What is Win32.Troj.Mir.ch.52988?
Win32.Troj.Mir.ch.52988 virus information
Virus alias: N/A
Chinese name: N/A
Threat level: ★
Handling time: N/A
Virus type: Trojan
Affected systems: Win 9x/ME, Win 2000/NT, Win XP, Win 2003
Virus behaviour:
This is a trojan that steals the user's accounts for several online games!
1. Copies itself to the following files:
%WINDOWS%\WINLOGON.EXE
%WINDOWS%\explorer.com
%WINDOWS%\1.com
%WINDOWS%\ExERoute.exe
%WINDOWS%\Debug\DebugProgram.exe
%system%\rundll32.com
%system%\finder.com
%system%\command.pif
%system%\MSCONFIG.COM
%system%\dxdiag.com
%program Files%\Internet Explorer\iexplore.com
%program Files%\Common Files\iexplore.pif
2. Modifies the following registry entries to change file associations so that they point to the virus files:
HKCR\.lnk\ShellNew\command "rundll32.com appwiz.cpl,NewLinkHere %1"
HKCR\.bfc\shellnew\command "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
HKCR\cplfile\shell\cplopen\command\(Default) "rundll32.com shell32.dll,Control_RunDLL "%1",%*"
HKCR\htmlfile\shell\print\command\(Default) "rundll32.com %SystemRoot%\system32\mshtml.dll,PrintHTML "%1""
HKCR\inffile\shell\Install\command\(Default) "%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
HKCR\InternetShortcut\shell\open\command\(Default) "finder.com shdocvw.dll,OpenURL %l"
HKCR\scrfile\shell\install\command\(Default) "finder.com desk.cpl,InstallScreenSaver %l"
HKCR\scriptletfile\Shell\Generate Typelib\command\(Default) ""%system%\finder.com" %system%\scrobj.dll,GenerateTypeLib "%1""
HKCR\telnet\shell\open\command\(Default) "finder.com url.dll,TelnetProtocolHandler %l"
HKCR\Unknown\shell\openas\command\(Default) "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\(Default) "%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\(Default) "finder.com shdocvw.dll,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\(Default) "finder.com desk.cpl,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\(Default) "%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\(Default) ""%Program Files%\Internet Explorer\iexplore.com" -nohome"
HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations "No"
HKCR\Applications\iexplore.exe\shell\open\command\(Default) ""%Program Files%\Internet Explorer\iexplore.com" %1"
HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\(Default) ""%Program Files%\Internet Explorer\iexplore.com""
HKCR\ftp\shell\open\command\(Default) ""%Program Files%\Internet Explorer\iexplore.com" %1"
HKCR\htmlfile\shell\open\command\(Default) ""%Program Files%\Internet Explorer\iexplore.com" -nohome"
HKCR\htmlfile\shell\opennew\command\(Default) ""%Program Files%\Common Files\iexplore.pif" %1"
HKCR\http\shell\open\command\(Default) ""%Program Files%\Common Files\iexplore.pif" -nohome"
HKLM\SOFTWARE\Classes\http\shell\open\command\(Default) ""%Program Files%\Common Files\iexplore.pif" -nohome"
HKCR\Drive\shell\find\command\(Default) "%SystemRoot%\explorer.com"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe 1"
HKCR\winfiles\defaulticon\(Default) "%1"
HKCR\winfiles\shell\open\command\(Default) "%WINDOWS%\ExERoute.exe "%1" %*"
HKCR\.exe\(Default) "winfiles"
3. Adds the following startup item:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Torjan Program "%WINDOWS%\WINLOGON.EXE"
4. Terminates any process whose name matches one of the following patterns, and overwrites 20 bytes of that process's executable starting at file offset 284, so that the executable may fail the next time it is run:
RAVMON*
TROJDIE*
KPOP*
CCENTER*
*ASSISTSE*
KPFW*
AGENTSVR*
KV*
KREG*
IEFIND*
IPARMOR*
SVI.EXE
UPHC*
RULEWIZE*
FYGT*
RFWSRV*
MMSK*
5. Installs two message hooks to intercept keyboard and window messages.
6. When it detects the user running QQ, renames QQ's keyboard-protection file npkcrypt.vxd to qqpnpp.sys.
7. Steals the user's accounts for several online games, including 霸王大陆, 征途 (ZT Online), 魔兽世界 (World of Warcraft) and 传奇世界 (World of Legend), as well as QQ accounts, and sends them to the attacker who planted the trojan.
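As an added defender-side example (not code from the original entry or from shashadu.com), the PowerShell script below audits a Windows host for the artifacts steps 1 to 3 describe: the dropped executables, the rewritten shell\open\command handlers, the Winlogon Shell value and the "Torjan Program" Run value. File names, registry paths and value names are taken from the entry; the expected clean values it compares against ('exefile' for HKCR\.exe and 'Explorer.exe' for Winlogon\Shell) are assumptions based on standard Windows defaults, not something the entry states. The script only reads and reports; it changes nothing.

```powershell
# Added example, not part of the original entry: read-only audit for the
# persistence artifacts of Win32.Troj.Mir.ch.52988. Run from an elevated
# PowerShell so HKLM and the Windows directory are readable.

# File names the entry says the trojan drops (step 1).
$suspectNames = @('rundll32.com', 'finder.com', 'explorer.com', 'ExERoute.exe',
                  'iexplore.com', 'iexplore.pif', '1.com', 'command.pif',
                  'MSCONFIG.COM', 'dxdiag.com', 'DebugProgram.exe', 'WINLOGON.EXE')

# Full drop paths from step 1, expanded with this host's environment.
$dropPaths = @(
  "$env:WINDIR\WINLOGON.EXE", "$env:WINDIR\explorer.com", "$env:WINDIR\1.com",
  "$env:WINDIR\ExERoute.exe", "$env:WINDIR\Debug\DebugProgram.exe",
  "$env:WINDIR\system32\rundll32.com", "$env:WINDIR\system32\finder.com",
  "$env:WINDIR\system32\command.pif", "$env:WINDIR\system32\MSCONFIG.COM",
  "$env:WINDIR\system32\dxdiag.com",
  "$env:ProgramFiles\Internet Explorer\iexplore.com",
  "$env:CommonProgramFiles\iexplore.pif"
)

# Registry values rewritten in steps 2 and 3. Name '' means the (Default) value.
$regChecks = @(
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                                Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\winfiles\shell\open\command';         Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\htmlfile\shell\open\command';         Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command';      Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\http\shell\open\command';             Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\ftp\shell\open\command';              Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\Unknown\shell\openas\command';        Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\Drive\shell\find\command';            Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command';       Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\inffile\shell\Install\command';       Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command'; Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\scrfile\shell\install\command';       Name = '' },
  @{ Path = 'Registry::HKEY_CLASSES_ROOT\telnet\shell\open\command';           Name = '' },
  @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
  @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Torjan Program' },
  @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main';              Name = 'Check_Associations' }
)

function Get-RegValueSafe {
  param([string]$Path, [string]$Name)
  try {
    $item = Get-ItemProperty -Path $Path -ErrorAction Stop
    if ($Name -eq '') { return $item.'(default)' }
    return $item.$Name
  } catch {
    return $null   # key or value absent: nothing to report
  }
}

$findings = @()

foreach ($p in $dropPaths) {
  if (Test-Path -LiteralPath $p -PathType Leaf) {
    $findings += [pscustomobject]@{ Kind = 'file'; Where = $p; Data = ''; Reason = 'dropped file present' }
  }
}

foreach ($c in $regChecks) {
  $data = Get-RegValueSafe -Path $c.Path -Name $c.Name
  if ($null -eq $data) { continue }
  $data = [string]$data
  $reason = $null

  # Assumed clean defaults: .exe resolves to 'exefile', Winlogon\Shell is 'Explorer.exe'.
  if ($c.Path -like '*\.exe' -and $data -ne 'exefile')              { $reason = ".exe class is '$data', expected 'exefile'" }
  elseif ($c.Name -eq 'Shell' -and $data.Trim() -ne 'Explorer.exe') { $reason = "Winlogon Shell is '$data'" }
  elseif ($c.Name -eq 'Torjan Program')                             { $reason = 'Run value named in this entry exists' }
  elseif ($c.Name -eq 'Check_Associations' -and $data -eq 'No')      { $reason = 'IE association check disabled (weak signal on its own)' }
  else {
    # Any handler that names one of the dropped files instead of the real
    # rundll32.exe / explorer.exe / iexplore.exe is a hijacked association.
    $hit = $suspectNames | Where-Object { $data -like "*$_*" }
    if ($hit) { $reason = "handler references $($hit -join ', ')" }
  }

  if ($reason) {
    $findings += [pscustomobject]@{ Kind = 'registry'; Where = $c.Path; Data = "$($c.Name)=$data"; Reason = $reason }
  }
}

if ($findings.Count -eq 0) {
  Write-Output 'No artifacts from this entry found.'
} else {
  $findings | Format-Table -AutoSize
}
```

Two points worth keeping in mind when reading the output. The entry lists the same handlers under both HKCR and HKLM\SOFTWARE\Classes; HKCR is a merged view of the HKLM and HKCU class hives, so checking HKCR covers both. And Check_Associations set to "No" is something users also set deliberately, so on its own it is a weak indicator; the redirected .exe class and the extra "1" on the Winlogon Shell value are the strong ones.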
杀杀毒 (shashadu) virus information database 2007 www.shashadu.com
Contact QQ: 669044