Created: 2009-09-10, 17:02:36
Last updated on: 2009-09-10, 17:02:36

Platform: Win32 Type: trojan Size: 576512
Date: 2009-01-27

Compressor: ASProtect
Endangered operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Non-endangered operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...


The different antivirus applications use different names for the individual viruses and worms. Sometimes an antivirus application identifies the same individual malware using different names for different copies or different viruses and worms are identified with the same name. The informative list below contains the names for the malware given by the most popular antivirus applications. The names can vary using the different versions of the same antivirus application.

antivirus naming
AVG BackDoor.Hupigon4.AATV
BitDefender Backdoor.Hupigon.AAFC
Fortinet PossibleThreat
F-Secure Backdoor.Win32.Hupigon.ezli
Ikarus Backdoor.Win32.Hupigon
McAfee BackDoor-AWQ!hv.c(Trojan)
NOD32 (ESET) Win32/Hupigon.NJJ
Microsoft Win32/Hupigon.gen!B
Rising Antivirus Backdoor.Win32.Gpigeon.gel
Sophos Mal/Inet-Fam
Trend Micro BKDR_Generic.DMS
VirusBuster Backdoor.Hupigon.CIUS


The main purpose of viruses and worms spreading on the Internet and local networks is to infect another computer. After this infection malware can modify the system and after a reboot process the malware code can be launched. For this purpose malware usually creates files in the operating system's area and modify the registry. According to this modification of the registry the operating system will execute the malware code as well. Besides, it is possible that they create files in other area (directory) of the file system. It is also possible that viruses and worms create AUTORUN.INF files in the root directories of the drives. In this case - according to the default settings of Windows - it automatically executes the malware once the user opens the root directory of the particular drive.

The Win32/Hupigon.NJJ trojan in the Windows System32 folder (default: C:\Windows\System32) creates the files.


Win32/Hupigon.NJJ trojan creates the following entries in the registry or modifies it (if it exists already):

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\system32] "DisplayName"="system32"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\system32] "ImagePath"="C:\WINDOWS\system32\"


Viruses and worms can create services in the system to activate after the boot process. Service parameters are stored in the registry as well. The services can be viewed in Control Panel/Administrative Tools/Services of Windows XP. It is possible that malware stop services too.

Win32/Hupigon.NJJ trojan creates the service using the system32 name.

The path of the created service is C:\Windows\System32\ .



Viruses and worms more and more frequently open backdoors on the attacked computer. Thus the attacker can take full control over the machine. In this case the attacker can do whatever s/he wants on the computer: run or stop programs and applications, upload or download files, steal passwords and access codes.

Win32/Hupigon.NJJ trojan opens a backdoor on TCP port number 8080 .

It connects to the web page.