 

Backdoor:Win32/Hupigon.FK


Backdoor:Win32/Hupigon.FK is a member of Win32/Hupigon - a family of backdoor trojans. A Win32/Hupigon infection typically includes a dropper component (Trojandropper:Win32/Hupigon) and two to three additional files that the dropper installs. These additional files include Backdoor:Win32/Hupigon, the main backdoor component, and Backdoor:Win32/Hupigon!hook, a stealth component that hides files and processes associated with Win32/Hupigon. The trojan dropper may also install PWS:Win32/Hupigon, a plugin that logs keystrokes and steals passwords. Win32/Hupigon may support other malicious plugins as well.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
This trojan is installed by TrojanDropper:Win32/Agent.RH as a DLL trojan component in the Windows recycle bin as the following:
 
\recycler\<file name>.dll
 
The dropped component may be moved to the same folder in which the dropper TrojanDropper:Win32/Agent.RH is stored, as a file named "NetBios". During installation, the trojan renames its export function "QgptkagOckl" to "ServiceMain", reached through its entry point, so that the Windows system process "svchost.exe" invokes the "ServiceMain" function on every system start.
 
The trojan also creates a global mutex named "Global\\cyl %d", where %d is a random number.
Payload
Allows limited remote access and control
Backdoor:Win32/Hupigon.FK allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Hupigon.FK. This could include, but is not limited to, the following actions:
  • Download and execute arbitrary files
  • Upload files
  • Spread to other computers using various methods of propagation
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files
 
Backdoor:Win32/Hupigon.FK creates a shared file mapping named "_kaspersky". It also installs a WH_GETMESSAGE hook procedure that monitors messages posted to the message queue.
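As an added illustration, not part of this write-up or of any Microsoft tooling, the following script shows how a responder could turn the indicators from the Installation and Payload sections (a service DLL dropped under \recycler\ or named "NetBios", the "Global\\cyl %d" mutex and the "_kaspersky" file mapping) into a host-triage check. The function names and the sample registry and handle-listing data are constructed for the example; on a real host the inputs would come from the Services registry keys and a named-object listing.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up above; the matchers themselves are hypothetical.
# A Win32 name "Global\cyl 123" appears under \BaseNamedObjects\ in an NT object listing.
MUTEX_RE = re.compile(r"^(?:\\BaseNamedObjects\\|Global\\)?cyl \d+$")  # "Global\\cyl %d"
SECTION_NAME = "_kaspersky"                                             # shared file mapping
RECYCLER_RE = re.compile(r"\\recycler\\[^\\]+\.dll$", re.IGNORECASE)    # \recycler\<file name>.dll
NETBIOS_RE = re.compile(r"\\netbios(\.dll)?$", re.IGNORECASE)           # dropped copy named "NetBios"


@dataclass(frozen=True)
class Finding:
    kind: str     # which indicator fired
    source: str   # service name or object type
    detail: str   # the matched path or object name


def check_service_dlls(service_dlls):
    """service_dlls: mapping of service name -> ServiceDll path (svchost-hosted services)."""
    findings = []
    for svc, path in service_dlls.items():
        if RECYCLER_RE.search(path):
            findings.append(Finding("service_dll_in_recycler", svc, path))
        elif NETBIOS_RE.search(path):
            findings.append(Finding("service_dll_named_netbios", svc, path))
    return findings


def check_named_objects(objects):
    """objects: iterable of (object_type, name) tuples, e.g. from a handle/object listing."""
    findings = []
    for obj_type, name in objects:
        if obj_type == "Mutant" and MUTEX_RE.match(name):
            findings.append(Finding("hupigon_mutex", obj_type, name))
        elif obj_type == "Section" and name.rsplit("\\", 1)[-1] == SECTION_NAME:
            findings.append(Finding("hupigon_section", obj_type, name))
    return findings


def scan(service_dlls, objects):
    """Combine both checks into one list of findings for the host."""
    return check_service_dlls(service_dlls) + check_named_objects(objects)


# Constructed sample input: one benign service plus the two suspicious layouts described above.
SAMPLE_SERVICE_DLLS = {
    "Dnscache": r"%SystemRoot%\System32\dnsrslvr.dll",
    "svcmgr": r"C:\recycler\qsvc.dll",
    "netbios": r"C:\Users\Public\NetBios",
}
# Constructed named-object listing: two matches and two look-alikes that must not fire.
SAMPLE_OBJECTS = [
    ("Mutant", r"\BaseNamedObjects\cyl 48213"),
    ("Mutant", r"\BaseNamedObjects\cylinder 1"),
    ("Section", r"\BaseNamedObjects\_kaspersky"),
    ("Section", r"\BaseNamedObjects\windows_shell_global_counters"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SERVICE_DLLS, SAMPLE_OBJECTS):
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

The mutex check deliberately requires the literal "cyl " followed only by digits so that unrelated names sharing the prefix do not trigger it; a hit on any single indicator is a reason to pull the DLL for analysis rather than a verdict on its own.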

Analysis by Jingli Li

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.95.1172.0
Latest detected by definition: 1.169.2371.0 and higher
First detected on: Dec 04, 2010
This entry was first published on: Dec 03, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TR/PSW.Magania.cxyx (Avira)
  • Trojan-GameThief.Win32.Magania.cxyx (Kaspersky)
  • BackDoor-EPK (McAfee)
  • Backdoor.Win32.Drwolf.hnc (Rising AV)
  • TROJ_GAMETH.SML1 (Trend Micro)