
Re: [Full-Disclosure] ZIP Attachment



I did a little Google digging and came up with this:
http://www.windowsstartup.com/wso/detail.php?id=4239

Filename:        expander.exe 
Program Title:  HiJaak Expander
Rating:             3 (application needs to be run at startup, but is not system critical)
Comments:      Part of the HiJaak graphics tools.

There were a number of hits (even things like Stuffit Expander), which
could be related. What caught my eye about this one is the "HiJaak
graphics tools". Hijack? Graphics? Sounds fitting. =)

--
Peace. ~G


On 17 Sep 2004 17:49:04 -0400, Byron Copeland <nodialtone@xxxxxxxxxxx> wrote:
> All,
> 
> Just got an attachment in this afternoon.  The zipped file contains 3
> files:
> 
> 1. foto.jpeg
> 2. foto.html
> 3. expander.exe
> 
> that will extract to its own foto directory when clicked on.  Also, when
> clicked on, the foto (not bad :) ) will be shown while the file
> expander.exe is being installed.
> 
> Here is the result:
> 
> expander.exe places itself in the C:\winnt directory as hidden.
> 
> 2 Keys are added to the registry:
> 
> 1. HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
>         SVCHOST value=c:\winnt\expander.exe
> 
> 2. HKEY_USERS\5-1-5-21-579898441-688789844-1957994488-500\software\microsoft\windows\currentversion\run
> 
>         SVCHOST value=c:\winnt\expander.exe
> 
> It does install and run as a service.
> 
> It doesn't seem to have any listeners running.
> 
> I've looked on McAfee and Symantec sites for this one, doesn't seem to be
> there.
> 
> Anyone have an idea of what this is?  I'd appreciate any feedback.
> 
> If anyone wants this attachment, let me know.
> 
> Thanks
> -b
> 
> --
> 
> -- Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger",
> "mount", "split", "unmount", "sleep".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
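
The Run-key persistence reported in this thread (a value named SVCHOST pointing at c:\winnt\expander.exe) can be triaged with a small check over `reg query` output. This is an added example, not part of the original posts; the function names, the `SYSTEM_NAMES` list and the `ctfmon.exe` sample line are assumptions made for illustration, and the default Windows directory is taken from the report.

```python
import ntpath
import re

# Constructed sample in `reg query` output format; the SVCHOST line mirrors the
# Run value reported in the thread, the other value is invented for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SVCHOST    REG_SZ    c:\winnt\expander.exe
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
"""

# Windows system process names that autorun entries sometimes borrow as labels
# (short illustrative list, an assumption of this example).
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "smss"}

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(?P<data>.+)$")

def image_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", data)
    return m.group(1) if m else data.split()[0]

def triage_run_values(reg_text, windir=r"c:\winnt"):
    """Return (value name, image path, reasons) for each suspicious Run value."""
    findings = []
    sysdir = ntpath.normcase(ntpath.join(windir, "system32"))
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        name, path = m.group("name"), image_path(m.group("data"))
        folder, exe = ntpath.split(ntpath.normcase(path))
        stem = ntpath.splitext(exe)[0]
        label = ntpath.splitext(name.lower())[0]
        reasons = []
        if label in SYSTEM_NAMES and (stem != label or folder != sysdir):
            reasons.append("value name imitates a system process")
        if folder == ntpath.normcase(windir):
            reasons.append("image sits directly in the Windows directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage_run_values(SAMPLE_REG_QUERY):
        print(f"{name} -> {path}: {'; '.join(reasons)}")
```

Both checks are heuristics for prioritising review: a hit means the entry deserves a look at the file itself, not that it is malicious.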