Topic: Please help with Win32:Hupigon-ONX [Trj] found in Windows Backup file

KA9194

  • Guest
Need some help with detection of Win32:Hupigon-ONX [Trj], please...

My PC is a 64-bit Windows 7 machine (Hewlett-Packard).   It has been running Avast Pro since it was purchased in November 2009.  I scan weekly and have never had Avast detect a virus on this machine.

I use Windows Backup to back up files/system image to my external hard drive.

I ran a scan with the simple interface (thorough scan with archive files) on my external hard drive yesterday.  This is the first time I've scanned the external drive since running Windows Backup. Avast said that the file K:\WindowsImageBackup\MyPC\Backup 2010-03-30 020022/bb813b4a-c8eb-11de-b8bc-806e6f6e6963.vhd contained Win32:Hupigon-ONX [Trj].  I could not put it in the chest because the file was too big.  I stopped the scan, ejected the external drive, and proceeded to scan my PC (thorough with archives).  My PC came up clean.

I then reconnected the external drive, deleted the Windows Backup files from it, and scanned it again.  No threats found this time.

I then ran Windows Backup to create a new backup/system image on the external drive.  Ran another Avast scan on the external drive - once again it is indicating that a .vhd file (similarly named) has Win32:Hupigon-ONX [Trj].  A MalwareBytes AntiMalware scan of my external drive comes up clean.

Another scan of my PC comes out clean, and a MalwareBytes AntiMalware scan of my PC comes up clean.

Is this a false positive? I'm not sure what to do next.  In the past I've sent you files to look at, and used Virus Total, but this file is too big.

Thanks so much for your help.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Please help with Win32:Hupigon-ONX [Trj] found in Windows Backup file
« Reply #1 on: April 07, 2010, 09:45:16 PM »
Better check out this thread

http://forum.avast.com/index.php?topic=57768.msg487336#msg487336

I couldn't make a call myself
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

KA9194

  • Guest
Re: Please help with Win32:Hupigon-ONX [Trj] found in Windows Backup file
« Reply #2 on: April 07, 2010, 10:23:42 PM »
Thanks so much for the reply, mkis. I'd already read through that thread...didn't know how pertinent some of it was since that was a Norton Ghost issue and mine is Windows Backup.  We're both making system images, though.  I find it hard to believe that I really have a virus when everything reads clean until I run the backup.

Maybe someone else will report a similar problem and Baz8755 and I can feel more confident that it really is a false positive.

I'd love to have anyone else's input...

KA9194

  • Guest
Re: Please help with Win32:Hupigon-ONX [Trj] found in Windows Backup file
« Reply #3 on: April 17, 2010, 09:11:43 PM »
Well, I tried the fix posted in the thread linked above, but it didn't work for me...still getting the same results.

areacode270

  • Guest
Re: Please help with Win32:Hupigon-ONX [Trj] found in Windows Backup file
« Reply #4 on: April 26, 2010, 09:27:24 PM »
To KA9194 - I could have posted your problem word for word.  I am having the exact same problem with my new HP 64 bit Windows 7, except I am using the free Avast.  When I go to move it to chest, it is too big.  I then delete it (successfully), only to have it show up again after a Windows back-up.  A scan immediately after I delete the file comes up clean.  I must have Windows back-up turned on automatically as the Trojan shows up about every other scan.  Each scan that finds the Hupigon is a much larger scan than the one that comes up clean, so I am assuming that a back-up has been performed automatically.  Anyway, I am thinking it is Avast.  I am going to install other programs (AVG, Norton, McAfee, etc) to see if they find anything.  What is going on here???  Surely someone at Avast can help us.  We have the exact same problem and who knows how many more out here have this problem who just aren't posting it here.

RepublicanWolf

  • Guest
I have Windows 7 64 bit backed up to Windows Home Server like everyone else with this false. The Avast WHS version keeps detecting Win32:Hupigon-ONX [Trj] and deleting the virus which corrupts all my backups for my network PCs. So annoying.

Can this false positive be fixed? It has been over a month! Otherwise I'll remove Avast.

dkmarshall

  • Guest
I am using Win 7 Pro 64 bit and I get exactly the same trojan warning as described above when I virus check my system image file that has been saved to an external drive.  Avast confirms my C drive as clean when I do a thorough virus check prior to taking a system image backup.  I can only conclude that it is a false positive.  Are Avast doing something about this?  ???

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
@ dkmarshall - hope this issue is sorted in the near future

By what you say, you are particular in making sure the backup image is good. And yet the detection, almost certainly an FP, pops up again.

The reading which accompanies it - Win32:Hupigon-ONX [Trj] - is a misnomer in your case, and most likely refers to a malware variant common to backup services. And that's pretty much it, from what I gather, nothing spectacular, but a real nuisance I bet.

If it's any consolation, at least you are not beset with the real Hupigon, which can be really nasty.
This from McAfee on the worm character, one of the Hupigon variants, and this one associated with backup services
- but it is not the same event as the detection on your computer

http://vil.nai.com/vil/content/v_142042.htm
Quote
Characteristics -

This worm attempts to spread via removable drives.

Upon execution, the Worm copies itself into the following locations:

%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\msbackup.exe
%ProgramFiles%\_msbackup.exe
%SystemDrive%\msbackup.exe

And drops the following file:
%SystemDrive%\AutoRun.inf
The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The malware then launches an Internet Explorer process and injects malicious code into it. Next, the malware may register itself as a service named "Backup_Info".

The following registry keys have been added to the system.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Backup_Info
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Backup_Info\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info\Security

When executed the malware binary creates the following service:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Backup_Info\]

ImagePath = " %ProgramFiles%\Common Files\Microsoft Shared\MSINFO\msbackup.exe"
DisplayName = "Backup_Info"
ObjectName = "LocalSystem"
Description = "Backup System Info"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup_Info\]

ImagePath ="%ProgramFiles%\Common Files\Microsoft Shared\MSINFO\msbackup.exe"
DisplayName = "Backup_Info"
ObjectName ="LocalSystem"
Description = "Backup System Info"

[Where %SystemDrive% = the drive where Windows is installed (C: will be the default on most computers), %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files]


And here follows the standard hupigon with its trademark self delete / hijack startup / carry packers
http://www.bitdefender.com/VIRUS-1000330-en--Backdoor.Hupigon.html

Again, in this case not the same event as you have on your computer.
In your case the avast scan is trying to categorize the reading of a query that has arisen in the run of the scan.
« Last Edit: July 26, 2010, 02:11:11 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.
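
The indicators listed in the McAfee description quoted above can be checked directly, which helps tell a real infection from a detection that only fires on the backup image. The following read-only check is an added example, not part of the original thread or of McAfee's write-up; the function name, its parameters and the `V:` drive letter are hypothetical, while the file paths, registry keys and service name are the ones in the quote.

```powershell
# Added example, not from the thread or McAfee. Names are hypothetical;
# the paths, keys and service name are the ones in the quoted description.
function Test-BackupInfoIndicators {
    param(
        # Windows volume to inspect: the live drive, or the letter of a mounted backup .vhd
        [string]$SystemDrive  = $env:SystemDrive,
        [string]$ProgramFiles = $env:ProgramFiles,
        # Set when inspecting a mounted image: the live registry says nothing about it
        [switch]$SkipRegistry
    )
    $hits = @()

    # Copies of the binary listed in the description
    $files = @(
        "$ProgramFiles\Common Files\Microsoft Shared\MSInfo\msbackup.exe",
        "$ProgramFiles\_msbackup.exe",
        "$SystemDrive\msbackup.exe"
    )
    foreach ($f in $files) {
        if ([System.IO.File]::Exists($f)) {
            $hits += [pscustomobject]@{ Kind = 'File'; Indicator = $f; Detail = 'present' }
        }
    }

    # AutoRun.inf in the drive root counts only if it points at the binary
    $autorun = "$SystemDrive\AutoRun.inf"
    if ([System.IO.File]::Exists($autorun) -and
        ([System.IO.File]::ReadAllText($autorun) -match 'msbackup\.exe')) {
        $hits += [pscustomobject]@{ Kind = 'Autorun'; Indicator = $autorun; Detail = 'references msbackup.exe' }
    }

    # Backup_Info service keys (live system only)
    if (-not $SkipRegistry) {
        foreach ($set in 'ControlSet001', 'CurrentControlSet') {
            $key = "HKLM:\SYSTEM\$set\Services\Backup_Info"
            if (Test-Path -LiteralPath $key) {
                $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
                $hits += [pscustomobject]@{ Kind = 'Service'; Indicator = $key; Detail = "ImagePath=$image" }
            }
        }
    }
    return $hits
}

# Live system, then a backup image mounted as V: (drive letter is an assumption)
Test-BackupInfoIndicators | Format-Table -AutoSize
Test-BackupInfoIndicators -SystemDrive 'V:' -ProgramFiles 'V:\Program Files' -SkipRegistry
```

On 64-bit Windows a 32-bit process sees `%ProgramFiles%` as `C:\Program Files (x86)`, so run the check a second time with `-ProgramFiles ${env:ProgramFiles(x86)}`. An empty result only means these specific indicators are absent.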

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Start Windows in SAFE MODE, do a full scan with avast, use ccleaner to clean cookies, registry etc.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus