Computer Virus Encyclopedia

Backdoor.Win32.Hupigon.cpu

Alert Level : Medium
Discovered: Feb 06 2007
Discoverer and Source: http://www.kaspersky.com/

Malware Behavior and Technical Description

This backdoor carries a malicious payload. It is a Windows PE EXE file, approximately 730 KB in size, written in Borland Delphi.

Installation

The payload's behaviour is selected from a range of options that are fixed when the program is generated; the values below are those of this sample.

Once launched, the backdoor compares the name of the process it is running in with the string "IEXPLORE.EXE". If it is not already running inside an injected Internet Explorer process, the following takes place:

The backdoor obtains the letter of the logical drive (%SysChar%) on which the Windows system directory is located and uses it to build the following path:

%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe

The name of the launched program is compared to this string.

If the names differ (the running file is the original dropper), the backdoor installs itself on the system. If they are the same (the running file is the installed copy), the backdoor proceeds to its payload.

The installation process is as follows:

A copy of the malicious program file called "Ahntdce.exe" will be created in the following folder:

%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe

If such a file already exists, it is deleted before the copy is made. The copy is given the "Read-only" and "System" attributes, so it does not appear in an ordinary directory listing.

The program then checks which family the current operating system belongs to. This is done to determine how copies of the malicious program will be automatically launched.

For the Windows NT operating system family, a system service is created. It is visible in the list of services under the display name:

"AhnLab Tdce Scheduler"

The service is configured to start automatically at boot and is flagged as interactive (allowed to interact with the desktop).

For the Windows 9X operating system family, the following entry is made in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ahntdce.exe" = "%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Ahntdce.exe"

A copy of the malicious program will then be launched, regardless of the type of operating system.

A batch file named "Delet.bat" is then created and launched in the same directory as the copy. It deletes the original backdoor file and then itself, so it is normally not found on an infected system:

%SysChar%:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Payload

If the running file is the installed copy rather than the original, the backdoor launches the Internet Explorer browser:

%SysChar%:\Program Files\Internet Explorer\IEXPLORE.EXE

The backdoor's own image is then read into memory, patched for its new load address, and injected into the "IEXPLORE.EXE" process, so the remainder of the payload runs under the browser's process name.

The backdoor then checks for an Internet connection. If one is available, it examines the Internet address embedded in its code. If that address is a link to a file, the file is fetched and the server name and port are parsed out of it; alternatively, the server name and port may be embedded directly.

In this sample they are:

sx.code***.org:8080

A connection will then be established to this remote server.

The backdoor then forms strings which contain information about the user

Removal instructions for Backdoor.Win32.Hupigon.cpu:

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Stop the malicious program's service (this halts it but does not remove the service registration):
    net stop "AhnLab Tdce Scheduler"
  2. Use Task Manager to terminate all copies of the

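The following PowerShell script is an added example and is not part of the Kaspersky description or of any vendor tool. It sweeps a host for the artifacts named in the Installation and Payload sections above (the dropped copy, the service, the HKCU Run value, Delet.bat, and IEXPLORE.EXE instances that may carry the injected code) and, with -Remove, undoes the persistence in the order the removal instructions start with. Assumptions, also marked in the code: the service's short key name is not given on the page and is resolved from its display name; the check for connections to port 8080 assumes the C2 port of this sample was not changed by the builder; Get-NetTCPConnection requires Windows 8 / Server 2012 or later. Run it from an elevated prompt.

```powershell
# Added example (not from the write-up): find and optionally remove Hupigon.cpu artifacts.
param([switch]$Remove)

$dropDir    = Join-Path $env:SystemDrive 'Program Files\Common Files\Microsoft Shared\MSINFO'  # %SysChar%:\...
$dropFile   = Join-Path $dropDir 'Ahntdce.exe'
$batFile    = Join-Path $dropDir 'Delet.bat'       # self-deleting, so usually already gone
$svcDisplay = 'AhnLab Tdce Scheduler'              # display name given on the page; key name is not
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue   = 'Ahntdce.exe'
$c2Port     = 8080                                 # assumption: port from this sample's C2 string

function Find-HupigonArtifacts {
    $found = @()

    # Dropped copy carries Read-only + System, which hides it from a plain listing; -Force shows it.
    foreach ($p in $dropFile, $batFile) {
        if (Test-Path -LiteralPath $p) {
            $i = Get-Item -LiteralPath $p -Force
            $found += [pscustomobject]@{ Kind = 'file'; Detail = "$p [$($i.Attributes)] $($i.Length) bytes" }
        }
    }

    # NT family: the service is registered under the display name; resolve its key name at run time.
    $svc = Get-Service | Where-Object DisplayName -eq $svcDisplay
    if ($svc) {
        $type = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -ErrorAction SilentlyContinue).Type
        $interactive = $type -and (($type -band 0x100) -ne 0)   # SERVICE_INTERACTIVE_PROCESS bit
        $found += [pscustomobject]@{ Kind = 'service'; Detail = "'$svcDisplay' name=$($svc.Name) status=$($svc.Status) interactive=$interactive" }
    }

    # 9x family, but harmless to check on NT too: per-user Run value (only the current user's hive).
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) { $found += [pscustomobject]@{ Kind = 'runkey'; Detail = "$runKey\$runValue = $($run.$runValue)" } }

    # Payload: the code is injected into IEXPLORE.EXE, so the browser process itself is the suspect.
    # An instance holding an established connection to the C2 port is the strongest hint.
    foreach ($proc in (Get-Process -Name iexplore, Ahntdce -ErrorAction SilentlyContinue)) {
        $conns = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
                 Where-Object RemotePort -eq $c2Port
        $found += [pscustomobject]@{ Kind = 'process'; Detail = "$($proc.ProcessName) pid=$($proc.Id) c2conns=$(@($conns).Count)" }
    }
    return $found
}

function Remove-HupigonArtifacts {
    # Order matters: stop the running code before deleting what it would otherwise re-create.
    Get-Process -Name iexplore, Ahntdce -ErrorAction SilentlyContinue | Stop-Process -Force
    $svc = Get-Service | Where-Object DisplayName -eq $svcDisplay
    if ($svc) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        sc.exe delete $svc.Name | Out-Null          # `net stop` alone leaves the service registered
    }
    Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    foreach ($p in $dropFile, $batFile) {
        if (Test-Path -LiteralPath $p) {
            (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'   # clear Read-only/System first
            Remove-Item -LiteralPath $p -Force
        }
    }
}

$hits = Find-HupigonArtifacts
if (-not $hits) { Write-Output 'No Hupigon.cpu artifacts found.'; return }
$hits | Format-Table -AutoSize
if ($Remove) { Remove-HupigonArtifacts; Write-Output 'Artifacts removed; reboot and re-run the sweep to confirm.' }
```

Two caveats when reading the output. The interactive flag is reported for completeness: on Windows Vista and later, services run in session 0 and cannot reach the user's desktop regardless of the flag, so it identifies the sample's configuration rather than a live capability. And an IEXPLORE.EXE with no connection to port 8080 is not cleared by this check; the server name and port are builder options, so on a host where the browser was not started by the user, any running instance should be treated as suspect.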
