Analysis by: Karl Dominguez
 PLATFORM:

Windows 2000, Windows XP, Winidows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This backdoor may be dropped by other malware.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk. However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE, DLL
Memory Resident: Yes
Initial Samples Received Date: 14 Apr 2011
Payload: Compromises system security, Drops files

Arrival Details

This backdoor may be dropped by the following malware:

  • TROJ_MDROP.HN

Installation

This backdoor drops the following files:

  • %System%\dmdskngr.dll - also detected as BKDR_HUPIGON.DGZ

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This backdoor registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
Type = 20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
ImagePath = %System%\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
DisplayName = Network Provider Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
ObjectName = LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}
Description = Service that offers Security network whith Outlook Express. It shuodn't be stopped unless Special service needed or you known how to contrl.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}\Parameters
ServiceDll = %System%\dmdskngr.dll

Backdoor Routine

This backdoor executes the following command(s) from a remote malicious user:

  • Kill Processes
  • Receive files
  • Execute files
  • Execute CMD shell commands

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}1.{BLOCKED}w.us
  • {BLOCKED}1.{BLOCKED}s.org

However, as of this writing, the said sites are inaccessible.

NOTES:
It queries the following registry entry to enumerate network related services:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
netsvcs

Default Services in netsvcs which this backdoor may use are as follows:

  • 6to4
  • AeLookupSvc
  • AppInfo
  • AppMgmt
  • AudioSrv
  • BDESVC
  • BITS
  • Browser
  • CertPropSvc
  • CryptSvc
  • DHCP
  • DMServer
  • ERSvc
  • EapHost
  • EventSystem
  • FastUserSwitchingCompatibility
  • HidServ
  • IKEEXT
  • Ias
  • Iprip
  • Irmon
  • LanmanServer
  • LanmanWorkstation
  • LogonHours
  • MMCSS
  • Messenger
  • NWCWorkstation
  • Netman
  • Nla
  • Ntmssvc
  • Nwsapagent
  • PCAudit
  • ProfSvc
  • Rasauto
  • Rasman
  • Remoteaccess
  • SCPolicySvc
  • SENS
  • SRService
  • Schedule
  • Seclogon
  • SessionEnv
  • Sharedaccess
  • ShellHWDetection
  • Tapisrv
  • TermService
  • Themes
  • TrkWks
  • W32Time
  • WZCSVC
  • WmdmPmSN
  • WmdmPmSp
  • Wmi
  • browser
  • gpsvc
  • helpsvc
  • hkmsvc
  • iphlpsvc
  • lanmanserver
  • msiscsi
  • napagent
  • schedule
  • seclogon
  • uploadmgr
  • wercplsupport
  • winmgmt
  • wscsvc
  • wuauserv
  • xmlprov

It then checks if the service names found already exists in the following registry key. If a service name does not exist, the said name is used by the malware as its own.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 7.974.11
FIRST VSAPI PATTERN DATE: 14 Apr 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware/grayware files that dropped/downloaded BKDR_HUPIGON.DGZ

     TROJ_MDROP.HN

Step 3

Scan your computer with your Trend Micro product and note files detected as BKDR_HUPIGON.DGZ

Step 4

Restart in Safe Mode

[ Learn More ]

NOTES:

Step 5. To delete the random service key this malware created:

Scan your computer with your Trend Micro product and take note of the name of the malware/grayware/spyware detected.
Open Registry Editor. To do this, click Start > Run, type regedit in the text box provided, then press Enter.
Press CTRL+F.

In the Find dialog box, type the file name of the malware detected earlier.
(Note: Make sure that only the data checkbox is selected, then click Find Next.)
Once found, in the right panel, check if the result is the following value-data pair:


ServiceDLL = {Malware path and file name}

If yes, in the left panel, locate the service where the data is under.
Right-click on the located service in the left panel and choose Delete.
Close Registry Editor.

Step 6. Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_HUPIGON.DGZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware