W32/Hupigon.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 04/18/2007
- Length: Varies
- Minimum DAT: 5013 (04/19/2007)
- Updated DAT: 5911 (03/05/2010)
- Minimum Engine: 5.1.00
- Description Added: 04/18/2007
- Description Modified: 03/03/2010 10:16 PM (PT)
Characteristics
Upon execution, the worm copies itself to the following location. The file name imitates the legitimate Local Security Authority Subsystem Service binary, which only ever lives in %Windir%\System32; an lsass.exe directly under %Windir% is not legitimate.
- %Windir%\lsass.exe
Some variants of this worm add the following registry keys, which register the dropped copy as an automatically started service (Start = 2) running as SYSTEM (ObjectName = LocalSystem). The service name and display name imitate the legitimate Kerberos Key Distribution Center service (Kdc), which exists only on domain controllers.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kkdc
"DisplayName" = "Kerberos Key Distribution Centers"
"ErrorControl" = 0
"ImagePath" = "%Windir%S\lsass.exe -netsvcs"
"ObjectName" = "LocalSystem"
"Start" = 2
"Description" = (Chinese string)
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kkdc
"DisplayName" = "Kerberos Key Distribution Centers"
"ErrorControl" = 0
"ImagePath" = "%Windir%S\lsass.exe -netsvcs"
"ObjectName" = "LocalSystem"
"Start" = 2
"Description" = (Chinese string)
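The following triage script is an added example, not part of the McAfee description. It checks a Windows host for the persistence artifacts listed above: the dropped copy, the kkdc service key in both control sets, any other service whose ImagePath points at an lsass.exe outside System32, and any running lsass.exe whose image is not the genuine one. The service name, display name and dropped path are taken from the description; the checks themselves, the System32 comparison and the SHA256 reporting are this example's own assumptions about what a responder wants to see. Run it from an elevated PowerShell.

```powershell
# Added triage example, not part of the McAfee description: checks a Windows host
# for the W32/Hupigon.worm persistence artifacts. Run from an elevated PowerShell.
# Service name, display name and dropped path are taken from the description;
# the checks themselves and the System32 comparison are this example's own.

$ServiceName = 'kkdc'
$DroppedFile = Join-Path $env:windir 'lsass.exe'           # %Windir%\lsass.exe (the worm's copy)
$LegitLsass  = Join-Path $env:windir 'System32\lsass.exe'  # the only place the real LSASS binary lives

$findings = @()

# 1. The dropped copy. Any lsass.exe directly under %Windir% is illegitimate.
if (Test-Path -LiteralPath $DroppedFile) {
    $hash = (Get-FileHash -LiteralPath $DroppedFile -Algorithm SHA256).Hash
    $findings += "Dropped file present: $DroppedFile (SHA256 $hash)"
}

# 2. The named service key, in the live control set and in ControlSet001 (both listed above).
foreach ($set in 'CurrentControlSet', 'ControlSet001') {
    $key = "HKLM:\SYSTEM\$set\Services\$ServiceName"
    if (Test-Path -LiteralPath $key) {
        $svc = Get-ItemProperty -LiteralPath $key
        $findings += "Service key present: $key"
        $findings += "  DisplayName = $($svc.DisplayName)"
        $findings += "  ImagePath   = $($svc.ImagePath)"
        $findings += "  ObjectName  = $($svc.ObjectName)   (LocalSystem = runs as SYSTEM)"
        $findings += "  Start       = $($svc.Start)   (2 = SERVICE_AUTO_START)"
    }
}

# 3. Any service, whatever its name, whose ImagePath runs an lsass.exe outside System32.
#    Legitimate services hosted in LSASS (SamSs, KeyIso, ...) point at System32\lsass.exe,
#    so this catches variants that pick a different service name but keep the masquerade.
foreach ($svcKey in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -LiteralPath $svcKey.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -and $p.ImagePath -match 'lsass\.exe' -and $p.ImagePath -notmatch 'System32\\lsass\.exe') {
        $findings += "Suspicious ImagePath on service '$($svcKey.PSChildName)': $($p.ImagePath)"
    }
}

# 4. A running process called lsass.exe whose image is not System32\lsass.exe.
#    Path is $null for processes the caller cannot open, so run elevated for full coverage.
foreach ($proc in Get-Process -Name lsass -ErrorAction SilentlyContinue) {
    if ($proc.Path -and $proc.Path -ne $LegitLsass) {
        $findings += "lsass.exe running from unexpected path: $($proc.Path) (PID $($proc.Id))"
    }
}

if ($findings.Count -eq 0) { 'No W32/Hupigon.worm persistence artifacts found.' } else { $findings }
```

Check 3 is the one worth keeping in a general-purpose baseline: the kkdc name is specific to these variants, but a service whose ImagePath names lsass.exe anywhere other than System32 is suspicious regardless of which family dropped it. String comparisons in PowerShell are case-insensitive by default, so the %Windir%/%SystemRoot% casing differences between Join-Path output and registry data do not matter here.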
The worm attempts to connect to the following remote hosts over HTTP and waits for commands. Both names are under 3322.org, a dynamic DNS service, so the IP addresses they resolve to can change at any time; block or alert on the names rather than on a single address.
- ekai[removed].3322.org
- ttos[removed].3322.org
Once the backdoor is running, the remote operator can perform various tasks, including:
- Run files
- Retrieve information about the victim machine (OS, CPU, memory, etc.)
- Log keystrokes
Some variants of this worm terminate the following processes, most of which belong to antivirus and personal-firewall products:
- EGHOST.EXE
- KavPFW.EXE
- KPFW32.EXE
- RfwMain.EXE
- RRfwMain.EXE
- PFW.exe
- ewido.exe
- SysSafe.exe
- FireWall.exe
- kpf4gui.exe
- jpf.exe
- ssgui.exe
- outpost.exe
- FYFireWall.exe
- runiep.exe
- Ras.exe
- kav.exe
- avp.exe
- avpcc.exe
- mmc.exe (Microsoft Management Console, which hosts services.msc and other administrative snap-ins)
Symptoms
- Existence of files and registry keys mentioned.
Method of Infection
The worm copies the following files to the root of removable drives. The autorun.inf causes Windows AutoRun to launch autorun.pif when the drive is inserted into a machine where AutoRun is enabled for removable media; disabling it (the NoDriveTypeAutoRun policy under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) stops the automatic launch, though a user can still run the file by hand.
- autorun.pif (a copy of this worm)
- autorun.inf
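The following script is an added example, not part of the McAfee description. It inspects every removable drive for the autorun.inf / autorun.pif pair described above and reports what the autorun.inf would launch. The two file names come from the description; the assumption that a worm-dropped autorun.inf names autorun.pif in an open=, shellexecute= or shell\<verb>\command= line is this example's own, which is why the launch targets are reported rather than used as the sole verdict.

```powershell
# Added example, not part of the McAfee description: inspects every removable
# drive for the autorun.inf / autorun.pif pair the worm drops. The two file names
# come from the description; the launch-directive parsing is this example's own.

$results = foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = "$($disk.DeviceID)\"            # DriveType 2 = removable disk; DeviceID is e.g. 'E:'
    $inf  = Join-Path $root 'autorun.inf'
    $pif  = Join-Path $root 'autorun.pif'
    if (-not (Test-Path -LiteralPath $inf)) { continue }

    # -Force shows the file even when it carries hidden/system attributes, as dropped copies often do.
    $infItem = Get-Item -LiteralPath $inf -Force
    $content = Get-Content -LiteralPath $inf -Raw

    # Every launch directive in the file: open=, shellexecute=, or shell\<verb>\command=.
    $targets = [regex]::Matches($content, '(?im)^\s*(?:open|shellexecute|shell\\[^=\r\n]*\\command)\s*=\s*(.+?)\s*$') |
               ForEach-Object { $_.Groups[1].Value }

    $pifPresent = Test-Path -LiteralPath $pif
    $pifHash    = $null
    if ($pifPresent) { $pifHash = (Get-FileHash -LiteralPath $pif -Algorithm SHA256).Hash }

    [pscustomobject]@{
        Drive         = $root
        InfAttributes = $infItem.Attributes
        LaunchTargets = ($targets -join '; ')
        LaunchesPif   = [bool]($targets | Where-Object { $_ -match 'autorun\.pif' })
        PifPresent    = $pifPresent
        PifSha256     = $pifHash
    }
}

if ($results) { $results | Format-List } else { 'No autorun.inf on any removable drive.' }
```

Win32_LogicalDisk is used instead of Get-Volume because it is available on the Windows XP-era systems this description targets as well as on current ones. The SHA256 of autorun.pif is what you submit or compare against DAT coverage; the attributes and launch targets tell you whether the file would actually have been started on insertion.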
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a worm variant of the BackDoor-AWQ trojan that attempts to spread via removable drives.
Aliases
- Backdoor.Trojan (Symantec)
- Backdoor.Win32.Delf.aws (Kaspersky)
- BKDR_DELF.FRI (Trend Micro)
- W32/Devall.A.worm (Panda)