Kill Hupigon
For the last couple of weeks all of my computers have been infected with a trojan called Hupigon. Spybot picked it up a few times after running scans and that's when I noticed something was wrong. I did my research and found that Hupigon is not so new, but lethal. It appears that the trojan originated in China. It contains Chinese characters and is discussed widely on Chinese forums. You can read an article about it. The trojan is capable of keylogging and remote control of infected machines, and it disables cmd.exe, msconfig.exe, regedit.exe and various other programs. It also appears that my credit card details were stolen recently and used elsewhere online, so I guess this has something to do with Hupigon.
First I will discuss a little about the trojan and its background, how I discovered it, what it did to my computers, and how I deleted it. A few months ago I got a Toshiba 4GB USB flash drive from Harvey Norman. The USB drive came with built-in software called U3, which is pretty nifty except that I don't use it. I travel between work and home, and I own all the computers at both, so I don't need to run portable software. Other than that, my university does not allow software to run from any external drive, rendering my USB drive useless. So I decided to remove the U3 utility. I went to u3.com and downloaded a removal utility. Later on, I was at uni and I plugged the USB drive into one of the machines. McAfee immediately reported a trojan called Hupigon (X:\runauto..\autorun.pif). So I selected to remove the file via McAfee, which didn't complain. A while later, I did the same thing and McAfee again reported the trojan. This time I went to see the technical support guy at uni. He copied the files on my USB drive across to a temporary location, then did a quick format of the USB drive, and we thought the trojan was gone for good. The tech guy said that it could be a dodgy autorun file for the U3 utility. The autorun.pif file is sitting inside an invisible folder called runauto.. (with the double full stops). I called Toshiba technical support in Australia and they were not sure whether the hidden folder and file are associated with their product, and even if they were, Toshiba insisted that it is not malicious.
A few days/weeks later…
I was sitting at my desk at home and thought, "Oh, I will just open up msconfig.exe". When I opened the Run dialog, typed in msconfig (or msconfig.exe) and pressed Enter, it displayed the following error message:
Windows cannot find 'msconfig'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Annoyed by this, I did complete system scans with AVG Anti-Virus, Spybot – Search & Destroy, and Lavasoft Ad-Aware. Neither AVG nor Ad-Aware picked up anything suspicious; however, Spybot picked up something called "Hupigon13". So I clicked on the fix button to fix Hupigon13. The interesting thing is that when I rebooted, the trojan came right back, and I was still unable to open msconfig. Next, I went to another computer and tried to run msconfig from the Run dialog. It threw the same error message at me. At this point, I realised all of the machines were infected.
I have two separate networks: one at home, another at the office. The networks are not linked in any way, but I do copy some files across the two networks from time to time. I guess that's how one network got infected by the other. I should mention here that I suspected the trojan is capable of replicating itself, propagating through the network and jumping onto different machines. I found this out later on down the track because I was fixing my laptop, which removed the trojan, and then when I turned on my external hard drive, the laptop was infected again. As soon as the power was turned on with the USB cable plugged in, AVG Anti-Spyware reported that Hupigon had been detected and was trying to create some files (specifically C:\Windows\dllhost.exe). It is probably apparent that the trojan is targeting Microsoft Windows machines.
During the next couple of days, I became highly cautious. I stopped paying bills online and transferring money over the Internet, fearing the trojan would do further damage. I looked high and low for possible fixes to get rid of the trojan but didn't find any solution. I visited a site called pchelpforum.com and posted a help request. One of the support guys on the forum recommended that I do a "prework", which is a set of standard procedures to install and run their recommended malicious software removal utilities. So I did this: I installed AVG Anti-Spyware, SuperAntiSpyware, and CCleaner. After rebooting to safe mode, AVG Anti-Spyware picked up 13 instances of Hupigon (possibly variants). After completing the prework, I rebooted to normal mode and the trojan infection got worse. I was unable to open msconfig.exe, regedit.exe, and cmd.exe. I have used the Malicious Software Removal Tool provided by Microsoft without any luck (article). The tool claims to remove all variants of Hupigon, but apparently not the one that I was infected with.
I performed the same procedures on other machines and got the same result. Again, burning with frustration, I decided to get rid of Windows altogether and install Ubuntu instead, which I did on two machines. One morning, just before going to work, I decided to do a little more research into Hupigon and came across a Chinese forum which listed a fix for Hupigon. It's a simple Windows batch script which removes the files that Hupigon creates on the infected machines, bypassing all the Hupigon protection of course (Hupigon makes itself invisible and attaches itself to various Windows processes). After running this script and rebooting, the Hupigon trojan was gone for good.
Apparently, the Hupigon source code was released to the public and there are many variants out there. I will post the Windows script (.bat) below so that if anyone is infected with this hard-to-remove trojan, I hope it will make it a little easier for you.
Instructions:
Do the prework first.
1. Download the file (hupigon.7z) above. You need 7-Zip to unzip it to somewhere (e.g. the desktop). Why do I use 7-Zip? Because it is an open format.
2. Find cmd.exe by going to the Start Menu and Search. Usually, cmd.exe is located in C:\Windows\System32\.
3. Once you find cmd.exe, create a copy of it on the desktop.
4. Rename the copy you have created to anything you like (e.g. helloworld.exe).
5. Double click on the copy of cmd.exe you have created and drag the .bat file into the command prompt, then hit Enter.
6. Follow the prompts. You will be asked to press Enter to continue and to select the drive letters which you want to clean. For example, if you have C, D, and G drives, you have to enter: c,d,g and press Enter.
7. Reboot once the script completes.
Now try to run msconfig.exe, regedit.exe, and cmd.exe. If you have followed the prework and the instructions above, you should no longer have a Hupigon infection. Otherwise, redo the prework (make sure you run that software in safe mode) and run the script again. Be sure to clean all of your drives. That means including USB flash drives and external hard drives. You can have those devices plugged in and turned on when you run the script. You MUST do this; otherwise, if one of your drives is still infected, it will re-infect everything.
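As an added example (my own code, not the hupigon.7z batch script from the forum), here is a small Python checker that reports the file-system indicators named in this post on each drive root you pass it, so you can confirm every drive is clean before rebooting. The indicator labels and the make_demo_drive() sample tree are constructed for illustration; the trailing-dot handling is the reason the runauto.. folder is hard to reach from Explorer or a plain cmd prompt.

```python
"""Report the Hupigon file-system indicators from this post on a set of drive roots."""
import os
import sys
import tempfile

# Indicators taken from the post: a hidden "runauto.." folder holding autorun.pif on
# a drive root, and a dropped C:\Windows\dllhost.exe (the genuine one lives in System32).
DROPPER_DIR = "runauto.."
DROPPER_FILE = "autorun.pif"
DROPPED_EXE = "dllhost.exe"


def _raw(path):
    # Win32 silently strips trailing dots, so "runauto.." can only be opened through
    # the \\?\ prefix; on other platforms the path is used as-is.
    if sys.platform == "win32" and not path.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(path)
    return path


def scan_root(root):
    """Return (indicator, path) pairs found directly under one drive root."""
    findings = []
    try:
        entries = list(os.scandir(_raw(root)))
    except OSError:  # unreadable or missing root: nothing to report
        return findings
    for e in entries:
        if not e.is_dir(follow_symlinks=False):
            continue
        if e.name == DROPPER_DIR:
            findings.append(("hidden runauto.. folder", e.path))
            pif = os.path.join(e.path, DROPPER_FILE)
            if os.path.isfile(pif):
                findings.append(("autorun.pif inside runauto..", pif))
        elif e.name.lower() == "windows":
            exe = os.path.join(e.path, DROPPED_EXE)
            if os.path.isfile(exe):
                findings.append(("dllhost.exe outside System32", exe))
    return findings


def scan_roots(roots):
    return [f for r in roots for f in scan_root(r)]


def make_demo_drive():
    """Constructed sample 'drive' in a temp dir carrying the indicators (for demo/tests)."""
    base = tempfile.mkdtemp(prefix="hupigon_demo_")
    os.makedirs(_raw(os.path.join(base, DROPPER_DIR)))
    open(_raw(os.path.join(base, DROPPER_DIR, DROPPER_FILE)), "wb").close()
    os.makedirs(os.path.join(base, "Windows", "System32"))
    open(os.path.join(base, "Windows", DROPPED_EXE), "wb").close()
    os.makedirs(os.path.join(base, "runauto"))  # benign look-alike, must not be flagged
    return base


if __name__ == "__main__":
    for label, path in scan_roots(sys.argv[1:] or [make_demo_drive()]):
        print(f"[!] {label}: {path}")
```

Run it as `python check_hupigon.py C:\ D:\ G:\` with the external drives plugged in; with no arguments it scans the constructed demo tree.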
Note: The alternative to all of the steps above is to install Ubuntu and live in a free world. Yes, I’m being sarcastic.