(Backdoor.Graybird, Backdoor.Pigeon)


Internet traffic while no user program is accessing the network.
Presence of common Windows processes (iexplore.exe, calc.exe ...) that have no window.
Presence of a Windows service whose description string contains Chinese characters.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Vlad Constantin Ilie, virus researcher

Technical Description:

Written in Delphi, often packed with various packers: Hmimys, NsPack, Svkp, UPX, AsPack and others.

When first executed, Hupigon copies itself to another location (usually the Windows folder) and then deletes the original file.
To ensure that it runs every time Windows starts, it installs its copy as a Windows service with the automatic startup type.

To hide its presence from process list viewers (taskmgr.exe, tasklist.exe ...) it starts a common Windows program (iexplore.exe, svchost.exe, services.exe ...) and overwrites that program's memory with its own code, so the malicious code runs under a legitimate process name (a technique now commonly called process hollowing).

Some variants use user-level rootkit techniques: they inject a DLL into every process, and that DLL hooks certain Windows API functions to hide the backdoor's files, processes and registry entries.

As a backdoor it provides functionality like: download and execute programs, keylogging, remote shell, desktop capturing, webcam capturing.
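The following triage script is an added example, not BitDefender's tooling or part of the original description. It applies two of the symptoms listed above (a service whose description contains Chinese characters, and an auto-start service whose binary was dropped directly into the Windows folder) to service records; the records here are constructed, and on a live host they would come from the output of Get-CimInstance Win32_Service.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Han ideograph blocks; a service description built from them is the symptom
# named above. Han is shared with Japanese and Korean, so treat a hit as a lead.
CJK_RANGES = (
    (0x3400, 0x4DBF),    # CJK Unified Ideographs Extension A
    (0x4E00, 0x9FFF),    # CJK Unified Ideographs
    (0xF900, 0xFAFF),    # CJK Compatibility Ideographs
    (0x20000, 0x2A6DF),  # CJK Unified Ideographs Extension B
)

@dataclass
class ServiceRecord:
    name: str
    start_mode: str    # Win32_Service.StartMode: "Auto", "Manual", "Disabled"
    description: str
    path_name: str     # Win32_Service.PathName: binary path, possibly quoted, plus arguments

def contains_cjk(text: str) -> bool:
    """True if any character of text is a Han ideograph."""
    return any(lo <= ord(ch) <= hi for ch in text for lo, hi in CJK_RANGES)

def service_binary(path_name: str) -> PureWindowsPath:
    """Extract the executable from a PathName value ('"C:\\a b\\x.exe" /arg' or 'C:\\x.exe -k y')."""
    s = path_name.strip()
    exe = s[1:s.index('"', 1)] if s.startswith('"') else s.split()[0]
    return PureWindowsPath(exe)

def binary_in_windows_root(path_name: str) -> bool:
    """True if the binary sits directly in the Windows folder (not System32/SysWOW64)."""
    parts = [p.lower() for p in service_binary(path_name).parts]  # e.g. ['c:\\', 'windows', 'x.exe']
    return len(parts) == 3 and parts[1] == "windows"

def hupigon_service_indicators(records):
    """Map service name -> matched symptoms; services with no match are omitted."""
    findings = {}
    for rec in records:
        reasons = []
        if contains_cjk(rec.description):
            reasons.append("description contains Chinese characters")
        if rec.start_mode.lower() == "auto" and binary_in_windows_root(rec.path_name):
            reasons.append("auto-start service whose binary lives directly in the Windows folder")
        if reasons:
            findings[rec.name] = reasons
    return findings

# Constructed sample records standing in for Get-CimInstance Win32_Service output.
SAMPLE_SERVICES = [
    ServiceRecord("Spooler", "Auto", "Loads files to memory for later printing.", r"C:\Windows\System32\spoolsv.exe"),
    ServiceRecord("Dnscache", "Auto", "Caches DNS names.", r"C:\Windows\system32\svchost.exe -k NetworkService"),
    ServiceRecord("SampleSvc", "Auto", "远程控制服务", r"C:\Windows\sample_service.exe"),  # constructed: both symptoms
    ServiceRecord("LocalizedApp", "Manual", "应用程序更新服务", r'"C:\Program Files\Vendor\updater.exe" /svc'),  # constructed: localized vendor service
]

if __name__ == "__main__":
    for name, reasons in hupigon_service_indicators(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

A service matching only the Chinese-description rule (like the constructed LocalizedApp record) deserves a look rather than automatic removal, since localized legitimate software produces the same string pattern.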