Backdoor: Backdoor.Win32.Hupigon.urc
Risk level: Medium
Virus description
This virus is a backdoor written in Delphi and compressed with the nSPack packer in an attempt to evade signature scanning. The packed file is 291,029 bytes and uses the .exe extension. It spreads bundled with other files, through malicious web pages (drive-by downloads) and through download tools. Its main purpose is to give an attacker remote control of the infected computer. After infection, symptoms include a slow network connection, open network ports and unknown processes running.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled with other files, malicious web pages (drive-by downloads), download tools
Manual removal:
Stop and delete the GrayPigeon_Hacker.com.Cn service before deleting the files. The EXE is dropped with the hidden, read-only and system attributes set, so clear those attributes (or use a tool that ignores them), otherwise the deletion will fail or the file will not be listed.
Manually delete files
1. Delete %SystemRoot%\Hacker.com.cn.exe
2. Delete %SystemRoot%\uninstal.bat
Manually delete the registry entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.Cn
Name: ImagePath
Data: C:\Windows\Hacker.com.cn.exe
Variable declaration:
%SystemDrive% The partition where the system is installed, usually "C:\"
%SystemRoot% The Windows directory, usually "C:\Windows"
%Documents and Settings% The user profile directory, usually "C:\Documents and Settings"
%Temp% The temp folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% The default program installation directory, usually "C:\Program Files"
Virus behavior:
1. When run, the virus obtains the system path and its own path and checks whether it is running as "iexplorer.exe".
2. If it is not running as "iexplorer.exe", it checks whether its own path is "C:\Windows\Hacker.com.cn.exe".
3. If it is not "Hacker.com.cn.exe", it creates a mutex to prevent more than one copy from running, copies itself to "C:\Windows\Hacker.com.cn.exe" and sets the hidden, read-only and system attributes on that copy.
4. It opens the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode and deletes it (this value is the Windows 9x policy that governs whether the user may restart in real-mode MS-DOS).
5. It creates the registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.Cn
Name: ImagePath
Data: C:\Windows\Hacker.com.cn.exe
and registers that entry as a service so that the copy is loaded automatically at start-up.
6. Once it is running successfully, it creates the batch file "C:\Windows\uninstal.bat", which deletes the original copy of the virus.
7. It starts iexplorer.exe hidden and injects itself into that process, then connects to the network to resolve the control host's address, connects to that host and waits for further commands from the attacker.
Files created by the virus:
%SystemRoot%\Hacker.com.cn.exe
%SystemRoot%\uninstal.bat
Registry entries created by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.Cn
Name: ImagePath
Data: C:\Windows\Hacker.com.cn.exe
Registry entries deleted by the virus:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode
Network addresses accessed by the virus:
http://ittoi.******.net
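The manual removal steps and the behavior description above can be turned into a single check-and-clean script. The following PowerShell is an added example, not part of the original description or of any vendor tool: it looks for the file, service, process and registry indicators the page lists, reports what it finds, and with -Remove carries out the removal in the order the page implies (service first, then running copies, then the hidden/read-only/system files). The file paths, service name and ImagePath come from the page; the -Remove switch, the function names and the SHA-256 reporting are this example's own, and the policy key is assumed to be the standard Windows name WinOldApp. Run it from an elevated prompt.

```powershell
# Added example (not from the original page): check for, and optionally remove,
# the Backdoor.Win32.Hupigon.urc artifacts listed in the description above.
# Indicators are the page's; -Remove, the function names and the SHA-256 output
# are this example's own. Assumes the policy key is the standard WinOldApp name.

[CmdletBinding()]
param([switch]$Remove)

$ServiceName = 'GrayPigeon_Hacker.com.Cn'
$DroppedExe  = Join-Path $env:SystemRoot 'Hacker.com.cn.exe'
$DroppedBat  = Join-Path $env:SystemRoot 'uninstal.bat'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp'

function Find-GrayPigeonIndicators {
    $hits = @()

    # Dropped files. The EXE is set hidden + read-only + system, so -Force is
    # required; without it Get-Item silently skips hidden/system files.
    foreach ($f in @($DroppedExe, $DroppedBat)) {
        $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $hits += "file $f size=$($item.Length) attrs=$($item.Attributes) sha256=$hash"
        }
    }

    # Persistence: the service whose ImagePath points at the dropped EXE.
    if (Test-Path -Path $ServiceKey) {
        $img = (Get-ItemProperty -Path $ServiceKey -ErrorAction SilentlyContinue).ImagePath
        $hits += "service $ServiceName ImagePath=$img"
    }

    # Running copies: the dropped EXE under its own name, or the "iexplorer.exe"
    # host process the description names (spelling kept as on the page). Code
    # injected into that host does not appear as a separate process.
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if (($p.Path -and $p.Path -ieq $DroppedExe) -or $p.ProcessName -ieq 'iexplorer') {
            $hits += "process pid=$($p.Id) name=$($p.ProcessName) path=$($p.Path)"
        }
    }
    return $hits
}

function Remove-GrayPigeon {
    # Order matters: the service and any running copy hold the EXE open.
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $ServiceName | Out-Null
    }
    Remove-Item -Path $ServiceKey -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($p.Path -and $p.Path -ieq $DroppedExe) { Stop-Process -Id $p.Id -Force }
    }

    foreach ($f in @($DroppedExe, $DroppedBat)) {
        $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        if ($item) {
            # Clear hidden/read-only/system explicitly, then delete.
            $item.Attributes = [IO.FileAttributes]::Normal
            Remove-Item -LiteralPath $f -Force
            Write-Host "Deleted $f"
        }
    }
}

$indicators = Find-GrayPigeonIndicators
$indicators | ForEach-Object { Write-Warning $_ }

# The policy value the description says is deleted. Its absence is not evidence
# on its own: it does not exist on a clean machine either, so only report it.
$policy = Get-ItemProperty -Path $PolicyKey -Name NoRealMode -ErrorAction SilentlyContinue
Write-Host "WinOldApp\NoRealMode present: $($null -ne $policy)"

if ($Remove) { Remove-GrayPigeon }
elseif ($indicators) { Write-Host 'Re-run with -Remove to clean up (copy the files first if you need them for analysis).' }
else { Write-Host 'No indicators from this description were found.' }
```

Run it once without -Remove to see and preserve the findings (the SHA-256 lets you compare the sample against other detections), then with -Remove. Because the description says the backdoor injects into a browser process, the injected code has no process of its own; if the files or the service reappear after removal, stop the host process or reboot into Safe Mode and run the script again.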