From: uberguidoz at gmail.com (GuidoZ)
Subject: ZIP Attachment

I did a little Google digging and came up with this:
http://www.windowsstartup.com/wso/detail.php?id=4239

Filename:        expander.exe 
Program Title: 	HiJaak Expander
Rating: 	    3 (application need to be run at startup, but is not
system critical)
Comments:      Part of the HiJaak graphics tools.

There were a number of hits (even things like Stuffit Expander), which
could be related. What caught my eye about this one is the "HiJaak
graphics tools". Hijack? Graphics? Sound fitting. =)

--
Peace. ~G


On 17 Sep 2004 17:49:04 -0400, Byron Copeland <nodialtone@...cast.net> wrote:
> All,
> 
> Just got an attachment in this afternoon.  The zipped file conatins 3
> files:
> 
> 1. foto.jpeg
> 2. foto.html
> 3. expander.exe
> 
> that will extract to its own foto directory when clicked on.  Also, when
> clicked on, the foto (not bad :) ) will be shown while the file
> expander.exe is being installed.
> 
> Here is the result:
> 
> expander.exe places itself in the C:\winnt directory as hidden.
> 
> 2 Keys are added to the registry:
> 
> 1. HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
>         SVCHOST value=c:\winnt\expander.exe
> 
> 2.HKEY_USERS\5-1-5-21-579898441-688789844-1957994488-500\software\microsoft\windows\currentversion\run
> 
>         SVCHOST value=c:\winnt\expander.exe
> 
> It does install and run as a service.
> 
> It doesn't seem to have any listeners running.
> 
> I've look on McAfee and Symantec sites for this one, doesn't seem to be
> there.
> 
> Anyone have an idea of what this is?  I'd appreciate any feedback.
> 
> If anyone wants this attachment, let me know.
> 
> Thanks
> -b
> 
> --
> 
> -- Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger",
> "mount", "split", "unmount", "sleep".

Powered by blists - more mailing lists