Sample viewer

vx.netlux.org/Virus.DOS.Gorb.4670

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:47:39.583832751Z 44 PC: 1330b | Get time
0x1330b: cmp dl, 0x10
0x1330e: jne 0x1337d
0x13310: call 0x139e5
0x13313: mov ax, 2
0x13316: int 0x10
0x13318: mov ah, 9
0x1331a: mov dx, 0xc50
0x1331d: int 0x21
0x1331f: mov ax, 0x200
0x13322: mov dx, 0x9999
0x13325: mov bx, 0
0x13328: int 0x10
0x1332a: mov cx, 2
0x1332d: xor dx, dx
0x1332f: mov ah, 0x86
0x13331: int 0x15
0x13333: call 0x13452
0x13336: mov ah, 0
0x13338: int 0x16
0x1333a: call 0x139e5
2018-12-17T22:47:39.586092529Z 250 PC: 1338e | UNKNOWN!
2018-12-17T22:47:39.586898994Z 53 PC: 1339b | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:47:39.588389365Z 53 PC: 133a8 | Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:47:39.590392804Z 53 PC: 133b5 | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:47:39.59253218Z 53 PC: 133c2 | Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:47:39.593790288Z 82 PC: 133db | Get DOS internal pointers (SYSVARS)
2018-12-17T22:47:39.595552196Z 37 PC: 1342e | Set interrupt vector (Interrupt = '102' AKA 'Get or set code page')
2018-12-17T22:47:39.59680083Z 37 PC: 13436 | Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:47:39.597925263Z 37 PC: 1343e | Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:47:39.599472399Z 37 PC: 13446 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:47:39.601063139Z 37 PC: 9d93f | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:47:39.60237471Z 9 PC: 12a86 | Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-17T22:47:39.608567978Z 48 PC: 12a8f | Get DOS version
2018-12-17T22:47:39.610134728Z 61 PC: 12b5c | Open file (Filename = '')
2018-12-17T22:47:39.617391436Z 93 PC: 12afe | File sharing functions
2018-12-17T22:47:39.619408269Z 9 PC: 12a86 | Display string (String= 'Size change=124Ah/04682d. ')
2018-12-17T22:47:39.624110186Z 76 PC: 12ae3 | Terminate with return code (Return code = '1')