is a backdoor component of Win32/Hupigon
. It runs as a service and opens a backdoor server on the host computer. Backdoor:Win32/Hupigon.CK
tries to connect different remote Web sites to send notification of the infection.
Win32/Hupigon.CK is installed by potentially unwanted software or by visiting a malicious Web site. The trojan may be present as the following files:
During installation, a clean-up batch script file is dropped as '<system folder>\deleteme.bat' and then run to delete the original trojan installer. The dropped copy of Hupigon.CK ( winlogo.exe, netdde.exe ) creates additional copies of the trojan as the following:
The registry is modified with the addition of the following data and value.
Adds value: "Start"
With data: "2"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\YYSvc
Stops Internet Connection Firewall Service
Win32/Hupigon.CK tries to stop the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service by using Windows utility net.exe, as in the following example:
net1 stop SharedAccess
Opens Remote Access Port/Backdoor
Win32/Hupigon.CK attempts to connect the remote Web site 'djisdj.vicp.net' using TCP port 3838. The backdoor component also requests access to physical memory.
Analysis by Subratam Biswas
The following system changes may indicate the presence of this malware:
The presence of the following files:
The presence of the following registry subkey: