
Backdoor.Win32.Hupigon.cpu

Detected Feb 06 2007 11:33 GMT
Released Jul 18 2007 14:27 GMT
Published Feb 06 2007 11:33 GMT


Technical Details

This backdoor carries a malicious payload. The program itself is a Windows PE EXE file, approximately 730KB in size, written in Borland Delphi.

Installation

The backdoor's functionality is assembled from a set of options that are chosen when the binary is generated by its builder.

When the Trojan is launched, it compares the name of the process it is running in with the string "IEXPLORE.EXE". If it is not already running inside an injected browser process, the following takes place:

The backdoor determines the letter of the logical drive (%SysChar%) that holds the Windows system directory and uses it to build the following path:

%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe

The full path of the running program is compared with this string.

If the paths differ, the program is running from its original location and installs itself on the system. If they are the same, the program is the installed copy and proceeds to deliver its payload.

The installation process is as follows:

A copy of the malicious file named "Ahntdce.exe" is created at the following path:

%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe

If a file of that name already exists, it is deleted before the copy is written. The copied file is given the "Read-only" and "System" attributes, which hides it from default Explorer views and makes a plain delete fail.

The program then checks which family the current operating system belongs to, in order to decide how the copy will be launched automatically.

On the Windows NT family, a system service is created. It is visible in the list of services under the name:

"AhnLab Tdce Scheduler"

The service is configured to start automatically at boot and is allowed to interact with the desktop.

On the Windows 9X family, the following value is written to the system registry instead:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ahntdce.exe" = "%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe"

The copy is then launched, regardless of the operating system family.

Finally, a batch file named "Delet.bat" is created in the same directory as the copy and launched. It deletes the original backdoor file and then itself:

%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Payload

If the program has determined that it is the installed copy rather than the original file, it launches the Internet Explorer browser:

%SysChar%:\Program Files\Internet Explorer\IEXPLORE.EXE

The backdoor's own image is then read into memory, adjusted for its new location, and injected into the newly created "IEXPLORE.EXE" process, so that its subsequent network activity appears to originate from the browser.

The backdoor then checks for an Internet connection. If one is available, it examines the Internet address embedded in its code. If that address is a link to a file, the file is downloaded and the server name and port are read from it; otherwise the server name and port are hard-coded directly in the sample.

In this case:

sx.code***.org:8080

A connection is then established to this remote server.

The backdoor then builds a string describing the infected machine by concatenating the following fields:

%SomeString1%%IsCaptureDriver%%ComputerName%
%DefaultNetworkPassword%%OsName%%CpuSpeed% MHz
%MemorySize%MB%SomeString2%%SomeString3%

This string is encrypted and sent to the remote server.

A thread is then created to listen for commands from the server.

The malicious program can hook window messages to log keystrokes, and can take screenshots.

The backdoor can modify the browser home page through the policy value (which overrides the user's own setting):

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"

It can also enable Remote Desktop (Terminal Services) connections, giving the attacker interactive remote access to the machine, by setting:

[HKLM\System\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections" = 0x00000000

In addition, the backdoor can list running processes, terminate a specified process, search for files, list and upload selected files, create and delete specified files, download additional modules, and so on.


Removal instructions

If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to remove the malicious program:

  1. Stop the malicious program's service, then delete it so that it is not started again at boot (stopping alone leaves the service entry in place):
    net stop "AhnLab Tdce Scheduler"
    sc delete "AhnLab Tdce Scheduler"
  2. Use Task Manager to terminate all copies of the "iexplore.exe" process, the "ahntdce.exe" process, and the process of the original malicious file.
  3. Delete the original malicious file and the dropped copy shown below (clear its Read-only and System attributes first if the deletion is refused):
    %SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe
  4. Delete the following value from the system registry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ahntdce.exe" = "%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe"
  5. Revert the following settings: delete the "HomePage" policy value, and set "fDenyTSConnections" back to 1 unless Remote Desktop connections were deliberately enabled on this machine:
    [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    "HomePage"
    [HKLM\System\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections" = 0x00000001
  6. Update your antivirus databases and perform a full scan of the computer.
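The following PowerShell script is an added example, not Kaspersky's code, that audits a Windows NT-family host for the indicators described in the Installation and Payload sections above (service, dropped files with their attributes, Run value, injected iexplore.exe, home-page policy, fDenyTSConnections) and, with -Remediate, carries out the removal steps just listed. It assumes %SysChar% is the drive in $env:SystemDrive and that the script is run from an elevated prompt; the Windows 9X branch cannot be handled this way because those systems have no PowerShell.

```powershell
# Added triage/remediation script for the Hupigon.cpu indicators on this page (not Kaspersky's code).
# Run elevated. Default is audit only; -Remediate stops/deletes the service, kills the processes,
# removes the dropped files and registry values, and reverts the Terminal Server setting.
[CmdletBinding()]
param([switch]$Remediate)

$sysDrive = $env:SystemDrive                 # assumed to be the page's %SysChar%: (e.g. "C:")
$dropDir  = Join-Path $sysDrive 'Program Files\Common Files\Microsoft Shared\MSINFO'
$exePath  = Join-Path $dropDir 'Ahntdce.exe'
$batPath  = Join-Path $dropDir 'Delet.bat'
$svcName  = 'AhnLab Tdce Scheduler'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ieKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$tsKey    = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$hits     = @()

# 1. Service persistence (Windows NT family). Stopping is not enough: the entry restarts the copy at boot.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    $hits += "service '$svcName' present (status: $($svc.Status))"
    if ($Remediate) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        sc.exe delete $svcName | Out-Null
    }
}

# 2. Running copy, and iexplore.exe instances spawned by it (the injection target).
$procs = Get-CimInstance Win32_Process
foreach ($p in $procs) {
    $parent  = $procs | Where-Object ProcessId -eq $p.ParentProcessId
    $suspect = ($p.Name -ieq 'ahntdce.exe') -or
               ($p.Name -ieq 'iexplore.exe' -and $parent -and $parent.Name -ieq 'ahntdce.exe')
    if ($suspect) {
        $hits += "process $($p.Name) pid $($p.ProcessId) (parent: $($parent.Name))"
        if ($Remediate) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    }
}

# 3. Dropped files. The copy carries Read-only + System, so Get-Item/Remove-Item need -Force.
foreach ($f in @($exePath, $batPath)) {
    if (Test-Path -LiteralPath $f) {
        $attrs = (Get-Item -LiteralPath $f -Force).Attributes
        $hits += "file $f (attributes: $attrs)"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# 4. Run-key persistence (Windows 9X family): a value under Run, not a key of its own.
$run = Get-ItemProperty -Path $runKey -Name 'Ahntdce.exe' -ErrorAction SilentlyContinue
if ($run) {
    $hits += "Run value Ahntdce.exe = $($run.'Ahntdce.exe')"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'Ahntdce.exe' }
}

# 5. Tampered settings: policy home page override, and Terminal Services connections enabled.
$hp = Get-ItemProperty -Path $ieKey -Name 'HomePage' -ErrorAction SilentlyContinue
if ($hp) {
    $hits += "IE policy HomePage = $($hp.HomePage)"
    if ($Remediate) { Remove-ItemProperty -Path $ieKey -Name 'HomePage' }
}
$ts = Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $hits += "fDenyTSConnections = 0 (Remote Desktop connections allowed)"
    # Revert only if RDP was not deliberately enabled on this host.
    if ($Remediate) { Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord }
}

if ($hits) { $hits | ForEach-Object { Write-Output "[!] $_" } }
else       { Write-Output '[+] No Hupigon.cpu indicators found' }
```

Run it once without -Remediate to record what is present (the file attributes and the iexplore.exe parent relationship are the two findings that distinguish this sample from a stray file of the same name), then again with -Remediate, and finish with the full antivirus scan from step 6.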

Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors resemble the remote administration tools distributed by legitimate software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.


Aliases

Backdoor.Win32.Hupigon.cpu (Kaspersky Lab) is also known as:

  • Rootkit.Win32.Prostor.cpu (Kaspersky Lab)
  • Trojan: Generic Malware.bb (McAfee)
  • Mal/EncPk-AT (Sophos)
  • Malicious Packer (Panda)
  • W32/Heuristic-210!Eldorado (FPROT)
  • Backdoor:Win32/Hupigon.DG (MS(OneCare))
  • BackDoor.Beizhu (DrWeb)
  • Win32/Hupigon trojan (Nod32)
  • Gen:Trojan.Heur.qmGirH33Tahbi (BitDef7)
  • Packed/hmimys (VirusBuster)
  • Trojan-Dropper.Win32.Small.YY (Ikarus)
  • Win32/NSAnti.A (AVG)
  • BDS/Hupigon.Gen (AVIRA)
  • Trojan.Packed.18 (NAV)
  • Suspicious_H.gen (Norman)
  • Packer.Win32.PePatch.d (Rising)
  • Mal_Mlwr-15 (TrendMicro)