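1. Adds the following registry entry so that the virus starts automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Timer Service "%full path of the current virus file%"
2. Queries the registry entry SOFTWARE\Blizzard Entertainment\World of Warcraft\InstallPath to obtain the World of Warcraft installation path, then searches that path for a file named realmlist.wtf.
It checks whether the file contains any of the following strings to determine whether the account belongs to China server regions 1 to 6; if so, it steals the account: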
SET realmlist "cn1.grunt.wowchina.com"
SET realmlist "cn2.grunt.wowchina.com"
SET realmlist "cn3.grunt.wowchina.com"
SET realmlist "cn4.grunt.wowchina.com"
SET realmlist "cn5.grunt.wowchina.com"
SET realmlist "cn6.grunt.wowchina.com"
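
A defensive check for the autostart entry in step 1, as an added example that is not part of the original description: it parses the text of a `reg export` dump and reports the program registered under the Run value named Timer Service. The sample export and its paths are constructed, and the function names are hypothetical.

```python
import re

# Run key and value name taken from step 1 of the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "Timer Service"

# Constructed sample of `reg export` text; every path in it is invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Timer Service"="C:\\Users\\Public\\sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Timer Service"="C:\\not\\the\\run\\key.exe"
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string (REG_SZ) values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = _SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = _STRING_VALUE.match(line)
        if value and current is not None:
            current[_unescape(value.group(1))] = _unescape(value.group(2))
    return keys

def find_timer_service(text):
    """Return the program registered as 'Timer Service' under Run, or None."""
    for key, values in parse_reg_export(text).items():
        if key.lower() != RUN_KEY.lower():
            continue  # only the HKLM Run key from step 1 is of interest
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME.lower():
                return data
    return None
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `find_timer_service`.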