Very much thanks for the binary !
The binary itself seems packed with UPX, but simply unpacking seems not to work - maybe it scans for a Debugger attached ?
But I've created a Procmon Log and so I could verify that the Virus replaces 'C:\windows\explorer.exe' and 'C:\windows\system32\dllcache\explorer.exe' with itself. The computer can be booted in Safe Mode (with Command Line - simple Windows Safe Mode loads explorer.exe and so fails) and you can start c:\windows\system32\restore\rstrui.exe to recover explorer.exe.
Looking a little bit closer at the procmon File reveals that the Virus safes explorer.exe.
It's simply copied to 'C:\windows\twexx32.dll'.
After creating twexx32.dll the Timestamp of it is changed to '14.04.2008 13:00:00'.
I think it's all clear on the attached screenshot.
The second File is Procmon Log.
I haven't analyzed the Logfile to the end, if someone want's to do so ...
It also seems that the Virus ist known as 'Trojan:Win32/Ransom.FL', see here:
[Register or log in to view the URL]
Thomas