Backdoor:Win32/Hupigon.CK


Backdoor:Win32/Hupigon.CK is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server on the host computer. Backdoor:Win32/Hupigon.CK tries to connect to various remote Web sites to send notification of the infection.


What to do now

Manual removal is not recommended for this threat. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
Win32/Hupigon.CK is installed by other potentially unwanted software or when a user visits a malicious Web site. The trojan may be present as the following files:
 
<system folder>\winlogo.exe
<system folder>\netdde.exe
<system folder>\yyserver
 
During installation, a clean-up batch script file is dropped as '<system folder>\deleteme.bat' and then run to delete the original trojan installer. The dropped copy of Hupigon.CK (winlogo.exe, netdde.exe) creates additional copies of the trojan as the following:
 
<system folder>\winlogo_.exe
<system folder>\netdde_.exe
 
The registry is modified with the addition of the following value and data:
 
Adds value: "Start"
With data: "2"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\YYSvc
Payload
Stops Internet Connection Firewall Service
Win32/Hupigon.CK tries to stop the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service by using the Windows utility net.exe, as in the following example:
 
net1 stop SharedAccess
 
Opens Remote Access Port/Backdoor
Win32/Hupigon.CK attempts to connect to the remote Web site 'djisdj.vicp.net' on TCP port 3838. The backdoor component also requests access to physical memory.
 
Analysis by Subratam Biswas

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\winlogo.exe
    <system folder>\netdde.exe
    <system folder>\yyserver
  • The presence of the following registry subkey:
    HKLM\SYSTEM\CurrentControlSet\Services\YYSvc
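As an added example (not part of the Microsoft write-up), the following read-only PowerShell triage script checks a host for the indicators listed on this page: the dropped files, the YYSvc service subkey, the stopped SharedAccess service, and an outbound connection on TCP port 3838. It assumes an elevated prompt on a Windows version that ships Get-NetTCPConnection (Windows 8/Server 2012 or later).

```powershell
# Added example, not Microsoft's code: read-only check for Backdoor:Win32/Hupigon.CK indicators.
$sys = [Environment]::SystemDirectory   # resolves "<system folder>", e.g. C:\Windows\System32
$findings = @()

# 1. Dropped files named in the write-up, including the "_" copies and the clean-up batch file.
$files = 'winlogo.exe','netdde.exe','yyserver','winlogo_.exe','netdde_.exe','deleteme.bat'
foreach ($f in $files) {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += "File present: $p ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 2. Service registration: HKLM\SYSTEM\CurrentControlSet\Services\YYSvc with Start = 2 (automatic start).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\YYSvc'
if (Test-Path -LiteralPath $svcKey) {
    $props = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
    $findings += "Registry subkey present: $svcKey (Start=$($props.Start), ImagePath=$($props.ImagePath))"
}

# 3. The payload stops SharedAccess (ICF/ICS). A stopped service alone is weak evidence,
#    so it is only reported as a supporting indicator.
$fw = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($fw -and $fw.Status -ne 'Running') {
    $findings += "SharedAccess (ICF/ICS) service is $($fw.Status)"
}

# 4. Outbound connection to the port named in the write-up (3838). The C2 host is a dynamic-DNS
#    name, so match on the remote port and report the owning process for analyst review.
Get-NetTCPConnection -RemotePort 3838 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP connection to $($_.RemoteAddress):3838 by PID $($_.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Hupigon.CK indicators found.'
} else {
    Write-Warning 'Possible Backdoor:Win32/Hupigon.CK indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A positive result warrants a full scan with an up-to-date removal tool as the write-up advises; the script only reports and changes nothing on the host.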

Prevention


Alert level: Severe
First detected by definition: 1.49.643.0
Latest detected by definition: 1.179.1354.0 and higher
First detected on: Dec 17, 2008
This entry was first published on: Feb 02, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Hupigon.303567 (AhnLab)
  • Win32/PEMask (AVG)
  • Backdoor.Hupion.YCL (BitDefender)
  • Backdoor.Win32.Hupigon.cvfk (Kaspersky)
  • BackDoor-AWQ (McAfee)
  • Hupigon.gen103 (Norman)
  • Mal/EncPk-AP (Sophos)
  • Mal_HPGN-1 (Trend Micro)