Microsoft security software detects and removes this backdoor trojan. Backdoor trojans can give a remote attacker access and control of your computer.

If you have Microsoft security software you should download the latest updates.

Installation

Backdoor:Win32/Hupigon.CN drops and runs a copy of itself in the <system folder> and %APPDATA% folders as follows:

• <system folder> \taskmrg.exe (not taskmgr.exe)
• <system folder> \windows.exe
• <system folder> \ windowsapplication1.exe
• %APPDATA% \svchost.exe
• %APPDATA% \svchost.exe\multistarter.exe

The copies have the read-only and hidden attributes set.

The trojan modifies the following registry entries to ensure that it runs when Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Policies"
With data: "<system folder>\windows.exe"

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<random alphanumeric characters> for example, "HKLM\Software\Microsoft\Active Setup\Installed Components\2DW0SJYE-LCXY-1KR2-V0J8-4JW360NX073R"
Sets value: "StubPath"
With data: "<system folder>\windows.exe restart"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "Policies"
With data: "<system folder>\server.exe"

Payload

Allows backdoor access and control

Backdoor:Win32/Hupigon.CN allows unauthorized access and control of your computer. An attacker can perform a number of different actions once your computer is infected and connected to the internet or a network. This includes:

• Downloading files
• Uploading files to another computer or FTP server
• Logging keystrokes or stealing sensitive data
• Changing the way your computer works
• Running or terminating applications
• Deleting files

Steals information

This backdoor allows a remote attacker to steal sensitive information in a number of ways, including: 

• Controlling and taking screenshots of your desktop
• Turning on your microphone to listen to and record you
• Controlling your web camera
• Recording your personal information such as usernames, passwords and the websites visited
• Controlling and seeing your clipboard content
• Searching files and directories
• Collecting a list of: 
• drives
• archives
• shared drives
• active processes
• services
• window titles

Changes the way your computer works

An attacker can use this backdoor to change the way your computer works. For example, they can:

• Install and uninstall any programs they choose
• Run or execute DOS commands
• Delete, rename, and change file attributes
• Preventing you from seeing or using the taskbar, start button, system tray icons, and desktop icons
• Redirecting your web browser to or from any website

Controls your computer

This backdoor allows an attacker to remotely take control of your computer. This means they can: 

• Open a web browser with or without your knowledge 
• Close, suspend or resume processes
• Start, stop, disable or delete services
• Open and close your CD drive
• Restart, log off, hibernate and shut down your computer
• Launch a distributed denial of service (DDoS) attack, using user datagram protocol (UDP) flooding
• Stop security processes, such as malware detection and removal tools. Additional information includes a list of all the security processes affected by this backdoor.

Additional information

Backdoor:Win32/Hupigon.CN creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:

• _x_X_UPDATE_X_x_
• _x_X_PASSWORDLIST_X_x_
• _x_X_BLOCKMOUSE_X_x_
• ***MUTEX***
• ***MUTEX***_PERSIST
• asdfg12345
• asdfg12345_PERSIST
• Administrator5
• SPY_NET_RATMUTEX

This backdoor has been seen to block the following security processes:

• a2service.exe
• almon.exe
• ashdisp.exe
• avesvc.exe
• avfwsvc.exe
• avgcc.exe
• avgnt.exe
• avgrsx.exe
• AVKWCtl.exe
• AVKWCtlX64.exe
• avp.exe
• bdss.exe
• ca.exe
• ccapp.exe
• cclaw.exe
• ccSvcHst.exe
• ClamWin.exe
• cpf.exe
• dvpapi.exe
• egui.exe
• ekrn.exe
• ewidoctrl.exe
• fssm32.exe
• GDFwSvc.exe
• GDFwSvcx64.exe
• issvc.exe
• kavpf.exe
• kavsvc.exe
• kpf4ss.exe
• mbam.exe
• mcshield.exe
• mpfservice.exe
• nod32krn.exe
• npfmsg.exe
• oacat.exe
• op_mon.exe
• outpost.exe
• pavfires.exe
• pccntmon.exe
• persfw.exe
• PSUNMAIN.exe
• smc.exe
• spider.exe
• SSScheduler.exe
• tnbutil.exe
• tpsrv.exe
• Vba32arkit.exe
• vsmon.exe
• vsserv.exe

• Anti MalwareBytes
• AntiVir
• A-squared
• Authentium Antivirus
• Avast Antivirus
• AVG
• AVG Antivirus
• Avira AntiVir
• Avira Security Suite
• BitDefender
• Bull Guard Antivirus
• ClamWin
• Comodo Firewall
• Dr.Web
• ESET Nod32
• ESET Smart Secutity
• eTrust EZ Firewall
• Ewido Security Suite
• F-Secure
• F-Secure Internet Security
• G-Data
• Kaspersky
• Kaspersky Antihacker
• Kaspersky Internet Security
• Kerio Personal Firewall
• McAfee Personal Firewall
• McAfee VirusScan
• Mcfee Security Scan
• Nod32
• Norman
• Norman Personal Firewall
• Norton
• Norton Anti Virus
• Norton Personal Firewall
• Online Armor
• Outpost Firewall pro
• Outpost Personal Firewall
• Panda Antivirus
• Panda Anti-Virus
• Panda Cloud Antivirus
• Panda Internet Security Suite
• PC-cillin Antivirus
• Sophos
• Sygate Personal Firewall
• Symantec
• Tiny Personal Firewall
• VBA32
• ZoneAlarm

Analysis by Zarestel Ferrer