Sample viewer

vx.netlux.org/Virus.DOS.Wanderer_M.1884

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:35:07.823579774Z	255	PC: 130f5 \| UNKNOWN!
2018-12-17T22:35:07.824506546Z	53	PC: 13100 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:35:07.826486605Z	240	PC: 1312f \| UNKNOWN!
2018-12-17T22:35:07.827873173Z	42	PC: 12fe5 \| Get date 0x12fe5: cmp cx, 0x7cb 0x12fe9: jne 0x12ff6 0x12feb: cmp dh, 4 0x12fee: jne 0x12ff6 0x12ff0: mov byte ptr cs:[0x74c], 1 0x12ff6: call 0x1313e 0x12ff9: nop 0x12ffa: mov word ptr cs:[0x721], es 0x12fff: nop 0x13000: mov word ptr cs:[0x725], es 0x13005: mov word ptr cs:[0x729], es 0x1300a: mov byte ptr cs:[0x805], 0 0x13010: mov cx, 0x807 0x13013: xor si, si 0x13015: push es 0x13016: pop ax 0x13017: add ax, 0x10 0x1301a: mov es, ax 0x1301c: nop 0x1301d: xor di, di
2018-12-17T22:35:07.831767572Z	74	PC: 1303d \| Reallocate memory
2018-12-17T22:35:07.833891358Z	75	PC: 13089 \| Execute program
2018-12-17T22:35:07.849744415Z	255	PC: 13a85 \| UNKNOWN!
2018-12-17T22:35:07.851131546Z	53	PC: 13a90 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:35:07.853586007Z	76	PC: 133d5 \| Terminate with return code (Return code = '0')
2018-12-17T22:35:07.857284805Z	73	PC: 12cbf \| Release memory
2018-12-17T22:35:07.859298198Z	44	PC: 13097 \| Get time 0x13097: cmp cl, 5 0x1309a: je 0x130a4 0x1309c: mov al, 0x31 0x1309e: mov dx, 0x91 0x130a1: call 0x22cb6 0x130a4: mov si, 0xe8 0x130a7: mov bx, 0x8f 0x130aa: int 9 0x130ac: cld 0x130ad: lodsb al, byte ptr [si] 0x130ae: or al, al 0x130b0: je 0x130c6 0x130b2: mov cx, 0x7b 0x130b5: loop 0x130b5 0x130b7: inc cx 0x130b8: cmp al, 0x10 0x130ba: jb 0x130c0 0x130bc: mov ah, 9 0x130be: int 0x10 0x130c0: mov ah, 0xe
2018-12-17T22:35:07.863439913Z	49	PC: 12cbf \| Terminate and stay resident (Return code = '44' \| Memory size = '145')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":6306,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:04.428468919Z	255	PC: 130f5 \| UNKNOWN!
2018-12-25T11:59:04.429736827Z	53	PC: 13100 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:04.430945164Z	240	PC: 1312f \| UNKNOWN!
2018-12-25T11:59:04.431766829Z	42	PC: 12fe5 \| Get date 0x12fe5: cmp cx, 0x7cb 0x12fe9: jne 0x12ff6 0x12feb: cmp dh, 4 0x12fee: jne 0x12ff6 0x12ff0: mov byte ptr cs:[0x74c], 1 0x12ff6: call 0x1313e 0x12ff9: nop 0x12ffa: mov word ptr cs:[0x721], es 0x12fff: nop 0x13000: mov word ptr cs:[0x725], es 0x13005: mov word ptr cs:[0x729], es 0x1300a: mov byte ptr cs:[0x805], 0 0x13010: mov cx, 0x807 0x13013: xor si, si 0x13015: push es 0x13016: pop ax 0x13017: add ax, 0x10 0x1301a: mov es, ax 0x1301c: nop 0x1301d: xor di, di
2018-12-25T11:59:04.434776295Z	74	PC: 1303d \| Reallocate memory
2018-12-25T11:59:04.436177945Z	75	PC: 13089 \| Execute program
2018-12-25T11:59:04.450028238Z	255	PC: 13a85 \| UNKNOWN!
2018-12-25T11:59:04.451622515Z	53	PC: 13a90 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:04.45416646Z	76	PC: 133d5 \| Terminate with return code (Return code = '0')
2018-12-25T11:59:04.457719428Z	73	PC: 12cbf \| Release memory
2018-12-25T11:59:04.466396885Z	44	PC: 13097 \| Get time 0x13097: cmp cl, 5 0x1309a: je 0x130a4 0x1309c: mov al, 0x31 0x1309e: mov dx, 0x91 0x130a1: call 0x22cb6 0x130a4: mov si, 0xe8 0x130a7: mov bx, 0x8f 0x130aa: int 9 0x130ac: cld 0x130ad: lodsb al, byte ptr [si] 0x130ae: or al, al 0x130b0: je 0x130c6 0x130b2: mov cx, 0x7b 0x130b5: loop 0x130b5 0x130b7: inc cx 0x130b8: cmp al, 0x10 0x130ba: jb 0x130c0 0x130bc: mov ah, 9 0x130be: int 0x10 0x130c0: mov ah, 0xe
2018-12-25T11:59:04.469675093Z	49	PC: 12cbf \| Terminate and stay resident (See above)

