In the wild:
Method of propagation:
• No own spreading routine
• Mcafee: BackDoor-AWQ.b
• Kaspersky: Backdoor.Win32.Hupigon.ccy
• F-Secure: Backdoor.Win32.Hupigon.ccy
• Eset: Win32/Hupigon
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Downloads a file
• Drops malicious files
• Records keystrokes
• Registry modification
• Steals information
• Third party control
It copies itself to the following location:
It deletes the initially executed copy of itself.
The following files are created:
\svchost.DLL Further investigation showed that this file is also malware. Detected as: BDS/Hupigon.E.1
\svchost_Hook.DLL Further investigation showed that this file is also malware. Detected as: BDS/Hupigon.BB.1
\svchostKey.DLL Further investigation showed that this file is also malware. Detected as: BDS/Hupigon.BB
\uninstal.bat It is executed once it has been fully created. This batch file is used to delete a file.
It tries to download a file:
– The location is the following:
This file may contain further download locations and might serve as source for new threats.
The following registry keys are added in order to load the services after reboot:
The following registry keys are changed:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
%user defined settings%
– [HKCU\Software\Microsoft\Internet Connection Wizard]
%URL from downloaded file%
As a result remote control capability is provided.
Remote control capabilities:
• Start keylog
– It injects the following file into a process: svchost.DLL
– It injects the following file into a process: svchostKey.DLL
%all running processes%
– It injects the following file into a process: svchost_Hook.DLL
%all running processes%
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and, ultimately, the user.
Hides the following:
– Its own files
• Hidden from Windows API
The malware program was written in Delphi.
To make detection more difficult and reduce the size of the file, it is packed with the following runtime packer:
Description inserted by Adriana Popa on Wednesday, November 29, 2006
Description updated by Adriana Popa on Wednesday, November 29, 2006