File Behavior
HIYO_INSTALL[n].EXE has been seen to perform the following behavior:
- Executes Processes stored in Temporary Folders
- This process creates other processes on disk
- Executes a Process
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
- Terminates Processes
- Writes to another Process's Virtual Memory (Process Hijacking)
- Found on infected systems and resists interrogation by security products
- Uses low level functions to hide itself from the user and from system/security processes
HIYO_INSTALL[n].EXE has been the subject of the following behavior:
- Deleted as a process from disk
- Created as a process on disk
- Executed as a Process
- Terminated as a Process
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry auto start to load Program on Boot up
- Executed by Internet Explorer
- Executed from Temporary Folders
Country Of Origin
The filename HIYO_INSTALL[n].EXE was first seen on Oct 22 2008 in the following geographical regions of the Prevx community:
- SPAIN on Oct 22 2008
- COSTA RICA on Oct 22 2008
- ITALY on Oct 29 2008
- GREECE on Jan 22 2009
- COLOMBIA on Apr 16 2009
File Name Aliases
HIYO_INSTALL[n].EXE can also use the following file names:
- 24256501.SVD
- 39015712.EXE
- 76251407.EXE
- 25981836.EXE
- HIYO_INSTALL.EXE
- HIYO_INSTALL(n).EXE
- HIYO_INSTALL_2.EXE
- HIYO_INSTALL_1.EXE
- HIYO_INSTALL_4.EXE
- HIYO_INSTALL_3.EXE
- البر.EXE
- 49396496.EXE
- 70957197.EXE
- 49636268.EXE
- HIYO_INSTALL_5.EXE
- HIYO_INSTALL (n).EXE
- HIYO_INSTALL-001.EXE
- HIWO 2.EXE
- كاركتور.EXE
- 69226373.EXE
- 91720141.EXE
- WINKS.EXE
- HIYO_INSTALL-11022008.EXE
- HIYO_INSTALL1.EXE
File Sizes
The following file sizes have been seen:
- 8,192 bytes
- 595,144 bytes
- 599,560 bytes
- 673,912 bytes
- 575,728 bytes
File Type
The filename HIYO_INSTALL[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name HIYO_INSTALL[n].EXE create, delete, copy or move the following files and folders:
- Creates c:\documents and settings\user\local settings\temp\iminstaller\HiYo_Installer.exe
- Creates c:\documents and settings\user\local settings\temp\iminstaller\InstallerParamsFromSfx.txt
- Opens/modifies c:\autoexec.bat
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\setupscript[1].cab to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\setupscript.cab
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\hiyo[1].ico to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\hiyo.ico
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\HiYo_installer_image[1].bmp to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\HiYo_installer_image.bmp
- Creates c:\documents and settings\user\local settings\temp\iminstaller\candybar_flash
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\HiYo_Terms[1].cab to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\Lic.txt
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\gethiyo[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\gethiyo.swf
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\emoticons[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\emoticons.swf
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\text[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\text.swf
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\animations[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\animations.swf
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\sounds[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\sounds.swf
- Copies file c:\documents and settings\user\local settings\temporary internet files\content.ie5\67acpgmg\winks[1].swf to c:\documents and settings\user\local settings\temp\iminstaller\hiyo\winks.swf
Website Activity
One or more files with the name HIYO_INSTALL[n].EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1077 Port:20
- Port 80 IP:87.248.212.27