Backdoor:Win32/Hupigon.FK is a member of Win32/Hupigon, a family of backdoor trojans. A Win32/Hupigon infection typically includes a dropper component (TrojanDropper:Win32/Hupigon) and two to three additional files that the dropper installs. These additional files include Backdoor:Win32/Hupigon, the main backdoor component, and Backdoor:Win32/Hupigon!hook, a stealth component that hides files and processes associated with Win32/Hupigon. The trojan dropper may also install PWS:Win32/Hupigon, a plugin that logs keystrokes and steals passwords. Win32/Hupigon may support other malicious plugins as well.
The dropped component may be moved to the same folder where the trojan TrojanDropper:Win32/Agent.RH is stored (as a file named "NetBios"). During installation, the trojan modifies its export function "QgptkagOckl" so that it is exposed as "ServiceMain" through its entry point, which causes the Windows system process "Svchost.exe" to invoke the "ServiceMain" function on every system start.
The trojan also creates a global mutex named "Global\\cyl %d", where %d is a random number.
Allows limited remote access and control
Backdoor:Win32/Hupigon.FK allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Hupigon.FK. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
Backdoor:Win32/Hupigon.FK creates a shared file mapping named "_kaspersky". It also installs a "WH_GETMESSAGE" hook procedure that monitors messages posted to the message queue.
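An added host-triage check for two of the artefacts named above (example code, not part of the original analysis): it looks for a svchost-hosted service whose ServiceDll is named "NetBios*" and for the "_kaspersky" shared file mapping. It assumes an elevated PowerShell session on the host being examined and that the mapping was created in the caller's session namespace.

```powershell
# Added triage example, not code from the original advisory.
function Test-HupigonFKArtifacts {
    $findings = @()

    # svchost-hosted services register their DLL in the ServiceDll value under
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters. Flag any whose
    # file name matches the "NetBios" name the dropper uses.
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $image = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image -notmatch 'svchost\.exe') { continue }

        $paramsKey = Join-Path $svc.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        if ((Split-Path $dllPath -Leaf) -like 'NetBios*') {
            $findings += [pscustomobject]@{
                Indicator = 'ServiceDll'
                Service   = $svc.PSChildName
                Detail    = $dllPath
            }
        }
    }

    # The backdoor creates a shared file mapping named "_kaspersky". Opening a
    # mapping by name succeeds only if some process has already created it;
    # an access-denied error also means it exists.
    try {
        $map = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting('_kaspersky')
        $map.Dispose()
        $findings += [pscustomobject]@{ Indicator = 'FileMapping'; Service = ''; Detail = '"_kaspersky" mapping is present' }
    } catch [System.IO.FileNotFoundException] {
        # Mapping does not exist: nothing to report.
    } catch [System.UnauthorizedAccessException] {
        $findings += [pscustomobject]@{ Indicator = 'FileMapping'; Service = ''; Detail = '"_kaspersky" mapping exists (access denied)' }
    }

    # The mutex "Global\cyl <random number>" cannot be opened by name without
    # knowing the number; check it with a handle-enumeration tool instead.
    return $findings
}

Test-HupigonFKArtifacts | Format-Table -AutoSize
```

An empty table means neither artefact was found on this host; a hit is a starting point for further triage, not proof of infection on its own.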
Analysis by Jingli Li
Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.