Virus: BDS/Hupigon.KM
Date discovered: 09/11/2005
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 382.976 Bytes
MD5 checksum: 99092bbe3a758b5c5187beabc022a5a2
VDF version: 6.32.00.110

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Backdoor.Win32.Hupigon.km
   • TrendMicro: BKDR_GRAYBIRD.DJ
   • Sophos: Troj/Feutel-Gen
   • Bitdefender: Backdoor.Hupigon.E


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\G_Server.exe

It deletes the initially executed copy of itself.

It deletes the following file:
   • %WINDIR%\uninstal.bat

The following files are created:
   • %WINDIR%\uninstal.bat
     This batch file is executed once it has been fully written. It is used to delete a file.
   • %WINDIR%\G_Server.dll
     Further investigation showed that this file is also malware. Detected as: BDS/Feutel.A.2
   • %WINDIR%\G_ServerKey.dll
     Further investigation showed that this file is also malware. Detected as: BDS/Hupigon.FA.1

It tries to download a file:

– The location is the following:
   • vip.hui**********.com:8004/user/41365.htm
This file may contain further download locations and might serve as a source for new threats.

Registry
The following registry keys are added so that the service is loaded after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeonServer\Security]
   • "Security"=hex:%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEONSERVER]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeonServer]
   • "Type"=dword:00000110
     "Start"=dword:00000002
     "ErrorControl"=dword:00000000
     "ImagePath"=hex(2):%WINDIR%\G_Server.exe
     "DisplayName"="Gray_Pigeon_Server"
     "ObjectName"="LocalSystem"
     "Description"="Gray_Pigeon_Server"

– [HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeonServer\Enum]
   • "0"="Root\\LEGACY_GRAYPIGEONSERVER\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEONSERVER\0000]
   • "Service"="GrayPigeonServer"
     "Legacy"=dword:00000001
     "ConfigFlags"=dword:00000000
     "Class"="LegacyDriver"
     "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
     "DeviceDesc"="Gray_Pigeon_Server"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEONSERVER\0000\Control]
   • "*NewlyCreated*"=dword:00000000
     "ActiveService"="GrayPigeonServer"

The following registry keys are changed:

– [HKCU\Software\Microsoft\Internet Connection Wizard]
   Old value:
   • "Completed"=hex:%user defined settings%
   New value:
   • "Completed"=hex:01,00,00,00

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Check_Associations"="%user defined settings%"
   New value:
   • "Check_Associations"="no"

Backdoor
Contact server:
   • %IP address taken from downloaded file%:8000

Sends information about:
   • Screen captures
   • Computer name
   • Free disk space
   • Platform ID

Remote control capabilities:
   • Download file
   • Start keylogger

Injection
– It injects the following file into a process: G_Server.dll
   Process name:
   • IEXPLORE.exe

– It injects the following file into a process: G_ServerKey.dll
   Process name:
   • %all running processes%

Miscellaneous
Mutex:
It creates the following mutexes:
   • GPigeon5_Shared_HIDE
   • GPigeon5_Shared
   • GPigeon5_Shared_09-12-2005

File details
Programming language:
The malware program was written in Delphi.

Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Iulia Diaconescu on Thursday, November 10, 2005
Description updated by Iulia Diaconescu on Tuesday, November 29, 2005
