Hoping that someone may provide the missing info of Barrotes variants that still have not been triggered yet...
I have not studied DOS opcodes much, so I do not know the meaning of most of them, but at least I learned something useful from the Barrotes.1463 virus, which fails to activate due to a programming error: since it compares the current day of the month with a value of 22h (34d), it is impossible to trigger, right?
This value follows a pair of codes "80 FA". I checked the meaning of "80": it refers to a comparison statement, while "FA" refers to the date or something similar.
While inspecting a sample of Barrotes.840, I found "81 FA" instead of "80 FA", with data "05 01". This pair of codes checks the day and month. I used the same method to find the activation day of new (but NOT encrypted) samples that I received: a Barrotes variant, "Piolin", has the pair of values "08 0A", so I discovered that it activates on October 8th. Many pages did not have such a description or just said that "the activation condition is unknown".
I made an important update to some variants on the Barrotes page after I found that many of the variants still described as "do not manifest", regarding the day of activation and what they would do, actually would activate on other days. My final goal is to find out the activation condition of all the listed variants.
However, this is not a magic wand: not every sample that contains such code pairs may activate the virus. The following are the variants that I still cannot trigger.
Barrotes.1127 and 1292:
For this variant, unless I have the source code, a virus analyzer that can list all the condition statements in the binary (I would give BIG thanks if someone could recommend one), or even a way to perform white-box testing, its payload will never be revealed due to the lack of outside info.
80 FD 0C
The virus may activate and play tunes when the value of register FD is equal to 0Ch (12d), but...what does FD refer to?
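
For reference, in x86 machine code the byte after 80 or 81 is a ModRM byte that selects the operation and the register. The following added example (not part of the original post) decodes the `80 /7 ib` and `81 /7 iw` forms of CMP and runs on the four byte sequences quoted above. The buffer is constructed and the function names are hypothetical.

```python
# ModRM r/m-field register names for 16-bit real-mode code (mod = 11b).
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]

def decode_cmp_imm(code, off=0):
    """Decode 80 /7 ib (CMP r8, imm8) or 81 /7 iw (CMP r16, imm16) at off.

    Returns (register, immediate, length), or None when the bytes are not
    a register-direct CMP with an immediate operand.
    """
    if off + 3 > len(code) or code[off] not in (0x80, 0x81):
        return None
    modrm = code[off + 1]
    mod, op, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b11 or op != 7:          # /7 selects CMP in the 80/81 group
        return None
    if code[off] == 0x80:
        return REG8[rm], code[off + 2], 3
    if off + 4 > len(code):
        return None
    imm = code[off + 2] | (code[off + 3] << 8)   # imm16 is little-endian
    return REG16[rm], imm, 4

def find_compares(code):
    """Return (offset, register, immediate) for every offset that decodes.

    This is a raw byte scan, so data bytes can produce false matches.
    """
    hits = []
    for off in range(len(code)):
        decoded = decode_cmp_imm(code, off)
        if decoded:
            hits.append((off, decoded[0], decoded[1]))
    return hits

def describe(reg, imm):
    """Render a hit; 16-bit immediates also show their high and low bytes."""
    if reg in REG16:
        return f"CMP {reg}, {imm:04X}h (high byte {imm >> 8}, low byte {imm & 0xFF})"
    return f"CMP {reg}, {imm:02X}h"

# Constructed buffer: the four byte sequences quoted in the post, NOP-padded.
SAMPLE = bytes.fromhex("90 80FA22 90 81FA0501 90 81FA080A 90 80FD0C 90")

if __name__ == "__main__":
    for off, reg, imm in find_compares(SAMPLE):
        print(f"{off:04X}: {describe(reg, imm)}")
```

DOS INT 21h function 2Ah returns the year in CX, the month in DH and the day in DL, while function 2Ch returns the hour in CH, the minutes in CL and the seconds in DH. Which call, if any, precedes a given compare in a sample has to be confirmed in the disassembly.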