Installation
Backdoor:Win32/Hupigon.CN drops and runs a copy of itself in the <system folder> and %APPDATA% folders as follows:
The copies have the read-only and hidden attributes set.
The trojan modifies the following registry entries to ensure that it runs when Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Policies"
With data: "<system folder>\windows.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<random alphanumeric characters>, for example "HKLM\Software\Microsoft\Active Setup\Installed Components\2DW0SJYE-LCXY-1KR2-V0J8-4JW360NX073R"
Sets value: "StubPath"
With data: "<system folder>\windows.exe restart"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "Policies"
With data: "<system folder>\server.exe"
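The three persistence entries above can be checked on a suspect host with the following PowerShell script. It is an added example, not part of the Microsoft encyclopedia entry, and it assumes that <system folder> resolves to %SystemRoot%\System32 and that it is run from an elevated session so the HKLM keys can be read. The Run and Explorer\Run checks match on the documented value name "Policies" and report whatever data is present; the Active Setup check enumerates every Installed Components subkey, because the subkey name is random, and matches the StubPath data against the documented "windows.exe restart" command line.

```powershell
# Added example, not part of the Microsoft encyclopedia entry.
# Looks for the Backdoor:Win32/Hupigon.CN persistence entries described above.
# Assumptions: <system folder> is $env:SystemRoot\System32, and the session is
# elevated so that HKLM can be read in full.

function Find-HupigonPersistence {
    $systemFolder = Join-Path $env:SystemRoot 'System32'   # assumption: <system folder>
    $findings = @()

    # 1. HKLM\...\CurrentVersion\Run, value "Policies" -> <system folder>\windows.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Policies']) {
        $findings += [pscustomobject]@{ Location = $runKey; Value = 'Policies'; Data = $run.Policies }
    }

    # 2. HKLM\...\policies\Explorer\Run, value "Policies" -> <system folder>\server.exe
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.PSObject.Properties['Policies']) {
        $findings += [pscustomobject]@{ Location = $polKey; Value = 'Policies'; Data = $pol.Policies }
    }

    # 3. Active Setup. The Installed Components subkey name is random, so every
    #    subkey is enumerated and its StubPath compared with the documented
    #    command line "<system folder>\windows.exe restart".
    $asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $expectedStub = "$systemFolder\windows.exe restart"
    foreach ($sub in (Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and ($stub -ieq $expectedStub -or $stub -match 'windows\.exe\s+restart')) {
            $findings += [pscustomobject]@{ Location = $sub.PSPath; Value = 'StubPath'; Data = $stub }
        }
    }

    # 4. The dropped copies named in the registry data. They carry the read-only
    #    and hidden attributes, so Get-Item needs -Force to return them.
    foreach ($file in @("$systemFolder\windows.exe", "$systemFolder\server.exe")) {
        if (Test-Path -LiteralPath $file) {
            $attr = (Get-Item -LiteralPath $file -Force).Attributes
            $findings += [pscustomobject]@{ Location = $file; Value = '(file)'; Data = "Attributes: $attr" }
        }
    }

    return ,$findings
}

$hits = @(Find-HupigonPersistence)
if ($hits.Count -eq 0) {
    'No Backdoor:Win32/Hupigon.CN persistence entries found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A hit on any of the registry entries is worth triaging even if the file is absent, since the value alone shows the installer ran; conversely a clean result only covers the entries documented for this variant, so other Hupigon variants that use different names will not be reported.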
Payload
Allows backdoor access and control
Backdoor:Win32/Hupigon.CN allows unauthorized access and control of your computer. An attacker can perform a number of different actions once your computer is infected and connected to the internet or a network. This includes:
- Downloading files
- Uploading files to another computer or FTP server
- Logging keystrokes or stealing sensitive data
- Changing the way your computer works
- Running or terminating applications
- Deleting files
Steals information
This backdoor allows a remote attacker to steal sensitive information in a number of ways, including:
- Controlling and taking screenshots of your desktop
- Turning on your microphone to listen to and record you
- Controlling your web camera
- Recording your personal information such as usernames, passwords and the websites visited
- Controlling and seeing your clipboard content
- Searching files and directories
- Collecting a list of:
  - drives
  - archives
  - shared drives
  - active processes
  - services
  - window titles
Changes the way your computer works
An attacker can use this backdoor to change the way your computer works. For example, they can:
- Install and uninstall any programs they choose
- Run or execute DOS commands
- Delete, rename, and change file attributes
- Prevent you from seeing or using the taskbar, start button, system tray icons, and desktop icons
- Redirect your web browser to or from any website
Controls your computer
This backdoor allows an attacker to remotely take control of your computer. This means they can:
- Open a web browser with or without your knowledge
- Close, suspend or resume processes
- Start, stop, disable or delete services
- Open and close your CD drive
- Restart, log off, hibernate and shut down your computer
- Launch a distributed denial of service (DDoS) attack, using user datagram protocol (UDP) flooding
- Stop security processes, such as malware detection and removal tools (the Additional information section below lists the security processes this backdoor affects)
Additional information
Backdoor:Win32/Hupigon.CN creates the following mutexes, possibly as an infection marker to prevent multiple instances running on your computer:
- _x_X_UPDATE_X_x_
- _x_X_PASSWORDLIST_X_x_
- _x_X_BLOCKMOUSE_X_x_
- ***MUTEX***
- ***MUTEX***_PERSIST
- asdfg12345
- asdfg12345_PERSIST
- Administrator5
- SPY_NET_RATMUTEX
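Because the mutexes above act as an infection marker, their presence on a live host is a quick indicator that an instance is currently running. The following PowerShell function is an added example, not part of the Microsoft encyclopedia entry: it tries to open each listed mutex name. The entry does not say whether the backdoor creates the objects in the session-local or the Global\ namespace, so the script assumes nothing and tries both forms.

```powershell
# Added example, not part of the Microsoft encyclopedia entry.
# Tests whether any of the Backdoor:Win32/Hupigon.CN mutex names listed above
# currently exist on this host, which would indicate a running instance.
# Assumption: the namespace is not documented, so both the session-local name
# and the Global\ form are tried for every name.

function Test-HupigonMutex {
    param(
        [string[]]$Names = @(
            '_x_X_UPDATE_X_x_', '_x_X_PASSWORDLIST_X_x_', '_x_X_BLOCKMOUSE_X_x_',
            '***MUTEX***', '***MUTEX***_PERSIST', 'asdfg12345', 'asdfg12345_PERSIST',
            'Administrator5', 'SPY_NET_RATMUTEX'
        )
    )
    $present = @()
    foreach ($name in $Names) {
        foreach ($candidate in @($name, "Global\$name")) {
            $mutex = $null
            try {
                # TryOpenExisting returns $false when no object of that name exists.
                if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$mutex)) {
                    $mutex.Dispose()
                    $present += $candidate
                }
            } catch [System.UnauthorizedAccessException] {
                # The object exists but this token may not open it. The name is
                # still in use, which is what matters for triage, so report it.
                $present += "$candidate (exists, access denied)"
            }
        }
    }
    return ,$present
}

$found = @(Test-HupigonMutex)
if ($found.Count -eq 0) {
    'None of the Backdoor:Win32/Hupigon.CN mutex names are present.'
} else {
    'Mutex names present on this host:'
    $found
}
```

Opening a mutex does not change its state, so the check is safe to run repeatedly during an investigation. A positive result means a process currently holds the object, so the next step is to identify that process and its network connections rather than to rely on the persistence entries alone.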
This backdoor has been seen to block the following security processes:
- a2service.exe
- almon.exe
- ashdisp.exe
- avesvc.exe
- avfwsvc.exe
- avgcc.exe
- avgnt.exe
- avgrsx.exe
- AVKWCtl.exe
- AVKWCtlX64.exe
- avp.exe
- bdss.exe
- ca.exe
- ccapp.exe
- cclaw.exe
- ccSvcHst.exe
- ClamWin.exe
- cpf.exe
- dvpapi.exe
- egui.exe
- ekrn.exe
- ewidoctrl.exe
- fssm32.exe
- GDFwSvc.exe
- GDFwSvcx64.exe
- issvc.exe
- kavpf.exe
- kavsvc.exe
- kpf4ss.exe
- mbam.exe
- mcshield.exe
- mpfservice.exe
- nod32krn.exe
- npfmsg.exe
- oacat.exe
- op_mon.exe
- outpost.exe
- pavfires.exe
- pccntmon.exe
- persfw.exe
- PSUNMAIN.exe
- smc.exe
- spider.exe
- SSScheduler.exe
- tnbutil.exe
- tpsrv.exe
- Vba32arkit.exe
- vsmon.exe
- vsserv.exe
It also checks window titles to see if they include any of the following terms, and closes the window if this is the case:
- Anti MalwareBytes
- AntiVir
- A-squared
- Authentium Antivirus
- Avast Antivirus
- AVG
- AVG Antivirus
- Avira AntiVir
- Avira Security Suite
- BitDefender
- Bull Guard Antivirus
- ClamWin
- Comodo Firewall
- Dr.Web
- ESET Nod32
- ESET Smart Secutity
- eTrust EZ Firewall
- Ewido Security Suite
- F-Secure
- F-Secure Internet Security
- G-Data
- Kaspersky
- Kaspersky Antihacker
- Kaspersky Internet Security
- Kerio Personal Firewall
- McAfee Personal Firewall
- McAfee VirusScan
- Mcfee Security Scan
- Nod32
- Norman
- Norman Personal Firewall
- Norton
- Norton Anti Virus
- Norton Personal Firewall
- Online Armor
- Outpost Firewall pro
- Outpost Personal Firewall
- Panda Antivirus
- Panda Anti-Virus
- Panda Cloud Antivirus
- Panda Internet Security Suite
- PC-cillin Antivirus
- Sophos
- Sygate Personal Firewall
- Symantec
- Tiny Personal Firewall
- VBA32
- ZoneAlarm
Analysis by Zarestel Ferrer