Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Infected compiler, or malfunction?

I've encountered something very strange, and things just don't add up. First of all, I posted this here because I'm not sure if this has anything to do with computer virusses at all. And if it does, could you please direct me to a place to find help?

So now:

I'm having some kind of weird problem here, both my anti virus and malwarebytes flag code* compiled with masm and masm examples as a virus. I've googled and found that this problem has occured before so I didn't take this too seriously and at first thought that it was a false-positive.

But I compiled the code you see on the bottom of this post to test some other things of mine out. And I ran it through ollydbg (meanwhile ignoring my comodo anti-virus) and then I saw this:

00401000 >  -E9 FBEF6F71    JMP 71B00000  ; this is a weird jump I did not put there
00401005     90             NOP
00401006     8BC0           MOV EAX,EAX
00401008   . 8BD8           MOV EBX,EAX
0040100A   . 33D9           XOR EBX,ECX
0040100C   . 8BC3           MOV EAX,EBX
0040100E   . 03CB           ADD ECX,EBX
00401010   . 33C3           XOR EAX,EBX
00401012   . 2BC1           SUB EAX,ECX
00401014   . 8BCB           MOV ECX,EBX
00401016   . 33D9           XOR EBX,ECX

The code below couldn't possibly compile into that jump, so I was stepping in to the code. And a while later I saw that the strange code began enumerating through api's in the ntdll.dll library. What's happening? If this is indeed a virus where to get help?

But I'm still not sure, both comodo and malwarebytes flagg only the examples as viruses, but not the file (test.exe) as a virus

Test code I was using to test...

*: include \masm32\include\masm32rt.inc

.data

.code

Start:

nop
nop
nop
nop
nop
nop

mov eax, eax
mov ebx, eax
xor ebx, ecx
mov eax, ebx
add ecx, ebx
xor eax, ebx
sub eax, ecx
mov ecx, ebx
xor ebx, ecx

invoke ExitProcess, 0h


end Start

Update:

The code isn't on disk, but in memory, so it's probably a library of some sort doing this:

Disassembly

00401000                    start:
00401000 90                     nop
00401001 90                     nop
00401002 90                     nop
00401003 90                     nop
00401004 90                     nop
00401005 90                     nop

And I've removed the invoke exit process and it's still there

like image 221
Rick Avatar asked Jan 09 '11 19:01

Rick


1 Answers

Regarding the unexplained jump, a quick search on google lead to this thread on masm32.com which seem to provide interesting information, and most notably :

"COMODO" Internet Security is the culprit.
It is modifying executables on the fly to implement a unique partial "sanbox".

like image 148
icecrime Avatar answered Dec 11 '22 10:12

icecrime