Backdoor:Win32/Hupigon.EX


Backdoor:Win32/Hupigon.EX is a member of Win32/Hupigon - a family of backdoor trojans. A Win32/Hupigon infection typically includes a dropper component (TrojanDropper:Win32/Hupigon) and two to three additional files that the dropper installs. These additional files include Backdoor:Win32/Hupigon, the main backdoor component, and Backdoor:Win32/Hupigon!hook, a stealth component that hides files and processes associated with Win32/Hupigon. The trojan dropper may also install PWS:Win32/Hupigon, a plugin that logs keystrokes and steals passwords. Win32/Hupigon may support other malicious plugins as well.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior


Installation

Backdoor:Win32/Hupigon.EX creates the following files on an affected computer:

  • <system folder>\tcpwalnlib.exe - detected as Backdoor:Win32/Hupigon.EX

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP, Vista, and 7.

Payload

Allows backdoor access and control
Backdoor:Win32/Hupigon.EX allows unauthorized access to and control of an affected computer. Using it, an attacker can perform many different actions, including but not limited to the following:

  • Execute FTP commands
  • Execute commands from the command prompt
  • Add, delete, and modify registry entries
  • Download and execute files

Analysis by Francis Allan Tan Seng


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • <system folder>\tcpwalnlib.exe
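The following PowerShell script is an added example for checking a host against the single file indicator given in the Installation and Symptoms sections above; it is not part of the original entry and is not a Microsoft tool. It resolves <system folder> by asking the operating system, as the note above describes the malware doing, then reports the file, any running process loaded from that path, and any service whose binary path references the file name. The process and service checks are general triage steps added here as assumptions; the page itself names only the file. It assumes PowerShell 4.0 or later (for Get-FileHash and Get-CimInstance) and should be run from an elevated prompt.

```powershell
# Added example, not from the MMPC entry: triage a Windows host for the
# Backdoor:Win32/Hupigon.EX file indicator <system folder>\tcpwalnlib.exe.
# Process and service checks below are assumptions (general triage), not page content.

$fileName = 'tcpwalnlib.exe'

# Resolve <system folder> by querying the OS, as the page describes the malware doing.
# Yields C:\Windows\System32 on XP/Vista/7 and C:\Winnt\System32 on NT/2000.
$systemFolder = [Environment]::SystemDirectory
$target = Join-Path $systemFolder $fileName

$findings = @()

# 1. The file indicator named on the page.
if (Test-Path -LiteralPath $target) {
    $item = Get-Item -LiteralPath $target -Force
    $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    $findings += "File present: $target (size $($item.Length) bytes, SHA256 $hash, created $($item.CreationTimeUtc) UTC)"
}

# 2. Assumed check: a running process whose image is that path. Process.Path is only
#    populated for processes the caller can open, so run elevated.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $target) } |
    ForEach-Object { $findings += "Running process: PID $($_.Id) $($_.Path)" }

# 3. Assumed check: a service whose binary path references the file name.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -imatch [regex]::Escape($fileName)) } |
    ForEach-Object { $findings += "Service: $($_.Name) -> $($_.PathName)" }

if ($findings.Count -eq 0) {
    Write-Output "No $fileName indicator found under $systemFolder."
} else {
    Write-Warning "Possible Backdoor:Win32/Hupigon.EX indicators on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A negative result from this script is not conclusive: the family's Backdoor:Win32/Hupigon!hook component hides files and processes associated with Win32/Hupigon, so Test-Path and Get-Process may return nothing on an infected machine. Treat a clean result as a reason to scan the disk from boot media or another offline environment, not as proof the host is clean, and record the SHA256 before cleaning so the sample can be correlated with the aliases listed at the end of this entry.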

Prevention


Alert level: Severe
First detected by definition: 1.109.66.0
Latest detected by definition: 1.173.2373.0 and higher
First detected on: Jul 21, 2011
This entry was first published on: Jun 22, 2011
This entry was updated on: Aug 10, 2011

This threat is also detected as:
  • W32/Redosdru.LS (Norman)
  • Mal/ResDro-B (Sophos)
  • BKDR_RBOT.SMB (Trend Micro)