Win32/Hupigon [Threat Name]

Detection created 2004-07-22
World activity peak 2008-08-09 (1.46 %)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %windir%\%variable1%.exe
  • %programfiles%\%variable1%.exe
  • %windir%\%variable2%\%variable1%.exe
  • %programfiles%\%variable2%\%variable1%.exe

The trojan registers itself as a system service using the following name:

  • %variable3%

A string with variable content is used instead of %variable1-3%.


This causes the trojan to be executed on every system start.
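
The drop locations and service registration described above give a simple triage check for defenders: list the services whose executable sits directly in %windir% or %programfiles%, or exactly one folder below, and is not part of a known-good baseline. The following is an added example, not part of the original description; the function names, the default directory values, the baseline approach and the sample services are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed default locations; on a live host read them from the environment.
BASES = {"%windir%": r"C:\Windows", "%programfiles%": r"C:\Program Files"}
EXPAND = {"%systemroot%": BASES["%windir%"], "\\systemroot": BASES["%windir%"], **BASES}

def exe_from_image_path(image_path):
    """Return the executable a service ImagePath points to, arguments removed."""
    p = image_path.strip()
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?:\s|$)', p, re.IGNORECASE)
    if m:
        p = m.group(1) or m.group(2)
    for prefix, base in EXPAND.items():
        if p.lower().startswith(prefix):
            p = base + p[len(prefix):]
    return PureWindowsPath(p)

def matching_drop_pattern(image_path):
    """Name the documented drop location the path fits, or None."""
    exe = exe_from_image_path(image_path)
    if exe.suffix.lower() != ".exe":
        return None
    parts = [s.lower() for s in exe.parts]
    for var, base in BASES.items():
        root = [s.lower() for s in PureWindowsPath(base).parts]
        depth = len(parts) - len(root)  # 1: file in base, 2: one folder below
        if parts[:len(root)] == root and depth in (1, 2):
            return var + "\\%variable2%" * (depth - 1) + "\\%variable1%.exe"
    return None

def triage(services, baseline):
    """Services that fit a drop pattern and are absent from a known-good baseline."""
    hits = {}
    for name, image_path in services.items():
        exe = str(exe_from_image_path(image_path)).lower()
        pattern = matching_drop_pattern(image_path)
        if pattern and exe not in baseline:
            hits[name] = pattern
    return hits

# Constructed sample data: service name -> ImagePath registry value.
SERVICES = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "ExampleSvcA": r'"C:\Program Files\qwkzt.exe"',
    "ExampleSvcB": r"%SystemRoot%\mxpd\rtlq.exe -s",
}
BASELINE = {r"c:\windows\system32\spoolsv.exe"}
```

Legitimate Windows services also live one folder below %windir% (System32), so the path pattern alone is not an indicator; the baseline comparison is what narrows the list to candidates worth inspecting.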


The trojan launches the following processes:

  • %systemdrive%\Program Files\Internet Explorer\IEXPLORE.EXE

The trojan creates and runs a new thread with its own code within these running processes.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Hupigon is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • computer name
  • CPU information
  • memory status
  • user name
  • the path to specific folders
  • current screen resolution
  • network adapter information

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The TCP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • update itself to a newer version
  • send files to a remote computer
  • capture screenshots
  • capture webcam video/voice
  • send the list of running processes to a remote computer
  • terminate running processes
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • open ports
  • set up a proxy server
  • delete folders
  • create folders
  • move files
  • delete files
  • create Registry entries
  • delete Registry entries
  • steal information from the Windows clipboard
  • start/stop services
  • shut down/restart the computer
  • log off the current user
  • uninstall itself
  • perform DoS/DDoS attacks
  • spread via removable drives

Threat Variants with Description

Threat Variant Name    Date Added    Threat Type
Win32/Hupigon.NTV      2010-04-02    trojan
