Backdoor:Win32/Hupigon.FN
First posted on 11 October 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Hupigon.FN is also known as not-a-virus:NetTool.Win32.ZXProxy.a (Kaspersky), TR/Stealer.2ns1.A (Avira), Trojan.Popuper.40110 (Dr.Web), Win32/NetTool.ZxShell.A application (ESET), not-a-virus:NetTool.Win32.ZXProxy.a (Ikarus), BackDoor-EGR (McAfee), Hack.Win32.ArpCheater.b (Rising AV).
Explanation:
Backdoor:Win32/Hupigon.FN is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server on your computer.
Installation
Backdoor:Win32/Hupigon.FN drops a DLL file as "%SystemRoot%\system32\sdna.flasher.dll". This DLL file is also detected as Backdoor:Win32/Hupigon.FN.
It creates the following registry entries so that the DLL file automatically runs every time Windows starts:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%SystemRoot%\system32\sdna.flasher.dll"
Sets value: "ImagePath"
With data: "%SystemRoot%\System32\svchost.exe -k netsvcs"
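The persistence described above is a service hijack: the 6to4 service is left running under svchost.exe in the netsvcs group, but its ServiceDll is redirected to the dropped DLL, so the malicious code is loaded by a legitimate, signed host process. A defender can detect this by comparing every service's ServiceDll against a known-good baseline. The example below is added here and is not part of Microsoft's write-up: it parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` and reports each service whose data is missing from or differs from the baseline. The sample query output and the baseline values (including the 6to4svc.dll entry and the SampleUpdater service) are constructed for the example; a real baseline is captured from a known-clean host of the same Windows build.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
# The 6to4 entry reproduces the persistence path from the write-up; the other
# two services and their data are made-up entries shaped like real ones.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\sdna.flasher.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleUpdater\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\SampleUpdater\upd.dll
"""

# Expected ServiceDll data per service, keyed by lower-cased service name.
# These values are constructed for the example (assumption); capture a real
# baseline from a known-clean host of the same Windows build.
BASELINE: Dict[str, str] = {
    "6to4": r"%systemroot%\system32\6to4svc.dll",
    "schedule": r"%systemroot%\system32\schedsvc.dll",
}

# A value line in reg query output: indent, value name, type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Turn `reg query` output into (key, value name, data) triples."""
    entries: List[Tuple[str, str, str]] = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and current_key:
            entries.append((current_key, match.group(1), match.group(3).strip()))
    return entries


def service_name(key: str) -> str:
    """Extract <svc> from ...\Services\<svc>\Parameters (empty string if absent)."""
    parts = key.split("\\")
    lowered = [p.lower() for p in parts]
    if "services" in lowered:
        idx = lowered.index("services")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return ""


def audit_service_dlls(text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (service, ServiceDll data, reason) for each entry that deviates from baseline."""
    findings: List[Tuple[str, str, str]] = []
    for key, name, data in parse_reg_query(text):
        if name.lower() != "servicedll":
            continue
        svc = service_name(key)
        if not svc:
            continue
        expected = baseline.get(svc.lower())
        if expected is None:
            findings.append((svc, data, "service has no baseline entry"))
        elif expected != data.lower():
            findings.append((svc, data, f"ServiceDll differs from baseline {expected}"))
    return findings


if __name__ == "__main__":
    for svc, dll, reason in audit_service_dlls(SAMPLE_REG_QUERY, BASELINE):
        print(f"{svc}: {dll} ({reason})")
```

Because the hijacked 6to4 key still has a perfectly ordinary ImagePath, checking ImagePath alone misses this technique; the ServiceDll comparison is what catches it. Any service absent from the baseline is reported too, since a newly created svchost-hosted service is just as worth a look as a redirected one.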
Payload
Allows backdoor access and control
Backdoor:Win32/Hupigon.FN connects to a remote server to receive instructions from an attacker. It connects to the server at "8.8.ki" on port 53.
The commands it receives include, but are not limited to:
- Controlling Windows services: creating, deleting, starting, and stopping services, and modifying service settings
- Configuring Windows Terminal Services: enabling or disabling desktop sharing, modifying the listening port
- Opening a Windows console, with the attacker controlling input and output of the console
- Logging off, restarting, or shutting down the system
- Performing port scans
- Injecting a DLL into a specified process
- Creating a process with elevated privileges
- Listing the processes running on your computer
- Downloading or uploading arbitrary files
- Uninstalling itself
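The command channel above rides on port 53, the DNS port, which is often allowed outbound without inspection. Two things make it stand out on the network: the destination is not one of the organisation's approved resolvers, and a command session carries far more data than a DNS lookup. The example below is added here and is not part of Microsoft's write-up: it runs those checks, plus a match on the C2 host named in the write-up, over constructed connection-log lines. The CSV layout, the approved-resolver set, the byte threshold and the assumption that the sensor records a hostname in the destination column where it has one are all assumptions for the example.

```python
import csv
import io
from typing import Dict, List

# Indicators from the write-up: the host and port the backdoor contacts.
C2_HOSTS = {"8.8.ki"}
C2_PORT = 53

# Resolvers this (hypothetical) network is allowed to reach on port 53.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Bytes per session above which port-53 traffic no longer looks like ordinary
# DNS lookups; the threshold is an assumption to tune per environment.
LARGE_SESSION_BYTES = 4096

# Constructed connection-log sample (CSV): timestamp, source, destination,
# destination port, protocol, bytes transferred. The second line models the
# backdoor's session; the third models a similar pattern to an unrelated host.
SAMPLE_CONN_LOG = """\
ts,src,dst,dport,proto,bytes
2012-10-11T09:00:01Z,10.0.5.21,10.0.0.53,53,udp,212
2012-10-11T09:00:07Z,10.0.5.21,8.8.ki,53,tcp,18340
2012-10-11T09:01:30Z,10.0.5.22,203.0.113.9,53,tcp,9720
2012-10-11T09:02:00Z,10.0.5.23,10.0.1.53,53,udp,180
2012-10-11T09:03:15Z,10.0.5.24,198.51.100.7,443,tcp,52000
"""


def evaluate(record: Dict[str, str]) -> List[str]:
    """Return the list of reasons a single connection record is suspicious."""
    reasons: List[str] = []
    dst = record["dst"].lower()
    port = int(record["dport"])
    nbytes = int(record["bytes"])
    if dst in C2_HOSTS:
        reasons.append("destination matches the Hupigon.FN C2 host")
    if port == C2_PORT and dst not in APPROVED_RESOLVERS:
        reasons.append("port-53 traffic to a destination that is not an approved resolver")
    if port == C2_PORT and nbytes > LARGE_SESSION_BYTES:
        reasons.append(f"port-53 session moved {nbytes} bytes, far more than a DNS lookup")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Scan CSV connection records and collect those with at least one reason."""
    alerts: List[Dict[str, object]] = []
    for record in csv.DictReader(io.StringIO(log_text)):
        reasons = evaluate(record)
        if reasons:
            alerts.append({"ts": record["ts"], "src": record["src"],
                           "dst": record["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_CONN_LOG):
        print(alert["ts"], alert["src"], "->", alert["dst"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The host indicator only catches this specific sample; the two behavioural rules are what keep the detection useful when the C2 address changes, and they are cheapest to enforce at the egress firewall by allowing port 53 only to the approved resolvers in the first place.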
Analysis by Horea Coroiu
Last update 11 October 2012