
Backdoor:Win32/Hupigon.CK


First posted on 09 February 2009.
Source: SecurityHome

Aliases:

Backdoor:Win32/Hupigon.CK is also known as: Win-Trojan/Hupigon.303567 (AhnLab), Win32/PEMask (AVG), Backdoor.Hupion.YCL (BitDefender), Backdoor.Win32.Hupigon.cvfk (Kaspersky), BackDoor-AWQ (McAfee), Hupigon.gen103 (Norman), Mal/EncPk-AP (Sophos), Mal_HPGN-1 (Trend Micro).

Explanation:

Backdoor:Win32/Hupigon.CK is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server on the host computer. Backdoor:Win32/Hupigon.CK tries to connect to different remote Web sites to send notification of the infection.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\winlogo.exe
    <system folder>\netdde.exe
    <system folder>\yyserver
  • The presence of the following registry subkey:
    HKLM\SYSTEM\CurrentControlSet\Services\YYSvc


Installation
Win32/Hupigon.CK is installed by potentially unwanted software or by visiting a malicious Web site. The trojan may be present as the following files:

  • <system folder>\winlogo.exe
  • <system folder>\netdde.exe
  • <system folder>\yyserver

During installation, a clean-up batch script file is dropped as '<system folder>\deleteme.bat' and then run to delete the original trojan installer. The dropped copy of Hupigon.CK (winlogo.exe, netdde.exe) creates additional copies of the trojan as the following:

  • <system folder>\winlogo_.exe
  • <system folder>\netdde_.exe

The registry is modified with the addition of the following data and value:

  • Adds value: "Start"
    With data: "2"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\YYSvc

Payload
Stops Internet Connection Firewall Service
Win32/Hupigon.CK tries to stop the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service by using the Windows utility net.exe, as in the following example:

    net1 stop SharedAccess

Opens Remote Access Port/Backdoor
Win32/Hupigon.CK attempts to connect to the remote Web site 'djisdj.vicp.net' using TCP port 3838. The backdoor component also requests access to physical memory.
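As an added example (not part of the original description), a small Python triage helper that matches Sysmon-style host events against the indicators listed above: the dropped files, the YYSvc service key, the net1 stop SharedAccess command and the connection to djisdj.vicp.net on TCP port 3838. The event shape and the sample events are constructed, and <system folder> is assumed to be C:\Windows\System32.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the description above; <system folder> is assumed to be C:\Windows\System32.
SYSTEM_DIR = r"C:\Windows\System32"
DROPPED_FILES = {f"{SYSTEM_DIR}\\{n}".lower() for n in
                 ("winlogo.exe", "netdde.exe", "winlogo_.exe", "netdde_.exe", "deleteme.bat")}
DROPPED_DIR = f"{SYSTEM_DIR}\\yyserver".lower()
SERVICE_KEY = r"hklm\system\currentcontrolset\services\yysvc"
C2_HOST, C2_PORT = "djisdj.vicp.net", 3838
# net.exe / net1.exe stopping SharedAccess, i.e. the ICF/ICS firewall service.
FIREWALL_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+sharedaccess\b", re.I)

def classify(event: Dict) -> Optional[str]:
    """Return an indicator label if a Sysmon-style event matches one of the IoCs, else None."""
    kind = event.get("type")
    if kind == "file_create":
        path = event["path"].lower()
        if path in DROPPED_FILES or path.startswith(DROPPED_DIR):
            return "hupigon_dropped_file"
    elif kind == "registry_set" and event["key"].lower().startswith(SERVICE_KEY):
        return "hupigon_yysvc_service_key"      # covers Start = 2 under the YYSvc key
    elif kind == "process_create" and FIREWALL_STOP.search(event["cmdline"]):
        return "firewall_service_stop"
    elif kind == "network_connect":
        # Host match is the strong signal; port 3838 alone is weaker but still worth flagging.
        if event.get("dest_host", "").lower() == C2_HOST or event.get("dest_port") == C2_PORT:
            return "hupigon_backdoor_connection"
    return None

def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (event type, indicator) pairs for every matching event, in order."""
    return [(e["type"], label) for e in events if (label := classify(e))]

# Constructed sample events (not real telemetry): four match, the last one is benign.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\netdde.exe"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\YYSvc\Start", "data": "2"},
    {"type": "process_create", "cmdline": "net1 stop SharedAccess"},
    {"type": "network_connect", "dest_host": "djisdj.vicp.net", "dest_port": 3838},
    {"type": "process_create", "cmdline": "net start Spooler"},
]

if __name__ == "__main__":
    for kind, label in triage(SAMPLE_EVENTS):
        print(f"{kind:16} -> {label}")
```

Matching on the `\yyserver` directory prefix and on any value under the YYSvc key keeps the check robust to the copies and value names the description lists, while the port-only network match should be treated as a weak signal on its own.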

    Analysis by Subratam Biswas

    Last update 09 February 2009

     
