Internet threat level: 1
Home→Descriptions→Backdoor.Win32.Hupigon.fdnv
Backdoor.Win32.Hupigon.fdnv
| Detected | Dec 15 2008 18:09 GMT |
| Released | Dec 15 2008 23:38 GMT |
| Published | Jan 27 2009 06:50 GMT |
Payload
Removal instructions
Technical Details
This malicious program is a Trojan. It is a Windows PE EXE file. It is 28672 bytes in size. It is packed using AsPack. The unpacked file is approximately 119KB in size. It is written in Delphi.
Installation
Once launched, the Trojan ascribes the “hidden” attribute to its executable file and copies it to the Windows directory as shown below.
%System%\wintemp.exe
%System%\syswin.exe
The malicious file is then launched for execution.
Payload
The Trojan then attempt to contact the following URL:
http://www.qq.com/***
At the moment of writing, this link was not working.
The Trojan then determines the name, and IP address of the victim machine and sends this information to the remote malicious user’s server:
http://www.75*****.com/images/ge.asp?u=<name of computer>&i=<IP address>
The Trojan then downloads a file from the URL shown below:
http://reg.75*****.com/image/log.jpg
And substitutes this file for the contents of the files shown below:
%System%\wintemp.exe
%System%\syswin.exe
This file is 28 672 bytes in size. It will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Hupigon.fsfz. The Trojan then launches these files for execution. In order to ensure that the Trojan is launched automatically each time the system is booted, it adds the following link to the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IeServer" = "%System%\syswin.exe"
The Trojan also injects its code into the address space of "elementclient.exe". It also tracks the entry of confidential data in the online game "Perfect World" registration form.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the “wintemp.exe” and “syswin.exe”.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IeServer" = "%System%\syswin.exe" - Delete the following files:
%System%\wintemp.exe
%System%\syswin.exe - Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
Backdoor.
- Trojan:
generic!bg. bts (McAfee) - Mal/Behav-010 (Sophos)
- Heuristic.
WinPE-Statistical (Panda) - W32/Injector.
A. gen!Eldorado (FPROT) - Trojan:
Win32/Sisproc (MS(OneCare)) - Trojan.
DownLoad. 28149 (DrWeb) - a variant of Win32/Genetik trojan (Nod32)
- Dropped:
Trojan. PWS. OnLineGames. WOJ (BitDef7) - Backdoor.
Hupigon. EMFR (VirusBuster) - Win32:
Trojan-gen (AVAST) - Backdoor.
Win32. Hupigon (Ikarus) - BackDoor.
Hupigon4. BAHS (AVG) - TR/Dldr.
Delphi. Gen (AVIRA) - Infostealer.
Gampass (NAV) - W32/Hupigon.
ETGS (Norman) - Trojan.
Win32. Generic. 51E9100E (Rising) - Backdoor.
Win32. Hupigon. fdnv [AVP] (FSecure) - BKDR_Generic.
DMS (TrendMicro) - BehavesLike.
Win32. Malware (v) (Sunbelt) - Backdoor.
Hupigon. EMFR (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.