Full Disclosure mailing list archives

ZIP Attachment


From: Byron Copeland <nodialtone () comcast net>
Date: 17 Sep 2004 17:49:04 -0400

All,

Just got an attachment in this afternoon.  The zipped file contains 3
files:

1. foto.jpeg
2. foto.html
3. expander.exe

that will extract to its own foto directory when clicked on.  Also, when
clicked on, the foto (not bad :) ) will be shown while the file
expander.exe is being installed.


Here is the result:

expander.exe places itself in the C:\winnt directory as hidden.

2 Keys are added to the registry:

1. HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
        SVCHOST value=c:\winnt\expander.exe

2. HKEY_USERS\5-1-5-21-579898441-688789844-1957994488-500\software\microsoft\windows\currentversion\run

        SVCHOST value=c:\winnt\expander.exe

It does install and run as a service.

It doesn't seem to have any listeners running.

I've looked on McAfee and Symantec sites for this one, doesn't seem to be
there.

Anyone have an idea of what this is?  I'd appreciate any feedback.

If anyone wants this attachment, let me know.

Thanks
-b

-- 

-- Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger", 
"mount", "split", "unmount", "sleep".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
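
A defender's check for the persistence pattern reported in the message above (a Run value named SVCHOST that starts c:\winnt\expander.exe), as an added example that is not part of the original post. It audits regedit export text; the sample export, the placeholder SID, the Updater/lsass.exe entry, the function name and the list of process names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Core Windows processes whose real binaries live in %SystemRoot%\System32.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
EXE = re.compile(r'^"?([^"]+?\.exe)', re.I)

# Constructed sample in regedit export format; the SID is a placeholder.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST"="c:\\winnt\\expander.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST"="c:\\winnt\\expander.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Temp\\lsass.exe\" /quiet"
'''

def audit_run_keys(reg_text):
    """Return (key, value name, target, reason) for suspicious Run/RunOnce values."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not (m and key and RUN_KEY.search(key)):
            continue
        data = re.sub(r"\\(.)", r"\1", m["data"])  # undo .reg escaping of \ and "
        exe = EXE.match(data)
        target = PureWindowsPath(exe.group(1) if exe else data)
        name, stem = m["name"].lower().removesuffix(".exe"), target.stem.lower()
        if name in SYSTEM_NAMES and stem != name:
            reason = "value name imitates a system process but starts another binary"
        elif stem in SYSTEM_NAMES and target.parent.name.lower() != "system32":
            reason = "system process name used by a binary outside System32"
        else:
            continue
        findings.append((key, m["name"], str(target), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_run_keys(SAMPLE):
        print(" | ".join(finding))
```

Both checks are heuristics: a hit is a lead for triage, and a clean result does not rule out other autostart locations.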

