Threat description


Category: Malware
Type: Backdoor
Platform: W32
Aliases: Backdoor:W32/Hupigon


A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


More information on scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Hupigon variants are backdoor programs, which provide an attacker with access to, and control of, an infected machine. There are a large number of variants in the Hupigon family.

The backdoor's file is a PE executable. The file may be packed with UPX. Unpacked, the code size is 710kB. It is very rare for a Hupigon variant to be smaller than 299kB.

Hupigons are written with Borland Delphi.

The following text strings can typically be found in a Hupigon variant:

  • GrayPigeon
  • huaihuaitudou
  • Rejoice2007
  • woainisisi


When the backdoor's file is started, it copies itself as a file named something similar to "" in the Windows System folder and then uses the following processes to make itself to look like a valid Windows program:

  • calc.exe
  • cmd.exe
  • mmc.exe
  • mspaint.exe
  • mstsc.exe
  • notepad.exe
  • osk.exe
  • sndrec.exe
  • sndvol32.exe
  • svchost.exe
  • winchat.exe

It also makes a number of additions to the registry.


Hupigon variants have several different types of features. The following list is an example of some:

  • It allows others to access the computer
  • Allows for recording with the user's webcam
  • Can make the user's computer to attack various servers
  • Send victim's computer messages
  • Has rootkit functionality so it has a stealth component that hides files
  • Create logs from keystrokes, steals passwords, and sends this information to remote servers


Hupigon doesn't have any automatic mechanisms to spread itself. It must be sent by its author via e-mail, through a website, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.

Creating Hupigon Variants

Hupigon variants are created using kit software. The kit is maintained in a very professional fashion with a highly developed User Interface (UI).

The main UI of the kit can be seen below:

Many options can be set. The "Fast Configuration" shown below enable the following options:

  • Service name is rejoice44.exe
  • Installation path is Msinfo…
  • Password is 1234
  • Icon is taken from MS Media Player
  • Uses Internet Explorer to bypass firewall
  • Create mutex and remove installer from installer folder
  • Pack code by using UPX
  • Self/auto-clone protected installation path is "system32"
  • Executable is calc.exe

There is also a "rootkit" option available. Other options including adding a URL to target for a Distributed Denial of Service (DDoS) attack:

The kit as default settings to create mutexes. Many Hupigon variants therefore create mutexes in the following format:


The "xxx" being a variable, for example:

Registry Modifications

Creates these keys:

  • HKLM\System\CurrentControlSet\Services\system32 ImagePath = C:\WINDOWS\
  • HKLM\System\CurrentControlSet\Services\system32
  • HKLM\System\CurrentControlSet\Services\system32\Security


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More