7.7 DDoS Analysis

2009-07-22 Team Crack 7.7 DDoS analysis

http://teamcrak.tistory.com/110


The July 2009 DDoS campaign began against major U.S. sites and then hit Korean public, government, and private-sector services from July 7 through July 10. The malware chain used Windows Installer (msiexec.exe) to download and run msiexec variants that dropped files such as wmiconf.dll, uregvs.nls, and vme.bat, then registered wmiconf.dll as the WmiConfig service so that it could perform HTTP GET flooding against the targets listed in uregvs.nls. Related components, including wmcfg.exe and mstimer.dll, supported spam-mail activity and downloaded flash.gif, which carried executable content used together with wversion.exe. When a date-based condition was met, wversion.exe encrypted many document-type files and then overwrote the local disks and the MBR with the string "Memory of the Independence Day", making recovery difficult. The analysis matters because it ties the DDoS operation to a multi-stage Windows malware workflow that combined service persistence, target-list updates, spam traffic, and destructive disk wiping.
