Threat Description

Backdoor:W32/Hupigon.OGA

Details

Aliases:Backdoor.Win32.Hupigon.dsbm
Category:Malware
Type:Backdoor
Platform:W32

Summary



A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Upon execution, this Hupigon variant creates the following files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe

Only the file called "b.exe" is executed; it is the component detected as Backdoor:W32/Hupigon.OGA. It overwrites the legitimate driver %systemdir%\drivers\beep.sys with its own kernel-mode rootkit component and then loads the modified driver into the kernel. The modified beep.sys file is detected as Rootkit:W32/Agent.UI.

Once Rootkit:W32/Agent.UI has been loaded, Hupigon.OGA restores the original contents of the beep.sys file. A later on-disk scan of beep.sys therefore finds a clean file, while the rootkit code remains loaded in the kernel. It then drops a copy of itself to the following location:

  • %Programdir%\ime\sodata.exe

It then registers sodata.exe as a service by creating the following Registry key and values. Note that the Type value 0x110 is SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS and Start 2 is SERVICE_AUTO_START, so this is a user-mode service started automatically as LocalSystem, not a kernel driver:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data
    Type = dword:00000110
    Start = dword:00000002
    ErrorControl = dword:00000000
    ImagePath = "%programdir%\ime\sodata.exe"
    DisplayName = "Windows data"
    ObjectName = "LocalSystem"
    Description = "
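As an added illustration, not F-Secure's tooling and not part of the original description, the following Python hunts for the persistence artifacts listed above. It parses a regedit-style export of the Services key, decodes the service Type bits (showing why 0x110 is a Win32 service rather than a driver), and flags the "Windows data" entry and the dropped files. The service name and path indicators come from the description; the registry export, the file list and the "Beep" entry are constructed samples, and the parser only handles the dword and quoted-string value kinds that the sample uses.

```python
"""Hunt for Hupigon.OGA persistence artifacts (added example, not F-Secure code).

Parses a "regedit /e"-style export of HKLM\SYSTEM\CurrentControlSet\Services
and a list of file paths, then reports the "Windows data" service and the
dropped files described in the threat write-up.
"""
import re

# Service Type bits from winnt.h; 0x110 decodes to OWN_PROCESS | INTERACTIVE.
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}

# Indicators from the description. %windir% / %programdir% vary per host, so
# only the trailing path components are compared (case-insensitively).
DROPPED_FILE_SUFFIXES = (r"\temp\a.exe", r"\temp\b.exe", r"\ime\sodata.exe")
SERVICE_IMAGE_SUFFIX = r"\ime\sodata.exe"
SERVICE_NAME = "windows data"

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample export (not captured from an infected host). Strings are
# written as quoted values; a real export may use hex(2) for REG_EXPAND_SZ.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Program Files\\ime\\sodata.exe"
"DisplayName"="Windows data"
"ObjectName"="LocalSystem"
"""

# Constructed file listing, e.g. from a forensic image or "dir /s /b".
SAMPLE_FILE_LIST = [
    r"C:\WINDOWS\temp\a.exe",
    r"C:\WINDOWS\temp\b.exe",
    r"C:\WINDOWS\system32\drivers\beep.sys",
    r"C:\Program Files\ime\sodata.exe",
    r"C:\Program Files\Common Files\readme.txt",
]

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {service_name: {value_name: value}} for direct children of Services."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            name = key[len(SERVICES_PREFIX):]
            # Keep only top-level service keys, not e.g. Services\Foo\Parameters.
            if key.lower().startswith(SERVICES_PREFIX.lower()) and "\\" not in name:
                current = name
                services[current] = {}
            else:
                current = None
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        vname, data = m.groups()
        if data.lower().startswith("dword:"):
            services[current][vname] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # Undo regedit's escaping of backslashes and quotes.
            services[current][vname] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return services


def decode_service_type(value):
    """Names of the Type bits set in value, lowest bit first."""
    return [n for bit, n in sorted(SERVICE_TYPE_FLAGS.items()) if value & bit]


def find_hupigon_services(services):
    """Flag services whose name or ImagePath matches the persistence entry above."""
    hits = []
    for name, vals in services.items():
        image = str(vals.get("ImagePath", "")).strip('"')
        reasons = []
        if SERVICE_NAME in (name.lower(), str(vals.get("DisplayName", "")).lower()):
            reasons.append("service name matches 'Windows data'")
        if image.lower().endswith(SERVICE_IMAGE_SUFFIX):
            reasons.append("ImagePath ends with " + SERVICE_IMAGE_SUFFIX)
        if reasons:
            hits.append({"service": name, "image": image,
                         "type": decode_service_type(vals.get("Type", 0)),
                         "reasons": reasons})
    return hits


def find_dropped_files(paths):
    """Sorted list of paths that end with one of the dropped-file indicators."""
    return sorted(p for p in paths if p.lower().endswith(DROPPED_FILE_SUFFIXES))


if __name__ == "__main__":
    svc = parse_reg_export(SAMPLE_REG_EXPORT)
    for hit in find_hupigon_services(svc):
        print(f"[!] service '{hit['service']}' -> {hit['image']} type={hit['type']}")
        for r in hit["reasons"]:
            print("    reason:", r)
    for f in find_dropped_files(SAMPLE_FILE_LIST):
        print("[!] dropped file:", f)
```

Because the variant restores beep.sys after loading the rootkit, checking that file's hash on disk is not a reliable indicator; the service entry and the copy under %programdir%\ime are the durable artifacts to hunt for, and the decoded Type bits confirm the persistence is a user-mode service rather than a driver.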

File System Changes

Creates these files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe
  • %Programdir%\ime\sodata.exe

Temporarily modifies, then restores:

  • %systemdir%\drivers\beep.sys
