Threat Description

Backdoor:​W32/​Hupigon.OGA

Details

Aliases: Backdoor.Win32.Hupigon.dsbm
Category: Malware
Type: Backdoor
Platform: W32

Summary


A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


Upon execution, this Hupigon variant creates the following files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe

Only the file called "b.exe" is executed, which is detected as Backdoor:W32/Hupigon.OGA.It modifies and executes the driver %systemdir%\drivers\beep.sys with its own kernel rootkit component.The modified beep.sys file is detected as Rootkit:W32/Agent.UI.

After the execution of Rootkit:W32/Agent.UI, Hupigon.OGA then restores the original data of the beep.sys file.It then drops a copy itself to the following directory:

  • %Programdir%\ime\sodata.exe

It executes sodata.exe as a driver.The following Registry key are then created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows data Type = dword:00000110 Start = dword:00000002 ErrorControl = dword:00000000 ImagePath = "%programdir%\ime\sodata.exe" DisplayName = "Windows data" ObjectName = "LocalSystem" Description = "
File System Changes

Creates these files:

  • %windir%\temp\a.exe
  • %windir%\temp\b.exe





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More