Backdoor:Win32/Hupigon.EX is a member of Win32/Hupigon, a family of backdoor trojans. A Win32/Hupigon infection typically includes a dropper component (TrojanDropper:Win32/Hupigon) and two to three additional files that the dropper installs. These additional files include Backdoor:Win32/Hupigon, the main backdoor component, and Backdoor:Win32/Hupigon!hook, a stealth component that hides files and processes associated with Win32/Hupigon. The trojan dropper may also install PWS:Win32/Hupigon, a plugin that logs keystrokes and steals passwords. Win32/Hupigon may support other malicious plugins as well.
The malware creates the following files on an affected computer:
- <system folder>\tcpwalnlib.exe - detected as Backdoor:Win32/Hupigon.EX
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default installation location for the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
Allows backdoor access and control
Backdoor:Win32/Hupigon.EX allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Hupigon.EX. This could include, but is not limited to, the following actions:
- Execute FTP commands
- Execute commands from the command prompt
- Add, delete, and modify registry entries
- Download and execute files
Analysis by Francis Allan Tan Seng
The following system changes may indicate the presence of this malware:
- The presence of the following files:
  - <system folder>\tcpwalnlib.exe
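
The file indicator above can be checked on a mounted disk image during offline triage. The following is an added example, not part of the original analysis: it looks in the default system folders named in the note, matching names case-insensitively, and reports the size and SHA-256 of any hit so it can be compared against a scanner verdict. The SysWOW64 candidate, the function names and the sample bytes are assumptions made for this example.

```python
import hashlib
import os
import tempfile

INDICATOR_NAME = "tcpwalnlib.exe"          # file name from the page
# Default system folders named on the page, plus SysWOW64 (added assumption:
# a 32-bit process on 64-bit Windows has System32 writes redirected there).
SYSTEM_DIRS = [("Windows", "System32"), ("Windows", "SysWOW64"),
               ("Winnt", "System32")]
SAMPLE_BYTES = b"MZ constructed placeholder, not malware"  # constructed

def find_child(parent, name):
    """Case-insensitive lookup of `name` inside directory `parent`."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:          # missing or unreadable directory
        pass
    return None

def find_indicator(volume_root):
    """Return path, size and SHA-256 for every copy found under volume_root."""
    hits = []
    for parts in SYSTEM_DIRS:
        current = volume_root
        for part in parts + (INDICATOR_NAME,):
            current = find_child(current, part)
            if current is None:
                break
        if current is not None and os.path.isfile(current):
            with open(current, "rb") as fh:
                data = fh.read()
            hits.append({"path": current, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return hits

def demo():
    """Scan a constructed tree that mimics a mounted XP-era volume."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "TCPWALNLIB.EXE"), "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return find_indicator(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A file name match is only a lead: confirm a hit with an up-to-date scanner before treating the system as infected, and do not treat a miss as a clean result.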