English
Romana
Home
|
Contact
|
Feedback
SEARCH
Security Development
Company
Careers
Press Center
Virus Info
Security News
Virus Glossary
About Malware
VDF History
External Links
Solutions
Products
Alerts Panel
Support
Register
BDS/Hupigon.chy - Backdoor Server
See also
Summary
Full description
Virus:
BDS/Hupigon.chy
Date discovered:
12/09/2006
Type:
Backdoor Server
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
Yes
File size:
833.536 Bytes
MD5 checksum:
4052dc2493d0b00af39524765d4c6119
VDF version:
6.35.01.215
IVDF version:
6.35.01.219
General
Method of propagation:
• No own spreading routine
Aliases:
• Mcafee: BackDoor-AWQ
• Kaspersky: Backdoor.Win32.Hupigon.chy
• TrendMicro: BKDR_HUPIGON.BJX
• F-Secure: Backdoor.Win32.Hupigon.chy
• Eset: Win32/Hupigon.CHY
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops files
• Registry modification
• Steals information
• Third party control
Files
It copies itself to the following location:
•
%WINDIR%
\server.bat
It deletes the initially executed copy of itself.
The following files are created:
–
%SYSDIR%
\SVKP.sys
–
%WINDIR%
\uninstal.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
Registry
The following registry keys are added in order to load the services after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\SVKP]
• "Type"=dword:00000001
• "Start"=dword:00000002
• "ErrorControl"=dword:00000001
• "ImagePath"="
%SYSDIR%
\SVKP.sys"
• "DisplayName"="SVKP"
– [HKLM\SYSTEM\CurrentControlSet\Services\SVKP\Security]
• "Security"=
%hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\SVKP\Enum]
• "0"="Root\\LEGACY_SVKP\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Services\BNS Service]
• "Type"=dword:00000110
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"="
%WINDIR%
\server.bat"
• "DisplayName"="DNS Service"
• "ObjectName"="LocalSystem"
• "Description"="Ö§³Ö´Ë¼ÆËã»úµÄ½âÎöºÍ»º³åÓòÃûϵͳ(DNS)·þÎñ¡£Èç¹û´Ë·þÎñÍ£Ö¹£¬½âÎöºÍ»º³åÓòÃûϵͳ(DNS)·þÎñ¹¦Äܽ«²»¿ÉÓá£"
– [HKLM\SYSTEM\CurrentControlSet\Services\BNS Service\Security]
• "Security"=
%hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\BNS Service\Enum]
• "0"="Root\\LEGACY_BNS_SERVICE\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
Backdoor
The following ports are opened:
– iexplore.exe on TCP port 8080 in order to provide a proxy server.
– iexplore.exe on TCP port 1080
Contact server:
The following:
• syrus.3322.**********:8000
As a result it may send information and remote control could be provided.
Sends information about:
• Computer name
• Information about the Windows operating system
Injection
– It injects itself into a process.
Process name:
• iexplore.exe
File details
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• SVKP
See a brief description
here
.
Inserted by Adriana Popa on Thu, 26 Oct 2006 15:44 (GMT+1)
Updated by Adriana Popa on Fri, 27 Oct 2006 14:34 (GMT+1)
« Back
Print this page
Latest News
Avira survey shows 1 in 3 people think all websites pose security threat
Avira warns of Windows vulnerability
HEUR/HTML.Malware
TR/Crypt.XPACK.Gen2
TR/Crypt.XPACK.Gen3
W32/Sality.Y
Java/Agent.M.1
TR/Renos.AB.4
TR/Renos.AT
TR/Fakealert.MA.591
TR/Agent.321536
TR/Agent2.loa
Download here
© 2010 Avira Soft SRL
Privacy
|
Site terms
|
Copyright
|
Site map
Print this page
