Isomorphic behaviors :

On XP:

Time : 00:05

No activity confirmed

Reboot

Relaod MAP

Reload Network Analyzer

No Scheduled taks were created or modified.

No activities on mutex processes or registries or files creation / modification

Reinjection of sample.

''NOTA : It seems that for few second, the sample stays on /WINDOWS/SYSTEM32 and is deleted after its injection on the system to be on active activities (only in RAM).''

On WIN2003:

The activity seems stabilized and proceed to infection and get external sites / Internal network each 2 hours.

No file were modified or created on the system, the infection is active in RAM