English
Deutsch
Francais
Español
Italian
Home
Virus Info
BDS/Hupigon.LQ.1
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
BDS/Hupigon.LQ.1 - Backdoor Server
In alte limbi
Scurta descriere
Descriere completa
Statistici
How would you rate this information?
Worthless
Excellent
Nume:
BDS/Hupigon.LQ.1
Descoperit pe data de:
04/11/2005
Tip:
Backdoor Server
ITW:
Nu
Numar infectii raportate:
Scazut
Potential de raspandire:
Scazut
Potential de distrugere:
Mediu
Fisier static:
Da
Marime:
325.632 Bytes
MD5:
c4f0bfa3186d931b86fb025c02443d6d
Versiune VDF:
6.32.00.146
General
Alias:
• Symantec: Backdoor.Graybird
• Kaspersky: Backdoor.Win32.Hupigon.byu
• Sophos: Troj/Hupigo-BYU
• Bitdefender: Trojan.NSAnti.A
Sistem de operare:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
Efecte secundare:
• Creeaza fisiere malware
• Modificari in registri
• Sustrage informatii
Fisiere
Se copiaza in urmatoarea locatie:
•
%WINDIR%
\rpccall.exe
Sterge copia initiala a virusului.
Sterge urmatoarele fisiere:
•
%SYSDIR%
\
%sir de 6 caractere aleatoare%
.sys
•
%WINDIR%
\uninstal.bat
Sunt create fisierele:
–
%SYSDIR%
\j9u.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: BDS/EggDrop.h.1.A
–
%SYSDIR%
\
%sir de 6 caractere aleatoare%
.sys Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Graybird.AA.2
–
%WINDIR%
\rpccall.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Hupigon.GQ.1
–
%WINDIR%
\rpccallKey.DLL Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Hupigon.GQ.1
–
%WINDIR%
\uninstal.bat Fisierul este executat dupa ce a fost creat. Fisierul batch este folosit pentru stergerea unui fisier.
Incearca sa descarce un fisier:
– Adresa este urmatoarea:
• http://wolforsheep.sitesled.com/gengxin/**********
Registrii sistemului
Urmatoarele chei sunt adaugate in registri pentru a incarca serviciile la repornirea sistemului:
– HKLM\SYSTEM\CurrentControlSet\Services\GOOD05
• "Type"=dword:00000001
• "Start"=dword:00000003
• "ErrorControl"=dword:00000001
• "ImagePath"="
%SYSDIR%
\
%sir de 6 caractere aleatoare%
.sys "
• "DisplayName"="GOOD05"
– HKLM\SYSTEM\CurrentControlSet\Services\RPCcallServer
• "Type"=dword:00000110
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"="
%WINDIR%
\rpccall.exe"
• "DisplayName"="RPCcallServer"
• "ObjectName"="LocalSystem"
• "Description"="RPCcall Server manager"
Urmatoarele chei sunt adaugate in registrii sistemului:
– HKLM\SYSTEM\CurrentControlSet\Services\GOOD05\Security
• "Security"=%hex value%
– HKLM\SYSTEM\CurrentControlSet\Services\GOOD05\Enum
• "0"="Root\\LEGACY_GOOD05\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOD05
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOD05\0000
• "Service"="GOOD05"
• "Legacy"=dword:00000001
• "ConfigFlags"=dword:00000000
• "Class"="LegacyDriver"
• "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• "DeviceDesc"="GOOD05"
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOD05\0000\Control
• "*NewlyCreated*"=dword:00000000
• "ActiveService"="GOOD05"
– HKLM\SYSTEM\CurrentControlSet\Services\RPCcallServer\Security
• "Security"=%hex value%
– HKLM\SYSTEM\CurrentControlSet\Services\RPCcallServer\Enum
• "0"="Root\\LEGACY_RPCCALLSERVER\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCCALLSERVER
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCCALLSERVER\0000
• "Service"="RPCcallServer"
• "Legacy"=dword:00000001
• "ConfigFlags"=dword:00000000
• "Class"="LegacyDriver"
• "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• "DeviceDesc"="RPCcallServer"
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCCALLSERVER\0000\
Control
• "*NewlyCreated*"=dword:00000000
• "ActiveService"="RPCcallServer"
– HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent
• @=dword:0000000c
Backdoor
Servere contactate:
Urmatorul:
•
%URL din fisierul descarcat%
Astfel se pot transmite informatii si se poate obtine control la distanta.
Injectarea codului malware in alte procese
– Injecteaza fisierul urmator intr-un proces:
%WINDIR%
\rpccallKey.DLL
– Injecteaza o rutina care supravegheaza procesele intr-un alt proces.
Urmatoarele procese:
•
%SYSDIR%
\winlogon.exe
•
%WINDIR%
\EXPLORER.exe
•
%toate procesele pornite dupa ce virusul este activ in memorie%
Tehnologie Rootkit
Ascunde urmatoarele:
– Propriile fisiere
– Propriile procese
Metoda folosita:
• Ascuns de Windows API
Detaliile fisierului
Limbaj de programare:
Limbaj de programare folosit: Delphi.
Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.
Pentru o descriere scurta click
aici
.
Descriere introdusa de Bogdan Iliuta la Thu, 28 Sep 2006 16:55 (GMT+1)
Descriere actualizata de Bogdan Iliuta la Wed, 22 Nov 2006 17:31 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
Worm/Kidala.G
Worm/Mytob.BF
Worm/Mytob.AT
Worm/Klez.E
Ebay 91
BDS/Frauder.bu
DR/Autoit.I.1
TR/Spy.ZBot.DFR
TR/VB.aei
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info BDS/Hupigon.LQ.1
Print this page
.gif)
