Known status of different versions of dxmasf.dll:
Invulnerable: Size 427280 bytes. Time stamp 0x35ed5d3d. (From Finnish SP4
CD.)
Vulnerable: Size 498960 bytes. Time stamp 0x382cbe58. (From mpfull.exe
version 6.4. dunno more.)
Vulnerable: Size 525008 bytes. Time stamp 0x3a2ed2f1. (The patched version
that comes in wmqfe33955.exe.)
(Got the time stamps using File Viewer.)

Some nice analysis data is attached. These are in no way complete and even
some false information might appear here or there.

--8<------------------------Cut-here---------------------------8<-------------

Execution path of DXMASF.DLL (Time stamp 0x3a2ed2f1.) in detail follows.
This is the recently patched one.

1D3612BD : MSDXM!0x1D3197F0( 0x00298678, 0x0009e724, 0x002a015c ) {
	1D3197F0 :
	1D319843 : Kernel32!LoadLibraryA("dxmasf.dll")
	1D319858 : Kernel32!GetProcAddress("UtilLoadImage",0x11f00000,0)
	1D31987A : Kernel32!0x77F350A3(0,0,0x9e724,-1,0x6f13c,0x825,0,0)
	1D319895 : DXMASF!UtilLoadImage( ? )
		1FF26708 :
		1FF26731 : 1FF26A97()
		1FF2673C : 1FF26AA1()
			1FF26AA1 :
			1FF26AB5 : 1FF26C2A()
			1FF26ACC : Kernel32!0x77F1297C() 1FF010D8
			1FF26AD4 : 1FF3EFA6()
			1FF26AE0 : Kernel32!0x77F127E6() 1FF0108C
			1FF26AFE : 1FF3F3E8()
			1FF26B44 : 1FF3F2B4()
			1FF26B5C : 1FF3F260()
			1FF26BB5 : Wininet!0x702079AB() 1FF012F0
			1FF26BF3 : Kernel32!0x77F1297C() 1FF010D8
			1FF26BFB : 1FF3EFA6()
			1FF26C0C : Kernel32!0x77F127E6() 1FF0108C
			1FF26C19 : } <- Let the parties begin!
		1FF26741 :
	1D319898 :
1D3612C0 :

--8<------------------------Cut-here---------------------------8<-------------

Execution path of DXMASF.DLL (Time stamp 0x382cbe58.) in detail follows.

1D319895 : DXMASF!UtilLoadImage( ? ) {
	1FF26716 :
	1FF2674A : 1FF26AAF( x ) {
		1FF26ADA : Kernel32!0x77F1297C( x ) 1FF010D8
		1FF26AE2 : 1FF3EFB6()
		1FF26AEE : Kernel32!0x77F127E6() 1FF0108C
		1FF26B0C : 1FF3F3F8() (retrieve the string address at heap?)
		1FF26B3B : movs
		1FF26B52 : 1FF3F2C4:7801FAAD:fopen() (fails)
		1FF26B6A : 1FF3F270:780252FE:strrchr() (strip "C:\")
		1FF26BAC : movs
		1FF26BC3 : WININET!0x702079AB() 1FF012F0 (try if it's an URL?)
		1FF26BE8 : movs (copy back the stripped string)
		1FF26C01 : Kernel32!0x77F1297C() 1FF010D8
		1FF26C09 : 1FF3EFB6:780037CA:new()
		1FF26C1A : Kernel32!0x77F127E6() 1FF0108C
		1FF26C27 : } <- Let the parties begin!
	1FF2674F :
	}
1D319898 :

--8<------------------------Cut-here---------------------------8<-------------

Execution path of DXMASF.DLL (Time stamp 0x35ed5d3d.) in detail follows.
This is the SP4 one.

1D319895 : DXMASF!UtilLoadImage=1FF34CCD() {
	1FF34CF6 : 1FF3505C() (dummy init)
	1FF34D01 : 1FF35066( 0x0006F13C ) {
		1FF3507A : 1FF351BF()
		1FF35091 : Kernel32!0x77F1297C( 0x0006F13C ) 1FF010E8
		1FF35099 : 1FF368A6:780037CA:new( 0x178 ) 1FF011E8
		1FF350A5 : Kernel32!0x77F127E6( heapbuf(0x002A8C90), 0x0006F13C )1FF01080
{
			77F1282F : movs
			}
		1FF350AB :
		1FF350C4 : URLMON!0x702B7BC2( 0, 0x2A8C90, 0x6EFA0, 0x104 ) 1FF01328 {
			702B7BE0 : Kernel32!0x77F1297C() (strlen)
			702B7BF1 : URLMON!0x702B753C( 0x44 )
			702B7C15 : to_wide_char( 0, 0, 0x2A8FD0, -1, 0x6EDF0 ) 702712B8
			702B7C26 : OLE32!0x77B2122C( 0x208, 0x6EDF0 )
			702B7C44 : 702B77F8()
			702B7C65 : Kernel32!0x77F12AE7()
			702B7C72 : Kernel32!0x77F350A3()
			}
		1FF350EB : 1FF36D9E:7801FAAD:fopen( 0x6EFA0, 0x1FF057A0 )
		1FF350CF : 1FF368A0:78003C6E:delete( 0x2A8C90 ) 1FF011E0

	}
1D319898 :

--8<------------------------Cut-here---------------------------8<-------------