BKDR_HUPIGON.DHF
Aliases: Backdoor:Win32/Hupigon.CY (Microsoft), Suspicious/Graybird.1 (Symantec), BackDoor-AWQ (McAfee), Backdoor.Win32.Hupigon.bhof (Kaspersky)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
File Size: 271,963 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 30 Mar 2007
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %Windows%\F_Server.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FinalFantasy_Service
Type = "110"
Start = "2"
ErrorControl = "0"
ImagePath = "%Windows%\F_Server.exe"
ObjectName = "LocalSystem"
Description = "FinalFantasy服务端程序"
(Note: The Description data is GBK-encoded Chinese meaning "FinalFantasy server program"; on a system using a non-Chinese code page it is displayed as garbled characters.)
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FinalFantasy_Service
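The service persistence above can be audited offline from an export of the Services key. The following is an added example, not Trend Micro's or the malware's code: it flags the entry's own indicators (service name, image name) and, more generally, any auto-started, interactive, own-process service running as LocalSystem whose binary sits directly in the Windows root (the listed Type "110" is the DWORD 0x110, i.e. SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, and Start "2" is automatic start). The sample record and the `WINDOWS_ROOTS` list are constructed assumptions.

```python
# Added example, not Trend Micro's or the malware's code: audit Services subkeys
# for the persistence pattern documented in this entry. Records are constructed
# inline so it runs offline; on a live host the same dicts can be read from
# HKLM\SYSTEM\CurrentControlSet\Services with the winreg module.
from typing import Dict, List

SERVICE_WIN32_OWN_PROCESS = 0x10     # Type flag: service runs in its own process
SERVICE_INTERACTIVE_PROCESS = 0x100  # Type flag: service may interact with the desktop
SERVICE_AUTO_START = 2               # Start value: launched by the SCM at boot
WINDOWS_ROOTS = ("%windows%", "%systemroot%", "c:\\windows", "c:\\winnt")  # assumed spellings
IOC_SERVICE_NAMES = {"finalfantasy_service"}  # indicators taken from the entry above
IOC_IMAGE_NAMES = {"f_server.exe"}

def image_exe(image_path: str) -> str:
    """Return the executable part of an ImagePath, dropping any arguments."""
    raw = image_path.strip()
    if raw.startswith('"'):                     # quoted path, possibly with spaces
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" ")[0]                    # unquoted: first token is the binary

def audit_service(name: str, values: Dict[str, object]) -> List[str]:
    """Return findings for one Services\\<name> subkey (empty list means clean)."""
    findings: List[str] = []
    svc_type, start = int(values.get("Type", 0)), int(values.get("Start", 4))
    account = str(values.get("ObjectName", "")).lower()
    exe = image_exe(str(values.get("ImagePath", ""))).replace("/", "\\").lower()
    parent, _, basename = exe.rpartition("\\")
    if name.lower() in IOC_SERVICE_NAMES:
        findings.append("service name matches BKDR_HUPIGON.DHF indicator")
    if basename in IOC_IMAGE_NAMES:
        findings.append("ImagePath matches BKDR_HUPIGON.DHF indicator")
    # Generic form of the same pattern: auto-started, interactive, own-process
    # service running as LocalSystem whose binary sits directly in the Windows root.
    if (start == SERVICE_AUTO_START and account == "localsystem"
            and svc_type & SERVICE_INTERACTIVE_PROCESS
            and svc_type & SERVICE_WIN32_OWN_PROCESS and parent in WINDOWS_ROOTS):
        findings.append("auto-start interactive LocalSystem service in Windows root")
    return findings

def audit_all(services: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Audit every subkey and keep only those with findings."""
    return {n: f for n, v in services.items() for f in [audit_service(n, v)] if f}

# Constructed sample built from the entry's values (Type "110" is the DWORD 0x110).
SAMPLE_SERVICES = {
    "FinalFantasy_Service": {"Type": 0x110, "Start": 2, "ErrorControl": 0,
                             "ImagePath": r"%Windows%\F_Server.exe", "ObjectName": "LocalSystem"},
}
```

Running `audit_all(SAMPLE_SERVICES)` reports the sample service with all three findings; a benign svchost-hosted service produces none.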
Other Details
This backdoor deletes the initially executed copy of itself.