WORM_HUPIGON
Delf, Emerleox, Logsnif, Graybird, Pcclient
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
The HUPIGON malware family consists of backdoors. These are usually dropped by other malware onto a system or are downloaded unknowingly by users when visiting malicious sites. HUPIGON variants may drop several files or copies of themselves.
HUPIGON variants open ports or connect to servers to allow remote users to connect to the affected system. Once a successful connection is established, the remote user executes commands on the system, such as to delete files and folders, download and execute files, and terminate processes.
Variants may also gather information about the affected system. They can also steal information such as logged keystrokes, passwords, and other user credentials.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs
Installation
This worm drops the following files:
- %System%\IEXPL0RER.bat
- %System%\pchsvc.dll
- %System%\Sysclt.dll
- %System%\Systen.dll
- %Windows%\{random}.dat
- %Windows%\{random}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.)
It drops the following copies of itself into the affected system:
- %System%\pchsvc.dll
- %Program Files%\Common Files\Microsoft Shared\MSInfo\Stemp.exe
- %System%\IEXPL0RER.EXE
- %Windows%\Hacker.com.cn.ini
Other System Modifications
This worm adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
Asynchronous = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
Impersonate = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
DllName = "%System%\Systen.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
Startup = "ServiceMain"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\winlogon.exe = "%System%\winlogon.exe:*:Enabled:Thunder"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
Asynchronous = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
Impersonate = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
DllName = "%System%\Sysclt.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
Startup = "ServiceMain"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
ImagePath = ""%System%\IEXPL0RER.EXE " /service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
DisplayName = "NTDISK Instrumentation Driver Extensions"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
Description = "BlackHole Remote Control Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
ImagePath = "%Program Files%\Common Files\Microsoft Shared\MSInfo\Stemp.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
DisplayName = "Oogical Kisk Manager Administrative Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
ImagePath = "%Windows%\Hacker.com.cn.ini"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
DisplayName = "Windows XP Vista"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\helpsvc\Parameters
ServiceMain = "ServiceMain"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Enabled:Thunder"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\
QQ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\helpsvc\Parameters
ServiceDll = "%System%\pchsvc.dll"
(Note: The default value data of the said registry entry is %Windows%\PCHealth\HelpCtr\Binaries\pchsvc.dll.)
Other Details
This worm connects to the following possibly malicious URL:
- baobao550.{BLOCKED}8.net
- dico666.go.{BLOCKED}2.org
- gang0007.go.{BLOCKED}2.org
- hkago.{BLOCKED}2.org
- kaihai520.go3.{BLOCKED}n.com
- kuaihuo128.go1.{BLOCKED}n.com
- sixup.{BLOCKED}2.org
- sixup.go.{BLOCKED}2.org
- user.free.{BLOCKED}9.net
- vip2.{BLOCKED}3.com
- waxy.go3.{BLOCKED}n.com
- www.{BLOCKED}b.net
- www.{BLOCKED}i.cn
- xiaolidong.{BLOCKED}p.net
- xiaolidong1.go.{BLOCKED}2.org