Backdoor:W32/Hupigon.EMV
First posted on 19 September 2008.
Aliases:
There are no other names known for Backdoor:W32/Hupigon.EMV.
Explanation:
A backdoor is a Remote Administration Tool (RAT) that exposes infected machines to external control over the Internet by remote attackers.
This backdoor is detected as a member of the Hupigon family. The Backdoor:W32/Hupigon description provides additional details.
Copies itself to:
- %Windows%\dllhost.exe
- %Windows%\setuprs1.PIF
Duplicates these original Windows applications with an additional "EXE" extension:
- %Windows%\system32\cmd.exe to %Windows%\system32\cmd.exe.exe
- %Windows%\regedit.exe to %Windows%\regedit.exe.exe
Hupigon.EMV attempts to disable or redirect the following Windows applications by setting a Debugger value under their Image File Execution Options registry keys:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  Debugger = setuprs1.PIF
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  Debugger = setuprs1.PIF
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe
  Debugger = setuprs1.PIF
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
  Debugger = 7303.PIF
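A Debugger value under an Image File Execution Options key makes Windows launch that program instead of the named tool, so each of the entries above hands control of cmd.exe, regedit.exe, regedt32.exe or msconfig.exe to the backdoor's own file. As an added example (not part of the original description), the following Python script audits an exported .reg file for IFEO Debugger values that do not point at a recognised debugger; the sample export and the KNOWN_DEBUGGERS allow-list are constructed assumptions.

```python
import ntpath
import re

# Constructed sample .reg export (not from a real machine): the IFEO entries listed on
# this page, plus a legitimately configured debugger and a non-Debugger value for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="setuprs1.PIF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="7303.PIF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"GlobalFlag"=dword:00000200
'''

IFEO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\]\\]+)\]$", re.IGNORECASE)
DEBUGGER_VALUE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)
# Debuggers an administrator may have registered on purpose (assumption: tune per environment).
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}

def debugger_binary(command):
    """Lower-cased basename of the first token of a Debugger command line."""
    command = command.replace('\\"', '"').replace("\\\\", "\\")  # undo .reg string escaping
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0] if command.strip() else ""
    return ntpath.basename(first).lower()

def find_ifeo_hijacks(reg_text):
    """Return (image, debugger) pairs whose IFEO Debugger is not a known debugger."""
    findings, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # new key: keep the image name only for IFEO subkeys
            m = IFEO_KEY.match(line)
            image = m.group(1) if m else None
            continue
        m = DEBUGGER_VALUE.match(line) if image else None
        if m and debugger_binary(m.group(1)) not in KNOWN_DEBUGGERS:
            findings.append((image, m.group(1)))
    return findings

if __name__ == "__main__":
    for image, dbg in find_ifeo_hijacks(SAMPLE_REG):
        print(f"{image} launches are redirected to: {dbg}")
```

On a live system the same check can be run over the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; a .PIF or other non-debugger file as the Debugger is the indicator to look for.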
Registers itself as a Windows "COM+ System Application" service using these registry entries:
- HKLM\System\CurrentControlSet\Services\COMSystemApp
  Type = 00000110
  ErrorControl = 00000000
  ImagePath = C:\WINDOWS\dllhost.exe -netsvcs
  DisplayName = COM+ System Applications
Attempts to locate and terminate the following processes:
- 360tray.exe
- autoruns.exe
- avp.exe
- avpcc.exe
- cpf.exe
- ewido.exe
- FireTray.exe
- FireWall.exe
- FYFireWall.exe
- jpf.exe
- kav.exe
- KAVPF.exe
- KavPFW.EXE
- kpf4gui.exe
- KPFW32.EXE
- KVCenter.kxp
- KvMonXP.kxp
- KVXP.kxp
- McAfeeFire.exe
- mmc.exe
- outpost.exe
- PFW.exe
- procexp.exe
- Ras.exe
- RfwMain.EXE
- RRfwMain.EXE
- runiep.exe
- ssgui.exe
- SysSafe.exe
- TrojDie.kxp
- WoptiProcess.exe
Attempts to close windows containing these strings:
- ZoneAlarm
- ZoneAlarm Pro
Attempts to connect to 218.16.138.64 on TCP port 81.
Propagation
It attempts to propagate by creating "\runauto..\autorun.pif" and "autorun.inf" on all available drives, including removable drives.
The autorun.inf file is detected as Worm.Win32.AutoRun.dms.
The autorun.inf appears as follows (the shell1 and shell2 captions are GBK-encoded Chinese for "Open" and "Browse"):
[AutoRun]
open=RUNAUT~1\autorun.pif
shell1=打开(&O)
shell1Command=RUNAUT~1\autorun.pif
shell2=浏览(&B)
shell2Command=RUNAUT~1\autorun.pif
shellexecute=RUNAUT~1\autorun.pif
To make sure it will only run once, the mutex "Red_Server_2007" is created.
Last update 19 September 2008