Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
About Hackers
About Hackers

Find out more about hackers and vulnerabilities in our About Hackers and Vulnerabilities section.
About Spam
About Spam

Read about spam and spammers in our About Spam section.

 		 

  Home / Viruses / Virus Encyclopedia

Backdoor.Win32.Hupigon.fdnv

Other versions: .a, .nh

Detection added Dec 15 2008
Update released Dec 16 2008 22:18 GMT
Description added Jan 27 2009

Technical details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 28672 bytes in size. It is packed using AsPack. The unpacked file is approximately 119KB in size. It is written in Delphi.

Installation

Once launched, the Trojan ascribes the “hidden” attribute to its executable file and copies it to the Windows directory as shown below.

%System%\wintemp.exe

%System%\syswin.exe

The malicious file is then launched for execution.

Payload

The Trojan then attempt to contact the following URL:

http://www.qq.com/***

At the moment of writing, this link was not working.

The Trojan then determines the name, and IP address of the victim machine and sends this information to the remote malicious user’s server:

http://www.75*****.com/images/ge.asp?u=<name of computer>&i=<IP
address>

The Trojan then downloads a file from the URL shown below:

http://reg.75*****.com/image/log.jpg

And substitutes this file for the contents of the files shown below:

%System%\wintemp.exe

%System%\syswin.exe

This file is 28 672 bytes in size. It will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Hupigon.fsfz. The Trojan then launches these files for execution. In order to ensure that the Trojan is launched automatically each time the system is booted, it adds the following link to the system registry: 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IeServer" = "%System%\syswin.exe"

The Trojan also injects its code into the address space of "elementclient.exe". It also tracks the entry of confidential data in the online game "Perfect World" registration form.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the “wintemp.exe” and “syswin.exe”.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key parameter: 
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
     
"IeServer" = "%System%\syswin.exe"
  4. Delete the following files: 
    %System%\wintemp.exe
    
%System%\syswin.exe
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com