Threat description




A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Hupigon variants are backdoor programs, which provide an attacker with access to, and control of, an infected machine. There are a large number of variants in the Hupigon family.

The backdoor's file is a PE executable. The file may be packed with UPX. Unpacked, the code size is 710kB. It is very rare for a Hupigon variant to be smaller than 299kB.

Hupigons are written with Borland Delphi.

The following text strings can typically be found in a Hupigon variant:

  • GrayPigeon
  • huaihuaitudou
  • Rejoice2007
  • woainisisi

When the backdoor's file is started, it copies itself as a file named something similar to "" in the Windows System folder and then uses the following processes to make itself to look like a valid Windows program:

  • calc.exe
  • cmd.exe
  • mmc.exe
  • mspaint.exe
  • mstsc.exe
  • notepad.exe
  • osk.exe
  • sndrec.exe
  • sndvol32.exe
  • svchost.exe
  • winchat.exe

It also makes a number of additions to the registry.


Hupigon variants have several different types of features. The following list is an example of some:

  • It allows others to access the computer
  • Allows for recording with the user's webcam
  • Can make the user's computer to attack various servers
  • Send victim's computer messages
  • Has rootkit functionality so it has a stealth component that hides files
  • Create logs from keystrokes, steals passwords, and sends this information to remote servers

Hupigon doesn't have any automatic mechanisms to spread itself. It must be sent by its author via e-mail, through a website, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.

Creating Hupigon Variants

Hupigon variants are created using kit software. The kit is maintained in a very professional fashion with a highly developed User Interface (UI).

The main UI of the kit can be seen below:

Many options can be set. The "Fast Configuration" shown below enable the following options:

  • Service name is rejoice44.exe
  • Installation path is Msinfo…
  • Password is 1234
  • Icon is taken from MS Media Player
  • Uses Internet Explorer to bypass firewall
  • Create mutex and remove installer from installer folder
  • Pack code by using UPX
  • Self/auto-clone protected installation path is "system32"
  • Executable is calc.exe

There is also a "rootkit" option available. Other options including adding a URL to target for a Distributed Denial of Service (DDoS) attack:

The kit as default settings to create mutexes. Many Hupigon variants therefore create mutexes in the following format:


The "xxx" being a variable, for example:

Registry Modifications

Creates these keys:

  • HKLM\System\CurrentControlSet\Services\system32 ImagePath = C:\WINDOWS\
  • HKLM\System\CurrentControlSet\Services\system32
  • HKLM\System\CurrentControlSet\Services\system32\Security

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info