病毒行为：
这是一个木马程序，该病毒会劫持LSP，注册BHO，下载文件，注入进程，并且会监控病毒本身的文件和注册表项，创建AutoRun.inf,并且会通过U盘传播，危害比较大.

1.生成文件：

%Windows%\java\java.dll
%Windows%\system32\%MS%HCopy.dkt
%Windows%\system32\kernel32.sys
%Windows%\system32\mfc48.dll

\RECYCLER\RECYCLER\autorun.exe

2.添加注册表:
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09} @ "Java Class"
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32 @ "C:\WINNT\java\java.dll"
HKCR\CLSID\{EDF0DC30-9393-49DE-9987-C1A4F080CB09}\InprocServer32 ThreadingModel "Apartment"

HKLM\SOFTWARE\Microsoft\Internet Explorer
GUID
DC
UT

3.修改注册表:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
原值:dword:00000001
dword:00000000

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
原值:"userinit.dll"
"kernel32.sys"

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\TcpIp_Protocol


4.设置互斥量:
"DKFSInitMutex"
5.创建事件:
“DKFSFileSpyIsRunEvent”

6.创建信号量:
DKFSRegDaemonSemaphore
DKFileSpySystemDaemonSemaphore
DKFSUsbFileTransferSemaphore
DKFSHDFileTransferSemaphore1
DKFSUSBFileCopySemaphore
DKFSHDFileCopySemaphore

7.结束进程
iparm.exe

8.连接网址
'61.128.197.212

9.注入进程:
explorer.exe
qq.exe
msmsgs.exe
kavstart.exe
svchost.exe
winlogon.exe
lsass.exe
smss.exe
alg.exe
inetinfo.exe
conime.exe
wuauclt.exe