Full Disclosure mailing list archives
ZIP Attachment
From: Byron Copeland <nodialtone () comcast net>
Date: 17 Sep 2004 17:49:04 -0400
All,

Just got an attachment in this afternoon. The zipped file contains 3 files:

1. foto.jpeg
2. foto.html
3. expander.exe

that will extract to its own foto directory when clicked on. Also, when clicked on, the foto (not bad :) ) will be shown while the file expander.exe is being installed.

Here is the result:

expander.exe places itself in the C:\winnt directory as hidden.

2 Keys are added to the registry:

1. HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run SVCHOST value=c:\winnt\expander.exe
2. HKEY_USERS\5-1-5-21-579898441-688789844-1957994488-500\software\microsoft\windows\currentversion\run SVCHOST value=c:\winnt\expander.exe

It does install and run as a service. It doesn't seem to have any listeners running.

I've looked on McAfee and Symantec sites for this one, doesn't seem to be there. Anyone have an idea of what this is? I'd appreciate any feedback. If anyone wants this attachment, let me know.

Thanks

-b

--
Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger", "mount", "split", "unmount", "sleep".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
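Added example, not part of the original post: a Python check for the persistence pattern reported above, a Run value named after a Windows system process (SVCHOST) that starts a different executable. The shortlist of process names, the function names and the sample export (apart from the SVCHOST value quoted from the post) are assumptions made for this example.

```python
import re
import ntpath

# Core process names that legitimately live only in system32 (assumed shortlist).
SYSTEM_NAMES = {"svchost", "lsass", "services", "csrss", "winlogon", "smss"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    """Undo the backslash escaping used in .reg string values."""
    return re.sub(r"\\(.)", r"\1", text)

def image_path(command):
    """Return the executable part of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)\b", command)
    return m.group(1) if m else command

def find_masquerading_run_values(reg_text):
    """Flag Run values named after a system process that start something else."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := VAL_RE.match(line)) and key and key.lower().endswith(RUN_SUFFIX):
            name, image = unescape(m.group(1)), image_path(unescape(m.group(2)))
            stem = ntpath.splitext(ntpath.basename(image))[0].lower()
            folder = ntpath.basename(ntpath.dirname(image)).lower()
            claimed = ntpath.splitext(name)[0].lower()
            if claimed in SYSTEM_NAMES and (stem != claimed or folder != "system32"):
                findings.append((key, name, image))
    return findings

# Constructed regedit export: the SVCHOST value is the one reported in the post,
# the other entries are made up for contrast.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST"="c:\\winnt\\expander.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Example]
"svchost"="c:\\temp\\other.exe"
'''

if __name__ == "__main__":
    for key, name, image in find_masquerading_run_values(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {image} under {key}")
```

The check reads a regedit text export, so it can be run against an export taken from a suspect machine without touching the live registry.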