BLACK BURN HACKER


Sunday, July 1, 2012

Myanmar Kid's Haveji.exe Exposed !!


Analysis of Haveji.exe
==============================================================
File name :            Haveji.exe (aka Win32/Hupigon)
Bound with :           cmd.exe (downloader)
File size :            28672 bytes
Total processes :      2 (in the sandbox run)
MD5 :                  33154e683a6b9faee259e25ecbd7a0cb
SHA-256 :              eba09858b2ddb1f3e489086db4e5ae886fcb7c73352975a04bc2c295fe54ba2d
SHA-1 :                52be3b62465243d347117f28799f225b53b2a106
File type :            PE32 executable for MS Windows (GUI) Intel 80386 32-bit
------------------------------------------------------------------------------------------------
Category :        Malware
Type :            Backdoor
Platform :        W32
Origin :          China (the Hupigon family dates back to Jun 26, 2006, so this is old code; the Myanmar build is a repackaged copy of the Chinese kit)


Other names for this family: C!87, ZZSlash, Malware.SB.Bbc, Artemis!1508982B3D4D, Hupigon.
----------------------------------------------------------------------------------------------------
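Before trusting the identifiers above, an analyst would re-derive them from the file. The Python below is an added example, not code from the original post: it hashes a sample and parses its PE headers to confirm the "PE32 / Intel 80386 / GUI" claims, and applies two heuristics for traits this page mentions (UPX section names for the kit's UPX packing option, and the Borland Delphi runtime string). The malware itself is not included; `build_toy_pe()` constructs a minimal PE image here so the parser can be exercised without it, which also means the hash comparison against the post's values fails on the toy by design.

```python
"""Identify a sample offline: re-hash it and parse the PE headers.

Added example, not from the original post. EXPECTED holds the digests the
post quotes; the toy PE below is constructed purely to exercise the parser.
"""
import hashlib
import struct

# Hashes quoted in the post for Haveji.exe.
EXPECTED = {
    "md5": "33154e683a6b9faee259e25ecbd7a0cb",
    "sha1": "52be3b62465243d347117f28799f225b53b2a106",
    "sha256": "eba09858b2ddb1f3e489086db4e5ae886fcb7c73352975a04bc2c295fe54ba2d",
}
MACHINE_I386 = 0x014C          # IMAGE_FILE_MACHINE_I386
SUBSYSTEM_WINDOWS_GUI = 2      # IMAGE_SUBSYSTEM_WINDOWS_GUI
PE32_MAGIC = 0x10B             # optional-header magic for 32-bit images


def hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of the bytes, keyed like EXPECTED."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_post(data: bytes) -> bool:
    """True only when all three digests agree with the values in the post."""
    return hashes(data) == EXPECTED


def pe_facts(data: bytes) -> dict:
    """Parse the DOS and NT headers; raise ValueError for a non-PE file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                        # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    first_section = opt + opt_size
    names = []
    for i in range(nsections):            # section headers are 40 bytes each
        (raw,) = struct.unpack_from("8s", data, first_section + 40 * i)
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {
        "pe32": magic == PE32_MAGIC,
        "i386": machine == MACHINE_I386,
        "gui": subsystem == SUBSYSTEM_WINDOWS_GUI,
        "sections": names,
        # Heuristics, not proof: UPX names its sections UPX0/UPX1, and Delphi
        # executables carry the RTL's Borland registry string.
        "upx": any(n.upper().startswith("UPX") for n in names),
        "delphi": b"SOFTWARE\\Borland\\Delphi" in data,
    }


def check_file(path: str) -> dict:
    """Entry point for a real sample on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hashes_match_post": matches_post(data), **pe_facts(data)}


def build_toy_pe(section_names=(".text", "UPX0", "UPX1"), delphi=True) -> bytes:
    """Constructed minimal PE32 (i386, GUI) image: headers only, no code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                   # standard PE32 optional-header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, SUBSYSTEM_WINDOWS_GUI)
    coff = struct.pack("<HHIIIHH", MACHINE_I386, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(struct.pack("8s", n.encode()) + b"\0" * 32 for n in section_names)
    tail = b"SOFTWARE\\Borland\\Delphi\\RTL\0" if delphi else b""
    return dos + b"PE\0\0" + coff + bytes(opt) + sections + tail
```

Run `check_file("Haveji.exe")` on the real sample; `hashes_match_post` tells you whether you are holding the same file the post describes, and the `upx`/`delphi` flags say whether the kit's UPX option and the Delphi origin are visible in the bytes you have.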


Summary ::
Haveji is written in Borland Delphi. Haveji (Win32/Hupigon) is a family of backdoor Trojans. A Haveji infection consists of the dropper (TrojanDropper:Haveji) and the two to three files it installs: Backdoor:Haveji, the main backdoor component; Backdoor:Haveji!hook, a stealth component that hides files and processes associated with Haveji; and, optionally, PWS:Haveji, a plugin that logs keystrokes and steals passwords. Haveji may support other malicious plugins as well.


 Main target : keylogging and stealing browser passwords


Symptoms:
There are no common visible symptoms of a Haveji infection. Alerts from installed antivirus software may be the only sign.


Technical Information (Analysis) :
------------------------------------------------
Win32/Hupigon (Haveji) is a family of backdoor Trojans. A Win32/Hupigon infection includes TrojanDropper:Win32/Hupigon and two to three dynamic-link library (DLL) files that the dropper installs.


TrojanDropper:Win32/Hupigon copies itself to the Windows system folder and runs itself from there. The Trojan dropper then drops the following DLL files:

Backdoor:Win32/Hupigon. This is the main backdoor component of Win32/Hupigon. TrojanDropper:Win32/Hupigon registers this component as a service. The service opens a backdoor server that allows other computers to connect to and control the infected computer in various ways. Backdoor:Win32/Hupigon connects to a specified Web site to notify the attacker of the infection. This backdoor component may have other functionality, such as the ability to host a telnet server and to connect to a video source such as a webcam to spy on the user, using the Windows audio-video interleave (AVI) capture API functions.

Backdoor:Win32/Hupigon!hook. This is the stealth component of Win32/Hupigon. It hides files and processes associated with Win32/Hupigon by intercepting certain Windows API function calls. Backdoor:Win32/Hupigon!hook is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.


TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It too is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.


Process :
========
Deleted Files ::
[process 1] C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp


Stored Modified Files::
[process 1] C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp\Haveji.bat


Created Mutexes ::
(Desired access for all four: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE)
[process 1] Name: Groove:PathMutex:YoNgf9TlAyd0477wzgfiTWi4XXU=
[process 1] Name: Local\ZonesCounterMutex
[process 1] Name: Local\ZoneAttributeCacheCounterMutex
[process 1] Name: Local\ZonesCacheCounterMutex


Created Keys ::
[process 2] \REGISTRY\MACHINE\System\CurrentControlSet\Control\TimeZoneInformation


Set Values ::
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed (written 8 times)
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Values: Personal, Desktop, Local AppData, Cache, Cookies
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Values: Common Documents, Common Desktop, Common AppData
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3259504d-e161-11e0-bf1d-806d6172696f}
Value: BaseClass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3259504b-e161-11e0-bf1d-806d6172696f}
Value: BaseClass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3259504a-e161-11e0-bf1d-806d6172696f}
Value: BaseClass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Values: ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect (each written twice)
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value: C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp\Haveji.bat

Note on reading this: the RNG\Seed writes, the Shell Folders, MountPoints2 and ZoneMap values, the TimeZoneInformation key and the Groove/Zones mutexes are side effects of ordinary Windows API calls (random-number generation, special-folder lookups, Internet Explorer zone checks, drive enumeration) and show up for almost any program run in this sandbox. The artifacts that actually belong to the sample are the 19.tmp directory in the user's Temp folder (deleted before the run ended), the Haveji.bat written inside it, and the MUICache entry showing that batch file was executed.


Network Traffic
Connection #1 Local 10.20.25.255 to 10.20.25.247
This is the only connection the sandbox recorded, and 10.20.25.255 is the broadcast address of the lab's private /24, so it is local broadcast traffic, not an outbound command-and-control connection.
.............................................................................
Note :
If you want the full detailed analysis, please leave a comment and I'll send it to you.
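A practitioner reading the raw sandbox output above wants the environment noise separated from the sample's own artifacts. The Python below is an added example, not the original post's code or any sandbox vendor's: it parses lines in the "[process N] ..." shape used above and drops the registry keys and mutexes that ordinary Windows API calls produce for any program, leaving the sample-specific items. The allowlist of noise patterns and the embedded report excerpt (a trimmed copy of the report above, used as test input) are this example's own assumptions.

```python
"""Separate sandbox-report noise from sample-specific artifacts.

Added example, not from the original post or any sandbox product. NOISE_* are
an assumed allowlist of artifacts that ordinary Windows API calls produce;
SAMPLE_REPORT is an excerpt of the report above, used as test input.
"""
import re

# Registry keys written as side effects of common API calls, not by malware logic.
NOISE_REGISTRY = [
    r"\\SOFTWARE\\Microsoft\\Cryptography\\RNG$",   # CryptGenRandom reseeding
    r"\\Explorer\\Shell Folders$",                    # SHGetFolderPath lookups
    r"\\Explorer\\MountPoints2\\",                    # Explorer drive enumeration
    r"\\Internet Settings\\ZoneMap$",                 # WinINet / IE zone checks
    r"\\Control\\TimeZoneInformation$",               # time-zone query
]
# Mutexes owned by Windows components (Groove shell extension, IE zone cache).
NOISE_MUTEX = [r"^Groove:PathMutex:", r"^Local\\Zone"]

PROCESS_LINE = re.compile(r"^\[process (\d+)\] (.*)$")


def parse_report(text: str) -> list:
    """Turn the report text into records tagged file / mutex / registry."""
    section, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                        # e.g. "Set Values ::"
            section = line.rstrip(": ").lower()
            continue
        m = PROCESS_LINE.match(line)
        if m:
            pid, body = int(m.group(1)), m.group(2)
            if body.startswith("Key Name: "):
                records.append({"kind": "registry", "pid": pid, "section": section,
                                "key": body[len("Key Name: "):], "value": None})
            elif body.startswith("Name: "):
                records.append({"kind": "mutex", "pid": pid, "section": section,
                                "name": body[len("Name: "):]})
            elif section and "key" in section:        # "Created Keys" lists bare key paths
                records.append({"kind": "registry", "pid": pid, "section": section,
                                "key": body, "value": None})
            else:
                records.append({"kind": "file", "pid": pid, "section": section, "path": body})
        elif line.startswith("Value: ") and records and records[-1]["kind"] == "registry":
            records[-1]["value"] = line[len("Value: "):]
        # "Desired Access: ..." and separator lines carry nothing we need.
    return records


def is_noise(rec: dict) -> bool:
    """Does this record match the allowlist of environment noise?"""
    if rec["kind"] == "registry":
        return any(re.search(p, rec["key"], re.I) for p in NOISE_REGISTRY)
    if rec["kind"] == "mutex":
        return any(re.search(p, rec["name"], re.I) for p in NOISE_MUTEX)
    return False


def triage(text: str) -> list:
    """Return (tag, detail) findings that remain after the noise is removed."""
    findings = []
    for rec in parse_report(text):
        if is_noise(rec):
            continue
        if rec["kind"] == "registry" and "\\MUICache" in rec["key"]:
            findings.append(("executed", rec["value"]))   # MUICache records a program that ran
        elif rec["kind"] == "registry":
            findings.append(("registry", f"{rec['key']} = {rec['value']}"))
        elif rec["kind"] == "mutex":
            findings.append(("mutex", rec["name"]))
        else:
            tag = "temp-drop" if "\\Local Settings\\Temp\\" in rec["path"] else "file"
            findings.append((tag, rec["path"]))
    return findings


# Excerpt of the report above (constructed test input; duplicates trimmed).
SAMPLE_REPORT = r"""
Deleted Files ::
[process 1] C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp

Stored Modified Files::
[process 1] C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp\Haveji.bat

Created Mutexes ::
[process 1] Name: Groove:PathMutex:YoNgf9TlAyd0477wzgfiTWi4XXU=
Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE
[process 1] Name: Local\ZonesCounterMutex
Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE

Created Keys ::
[process 2] \REGISTRY\MACHINE\System\CurrentControlSet\Control\TimeZoneInformation

Set Values ::
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value: Personal
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Value: ProxyBypass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value: C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp\Haveji.bat
"""
```

On the excerpt, `triage(SAMPLE_REPORT)` reduces the whole report to three findings: the Temp drop directory, the Haveji.bat inside it, and the MUICache record that the batch file ran. Treat the allowlist as a starting point; anything a real sample writes under one of those "noise" keys (a Run value, say) would not match the patterns and would still surface.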


The following text strings were found in Haveji:


6600.org
BEI_ZHU
GrayPigeon
Hacker.com.cn.exe
huaihuaitudou
Rejoice2007
woainisisi


Installation ::
-------------------


When the backdoor's file is started, it copies itself under a name similar to "Haveji.exe" into the Windows
System folder and then runs under one of the following process names to make itself look like a valid Windows program:


calc.exe
cmd.exe
mmc.exe
mspaint.exe
mstsc.exe
notepad.exe
osk.exe
sndrec.exe
sndvol32.exe
svchost.exe
winchat.exe

It also makes a number of additions to the registry.


File System Modifications by Haveji.exe ::
--------------------------------------------------------------
The following files were created on the system:


%USERPROFILE%\Application Data\MsMpEng.exe
%APPDATA%\Microsoft\16BA\7D7.exe
%USERPROFILE%\Local Settings\Application Data\giq.exe
%WINDIR%\svchost\svchost.exe
%APPDATA%\457D.exe

Note the names: MsMpEng.exe is the Microsoft antimalware engine and svchost.exe is a core Windows process, but the genuine ones never live under a user profile or in a %WINDIR%\svchost\ subfolder. The location, not the file name, is what gives these copies away.


Activity Of Haveji ::
1. It allows others to access the computer.
2. Allows recording with the user's webcam.
3. Can make the user's computer attack various servers (the kit's DDoS option).
4. Sends messages to the victim's computer.
5. Has rootkit functionality: a stealth component that hides its files and processes.
6. Logs keystrokes, steals passwords, and sends this information to remote servers.



Propagation :
------------------------------------
Haveji has no automatic mechanism to spread itself. It has to be sent by its operator via e-mail, through a website, or via instant messengers (IM) such as Yahoo, MSN, ICQ, and Skype.



Creating Haveji Variants (the Myanmar build is a repackaged copy of the Chinese kit) :
-------------------------------------
Haveji variants are created with kit software. The kit is maintained in a very professional fashion, with a highly developed user interface (UI).
[Screenshot of the kit's main UI, not reproduced here.]


Many options can be set. The "Fast Configuration" dialog enables the following defaults:


Service name is rejoice44.exe
Installation path is Msinfo…
Password is 1234
Icon is taken from MS Media Player
Uses Internet Explorer to bypass the firewall (outbound connections are made through the browser, which host firewalls typically allow)
Creates a mutex and removes the installer from the installer folder
Packs the code with UPX
Self/auto-clone protected installation path is "system32"
Executable is calc.exe


There is also a "rootkit" option. Other options include adding a URL to target in a Distributed Denial of Service (DDoS) attack. [Screenshot of the options dialog, not reproduced here.]



Registry Modifications


Creates these keys:


HKLM\System\CurrentControlSet\Services\system32
    ImagePath = C:\WINDOWS\Hacker.com.cn.exe
HKLM\System\CurrentControlSet\Services\system32\Security

This is the persistence mechanism: a service whose name ("system32") imitates a system folder and whose ImagePath points at a loose executable directly under C:\WINDOWS rather than under C:\WINDOWS\system32. Hacker.com.cn.exe is also one of the strings recovered from the sample above.
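The dropped-file list, the decoy process names in the Installation section and the "system32" service above are all things a responder can hunt for on a host or a disk image. The Python below is an added example, not code from the original post: it scores service registrations and newly created files against those indicators. The sample entries are constructed from the paths and the registry key shown on this page plus legitimate ones for contrast; the environment-variable expansions are assumed Windows XP defaults, and the list of places where a genuine copy of a system binary name may live is an assumption as well.

```python
"""Hunt for Hupigon-style persistence and dropped files.

Added example, not from the original post. Indicator lists are taken from the
names and paths on this page; ENV and SYSTEM_DIRS are assumed XP-era layouts.
"""
import ntpath
import re

# Decoy process names from the Installation section, plus the system-binary
# names reused by the dropped files (MsMpEng.exe, svchost.exe).
DECOY_NAMES = {
    "calc.exe", "cmd.exe", "mmc.exe", "mspaint.exe", "mstsc.exe", "notepad.exe",
    "osk.exe", "sndrec.exe", "sndvol32.exe", "svchost.exe", "winchat.exe", "msmpeng.exe",
}
# Binary names tied to this family on the page (kit default + service ImagePath).
KNOWN_BAD_NAMES = {"hacker.com.cn.exe", "rejoice44.exe"}
# Where a genuine copy of a DECOY_NAMES binary may live (assumption).
SYSTEM_DIRS = (r"C:\WINDOWS\system32", r"C:\Program Files\Microsoft Security Client")
# Fixed expansions for the placeholders used on the page (assumed XP layout).
ENV = {
    "%WINDIR%": r"C:\WINDOWS",
    "%USERPROFILE%": r"C:\Documents and Settings\Administrator",
    "%APPDATA%": r"C:\Documents and Settings\Administrator\Application Data",
}


def expand(path: str) -> str:
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path


def in_dir(path: str, directory: str) -> bool:
    """Case-insensitive 'path is inside directory' test for Windows paths."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def image_exe(image_path: str) -> str:
    """Executable part of a service ImagePath (quoted, or first token)."""
    s = expand(image_path).strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ")[0]        # unquoted paths with spaces are not handled


def suspicious_service(name: str, image_path: str) -> list:
    """Reasons a service registration looks like this family's persistence."""
    exe = image_exe(image_path)
    base = ntpath.basename(exe).lower()
    reasons = []
    if name.lower() in {"system32", "system", "windows", "syswow64"}:
        reasons.append("service named after a system directory")
    if base in KNOWN_BAD_NAMES:
        reasons.append(f"known family binary name {base}")
    if ntpath.dirname(exe).lower().rstrip("\\") == ENV["%WINDIR%"].lower():
        reasons.append("loose executable directly under the Windows directory")
    if in_dir(exe, ENV["%USERPROFILE%"]):
        reasons.append("service binary under a user profile")
    if base in DECOY_NAMES and not any(in_dir(exe, d) for d in SYSTEM_DIRS):
        reasons.append("Windows binary name outside a system directory")
    return reasons


def suspicious_dropped_file(path: str) -> list:
    """Reasons a newly created file matches the drop pattern on this page."""
    full = expand(path)
    base = ntpath.basename(full).lower()
    reasons = []
    if base in DECOY_NAMES and not any(in_dir(full, d) for d in SYSTEM_DIRS):
        reasons.append("Windows binary name outside a system directory")
    if base.endswith(".exe") and in_dir(full, ENV["%USERPROFILE%"]):
        reasons.append("executable dropped under the user profile")
    if re.fullmatch(r"[0-9a-f]{3,4}\.exe", base):
        reasons.append("short random hex file name")
    return reasons


# Constructed input: the page's indicators plus legitimate entries for contrast.
SERVICES = [
    ("system32", r"C:\WINDOWS\Hacker.com.cn.exe"),
    ("Dnscache", r"C:\WINDOWS\system32\svchost.exe -k NetworkService"),
    ("MsMpSvc", r'"C:\Program Files\Microsoft Security Client\MsMpEng.exe"'),
]
DROPPED = [
    r"%USERPROFILE%\Application Data\MsMpEng.exe",
    r"%APPDATA%\Microsoft\16BA\7D7.exe",
    r"%USERPROFILE%\Local Settings\Application Data\giq.exe",
    r"%WINDIR%\svchost\svchost.exe",
    r"%APPDATA%\457D.exe",
    r"%WINDIR%\system32\svchost.exe",      # the genuine one
]


def hunt(services=SERVICES, dropped=DROPPED) -> dict:
    """Map each flagged service or file to its list of reasons."""
    hits = {}
    for name, image in services:
        reasons = suspicious_service(name, image)
        if reasons:
            hits[f"service:{name}"] = reasons
    for path in dropped:
        reasons = suspicious_dropped_file(path)
        if reasons:
            hits[f"file:{path}"] = reasons
    return hits
```

`hunt()` flags the "system32" service on three counts and all five dropped files, while the real svchost.exe and the Security Essentials engine in Program Files pass clean. On a live host you would feed `suspicious_service` the Name/ImagePath pairs from `HKLM\System\CurrentControlSet\Services` and `suspicious_dropped_file` the paths from a file-system timeline.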


Prevention ::
------------------
Take the following steps to help prevent infection on your computer:


1. Enable a firewall on your computer.
2. Get the latest updates for all your installed software.
3. Use up-to-date antivirus software.
4. Limit user privileges on the computer.
5. Use caution when opening attachments and accepting file transfers.
6. Use caution when clicking on links to Web pages.
7. Protect yourself against social engineering attacks.
8. Use strong passwords.
9. Use a master password for your browser.
10. Use Microsoft Security Essentials: http://www.microsoft.com/security_essentials/


©2012, copyright BLACK BURN

6 comments:

  1. Nice post, bro,
    and you've got an awesome blog. I like it.
    :)
  2. We need to work for humanity. The patriotic people of the country must rise up against Myanmar and Indian aggression and the oppression of Muslims.
  3. You are really nice. Thanks.
  4. You are a liar.

    BlackBurn! You copied all the descriptions of the virus Backdoor Win32 hupigon from an online site (http://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml).
    And you didn't acknowledge that most of the information was courtesy of F-Secure.
    And we Myanmar can't steal Chinese code, OK?
    If you have hacking knowledge, try http://www.blinkhackergroup.org/2012/07/lies-from-script-kiddie-of-bangladesh.html, OK?
    You Muslims are fools.
    Go to hell, pig fucker, dog son!

 
