How to Prevent and Remove the Backdoor.Win32.Hupigon.lotd


 

1. What is the Backdoor.Win32.Hupigon.lotd

Backdoor.Win32.Hupigon.lotd is a backdoor Trojan: once it is running it gives a remote operator access to the infected computer over the Internet, so an infected machine is exposed to considerable risk (remote control, keystroke capture, data theft). It does not spread on its own; it is usually installed when the user runs a Trojan horse dropper that carries it.

 

2.Technical Details:

 

a. The following files were created in the system:

 

No.  Filename                 Size
1    %Temp%\dc_hook1.dll      18,944 bytes
2    c:\LSSvc\genius32.exe    647,368 bytes (a copy of sample #1, the dropper itself)
  • Note:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
  • The following directory was created:
    • c:\LSSvc

b. Memory Modifications

  • There were new memory pages created in the address space of the following processes:

Process Name              Process Filename                    Allocated Size
[filename of sample #1]   [file and pathname of sample #1]    786,432 bytes
genius32.exe              C:\LSSvc\genius32.exe               786,432 bytes

  • There was a new service created in the system:

Service Name   Display Name   Status      Service Filename
genius32       genius32       "Stopped"   C:\LSSvc\genius32.exe

c.  Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4V5K2-U4P4U54-BD587-QC8309-3ABXT1VQL}
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\genius32
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\genius32\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\genius32
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\genius32\Security
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4V5K2-U4P4U54-BD587-QC8309-3ABXT1VQL}]
        • StubPath = "C:\LSSvc\genius32.exe Restart"

        so that genius32.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • genius32.exe = "C:\LSSvc\genius32.exe"

        so that genius32.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\genius32\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\genius32]
        • Type = 0x00000110
        • Start = 0x00000002
        • ErrorControl = 0x00000000
        • ImagePath = "C:\LSSvc\genius32.exe"
        • DisplayName = "genius32"
        • ObjectName = "LocalSystem"
        • Description = "GeniusSvc"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\genius32\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\genius32]
        • Type = 0x00000110
        • Start = 0x00000002
        • ErrorControl = 0x00000000
        • ImagePath = "C:\LSSvc\genius32.exe"
        • DisplayName = "genius32"
        • ObjectName = "LocalSystem"
        • Description = "GeniusSvc"

        These service values mean: Type 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS (its own process, allowed to interact with the desktop), Start 2 = SERVICE_AUTO_START (started by the Service Control Manager at boot, without any logon), ErrorControl 0 = SERVICE_ERROR_IGNORE, and ObjectName LocalSystem = the backdoor runs with SYSTEM privileges. Together with the Active Setup StubPath and the Run value, the sample therefore has three independent ways of starting at boot; all three must be removed.

    d. Other details

    • To mark its presence in the system (so a second copy does not run), the following Mutex object was created:
      • MUTEX-J0YYRP
    • The following host name was resolved via DNS:
      • zxx.no-ip.info
    • An attempt was recorded to establish a connection with the remote host (the command-and-control server). The connection details are:
    Remote Host        Port Number
    zxx.no-ip.info     5150 (TCP)
    • The sample installed an application-defined hook procedure into the system hook chain (e.g. to monitor keystrokes). The hook is handled by the following module, which is therefore loaded into other processes as well:
      • %Temp%\dc_hook1.dll
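The following triage script is an added example, not part of the original analysis; it checks a single host for the indicators listed in section 2 without changing anything. It assumes the file, service, registry, mutex and network artefacts are exactly as named above, that it is run from an elevated PowerShell prompt, and that the NetTCPIP cmdlets are available (Windows 8 / Server 2012 or later; on older systems substitute netstat -ano and ipconfig /displaydns for the last block).

```powershell
# Added triage script for the Backdoor.Win32.Hupigon.lotd indicators in section 2.
# Read-only. Assumptions: artefact names/paths exactly as listed in the analysis.
$findings = New-Object System.Collections.Generic.List[string]

# a. Dropped files
foreach ($f in @((Join-Path $env:TEMP 'dc_hook1.dll'), 'C:\LSSvc\genius32.exe')) {
    if (Test-Path -LiteralPath $f) {
        $len  = (Get-Item -LiteralPath $f).Length
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("FILE    $f ($len bytes, SHA256 $hash)")
    }
}

# b. Service definition and running process
$svc = Get-CimInstance Win32_Service -Filter "Name='genius32'"
if ($svc) {
    $findings.Add("SERVICE genius32 state=$($svc.State) path=$($svc.PathName) account=$($svc.StartName)")
}
foreach ($p in @(Get-Process -Name genius32 -ErrorAction SilentlyContinue)) {
    $findings.Add("PROCESS genius32.exe PID $($p.Id)")
}

# c. Persistence: Active Setup StubPath and Run value
$asKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{4V5K2-U4P4U54-BD587-QC8309-3ABXT1VQL}'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $asKey) {
    $findings.Add("REG     $asKey StubPath='$((Get-ItemProperty -LiteralPath $asKey).StubPath)'")
}
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['genius32.exe']) {
    $findings.Add("REG     $runKey genius32.exe='$($run.'genius32.exe')'")
}

# d. Mutex: OpenExisting succeeds (or is denied) only while the backdoor holds it.
#    The analysis does not say which namespace was used, so both are tried.
foreach ($name in @('MUTEX-J0YYRP', 'Global\MUTEX-J0YYRP')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name); $m.Dispose()
        $findings.Add("MUTEX   $name is open (backdoor process is running)")
    } catch {
        $inner = $_.Exception.InnerException; if (-not $inner) { $inner = $_.Exception }
        if ($inner -is [System.UnauthorizedAccessException]) {
            $findings.Add("MUTEX   $name exists but is not accessible (backdoor process is running)")
        }   # WaitHandleCannotBeOpenedException: mutex absent, nothing to report
    }
}

# e. Hook DLL mapped into other processes (access to protected processes is denied; ignore)
foreach ($p in Get-Process) {
    try {
        foreach ($mod in $p.Modules) {
            if ($mod.ModuleName -ieq 'dc_hook1.dll') {
                $findings.Add("HOOK    dc_hook1.dll loaded in $($p.ProcessName) (PID $($p.Id))")
            }
        }
    } catch { }
}

# f. Network: live connections to TCP 5150 and the C2 name in the resolver cache
foreach ($c in @(Get-NetTCPConnection -RemotePort 5150 -ErrorAction SilentlyContinue)) {
    $findings.Add("NET     $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):5150 $($c.State) PID $($c.OwningProcess)")
}
if (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -ieq 'zxx.no-ip.info' }) {
    $findings.Add("DNS     zxx.no-ip.info is in the DNS client cache")
}

if ($findings.Count -eq 0) { 'No Backdoor.Win32.Hupigon.lotd indicators found.' } else { $findings }
```

A hit on the mutex, the hook DLL in foreign processes, or a connection to port 5150 means the backdoor is live, not merely on disk; treat the host as compromised and isolate it from the network before cleaning it.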

     

    3. How-to's

    a. How to prevent Backdoor.Win32.Hupigon.lotd?

    Do not run executables from untrusted sources; this backdoor is installed by a Trojan horse dropper, not by exploiting a vulnerability. On the network side, keep the policy knowledge base of Sax2 up to date: once Ax3soft Sax2 detects the command-and-control traffic of this Trojan it breaks the connection. Independently of any one product, the indicators in section 2 are worth blocking and alerting on at the perimeter: outbound TCP connections to port 5150 and DNS queries for zxx.no-ip.info. Note that no-ip.info is a dynamic DNS service, so the IP address behind the name can change at any time; block the name and the port rather than a single address.

    b. How to remove Backdoor.Win32.Hupigon.lotd manually?

    Perform the steps in this order and, if possible, in Safe Mode: the backdoor runs as a LocalSystem service and re-creates its persistence while it is running, so it has to be stopped before its registry entries and files are removed.

    Step 1 : Stop the Backdoor.Win32.Hupigon.lotd service and process

    Stop and delete the service genius32 (for example with sc stop genius32 and sc delete genius32 from an Administrator command prompt), then end any remaining process of
    C:\LSSvc\genius32.exe

    Step 2 : Remove the Backdoor.Win32.Hupigon.lotd registry entries

    Delete the following registry keys (deleting the service with sc in step 1 removes the Services\genius32 keys and their Security subkeys already; check that they are gone):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4V5K2-U4P4U54-BD587-QC8309-3ABXT1VQL}
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\genius32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\genius32\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\genius32
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\genius32\Security

    Delete the following registry value (do not delete the Run key itself, legitimate programs use it):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    genius32.exe = "C:\LSSvc\genius32.exe"

    The values stored under the keys above are the ones listed in section 2c (StubPath = "C:\LSSvc\genius32.exe Restart" and the genius32 service definition); they disappear together with their keys.

    Step 3 : Locate and delete the Backdoor.Win32.Hupigon.lotd files

    C:\LSSvc\genius32.exe
    %Temp%\dc_hook1.dll

    and remove the now empty directory C:\LSSvc. Because dc_hook1.dll is injected into other processes through the system hook, Windows may refuse to delete it while those processes run; in that case delete it from Safe Mode or after a reboot.

    Step 4 : Reboot and verify

    After rebooting, confirm that the service, the two files, the Active Setup key and the Run value have not reappeared and that the machine no longer connects to zxx.no-ip.info on port 5150. Change any passwords typed on the machine while it was infected: the hook DLL was positioned to capture keystrokes.
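The steps above carried out as one script, added here as an example and not part of the original write-up. It assumes the artefact names and paths exactly as listed in section 2 and in the steps, and that it is run from an elevated PowerShell prompt (Safe Mode preferred); if a file cannot be deleted because the hook DLL is still mapped, it is queued for deletion at the next boot via the PendingFileRenameOperations value.

```powershell
# Added removal script for Backdoor.Win32.Hupigon.lotd. Run elevated.
# Assumptions: artefacts exactly as named in the analysis; nothing else is touched.
$exe    = 'C:\LSSvc\genius32.exe'
$dll    = Join-Path $env:TEMP 'dc_hook1.dll'
$dir    = 'C:\LSSvc'
$svc    = 'genius32'
$asKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{4V5K2-U4P4U54-BD587-QC8309-3ABXT1VQL}'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Step 1: stop the service and the process first, otherwise the running backdoor
# simply re-creates the persistence entries removed in step 2.
Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
Get-Process -Name genius32 -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue

# Step 2: remove persistence. Deleting the service through the SCM removes the
# Services\genius32 key and its Security subkey from the live control set
# (CurrentControlSet, which is normally the same control set as ControlSet001).
& sc.exe delete $svc | Out-Null
Remove-Item -LiteralPath $asKey -Recurse -Force -ErrorAction SilentlyContinue
Remove-ItemProperty -LiteralPath $runKey -Name 'genius32.exe' -ErrorAction SilentlyContinue

# Step 3: delete the dropped files. dc_hook1.dll may still be mapped into the
# processes the hook was injected into; then queue it for deletion at next boot.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
foreach ($f in @($exe, $dll)) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    try {
        Remove-Item -LiteralPath $f -Force -ErrorAction Stop
    } catch {
        Write-Warning "$f is in use; scheduling deletion at next boot"
        # PendingFileRenameOperations is a REG_MULTI_SZ of (source, target) pairs;
        # an empty target means "delete". Keep existing entries, drop nulls only.
        $pending = @((Get-ItemProperty -LiteralPath $sm).PendingFileRenameOperations | Where-Object { $null -ne $_ })
        $pending += @("\??\$f", '')
        Set-ItemProperty -LiteralPath $sm -Name PendingFileRenameOperations -Value $pending -Type MultiString
    }
}
if ((Test-Path -LiteralPath $dir) -and -not (Get-ChildItem -LiteralPath $dir -Force)) {
    Remove-Item -LiteralPath $dir -Force
}

# Step 4: report what is left so the operator knows whether a reboot and re-run are needed.
$left = @(@($exe, $dll, $asKey) | Where-Object { Test-Path -LiteralPath $_ })
if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $left += "service $svc" }
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['genius32.exe']) { $left += "Run value genius32.exe" }
if ($left.Count -gt 0) {
    Write-Warning ("Still present (reboot, then re-run): " + ($left -join ', '))
} else {
    'Backdoor.Win32.Hupigon.lotd artefacts removed. Reboot, rescan, and change passwords used on this machine.'
}
```

A service that has just been deleted with sc.exe can remain visible to Get-Service as "marked for deletion" until the process that held a handle to it exits, so a warning from the final check is expected on a live system; it should be clean after the reboot.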

    c. How to remove this Trojan automatically?

    Manual removal is error-prone and is not recommended unless you are experienced with the Windows registry and services; a mistake in the Services or Session Manager keys can leave the machine unbootable. The safer route is to install a reputable anti-malware program and run a full scan. We suggest Malwarebytes' Anti-Malware, an anti-malware application that removes this family and includes a protection monitor that blocks known malicious processes before they start; download it from http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
