Troj/Rustock-C copies itself to the Temp folder with a TMP extension and creates a randomly named file SYS in the Windows system folder. The TMP file may be deleted after a reboot.
The SYS file is installed as a service with the same name as the file itself, excluding the SYS extension.
Copies of the SYS file may also be installed as <System>\glaide32.sys or <System>\null.sys. A copy may also be written over the legitimate file <System>\beep.sys.
The following registry modifications is made, in each case replacing the string "SystemRoot" with "fystemRoot":
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
ImagePath
%fystemRoot%\system32\svchost.exe -k netsvcs
HKLM\SYSTEM\CurrentControlSet\Services\BITS
ImagePath
%fystemRoot%\System32\svchost.exe -k netsvcs