Backdoor.Win32.Hupigon.fdnv

Technical Details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 28672 bytes in size. It is packed using AsPack. The unpacked file is approximately 119KB in size. It is written in Delphi.

Installation

Once launched, the Trojan ascribes the “hidden” attribute to its executable file and copies it to the Windows directory as shown below.

%System%\wintemp.exe
%System%\syswin.exe

The malicious file is then launched for execution.

Payload

The Trojan then attempt to contact the following URL:

http://www.qq.com/***

At the moment of writing, this link was not working.

The Trojan then determines the name, and IP address of the victim machine and sends this information to the remote malicious user’s server:

http://www.75*****.com/images/ge.asp?u=<name of computer>&i=<IP address> 

The Trojan then downloads a file from the URL shown below:

http://reg.75*****.com/image/log.jpg

And substitutes this file for the contents of the files shown below:

%System%\wintemp.exe
%System%\syswin.exe

This file is 28 672 bytes in size. It will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Hupigon.fsfz. The Trojan then launches these files for execution. In order to ensure that the Trojan is launched automatically each time the system is booted, it adds the following link to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IeServer" = "%System%\syswin.exe"

The Trojan also injects its code into the address space of "elementclient.exe". It also tracks the entry of confidential data in the online game "Perfect World" registration form.

Removal Instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the “wintemp.exe” and “syswin.exe”.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
    "IeServer" = "%System%\syswin.exe"
  4. Delete the following files:
    %System%\wintemp.exe
    %System%\syswin.exe
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).