Threat behavior
Backdoor:Win32/Hupigon.gen!F is a generic detection for variants of Win32/Hupigon, a family of backdoor trojans. Win32/Hupigon.gen!F installs itself to run as a Windows service and gives a remote attacker unauthorized access to the affected machine.
Installation
This trojan may be installed by a trojan dropper or installer program, which writes it to either the Windows folder or the Windows system folder. The file name of the dropped trojan varies between variants; examples include:
g_server2.03.exe
upsutup.exe
g_server.exe
The following registry keys are added or modified so that the dropped trojan runs as a service. The Services key holds the service definition, including the path to the dropped file. The LEGACY_* key under Enum\Root is created by Windows itself when a service is registered and can remain after the Services key has been deleted, so its presence is evidence that the service was installed at some point even if the trojan has since been removed:
HKLM\SYSTEM\CurrentControlSet\Services\rayPigeonServer
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RAYPIGEONSERVER
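The following Python script is an added triage example and is not part of the original write-up or of any Microsoft tool. It checks an offline registry export (the text that reg export HKLM\SYSTEM\CurrentControlSet produces) for the two keys listed above, cross-checks the service's ImagePath against the dropped file names, and scans a file listing for those names in the Windows and system folders. The registry export, the file listing, and the C:\Windows install location are constructed assumptions for the demonstration; the key names and file names come from the write-up.

```python
import re

# Indicators taken from the write-up.
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\rayPigeonServer"
LEGACY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RAYPIGEONSERVER"
DROPPED_NAMES = ("g_server2.03.exe", "upsutup.exe", "g_server.exe")
# Assumption: a default install; adjust if %SystemRoot% differs.
DROP_DIRS = (r"C:\Windows", r"C:\Windows\System32")

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def canonical_key(path: str) -> str:
    """Expand HKLM/HKCU and lower-case the path, so the short names used on the
    page compare equal to the full hive names that 'reg export' writes."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def _unescape(s: str) -> str:
    # .reg files escape backslashes and quotes inside string data.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Minimal parser for .reg text: {canonical_key: {value_name: data}}.
    REG_SZ data is unescaped; dword/hex data is kept as the raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = canonical_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_dropped_files(listing: list) -> list:
    """Paths from a 'dir /s /b' style listing whose file name is a known dropped
    name and whose directory is the Windows or system folder."""
    drop_dirs = {d.lower() for d in DROP_DIRS}
    hits = []
    for path in listing:
        directory, _, name = path.rpartition("\\")
        if name.lower() in DROPPED_NAMES and directory.lower() in drop_dirs:
            hits.append(path)
    return hits


def triage(reg_text: str, listing: list) -> dict:
    """Summarise the Hupigon.gen!F installation indicators found in the inputs."""
    keys = parse_reg_export(reg_text)
    service = keys.get(canonical_key(SERVICE_KEY))
    legacy = keys.get(canonical_key(LEGACY_KEY))
    # ImagePath may be quoted when it contains spaces; strip those quotes.
    image = (service or {}).get("ImagePath", "").strip('"')
    image_name = image.rpartition("\\")[2].lower()
    return {
        "service_key_present": service is not None,
        # The LEGACY_* key survives deletion of the Services key, so it still
        # tells you the service was registered on this machine at some point.
        "legacy_key_present": legacy is not None,
        "image_path": image,
        "image_is_known_dropper_name": image_name in DROPPED_NAMES,
        "dropped_files": find_dropped_files(listing),
    }


# Constructed sample input: a fragment in the format 'reg export' writes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rayPigeonServer]
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\g_server.exe"
"DisplayName"="rayPigeonServer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RAYPIGEONSERVER]
"NextInstance"=dword:00000001
"""

# Constructed sample listing, as 'dir C:\ /s /b' might print it.
SAMPLE_LISTING = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\g_server.exe",
    r"C:\Users\alice\Downloads\g_server.exe",  # outside the drop folders, not matched
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG, SAMPLE_LISTING).items():
        print(f"{k}: {v}")
```

Only files in the two folders the write-up names are reported; a matching file name elsewhere (the Downloads copy in the sample) is still worth a look, but the page does not describe that as Hupigon behaviour, so the script leaves it to the analyst.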
Payload
Notifies Remote Site
Hupigon.gen!F launches Internet Explorer and hijacks the browser process to make its outbound connection, so the traffic appears to come from the browser rather than from the trojan, which typically lets it through host firewall rules that trust the browser. Through that connection it contacts a hardcoded Web site and retrieves a short text file holding a second URL, which is used to notify the attacker of the infection. For example, the trojan may retrieve a text file such as:
<site>/a/hui.txt
The text contains a link to another site, for example:
<site>/wwwroot
The trojan then connects to this second site to notify the attacker that it has been installed. Because the first site only stores a pointer, the attacker can change the notification endpoint without redistributing the trojan.
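The two-hop check-in described above can be spotted in Web proxy logs by correlating, per client, a request for the pointer file with a request to a different host shortly afterwards. The following Python is an added detection example, not code from the write-up or from any product: the log line format and the hostnames (.invalid addresses) are constructed for the demonstration, and the only facts taken from the page are the two paths, /a/hui.txt and /wwwroot. The hardcoded site itself is not named in the write-up, so the rule keys on the paths and on the host change between the two requests.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format: client timestamp method url "user-agent".
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Paths quoted in the write-up. Only these two are known; the site is not.
POINTER_PATH_SUFFIX = "/a/hui.txt"
NOTIFY_PATH_PREFIX = "/wwwroot"


def parse_line(line: str):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, ts, method, url, ua = m.groups()
    return {"client": client, "ts": datetime.fromisoformat(ts),
            "method": method, "url": url, "ua": ua}


def find_notification_chains(lines, window=timedelta(seconds=60)):
    """Return (client, pointer_url, notify_url, user_agent) for every client that
    fetched the pointer file and then, within `window`, hit /wwwroot on another host.
    The window is an assumption; the write-up gives no timing."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    chains = []
    for i, first in enumerate(events):
        u = urlsplit(first["url"])
        if not u.path.endswith(POINTER_PATH_SUFFIX):
            continue
        for second in events[i + 1:]:
            if second["ts"] - first["ts"] > window:
                break  # sorted by time, so nothing later can be inside the window
            if second["client"] != first["client"]:
                continue
            v = urlsplit(second["url"])
            if v.path.startswith(NOTIFY_PATH_PREFIX) and v.netloc != u.netloc:
                chains.append((first["client"], first["url"], second["url"], first["ua"]))
                break
    return chains


# Constructed sample log. 10.0.0.5 shows the full chain; 10.0.0.7 fetches the
# pointer but only reaches /wwwroot half an hour later; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = [
    '10.0.0.5 2008-03-01T10:00:01 GET http://pointer.invalid/a/hui.txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 2008-03-01T10:00:02 GET http://intranet.invalid/wwwroot/index.htm "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.5 2008-03-01T10:00:04 GET http://notify.invalid/wwwroot "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 2008-03-01T10:05:00 GET http://pointer.invalid/a/hui.txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 2008-03-01T10:35:00 GET http://notify.invalid/wwwroot "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for client, first, second, ua in find_notification_chains(SAMPLE_LOG):
        print(f"{client}: {first} -> {second} ({ua})")
```

A lone request for a file named hui.txt is weak evidence on its own; the pairing with a follow-up to /wwwroot on a second host from the same client is what makes the pattern worth an alert, and the user agent is carried along because the request is expected to come from the hijacked Internet Explorer process.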
Backdoor Functionality
Hupigon.gen!F may start a backdoor server that accepts connections from a remote attacker. Once connected, the attacker can perform various actions on the infected machine, such as downloading, uploading and executing files.
Analysis by Vincent Tiu
Prevention