When installed, this malware drops a DLL in the system folder (C:\windows\system32\ms
Continuing the analysis from the previous part: if you follow the calls and jumps, there are a couple of interesting instructions.
00409FA2 B9 BE 80 FF 1F mov ecx, 1FFF80BEh
00409FA7 EB 41 jmp short loc_409FEA
00409FF6 C1 E1 02 shl ecx, 2 ; ECX is now 7FFE02F8
00409FF9 EB 67 jmp short loc_40A062
0040A062 0F B6 09 movzx ecx, byte ptr [ecx]
Hmmm... ECX is now 7FFE02F8, and the code reads the byte at that address back into the ECX register.
So what is 7FFE02F8 anyway? 7FFE0000 is KUSER_SHARED_DATA, a region of memory mapped into every process and also known as SharedUserData. 7FFE0000 + 2F8 is the TestRetInstruction field. In this malware I think it is mainly used for anti-debugging or anti-emulation purposes.
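The address derivation above (a constant loaded into ECX, then shifted so that it lands in SharedUserData) is easy to miss when reading a listing by hand. The following is an added example, not code from the original post: a small constant-propagation pass over Olly/IDA-style listing text that reports memory reads resolving into the 7FFE0000 page and names the field. The listing is reconstructed from the instructions quoted above, and the field-offset table is a short, assumed subset of the 32-bit KUSER_SHARED_DATA layout.

```python
import re

# Read-only user-mode mapping of KUSER_SHARED_DATA ("SharedUserData"), 32-bit Windows.
SHARED_USER_DATA = 0x7FFE0000
KUSER_FIELDS = {  # a few well-known offsets from the 32-bit layout (assumed subset)
    0x26C: "NtMajorVersion",
    0x2D4: "KdDebuggerEnabled",
    0x2EC: "SafeBootMode",
    0x2F8: "TestRetInstruction",
    0x320: "TickCount",
}

# Constructed listing reproducing the instruction sequence quoted above.
LISTING = """\
.00409FA2 B9 BE 80 FF 1F mov ecx, 1FFF80BEh
.00409FA7 EB 41 jmp short loc_409FEA
00409FF6 C1 E1 02 shl ecx, 2 ; ECX is now 7FFE02F8
00409FF9 EB 67 jmp short loc_40A062
0040A062 0F B6 09 movzx ecx, byte ptr [ecx]
"""
# address, optional opcode bytes, mnemonic, operands (Olly/IDA-style text)
LINE = re.compile(r"^\.?([0-9A-Fa-f]{8})(?:\s[0-9A-Fa-f]{2})*\s+(\w+)\s*(.*)$")
IMM = re.compile(r"^(?:[0-9A-Fa-f]+h|\d+)$")

def imm(tok):
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok)

def resolve_shared_data_reads(listing):
    """Propagate constants through mov/shl/add; return (insn addr, EA, field) for [reg] reads in SharedUserData."""
    regs, hits = {}, []
    for raw in listing.splitlines():
        m = LINE.match(raw.split(";")[0].strip())
        if not m:
            continue
        addr, op = m.group(1).upper(), m.group(2).lower()
        args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
        dst = args[0].lower() if args else None
        deref = re.search(r"\[(\w+)\]", args[-1]) if args else None
        if deref and deref.group(1).lower() in regs and op != "lea":
            off = regs[deref.group(1).lower()] - SHARED_USER_DATA  # value before this insn
            if 0 <= off < 0x1000:
                hits.append((addr, SHARED_USER_DATA + off, KUSER_FIELDS.get(off, f"+0x{off:X}")))
        if op == "mov" and len(args) == 2 and IMM.match(args[1]):
            regs[dst] = imm(args[1])  # register now holds a known constant
        elif op in ("shl", "add") and dst in regs and len(args) == 2 and IMM.match(args[1]):
            v = regs[dst] << imm(args[1]) if op == "shl" else regs[dst] + imm(args[1])
            regs[dst] = v & 0xFFFFFFFF
        elif dst in regs and op not in ("jmp", "cmp", "test", "push"):
            regs.pop(dst)  # destination overwritten with an unknown value
    return hits
```

Running it over LISTING reports the movzx at 0040A062 reading 7FFE02F8 (TestRetInstruction); the same pass flags the more common direct 7FFE02D4 (KdDebuggerEnabled) pattern.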
If you continue analyzing the sample in OllyDbg, Olly gets stuck at one point and is unable to debug any further. You need to carefully change the control flow at this point and continue the analysis from there.
I didn't have much time to unpack this malware, but since the packer uses the VirtualProtect API, you should be able to find the unpacking routine around that area.
Hope this analysis helps you fight the bad forces.