Threat behavior
Backdoor:Win32/Hupigon.CK is a backdoor component of Win32/Hupigon. It runs as a service and opens a backdoor server on the host computer. Backdoor:Win32/Hupigon.CK also tries to connect to various remote Web sites to send notification of the infection.
Installation
Win32/Hupigon.CK is installed by other unwanted software or when a user visits a malicious Web site. The trojan may be present as the following files:
<system folder>\winlogo.exe
<system folder>\netdde.exe
<system folder>\yyserver
During installation, a clean-up batch script is dropped as '<system folder>\deleteme.bat' and then run to delete the original trojan installer. The dropped copy of Hupigon.CK (winlogo.exe or netdde.exe) creates additional copies of the trojan as the following:
<system folder>\winlogo_.exe
<system folder>\netdde_.exe
The registry is modified by adding the following value and data, which registers the backdoor as a service:
Adds value: "Start"
With data: "2"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\YYSvc
Payload
Stops Internet Connection Firewall Service
Win32/Hupigon.CK tries to stop the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service by using the Windows utility net.exe, as in the following example:
net1 stop SharedAccess
Opens Remote Access Port/Backdoor
Win32/Hupigon.CK attempts to connect to the remote Web site 'djisdj.vicp.net' using TCP port 3838. The backdoor component also requests access to physical memory.
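The following host-triage script is an added example and is not part of the Microsoft write-up. It checks a Windows host for the indicators this description lists: the dropped files in the system folder, the YYSvc service key (a Start value of 2 is SERVICE_AUTO_START, so the service launches at boot), a stopped SharedAccess (ICF/ICS) service together with the Service Control Manager's stop events, and live TCP connections to port 3838. It assumes a Windows 8/Server 2012 or later host (for Get-NetTCPConnection) and an elevated PowerShell session; the variable names and the output format are the example's own.

```powershell
# Hupigon.CK host triage (added example, not Microsoft's code). Run elevated.
# Indicators come from the write-up above; nothing here is cleaned or removed.
$sysDir   = [Environment]::GetFolderPath('System')   # <system folder>, e.g. C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files named in the Installation section
$dropped = 'winlogo.exe','winlogo_.exe','netdde.exe','netdde_.exe','yyserver','deleteme.bat'
foreach ($name in $dropped) {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path (SHA256 $hash)")
    }
}

# 2. The YYSvc service key; Start = 2 means the service is set to start automatically
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\YYSvc'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings.Add("Service key present: $svcKey Start=$($svc.Start) ImagePath=$($svc.ImagePath)")
}
# SCM event 7045 records new service installations; match on the service name
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'YYSvc' } |
    ForEach-Object { $findings.Add("SCM 7045 (service installed) at $($_.TimeCreated): $($_.Message -replace '\s+',' ')") }

# 3. ICF/ICS service state: the trojan runs 'net1 stop SharedAccess'
$shared = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($shared -and $shared.Status -ne 'Running') {
    $findings.Add("SharedAccess service is $($shared.Status)")
}
# SCM event 7036 records service state changes; look for the ICS service entering the stopped state
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Internet Connection Sharing|SharedAccess' -and $_.Message -match 'stopped' } |
    Select-Object -First 5 |
    ForEach-Object { $findings.Add("SCM 7036 (service stopped) at $($_.TimeCreated): $($_.Message -replace '\s+',' ')") }

# 4. Live connections to the write-up's port. The C2 name is dynamic DNS, so its
#    address changes; match on the port and report the owning process instead of a fixed IP.
Get-NetTCPConnection -RemotePort 3838 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):3838 state $($_.State) PID $($_.OwningProcess) ($($proc.ProcessName))")
}

if ($findings.Count -eq 0) {
    'No Hupigon.CK indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Treat any single hit as worth a closer look rather than proof of infection: legitimate software can stop SharedAccess, and port 3838 is not reserved. The file hashes are printed so that a match can be compared against a known-bad set once the samples have been identified, and the SCM events give a timeline for when the service was registered and when the firewall service was stopped.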
Analysis by Subratam Biswas
Prevention