Internet threat level: 1
Home→Descriptions→Backdoor.Win32.Hupigon.a
Backdoor.Win32.Hupigon.a
| Detected | Jun 24 2009 13:29 GMT |
| Released | Jul 22 2009 14:50 GMT |
| Published | Jul 28 2005 15:23 GMT |
Technical Details
This Trojan backdoor is 294076 bytes in size, written in Delphi, and packed using Aspack.
Installation
The program copies itself to the system directory as winreg.exe and notepod.exe.
It then registers this file in the system directory, ensure that the file will be executed each time Windows is rebooted on the victim machine.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "LoadWindowsFile" = "<system directory>\winreg.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "LoadWindowsFile" = "<system directory>\winreg.exe"
It also changes launch parameters for executable and text files so that the Trojan file will automatically be launched at the same time:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command] (Default) = "Notepod.exe "%1"" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] (Default) = "<system directory>\winreg.exe "%1" %*"
Payload
The program opens UDP port 8310 and several random TCP ports to listen for commands. The remote malicious user is able to use the program to conduct file operations, format the disk, log keystrokes etc.
The program contains text strings in Chinese.
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
Backdoor.
- Rootkit.
Win32. Hupigon. a (Kaspersky Lab) - Constructor.
Win32. Hupigon. a (Kaspersky Lab) - HackTool.
Win32. Hupigon. a (Kaspersky Lab) - Trojan-Spy.
Win32. Hupigon. a (Kaspersky Lab) - Trojan-Proxy.
Win32. Hupigon. a (Kaspersky Lab) - Trojan-Banker.
Win32. Hupigon. a (Kaspersky Lab) - Net-Worm.
Win32. Hupigon. a (Kaspersky Lab) - Backdoor.
Win32. Hupigon. fhad (Kaspersky Lab) - Backdoor.
Win32. Hupigon. fgzz (Kaspersky Lab) - Backdoor.
Hupigon. a (Kaspersky Lab) - Backdoor.
Hupigon (Kaspersky Lab) - Trojan:
BackDoor-AWQ. gen. r (McAfee) - Mal/Frethog-B (Sophos)
- Trojan.
WoW-560 (ClamAV) - Heuristic.
WinPE-Statistical (Panda) - W32/SuspPack.
AC. gen!Eldorado (FPROT) - Backdoor:
Win32/Hupigon. gen!B (MS(OneCare)) - Trojan.
Packed. 551 (DrWeb) - Win32/Kryptik.
NX trojan (Nod32) - Trojan.
Delf. Inject. Z (BitDef7) - Backdoor.
Hupigon. 209938 (BitDef7) - Trojan.
Hupigon. Gen!Pac. 6 (VirusBuster) - Trojan-Downloader.
Win32. Apher (Ikarus) - BackDoor.
Generic12. BBPP (AVG) - vx_123.
exe <<< BDS/Hupigon. Gen (AVIRA) - BDS/Hupigon.
Gen (AVIRA) - Suspicious.
Graybird. 1 (NAV) - SandBox found 'W32/Obfuscated.
R'. Infection details: [ General information ] (Norman) - Packer.
Win32. Agent. bd (Rising) - Backdoor.
Win32. Hupigon. a [AVP] (FSecure) - Backdoor.
Win32. Hupigon (Sunbelt) - Backdoor.
Win32. Hupigon (v) (Sunbelt) - Trojan.
Hupigon. Gen!Pac. 6 (VirusBusterBeta)
© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.