Sample viewer

vx.netlux.org/Virus.DOS.Christ.483

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:31:12.188250859Z	254	PC: 1384e \| UNKNOWN!
2018-12-17T22:31:12.189930676Z	53	PC: 1386e \| Get interrupt vector (Interrupt = '32' AKA 'Reserved')
2018-12-17T22:31:12.20258152Z	53	PC: 1387b \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:31:12.203659106Z	37	PC: 1389c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:31:12.20496023Z	37	PC: 138a2 \| Set interrupt vector (Interrupt = '80' AKA 'Set current PSP')
2018-12-17T22:31:12.206432648Z	42	PC: 138a9 \| Get date 0x138a9: cmp dx, 0x401 0x138ad: jne 0x138c1 0x138af: mov ah, 9 0x138b1: add si, 0x2b0 0x138b5: push si 0x138b6: pop dx 0x138b7: mov cx, 0x18 0x138ba: not byte ptr [si] 0x138bc: inc si 0x138bd: loop 0x138ba 0x138bf: int 0x21 0x138c1: pop si 0x138c2: cmp word ptr [si + 0x2a8], 0x100 0x138c8: jne 0x138d8 0x138ca: mov ax, word ptr [si + 0x2ac] 0x138ce: mov word ptr [0x100], ax 0x138d1: mov ax, word ptr [si + 0x2ae] 0x138d5: mov word ptr [0x102], ax 0x138d8: pop es 0x138d9: pop ds
2018-12-17T22:31:12.208649457Z	48	PC: 1369b \| Get DOS version
2018-12-17T22:31:12.210125273Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5570,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:54:53.29119148Z	254	PC: 1384e \| UNKNOWN!
2018-12-25T11:54:53.292466025Z	53	PC: 1386e \| Get interrupt vector (Interrupt = '32' AKA 'Reserved')
2018-12-25T11:54:53.295382589Z	53	PC: 1387b \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:53.298651308Z	37	PC: 1389c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:53.300973692Z	37	PC: 138a2 \| Set interrupt vector (Interrupt = '80' AKA 'Set current PSP')
2018-12-25T11:54:53.304004906Z	42	PC: 138a9 \| Get date 0x138a9: cmp dx, 0x401 0x138ad: jne 0x138c1 0x138af: mov ah, 9 0x138b1: add si, 0x2b0 0x138b5: push si 0x138b6: pop dx 0x138b7: mov cx, 0x18 0x138ba: not byte ptr [si] 0x138bc: inc si 0x138bd: loop 0x138ba 0x138bf: int 0x21 0x138c1: pop si 0x138c2: cmp word ptr [si + 0x2a8], 0x100 0x138c8: jne 0x138d8 0x138ca: mov ax, word ptr [si + 0x2ac] 0x138ce: mov word ptr [0x100], ax 0x138d1: mov ax, word ptr [si + 0x2ae] 0x138d5: mov word ptr [0x102], ax 0x138d8: pop es 0x138d9: pop ds
2018-12-25T11:54:53.307514879Z	48	PC: 1369b \| Get DOS version
2018-12-25T11:54:53.309534543Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')

