Sample viewer

vx.netlux.org/Virus.DOS.Nostardamus.1870

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:26:49.518042477Z	53	PC: 136ff \| Get interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:26:49.519222365Z	42	PC: 1370b \| Get date 0x1370b: shl dh, 1 0x1370d: cmp dh, dl 0x1370f: jne 0x13753 0x13711: push ds 0x13712: mov ah, 0xcd 0x13714: xor ah, 0xde 0x13717: int 0x2f 0x13719: pop ds 0x1371a: pop si 0x1371b: push si 0x1371c: mov word ptr [si + 0x3ea], bx 0x13720: mov word ptr [si + 0x3ec], es 0x13724: xor ah, ah 0x13726: mov dl, 0xe4 0x13728: xor dl, 0x64 0x1372b: call 0x2368a 0x1372e: jb 0x13752 0x13730: mov cx, 1 0x13733: mov dx, 0xec59 0x13736: xor dx, 0xecd9
2018-12-17T22:26:49.520592887Z	240	PC: 1375a \| UNKNOWN!
2018-12-17T22:26:49.521294935Z	53	PC: 1330d \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:26:49.522565656Z	53	PC: 1331d \| Get interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-17T22:26:49.523338943Z	53	PC: 1332d \| Get interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:26:49.524044364Z	37	PC: 1333c \| Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:26:49.525095353Z	37	PC: 132a6 \| Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:26:49.526010927Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-17T22:26:49.529061958Z	48	PC: 12a8f \| Get DOS version
2018-12-17T22:26:49.52996869Z	53	PC: 9efa8 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:26:49.530992647Z	37	PC: 9efbe \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:26:49.531711948Z	51	PC: 9efe0 \| Get or set Ctrl-Break
2018-12-17T22:26:49.532426631Z	51	PC: 9efef \| Get or set Ctrl-Break
2018-12-17T22:26:49.533373057Z	67	PC: 9f045 \| Get or set file attributes
2018-12-17T22:26:49.536798112Z	67	PC: 9f05c \| Get or set file attributes
2018-12-17T22:26:49.548201888Z	61	PC: 9f06c \| Open file (Filename = 'A:\TEST.COM')
2018-12-17T22:26:49.552642159Z	87	PC: 9f078 \| Get or set file date and time
2018-12-17T22:26:49.553542166Z	63	PC: 9f0a2 \| Read file or device (Read 24 bytes on handle 5)
2018-12-17T22:26:49.555124619Z	66	PC: 9f0b1 \| Move file pointer
2018-12-17T22:26:49.558388671Z	64	PC: 9f3b7 \| Write file or device (Write 1870 bytes on handle 5)
2018-12-17T22:26:49.566718235Z	66	PC: 9f3c8 \| Move file pointer
2018-12-17T22:26:49.567978683Z	64	PC: 9f114 \| Write file or device (Write 5 bytes on handle 5)
2018-12-17T22:26:49.571167865Z	87	PC: 9f186 \| Get or set file date and time
2018-12-17T22:26:49.572490592Z	62	PC: 9f18f \| Close file
2018-12-17T22:26:49.580397872Z	67	PC: 9f19b \| Get or set file attributes
2018-12-17T22:26:49.591129833Z	51	PC: 9f1aa \| Get or set Ctrl-Break
2018-12-17T22:26:49.592705705Z	37	PC: 9f1bd \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:26:49.595273852Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T22:26:49.603508576Z	93	PC: 12afe \| File sharing functions
2018-12-17T22:26:49.606347838Z	9	PC: 12a86 \| Display string (String= 'Size change=0E9Ch/03740d. ')
2018-12-17T22:26:49.611053119Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":4758,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:52:48.085329044Z	53	PC: 136ff \| Get interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T11:52:48.087218691Z	42	PC: 1370b \| Get date 0x1370b: shl dh, 1 0x1370d: cmp dh, dl 0x1370f: jne 0x13753 0x13711: push ds 0x13712: mov ah, 0xcd 0x13714: xor ah, 0xde 0x13717: int 0x2f 0x13719: pop ds 0x1371a: pop si 0x1371b: push si 0x1371c: mov word ptr [si + 0x3ea], bx 0x13720: mov word ptr [si + 0x3ec], es 0x13724: xor ah, ah 0x13726: mov dl, 0xe4 0x13728: xor dl, 0x64 0x1372b: call 0x2368a 0x1372e: jb 0x13752 0x13730: mov cx, 1 0x13733: mov dx, 0xec59 0x13736: xor dx, 0xecd9
2018-12-25T11:52:48.09686361Z	240	PC: 1375a \| UNKNOWN!
