Backdoor:W32/Hupigon.OGA

Name: Backdoor:W32/Hupigon.OGA
Detection Names: Backdoor:W32/Hupigon.OGA, Backdoor.Win32.Hupigon.dsbm
Category: Malware
Type: Backdoor
Platform: W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.

Details


File System Changes
Creates these files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe


Additional Details

Upon execution, this Hupigon variant creates the following files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe

Only the file called "b.exe" is executed, which is detected as Backdoor:W32/Hupigon.OGA.

It modifies the driver %systemdir%\drivers\beep.sys, replacing its contents with its own kernel-mode rootkit component, and then executes the modified driver.

The modified beep.sys file is detected as Rootkit:W32/Agent.UI.

After the execution of Rootkit:W32/Agent.UI, Hupigon.OGA then restores the original data of the beep.sys file.

It then drops a copy of itself to the following location:

  • %Programdir%\ime\sodata.exe

It executes sodata.exe as a driver.

The following Registry key is then created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data
      Type = dword:00000110
      Start = dword:00000002
      ErrorControl = dword:00000000
      ImagePath = "%programdir%\ime\sodata.exe"
      DisplayName = "Windows data"
      ObjectName = "LocalSystem"
      Description = "
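As an added example (not part of the original advisory or any vendor tooling), the script below turns the indicators listed above into an offline check: it parses a registry export in Regedit 5.00 (.reg) syntax, flags a service whose key name, DisplayName or ImagePath matches the "Windows data" service described here, and matches a list of observed file paths against the dropped-file names. The .reg text and the observed paths are constructed for the example; the expanded paths (C:\Windows, C:\Program Files) are assumptions standing in for %windir% and %programdir%.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the advisory text above.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data"
DISPLAY_NAME = "Windows data"
PAYLOAD_SUFFIX = r"\ime\sodata.exe"
# Dropped-file names, compared case-insensitively against the tail of observed paths.
DROPPED_FILE_SUFFIXES = (r"\temp\a.exe", r"\temp\b.exe", r"\ime\sodata.exe")

# Constructed registry export: one benign service plus a key shaped like the
# advisory's "Windows data" service. Expanded paths are assumptions.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"
"DisplayName"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Program Files\\ime\\sodata.exe"
"DisplayName"="Windows data"
"ObjectName"="LocalSystem"
'''

# Constructed list of paths, as a file-system inventory might report them.
SAMPLE_OBSERVED_FILES = [
    r"C:\Windows\notepad.exe",
    r"C:\Windows\Temp\b.exe",
    r"C:\Program Files\ime\sodata.exe",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles dword values (as int) and quoted strings (backslash-unescaped)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, raw_value = value_match.groups()
            if raw_value.startswith("dword:"):
                keys[current][name] = int(raw_value[len("dword:"):], 16)
            elif len(raw_value) >= 2 and raw_value[0] == '"' and raw_value[-1] == '"':
                keys[current][name] = raw_value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = raw_value
    return keys


def service_findings(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Return (key, reasons) for every service key matching the advisory's indicators."""
    findings = []
    for key, values in keys.items():
        reasons = []
        if key.lower() == SERVICE_KEY.lower():
            reasons.append("service key name matches advisory")
        if values.get("DisplayName") == DISPLAY_NAME:
            reasons.append("DisplayName is '%s'" % DISPLAY_NAME)
        image = str(values.get("ImagePath", "")).strip('"').lower()
        if image.endswith(PAYLOAD_SUFFIX.lower()):
            reasons.append("ImagePath ends with " + PAYLOAD_SUFFIX)
        # Type 0x110 / Start 2 are common on their own, so they only corroborate a hit.
        if reasons and values.get("Type") == 0x110 and values.get("Start") == 2:
            reasons.append("Type=0x110 and Start=2 (auto-start), as in the advisory")
        if reasons:
            findings.append((key, reasons))
    return findings


def file_findings(observed_paths: List[str]) -> List[str]:
    """Return the observed paths whose tail matches one of the dropped-file names."""
    suffixes = tuple(s.lower() for s in DROPPED_FILE_SUFFIXES)
    return [p for p in observed_paths if p.lower().endswith(suffixes)]


if __name__ == "__main__":
    for key, reasons in service_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("suspicious service:", key, "->", "; ".join(reasons))
    for path in file_findings(SAMPLE_OBSERVED_FILES):
        print("dropped-file indicator:", path)
```

One caveat the advisory itself implies: because the original beep.sys contents are restored after the rootkit component has run, comparing the on-disk driver against a known-good hash will usually come back clean after the fact, so the persistent service entry and the sodata.exe copy are the more durable artifacts to look for.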