Submission Summary:

• Submission details:
• Submission received: 6 October 2012, 00:47:09
• Processing time: 7 min 45 sec
• Submitted sample:
• File MD5: 0x6A32AA9512431BF97A1B7A5B780F68C0
• File SHA-1: 0xCA20E51AF2F0BAB083AD31D6E52EE36C8BF36367
• Filesize: 761,344 bytes
• Alias:
• Backdoor.Graybird [Symantec]
• Backdoor.Win32.Hupigon.dsx [Kaspersky Lab]
• BackDoor-AWQ.b [McAfee]
• BKDR_HUPIGON.ABU [Trend Micro]
• Troj/GrayBrd-CD [Sophos]
• Backdoor:Win32/Hupigon [Microsoft]
• Backdoor.Win32.Hupigon [Ikarus]
• Win-Trojan/Hupigon.761344.B [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.Hacker	Trojan.Hacker is a trojan that runs silently in the background and also represent security risk for the compromised system.
Backdoor.Hupigon.GEN	Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer causing IE to hide itself. It also logs keystrokes and sends this information to remote servers.
Backdoor.Graybird.GEN	Backdoor.Graybird.GEN has rootkit functionality. It injects itself into various processes causing them to be hidden. It also logs keystrokes and sends this information to remote servers.

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\Hacker.com.cn.exe [file and pathname of the sample #1]	761,344 bytes	MD5: 0x6A32AA9512431BF97A1B7A5B780F68C0 SHA-1: 0xCA20E51AF2F0BAB083AD31D6E52EE36C8BF36367	Backdoor.Graybird [Symantec] Backdoor.Win32.Hupigon.dsx [Kaspersky Lab] BackDoor-AWQ.b [McAfee] BKDR_HUPIGON.ABU [Trend Micro] Troj/GrayBrd-CD [Sophos] Backdoor:Win32/Hupigon [Microsoft] Backdoor.Win32.Hupigon [Ikarus] Win-Trojan/Hupigon.761344.B [AhnLab]

• Note:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	794,624 bytes
Hacker.com.cn.exe	%Windir%\Hacker.com.cn.exe	794,624 bytes

• There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
GrayPigeon_Hacker.com.cn	GrayPigeon_Hacker.com.cn	"Stopped"	%Windir%\Hacker.com.cn.exe

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.cn
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.cn\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.cn\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "GrayPigeon_Hacker.com.cn"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000]
• Service = "GrayPigeon_Hacker.com.cn"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "GrayPigeon_Hacker.com.cn"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Enum]
• 0 = "Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn]
• Type = 0x00000110
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%Windir%\Hacker.com.cn.exe"
• DisplayName = "GrayPigeon_Hacker.com.cn"
• ObjectName = "LocalSystem"
• Description = "????????????????????."
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "GrayPigeon_Hacker.com.cn"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000]
• Service = "GrayPigeon_Hacker.com.cn"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "GrayPigeon_Hacker.com.cn"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.cn\Enum]
• 0 = "Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.cn\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeon_Hacker.com.cn]
• Type = 0x00000110
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%Windir%\Hacker.com.cn.exe"
• DisplayName = "GrayPigeon_Hacker.com.cn"
• ObjectName = "LocalSystem"
• Description = "????????????????????."

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China

• To mark the presence in the system, the following Mutex object was created:
• Hacker.com.cn_MUTEX

• The following Host Name was requested from a host database:
• jiangchang520.3322.org

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 8000: