The file infector is a 2 part infection type. Each executable is infected with a piece of code that tryes to download from the address: http://www.365xinyu.com/... a file that actualy makes the infection. The infection creates the directory C:\windows\temp\ if it doesn't exist and copyes itself there and starts the execution.
It also copyes itself in C:\Windows\ as alg.exe and in C:\lsass.bbb. The file stores in at the position 0xDA the current generation of the infection.
It then creates the key:
HK_LM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsass that stores the path of the downloaded file to be executed at startup. This file is executed and infects all the executables from all accesible drives with the code that is responsable for the download.