As observed, simply browsing the 2 poc files is not enough to make a dbgview report, and you have to either right- or left-click, reducing somewhat the threat, notably in the second event (why would one want to do that?)
I have added lnk and tmp files to the defense+ protected files list.
There are two ways to stop the malware (xp pro, cis v3, proactive, firewall custom, defense+ paranoid).
The first one is “generic” and not very realistic: you have to know before being attacked by the malware that, depending on whether you right-click or left-click the suckme file, it will be loaded either by explorer or rundll32, and you have of course no way to know that, next time, other executables might be involved if the malware doesn’t involve a specific dll.
If you set in defense+ explorer and rundll32 to ask for everything, you of course shall be warned of everything happening, including the malware loading.
But you shall have so many alerts that you might not see the “good one”, and it is moreover very uncomfortable.
Another way is quite as uncomfortable, at least temporarily, as it won’t ask any “normal” thing anymore once the learning process is achieved.
It is enough to set image execution in defense+ to aggressive.
In these last conditions, left- or right-clicking the suckme thing clearly warns you that rundll32 or explorer wants to execute dll.dll, and even before the end of the learning process, you have no reason to allow a dll with such a dubious name.
Note that either right- or left-clicking the dll.dll file of the poc doesn’t report anything (and of course, whatever left click is intercepted by the system, complaining it does not know how to open a dll file).
The turnabout is of course that it is very tedious and requires a very good knowledge of normal Windows processes.
Taken as examples, you need in these conditions to allow 6 or 7 permissions to run dbgview, more than 10 to run a randomly chosen link (registrar lite) or 15 to reach this forum from Firefox.