Upon execution, this Hupigon variant creates the following files:
Only the file called "b.exe" is executed, which is detected as Backdoor:W32/Hupigon.OGA.
It modifies and executes the driver %systemdir%\drivers\beep.sys with its own kernel rootkit component.
The modified beep.sys file is detected as Rootkit:W32/Agent.UI
After the execution of Rootkit:W32/Agent.UI, Hupigon.OGA then restores the original data of the beep.sys file.
It then drops a copy itself to the following directory:
It executes sodata.exe as a driver.
The following Registry key are then created:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data
Type = dword:00000110
Start = dword:00000002
ErrorControl = dword:00000000
ImagePath = "%programdir%\ime\sodata.exe"
DisplayName = "Windows data"
ObjectName = "LocalSystem"
Description = "