Sample viewer

vx.netlux.org/Virus.DOS.Cascade.1704.s

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:44:40.13712247Z 48 PC: 14182 | Get DOS version
2018-12-17T22:44:40.142453931Z 75 PC: 14190 | Execute program
2018-12-17T22:44:40.145067102Z 53 PC: 141a9 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:44:40.146736425Z 80 PC: 14215 | Set current PSP
2018-12-17T22:44:40.149904562Z 37 PC: 12bdf | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:44:40.152021875Z 26 PC: 12be7 | Set disk transfer address
2018-12-17T22:44:40.153615481Z 42 PC: 12bee | Get date
0x12bee: cmp cx, 0x7c8
0x12bf2: ja 0x12c59
0x12bf4: je 0x12c20
0x12bf6: cmp cx, 0x7bc
0x12bfa: jne 0x12c59
0x12bfc: push ds
0x12bfd: mov ax, 0x3528
0x12c00: int 0x21
0x12c02: mov word ptr cs:[0x13b], bx
0x12c07: mov word ptr cs:[0x13d], es
0x12c0c: mov ax, 0x2528
0x12c0f: mov dx, 0x725
0x12c12: push cs
0x12c13: pop ds
0x12c14: int 0x21
0x12c16: pop ds
0x12c17: or byte ptr cs:[0x157], 8
0x12c1d: jmp 0x12c25
0x12c1f: nop
0x12c20: cmp dh, 0xa
2018-12-17T22:44:40.164255605Z 48 PC: 13223 | Get DOS version
2018-12-17T22:44:40.166029611Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-17T22:44:40.175552022Z 61 PC: 13477 | Open file (Filename = '')
2018-12-17T22:44:40.183094725Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-17T22:44:40.186570424Z 93 PC: 132e4 | File sharing functions
2018-12-17T22:44:40.188613826Z 9 PC: 132c3 | Display string (String= 'Size change=+06A8h/01704d. Virus might be activ? ')
2018-12-17T22:44:40.194310522Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1981,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8290,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:04:08.398767048Z 48 PC: 14182 | Get DOS version
2018-12-25T12:04:08.401189231Z 75 PC: 14190 | Execute program
2018-12-25T12:04:08.402958903Z 53 PC: 141a9 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:08.404400954Z 80 PC: 14215 | Set current PSP
2018-12-25T12:04:08.407511181Z 37 PC: 12bdf | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:08.408743959Z 26 PC: 12be7 | Set disk transfer address
2018-12-25T12:04:08.410420658Z 42 PC: 12bee | Get date
0x12bee: cmp cx, 0x7c8
0x12bf2: ja 0x12c59
0x12bf4: je 0x12c20
0x12bf6: cmp cx, 0x7bc
0x12bfa: jne 0x12c59
0x12bfc: push ds
0x12bfd: mov ax, 0x3528
0x12c00: int 0x21
0x12c02: mov word ptr cs:[0x13b], bx
0x12c07: mov word ptr cs:[0x13d], es
0x12c0c: mov ax, 0x2528
0x12c0f: mov dx, 0x725
0x12c12: push cs
0x12c13: pop ds
0x12c14: int 0x21
0x12c16: pop ds
0x12c17: or byte ptr cs:[0x157], 8
0x12c1d: jmp 0x12c25
0x12c1f: nop
0x12c20: cmp dh, 0xa
2018-12-25T12:04:08.413545755Z 48 PC: 13223 | Get DOS version
2018-12-25T12:04:08.416095493Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:04:08.434331277Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:04:08.441729998Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:04:08.446267274Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:04:08.448706403Z 9 PC: 132c3 | Display string (String= 'Size change=+06A8h/01704d. Virus might be activ? ')
2018-12-25T12:04:08.453653903Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1992,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8290,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:04:08.496497061Z 48 PC: 14182 | Get DOS version
2018-12-25T12:04:08.499026575Z 75 PC: 14190 | Execute program
2018-12-25T12:04:08.501117221Z 53 PC: 141a9 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:08.502637695Z 80 PC: 14215 | Set current PSP
