Trojan Hupigon
Original issue date: September 17, 2008
It has been observed that a Backdoor named Hupigon is spreading in the wild. It propagates by copying itself to the system directory as winreg.exe and notepod.exe.
The Trojan opens UDP port 8310 and several other random TCP ports to listen for commands from the remote attacker. The remote commands can perform any of the following actions on the compromised machine:
- File operations
- Format the disk
- Log keystrokes, etc.
- Open/close CD-ROM drive
- Steal ICQ configurations
- Steal system information
Aliases:
Backdoor.Win32.Hupigon.a (Kaspersky Lab), BackDoor-ALC (McAfee), Backdoor.Hupigeon (Symantec), BackDoor.Pigeon.3 (Doctor Web), Troj/Hupigon (Sophos), Backdoor:Win32/Hupigon (RAV), BKDR_HUPIGON.A (Trend Micro)
Upon execution, the Trojan:
- Copies itself as:
%system%\Winndow386.exe
%windows%\N0tepad.exe
- Creates the value
winndow386 %system%\Winndow386.exe
in the registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies the value
(Default) %windows%\N0tepad.exe %1
in the registry keys:
- HKEY_CLASSES_ROOT\txtfile\shell\open\command
- HKEY_CLASSES_ROOT\inifile\shell\open\command
- Modifies the value
(Default) %system%\Winndow386.exe %1 %*
in the registry key:
- HKEY_CLASSES_ROOT\exefile\shell\open\command
In view of the rapid propagation of the Hupigon Trojan, users are advised to implement the following countermeasures:
- Search for the malicious files and processes created/initiated by the Trojan and delete the same.
- Search for the registry entries mentioned above made by the Trojan and delete the same.
- Remain cautious while visiting trusted / untrusted websites.
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures.
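As an added example, not part of the CERT-In advisory, the following PowerShell script checks a host for the files, registry values and listening port listed above and reports what it finds without deleting or changing anything. It assumes PowerShell 3 or later on Windows, an elevated prompt so the HKLM keys are readable, and (for the port check only) Windows 8 / Server 2012 or later where Get-NetUDPEndpoint exists.

```powershell
# Added detection script (not from the advisory): reports Hupigon indicators, makes no changes.
# Assumes PowerShell 3+ on Windows, run elevated; the port check needs Get-NetUDPEndpoint.

$sys = [Environment]::GetFolderPath('System')    # expands %system%
$win = [Environment]::GetFolderPath('Windows')   # expands %windows%
$findings = @()

# 1. Dropped copies named in the advisory (both sets of names it gives)
$files = @("$sys\Winndow386.exe", "$win\N0tepad.exe", "$sys\winreg.exe", "$sys\notepod.exe")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Autostart value 'winndow386' under the two Run keys
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -Name 'winndow386' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Autostart value: $k\winndow386 = $($v.winndow386)" }
}

# 3. Hijacked file-association handlers: the (Default) command should name the
#    legitimate program, not the dropped copies
$assoc = @{
    'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command' = 'N0tepad.exe'
    'Registry::HKEY_CLASSES_ROOT\inifile\shell\open\command' = 'N0tepad.exe'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = 'Winndow386.exe'
}
foreach ($k in $assoc.Keys) {
    $cmd = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match [regex]::Escape($assoc[$k])) {
        $findings += "Hijacked handler: $k = $cmd"
    }
}

# 4. Listening UDP port 8310 (random TCP ports cannot be matched by number)
$udp = Get-NetUDPEndpoint -LocalPort 8310 -ErrorAction SilentlyContinue
if ($udp) { $findings += "UDP 8310 bound by PID $($udp.OwningProcess)" }

if ($findings.Count -eq 0) { 'No Hupigon indicators from the advisory were found.' }
else { $findings }
```

Because the exefile handler is hijacked, repair the three (Default) values before removing the dropped executables; otherwise every .exe launch, including cleanup tools, goes through the missing Winndow386.exe.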
References
http://www.symantec.com/security_response/writeup.jsp?docid=2002-100914-4859-99&tabid=2
http://www.viruslist.com/en/viruses/encyclopedia?virusid=44430
http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.Hupigon.efk&threatid=128868
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003