44.127611436Z 66 PC: 1442b | Move file pointer
2018-12-25T11:48:44.128730563Z 72 PC: 1443b | Allocate memory
2018-12-25T11:48:44.130368209Z 44 PC: 14452 | Get time 0x14452: mov dl, dh
0x14454: sub dh, dh
0x14456: mov si, dx
0x14458: add si, 0x1aa
0x1445c: mov di, 0x15c
0x1445f: mov cx, 0xa
0x14462: rep movsb byte ptr es:[di], byte ptr [si]
0x14464: mov ax, word ptr cs:[0x113]
0x14468: mov ds, ax
0x1446a: mov di, 0
0x1446d: mov dx, 0x15c
0x14470: call 0x14a02
0x14473: mov di, 0x1de
0x14476: mov dx, 0x9c2
0x14479: call 0x14a02
0x1447c: push cs
0x1447d: pop ds
0x1447e: mov ah, 0x40
0x14480: mov bx, word ptr cs:[0x81]
0x14485: mov cx, word ptr cs:[0x53]
2018-12-25T11:48:44.132001474Z 64 PC: 14496 | Write file or device (Write 2537 bytes on handle 5)
2018-12-25T11:48:44.47620953Z 73 PC: 144a2 | Release memory
2018-12-25T11:48:44.484189392Z 87 PC: 144bc | Get or set file date and time
2018-12-25T11:48:44.485969548Z 62 PC: 144c5 | Close file
2018-12-25T11:48:44.497206359Z 67 PC: 144d5 | Get or set file attributes
2018-12-25T11:48:44.511749339Z 25 PC: 144e9 | Get default drive
2018-12-25T11:48:44.513348531Z 61 PC: 14503 | Open file (Filename = 'A:\��������')
2018-12-25T11:48:44.520577182Z 60 PC: 1450f | Create or truncate file
2018-12-25T11:48:44.532772961Z 64 PC: 14524 | Write file or device (Write 78 bytes on handle 5)
2018-12-25T11:48:44.537472889Z 62 PC: 1452d | Close file
2018-12-25T11:48:44.54633657Z 37 PC: 1453f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:48:44.5476659Z 9 PC: 12aa9 | Display string (Could not find end pointer)
2018-12-25T11:48:44.55409141Z 76 PC: 12aae | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3238,"SideJobID":0}

.

