O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe

Tomcoyote: http://tomcoyote.org/forums/lofiversion/index.php/t43312.html

O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe

Of notable interest regarding this exploit is the methodology discovered with analysis using X-RayPC, a FaceTime process forensic tool,
The result is highlighted in yellow.

This string shows up in the downloaded files area (Active X portion) of X-RayPC.

ms-its: mhtml:file://

This search string can be chronologically located as far back?as 2003.?
The sample below is from May 26, 2004

Reference Spywareinfo.com Forums: http://forums.spywareinfo.com/lofiversion/index.php/t2561.html

Second CLSID: {11111111-1111-1111-1111-111111111157}

Reference CastleCops: http://castlecops.com/atx-200.html

Reference: WildersSecurity.com http://www.wilderssecurity.com/showthread.php?p=182524

Based on the CLSIDs and other behaviors the file exhibits it is apparent the responsible parties are related to or are controlled by the CWS family of spyware.

1. Executable Packing is the process of compressing an executable file and
prepending adecompression stub, which is responsible for decompressing the
executable and initiating execution. The decompression stub is a standalone executable,
making packed and unpacked executables indistinguishable to the casual user as they are
not required to perform any additional steps to start execution. Software distributors
use executable packing for a variety of reasons, primarily to reduce the secondary storage
requirements of their software, however as UPX is specifically designed to compress executable
code it often achieves better compression ratios than standard data compression facilities
such as gzip, zip or bzip2. Source: Wikipedia