2018-12-25T12:04:08.506015967Z 37 PC: 12bdf | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:08.523686712Z 26 PC: 12be7 | Set disk transfer address
2018-12-25T12:04:08.530498217Z 42 PC: 12bee | Get date
0x12bee: cmp cx, 0x7c8
0x12bf2: ja 0x12c59
0x12bf4: je 0x12c20
0x12bf6: cmp cx, 0x7bc
0x12bfa: jne 0x12c59
0x12bfc: push ds
0x12bfd: mov ax, 0x3528
0x12c00: int 0x21
0x12c02: mov word ptr cs:[0x13b], bx
0x12c07: mov word ptr cs:[0x13d], es
0x12c0c: mov ax, 0x2528
0x12c0f: mov dx, 0x725
0x12c12: push cs
0x12c13: pop ds
0x12c14: int 0x21
0x12c16: pop ds
0x12c17: or byte ptr cs:[0x157], 8
0x12c1d: jmp 0x12c25
0x12c1f: nop
0x12c20: cmp dh, 0xa
2018-12-25T12:04:08.532849734Z 48 PC: 13223 | Get DOS version
2018-12-25T12:04:08.542083864Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:04:08.554312476Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:04:08.562503276Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:04:08.566654298Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:04:08.568627686Z 9 PC: 132c3 | Display string (String= 'Size change=+06A8h/01704d. Virus might be activ? ')
2018-12-25T12:04:08.572804355Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":10,"Year":1992,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8290,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:04:08.632816898Z 48 PC: 14182 | Get DOS version
2018-12-25T12:04:08.635090402Z 75 PC: 14190 | Execute program
2018-12-25T12:04:08.636480598Z 53 PC: 141a9 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:08.637665989Z 80 PC: 14215 | Set current PSP
2018-12-25T12:04:08.640456973Z 37 PC: 12bdf | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:08.641527614Z 26 PC: 12be7 | Set disk transfer address
2018-12-25T12:04:08.642585602Z 42 PC: 12bee | Get date
0x12bee: cmp cx, 0x7c8
0x12bf2: ja 0x12c59
0x12bf4: je 0x12c20
0x12bf6: cmp cx, 0x7bc
0x12bfa: jne 0x12c59
0x12bfc: push ds
0x12bfd: mov ax, 0x3528
0x12c00: int 0x21
0x12c02: mov word ptr cs:[0x13b], bx
0x12c07: mov word ptr cs:[0x13d], es
0x12c0c: mov ax, 0x2528
0x12c0f: mov dx, 0x725
0x12c12: push cs
0x12c13: pop ds
0x12c14: int 0x21
0x12c16: pop ds
0x12c17: or byte ptr cs:[0x157], 8
0x12c1d: jmp 0x12c25
0x12c1f: nop
0x12c20: cmp dh, 0xa
2018-12-25T12:04:08.706747229Z 53 PC: 12c43 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:04:08.708069316Z 37 PC: 12c58 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:04:08.709504238Z 48 PC: 13223 | Get DOS version
2018-12-25T12:04:08.711845166Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:04:08.724068875Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:04:08.730460498Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:04:08.734285502Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:04:08.73687376Z 9 PC: 132c3 | Display string (String= 'Size change=+06A8h/01704d. Virus might be activ? ')
2018-12-25T12:04:08.740912136Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1993,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8290,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:04:09.485049219Z 48 PC: 14182 | Get DOS version
2018-12-25T12:04:09.488135961Z 75 PC: 14190 | Execute program
2018-12-25T12:04:09.489638107Z 53 PC: 141a9 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:09.491257209Z 80 PC: 14215 | Set current PSP
2018-12-25T12:04:09.494410643Z 37 PC: 12bdf | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:09.496404406Z 26 PC: 12be7 | Set disk transfer address
2018-12-25T12:04:09.498754855Z 42 PC: 12bee | Get date
0x12bee: cmp cx, 0x7c8
0x12bf2: ja 0x12c59
0x12bf4: je 0x12c20
