English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Backdoor.Win32.Hupigon.fdnv

Detected Dec 15 2008 18:09 GMT
Released Dec 15 2008 23:38 GMT
Published Jan 27 2009 06:50 GMT

Technical Details
Payload
Removal instructions

Technical Details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 28672 bytes in size. It is packed using AsPack. The unpacked file is approximately 119KB in size. It is written in Delphi.

Installation

Once launched, the Trojan ascribes the “hidden” attribute to its executable file and copies it to the Windows directory as shown below.

%System%\wintemp.exe
%System%\syswin.exe

The malicious file is then launched for execution.


Payload

The Trojan then attempt to contact the following URL:

http://www.qq.com/***

At the moment of writing, this link was not working.

The Trojan then determines the name, and IP address of the victim machine and sends this information to the remote malicious user’s server:

http://www.75*****.com/images/ge.asp?u=<name of computer>&i=<IP address> 

The Trojan then downloads a file from the URL shown below:

http://reg.75*****.com/image/log.jpg

And substitutes this file for the contents of the files shown below:

%System%\wintemp.exe
%System%\syswin.exe

This file is 28 672 bytes in size. It will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Hupigon.fsfz. The Trojan then launches these files for execution. In order to ensure that the Trojan is launched automatically each time the system is booted, it adds the following link to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IeServer" = "%System%\syswin.exe"

The Trojan also injects its code into the address space of "elementclient.exe". It also tracks the entry of confidential data in the online game "Perfect World" registration form.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the “wintemp.exe” and “syswin.exe”.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
    "IeServer" = "%System%\syswin.exe"
  4. Delete the following files:
    %System%\wintemp.exe
    %System%\syswin.exe
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Bookmark and Share
Share
Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.


Other versions

Aliases

Backdoor.Win32.Hupigon.fdnv (Kaspersky Lab) is also known as:

  • Trojan: generic!bg.bts (McAfee)
  • Mal/Behav-010 (Sophos)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Injector.A.gen!Eldorado (FPROT)
  • Trojan:Win32/Sisproc (MS(OneCare))
  • Trojan.DownLoad.28149 (DrWeb)
  • a variant of Win32/Genetik trojan (Nod32)
  • Dropped:Trojan.PWS.OnLineGames.WOJ (BitDef7)
  • Backdoor.Hupigon.EMFR (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Backdoor.Win32.Hupigon (Ikarus)
  • BackDoor.Hupigon4.BAHS (AVG)
  • TR/Dldr.Delphi.Gen (AVIRA)
  • Infostealer.Gampass (NAV)
  • W32/Hupigon.ETGS (Norman)
  • Trojan.Win32.Generic.51E9100E (Rising)
  • Backdoor.Win32.Hupigon.fdnv [AVP] (FSecure)
  • BKDR_Generic.DMS (TrendMicro)
  • BehavesLike.Win32.Malware (v) (Sunbelt)
  • Backdoor.Hupigon.EMFR (VirusBusterBeta)