
Backdoor:W32/Hupigon.EMV


First posted on 19 September 2008.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:W32/Hupigon.EMV.

Explanation :

A backdoor is a Remote Administration Tool (RAT) that exposes an infected machine to external control over the Internet by remote attackers.

This backdoor is detected as a member of the Hupigon family. The Backdoor:W32/Hupigon description provides additional details.

Copies itself to:

  • %Windows%\dllhost.exe
  • %Windows%\setuprs1.PIF

Replicates these original Windows applications with an additional ".exe" extension:

  • %Windows%\system32\cmd.exe to %Windows%\system32\cmd.exe.exe
  • %Windows%\regedit.exe to %Windows%\regedit.exe.exe

Hupigon.EMV attempts to disable or redirect Windows applications by setting the following Image File Execution Options registry entries (a Debugger value makes Windows launch the named file in place of the application):

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
    Debugger = setuprs1.PIF
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger = setuprs1.PIF
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe
    Debugger = setuprs1.PIF
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger = 7303.PIF
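As an added defender-side example (not part of this description), the Python below reads text in `reg export` format and lists every Image File Execution Options subkey whose Debugger value redirects an application, using a constructed export built from the entries above; the "suspicious Debugger" heuristic is this example's own assumption.

```python
import re

# Constructed sample in `reg export` format, using the Image File Execution
# Options entries this description lists plus one benign GlobalFlag entry.
# It is not an export taken from an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="setuprs1.PIF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="7303.PIF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

IFEO_SUBKEY = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
    r'Image File Execution Options\\([^\]\\]+)\]\s*$', re.IGNORECASE)
DEBUGGER_VALUE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)

def find_ifeo_debuggers(reg_text):
    """Map image name -> Debugger value for every IFEO subkey that sets one."""
    hits, current = {}, None
    for line in reg_text.splitlines():
        m = IFEO_SUBKEY.match(line)
        if m:
            current = m.group(1).lower()
        elif line.startswith('['):
            current = None            # any other key: leave the IFEO tree
        else:
            m = DEBUGGER_VALUE.match(line)
            if m and current:
                hits[current] = m.group(1).replace('\\\\', '\\')  # undo .reg escaping
    return hits

def is_suspicious(debugger):
    """Heuristic (assumed here, not from the description): a Debugger that is a
    bare file name or a .PIF/.BAT/.CMD/.COM/.SCR file is not a real debugger."""
    value = debugger.strip()
    if not value:
        return False
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
    name = exe.rsplit('\\', 1)[-1].lower()
    return '\\' not in exe or name.endswith(('.pif', '.bat', '.cmd', '.com', '.scr'))

def hijacked_images(reg_text):
    """Sorted (image, debugger) pairs that look like IFEO hijacks."""
    return sorted((img, dbg) for img, dbg in find_ifeo_debuggers(reg_text).items()
                  if is_suspicious(dbg))

if __name__ == '__main__':
    for img, dbg in hijacked_images(SAMPLE_REG):
        print(f'{img} is redirected to {dbg}')
```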

Registers itself as a Windows "COM+ System Application" service using these registry entries:

  • HKLM\System\CurrentControlSet\Services\COMSystemApp
    Type = 00000110
  • HKLM\System\CurrentControlSet\Services\COMSystemApp
    ErrorControl = 00000000
  • HKLM\System\CurrentControlSet\Services\COMSystemApp
    ImagePath = C:\WINDOWS\dllhost.exe -netsvcs
  • HKLM\System\CurrentControlSet\Services\COMSystemApp
    DisplayName = COM+ System Applications

Attempts to locate and terminate the following processes:

  • 360tray.exe
  • autoruns.exe
  • avp.exe
  • avpcc.exe
  • cpf.exe
  • ewido.exe
  • FireTray.exe
  • FireWall.exe
  • FYFireWall.exe
  • jpf.exe
  • kav.exe
  • KAVPF.exe
  • KavPFW.EXE
  • kpf4gui.exe
  • KPFW32.EXE
  • KVCenter.kxp
  • KvMonXP.kxp
  • KVXP.kxp
  • McAfeeFire.exe
  • mmc.exe
  • outpost.exe
  • PFW.exe
  • procexp.exe
  • Ras.exe
  • RfwMain.EXE
  • RRfwMain.EXE
  • runiep.exe
  • ssgui.exe
  • SysSafe.exe
  • TrojDie.kxp
  • WoptiProcess.exe

Attempts to close windows containing these strings:

  • ZoneAlarm
  • ZoneAlarm Pro

Attempts to connect to 218.16.138.64 on TCP port 81.

Propagation

It attempts to propagate by creating "\runauto..\autorun.pif" and "autorun.inf" on all available drives, including removable drives.

The autorun.inf file is detected as Worm.Win32.AutoRun.dms.

The autorun.inf appears as:

  • [AutoRun]
    open=RUNAUT~1\autorun.pif
    shell1=打开(&O)
    shell1Command=RUNAUT~1\autorun.pif
    shell2=浏览(&B)
    shell2Command=RUNAUT~1\autorun.pif
    shellexecute=RUNAUT~1\autorun.pif


To make sure it will only run once, the mutex "Red_Server_2007" is created.

Last update 19 September 2008
