Win32/Hupigon [Threat Name]
Detection created | 2004-07-22
World activity peak | 2008-08-09 (1.46 %)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to some of the following locations:
- %windir%\%variable1%.exe
- %programfiles%\%variable1%.exe
- %windir%\%variable2%\%variable1%.exe
- %programfiles%\%variable2%\%variable1%.exe
The trojan registers itself as a system service using the following name:
- %variable3%
A string with variable content is used instead of %variable1-3%.
This causes the trojan to be executed on every system start.
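Because the file and service names vary, a hunt has to key on location instead. The following is an added example, not vendor code: it flags services whose executable sits in one of the four locations listed above and is absent from a known-good baseline. The service records, environment values and baseline are constructed, and the baseline approach is an assumption of the example; hits are triage candidates, not verdicts.

```python
import ntpath
import re

# Constructed values; on a live host take these from the real environment.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows",
       "programfiles": r"C:\Program Files"}
ROOTS = ("windir", "programfiles")  # the two roots named on this page

def service_exe(image_path, env=ENV):
    """Normalized executable path from a service ImagePath value."""
    s = re.sub(r"%([^%]+)%",
               lambda m: env.get(m.group(1).lower(), m.group(0)),
               image_path.strip())
    if s.startswith('"'):                      # quoted path, arguments follow
        s = s[1:].split('"', 1)[0]
    else:                                      # unquoted: cut after first .exe
        m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
        s = m.group(1) if m else s
    return ntpath.normcase(ntpath.normpath(s))

def in_listed_location(exe, env=ENV):
    """True if exe is directly in a root or exactly one folder below it."""
    if not exe.endswith(".exe"):
        return False
    parent = ntpath.dirname(exe)
    roots = {ntpath.normcase(ntpath.normpath(env[r])) for r in ROOTS}
    return parent in roots or ntpath.dirname(parent) in roots

def hunt(services, baseline):
    """Names of services in a listed location and absent from the baseline."""
    return [name for name, image_path in services
            if in_listed_location(service_exe(image_path))
            and service_exe(image_path) not in baseline]

# Constructed sample: (service name, ImagePath) pairs as read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SERVICES = [
    ("Dhcp", r"%SystemRoot%\System32\svchost.exe -k LocalService"),
    ("ExampleSvc", r"C:\Windows\qzxwv.exe"),
    ("ExampleSvc2", r'"C:\Program Files\abcde\qzxwv.exe"'),
    ("VendorAgent", r'"C:\Program Files\Vendor\Agent\bin\agent.exe" --svc'),
    ("ExampleDrv", r"\SystemRoot\System32\drivers\example.sys"),
]
# Known-good paths (normalized, lower case) from a clean reference image.
BASELINE = {r"c:\windows\system32\svchost.exe"}

if __name__ == "__main__":
    print(hunt(SERVICES, BASELINE))
```
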
The trojan launches the following processes:
- %systemdrive%\Program Files\Internet Explorer\IEXPLORE.EXE
The trojan creates and runs a new thread with its own code within these running processes.
After the installation is complete, the trojan deletes the original executable file.
Information stealing
Win32/Hupigon is a trojan that steals sensitive information.
The trojan collects the following information:
- operating system version
- computer name
- CPU information
- memory status
- user name
- the path to specific folders
- current screen resolution
- network adapter information
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The TCP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- update itself to a newer version
- send files to a remote computer
- capture screenshots
- capture webcam video/voice
- send the list of running processes to a remote computer
- terminate running processes
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- open ports
- set up a proxy server
- delete folders
- create folders
- move files
- delete files
- create Registry entries
- delete Registry entries
- steal information from the Windows clipboard
- start/stop services
- shut down/restart the computer
- log off the current user
- uninstall itself
- perform DoS/DDoS attacks
- spread via removable drives
Threat Variants with Description
Threat Variant Name | Date Added | Threat Type
Win32/Hupigon.NTV | 2010-04-02 | trojan