I've encountered something very strange, and things just don't add up. First of all, I posted this here because I'm not sure if this has anything to do with computer viruses at all. And if it does, could you please direct me to a place to find help?
So now:
I'm having some kind of weird problem here: both my antivirus and Malwarebytes flag code* compiled with MASM, and the MASM examples, as a virus. I've googled and found that this problem has occurred before, so I didn't take this too seriously and at first thought that it was a false positive.
But I compiled the code you see at the bottom of this post to test some other things of mine out. I ran it through OllyDbg (meanwhile ignoring my Comodo antivirus) and then I saw this:
00401000 > -E9 FBEF6F71 JMP 71B00000 ; this is a weird jump I did not put there
00401005 90 NOP
00401006 8BC0 MOV EAX,EAX
00401008 . 8BD8 MOV EBX,EAX
0040100A . 33D9 XOR EBX,ECX
0040100C . 8BC3 MOV EAX,EBX
0040100E . 03CB ADD ECX,EBX
00401010 . 33C3 XOR EAX,EBX
00401012 . 2BC1 SUB EAX,ECX
00401014 . 8BCB MOV ECX,EBX
00401016 . 33D9 XOR EBX,ECX
The code below couldn't possibly compile into that jump, so I was stepping into the code. A while later I saw that the strange code began enumerating through APIs in the ntdll.dll library. What's happening? If this is indeed a virus, where do I get help?
But I'm still not sure: both Comodo and Malwarebytes flag only the examples as viruses, but not the file (test.exe).
Test code I was using to test...
*:
include \masm32\include\masm32rt.inc

.data

.code
Start:
    nop                     ; six-byte NOP pad at the entry point
    nop
    nop
    nop
    nop
    nop
    mov eax, eax            ; register shuffling with no external effect
    mov ebx, eax
    xor ebx, ecx
    mov eax, ebx
    add ecx, ebx
    xor eax, ebx
    sub eax, ecx
    mov ecx, ebx
    xor ebx, ecx
    invoke ExitProcess, 0h  ; return exit code 0 to the OS
end Start
Update:
The code isn't on disk, but in memory, so it's probably a library of some sort doing this:
Disassembly
00401000 start:
00401000 90 nop
00401001 90 nop
00401002 90 nop
00401003 90 nop
00401004 90 nop
00401005 90 nop
And I've removed the invoke ExitProcess and it's still there.
Regarding the unexplained jump, a quick search on Google led to this thread on masm32.com, which seems to provide interesting information, and most notably:
"COMODO" Internet Security is the culprit.
It is modifying executables on the fly to implement a unique partial "sandbox".
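The two observations above (the update's "the code isn't on disk, but in memory" and the reply's "modifying executables on the fly") describe a classic inline hook at the entry point. The following Python script is an added example, not code from the original post or from any of the tools mentioned: it reconstructs how the debugger turns the bytes E9 FB EF 6F 71 into "JMP 71B00000" (E9 is a near JMP with a signed 32-bit displacement relative to the end of the instruction, so target = address + 5 + displacement), and it shows the check a defender would run when a debugger disagrees with the assembler: compare the entry-point bytes of the module on disk with the bytes mapped in memory. The two byte strings are constructed from the listings in this thread rather than read from a real process, so the script runs offline; a real check would read the first bytes at the entry point from the process and from the file's corresponding file offset.

```python
import struct

# Entry-point address as shown in the OllyDbg listing in the post.
ENTRY_POINT_VA = 0x00401000

# Constructed from the post: the linker's output is six NOPs followed by
# MOV EAX,EAX / MOV EBX,EAX (8B C0 / 8B D8), as in the "Disassembly" update.
ON_DISK = bytes.fromhex("90 90 90 90 90 90 8b c0 8b d8")

# Constructed from the post: what the debugger showed at run time, a 5-byte
# E9 rel32 jump overwriting the first five NOPs, the sixth NOP left intact.
IN_MEMORY = bytes.fromhex("e9 fb ef 6f 71 90 8b c0 8b d8")


def decode_rel32_jmp(code: bytes, va: int):
    """Return the absolute target if `code` starts with an E9 rel32 near JMP at `va`, else None.

    The displacement is little-endian and signed, and is relative to the address of the
    instruction that follows the 5-byte JMP, i.e. va + 5.
    """
    if len(code) < 5 or code[0] != 0xE9:
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + disp) & 0xFFFFFFFF


def find_patched_ranges(disk: bytes, memory: bytes, base_va: int):
    """Return [(start_va, end_va_exclusive), ...] for every run of bytes that differs
    between the on-disk image and the in-memory image starting at base_va."""
    ranges = []
    start = None
    for i, (d, m) in enumerate(zip(disk, memory)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            ranges.append((base_va + start, base_va + i))
            start = None
    if start is not None:
        ranges.append((base_va + start, base_va + min(len(disk), len(memory))))
    return ranges


def analyse_entry_point(disk: bytes, memory: bytes, va: int):
    """Summarise whether the entry point was patched in memory and where a leading JMP goes.

    A patched entry point whose JMP leaves the module's own image is exactly the
    symptom described in the thread: code that is not on disk runs before the program.
    """
    patched = find_patched_ranges(disk, memory, va)
    target = decode_rel32_jmp(memory, va)
    return {
        "patched": bool(patched),
        "patched_ranges": patched,
        "hook_target": target,
        "bytes_overwritten": sum(e - s for s, e in patched),
    }


if __name__ == "__main__":
    result = analyse_entry_point(ON_DISK, IN_MEMORY, ENTRY_POINT_VA)
    for s, e in result["patched_ranges"]:
        print(f"entry point patched in memory: {s:08X}-{e - 1:08X}")
    if result["hook_target"] is not None:
        print(f"leading JMP resolves to {result['hook_target']:08X}")
```

Two things worth noticing in the output: only five bytes differ, which is why the poster's six-NOP pad still shows one surviving NOP at 00401005 in the OllyDbg listing, and the jump target (71B00000) lies far outside the 00400000 image, so a simple "does the entry-point JMP leave the module" test flags the hook without any signature. The same disk-versus-memory comparison is the standard way to distinguish a run-time patch by security software from code that was actually linked into the file.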