Backdoor:W32/Hupigon.OET
| Name: | Backdoor:W32/Hupigon.OET |
| Aliases: | BDS/Hupigon.Gen (Other); TrojanSpy:Win32/Logsnif.gen (Microsoft); BackDoor-AWQ.svr.gen.a (McAfee) |
| Size: | 326656 bytes |
| Category: | Malware |
| Type: | Backdoor |
| Platform: | W32 |
| Date of Discovery: | September 02, 2008 |
Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Details
File System Changes
Creates these files:
- %windir%\setuplog.bat
- %windir%\setuplog.DLL
- %windir%\uninstal.bat
Process Changes
Creates these processes:
- %windir%\setuplog.bat
- %windir%\system32\services.exe
- %windir%\system32\cmd.exe
Network Connections
Attempts to download files from:
- http://www.cnrmbcn.com/www/[...]/w.txt
Attempts to connect to:
- http://news.huigezi.com/[...]2006.htm
Registry Modifications
Sets these values:
HKLM\System\CurrentControlSet\Services\setuplog
Type = 00000110
Start = 00000002
ErrorControl = 00000000
ImagePath = C:\WINDOWS\setuplog.bat
DisplayName = setuplog
ObjectName = LocalSystem
Description = setuplog
HKLM\System\CurrentControlSet\Services\setuplog\Security
Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x00\x30\x00\x00\x00\x02\x00\x1C\x00\x01\x00\x00\x00\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00\x60\x00\x04\x00\x00\x00\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x23\x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00
HKCU\Software\Microsoft\Internet Connection Wizard
Completed = \x01\x00\x00\x00
HKCU\Software\Microsoft\Internet Explorer\Main
Check_Associations = no
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Cache = C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
Cookies = C:\Documents and Settings\LocalService\Cookies
History = C:\Documents and Settings\LocalService\Local Settings\History
Creates these keys:
HKLM\System\CurrentControlSet\Services\setuplog
HKLM\System\CurrentControlSet\Services\setuplog\Security
HKCU\Software\Microsoft\Internet Connection Wizard
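The Security value written under the setuplog service key is a binary self-relative SECURITY_DESCRIPTOR, which nobody can check by eye. The parser below is an added example, not part of the original F-Secure description: it decodes that exact byte string into owner, group, SACL and DACL entries so an analyst can see whether the service ACL was weakened. The byte string is copied from the value above; the service-right names, ACE types and well-known SID labels are the standard Windows constants, and the `who_can_reconfigure` helper is this example's own name for the check.

```python
import struct
from dataclasses import dataclass

# Security value of HKLM\System\CurrentControlSet\Services\setuplog\Security,
# copied byte for byte from the description above (168 bytes).
SETUPLOG_SD = (
    # SECURITY_DESCRIPTOR: Revision, Sbz1, Control, then Owner/Group/Sacl/Dacl offsets
    b"\x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x00\x30\x00\x00\x00"
    # SACL at 0x14: one SYSTEM_AUDIT ACE (failed access by Everyone)
    b"\x02\x00\x1C\x00\x01\x00\x00\x00"
    b"\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00"
    # DACL at 0x30: four ACCESS_ALLOWED ACEs
    b"\x02\x00\x60\x00\x04\x00\x00\x00"
    b"\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"
    b"\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00"
    b"\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00"
    b"\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x23\x02\x00\x00"
    # Owner SID at 0x90 and Group SID at 0x9C
    b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"
    b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"
)

# Service-specific and standard access-mask bits (winsvc.h / winnt.h).
SERVICE_RIGHTS = {
    0x0001: "QUERY_CONFIG", 0x0002: "CHANGE_CONFIG", 0x0004: "QUERY_STATUS",
    0x0008: "ENUMERATE_DEPENDENTS", 0x0010: "START", 0x0020: "STOP",
    0x0040: "PAUSE_CONTINUE", 0x0080: "INTERROGATE", 0x0100: "USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "LocalSystem",
    "S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users",
}


@dataclass
class Ace:
    ace_type: int
    flags: int
    mask: int
    sid: str

    def rights(self):
        return [name for bit, name in sorted(SERVICE_RIGHTS.items()) if self.mask & bit]


def parse_sid(buf, off):
    """Decode a binary SID: Revision, SubAuthorityCount, 6-byte big-endian authority, LE sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """Decode an ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2) and its ACEs."""
    if off == 0:
        return None
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append(Ace(ace_type, flags, mask, parse_sid(buf, pos + 8)))
        pos += size  # AceSize covers header, mask and SID
    return aces


def parse_sd(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR into a dict."""
    _rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    return {
        "control": control,  # 0x8014 = SELF_RELATIVE | SACL_PRESENT | DACL_PRESENT
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "sacl": parse_acl(buf, o_sacl),
        "dacl": parse_acl(buf, o_dacl),
    }


def who_can_reconfigure(sd):
    """SIDs granted CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER: anyone here can hijack or re-ACL the service."""
    dangerous = 0x0002 | 0x40000 | 0x80000
    return [a.sid for a in sd["dacl"] if a.ace_type == 0 and a.mask & dangerous]


def describe(sd):
    """One line for the owner and one per DACL entry, for a quick triage read."""
    lines = ["owner=%s (%s)" % (sd["owner"], WELL_KNOWN.get(sd["owner"], "?"))]
    for a in sd["dacl"]:
        lines.append("%s %s (%s): %s" % (ACE_TYPES.get(a.ace_type, a.ace_type), a.sid,
                                         WELL_KNOWN.get(a.sid, "?"), " ".join(a.rights())))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(parse_sd(SETUPLOG_SD))))
```

Running it shows that only Administrators receive CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, that Authenticated Users can query and interrogate the service but not start, stop or reconfigure it, and that the owner and group are LocalSystem: the backdoor is persisting through a plainly registered auto-start service, not through a loosened service ACL.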
Additional Details
This backdoor program may arrive as an executable file via direct download from the Internet, or as part of a trojan-downloader or trojan-dropper payload. This malware is compressed with BeRoEXEPacker v1.00.
On installation the malware writes its main components into setuplog.DLL and drops a copy of itself as setuplog.bat; the .bat extension is meant to keep the main malware file from being detected and removed by antivirus programs. After execution, the additional uninstal.bat file deletes the original dropped files, leaving only setuplog.dll and setuplog.bat on disk. The setuplog service entry listed above (Start = 2, i.e. auto-start; ImagePath pointing at the .bat; ObjectName = LocalSystem) is what brings the backdoor back at every boot with SYSTEM privileges.
Once installed, the backdoor first contacts a remote server to notify the malware operator that a new infection exists. If that connection succeeds, it tries ports on the infected host one after another until it finds one it can open for inbound connections, giving the remote operator a way into the infected system.
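The persistence described above (an auto-start service whose ImagePath is a batch file under %windir%, running as LocalSystem, with DisplayName and Description that merely repeat the key name) is easy to hunt for in an exported Services hive. The script below is an added example, not code from the original page. It parses a constructed, simplified .reg-style dump (string values only; a real export stores ImagePath as hex(2)) that contains the setuplog values from this description plus a made-up ExampleSvc entry for contrast, and reports the traits that make setuplog stand out. The trait list and its thresholds are this example's own choices, not anything the description prescribes.

```python
import re

# Constructed sample: the setuplog values from the description above, plus a
# made-up benign service. Simplified .reg syntax (strings instead of hex(2)).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\setuplog]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINDOWS\\setuplog.bat"
"DisplayName"="setuplog"
"ObjectName"="LocalSystem"
"Description"="setuplog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"DisplayName"="Example Service"
"ObjectName"="NT AUTHORITY\\LocalService"
"Description"="A benign, made-up service used for contrast."
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')

SERVICE_INTERACTIVE_PROCESS = 0x100  # Type flag; 0x110 = own process + interactive
SERVICE_AUTO_START = 2               # Start value
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def parse_reg(text):
    """Map service key name -> {value name: int or str} from a .reg-style export."""
    services, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {}
            services[m.group(1).rsplit("\\", 1)[-1]] = current
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # .reg escapes a backslash as two backslashes
            current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return services


def image_file(image_path):
    """Executable portion of an ImagePath (quoted path, or first token of an unquoted one)."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ")[0]  # unquoted paths containing spaces would need a smarter split


def triage(services):
    """Return {service: [reasons]} for every service with at least one suspicious trait."""
    findings = {}
    for name, v in services.items():
        reasons = []
        image = image_file(str(v.get("ImagePath", "")))
        low = image.lower()
        if low.endswith(SCRIPT_EXTS):
            reasons.append("image is a script, not a PE")
        if "\\system32\\" not in low and "\\syswow64\\" not in low:
            reasons.append("image outside system32")
        if v.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
            reasons.append("interactive service type")
        if v.get("Start") == SERVICE_AUTO_START and v.get("ObjectName") == "LocalSystem":
            reasons.append("auto-start as LocalSystem")
        if v.get("DisplayName") == name and v.get("Description") == name:
            reasons.append("DisplayName and Description just repeat the key name")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in triage(parse_reg(SAMPLE_REG)).items():
        print(svc + ": " + "; ".join(reasons))
```

Only setuplog is reported, on all five traits; the image-outside-system32 trait on its own is noisy on real hosts (third-party services live under Program Files), so treat it as a weight rather than a verdict and look hardest at services that stack several traits.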
Once a remote user has gained access, any of the following actions can be performed on the infected system:
- Retrieve system information (Registeredorganization, RegisteredOwner, productID, productkey, ProductName, Date and Time)
- Retrieve registry information
- Download files
- Log keystrokes
- Communicate via telnet
- Capture screen into picture file (BMP)
- Capture screen into video (AVI)