Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Backdoor:W32/Hupigon
[Summary] | [Detailed Description]

Name : Backdoor:W32/Hupigon
Alias:Backdoor.Gpigeon.GEN, BDS/Hupigon.Gen, Backdoor.Graybird, BKDR_HUPIGON.EVG, Mal/GrayBird
Type:Backdoor
Category:Malware
Platform:W32
Origin:CHINA
Radar

Summary
Backdoor:W32/Hupigon is a family of backdoor trojans. It allows a remote user access to the computer.
Back to the Top

Detailed Description
The backdoor's file is a PE executable. It is very rare if the variant is smaller than 299kB. The kit used to make this family of malware has default settings to pack the code as UPX. Unpacked the code size is 710kB. Hupigons are written with Borland Delphi.

When the backdoor's file is started, it copies itself as a file named something similar to "Hacker.com.cn.exe" in the Windows System folder and then creates the following startup key value in the Registry:

  • HKLM\System\CurrentControlSet\Services\system32
    ImagePath = C:\WINDOWS\Hacker.com.cn.exe

And it creates these keys:

  • HKLM\System\CurrentControlSet\Services\system32
  • HKLM\System\CurrentControlSet\Services\system32\Security

Overall, Hupigon variants have several different types of features. The following list is an example of some:

  • It allows others to access the computer
  • Allows for recording with the user's webcam
  • Can make the user's computer to attack various servers
  • Send victim's computer messages
  • Has rootkit functionality so it has a stealth component that hides files
  • Create logs from keystrokes, steals passwords, and sends this information to remote servers.

Typically, Hupigon clones itself to some installation path such as system32 and uses the following processes to make itself to look like a valid Windows program:

  • calc.exe
  • cmd.exe
  • mmc.exe
  • mspaint.exe
  • mstsc.exe
  • notepad.exe
  • osk.exe
  • sndrec.exe
  • sndvol32.exe
  • svchost.exe
  • winchat.exe

The kit that creates Hupigon variants has default settings to create mutexes. So many Hupigons have created mutexes which are in the following format:
  • xxx.com.cn_MUTEX
The "xxx" being a variable. Example: Hacker.com.cn_MUTEX

The following strings can typically be found in a Hupigon variant:

  • 6600.org
  • BEI_ZHU
  • GrayPigeon
  • Hacker.com.cn.exe
  • huaihuaitudou
  • Rejoice2007
  • woainisisi

Hupigon doesn't have any automatic mechanisms to spread itself, so it must be sent by its author via e-mail, through a website, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.

Hupigon Kit

As noted above, Hupigon variants are created using a kit. This kit software is maintained in a very professional fashion with a highly developed User Interface (UI).

The main UI of the kit can be seen below:



Many options can be set. The "Fast Configuration" shown below enable the following options:

  • Service name is rejoice44.exe
  • Installation path is Msinfo…
  • Password is 1234
  • Icon is taken from MS Media Player
  • Uses Internet Explorer to bypass firewall
  • Create mutex and remove installer from installer folder
  • Pack code by using UPX
  • Self/auto-clone protected installation path is "system32"
  • Executable is calc.exe



There is also a "rootkit" option available.

Other options including URL to DDoS:
Back to the Top



F-Secure Corporation

Last Modified: January 02, 2008