Name :	Backdoor:W32/Hupigon.OET
Aliases :	BDS/Hupigon.Gen (Other) TrojanSpy:Win32/Logsnif.gen (Microsoft) BackDoor-AWQ.svr.gen.a (McAfee)
Size:	326656
Category:	Malware
Type:	Backdoor
Platform:	W32
Date of Discovery:	September 02, 2008

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

File System Changes
Creates these files:




Process Changes
Creates these processes:



These modules were loaded into other processes:



Creates these mutexes:




Network Connections
Attempts to download files from:



Attempts to connect to:




Registry Modifications
Sets these values:

HKLM\System\CurrentControlSet\Services\setuplog
Type = 00000110
Start = 00000002
ErrorControl = 00000000
ImagePath = C:\WINDOWS\setuplog.bat
DisplayName = setuplog
ObjectName = LocalSystem
Description = setuplog

HKLM\System\CurrentControlSet\Services\setuplog\Security
Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x00\x30\x00\x00\x00\x02\x00\x1C\x00\x01\x00\x00\x00\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00\x60\x00\x04\x00\x00\x00\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x23\x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00

HKCU\Software\Microsoft\Internet Connection Wizard
Completed = \x01\x00\x00\x00

HKCU\Software\Microsoft\Internet Explorer\Main
Check_Associations = no

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Cache = C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
Cookies = C:\Documents and Settings\LocalService\Cookies
History = C:\Documents and Settings\LocalService\Local Settings\History

Creates these keys:

HKLM\System\CurrentControlSet\Services\setuplog
HKLM\System\CurrentControlSet\Services\setuplog\Security
HKCU\Software\Microsoft\Internet Connection Wizard

This backdoor program may arrive as an executable file via direct download from the Internet, or as part of a trojan-downloader or trojan-dropper payload. This malware is compressed with BeRoEXEPacker v1.00.

Upon installation, the malware will create a setuplog.DLL file to contain the main malware files. It will also create a copy of itself in the setuplog.bat file, in an attempt to protect the main malware file from detection and destruction by antivirus programs. After execution, an additional created uninstal.bat file will remove the original malware files, leaving only the setuplog.dll and setuplog.bat files.

Once installed, the backdoor program first attempts to connect to a remote server, to notify the malware author that an infection has taken place. If successfully connected, it then incrementally scans one port after another on the host machine to find an open one that would allow a remote user to connect to the infected system.

Once a remote user has gained access, any of the following actions can be performed on the infected system:

* Retrieve system information (Registeredorganization, RegisteredOwner, productID, productkey, ProductName, Date and Time)
* Retrieve registry information
* Download files
* Log keystrokes
* Communicate via telnet
* Capture screen into picture file (BMP)
* Capture screen into video (AVI)