File Investigation Report
HIYO_INSTALL[n].EXECurrently being reviewed
The filename HIYO_INSTALL[n].EXE is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.
If you are concerned that your PC might be infected why not try our Free Prevx CSI Scanner. It will thoroughly check your PC for millions of active Spyware and malware infections and takes less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.
File Behavior
HIYO_INSTALL[n].EXE has been seen to perform the following behavior:
- Executes Processes stored in Temporary Folders
- This process creates other processes on disk
- Executes a Process
- This Process Deletes Other Processes From Disk
HIYO_INSTALL[n].EXE has been the subject of the following behavior:
- Created as a process on disk
- Deleted as a process from disk
- Has code inserted into its Virtual Memory space by other programs
- Executed as a Process
- Executed by Internet Explorer
- Added as a Registry auto start to load Program on Boot up
- Executed from Temporary Folders
Country Of Origin
The filename HIYO_INSTALL[n].EXE was first seen on Oct 22 2008 in the following geographical regions of the Prevx community:
- SPAIN on Oct 22 2008
- ITALY on Oct 29 2008
File Name Aliases
HIYO_INSTALL[n].EXE can also use the following file names:
- HIYO_INSTALL.EXE
- 91720141.EXE
- WINKS.EXE
- HIYO_INSTALL(n).EXE
- HIYO_INSTALL-11022008.EXE
- HIYO_INSTALL (n).EXE
- HIYO_INSTALL1.EXE
- HIYO_INSTALL_1.EXE
- HIYO_INSTALL_3.EXE
- HIYO_INSTALL_4.EXE
Filesizes
The following file size has been seen:
- 8,192 bytes
- 558,930 bytes
- 575,728 bytes
Vendor, Product and Version Information
Files with the name HIYO_INSTALL[n].EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- ; HiYo installer; 7, 0, 0, 1579
- IncrediMail Ltd.; VeriSign Class 3 Code Signing 2004 CA;
- ; VeriSign Class 3 Code Signing 2004 CA;
File Type
The filename HIYO_INSTALL[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name HIYO_INSTALL[n].EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\documents and settings\user\local settings\temp\iminstaller\HiYo_Installer.exe
- Creates c:\documents and settings\user\local settings\temp\iminstaller\InstallerParamsFromSfx.txt
- Opens/modifes c:\autoexec.bat
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\setupscript[1].cab to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\setupscript.cab
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\hiyo[1].ico to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\hiyo.ico
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\HiYo_installer_image[1].bmp to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\HiYo_installer_image.bmp
- Creates c:\documents and settings\user\local settings\temp\iminstaller\candybar_flash
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\HiYo_Terms[1].cab to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\Lic.txt
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\gethiyo[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\gethiyo.swf
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\emoticons[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\emoticons.swf
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\text[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\text.swf
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\animations[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\animations.swf
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\sounds[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\sounds.swf
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\winks[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\winks.swf
Registry Activity
One or more files with the name HIYO_INSTALL[n].EXE creates or modifies the following registry keys and values:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Documents and Settings\user\Local Settings\Temp\ImInstaller\HiYo_Installer.exe C:\Documents and Settings\user\Local Settings\Temp\ImInstaller\HiYo_Installer.exe:*:Enabled:IncrediMail Installer
Website Activity
One or more files with the name HIYO_INSTALL[n].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1077 Port:20
- Port 80 IP:87.248.212.27