Known status of different versions of dxmasf.dll:

Invulnerable: Size 427280 bytes. Time stamp 0x35ed5d3d. (From Finnish SP4 CD.)
Vulnerable:   Size 498960 bytes. Time stamp 0x382cbe58. (From mpfull.exe version 6.4. dunno more.)
Vulnerable:   Size 525008 bytes. Time stamp 0x3a2ed2f1. (The patched version that comes in wmqfe33955.exe.)

(Got the time stamps using File Viewer.)

Some nice analysis data is attached. These are in no way complete and even some false information might appear here or there.

--8<------------------------Cut-here---------------------------8<-------------
Execution path of DXMASF.DLL (Time stamp 0x3a2ed2f1.) in detail follows.
This is the recently patched one.

1D3612BD : MSDXM!0x1D3197F0( 0x00298678, 0x0009e724, 0x002a015c ) {
1D3197F0 :
1D319843 : Kernel32!LoadLibraryA("dxmasf.dll")
1D319858 : Kernel32!GetProcAddress("UtilLoadImage",0x11f00000,0)
1D31987A : Kernel32!0x77F350A3(0,0,0x9e724,-1,0x6f13c,0x825,0,0)
1D319895 : DXMASF!UtilLoadImage( ? )
1FF26708 :
1FF26731 : 1FF26A97()
1FF2673C : 1FF26AA1()
1FF26AA1 :
1FF26AB5 : 1FF26C2A()
1FF26ACC : Kernel32!0x77F1297C() 1FF010D8
1FF26AD4 : 1FF3EFA6()
1FF26AE0 : Kernel32!0x77F127E6() 1FF0108C
1FF26AFE : 1FF3F3E8()
1FF26B44 : 1FF3F2B4()
1FF26B5C : 1FF3F260()
1FF26BB5 : Wininet!0x702079AB() 1FF012F0
1FF26BF3 : Kernel32!0x77F1297C() 1FF010D8
1FF26BFB : 1FF3EFA6()
1FF26C0C : Kernel32!0x77F127E6() 1FF0108C
1FF26C19 : } <- Let the parties begin!
1FF26741 :
1D319898 :
1D3612C0 :

--8<------------------------Cut-here---------------------------8<-------------
Execution path of DXMASF.DLL (Time stamp 0x382cbe58.) in detail follows.

1D319895 : DXMASF!UtilLoadImage( ? ) {
1FF26716 :
1FF2674A : 1FF26AAF( x ) {
1FF26ADA : Kernel32!0x77F1297C( x ) 1FF010D8
1FF26AE2 : 1FF3EFB6()
1FF26AEE : Kernel32!0x77F127E6() 1FF0108C
1FF26B0C : 1FF3F3F8() (retrieve the string address at heap?)
1FF26B3B : movs
1FF26B52 : 1FF3F2C4:7801FAAD:fopen() (fails)
1FF26B6A : 1FF3F270:780252FE:strrchr() (strip "C:\")
1FF26BAC : movs
1FF26BC3 : WININET!0x702079AB() 1FF012F0 (try if it's an URL?)
1FF26BE8 : movs (copy back the stripped string)
1FF26C01 : Kernel32!0x77F1297C() 1FF010D8
1FF26C09 : 1FF3EFB6:780037CA:new()
1FF26C1A : Kernel32!0x77F127E6() 1FF0108C
1FF26C27 : } <- Let the parties begin!
1FF2674F : }
1D319898 :

--8<------------------------Cut-here---------------------------8<-------------
Execution path of DXMASF.DLL (Time stamp 0x35ed5d3d.) in detail follows.
This is the SP4 one.

1D319895 : DXMASF!UtilLoadImage=1FF34CCD() {
1FF34CF6 : 1FF3505C() (dummy init)
1FF34D01 : 1FF35066( 0x0006F13C ) {
1FF3507A : 1FF351BF()
1FF35091 : Kernel32!0x77F1297C( 0x0006F13C ) 1FF010E8
1FF35099 : 1FF368A6:780037CA:new( 0x178 ) 1FF011E8
1FF350A5 : Kernel32!0x77F127E6( heapbuf(0x002A8C90), 0x0006F13C )1FF01080 {
77F1282F : movs
}
1FF350AB :
1FF350C4 : URLMON!0x702B7BC2( 0, 0x2A8C90, 0x6EFA0, 0x104 ) 1FF01328 {
702B7BE0 : Kernel32!0x77F1297C() (strlen)
702B7BF1 : URLMON!0x702B753C( 0x44 )
702B7C15 : to_wide_char( 0, 0, 0x2A8FD0, -1, 0x6EDF0 ) 702712B8
702B7C26 : OLE32!0x77B2122C( 0x208, 0x6EDF0 )
702B7C44 : 702B77F8()
702B7C65 : Kernel32!0x77F12AE7()
702B7C72 : Kernel32!0x77F350A3()
}
1FF350EB : 1FF36D9E:7801FAAD:fopen( 0x6EFA0, 0x1FF057A0 )
1FF350CF : 1FF368A0:78003C6E:delete( 0x2A8C90 ) 1FF011E0
}
1D319898 :
--8<------------------------Cut-here---------------------------8<-------------
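
Added example, not part of the original post: a small checker that reads a file's size and PE header time stamp and matches them against the three dxmasf.dll builds listed at the top. It assumes the listed time stamps are the TimeDateStamp field of the PE file header; the function names and the zero-padded test images are constructed for illustration.

```python
import struct

# (size in bytes, time stamp) -> status, exactly as listed in the post above.
KNOWN_BUILDS = {
    (427280, 0x35ED5D3D): "invulnerable (Finnish SP4 CD)",
    (498960, 0x382CBE58): "vulnerable (mpfull.exe version 6.4)",
    (525008, 0x3A2ED2F1): "vulnerable (wmqfe33955.exe)",
}

def pe_timestamp(image: bytes) -> int:
    """Return the TimeDateStamp from the PE file header, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 12 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp

def classify(image: bytes) -> str:
    """Match size and time stamp together; either one alone is not enough."""
    stamp = pe_timestamp(image)
    status = KNOWN_BUILDS.get((len(image), stamp))
    if status:
        return status
    if any(stamp == known for _, known in KNOWN_BUILDS):
        return "unknown (time stamp matches a listed build, size does not)"
    return "unknown (not in the list)"

def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify(fh.read())

def constructed_image(size: int, stamp: int) -> bytes:
    """Constructed stand-in: valid MZ/PE headers, zero-padded to `size`."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x88, stamp)  # TimeDateStamp
    return bytes(buf)

if __name__ == "__main__":
    for size, stamp in KNOWN_BUILDS:
        print(f"{size:>7} 0x{stamp:08x} {classify(constructed_image(size, stamp))}")
```

Run `classify_file()` on the installed dxmasf.dll; a build that is not in the list is reported as unknown rather than guessed at.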