Threat behavior
Backdoor:Win32/Hupigon.DZ is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server on the host computer. Backdoor:Win32/Hupigon.DZ tries to connect to different remote Web sites to send notification of the infection.
Installation
This trojan component may be installed by other malicious software. It has a file icon resembling a picture image, possibly to trick the user into running the trojan. The trojan component Backdoor:Win32/Hupigon.DZ may first be copied as a randomly-named file in the Temporary files folder and then copied as the following:
%ProgramFiles%\Common Files\Microsoft Shared\Source Engine\bmms
It creates a service to run the malware component at each Windows start. The following registry data may be created as an indication of the presence of the trojan component:
Sets value: "99999"
With data: <Backdoor:Win32/Hupigon.DZ installation file path>
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
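A host check for the indicators listed above, as an added example that is not part of the original entry. The file path, value name and subkey come from the entry; checking the 32-bit (x86 / Wow6432Node) locations and matching services by ImagePath are assumptions of this example, since the entry gives no service name.

```powershell
# Added example: look for the Backdoor:Win32/Hupigon.DZ indicators named in this entry.
# Checking the 32-bit (x86 / Wow6432Node) views is an assumption of this example.
$relPath   = 'Common Files\Microsoft Shared\Source Engine\bmms'
$valueName = '99999'
$findings  = @()

# 1. Dropped copy under %ProgramFiles% (and the x86 folder, if present)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $path = Join-Path $root $relPath
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $path }
    }
}

# 2. Value "99999" under the Setup subkey; its data is the installation file path
$setupKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Setup',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Setup'
)
foreach ($key in $setupKeys) {
    $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{ Indicator = 'Registry'; Detail = "$key\$valueName = $($prop.$valueName)" }
    }
}

# 3. Any service whose ImagePath points at the dropped file (the entry gives no service name)
$services = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $image = $svc.GetValue('ImagePath')
    if ($image -and $image -like "*\$relPath*") {
        $findings += [pscustomobject]@{ Indicator = 'Service'; Detail = "$($svc.PSChildName): $image" }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Backdoor:Win32/Hupigon.DZ indicators from this entry were found.'
}
```

Run it from an elevated prompt so the Services and Setup keys are fully readable.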
Additional Information
For more information about Win32/Hupigon, see the family description elsewhere in the encyclopedia.
Analysis by Jingli Li
Prevention