Backdoor:Win32/Hupigon


Backdoor:Win32/Hupigon is the main backdoor component of Win32/Hupigon, a family of backdoor Trojans. TrojanDropper:Win32/Hupigon registers this component as a service. The service then opens a backdoor server that allows other computers to connect to and control the infected computer in various ways.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Backdoor:Win32/Hupigon is the main backdoor component of Win32/Hupigon, a family of backdoor Trojans. A Win32/Hupigon infection includes TrojanDropper:Win32/Hupigon and two to three dynamic-link library (DLL) files that the dropper installs.
 
TrojanDropper:Win32/Hupigon copies itself to the Windows system folder and runs itself from there. The Trojan dropper then drops the following DLL files:
  • Backdoor:Win32/Hupigon. This is the main backdoor component of Win32/Hupigon. TrojanDropper:Win32/Hupigon registers this component as a service. The service opens a backdoor server that allows other computers to connect to and control the infected computer in various ways. Backdoor:Win32/Hupigon connects to a specified Web site to notify the attacker of the infection. This backdoor component may have other functionality, such as the ability to host a telnet server and the means to spy on the user by connecting to a video source such as a Web cam through the Windows API functions for audio-video interleave (AVI) capture.
  • Backdoor:Win32/Hupigon!hook. This is the stealth component of Win32/Hupigon. This component hides files and processes associated with Win32/Hupigon by intercepting certain Windows API function calls. Backdoor:Win32/Hupigon!hook is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
 
TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It too is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
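
The injection pattern described above (a binary running from the Windows system folder that uses CreateRemoteThread against several other processes) can be hunted in process telemetry. The following is an added example, not part of the original entry and not Microsoft's detection logic. It assumes events shaped like Sysmon Event ID 8 (CreateRemoteThread) records; the sample events, the file name example_dropper.exe, the allowlist and the threshold are constructed for illustration.

```python
# Added example: flag CreateRemoteThread activity matching the dropper behaviour above.
# Events mimic Sysmon Event ID 8 (CreateRemoteThread) fields; all values are constructed.
import ntpath
from collections import defaultdict

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: system binaries expected to create remote threads legitimately.
ALLOWLIST = {"csrss.exe", "svchost.exe", "lsass.exe", "wininit.exe"}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\example_dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\example_dropper.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Debugger\dbg.exe",
     "TargetImage": r"C:\Users\dev\app.exe"},
    {"EventID": 1, "SourceImage": r"C:\Windows\System32\example_dropper.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe"},
]


def suspicious_injectors(events, min_targets=2):
    """Return {source_image: sorted target images} for non-allowlisted
    system-folder binaries that created threads in >= min_targets processes."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 8:      # only CreateRemoteThread events
            continue
        src = ev["SourceImage"].lower()
        dst = ev["TargetImage"].lower()
        if src == dst:                   # a process targeting itself is not injection
            continue
        folder, name = ntpath.split(src)
        if folder not in SYSTEM_DIRS or name in ALLOWLIST:
            continue
        targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, dsts in suspicious_injectors(SAMPLE_EVENTS).items():
        print(f"{src} created remote threads in: {', '.join(dsts)}")
```

Because the stealth component hides files and processes from tools running on the infected computer, a check like this is most useful against events already forwarded to a separate log collector.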

Symptoms

Win32/Hupigon hides its files and processes. A manual system inspection may not readily show signs of a Win32/Hupigon infection. It is best to use an up-to-date antivirus scanner or the Microsoft Windows Malicious Software Removal Tool to detect a Win32/Hupigon infection.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.191.758.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Mar 27, 2006
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • BKDR_HUPIGON (Trend Micro)
  • Win32/Pigeon (CA)
  • Backdoor.Win32.Hupigon (Kaspersky)
  • W32/Hupigon (Norman)
  • Troj/Feutel (Sophos)