What is Win32/Hopee
Win32/Hopee.W is a trojan downloader that communicates with a remote web server in order to send information about the compromised system and download additional malware.
Win32/Hopee Modifies Firewall Settings / Evades Firewall
Win32/Hopee disables the Windows firewall so that it can download and execute arbitrary files:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = dword:00000000
Hopee also includes its executable in the Authorized Applications List in order to evade the firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<trojan executable> = "<trojan executable>:*:Enabled:DHCP Client"
Additionally, it terminates the software Outpost Firewall Pro.
Win32/Hopee Downloads and Executes Arbitrary Files
At the time of publication, Win32/Hopee.W downloads and executes the following malware from IP address 78.109.16.218:
scan.exe - CA detects this file as Win32/FakeAlert.GY
robo1.exe – CA detects this file as Win32/Sipay.M
Win32/Hopee also Steals Sensitive Information
Win32/Hopee.W connects to the locations below:
78.109.16.218
zs0.info
v9j.info
and sends the following information about the infected system:
- Windows operating system version
- Infection ID
- IP address
- Port opened by trojan
- Trojan version
Win32/Hopee Replaces Legitimate Files
Win32/Hopee.W replaces random active service files with a copy of the dropped file "<random letters>.syz". CA Anti-Virus solutions detect this file as Win32/Hopee!generic.
For example, Hopee may replace the TELNET service file, referred to in the registry entry below:
HKLM\System\CurrentControlSet\Services\TlntSvr
Technical Details of Win32/Hopee
- Full name: Win32/Hopee, Win32.Hopee, Backdoor.Win32.Dreamy.ac (Kaspersky)
- Date Appeared:
- Characteristic: Trojan Downloader
- URL:
Do I need to remove Win32/Hopee
You can search your computer manually yourself, but this is not recommended unless you are a tech-geek. To save time and effort, we recommend that you download a FREE Scanner.
How to Uninstall Win32/Hopee scam

The best way for the removal of Win32/Hopee is to install a good quality Anti-spyware Program and scan your system for any Win32/Hopee infections.
Automatic removal of Win32/Hopee is always more reliable and complete than any attempt to remove Win32/Hopee manually, which may sometimes lead to erroneous results. If you are not completely aware of all the files and registry entries used by this rogue anti-spyware, then we do not recommend that you attempt manual removal of Win32/Hopee.
Instructions to get rid of Win32/Hopee
If you really want to remove the Win32/Hopee infection on your system manually then proceed as follows.
Step 1: Kill the Win32/Hopee processes:
cssrss.exe
Step 2: Remove Win32/Hopee files, folders and all associated Win32/Hopee DLL files:
%System%\cssrss.exe
%System%\<random letters>.syz
Step 3: Uninstall Win32/Hopee registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = dword:00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<trojan executable> = "<trojan executable>:*:Enabled:DHCP Client"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service = “%System%\cssrss.exe”
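The three registry changes listed above can be checked offline against a `reg export` dump of a suspect machine. The Python script below is an added example, not part of the original write-up; the sample export, its C:\WINDOWS\system32 paths and the function names are constructed for illustration.

```python
import re

# Lower-cased key suffixes; suffix matching also covers ControlSet001 in offline hives.
FW = r"services\sharedaccess\parameters\firewallpolicy\standardprofile"
RUN = r"software\microsoft\windows\currentversion\run"

# Constructed sample in `reg export` text form (paths are illustrative).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:LocalSubNet:Enabled:Example App"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMDM PMSP Service"="C:\\WINDOWS\\system32\\cssrss.exe"
'''

def unescape(s):
    # Undo .reg string escaping: a backslash escapes the next character.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) tuples from .reg text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key and m:
            data = m.group(2)
            if data.startswith('"'):
                data = unescape(data[1:-1])
            yield key, unescape(m.group(1)), data

def hopee_indicators(text):
    """Return (indicator, detail) findings for the registry changes on this page."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(FW) and name.lower() == "enablefirewall":
            if data.lower().startswith("dword:") and int(data[6:], 16) == 0:
                hits.append(("firewall_disabled", key))
        elif k.endswith(FW + r"\authorizedapplications\list"):
            # Data is <path>:<scope>:<state>:<name>; the path has a drive colon, so split from the right.
            parts = data.rsplit(":", 3)
            if len(parts) == 4 and parts[2].lower() == "enabled" and parts[3] == "DHCP Client":
                hits.append(("firewall_exception", parts[0]))
        elif k.endswith(RUN) and (name == "WMDM PMSP Service" or data.lower().endswith(r"\cssrss.exe")):
            hits.append(("run_key", data))
    return hits
```

`reg export` writes UTF-16 text, so decode the file before passing it to `hopee_indicators`. A disabled firewall on its own is not specific to this trojan; treat it as a lead to confirm against the other two findings.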


