Backdoor:Win32/Hupigon.CK
First posted on 08 March 2020.
Source: Microsoft

Aliases:
Backdoor:Win32/Hupigon.CK is also known as Win-Trojan/Hupigon.303567, Win32/PEMask, Backdoor.Hupion.YCL, Backdoor.Win32.Hupigon.cvfk, BackDoor-AWQ, Hupigon.gen103, Mal/EncPk-AP, Mal_HPGN-1.
Explanation:
Backdoor:Win32/Hupigon.CK is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server on the host computer. Backdoor:Win32/Hupigon.CK tries to connect to different remote Web sites to send notification of the infection.

Installation
Win32/Hupigon.CK is installed by unwanted software or by visiting a malicious Web site. The trojan may be present as the following files:
winlogo.exe
netdde.exe
yyserver
During installation, a clean-up batch script file is dropped as 'deleteme.bat' and then run to delete the original trojan installer. The dropped copy of Hupigon.CK (winlogo.exe, netdde.exe) creates additional copies of the trojan as the following:
winlogo_.exe
netdde_.exe
The registry is modified with the addition of the following value and data, which registers the YYSvc service for automatic start (a Start value of 2 means SERVICE_AUTO_START):
Adds value: "Start"
With data: "2"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\YYSvc

Payload
Stops Internet Connection Firewall Service
Win32/Hupigon.CK tries to stop the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service by using the Windows utility net.exe (which hands the command to its helper net1.exe), as in the following example:
net1 stop SharedAccess
Opens Remote Access Port/Backdoor
Win32/Hupigon.CK attempts to connect to the remote Web site 'djisdj.vicp.net' using TCP port 3838. The backdoor component also requests access to physical memory.

Analysis by Subratam Biswas
Last update 08 March 2020
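The indicators in the installation and payload sections above (the dropped file names, the YYSvc service's Start value, the net1 stop SharedAccess command, and the connection to djisdj.vicp.net on TCP port 3838) translate directly into host-telemetry detection logic. The following Python is an added example written for this page, not code from Microsoft or from the Hupigon analysis. The event records it scans are constructed to mimic process-creation, file-creation, registry-set and network-connection telemetry; the field names (event, image, command_line, target, key, data, dest_host, dest_port) and the rule names are this example's own, not those of Sysmon or any other product.

```python
import json
import re

# Indicators taken from the write-up above.
DROPPED_FILES = {"winlogo.exe", "netdde.exe", "winlogo_.exe", "netdde_.exe", "deleteme.bat"}
SERVICE_KEY = r"hklm\system\currentcontrolset\services\yysvc"
C2_HOST = "djisdj.vicp.net"
C2_PORT = 3838
# net.exe delegates "stop" to net1.exe, so either binary name may appear.
STOP_ICF = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+sharedaccess\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def match_event(ev):
    """Return the name of the first Hupigon.CK rule the event matches, or None."""
    kind = ev.get("event")
    if kind == "process_create":
        cmd = ev.get("command_line", "")
        if STOP_ICF.search(cmd):
            return "hupigon_stop_icf_service"
        if _basename(ev.get("image", "")) in DROPPED_FILES:
            return "hupigon_dropped_file_executed"
        # deleteme.bat is run through the command interpreter, so also check arguments.
        if any(name in cmd.lower() for name in DROPPED_FILES):
            return "hupigon_dropped_file_executed"
    elif kind == "file_create":
        if _basename(ev.get("target", "")) in DROPPED_FILES:
            return "hupigon_dropped_file"
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        # Raw telemetry often records ControlSet001/002 instead of the CurrentControlSet link.
        key = re.sub(r"controlset\d+", "currentcontrolset", key)
        if key == SERVICE_KEY + r"\start" and str(ev.get("data")) in ("2", "0x2"):
            return "hupigon_yysvc_autostart"
    elif kind == "network_connect":
        host = ev.get("dest_host", "").lower()
        # The hostname is the indicator; the port strengthens the match but is not required.
        if host == C2_HOST:
            return "hupigon_c2_beacon" if ev.get("dest_port") == C2_PORT else "hupigon_c2_host"
    return None


def scan(log_text):
    """Scan newline-delimited JSON events; return (line_number, rule) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rule = match_event(json.loads(line))
        if rule:
            hits.append((lineno, rule))
    return hits


# Constructed sample telemetry (not a real capture) following the infection chain above.
SAMPLE_LOG = r'''
{"event": "file_create", "target": "C:\\Windows\\System32\\winlogo_.exe"}
{"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c deleteme.bat"}
{"event": "process_create", "image": "C:\\Windows\\System32\\net1.exe", "command_line": "net1 stop SharedAccess"}
{"event": "registry_set", "key": "HKLM\\SYSTEM\\ControlSet001\\Services\\YYSvc\\Start", "data": "2"}
{"event": "network_connect", "image": "C:\\Windows\\System32\\netdde.exe", "dest_host": "djisdj.vicp.net", "dest_port": 3838}
{"event": "process_create", "image": "C:\\Windows\\System32\\net1.exe", "command_line": "net1 stop Spooler"}
'''

if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule}")
```

The last sample line (stopping the Spooler service) is a benign net1 invocation and produces no hit, which is the point of matching the SharedAccess argument rather than net1.exe alone. Match on the hostname rather than a resolved address: vicp.net is a dynamic DNS service, so the IP behind djisdj.vicp.net cannot be relied on as a stable indicator.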