Just got this e-mail from the SecurityFocus mailing list... Take note of the second-last paragraph.
-----Original Message-----
From: User [mailto:user666@cryogen.com]
Sent: Tuesday, April 23, 2002 1:13 AM
To: csanterre@MerchantsOverseas.com
Subject: I can't post to securityfocus.com, so I'm emailing you
I just read your post here:
http://online.securityfocus.com/archive/100/268868
regarding MNSVC.EXE
I found the file on my system this evening. It had been created at 9:28pm
and my firewall had been alerting me to its attempts to contact
www.wwws1.com. Luckily, my firewall hadn't permitted any connections.
I wanted to find out how this .exe had gotten on my machine, since I hadn't
downloaded anything, run any new programs or gotten any e-mail
attachments. I found your post through a thread on anandtech. My
temporary internet files contained 8 items from either www.wwws1.com or
www.online1net.com as indicated in your post.
I didn't directly visit either one of those sites, but I believe I was hit
by their pop ups when I went to the site www.vcdhelper.com. That domain
actually redirects to www.vcdhelp.com but with the addition of a TON of
popups. vcdhelper and vcdhelp are not registered to the same people, and
going directly to www.vcdhelp.com (not helper) seems to avoid all the
popups.
In any case, I don't have any interest in experimenting to see if I get hit
again by visiting that site, but for me the file didn't come from Webshots
or any other installed software, it came from hitting some website and I'd
guess, as Larry Mecca noted, an ActiveX control/exploit.