lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <1095457744.4000.21.camel@Stargate>
From: nodialtone at comcast.net (Byron Copeland)
Subject: ZIP Attachment

All,

Just got an attachment in this afternoon.  The zipped file contains 3
files:

1. foto.jpeg
2. foto.html
3. expander.exe

that will extract to its own foto directory when clicked on.  Also, when
clicked on, the foto (not bad :) ) will be shown while the file
expander.exe is being installed.


Here is the result:

expander.exe places itself in the C:\winnt directory as hidden.

2 Keys are added to the registry:

1. HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
	SVCHOST value=c:\winnt\expander.exe

2. HKEY_USERS\S-1-5-21-579898441-688789844-1957994488-500\software\microsoft\windows\currentversion\run

	SVCHOST value=c:\winnt\expander.exe

It does install and run as a service.

It doesn't seem to have any listeners running.

I've looked on the McAfee and Symantec sites for this one, doesn't seem to be
there.

Anyone have an idea of what this is?  I'd appreciate any feedback.

If anyone wants this attachment, let me know.

Thanks
-b

-- 

-- Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger", 
"mount", "split", "unmount", "sleep".
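
As an added example (not part of the original post, and not code from any vendor it mentions): a PowerShell script that hunts for the persistence pattern the post describes, a Run value named SVCHOST pointing at a hidden executable dropped straight into the Windows directory, across HKCU, HKLM and every loaded user hive under HKEY_USERS (the post's second key sits under HKEY_USERS\<SID>, the RID-500 built-in Administrator). Only the SVCHOST value name, the two Run key locations and the hidden-file-in-%SystemRoot% behaviour come from the post; the list of system process names, the "dangling target" check and the output format are assumptions about what a responder would want to triage.

```powershell
# Added example: triage Run-key autostarts for the pattern described in the post.
# Assumptions (not from the post): the $systemNames list, the dangling-target check
# and the object layout of the output.

$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$system32  = Join-Path $env:SystemRoot 'System32'

# Process names that legitimately run only from System32. A Run value that borrows
# one of these names but points elsewhere is the masquerade the post describes
# (value "SVCHOST" -> c:\winnt\expander.exe).
$systemNames = @('svchost', 'lsass', 'csrss', 'winlogon', 'services', 'explorer', 'smss')

# Expose HKEY_USERS as a drive so the per-SID Run keys can be walked.
# -Scope Global keeps the drive alive after this script scope ends.
if (-not (Test-Path 'HKU:')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global | Out-Null
}

function Get-RunKeyPaths {
    # HKCU and HKLM, plus every loaded user hive (S-1-5-21-... SIDs) under HKU.
    $paths = @("HKCU:\$runSubKey", "HKLM:\$runSubKey")
    Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
        ForEach-Object { $paths += "HKU:\$($_.PSChildName)\$runSubKey" }
    return $paths
}

function Get-ExePath([string]$command) {
    # Reduce a Run command line to its executable:  "C:\x\y.exe" /arg  ->  C:\x\y.exe
    if ($command -match '^"([^"]+)"') { return $matches[1] }
    return ($command -split '\s+')[0]
}

function Find-SuspiciousRunEntries {
    foreach ($key in Get-RunKeyPaths) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd))
            $reasons = @()

            # 1. System-process name, but the target is not under System32.
            if (($systemNames -contains $name.ToLower()) -and
                -not $exe.StartsWith($system32, 'OrdinalIgnoreCase')) {
                $reasons += "value name '$name' mimics a system process but target is outside System32"
            }
            # 2. Executable dropped directly into %SystemRoot% (C:\winnt in the post).
            if ((Split-Path $exe -Parent) -ieq $env:SystemRoot) {
                $reasons += 'target lives directly in %SystemRoot%'
            }
            # 3. Hidden attribute on the target, or a target that no longer exists.
            if (Test-Path -LiteralPath $exe) {
                $attr = (Get-Item -LiteralPath $exe -Force).Attributes
                if ($attr -band [IO.FileAttributes]::Hidden) { $reasons += 'target file is hidden' }
            } else {
                $reasons += 'target does not exist (dangling autostart)'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $cmd
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

function Find-HiddenWindirExecutables {
    # Independent of the registry: any hidden .exe sitting in the root of %SystemRoot%.
    Get-ChildItem -LiteralPath $env:SystemRoot -File -Force -Filter *.exe |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
Find-HiddenWindirExecutables | Select-Object FullName, Attributes, LastWriteTime
```

Run it from an elevated prompt so the HKEY_USERS hives of other logged-on accounts are readable; hives of users who are not logged on are not loaded and will not appear, which is why an offline hunt should also mount each profile's NTUSER.DAT. Note that this only covers the Run keys the post names; RunOnce, the Winlogon Shell/Userinit values and the Services key are separate autostart locations and are not checked here.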