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":6306,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:05.350262324Z	255	PC: 130f5 \| UNKNOWN!
2018-12-25T11:59:05.352317301Z	53	PC: 13100 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:05.353449744Z	240	PC: 1312f \| UNKNOWN!
2018-12-25T11:59:05.355654751Z	42	PC: 12fe5 \| Get date 0x12fe5: cmp cx, 0x7cb 0x12fe9: jne 0x12ff6 0x12feb: cmp dh, 4 0x12fee: jne 0x12ff6 0x12ff0: mov byte ptr cs:[0x74c], 1 0x12ff6: call 0x1313e 0x12ff9: nop 0x12ffa: mov word ptr cs:[0x721], es 0x12fff: nop 0x13000: mov word ptr cs:[0x725], es 0x13005: mov word ptr cs:[0x729], es 0x1300a: mov byte ptr cs:[0x805], 0 0x13010: mov cx, 0x807 0x13013: xor si, si 0x13015: push es 0x13016: pop ax 0x13017: add ax, 0x10 0x1301a: mov es, ax 0x1301c: nop 0x1301d: xor di, di
2018-12-25T11:59:05.35991187Z	74	PC: 1303d \| Reallocate memory
2018-12-25T11:59:05.361574213Z	75	PC: 13089 \| Execute program
2018-12-25T11:59:05.375248272Z	255	PC: 13a85 \| UNKNOWN!
2018-12-25T11:59:05.378750801Z	53	PC: 13a90 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:05.380241804Z	76	PC: 133d5 \| Terminate with return code (Return code = '0')
2018-12-25T11:59:05.383943199Z	73	PC: 12cbf \| Release memory
2018-12-25T11:59:05.3920777Z	44	PC: 13097 \| Get time 0x13097: cmp cl, 5 0x1309a: je 0x130a4 0x1309c: mov al, 0x31 0x1309e: mov dx, 0x91 0x130a1: call 0x22cb6 0x130a4: mov si, 0xe8 0x130a7: mov bx, 0x8f 0x130aa: int 9 0x130ac: cld 0x130ad: lodsb al, byte ptr [si] 0x130ae: or al, al 0x130b0: je 0x130c6 0x130b2: mov cx, 0x7b 0x130b5: loop 0x130b5 0x130b7: inc cx 0x130b8: cmp al, 0x10 0x130ba: jb 0x130c0 0x130bc: mov ah, 9 0x130be: int 0x10 0x130c0: mov ah, 0xe
2018-12-25T11:59:05.394249536Z	49	PC: 12cbf \| Terminate and stay resident (See above)

