Microsoft security software detects and removes this family of threats.
This family of backdoor trojans can steal your personal information, such as your online user names and passwords. They can also give a malicious hacker access and control of your PC.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Hupigon is a family of backdoor Trojans. A Win32/Hupigon infection includes TrojanDropper:Win32/Hupigon and two to three dynamic-link library (DLL) files that the dropper installs.
TrojanDropper:Win32/Hupigon copies itself to the Windows system folder and runs itself from there. The Trojan dropper then drops the following DLL files: 
  • Backdoor:Win32/Hupigon. This is the main backdoor component of Win32/Hupigon. TrojanDropper:Win32/Hupigon registers this component as a service. The service opens a backdoor server that allows other computers to connect to and control the infected computer in various ways. Backdoor:Win32/Hupigon connects to a specified Web site to notify the attacker of the infection. This backdoor component may have other functionality, such as the ability to host a telnet server and the means to connect to a video source such as a Web cam to spy on the user using Windows API functions for audio-video interleave (AVI) capture.
  • Backdoor:Win32/Hupigon!hook. This is the stealth component of Win32/Hupigon. This component hides files and processes associated with Win32/Hupigon by intercepting certain Windows API function calls. Backdoor:Win32/Hupigon!hook is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It too is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.


Alerts from your security software may be the only symptom.


Alert level: High
This entry was first published on: Jun 26, 2006
This entry was updated on: May 13, 2014

This threat is also detected as:
No known aliases