{"DateBased":true,"Day":1,"Month":4,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5570,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:54:53.718577887Z	254	PC: 1384e \| UNKNOWN!
2018-12-25T11:54:53.719515696Z	53	PC: 1386e \| Get interrupt vector (Interrupt = '32' AKA 'Reserved')
2018-12-25T11:54:53.721677655Z	53	PC: 1387b \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:53.723059195Z	37	PC: 1389c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:53.724378787Z	37	PC: 138a2 \| Set interrupt vector (Interrupt = '80' AKA 'Set current PSP')
2018-12-25T11:54:53.72654403Z	42	PC: 138a9 \| Get date 0x138a9: cmp dx, 0x401 0x138ad: jne 0x138c1 0x138af: mov ah, 9 0x138b1: add si, 0x2b0 0x138b5: push si 0x138b6: pop dx 0x138b7: mov cx, 0x18 0x138ba: not byte ptr [si] 0x138bc: inc si 0x138bd: loop 0x138ba 0x138bf: int 0x21 0x138c1: pop si 0x138c2: cmp word ptr [si + 0x2a8], 0x100 0x138c8: jne 0x138d8 0x138ca: mov ax, word ptr [si + 0x2ac] 0x138ce: mov word ptr [0x100], ax 0x138d1: mov ax, word ptr [si + 0x2ae] 0x138d5: mov word ptr [0x102], ax 0x138d8: pop es 0x138d9: pop ds
2018-12-25T11:54:53.729531136Z	9	PC: 138c1 \| Display string (Could not find end pointer)
2018-12-25T11:54:53.733166048Z	48	PC: 1369b \| Get DOS version
2018-12-25T11:54:53.735468181Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5570,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:54:53.817543371Z	254	PC: 1384e \| UNKNOWN!
2018-12-25T11:54:53.819393192Z	53	PC: 1386e \| Get interrupt vector (Interrupt = '32' AKA 'Reserved')
2018-12-25T11:54:53.822029487Z	53	PC: 1387b \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:53.823836909Z	37	PC: 1389c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:53.827225246Z	37	PC: 138a2 \| Set interrupt vector (Interrupt = '80' AKA 'Set current PSP')
2018-12-25T11:54:53.829300057Z	42	PC: 138a9 \| Get date 0x138a9: cmp dx, 0x401 0x138ad: jne 0x138c1 0x138af: mov ah, 9 0x138b1: add si, 0x2b0 0x138b5: push si 0x138b6: pop dx 0x138b7: mov cx, 0x18 0x138ba: not byte ptr [si] 0x138bc: inc si 0x138bd: loop 0x138ba 0x138bf: int 0x21 0x138c1: pop si 0x138c2: cmp word ptr [si + 0x2a8], 0x100 0x138c8: jne 0x138d8 0x138ca: mov ax, word ptr [si + 0x2ac] 0x138ce: mov word ptr [0x100], ax 0x138d1: mov ax, word ptr [si + 0x2ae] 0x138d5: mov word ptr [0x102], ax 0x138d8: pop es 0x138d9: pop ds
2018-12-25T11:54:53.832180083Z	48	PC: 1369b \| Get DOS version
2018-12-25T11:54:53.833880047Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')

{"DateBased":true,"Day":1,"Month":4,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5570,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:54:54.136082356Z	254	PC: 1384e \| UNKNOWN!
2018-12-25T11:54:54.13758769Z	53	PC: 1386e \| Get interrupt vector (Interrupt = '32' AKA 'Reserved')
2018-12-25T11:54:54.138589854Z	53	PC: 1387b \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:54.139563476Z	37	PC: 1389c \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:54:54.140634354Z	37	PC: 138a2 \| Set interrupt vector (Interrupt = '80' AKA 'Set current PSP')
2018-12-25T11:54:54.141852229Z	42	PC: 138a9 \| Get date 0x138a9: cmp dx, 0x401 0x138ad: jne 0x138c1 0x138af: mov ah, 9 0x138b1: add si, 0x2b0 0x138b5: push si 0x138b6: pop dx 0x138b7: mov cx, 0x18 0x138ba: not byte ptr [si] 0x138bc: inc si 0x138bd: loop 0x138ba 0x138bf: int 0x21 0x138c1: pop si 0x138c2: cmp word ptr [si + 0x2a8], 0x100 0x138c8: jne 0x138d8 0x138ca: mov ax, word ptr [si + 0x2ac] 0x138ce: mov word ptr [0x100], ax 0x138d1: mov ax, word ptr [si + 0x2ae] 0x138d5: mov word ptr [0x102], ax 0x138d8: pop es 0x138d9: pop ds
2018-12-25T11:54:54.143417182Z	9	PC: 138c1 \| Display string (Could not find end pointer)
2018-12-25T11:54:54.145012448Z	48	PC: 1369b \| Get DOS version
2018-12-25T11:54:54.146388391Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')