MP3s detected with Win32:Hupigon-ONX [Trj]

[english teacher]

Hi,

I have made some MP3 files from a CD so that I could put it onto a mobile phone.
During the conversion I had to turn off AVAST as it kept detecting one as an infection.

Win32:Hupigon-ONX [Trj]

After more conversions another two were also flagged. They were put in to the "Virus chest" just in case. (Even if I know that they are false positives.)

I sent the files to www.virustotal.com and there only TWO AVs out of 42 or 43 found something AVAST and Gdata which was Win32:Hupigon-ONX [Trj]

Could Gdata be using a database similar (or the same) to AVAST?

From the virus chest I have right clicked the files and sent them several times (over the last few months) to AVAST. The report says that they have been sent.

Does sending files from the virus chest work? These files are still flagged as infected but the virustotal.com results haven't changed.

I have today sent two of the three files via email as the third is too big to go by email (even when zipped).

Is it possible to send the files another way (above all big files)?

Avast 6.0.1000

[DavidR]

GData uses avast as one of its two AV scanners.

Yes the sending files from the virus chest works.

How big is the file that can't be emailed ?
You should be able to send files up to 16MB using the chest, without having to change any settings in the avastUI, Settings, Virus chest.

[Pondus]

you can also send samples to Avira in a zip.file max 8mb

then you will recive a analysis result on every file inside the zip
it may take 48 hours

http://analysis.avira.com/samples/

[DavidR]

Why would he want to send to avira, when it is avast that is detecting them and not avira

Also I rather suspect that the email restriction is one of either his email program or server or ISP there is no such restriction in avast in sending emails.

[Pondus]

Why would he want to send to avira, when it is avast that is detecting them and not avira

For a manuall analysis and a second opinion since only avast detect this on the VT scan

[DavidR]

I though avira was already in virustotal so the second opinion was already there along with 41 others.

[english teacher]

Thanks for the replies so far.

About Gdata, so that's why only these two show up as false positive.

With regard to the size of the file...it's 13MB unzipped and 10MB Zipped.

I'm trying to send it via Outlook Express so I will try and send it again directly from the Yahoo website this time to see if that makes a difference.

As for Avira, thanks for the suggestion but when you send a file to virustotal.com it's already scanned by them and another 41 or 42

As for sending the file from the "Virus Chest" I asked if it works  because, as I said in the first post, I have sent it successfully different times but these files are still being flagged as infected. Now if I want to do anything with them I must turn Avast off.

[thisiscool]

my bet.. its a virus.
avast got a low false positive, but it still might be a false positive.
even 1 of 43 is disturbing - because it should say 0.
the best thing to do is to take the file into analysis, avast doesn't have any reason to detect an mp3 file if there's no reason.
btw check the software you used because it may have corrupted the mp3 file.

[DavidR]

It isn't advisable to speculate, which is why we suggest using VT for a wider check and given the low VT hits and only avast should be sent to avast for analysis.

Also the actual malware name I would say is strange for a .mp3 file. So it most certainly needs further investigation.

[Pondus]

It isn't advisable to speculate, which is why we suggest using VT for a wider check and given the low VT hits and only avast should be sent to avast for analysis.

Also the actual malware name I would say is strange for a .mp3 file. So it most certainly needs further investigation.

so you agree then, send it to Avira so they can confirm if this is malware or not 

[DavidR]

No I do not, they are already saying it isn't in the VT results along with 41 others. Sending it to Avira won't take a single step towards avast correcting it if it is an FP.

Given the current evidence based on the VT results an FP is highly likely so it should be analysed by someone that can do something about it.

[Pondus]

from avast you never get any reply, you just have to wait and see if detection is removed or not, so if it was my files i would have liked to know now...

[DavidR]

But knowing doesn't make any difference, getting it acknowledged by avira (just conforms the VT results) doesn't get the detection corrected by avast.

[english teacher]

Hi all,
First let me say thank you to everybody who has answered so far.
I have remade the MP3s again with a different converter. Same problem, just those three.
Even though I have reported these obviously FPs (I sent them to one AV company once and they confirmed that there was nothing in them.) many times over the last few months but AVAST still detects them. Why?

I have found this in these forums as well about a strange code found in different formats. This is the link http://forum.avast.com/index.php?topic=57768.0 It's the 7th down. Also reading about this "Hupigon" thing...it seems that many people are reporting many FPs with it.

Hello,
all files detected as "Win32:Hupigon-ONX [Trj]" that comes to us as false positive are .pdf, .jpg, .css, .mp3, etc. which have pasted some code with signs of digital signature which is weird.

Milos

[DavidR]

You're welcome.

This is why I said I found it strange that this malware name was given on the .mp3 file. Though I couldn't remember that particular post by Milos of the avast virus labs.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.