
Backdoor:W32/Hupigon.OGA


First posted on 15 October 2008.
Source: SecurityHome

Aliases:

There are no other names known for Backdoor:W32/Hupigon.OGA.

Explanation:

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.

Upon execution, this Hupigon variant creates the following files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe

Only the file called "b.exe" is executed, which is detected as Backdoor:W32/Hupigon.OGA.

It modifies the driver %systemdir%\drivers\beep.sys with its own kernel rootkit component and executes it.

The modified beep.sys file is detected as Rootkit:W32/Agent.UI.

After the execution of Rootkit:W32/Agent.UI, Hupigon.OGA then restores the original data of the beep.sys file.

It then drops a copy of itself to the following directory:

  • %Programdir%\ime\sodata.exe

It executes sodata.exe as a driver.

The following Registry key is then created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data
    Type = dword:00000110
    Start = dword:00000002
    ErrorControl = dword:00000000
    ImagePath = "%programdir%\ime\sodata.exe"
    DisplayName = "Windows data"
    ObjectName = "LocalSystem"
    Description = "
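
As an added triage aid (not part of the original description), the following Python parses a .reg-style export of the Services key and flags subkeys that match the persistence entry listed above: the "Windows data" display name, an ImagePath ending in \ime\sodata.exe, and the interactive auto-start service type. The export text is constructed here, and the %programdir% placeholder is kept exactly as the description writes it.

```python
from typing import Dict, List

# Indicators taken from the description above (paths with the backslashes restored).
SUSPECT_DISPLAY_NAME = "Windows data"
SUSPECT_IMAGE_SUFFIX = r"\ime\sodata.exe"
SERVICE_INTERACTIVE_PROCESS = 0x100  # Win32 service-type flag; 0x110 = own process | interactive
SERVICE_AUTO_START = 2               # Start value: launch automatically at boot
# Constructed .reg-style sample: the key from the description plus a benign driver entry.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%programdir%\ime\sodata.exe"
"DisplayName"="Windows data"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="\SystemRoot\System32\drivers\beep.sys"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:  # {key_path: {name: raw_value}}
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip().strip('"')] = raw.strip()
    return keys

def reg_dword(raw: str) -> int:
    return int(raw[6:], 16) if raw.startswith("dword:") else 0

def reg_string(raw: str) -> str:
    return raw.strip('"').replace("\\\\", "\\")  # real exports escape \ as \\

def hupigon_service_reasons(values: Dict[str, str]) -> List[str]:
    """Explain why a Services subkey matches the persistence entry described above."""
    reasons = []
    if reg_string(values.get("DisplayName", "")) == SUSPECT_DISPLAY_NAME:
        reasons.append("DisplayName is 'Windows data'")
    if reg_string(values.get("ImagePath", "")).lower().endswith(SUSPECT_IMAGE_SUFFIX):
        reasons.append("ImagePath ends in \\ime\\sodata.exe")
    # Interactive + auto-start is weak alone, so it is only reported alongside a strong hit.
    svc_type, start = reg_dword(values.get("Type", "")), reg_dword(values.get("Start", ""))
    if reasons and svc_type & SERVICE_INTERACTIVE_PROCESS and start == SERVICE_AUTO_START:
        reasons.append("interactive Win32 service set to auto-start (Type=0x%x)" % svc_type)
    return reasons

def scan_services(keys: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:  # matches only
    return {k: r for k, v in keys.items() if (r := hupigon_service_reasons(v))}
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services` output from a host under investigation; only subkeys with at least one strong indicator are returned.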

Last update 15 October 2008
