W32/Hupigon.worm

Type
Virus
SubType
Worm
Discovery Date
04/18/2007
Length
Varies
Minimum DAT
5013 (04/19/2007)
Updated DAT
6442 (08/18/2011)
Minimum Engine
5.1.00
Description Added
04/18/2007
Description Modified
03/18/2010 10:32 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

---Updated : March 18, 2010---

This detection covers a family of worms that propagate through email, instant messaging, network shares and software vulnerabilities. The malware also provides backdoor functionality.

File Properties

  • MD5: 1D4EAD6673B1988AD67F7D9E74980FF9
  • SHA1: 8E02CE7D1CE4C0857347C93FBA79706892B399B0

Aliases

  • Microsoft: Backdoor:Win32/Hupigon.XD
  • Kaspersky: Trojan-Dropper.Win32.Agent.brgq
  • Symantec: Backdoor.Trojan
  • AVG: Dropper.Agent.QPR

Characteristics -

This worm attempts to spread via removable drives.

Upon execution, the Worm copies itself into the following locations:

  • %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\msbackup.exe
  • %ProgramFiles%\_msbackup.exe
  • %SystemDrive%\msbackup.exe

And drops the following file:

  • %SystemDrive%\AutoRun.inf

The AutoRun.inf file points to the malware executable. When a removable or network drive containing it is opened on a machine that has the Autorun feature enabled for that drive type, the malware is launched automatically.

The malware then launches an Internet Explorer process and injects malicious code into it. Next, the malware may register itself as a service named "Backup_Info".

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Backup_Info
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Backup_Info\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info\Security

When executed, the malware binary creates the service with the following values (ObjectName = LocalSystem means the service runs with full system privileges):

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Backup_Info\]

  • ImagePath = " %ProgramFiles%\Common Files\Microsoft Shared\MSINFO\msbackup.exe"
  • DisplayName = "Backup_Info"
  • ObjectName = "LocalSystem"
  • Description = "Backup System Info"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info\]

  • ImagePath ="%ProgramFiles%\Common Files\Microsoft Shared\MSINFO\msbackup.exe"
  • DisplayName = "Backup_Info"
  • ObjectName ="LocalSystem"
  • Description = "Backup System Info"

[%SystemDrive% is the drive on which Windows is installed (C: on most computers); %ProgramFiles% refers to the Program Files folder, typically C:\Program Files.]

------------------------------------------

Upon execution, the worm drops a copy of itself to the following file (the legitimate lsass.exe resides in %Windir%\System32, so a copy directly under %Windir% is itself a strong indicator):

  • %Windir%\lsass.exe

Some variants of this worm add the following registry keys. The DisplayName mimics the legitimate Kerberos KDC service, which is named Kdc, is hosted by %Windir%\System32\lsass.exe and is started only on domain controllers; Start = 2 (SERVICE_AUTO_START) makes the service start at boot, and ObjectName = LocalSystem runs it with full system privileges:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kkdc
    "DisplayName" = "Kerberos Key Distribution Centers"
    "ErrorControl" = 0
    "ImagePath" = "%Windir%\lsass.exe -netsvcs"
    "ObjectName" = "LocalSystem"
    "Start" = 2
    "Description" = (Chinese string)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kkdc
    "DisplayName" = "Kerberos Key Distribution Centers"
    "ErrorControl" = 0
    "ImagePath" = "%Windir%\lsass.exe -netsvcs"
    "ObjectName" = "LocalSystem"
    "Start" = 2
    "Description" = (Chinese string)
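
As an added example (not part of the McAfee description), the following Python script reviews service registrations of the kind shown for Backup_Info and kkdc above. It parses a simplified `reg export` of the Services key, constructed here to mirror this page's entries plus one legitimate Kdc entry, and flags a known system binary name (lsass.exe) loaded from outside System32, a display name that imitates the Kerberos KDC service under a different service name, and LocalSystem services whose binary lives outside System32 (a deliberately noisy check intended for manual review). Two simplifications are assumptions: the sample .reg text stores ImagePath as a plain string rather than the hex(2) encoding a real export uses for REG_EXPAND_SZ, and the known-service table contains only the one entry this page needs.

```python
"""Heuristic review of Windows service registrations from a (simplified) .reg export.

Added example, not McAfee's code. SAMPLE_REG is constructed to mirror the
Backup_Info and kkdc services described on this page plus a legitimate Kdc
entry; ImagePath values are written as plain strings for readability
(a real export stores REG_EXPAND_SZ as hex(2)).
"""
import ntpath
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info]
"ImagePath"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\msbackup.exe"
"DisplayName"="Backup_Info"
"ObjectName"="LocalSystem"
"Description"="Backup System Info"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kkdc]
"DisplayName"="Kerberos Key Distribution Centers"
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINDOWS\\lsass.exe -netsvcs"
"ObjectName"="LocalSystem"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
"DisplayName"="Kerberos Key Distribution Center"
"ImagePath"="C:\\WINDOWS\\System32\\lsass.exe"
"ObjectName"="LocalSystem"
"""

# Top-level service key [HKLM\SYSTEM\<control set>\Services\<name>]; deeper subkeys do not match.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\\]]+)\]$", re.I)
# "Name"="string" or "Name"=dword:xxxxxxxx; other value types are ignored.
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-f]{8}))$', re.I)

# Binaries that only ever legitimately load from %SystemRoot%\System32.
SYSTEM_BINARIES = {"lsass.exe", "services.exe", "csrss.exe", "winlogon.exe", "svchost.exe"}
# Display names malware borrows -> the real service name (illustrative assumption; extend from a clean host).
KNOWN_DISPLAY_NAMES = {"kerberos key distribution center": "kdc"}


def parse_services(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Map service name -> {value name: value} for top-level service keys only."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # subkeys such as \Security are skipped
            if current is not None:
                services.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, text, dword = m.groups()
            # .reg escapes backslashes as \\ ; dwords are stored as hex
            services[current][name] = text.replace("\\\\", "\\") if text is not None else str(int(dword, 16))
    return services


def split_image_path(image_path: str) -> Tuple[str, str]:
    """(directory, binary) of the executable in an ImagePath, ignoring quotes and
    trailing arguments such as '-netsvcs'; both parts lower-cased."""
    m = re.match(r'\s*"?([^"]*?\.exe)"?', image_path, re.I)
    full = m.group(1) if m else image_path.strip()
    return ntpath.dirname(full).lower(), ntpath.basename(full).lower()


def review_service(name: str, values: Dict[str, str]) -> List[str]:
    """Findings for one service; an empty list means nothing stood out."""
    findings: List[str] = []
    directory, binary = split_image_path(values.get("ImagePath", ""))
    display = values.get("DisplayName", "").strip().lower()
    in_system32 = directory.endswith("\\system32")

    if binary in SYSTEM_BINARIES and not in_system32:
        findings.append(f"{binary} loaded from '{directory}' instead of System32")
    for legit_display, legit_name in KNOWN_DISPLAY_NAMES.items():
        if display.startswith(legit_display) and name.lower() != legit_name:
            findings.append(f"display name mimics the '{legit_name}' service")
    if values.get("ObjectName", "").lower() == "localsystem" and not in_system32 and binary not in SYSTEM_BINARIES:
        findings.append(f"LocalSystem service running {binary} from '{directory}' (review)")
    return findings


def review_all(reg_text: str) -> Dict[str, List[str]]:
    """Only services with at least one finding are returned."""
    return {name: notes for name, values in parse_services(reg_text).items()
            if (notes := review_service(name, values))}


if __name__ == "__main__":
    for svc, notes in review_all(SAMPLE_REG).items():
        print(svc)
        for note in notes:
            print("   -", note)
```

Run against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`) after converting the hex(2) ImagePath values to strings; the third heuristic will also list legitimate third-party services under Program Files, which is why it is labelled "review" rather than treated as a verdict.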

The worm attempts to connect to the following remote hosts over HTTP and waits for commands. Both are under 3322.org, a dynamic DNS provider, so the resolved addresses change over time; block or monitor on the hostnames rather than on an IP address:

  • ekai[removed].3322.org
  • ttos[removed].3322.org

Once the backdoor is running, the attacker can perform various tasks, including:

  • Run files
  • Retrieve information from the victim machine (OS, CPU, memory, etc.)
  • Log keystrokes

Some variants of this worm terminate the following processes, most of which belong to personal firewalls and antivirus products; mmc.exe is the Microsoft Management Console, which hosts the Services and Event Viewer snap-ins an administrator would use to inspect the infection:

  • EGHOST.EXE
  • KavPFW.EXE
  • KPFW32.EXE
  • RfwMain.EXE
  • RRfwMain.EXE
  • PFW.exe
  • ewido.exe
  • SysSafe.exe
  • FireWall.exe
  • kpf4gui.exe
  • jpf.exe
  • ssgui.exe
  • outpost.exe
  • FYFireWall.exe
  • runiep.exe
  • Ras.exe
  • kav.exe
  • avp.exe
  • avpcc.exe
  • mmc.exe

Symptoms

  • Presence of the files and registry keys listed above.

---Updated : March 18, 2010---

  • Injects code into other processes.

Method of Infection

The worm copies the following files to removable drives:

  • autorun.pif (the copy of this worm)
  • autorun.inf
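
The autorun.inf mechanism described under Characteristics and here is easiest to understand by parsing one. The following Python script is an added example, not part of the McAfee description or the worm: it takes the text of an autorun.inf and the list of files in the drive root, extracts every entry that makes Windows run a program (open=, shellexecute= and shell\<verb>\command=), and reports those that point at an executable file type, noting whether the target is actually on the drive. Both autorun.inf bodies and both drive listings are constructed for the example; the set of executable extensions is an illustrative choice.

```python
"""Triage of an autorun.inf found on a removable drive.

Added example, not from the McAfee description. WORM_INF and BENIGN_INF are
constructed: the first mirrors what this page describes (autorun.inf launching
autorun.pif), the second is a harmless label-only file. Nothing is executed;
the script only parses and reports.
"""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed sample 1: what the worm leaves in the root of a removable drive.
WORM_INF = r"""[autorun]
open=autorun.pif
shell\open\command=autorun.pif
shell\open=&Open
shell\explore\command=autorun.pif
"""

# Constructed sample 2: a vendor drive that only sets a label and an icon.
BENIGN_INF = r"""[autorun]
label=Vendor Tools
icon=tools.ico
"""

LAUNCH_KEYS = {"open", "shellexecute"}                    # run on insertion / double-click
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command, run from the context menu
# Extensions Windows executes directly. .pif is run like an .exe and Explorer
# hides its extension (NeverShowExt), so "autorun" looks like a plain file.
RISKY_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs from the [autorun] section, keys lower-cased.
    Windows ignores anything outside that section, and so does this parser."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def first_token(command: str) -> str:
    """The program part of a command line: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def launch_targets(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """(key, program) for every entry that makes Windows run something."""
    return [(key, first_token(val)) for key, val in values.items()
            if key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key)]


def analyze(text: str, drive_files: Set[str]) -> List[str]:
    """Findings for one autorun.inf, given the file names in the drive root."""
    present = {f.lower() for f in drive_files}
    findings: List[str] = []
    for key, program in launch_targets(parse_autorun(text)):
        if ntpath.splitext(program)[1].lower() in RISKY_EXT:
            status = "present on drive" if program.lower() in present else "not on drive"
            findings.append(f"{key}= runs {program} ({status})")
    return findings


if __name__ == "__main__":
    for note in analyze(WORM_INF, {"autorun.inf", "autorun.pif", "Photos"}):
        print(note)
```

The script is for triaging media that has already been written to. On the hosts themselves, the propagation path this page describes is closed by disabling Autorun for every drive type, that is, setting NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.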

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a worm variant of the BackDoor-AWQ trojan that attempts to spread via removable drives.

Aliases

  • Backdoor.Trojan (Symantec)
  • Backdoor.Win32.Delf.aws (Kaspersky)
  • BKDR_DELF.FRI (Trendmicro)
  • W32/Devall.A.worm (Panda)
