病毒行为：
这是个盗取用户QQ帐号的木马！

1、将自身复制为：
%WINDOWS%\Help\wshmcepts.chm
%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dat

2、释放文件：
%Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll

3、每个三秒就添加以下注册表项来自启动：
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2} ""
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\(Default) ""
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\InProcServer32\(Default) "%\Program Files%\Common Files\Microsoft Shared\MSINFO\F80D61C2.dll"
HKCR\CLSID\{D61CF80D-F80D-61C2-0D61-80D1C80D61C2}\InProcServer32\ThreadingModel "Apartment"

4、尝试禁用以下与安全软件相关的服务：
navapsvc、RsRavMon、RsRavMon、kavsvc、KVWSC、KVSrvXP、wscsvc、KPfwSvc、KWatchSvc、SNDSrvc、ccProxy、ccEvtMgr、ccSetMgr、SPBBCSvc、
Symantec Core LC、NPFMntor、MskService、FireSvc、McShield、McTaskManager、McAfeeFramework、RfwService、SKNFW、SkyProcs、AVP

5、尝试删除以下与安全软件相关的注册表项：
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTimer
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RavTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KAVRun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KpopMon
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Kulansyn
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ccApp
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKAGENTEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\MSKDetectorExe
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavStart
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\RfwMain
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SonudMan
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvPpWall_autorun
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\SKYNET Personal FireWall
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Jiangmin KVFW
HKLM\SoftWare\Microsoft\Windows\CurrentVersion\Run\Rapdateiyr
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\iDuba Personal FireWall
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KavPFW
HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\KvXP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe

6、尝试卸载以下安全软件：
KV2006
KVFW
rising
KINGSOFT\ANTIVIRUS
Kaspersky Anti-Virus Personal
rising\Rfw
绿鹰PC万能精灵
VIRUSCAN8000

7、检测用户计算机上是否安装还原精灵，如果发现安装则进行还原精灵转存使还原精灵失效。

8、创建消息钩子。

9、当检测到QQ运行时将以下文件的后缀改为.bak: QQLiveUpdate.exe、npkcrypt.sys、BDLiveUpdate.exe。

10、查找QQ登陆窗口，获取用户帐号信息后发送到指定网站和邮箱。