2018-12-25T11:52:48.098107846Z	53	PC: 1330d \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:52:48.099617129Z	53	PC: 1331d \| Get interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-25T11:52:48.10129438Z	53	PC: 1332d \| Get interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T11:52:48.103068079Z	37	PC: 1333c \| Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T11:52:48.104492189Z	37	PC: 132a6 \| Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T11:52:48.106886535Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T11:52:48.113516167Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:52:48.115432227Z	53	PC: 9efa8 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:52:48.118462291Z	37	PC: 9efbe \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:52:48.120411131Z	51	PC: 9efe0 \| Get or set Ctrl-Break
2018-12-25T11:52:48.121657946Z	51	PC: 9efef \| Get or set Ctrl-Break
2018-12-25T11:52:48.123938231Z	67	PC: 9f045 \| Get or set file attributes
2018-12-25T11:52:48.130777645Z	67	PC: 9f05c \| Get or set file attributes
2018-12-25T11:52:48.148375323Z	61	PC: 9f06c \| Open file (Filename = 'A:\TEST.COM')
2018-12-25T11:52:48.159135629Z	87	PC: 9f078 \| Get or set file date and time
2018-12-25T11:52:48.161027481Z	63	PC: 9f0a2 \| Read file or device (Read 24 bytes on handle 5)
2018-12-25T11:52:48.164009268Z	66	PC: 9f0b1 \| Move file pointer
2018-12-25T11:52:48.172139848Z	64	PC: 9f3b7 \| Write file or device (Write 1870 bytes on handle 5)
2018-12-25T11:52:48.182995753Z	66	PC: 9f3c8 \| Move file pointer
2018-12-25T11:52:48.184598942Z	64	PC: 9f114 \| Write file or device (Write 5 bytes on handle 5)
2018-12-25T11:52:48.187795953Z	87	PC: 9f186 \| Get or set file date and time
2018-12-25T11:52:48.190050584Z	62	PC: 9f18f \| Close file
2018-12-25T11:52:48.207453768Z	67	PC: 9f19b \| Get or set file attributes
2018-12-25T11:52:48.218307553Z	51	PC: 9f1aa \| Get or set Ctrl-Break
2018-12-25T11:52:48.220339662Z	37	PC: 9f1bd \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:52:48.223464915Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:52:48.231588843Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:52:48.239000001Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:52:48.243987587Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":2,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":4758,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:52:48.453231257Z	53	PC: 136ff \| Get interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-25T11:52:48.454904823Z	42	PC: 1370b \| Get date 0x1370b: shl dh, 1 0x1370d: cmp dh, dl 0x1370f: jne 0x13753 0x13711: push ds 0x13712: mov ah, 0xcd 0x13714: xor ah, 0xde 0x13717: int 0x2f 0x13719: pop ds 0x1371a: pop si 0x1371b: push si 0x1371c: mov word ptr [si + 0x3ea], bx 0x13720: mov word ptr [si + 0x3ec], es 0x13724: xor ah, ah 0x13726: mov dl, 0xe4 0x13728: xor dl, 0x64 0x1372b: call 0x2368a 0x1372e: jb 0x13752 0x13730: mov cx, 1 0x13733: mov dx, 0xec59 0x13736: xor dx, 0xecd9