Threat behavior
Win32/Hupigon is a family of backdoor Trojans. A Win32/Hupigon infection includes TrojanDropper:Win32/Hupigon and two to three dynamic-link library (DLL) files that the dropper installs.
TrojanDropper:Win32/Hupigon copies itself to the Windows system folder and runs itself from there. The Trojan dropper then drops the following DLL files:
- Backdoor:Win32/Hupigon. This is the main backdoor component of Win32/Hupigon. TrojanDropper:Win32/Hupigon registers this component as a service. The service opens a backdoor server that allows other computers to connect to and control the infected computer in various ways. Backdoor:Win32/Hupigon connects to a specified Web site to notify the attacker of the infection. This backdoor component may have other functionality, such as the ability to host a telnet server and the means to connect to a video source such as a Web cam, using the Windows API functions for audio-video interleave (AVI) capture, in order to spy on the user.
- Backdoor:Win32/Hupigon!hook. This is the stealth component of Win32/Hupigon. This component hides files and processes associated with Win32/Hupigon by intercepting certain Windows API function calls. Backdoor:Win32/Hupigon!hook is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It too is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.
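The three behaviours described above (a dropper in the Windows system folder registering a DLL as a service, injecting DLLs into other processes with CreateRemoteThread, and connecting out to notify the attacker) can be correlated per process from endpoint telemetry. The following is an added example, not code from Microsoft or from the malware family: it runs over constructed Sysmon-style event dicts whose field names follow Sysmon's schema for event 3 (NetworkConnect), 8 (CreateRemoteThread) and 13 (RegistryEvent, value set). The dropper file name, service name, DLL names and IP addresses in the sample events are placeholders invented for the example, and the allowlist of Windows binaries that legitimately create remote threads is an assumption to tune per environment.

```python
"""Behaviour correlation for the Win32/Hupigon dropper pattern: system-folder
dropper + service registration + CreateRemoteThread injection + outbound
notification. Added example; events are constructed, not real telemetry."""
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
# Windows binaries expected to create threads in other processes (assumed allowlist).
KNOWN_INJECTORS = {"csrss.exe", "services.exe", "lsass.exe", "svchost.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_private(ip):
    """RFC 1918 / loopback check without ipaddress (which treats TEST-NET as private)."""
    o = [int(x) for x in ip.split(".")]
    return o[0] in (10, 127) or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)


def _actor(ev):
    """(image, pid) of the process that performed the event."""
    if ev["EventID"] == 8:
        return ev["SourceImage"].lower(), ev["SourceProcessId"]
    return ev["Image"].lower(), ev["ProcessId"]


def classify(ev):
    """Name the Hupigon behaviour an event exhibits, or None if it is unremarkable."""
    eid = ev["EventID"]
    if eid == 13:
        key = ev["TargetObject"].lower()
        # Service registration: ImagePath or Parameters\ServiceDll written under Services.
        if key.startswith(SERVICES_KEY) and key.endswith(("\\imagepath", "\\servicedll")):
            return "service_registration"
    elif eid == 8:
        # CreateRemoteThread into a different process from a non-allowlisted image.
        if (ev["SourceProcessId"] != ev["TargetProcessId"]
                and _basename(ev["SourceImage"]) not in KNOWN_INJECTORS):
            return "remote_thread_injection"
    elif eid == 3:
        # Outbound web connection to a non-private address: the infection notification.
        if ev["Initiated"] and ev["DestinationPort"] in (80, 443) and not _is_private(ev["DestinationIp"]):
            return "outbound_notification"
    return None


def behaviours_by_process(events):
    """Group the observed behaviours per (image, pid)."""
    seen = defaultdict(set)
    for ev in events:
        b = classify(ev)
        if b:
            seen[_actor(ev)].add(b)
    return seen


def suspicious_processes(events, min_behaviours=2):
    """Processes showing at least min_behaviours of the three Hupigon traits."""
    hits = []
    for (image, pid), bs in behaviours_by_process(events).items():
        if len(bs) >= min_behaviours:
            hits.append({"image": image, "pid": pid, "behaviours": sorted(bs),
                         "runs_from_system_dir": image.startswith(SYSTEM_DIRS)})
    return sorted(hits, key=lambda h: h["pid"])


# Constructed events: pid 4120 is a hypothetical dropper (placeholder names); the rest are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svcupd_example.exe", "ProcessId": 4120,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\example_bd.dll"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svcupd_example.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1880,
     "StartModule": r"C:\Windows\System32\example_hook.dll"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svcupd_example.exe", "ProcessId": 4120,
     "Initiated": True, "DestinationIp": "203.0.113.5", "DestinationPort": 80},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 612,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 5508},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "ProcessId": 7012,
     "Initiated": True, "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe", "ProcessId": 700,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_EVENTS):
        print(hit)
```

Requiring two of the three behaviours from the same process is what keeps the benign events quiet: a legitimate service install by services.exe and an outbound HTTPS connection from a browser each score one behaviour and are not reported, while the placeholder dropper, which exhibits all three and runs from the system folder, is. The `Image`/`SourceImage` path and `StartModule` in a real hit are the artefacts to pull for the DLLs the dropper installed.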
Prevention