Virus:BDS/Hupigon.chz
Date discovered:12/09/2006
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:708.608 Bytes
MD5 checksum:9c8d5c674889597f7f5726c0c794ef04
VDF version:6.35.01.215
IVDF version:6.35.01.219 - Wednesday, September 13, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  McAfee: BackDoor-AWQ
   •  Kaspersky: Backdoor.Win32.Hupigon.chz
   •  TrendMicro: BKDR_HUPIGON.BMF
   •  F-Secure: Backdoor.Win32.Hupigon.chz
   •  Eset: Win32/Hupigon.CHZ


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a file
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\Hacker.com.cn.exe



The following file is created:
   • %WINDIR%\uninstal.bat
It is executed once it has been fully written. This batch file is used to delete a file.



It tries to download a file:

– The location is the following:
   • k2u.512j.com/**********
This file may contain further download locations and might serve as a source for new threats.

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\winfile system protect]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%WINDIR%\Hacker.com.cn.exe"
   • "DisplayName"="winfile system protect"
   • "ObjectName"="LocalSystem"
   • "Description"="系统文件保护" (GBK-encoded value; shown mis-decoded as "ϵͳÎļþ±£»¤" when read as Latin-1)

– [HKLM\SYSTEM\CurrentControlSet\Services\winfile system protect\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\winfile system protect\Enum]
   • "0"="Root\\LEGACY_WINFILE_SYSTEM_PROTECT\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001
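The service key above is the persistence mechanism of this backdoor, so it is the first thing a responder would check on a suspected host. The following is an added example, not part of the Avira description: it parses a small constructed .reg-style export modelled on the "winfile system protect" key (plus a constructed, benign Print Spooler entry for contrast) and flags the properties that make the entry stand out: automatic start, interactive service type, LocalSystem account, an image located directly under %WINDIR% rather than System32, and the file and service names listed on this page. The constant values for Type and Start are the documented Windows service flags; the sample data and helper names are my own.

```python
"""Triage of Windows service registry entries for persistence indicators.

Added example (not the Avira page's own code). It parses a constructed
.reg-style export and checks each service against indicators taken from
the BDS/Hupigon.chz description above.
"""
import re

# Service Type / Start flags as documented in the Windows SDK (winnt.h, winsvc.h).
SERVICE_WIN32_OWN_PROCESS = 0x010   # Type bit: runs in its own process
SERVICE_INTERACTIVE_PROCESS = 0x100  # Type bit: may interact with the desktop
SERVICE_AUTO_START = 0x2             # Start value: started by the SCM at boot

# Indicators taken from the description above.
KNOWN_IMAGE_NAMES = {"hacker.com.cn.exe"}
KNOWN_SERVICE_NAMES = {"winfile system protect"}

# Constructed sample: the service key as a .reg export would present it,
# followed by a constructed benign entry for comparison.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winfile system protect]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="%WINDIR%\\Hacker.com.cn.exe"
"DisplayName"="winfile system protect"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"DisplayName"="Print Spooler"
"ObjectName"="LocalSystem"
'''


def parse_reg(text):
    """Parse the .reg subset used by service keys: [key] headers,
    "name"="string" and "name"=dword:hex lines. Returns {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            # .reg escapes backslashes and quotes inside string values
            keys[current][name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = value  # hex(...) blobs etc. left as raw text
    return keys


def assess_service(name, values):
    """Return the list of indicator labels a single service entry triggers."""
    findings = []
    image_lc = str(values.get("ImagePath", "")).lower()
    exe_name = re.split(r"[\\/]", image_lc)[-1]
    if values.get("Start") == SERVICE_AUTO_START:
        findings.append("auto-start")
    if values.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
        findings.append("interactive")
    if str(values.get("ObjectName", "")).lower() == "localsystem":
        findings.append("localsystem")
    # A service binary sitting directly in the Windows directory (not System32)
    # is unusual for legitimate services and matches the path on this page.
    if re.fullmatch(r"%(windir|systemroot)%\\[^\\]+", image_lc):
        findings.append("image-in-windir-root")
    if exe_name in KNOWN_IMAGE_NAMES:
        findings.append("known-hupigon-image")
    if name.lower() in KNOWN_SERVICE_NAMES:
        findings.append("known-hupigon-service-name")
    return findings


def is_suspicious(findings):
    """Known indicator, or the combination of properties the backdoor's service uses."""
    if any(f.startswith("known-") for f in findings):
        return True
    return {"auto-start", "localsystem", "image-in-windir-root"} <= set(findings)


def triage(reg_text):
    """Map each service name in the export to its list of findings."""
    report = {}
    for key, values in parse_reg(reg_text).items():
        service_name = key.rsplit("\\", 1)[-1]
        report[service_name] = assess_service(service_name, values)
    return report


if __name__ == "__main__":
    for svc, findings in triage(SAMPLE_REG).items():
        verdict = "SUSPICIOUS" if is_suspicious(findings) else "ok"
        print(f"{svc:30} {verdict:10} {', '.join(findings)}")
```

On a live system the same checks apply to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`; the benign Spooler entry shows why auto-start plus LocalSystem alone is not a finding, and why the image location and the page's file name are what separate this service from the hundreds of legitimate ones.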

Backdoor
Contact server:
   • %URL from downloaded file%

As a result it may send information and provide remote control.

Sends information about:
    • Computer name
    • Information about the Windows operating system

Injection
It injects itself into a process.

Process name:
   • iexplore.exe


File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASProtect

Description inserted by Adriana Popa on Thursday, October 26, 2006
Description updated by Adriana Popa on Friday, October 27, 2006
