Backdoor:Win32/Hupigon.ZAH
First posted on 25 January 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Hupigon.ZAH is also known as Backdoor.Hupigon.GEN (VirusBuster), BackDoor.Hupigon5.BMRF (AVG).
Explanation:
Backdoor:Win32/Hupigon.ZAH is a backdoor trojan that allows remote access and control of the affected computer.
Installation
When executed, Backdoor:Win32/Hupigon.ZAH drops the following files in the Windows system folder:
- system64.exe - copy of itself
- kme.bat - batch file that deletes the originally executed copy of Backdoor:Win32/Hupigon.ZAH once the installation routine has completed, leaving only the system64.exe copy on disk
Backdoor:Win32/Hupigon.ZAH also creates a mutex named "RAT20122024" to ensure there is only one running process of itself.
It injects its code into the running process "<system folder>\userinit.exe" so that its activity appears to originate from a legitimate Windows process, in order to hide itself and avoid detection.
It creates the following registry entry as part of its installation process:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion
Sets value: "WinXpMemory"
With data: "drat2011"
Payload
Allows remote access and control
Backdoor:Win32/Hupigon.ZAH connects to "momea.<removed>22.org" via port 2011 to receive commands.
Based on commands received from this server, it may perform any of the following actions:
- Collect the affected computer's processor's information
- Delete a file
- Download other files
- Enumerate running processes on the affected computer
- Get DLL information
- Retrieve folder names in the affected computer
- Retrieve information on currently running threads on the affected computer
- Run a DLL file
- Start Task Manager
- Stop a DLL file
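The indicators listed in the Installation and Payload sections above (the two dropped files, the registry value, the mutex, the userinit.exe injection target and the port 2011 command channel) can be checked on a suspect host with the following PowerShell triage script. It is an added example, not Microsoft's tooling and not part of the original entry. It assumes that the "Windows system folder" is System32 (and SysWOW64 on 64-bit hosts, because of file system redirection for 32-bit processes), that the mutex is created without a Global\ prefix, that the command channel is TCP, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added triage script for the Backdoor:Win32/Hupigon.ZAH indicators described above.
# Assumptions (not stated by the original entry): system folder = System32 / SysWOW64,
# session-local mutex namespace, TCP transport on port 2011, NetTCPIP module present.
$findings = @()

# 1. Dropped files: system64.exe (copy of the backdoor) and kme.bat (self-delete batch file)
$sysDirs = @("$env:SystemRoot\System32")
if (Test-Path "$env:SystemRoot\SysWOW64") { $sysDirs += "$env:SystemRoot\SysWOW64" }
foreach ($dir in $sysDirs) {
    foreach ($name in 'system64.exe', 'kme.bat') {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "Dropped file present: $p (SHA256 $h)"
        }
    }
}

# 2. Installation marker: HKCU\Software\Microsoft\Windows\CurrentVersion\WinXpMemory = "drat2011"
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$val = (Get-ItemProperty -Path $key -Name 'WinXpMemory' -ErrorAction SilentlyContinue).WinXpMemory
if ($null -ne $val) {
    $findings += "Registry value WinXpMemory present under $key with data '$val'"
}

# 3. Single-instance mutex "RAT20122024". OpenExisting throws if the mutex does not exist;
#    an access-denied error means it exists but belongs to another security context.
try {
    $m = [System.Threading.Mutex]::OpenExisting('RAT20122024')
    $m.Dispose()
    $findings += 'Mutex RAT20122024 exists in this session'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: expected on a clean host.
} catch [System.UnauthorizedAccessException] {
    $findings += 'Mutex RAT20122024 exists but could not be opened (access denied)'
}

# 4. Injection target: userinit.exe normally exits shortly after logon,
#    so a long-lived instance is worth examining for injected code.
foreach ($proc in Get-Process -Name userinit -ErrorAction SilentlyContinue) {
    $age = (Get-Date) - $proc.StartTime
    $findings += ('userinit.exe PID {0} has been running for {1:N0} minutes' -f $proc.Id, $age.TotalMinutes)
}

# 5. Command channel: outbound TCP connections to remote port 2011
foreach ($c in Get-NetTCPConnection -RemotePort 2011 -ErrorAction SilentlyContinue) {
    $findings += ('TCP {0}:{1} -> {2}:{3} state {4} owning PID {5}' -f
        $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess)
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Hupigon.ZAH indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it in the logged-on user's session (the registry value lives under HKCU and the mutex is per-session), and with elevation if you also want the owning process of the port 2011 connection resolved for processes of other users. A hit on any single check is enough to justify pulling the system64.exe copy and a memory image of userinit.exe for analysis; the absence of kme.bat on its own means little, since that file is designed to delete the original copy and is normally gone by the time the host is examined.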
Analysis by Hong Jia
Last update 25 January 2012