0x12bf6: cmp cx, 0x7bc
0x12bfa: jne 0x12c59
0x12bfc: push ds
0x12bfd: mov ax, 0x3528
0x12c00: int 0x21
0x12c02: mov word ptr cs:[0x13b], bx
0x12c07: mov word ptr cs:[0x13d], es
0x12c0c: mov ax, 0x2528
0x12c0f: mov dx, 0x725
0x12c12: push cs
0x12c13: pop ds
0x12c14: int 0x21
0x12c16: pop ds
0x12c17: or byte ptr cs:[0x157], 8
0x12c1d: jmp 0x12c25
0x12c1f: nop
0x12c20: cmp dh, 0xa
2018-12-25T12:04:09.50106881Z 48 PC: 13223 | Get DOS version
2018-12-25T12:04:09.50285781Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:04:09.512064228Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:04:09.518548245Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:04:09.523240142Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:04:09.52508308Z 9 PC: 132c3 | Display string (String= 'Size change=+06A8h/01704d. Virus might be activ? ')
2018-12-25T12:04:09.529040135Z 76 PC: 132c9 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":8290,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:04:10.069489313Z 48 PC: 14182 | Get DOS version
2018-12-25T12:04:10.071280685Z 75 PC: 14190 | Execute program
2018-12-25T12:04:10.073295524Z 53 PC: 141a9 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:10.074560127Z 80 PC: 14215 | Set current PSP
2018-12-25T12:04:10.077340449Z 37 PC: 12bdf | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:04:10.079099133Z 26 PC: 12be7 | Set disk transfer address
2018-12-25T12:04:10.080681186Z 42 PC: 12bee | Get date
0x12bee: cmp cx, 0x7c8
0x12bf2: ja 0x12c59
0x12bf4: je 0x12c20
0x12bf6: cmp cx, 0x7bc
0x12bfa: jne 0x12c59
0x12bfc: push ds
0x12bfd: mov ax, 0x3528
0x12c00: int 0x21
0x12c02: mov word ptr cs:[0x13b], bx
0x12c07: mov word ptr cs:[0x13d], es
0x12c0c: mov ax, 0x2528
0x12c0f: mov dx, 0x725
0x12c12: push cs
0x12c13: pop ds
0x12c14: int 0x21
0x12c16: pop ds
0x12c17: or byte ptr cs:[0x157], 8
0x12c1d: jmp 0x12c25
0x12c1f: nop
0x12c20: cmp dh, 0xa
2018-12-25T12:04:10.08427316Z 53 PC: 12c02 | Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T12:04:10.085881178Z 37 PC: 12c16 | Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T12:04:10.164686018Z 53 PC: 12c43 | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:04:10.166388685Z 37 PC: 12c58 | Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:04:10.168427055Z 48 PC: 13223 | Get DOS version
2018-12-25T12:04:10.169857179Z 9 PC: 1323a | Display string (String= ' --=[ Selfchecking AntiStealth Goat COM/EXE file, 01/06/01 ]=------------------ (c) 1995-2001 by ROSE SWE, Dipl.-Ing. Ralph Roth - Version 1.18 - Freeware ')
2018-12-25T12:04:10.177182299Z 42 PC: 13074 | Get date
0x13074: cmp cx, 0x7c4
0x13078: jb 0x13087
0x1307a: ja 0x13081
0x1307c: cmp dh, 0xa
0x1307f: jb 0x13087
0x13081: and byte ptr cs:[0x157], 0xf7
0x13087: pop dx
0x13088: pop cx
0x13089: pop ax
0x1308a: ljmp ptr cs:[0x13b]
0x1308f: push es
0x13090: push bx
0x13091: mov ah, 0x48
0x13093: mov bx, 0x6b
0x13096: int 0x21
0x13098: pop bx
0x13099: jae 0x1309e
0x1309b: stc
0x1309c: pop es
0x1309d: ret
2018-12-25T12:04:10.187065135Z 42 PC: 13074 | Get date (See above)
2018-12-25T12:04:10.194525688Z 61 PC: 13477 | Open file (Filename = '')
2018-12-25T12:04:10.201928575Z 9 PC: 13248 | Display string (String= 'Self test: ')
2018-12-25T12:04:10.216761316Z 42 PC: 13074 | Get date (See above)
2018-12-25T12:04:10.220563185Z 93 PC: 132e4 | File sharing functions
2018-12-25T12:04:10.222683904Z 9 PC: 132c3 | Display string (String= 'Size change=+06A8h/01704d. Virus might be activ? ')
2018-12-25T12:04:10.228019929Z 76 PC: 132c9 | Terminate with return code (Return code = '1')