Hackern.ini file?

Guest

Apparently in the %System Root%\System32 folder there is an image file called
Hackern.ini
that is about 700KB in size. There is also a 'Windows XP Vista' registry
key with an ImagePath=C:\Windows\Hackern.ini entry & DisplayName=Windows XP
Vista. Is this a legitimate file and registry entry(s) ? Or could this be
malware of some sort ? TIA ...
 
Jon

Right-click it and choose edit, and see what it contains - but the name
itself is pretty suggestive of malware.
 
Guest

That's another thing - it won't let you open it in a text editor for some
reason. Not sure if it's actually an image file or something besides ASCII
text. But in that registry key it does say
'ImageFile=C:\Windows\Hackern.ini.' Would some writers of malware actually
use the word 'hacker' or 'hackern' in one of their files though? LOL A
Yahoo! search on this file turns up nothing, and I am unable to find it on
any other WinXP machines - although this particular one is a newer one that
also came with a free upgrade to Vista when it's available, so I was not sure
if the file and registry entries had anything to do with that.
 
Jon

Yeah, you're right, sorry - .ini files don't give you that option on a
right-click.

If you go Start > run > sendto
and then drag a shortcut to notepad or wordpad to the folder
Then you may be able to right-click the file and choose Send to > Notepad /
Wordpad

Sounds like it could well be connected to that Vista upgrade scheme.

--
Jon




And if you're wondering why on earth I wrote that, well "E-Double"
 
Jon

Actually thinking about it those 2 registry keys

DisplayName
ImageFile

usually occur together with services

so if as you said, there's nothing legible when you try opening it up in
wordpad or notepad, and if you found it under a registry key similar to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

then its name may have been cunningly disguised (e.g. from a .sys file).

Still probably legit though and connected with that upgrade scheme.
 
Guest

Yes, it is under the HKLM\System\ControlSet001\Services key and the (hive?)
is called Windows XP Vista which apparently launches the hackern.ini file.
There is also a similar (hive?) just above it called Windows XP and this
apparently launches a file called ha.ini. Both files are about 700KB and
cannot be opened with a text editor - a message to the effect of 'file cannot
be accessed' appears when trying to open it with Notepad, Wordpad, or from a
command prompt with Edit.

 
Jon

Yeah the files have probably had access permissions removed from them by
Windows and / or there are running services (such as the ones you mentioned)
protecting them.

Interesting though. As you probably know those machines with the Vista
upgrade haven't been around that long so that will explain the lack of
threads on the subject (this is probably one of the first) - but it also
lends legitimacy to the fact that those files are connected with that
process.

All very interesting anyhow.
 
Guest

So you think that they are legit then? If so, they picked a weird name for
a .ini file (LOL).

e.
 
Jon

Yeah true lol. Either someone with a sense of humour at MS (especially
given the security on the file) or was the computer salesman wearing a
black hat? ;)

If legit, then special prizes for whoever can guess what the 'ha' and
'hackern' stand for. I was thinking the 'kern' might be short for kernel,
but who knows?

--
Jon



Latest reports suggest that it was "E-Double"
<[email protected]> in message
who said something
like...
 
Guest

The plot thickens - now Symantec Antivirus is reporting the hackern.ini file
as being the Backdoor.Hupigeon trojan. Symantec kept reporting a generic
Trojan Horse virus all morning in file 3721.4.dll, but was not able to clean
the source for this file (only the file itself, in other words it kept
reappearing). Not only would it keep coming back after SAV cleaned it after a
reboot, but it would keep coming back without rebooting after SAV said it was
either quarantined or deleted. That is why I first stumbled on the
hackern.ini file. So at this point I am not sure if that is a legit file &
registry entry or a legit file that has been infected.

e.
 
G.T.

I have no hackern.ini or 3721.4.dll on any XP machine here so it's probably
illegit.

Gre
 
Jon

NB You can disable both of those 2 services you mentioned from starting up
at startup, by changing the value of their "Start" key to 4

Navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

then to the 2 subkeys you mentioned, and change the "Start" key for both to
a value of 4, then reboot.

This will stop both those services from running at startup and may also give
you access to the files.
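An added read-only triage script, not posted by anyone in this thread, that does what Jon suggests checking by hand: it walks HKLM\SYSTEM\CurrentControlSet\Services, reports every service whose ImagePath does not point at a .exe or .sys (the 'Windows XP Vista' entry with ImagePath=C:\Windows\Hackern.ini would show up here), decodes the Start value (4 = Disabled, the value Jon recommends setting) and tests whether the file can actually be opened, which reproduces the 'file cannot be accessed' symptom. The helper name Get-ServiceImageFile is my own; it assumes an elevated PowerShell prompt and changes nothing.

```powershell
# Added example, not from the thread. Read-only: it only lists services.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceImageFile {
    # Hypothetical helper: reduce a raw ImagePath value to the file it launches.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"'))    { return ($p -split '"')[1] }   # "quoted path" args
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }        # NT-style prefix on drivers
    # Unquoted path: take everything up to the first ".ext" followed by space/end
    if ($p -match '^(.+?\.[A-Za-z0-9]{1,4})(\s|$)') { return $Matches[1] }
    return $p
}

Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { return }                 # key without a binary, skip
    $file = Get-ServiceImageFile $props.ImagePath
    $ext  = [IO.Path]::GetExtension($file).ToLowerInvariant()
    if ($ext -in '.exe', '.sys') { return }               # the normal case for services/drivers
    [PSCustomObject]@{
        Service     = $_.PSChildName
        DisplayName = $props.DisplayName
        ImagePath   = $props.ImagePath
        Start       = $(if ($null -eq $props.Start) { '' } else { $startNames[[int]$props.Start] })
        Exists      = Test-Path -LiteralPath $file
        # An ACL that locks the file out of Notepad/Edit shows up here as False
        Readable    = $(try { [IO.File]::OpenRead($file).Close(); $true } catch { $false })
    }
} | Format-Table -AutoSize
```

A service that launches a .ini that exists but is not readable, under a DisplayName mimicking a Windows component, is the combination the thread ends up describing; the Start column shows whether the Start=4 change has taken effect after a reboot.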
 