WORM_HUPIGON.RJ
Aliases: TrojanDropper:Win32/Delfsnif.A (Microsoft); Backdoor.Win32.Hupigon.ahur (Kaspersky); W32.Versie.A (Symantec); Backdoor.Win32.Hupigon (Ikarus); Backdoor.Hupigon.AXRD (BitDefender); W32/Hupigon.AFH!tr.bdr (Fortinet); a variant of Win32/Hupigon (ESET-NOD32); Win32:Hupigon-FB [Trj] (Avast); BDS/Hupigon.Gen (Avira); BackDoor.Hupigon5.AVQA (AVG)
Platform: Windows
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Via physical/removable drives, Downloaded from the Internet, Dropped by other malware, Propagates via removable drives
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
File Size: 752,640 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 24 Sep 2015
Payload: Collects system information, Steals information
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\_Server46.exe
- %Program Files%\Common Files\Microsoft Shared\MSInfo\Server46.exe
- {Drive Letter}:\Server46.exe
(Note: %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions. %Program Files% is the Program Files folder, usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows.)
It drops the following files:
- %Program Files%\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat (used to delete the initially executed copy; deleted afterwards)
- %Program Files%\Common Files\Microsoft Shared\MSInfo\Beizhu.TXT (log file)
(Note: %Program Files% is the Program Files folder, usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows.)
It adds the following processes:
- calc.exe
- IEXPLORE.EXE
It injects code into the following processes that it created:
- calc.exe
- IEXPLORE.EXE
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
Type = "272"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
ImagePath = "%Program Files%\Common Files\Microsoft Shared\MSINFO\Server46.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
DisplayName = "Logical Disk Manger"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
Description = "Detects and monitors new hard disk drives and sends disk volume"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dserver
Other System Modifications
This worm modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = "0"
(Note: The default value data of the said registry entry is FF.)
Propagation
This worm drops the following copy of itself in all physical and removable drives:
- {Drive Letter}:\Server46.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun]
open=Server46.exe
shellexecute=Server46.exe
shell\Auto\command=Server46.exe
Backdoor Routine
This worm executes the following commands from a remote malicious user:
- Log keystrokes
- Capture video
- Record audio
- Take a snapshot
- Manage services
- Download and execute files
- Create, delete, and modify files
- Terminate processes
- Perform a remote shell
- Shut down the system
- Perform a DDoS attack
- Change the desktop wallpaper
- Change the browser start page or home page
- Disable Remote Desktop
- Delete npkcrypt.sys
- Drop a URL link in a custom Favorites folder
It connects to the following websites to send and receive information:
- http://www.{BLOCKED}e.com/ip.txt
As of this writing, the said sites are inaccessible.
Information Theft
This worm gathers the following data:
- Computer Name
- Network Adapters
- CPU speed
- Memory Size
- OS version
- Service Packs
Other Details
This worm deletes the initially executed copy of itself.
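The following read-only audit is an added example, not part of the Trend Micro write-up: it checks a host for the indicators listed in the Installation, Autostart Technique, Other System Modifications and Propagation sections (the dserver service key, the zeroed NoDriveTypeAutoRun value, the dropped files, and drive-root copies with an AUTORUN.INF that launches them). It assumes an elevated PowerShell session and, on 64-bit Windows, also checks the 32-bit redirected folders, which the write-up does not mention.

```powershell
# Added example (not from the write-up): audit-only, nothing is modified.
# Assumption: 32-bit redirected folders (SysWOW64, Program Files (x86)) are
# checked as well, since a 32-bit dropper is redirected there on 64-bit hosts.
$findings = @()

# 1. Service registration under HKLM\SYSTEM\CurrentControlSet\Services\dserver
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\dserver'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey (ImagePath='$($svc.ImagePath)', DisplayName='$($svc.DisplayName)')"
}

# 2. Autorun policy: the worm sets NoDriveTypeAutoRun to 0 (default is 0xFF)
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($pol -and $pol.NoDriveTypeAutoRun -eq 0) {
    $findings += "NoDriveTypeAutoRun = 0 under $polKey (expected 0xFF)"
}

# 3. Dropped copies and helper files at the fixed locations from the write-up
$roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$pf    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$paths = ($roots | ForEach-Object { "$_\_Server46.exe" }) +
         ($pf | ForEach-Object {
             "$_\Common Files\Microsoft Shared\MSInfo\Server46.exe",
             "$_\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat",
             "$_\Common Files\Microsoft Shared\MSInfo\Beizhu.TXT" })
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 4. Every drive root: the propagated copy and an AUTORUN.INF that launches it
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $exe = Join-Path $d.Root 'Server46.exe'
    $inf = Join-Path $d.Root 'AUTORUN.INF'
    if (Test-Path -LiteralPath $exe) { $findings += "Drive copy present: $exe" }
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        # Match the three launch directives the write-up lists for the dropped .INF
        if ($text -match '(?im)^\s*(open|shellexecute|shell\\Auto\\command)\s*=\s*Server46\.exe') {
            $findings += "AUTORUN.INF launching Server46.exe: $inf"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No WORM_HUPIGON.RJ indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on the service key or a zeroed NoDriveTypeAutoRun alone is enough to treat the host as affected; remove the indicators only by following the SOLUTION steps below, after the drives have been unmounted from other machines.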
SOLUTION
Minimum Scan Engine: 9.750
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode; for instructions on how to do this, you may refer to this page. If the preceding step requires you to restart in Safe Mode, you may proceed to edit the system registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  - dserver
Step 5
Search and delete this file
- %Program Files%\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat
- %Program Files%\Common Files\Microsoft Shared\MSInfo\Beizhu.TXT
Step 6
Search and delete AUTORUN.INF files created by WORM_HUPIGON.RJ that contain these strings
open=Server46.exe
shellexecute=Server46.exe
shell\Auto\command=Server46.exe
Step 7
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  From: NoDriveTypeAutoRun = "0"
  To: NoDriveTypeAutoRun = "FF"
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_HUPIGON.RJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.