The package of files can be found here:

http://www.fileden.com/files/2008/7/19/2010382/DEC_8.ZIP

Password is "a" (no quotes). Unzips to a rar file. Unpack that to get:

==========
4e94e.pdf
MVOLEE48.GIF
24bce92d.hst
g43kb6j34kblq6jh34kb6j3kl4.jar-3ba7d41d-68772f99.hst
g43kb6j34kblq6jh34kb6j3kl4.jar-3ba7d41d-68772f99.idx
g43kb6j34kblq6jh34kb6j3kl4.jar-3ba7d41d-68772f99.zip
0.2573132007008251.exe
index.html
===========

Background:

Received spam containing this link:

hxxp://shores.net/0bcefb/index.html

Following that link caused this error in my Firefox 184.108.40.206 browser:

Firefox doesn't know how to open this address, because the
protocol (hcp) isn't associated with any program.

No idea what that's all about. The exe file is downloaded but not
executed (on my win-98 system).

The pdf file is then pushed at me, which I gladly download. The actual
link to the pdf file is:

hxxp://combijump.com/content/fdp1.php?f=43

I was served up something from here (don't recall what it was):

hxxp://combijump.com/main.php?page=2cd37516bfc47eba

The index.html file contains links to these js files:

hxxp://robinsharma.com/stcounter.js
hxxp://serviciu-clienti.ro/ajaxam.js
hxxp://olcsoautogumi.hu/ajaxam.js

The first scan of the exe file by Virus Total resulted in a detection
rate of 4/43 (9%) as of Dec 8, 2:25 pm EST. The first scan of the pdf
file resulted in a detection rate of 15/43 (35%).

VT says the exe file is ZBOT, the PDF is some variant of Pidief.

I don't know what the purpose is of the gif file - I haven't submitted
it to VT (are there known gif vulnerabilities?).

The small hst file contains an IP address (220.127.116.11). What is the
purpose of that?

hxxp://18.104.22.168/ is currently serving a simple "ok!!!" text
message.