Threat behavior
Backdoor:Win32/Hupigon is the main backdoor component of Win32/Hupigon, a family of backdoor Trojans. A Win32/Hupigon infection includes TrojanDropper:Win32/Hupigon and two to three dynamic-link library (DLL) files that the dropper installs.
TrojanDropper:Win32/Hupigon copies itself to the Windows system folder and runs itself from there. The Trojan dropper then drops the following DLL files:
- Backdoor:Win32/Hupigon. This is the main backdoor component of Win32/Hupigon. TrojanDropper:Win32/Hupigon registers this component as a service. The service opens a backdoor server that allows other computers to connect to and control the infected computer in various ways. Backdoor:Win32/Hupigon connects to a specified Web site to notify the attacker of the infection. This backdoor component may have other functionality, such as the ability to host a telnet server and the means to connect to a video source such as a Web cam to spy on the user using Windows API functions for audio-video interleave (AVI) capture.
- Backdoor:Win32/Hupigon!hook. This component provides stealth for Win32/Hupigon. This component hides files and processes associated with Win32/Hupigon by intercepting certain Windows API function calls. Backdoor:Win32/Hupigon!hook is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
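The behavior described above (a file running from the Windows system folder, a new service, and DLL injection into other processes with CreateRemoteThread) can be hunted for by correlating two event types. The following is an added example, not part of the original page: it assumes Sysmon Event ID 8 (CreateRemoteThread) and System log Event ID 7045 (service installed) are collected, and the flat record layout, host names, file names, system folder path and allowlist are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_DIR = "c:\\windows\\system32\\"   # assumed Windows system folder
ALLOWLIST = {SYSTEM_DIR + "csrss.exe"}   # illustrative only; tune per environment

# Constructed events, not taken from a real host. "id" 8 mirrors Sysmon
# CreateRemoteThread and 7045 the System log "service installed" event;
# the flat dict layout is an assumption of this example.
EVENTS = [
    {"id": 7045, "host": "PC1", "time": "2024-01-01T10:00:05", "ServiceName": "ExampleSvc"},
    {"id": 8, "host": "PC1", "time": "2024-01-01T10:00:09",
     "SourceImage": r"C:\Windows\System32\sample_dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"id": 8, "host": "PC1", "time": "2024-01-01T10:00:11",
     "SourceImage": r"C:\Windows\System32\sample_dropper.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"id": 8, "host": "PC1", "time": "2024-01-01T10:00:12",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"id": 8, "host": "PC2", "time": "2024-01-01T11:00:00",
     "SourceImage": r"C:\Windows\System32\sample_dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

def find_suspects(events, window=timedelta(minutes=5), min_targets=2):
    """Return sorted (host, service, source image, targets) tuples where one
    system-folder image created remote threads in several other processes
    within `window` of a service install on the same host."""
    installs, threads = defaultdict(list), defaultdict(list)
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 7045:
            installs[e["host"]].append((when, e["ServiceName"]))
        elif e["id"] == 8:
            src, dst = e["SourceImage"].lower(), e["TargetImage"].lower()
            # Keep only non-allowlisted system-folder sources hitting another image.
            if src.startswith(SYSTEM_DIR) and src not in ALLOWLIST and src != dst:
                threads[(e["host"], src)].append((when, dst))
    hits = []
    for (host, src), seen in threads.items():
        for installed, service in installs[host]:
            targets = sorted({d for t, d in seen if abs(t - installed) <= window})
            if len(targets) >= min_targets:
                hits.append((host, service, src, tuple(targets)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_suspects(EVENTS):
        print(hit)
```

A hit is a lead for triage, not a verdict: legitimate software also creates remote threads, so the allowlist and thresholds need tuning against a baseline of the environment.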
Prevention
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.