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":5,"Second":0,"TimeBased":true,"OriginalID":6306,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:05.906132594Z	255	PC: 130f5 \| UNKNOWN!
2018-12-25T11:59:05.907480133Z	53	PC: 13100 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:05.908637812Z	240	PC: 1312f \| UNKNOWN!
2018-12-25T11:59:05.909396784Z	42	PC: 12fe5 \| Get date 0x12fe5: cmp cx, 0x7cb 0x12fe9: jne 0x12ff6 0x12feb: cmp dh, 4 0x12fee: jne 0x12ff6 0x12ff0: mov byte ptr cs:[0x74c], 1 0x12ff6: call 0x1313e 0x12ff9: nop 0x12ffa: mov word ptr cs:[0x721], es 0x12fff: nop 0x13000: mov word ptr cs:[0x725], es 0x13005: mov word ptr cs:[0x729], es 0x1300a: mov byte ptr cs:[0x805], 0 0x13010: mov cx, 0x807 0x13013: xor si, si 0x13015: push es 0x13016: pop ax 0x13017: add ax, 0x10 0x1301a: mov es, ax 0x1301c: nop 0x1301d: xor di, di
2018-12-25T11:59:05.912901866Z	74	PC: 1303d \| Reallocate memory
2018-12-25T11:59:05.914260751Z	75	PC: 13089 \| Execute program
2018-12-25T11:59:05.924512876Z	255	PC: 13a85 \| UNKNOWN!
2018-12-25T11:59:05.925736392Z	53	PC: 13a90 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:05.926781302Z	76	PC: 133d5 \| Terminate with return code (Return code = '0')
2018-12-25T11:59:05.92873423Z	73	PC: 12cbf \| Release memory
2018-12-25T11:59:05.929933359Z	44	PC: 13097 \| Get time 0x13097: cmp cl, 5 0x1309a: je 0x130a4 0x1309c: mov al, 0x31 0x1309e: mov dx, 0x91 0x130a1: call 0x22cb6 0x130a4: mov si, 0xe8 0x130a7: mov bx, 0x8f 0x130aa: int 9 0x130ac: cld 0x130ad: lodsb al, byte ptr [si] 0x130ae: or al, al 0x130b0: je 0x130c6 0x130b2: mov cx, 0x7b 0x130b5: loop 0x130b5 0x130b7: inc cx 0x130b8: cmp al, 0x10 0x130ba: jb 0x130c0 0x130bc: mov ah, 9 0x130be: int 0x10 0x130c0: mov ah, 0xe

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":5,"Second":0,"TimeBased":true,"OriginalID":6306,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:06.584136509Z	255	PC: 130f5 \| UNKNOWN!
2018-12-25T11:59:06.585117242Z	53	PC: 13100 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:06.587026752Z	240	PC: 1312f \| UNKNOWN!
2018-12-25T11:59:06.587916107Z	42	PC: 12fe5 \| Get date 0x12fe5: cmp cx, 0x7cb 0x12fe9: jne 0x12ff6 0x12feb: cmp dh, 4 0x12fee: jne 0x12ff6 0x12ff0: mov byte ptr cs:[0x74c], 1 0x12ff6: call 0x1313e 0x12ff9: nop 0x12ffa: mov word ptr cs:[0x721], es 0x12fff: nop 0x13000: mov word ptr cs:[0x725], es 0x13005: mov word ptr cs:[0x729], es 0x1300a: mov byte ptr cs:[0x805], 0 0x13010: mov cx, 0x807 0x13013: xor si, si 0x13015: push es 0x13016: pop ax 0x13017: add ax, 0x10 0x1301a: mov es, ax 0x1301c: nop 0x1301d: xor di, di
2018-12-25T11:59:06.591448207Z	74	PC: 1303d \| Reallocate memory
2018-12-25T11:59:06.593554023Z	75	PC: 13089 \| Execute program
2018-12-25T11:59:06.612889068Z	255	PC: 13a85 \| UNKNOWN!
2018-12-25T11:59:06.613749212Z	53	PC: 13a90 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:59:06.623478901Z	76	PC: 133d5 \| Terminate with return code (Return code = '0')
2018-12-25T11:59:06.625590514Z	73	PC: 12cbf \| Release memory
2018-12-25T11:59:06.626694024Z	44	PC: 13097 \| Get time 0x13097: cmp cl, 5 0x1309a: je 0x130a4 0x1309c: mov al, 0x31 0x1309e: mov dx, 0x91 0x130a1: call 0x22cb6 0x130a4: mov si, 0xe8 0x130a7: mov bx, 0x8f 0x130aa: int 9 0x130ac: cld 0x130ad: lodsb al, byte ptr [si] 0x130ae: or al, al 0x130b0: je 0x130c6 0x130b2: mov cx, 0x7b 0x130b5: loop 0x130b5 0x130b7: inc cx 0x130b8: cmp al, 0x10 0x130ba: jb 0x130c0 0x130bc: mov ah, 9 0x130be: int 0x10 0x130c0: mov ah, 0xe