
Backdoor.Hupigon


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Backdoor.Hupigon is also known as Backdoor.Graybird, Backdoor.Pigeon.

Explanation:

Hupigon is written in Delphi and is often packed with various packers: Hmimys, NsPack, Svkp, UPX, AsPack and others.

When first executed, Hupigon copies itself to another location (usually the Windows folder) and then deletes itself.
To ensure that it starts every time Windows starts, it installs its copy as a Windows service with the automatic startup type.

To hide its presence from process list viewers (taskmgr.exe, tasklist.exe ...), it starts a common Windows program (iexplore.exe, svchost.exe, services.exe ...) and overwrites that program's memory with its own code.
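Because the host program is started by the malware's own service rather than by its usual parent, process lineage is one place this hiding technique shows up. The following detection sketch is an added example, not part of the BitDefender write-up: it checks process-creation records (Sysmon Event ID 1 field names `Image` and `ParentImage`) for the three host programs named above. The expected-parent baseline and the sample records, including the path `C:\Windows\example_service.exe`, are assumptions constructed for illustration.

```python
import ntpath

# Host programs named in the write-up, mapped to the parents normally seen on
# a modern Windows install. Assumed baseline: tune it for your environment.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "iexplore.exe": {"explorer.exe", "iexplore.exe"},
}


def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def suspicious_hosts(events):
    """Return events where a watched host program has an unexpected parent."""
    hits = []
    for ev in events:
        allowed = EXPECTED_PARENTS.get(_name(ev["Image"]))
        if allowed is not None and _name(ev["ParentImage"]) not in allowed:
            hits.append(ev)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\services.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # A service binary in the Windows folder launching svchost.exe itself.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\example_service.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_hosts(SAMPLE_EVENTS):
        print("unexpected parent:", hit["ParentImage"], "->", hit["Image"])
```

A hit is a lead for triage rather than proof of infection, since the baseline differs between Windows versions and some legitimate software launches these programs directly.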

Some variants use user-level rootkit techniques: they inject a DLL into every process, and the DLL hooks some Windows APIs to hide the malware's components.

As a backdoor, it provides functionality such as downloading and executing programs, keylogging, remote shell, desktop capture and webcam capture.

Last update 21 November 2011

 
