Extracted the virus's instructions; it looks like it modifies several system files


新语丝 Reading Forum

Posted by: 方舟子 on 2007-08-06, 12:55:51:

* Decompressing UPX.
* Creating several executable files on hard-drive.
* File length: 91648 bytes.

[ changes to filesystem ]
* Deletes file C:\WINDOWS\TEMP\rundll32.exe.
* Deletes file C:\WINDOWS\svchost.exe.
* Deletes existing software modules.
* Creates file C:\WINDOWS\svchost.exe.
* Deletes file C:\WINDOWS\SYSTEM32\DirectX.exe.
* Creates file C:\WINDOWS\SYSTEM32\DirectX.exe.
* Deletes file C:\WINDOWS\SYSTEM32\N0TEPAD.exe.
* Creates file C:\WINDOWS\SYSTEM32\N0TEPAD.exe.
* Creates file C:\WINDOWS\SYSTEM32\a.bat.
* Deletes file c:\sample.exe.
* Creates file C:\WINDOWS\TEMP\rundll32.exe.
* Creates file C:\WINDOWS\TEMP\svchost.j
* Creates file C:\WINDOWS\TEMP\svchost.____.

[ changes to registry ]
* Creates value "DirectX"="C:\WINDOWS\SYSTEM32\DirectX.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Winset"="C:\WINDOWS\svchost.exe c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "default"="C:\WINDOWS\SYSTEM32\N0TEPAD.exe /n "%1"" in key "HKCR\txtfile\shell\open\command".
* Modifies value "Winset"="C:\WINDOWS\svchost.exe C:\WINDOWS\TEMP\rundll32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ process/window information ]
* Creates a mutex my lovely wood.
* Will automatically restart after boot (I'll be back...).
* Attempts to open C:\WINDOWS\TEMP\svchost.j NULL.
* Attempts to open C:\WINDOWS\TEMP\svchost.____ NULL.
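As an added example (not part of the original post, and not the sandbox's own code): a small Python script that parses the report above into indicators and flags the three tricks it reveals. The Run-key values make the dropped files start at every logon; the change to HKCR\txtfile\shell\open\command means every double-clicked .txt file launches N0TEPAD.exe (a digit zero standing in for the letter O, so it reads like notepad.exe); and svchost.exe in C:\WINDOWS plus rundll32.exe in C:\WINDOWS\TEMP sit outside the directory where the genuine binaries live. The directory table for genuine binaries (an XP-era layout) and the digit-for-letter substitution map are my assumptions, not something the report states.

```python
import re
import shlex
from pathlib import PureWindowsPath

# The sandbox output from the post above, with the <br /> tags stripped.
REPORT = r"""
* Decompressing UPX.
* Creating several executable files on hard-drive.
* File length: 91648 bytes.
[ changes to filesystem ]
* Deletes file C:\WINDOWS\TEMP\rundll32.exe.
* Deletes file C:\WINDOWS\svchost.exe.
* Deletes existing software modules.
* Creates file C:\WINDOWS\svchost.exe.
* Deletes file C:\WINDOWS\SYSTEM32\DirectX.exe.
* Creates file C:\WINDOWS\SYSTEM32\DirectX.exe.
* Deletes file C:\WINDOWS\SYSTEM32\N0TEPAD.exe.
* Creates file C:\WINDOWS\SYSTEM32\N0TEPAD.exe.
* Creates file C:\WINDOWS\SYSTEM32\a.bat.
* Deletes file c:\sample.exe.
* Creates file C:\WINDOWS\TEMP\rundll32.exe.
* Creates file C:\WINDOWS\TEMP\svchost.j
* Creates file C:\WINDOWS\TEMP\svchost.____.
[ changes to registry ]
* Creates value "DirectX"="C:\WINDOWS\SYSTEM32\DirectX.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Winset"="C:\WINDOWS\svchost.exe c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "default"="C:\WINDOWS\SYSTEM32\N0TEPAD.exe /n "%1"" in key "HKCR\txtfile\shell\open\command".
* Modifies value "Winset"="C:\WINDOWS\svchost.exe C:\WINDOWS\TEMP\rundll32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ process/window information ]
* Creates a mutex my lovely wood.
* Will automatically restart after boot (I'll be back...).
* Attempts to open C:\WINDOWS\TEMP\svchost.j NULL.
* Attempts to open C:\WINDOWS\TEMP\svchost.____ NULL.
"""

FILE_RE = re.compile(r'^\* (Creates|Deletes) file (.+?)\.?$')
VALUE_RE = re.compile(r'^\* (Creates|Modifies) value "(.+?)"="(.+)" in key "(.+?)"\.$')
MUTEX_RE = re.compile(r'^\* Creates a mutex (.+?)\.$')
HANDLER_RE = re.compile(r'^HKCR\\(\w+)\\shell\\open\\command$', re.IGNORECASE)

# Assumption (XP-era layout): where each genuine Windows binary normally lives.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "notepad.exe": {r"c:\windows", r"c:\windows\system32"},
}
# Assumed digit-for-letter substitutions that make a name imitate a genuine one (N0TEPAD -> notepad).
HOMOGLYPHS = str.maketrans("01", "ol")


def parse_report(text):
    """Split the report into (action, path), (action, name, data, key) and mutex-name records."""
    files, values, mutexes = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.append((m.group(1), m.group(2)))
            continue
        m = VALUE_RE.match(line)
        if m:
            files  # keep linters quiet about the fall-through
            values.append((m.group(1), m.group(2), m.group(3), m.group(4).rstrip("\\")))
            continue
        m = MUTEX_RE.match(line)
        if m:
            mutexes.append(m.group(1))
    return files, values, mutexes


def find_autoruns(values):
    """Registry values under a ...\CurrentVersion\Run key: each one runs at logon."""
    return [(key, name, data) for _, name, data, key in values
            if key.lower().endswith(r"\currentversion\run")]


def find_handler_hijacks(values):
    """HKCR\<type>\shell\open\command rewrites: the program now runs whenever that file type is opened."""
    hits = []
    for _, _, data, key in values:
        m = HANDLER_RE.match(key)
        if m:
            # Non-POSIX split keeps backslashes literal; first token is the program.
            program = shlex.split(data, posix=False)[0].strip('"')
            hits.append((m.group(1), program))
    return hits


def find_masquerades(files):
    """Created files that imitate a system binary by name or by sitting outside its normal directory."""
    hits = []
    for action, path in files:
        if action != "Creates":
            continue
        p = PureWindowsPath(path)
        name = p.name.lower()
        parent = str(p.parent).lower()
        canon = name.translate(HOMOGLYPHS)
        if canon != name and canon in EXPECTED_DIRS:
            hits.append((path, "lookalike of " + canon))
        elif name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            hits.append((path, name + " outside its normal directory"))
    return hits


def analyze(text):
    files, values, mutexes = parse_report(text)
    return {
        "files_created": [p for a, p in files if a == "Creates"],
        "autoruns": find_autoruns(values),
        "handler_hijacks": find_handler_hijacks(values),
        "masquerades": find_masquerades(files),
        "mutexes": mutexes,
    }


if __name__ == "__main__":
    for section, items in analyze(REPORT).items():
        print(section)
        for item in items:
            print("   ", item)
```

The mutex name ("my lovely wood") and the three file/registry findings are the artefacts worth keying a host check on: a logon script that enumerates the two Run keys, reads the default value of HKCR\txtfile\shell\open\command, and checks for svchost.exe or rundll32.exe anywhere other than System32 would catch a reinfection even if the dropper itself were repacked.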