GIF

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:48:44.43069706Z 42 PC: 147a1 | Get date 0x147a1: cmp dh, 6
0x147a4: je 0x147a9
0x147a6: jmp 0x149d2
0x147a9: cmp dl, 0x11
0x147ac: je 0x147b1
0x147ae: jmp 0x149d2
0x147b1: mov ah, 6
0x147b3: mov al, 0x19
0x147b5: mov bh, 7
0x147b7: mov ch, 0
0x147b9: mov cl, 0
0x147bb: mov dh, 0x18
0x147bd: mov dl, 0x4f
0x147bf: int 0x10
0x147c1: mov ah, 0xf
0x147c3: int 0x10
0x147c5: mov byte ptr cs:[0xfc], bh
0x147ca: mov ah, 3
0x147cc: mov bh, byte ptr cs:[0xfc]
0x147d1: int 0x10
2018-12-25T11:48:44.43271666Z 53 PC: 14227 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:48:44.434923133Z 37 PC: 1423a | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:48:44.436353771Z 25 PC: 14240 | Get default drive
2018-12-25T11:48:44.438421973Z 61 PC: 1425a | Open file (Filename = 'A:\��������')
2018-12-25T11:48:44.446416814Z 71 PC: 14770 | Get current directory
2018-12-25T11:48:44.449440389Z 25 PC: 14774 | Get default drive
2018-12-25T11:48:44.451078424Z 47 PC: 142a4 | Get disk transfer address
2018-12-25T11:48:44.45233667Z 26 PC: 142b5 | Set disk transfer address
2018-12-25T11:48:44.453570643Z 78 PC: 142c4 | Find first file
2018-12-25T11:48:44.459991155Z 26 PC: 1430b | Set disk transfer address
2018-12-25T11:48:44.466048569Z 61 PC: 14351 | Open file (Filename = 'A:\TEST.EXE')
2018-12-25T11:48:44.471057579Z 63 PC: 14369 | Read file or device (Read 28 bytes on handle 5)
2018-12-25T11:48:44.475460051Z 66 PC: 14404 | Move file pointer
2018-12-25T11:48:44.479676765Z 64 PC: 14413 | Write file or device (Write 28 bytes on handle 5)
2018-12-25T11:48:44.484300654Z 66 PC: 1442b | Move file pointer
2018-12-25T11:48:44.485954758Z 72 PC: 1443b | Allocate memory
2018-12-25T11:48:44.491903106Z 44 PC: 14452 | Get time 0x14452: mov dl, dh
0x14454: sub dh, dh
0x14456: mov si, dx
0x14458: add si, 0x1aa
0x1445c: mov di, 0x15c
0x1445f: mov cx, 0xa
0x14462: rep movsb byte ptr es:[di], byte ptr [si]
0x14464: mov ax, word ptr cs:[0x113]
0x14468: mov ds, ax
0x1446a: mov di, 0
0x1446d: mov dx, 0x15c
0x14470: call 0x14a02
0x14473: mov di, 0x1de
0x14476: mov dx, 0x9c2
0x14479: call 0x14a02
0x1447c: push cs
0x1447d: pop ds
0x1447e: mov ah, 0x40
0x14480: mov bx, word ptr cs:[0x81]
0x14485: mov cx, word ptr cs:[0x53]
2018-12-25T11:48:44.494583043Z 64 PC: 14496 | Write file or device (Write 2537 bytes on handle 5)
2018-12-25T11:48:44.510441013Z 73 PC: 144a2 | Release memory
2018-12-25T11:48:44.513235356Z 87 PC: 144bc | Get or set file date and time
2018-12-25T11:48:44.515353849Z 62 PC: 144c5 | Close file
2018-12-25T11:48:44.52518865Z 67 PC: 144d5 | Get or set file attributes
2018-12-25T11:48:44.53803454Z 25 PC: 144e9 | Get default drive
2018-12-25T11:48:44.539968892Z 61 PC: 14503 | Open file (Filename = 'A:\��������')
2018-12-25T11:48:44.547260789Z 60 PC: 1450f | Create or truncate file
2018-12-25T11:48:44.560057013Z 64 PC: 14524 | Write file or device (Write 78 bytes on handle 5)
2018-12-25T11:48:44.56495024Z 62 PC: 1452d | Close file
2018-12-25T11:48:44.574361676Z 37 PC: 1453f | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:48:44.576928275Z 9 PC: 12aa9 | Display string (Could not find end pointer)
2018-12-25T11:48:44.584781607Z 76 PC: 12aae | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":17,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3238,"SideJobID":0}

.

GIF

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:48:44.708008712Z 42 PC: 147a1 | Get date 0x147a1: cmp dh, 6
0x147a4: je 0x147a9
0x147a6: jmp 0x149d2
0x147a9: cmp dl, 0x11
0x147ac: je 0x147b1
0x147ae: jmp 0x149d2
0x147b1: mov ah, 6
0x147b3: mov al, 0x19
0x147b5: mov bh, 7
0x147b7: mov ch, 0
0x147b9: mov cl, 0
0x147bb: mov dh, 0x18
0x147bd: mov dl, 0x4f
0x147bf: int 0x10
0x147c1: mov ah, 0xf
0x147c3: int 0x10
0x147c5: mov byte ptr cs:[0xfc], bh
0x147ca: mov ah, 3
0x147cc: mov bh, byte ptr cs:[0xfc]
0x147d1: int 0x10
2018-12-25T11:48:44.71204239Z 53 PC: 147e8 | Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:48:44.713308255Z 37 PC: 147fb | Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')