BKDR_HUPIGON.CFV

Malware type: Backdoor

Aliases: Trojan-PSW.Win32.OnLineGames.ainb (Kaspersky), Backdoor.Trojan (Symantec), Worm/Otwycal.J (Avira), Mal/Dropper-O (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

    This backdoor may be downloaded from remote sites by the following malware:

  • JS_DLOADER.AP
  • JS_DLOADER.GXS
  • JS_DLOADER.UOW
  • JS_LIANZONG.E
  • JS_REALPLAY.AT
  • JS_REALPLAY.CE
  • JS_SENGLOT.D
  • JS_VEEMYFULL.AA
  • VBS_PSYME.CSZ

    It can also be downloaded from certain remote sites.

    It drops files/components detected as the following:

  • TSPY_ONLINEG.RKQ
  • TSPY_ONLINEG.DKL
  • TROJ_ONLINEG.DKO
  • TROJ_ONLINEG.DKY
  • TROJ_AGENT.VXO
  • TSPY_ONLINEG.DJZ
  • TSPY_ONLINEG.DJR
  • TSPY_LEGMIR.YS
  • TSPY_ONLINEG.OZN
  • TROJ_ONLINEG.DJT
  • TSPY_ONLINEG.DJW
  • TSPY_FRETHOG.NS
  • TSPY_FRETHOG.NW
  • TSPY_FRETHOG.NY
  • TSPY_ONLINEG.DJX
  • TSPY_FRETHOG.NZ
  • TSPY_ONLINEG.DKC
  • TSPY_ONLINEG.RMM
  • TSPY_ONLINEG.DKJ

    It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user may execute the following commands on the affected system:

  • Download files
  • Get system information
  • Log keystrokes
  • Shutdown affected system
  • Terminate process

    It accesses Web sites to download files detected as the following:

  • TROJ_PROXY.ZK
  • TROJ_SYSTEMHI.DK
  • TROJ_SYSTEMHI.DL
  • TROJ_SYSTEMHI.DM
  • TROJ_SYSTEMHI.DO
  • TROJ_SYSTEMHI.DP
  • TROJ_SYSTEMHI.DW
  • TROJ_SYSTEMHI.EA
  • TROJ_SYSTEMHI.EB
  • TROJ_SYSTEMHI.HK
  • TSPY_FRETHOG.HE
  • TSPY_FRETHOG.IH
  • TSPY_FRETHOG.MR
  • TSPY_FRETHOG.MX
  • TSPY_FRETHOG.NA
  • TSPY_FRETHOG.NO
  • TSPY_FRETHOG.NQ
  • TSPY_GAMEOL.AQ
  • TSPY_LEGMIR.RD
  • TSPY_ONLINEG.DJM
  • TSPY_ONLINEG.DJN
  • TSPY_ONLINEG.DJR
  • TSPY_ONLINEG.DJS
  • TSPY_ONLINEG.GKR
  • TSPY_ONLINEG.KQL
  • TSPY_ONLINEG.OZN
  • TSPY_ONLINEG.RKQ
  • TSPY_ONLINEG.SCS
  • TSPY_ONLINEG.SCY

    As a result, malicious routines of the downloaded files are exhibited on the affected system.

    It terminates certain security-related processes if found running on the system.


    Description created: May. 18, 2008 6:41:58 PM GMT -0800


    TECHNICAL DETAILS


    File type: PE

    Memory resident:  Yes

    Size of malware: Varies

    Initial samples received on: May 14, 2008

    Payload 1: Drops files

    Payload 2: Downloads files

    Payload 3: Terminates processes

    Details:

    Arrival Details

    This backdoor may be downloaded from remote sites by the following malware:

  • JS_DLOADER.AP
  • JS_DLOADER.GXS
  • JS_DLOADER.UOW
  • JS_LIANZONG.E
  • JS_REALPLAY.AT
  • JS_REALPLAY.CE
  • JS_SENGLOT.D
  • JS_VEEMYFULL.AA
  • VBS_PSYME.CSZ

    It may be downloaded from the following remote site(s):

    • http://{BLOCKED}8.com/ms.exe
    • http://{BLOCKED}gol.com/xx.exe

    Installation

    This backdoor drops the following file(s)/component(s):

    • %System%\anistio.dll - detected as TSPY_ONLINEG.RKQ
    • %System%\bincdwsa.dll - detected as TSPY_ONLINEG.DKL
    • %System%\dbhlp32.dlL - detected as TROJ_ONLINEG.DKO
    • %System%\dionpis.dll - detected as TROJ_ONLINEG.DKY
    • %System%\drivers\msosmsfpfis64.sys - detected as TROJ_AGENT.VXO
    • %System%\drivers\msosmsp2p32.sys - detected as TSPY_ONLINEG.DJZ
    • %System%\drivers\nicomsp2p32.sys - detected as TSPY_ONLINEG.DJZ
    • %System%\fmsbbqi.dll - detected as TSPY_ONLINEG.DJR
    • %System%\fmsiocps.dll - detected as TSPY_LEGMIR.YS
    • %System%\fmsjhif.dll - detected as TSPY_ONLINEG.OZN
    • %System%\issms32.dll - detected as TROJ_ONLINEG.DJT
    • %System%\mfchlp64.dll - detected as TSPY_ONLINEG.DJW
    • %System%\msoscqit.dat - non malicious file
    • %System%\msoscqit00.dll - detected as TSPY_FRETHOG.NS
    • %System%\msosdohs.dat - non malicious file
    • %System%\msosdohs00.dll - detected as TSPY_FRETHOG.NW
    • %System%\msosmhfp.dat - non malicious file
    • %System%\msosmhfp00.dll - detected as TSPY_FRETHOG.NY
    • %System%\msosmnsf.dat - non malicious file
    • %System%\msosmnsf00.dll - detected as TSPY_ONLINEG.DJX
    • %System%\nicozftp.dat - non malicious file
    • %System%\nicozftp00.dll - detected as TSPY_FRETHOG.NZ
    • %System%\ptshell.dll - detected as TSPY_ONLINEG.DKC
    • %System%\rzwmbknd.dll - detected as TSPY_ONLINEG.RMM
    • %System%\tciocp64.dll - detected as TSPY_ONLINEG.DKJ
    • %Windows%\anistio.exE - detected as TSPY_ONLINEG.RKQ
    • %Windows%\bincdwsa.exe - detected as TSPY_ONLINEG.DKL
    • %Windows%\dbhlp32.exe - detected as TROJ_ONLINEG.DKO
    • %Windows%\dionpis.exe - detected as TROJ_ONLINEG.DKY
    • %Windows%\fmsbbqi.exe - detected as TSPY_ONLINEG.DJR
    • %Windows%\fmsiocps.exe - detected as TSPY_LEGMIR.YS
    • %Windows%\fmsjhif.exe - detected as TSPY_ONLINEG.OZN
    • %Windows%\gsmyadvp.exe - detected as TSPY_ONLINEG.KQL
    • %Windows%\issms32.exe - detected as TROJ_ONLINEG.DJT
    • %Windows%\mfchlp64.exe - detected as TSPY_ONLINEG.DJW
    • %Windows%\ptshell.exe - detected as TSPY_ONLINEG.DKC
    • %Windows%\tciocp64.exe - detected as TSPY_ONLINEG.DKJ
    • %Windows%\Temp\dat82.exe - non malicious file

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

    It terminates the initially executed copy and executes the dropped copy.

    Autostart Techniques

    This backdoor creates the following registry entry(ies) to enable its automatic execution at every system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    anistio = "%Windows%\anistio.exE"
    bincdwsa = "%Windows%\bincdwsa.exe"
    dbhlp32 = "%Windows%\dbhlp32.exe"
    dionpis = "%Windows%\dionpis.exe"
    fmsbbqi = "%Windows%\fmsbbqi.exe"
    fmsiocps = "%Windows%\fmsiocps.exe"
    fmsjhif = "%Windows%\fmsjhif.exe"
    issms32 = "%Windows%\issms32.exe"
    mfchlp64 = "%Windows%\mfchlp64.exe"
    ngzslmhy = "%Windows%\gsmyadvp.exe"
    ptshell = "%Windows%\ptshell.exe"
    tciocp64 = "%Windows%\tciocp64.exe"

    It registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry key(s)/entry(ies):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cqit
    ImagePath = "\??\%Windows%\Temp\tmp71.tmp"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnsf
    ImagePath = "\??\%Windows%\Temp\tmp71.tmp"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msfpfis64
    ImagePath = "\??\%System%\drivers\msfpfis64.sys"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msp2p32
    ImagePath = "\??\%System%\drivers\msosmsp2p32.sys"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zftp
    ImagePath = "\??\%Windows%\Temp\tmp71.tmp"

    Note that three of these services load the same temporary file. A service whose ImagePath points into %Windows%\Temp is a reliable indicator on its own, regardless of the service name.

    It prevents security software from running by abusing Image File Execution Options. When a Debugger entry exists for a program name, Windows starts the named debugger in place of the program, so each application listed below is launched under ntsd and never runs normally. It does this by creating the following registry entry(ies):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application Name}
    Debugger = "ntsd -d"

    (Note: {Application Name} refers to the following:

  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360tray.exe
  • CCenter.exe
  • KPPMain.exe
  • KWatch.exe
  • QQDoctor.exe
  • QQKav.exe
  • RavMon.exe
  • RavMonD.exe
  • safeboxTray.exe
  • tqat.exe)

    These subkeys normally do not exist, so any Debugger entry under Image File Execution Options for a security product should be treated as suspicious.

    Backdoor Capabilities

    This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

    • Download files
    • Get system information
    • Log keystrokes
    • Shutdown affected system
    • Terminate process

    Download Routine

    This backdoor accesses Web sites to download the following file(s):

    • http://{BLOCKED}gol.com/xx/soc01.exe - detected as TSPY_ONLINEG.SCY
    • http://{BLOCKED}gol.com/xx/soc02.exe - detected as TROJ_SYSTEMHI.EB
    • http://{BLOCKED}gol.com/xx/soc03.exe - detected as TSPY_FRETHOG.NQ
    • http://{BLOCKED}gol.com/xx/soc04.exe - detected as TSPY_ONLINEG.RKQ
    • http://{BLOCKED}gol.com/xx/soc05.exe - detected as TROJ_SYSTEMHI.DK
    • http://{BLOCKED}gol.com/xx/soc06.exe - detected as TSPY_FRETHOG.IH
    • http://{BLOCKED}gol.com/xx/soc07.exe - detected as TSPY_ONLINEG.DJM
    • http://{BLOCKED}gol.com/xx/soc08.exe - detected as TSPY_LEGMIR.RD
    • http://{BLOCKED}gol.com/xx/soc09.exe - detected as TSPY_ONLINEG.DJN
    • http://{BLOCKED}gol.com/xx/soc10.exe - detected as TSPY_ONLINEG.DJR
    • http://{BLOCKED}gol.com/xx/soc11.exe - detected as TSPY_FRETHOG.MR
    • http://{BLOCKED}gol.com/xx/soc12.exe - detected as TROJ_SYSTEMHI.HK
    • http://{BLOCKED}gol.com/xx/soc13.exe - detected as TSPY_ONLINEG.KQL
    • http://{BLOCKED}gol.com/xx/soc14.exe - detected as TSPY_FRETHOG.HE
    • http://{BLOCKED}gol.com/xx/soc15.exe - detected as TSPY_ONLINEG.OZN
    • http://{BLOCKED}gol.com/xx/soc16.exe - detected as TSPY_ONLINEG.DJS
    • http://{BLOCKED}gol.com/xx/soc17.exe - detected as TROJ_SYSTEMHI.DL
    • http://{BLOCKED}gol.com/xx/soc18.exe - detected as TSPY_FRETHOG.MX
    • http://{BLOCKED}gol.com/xx/soc19.exe - detected as TROJ_PROXY.ZK
    • http://{BLOCKED}gol.com/xx/soc20.exe - detected as TSPY_ONLINEG.RKQ
    • http://{BLOCKED}gol.com/xx/soc21.exe - detected as TSPY_ONLINEG.SCS
    • http://{BLOCKED}gol.com/xx/soc22.exe - detected as TROJ_SYSTEMHI.DM
    • http://{BLOCKED}gol.com/xx/soc23.exe - detected as TSPY_ONLINEG.GKR
    • http://{BLOCKED}gol.com/xx/soc24.exe - detected as TROJ_SYSTEMHI.DO
    • http://{BLOCKED}gol.com/xx/soc25.exe - detected as TSPY_FRETHOG.NA
    • http://{BLOCKED}gol.com/xx/soc26.exe - detected as TROJ_SYSTEMHI.DP
    • http://{BLOCKED}gol.com/xx/soc27.exe - detected as TROJ_SYSTEMHI.DW
    • http://{BLOCKED}gol.com/xx/soc28.exe - detected as TSPY_GAMEOL.AQ
    • http://{BLOCKED}gol.com/xx/soc29.exe - detected as TSPY_FRETHOG.NO
    • http://{BLOCKED}gol.com/xx/soc30.exe - detected as TROJ_SYSTEMHI.EA

    Process Termination

    This backdoor terminates the following process(es), if found running on the system:

    • 360rpt.exe
    • 360safe.exe
    • 360safebox.exe
    • 360tray.exe
    • CCenter.exe
    • KPPMain.exe
    • KWatch.exe
    • QQDoctor.exe
    • QQKav.exe
    • RavMon.exe
    • RavMonD.exe
    • safeboxTray.exe
    • tqat.exe

    Affected Platforms

    This backdoor runs on Windows 98, ME, NT, 2000, XP, Server 2003.


    Analysis By: Jasen Sumalapao

    Revision History:

    First pattern file version: 5.284.04
    First pattern file release date: May 19, 2008

    SOLUTION


    Minimum scan engine version needed: 8.300

    Pattern file needed: 5.317.00

    Pattern release date: Jun 3, 2008


    Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine from Trend Micro.

    Solution:

    Note: To fully remove all associated malware, perform the clean solutions for the following:

  • JS_DLOADER.AP
  • JS_DLOADER.GXS
  • JS_DLOADER.UOW
  • TSPY_ONLINEG.RKQ
  • TSPY_ONLINEG.DKL
  • TSPY_ONLINEG.DKJ

    Important Windows ME/XP Cleaning Instructions

    Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

    Users running other Windows versions can proceed with the succeeding solution set(s).

    Restarting in Safe Mode

    This malware has characteristics that require the computer to be restarted in safe mode. Restart the computer in safe mode before performing the steps below.

    Removing Autostart Keys and Entries from the Registry

    Removing autostart keys from the registry prevents the malware from executing at startup.

    If the registry keys below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
    3. Still in the left panel, locate and delete the following keys:
      • cqit
      • mnsf
      • msfpfis64
      • msp2p32
      • zftp
    4. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
    5. In the right panel, locate and delete the following entries:
      • anistio = "%Windows%\anistio.exE"
      • bincdwsa = "%Windows%\bincdwsa.exe"
      • dbhlp32 = "%Windows%\dbhlp32.exe"
      • dionpis = "%Windows%\dionpis.exe"
      • fmsbbqi = "%Windows%\fmsbbqi.exe"
      • fmsiocps = "%Windows%\fmsiocps.exe"
      • fmsjhif = "%Windows%\fmsjhif.exe"
      • issms32 = "%Windows%\issms32.exe"
      • mfchlp64 = "%Windows%\mfchlp64.exe"
      • ngzslmhy = "%Windows%\gsmyadvp.exe"
      • ptshell = "%Windows%\ptshell.exe"
      • tciocp64 = "%Windows%\tciocp64.exe"

    Removing the Image File Execution Options Hijack

    This solution deletes registry entries added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to Microsoft's documentation on modifying the registry for more information.

    This procedure removes the Debugger entries the malware uses to keep security products from starting. Because the entries are keyed on program name, not file extension, restoring a shell "open" command does not undo them; the Debugger value itself must be deleted.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>
      Image File Execution Options
    3. Still in the left panel, look for a subkey named after each of the following applications:

      • 360rpt.exe
      • 360safe.exe
      • 360safebox.exe
      • 360tray.exe
      • CCenter.exe
      • KPPMain.exe
      • KWatch.exe
      • QQDoctor.exe
      • QQKav.exe
      • RavMon.exe
      • RavMonD.exe
      • safeboxTray.exe
      • tqat.exe

    4. For each subkey found, click it, then in the right panel locate and delete the entry:
      Debugger = "ntsd -d"
    5. If Debugger was the only entry in the subkey, delete the subkey as well. These subkeys do not exist on a clean system.
    6. Close Registry Editor.
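The persistence described in the Technical Details (the Run entries, the five service keys whose ImagePath points into %Windows%\Temp or at the dropped drivers, and the Debugger entries under Image File Execution Options) can be checked offline against a registry export, and the registry cleanup steps above can be turned into an importable .reg file. The following Python script is an added example, not part of this write-up and not a Trend Micro tool; it assumes the relevant hives were exported with `reg export` and decoded from UTF-16LE to text, takes its indicator names from this write-up, and uses a constructed SAMPLE_EXPORT in place of a real export.

```python
"""Triage a .reg export for BKDR_HUPIGON.CFV persistence and emit a cleanup .reg.
Added example, not Trend Micro's tool; assumes `reg export` output decoded to str.
Indicator names are from the write-up; SAMPLE_EXPORT is constructed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
DROPPED_EXE = {"anistio.exe", "bincdwsa.exe", "dbhlp32.exe", "dionpis.exe", "fmsbbqi.exe",
               "fmsiocps.exe", "fmsjhif.exe", "gsmyadvp.exe", "issms32.exe", "mfchlp64.exe",
               "ptshell.exe", "tciocp64.exe"}
SERVICE_NAMES = {"cqit", "mnsf", "msfpfis64", "msp2p32", "zftp"}
HIJACKED_APPS = {"360rpt.exe", "360safe.exe", "360safebox.exe", "360tray.exe", "ccenter.exe",
                 "kppmain.exe", "kwatch.exe", "qqdoctor.exe", "qqkav.exe", "ravmon.exe",
                 "ravmond.exe", "safeboxtray.exe", "tqat.exe"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def _decode(data: str) -> str:
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", data)
    if m and m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data  # dword:, plain hex: and others are kept raw


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {key path: {value name: data}} for a decoded .reg export."""
    keys: dict[str, dict[str, str]] = {}
    current, buf = None, ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):  # hex data continued on the next line
            buf = line[:-1]
            continue
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


def _basename(path: str) -> str:
    p = path.strip().strip('"').removeprefix("\\??\\")  # NT object-manager prefix
    return p.replace("/", "\\").split("\\")[-1].split(" ")[0].lower()


def find_indicators(reg: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    found = []  # (category, key, value name, data)
    for key, values in reg.items():
        kl = key.lower()
        if kl == RUN_KEY.lower():
            found += [("run", key, n, d) for n, d in values.items()
                      if _basename(d) in DROPPED_EXE]
        elif kl.startswith(SERVICES_KEY.lower() + "\\"):
            svc = key[len(SERVICES_KEY) + 1:].split("\\")[0].lower()
            image = values.get("ImagePath", "")
            # A service or driver image in a Temp folder or named *.tmp is never
            # legitimate, so flag that pattern as well as the write-up's names.
            if image and (svc in SERVICE_NAMES or "\\temp\\" in image.lower()
                          or _basename(image).endswith(".tmp")):
                found.append(("service", key, "ImagePath", image))
        elif kl.startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            app = key[len(IFEO_KEY) + 1:].lower()
            cat = "ifeo-hijack" if app in HIJACKED_APPS else "ifeo-debugger"
            found.append((cat, key, "Debugger", values["Debugger"]))
    return found


def cleanup_reg(findings: list[tuple[str, str, str, str]]) -> str:
    """Emit .reg text removing the findings: "name"=- deletes a value, [-key] a key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cat, key, name, _ in findings:
        if cat == "service":
            lines += [f"[-{key}]", ""]  # whole service key, as the write-up does
        else:
            lines += [f"[{key}]", f'"{name}"=-', ""]  # only the Run / Debugger value
    return "\n".join(lines)


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"anistio"="C:\\WINDOWS\\anistio.exE"
"ngzslmhy"="C:\\WINDOWS\\gsmyadvp.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,\
  56,00,45,00,52,00,53,00,5c,00,62,00,65,00,65,00,70,00,2e,00,73,00,79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cqit]
"ImagePath"="\\??\\C:\\WINDOWS\\Temp\\tmp71.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"
"""
```

Calling `find_indicators(parse_reg(SAMPLE_EXPORT))` reports the two Run entries, the cqit service and the 360tray.exe hijack while leaving ctfmon, the Beep driver and the notepad.exe GlobalFlag entry alone; `cleanup_reg` on that result yields a file that can be imported from safe mode with `regedit /s`. Unknown Debugger entries are reported as ifeo-debugger rather than ignored, since any such entry for a security product deserves a look, and the dropped files still have to be deleted by hand as described below.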

    Deleting the Malware File(s)

    1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    2. In the Named input box, type:
        %System%\msoscqit.dat
    3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    4. Once located, select the file then press SHIFT+DELETE.
    5. Repeat steps 2-4 for the following file(s):
      • %System%\msosdohs.dat
      • %System%\msosmhfp.dat
      • %System%\msosmnsf.dat
      • %System%\nicozftp.dat
      • %Windows%\Temp\dat82.exe

    Running Trend Micro Antivirus

    If you are currently running in safe mode, please restart your computer normally before performing the following solution.

    Scan your computer with Trend Micro antivirus and delete files detected as BKDR_HUPIGON.CFV, JS_LIANZONG.E, JS_REALPLAY.AT, JS_REALPLAY.CE, JS_SENGLOT.D, JS_VEEMYFULL.AA, VBS_PSYME.CSZ, TROJ_ONLINEG.DKO, TROJ_ONLINEG.DKY, TROJ_AGENT.VXO, TROJ_PROXY.ZK, TROJ_SYSTEMHI.DK, TROJ_SYSTEMHI.DL, TROJ_SYSTEMHI.DM, TROJ_SYSTEMHI.DO, TROJ_SYSTEMHI.DP, TROJ_SYSTEMHI.DW, TROJ_SYSTEMHI.EA, TROJ_SYSTEMHI.EB, TROJ_SYSTEMHI.HK, TSPY_ONLINEG.DJZ, TSPY_ONLINEG.DJR, TSPY_LEGMIR.YS, TSPY_ONLINEG.OZN, TROJ_ONLINEG.DJT, TSPY_ONLINEG.DJW, TSPY_FRETHOG.NS, TSPY_FRETHOG.NW, TSPY_FRETHOG.NY, TSPY_ONLINEG.DJX, TSPY_FRETHOG.NZ, TSPY_ONLINEG.DKC, TSPY_ONLINEG.RMM, TSPY_FRETHOG.HE, TSPY_FRETHOG.IH, TSPY_FRETHOG.MR, TSPY_FRETHOG.MX, TSPY_FRETHOG.NA, TSPY_FRETHOG.NO, TSPY_FRETHOG.NQ, TSPY_GAMEOL.AQ, TSPY_LEGMIR.RD, TSPY_ONLINEG.DJM, TSPY_ONLINEG.DJN, TSPY_ONLINEG.DJS, TSPY_ONLINEG.GKR, TSPY_ONLINEG.KQL, TSPY_ONLINEG.RKQ, TSPY_ONLINEG.SCS and TSPY_ONLINEG.SCY. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.



