BKDR_HUPIGON.ARQ
TrojanDropper:Win32/Hupigon.gen!A (Microsoft); Backdoor.Win32.Hupigon.aai (Kaspersky); Backdoor.Graybird (Symantec)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Backdoor drops the following copies of itself into the affected system:
- %Program Files%\Internet Explorer\Connection Wizard\msicw.exe
(Note: %Program Files% is the Program Files folder, usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows.)
It drops and executes the following files:
- %Windows%\uninstal.bat
(Note: %Windows% is the Windows folder, usually C:\Windows on all Windows operating system versions.)
Autostart Technique
This Backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice
Description = 本地执行系统还原功能。 要停止服务，请从“我的电脑”的属性中的系统还原选项关闭系统还原
DisplayName = System local Service
ErrorControl = 0
ImagePath = "%Program Files%\Internet Explorer\Connection Wizard\msicw.exe"
ObjectName = LocalSystem
Start = 2
Type = 110
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice
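A defender-side check for the service persistence described above, added here as an example and not part of the Trend Micro write-up: it parses a .reg export of the srservice key (the sample export is constructed from the values listed above) and reports which indicators match. The "outside System32" heuristic and the 0x100 interactive-service flag come from general Windows service knowledge, not from this page, and are marked as assumptions in the code.

```python
import re

# Constructed sample: roughly what "reg export HKLM\SYSTEM\CurrentControlSet\Services\srservice"
# yields on a host where the backdoor has registered itself under that service name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"DisplayName"="System local Service"
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\msicw.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    REG_SZ strings are unescaped, dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            current[name] = int(d, 16) if d is not None else s.replace('\\\\', '\\')
    return keys

def check_srservice(values):
    """Return the indicators from the BKDR_HUPIGON.ARQ write-up that match this service key."""
    findings = []
    image = values.get('ImagePath', '').strip('"').lower()
    if image.endswith('msicw.exe') or 'connection wizard' in image:
        findings.append('ImagePath points at the dropped msicw.exe copy')
    if values.get('DisplayName') == 'System local Service':
        findings.append('DisplayName is the fake "System local Service"')
    # Assumption: the genuine service binary lives under %SystemRoot%\System32.
    if image and 'system32' not in image:
        findings.append('ImagePath is outside System32')
    # Assumption: 0x100 is SERVICE_INTERACTIVE_PROCESS; Type = 0x110 above sets it.
    if values.get('Type', 0) & 0x100:
        findings.append('service Type has the interactive-process bit set')
    return findings
```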
Other Details
This Backdoor deletes the initially executed copy of itself.