Home / malwarePDF  

Backdoor:W32/Hupigon


First posted on 07 November 2007.
Source: SecurityHome

Aliases :

Backdoor:W32/Hupigon is also known as Backdoor.Graybird, Backdoor.Gpigeon.GEN, BKDR_HUPIGON.EVG, BDS/Hupigon.Gen, Mal/GrayBird.

Explanation :

Backdoor:W32/Hupigon is a family of backdoor trojans. It allows a remote user access to the computer.

The backdoor's file is a PE executable. It is very rare if the variant is smaller than 299kB. The kit used to make this family of malware has default settings to pack the code as UPX. Unpacked the code size is 710kB. Hupigons are written with Borland Delphi.

When the backdoor's file is started, it copies itself as a file named something similar to "Hacker.com.cn.exe" in the Windows System folder and then creates the following startup key value in the Registry:


And it creates these keys:


Overall, Hupigon variants have several different types of features. The following list is an example of some:


Typically, Hupigon clones itself to some installation path such as system32 and uses the following processes to make itself to look like a valid Windows program:


The kit that creates Hupigon variants has default settings to create mutexes. So many Hupigons have created mutexes which are in the following format:
The "xxx" being a variable. Example: Hacker.com.cn_MUTEX

The following strings can typically be found in a Hupigon variant:


Hupigon doesn't have any automatic mechanisms to spread itself, so it must be sent by its author via e-mail, through a website, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.

Last update 07 November 2007

 

TOP

Malware :

Family: