Backdoor:W32/Hupigon.OGA

Name: Backdoor:W32/Hupigon.OGA
Detection Names: Backdoor:W32/Hupigon.OGA, Backdoor.Win32.Hupigon.dsbm
Category: Malware
Type: Backdoor
Platform: W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.

Details


File System Changes
Creates these files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe


Additional Details

Upon execution, this Hupigon variant creates the following files:
  • %windir%\temp\a.exe
  • %windir%\temp\b.exe

Only the file called "b.exe" is executed; it is detected as Backdoor:W32/Hupigon.OGA.
It modifies and executes the driver %systemdir%\drivers\beep.sys with its own kernel rootkit component.
The modified beep.sys file is detected as Rootkit:W32/Agent.UI.
After the execution of Rootkit:W32/Agent.UI, Hupigon.OGA restores the original contents of the beep.sys file.
It then drops a copy of itself to the following location:
  • %Programdir%\ime\sodata.exe

It executes sodata.exe as a driver.
The following registry key is then created:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data
    Type         = dword:00000110
    Start        = dword:00000002
    ErrorControl = dword:00000000
    ImagePath    = "%programdir%\ime\sodata.exe"
    DisplayName  = "Windows data"
    ObjectName   = "LocalSystem"
    Description = "
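The service key above is a durable artifact that can be checked offline from a registry export. The following Python script is an added example (not part of the original write-up) that parses a constructed, simplified `reg export`-style dump of the Services hive, flags the specific indicators from this description (a service named "Windows data" or an ImagePath ending in `\ime\sodata.exe`), and also applies a generic heuristic for auto-start (Start=2) interactive Win32 services (Type with bit 0x100 set) that run from outside System32. The sample data and the heuristic thresholds are assumptions; string values are written as plain quoted strings rather than the hex(2) encoding a real export uses for REG_EXPAND_SZ.

```python
import re
from typing import Dict, List

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export: one benign driver entry and the service key from the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Program Files\\ime\\sodata.exe"
"DisplayName"="Windows data"
"ObjectName"="LocalSystem"
'''

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here: [key] headers, "name"=dword:XXXXXXXX and "name"="string"."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := re.match(r"^\[(.+)\]$", line)):
            current = m.group(1)
            keys[current] = {}
        elif current and (m := re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            keys[current][m.group(1)] = int(m.group(2), 16)
        elif current and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_suspicious_services(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding string per service key that matches the indicators or the heuristic."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_ROOT.lower() + "\\"):
            continue
        name = key.rsplit("\\", 1)[1]
        image = str(values.get("ImagePath", "")).lower()
        # Direct indicators from the Hupigon.OGA description above.
        if name.lower() == "windows data" or image.endswith("\\ime\\sodata.exe"):
            findings.append(f"{name}: Hupigon.OGA indicator, ImagePath={values.get('ImagePath')}")
        # Generic heuristic: auto-start, interactive Win32 service whose image lives outside System32.
        elif values.get("Start") == 2 and int(values.get("Type", 0)) & 0x100 and "system32" not in image:
            findings.append(f"{name}: auto-start interactive service outside System32, ImagePath={values.get('ImagePath')}")
    return findings
```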