Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: gcook on May 12, 2010, 12:13:03 PM

Title: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: gcook on May 12, 2010, 12:13:03 PM
I am using a MacOS 10.5.8 with Avast 2.74r0 and I got an alert yesterday saying I have a Windows Hupigon-ONX Trojan in my vmware files (see log at end of this post) but also in my Mac Cookies and something called the internetconfigpriv.plist. The VM itself is Windows XP and is protected by McAfee which is up to date and not reporting anything.

I googled and found this on the vmware site which suggests it is a false positive http://communities.vmware.com/thread/266004;jsessionid=D8026D4DCBDF3F410B525BC7005251FB?tstart=0

I have also been advised that I shouldn't really have Avast scanning the vmdk files in any case, however I can't find any way to disable scanning of this file type or a specific folder. Can someone help please?

This is the logfile from Avast Mac edition

11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s001.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s008.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Library/Preferences/com.apple.internetconfigpriv.plist   Win32:Agent-IZJ [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s004.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s008.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s005.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s004.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s019.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s002.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s019.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s017.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s007.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s003.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s014.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s001.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Library/Cookies/Cookies.plist   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s011.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s001.vmdk   Win32:Hupigon-ONX [Trj]
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 12, 2010, 03:09:40 PM
It is probably a false positive. There's only a minor chance that it's real malware, hidden in the Windows filesystem and visible this way only.

But anyway, you might locate the sequence: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75
inside that file, to get a clue where it comes from.

This is not only a Mac-specific problem, and probably the signature will be altered, because it's found in many images quite often.

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: gcook on May 12, 2010, 05:13:58 PM
Thanks Zilog. Is there a way to stop Avast scanning my vmdk files?
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 13, 2010, 07:35:26 PM
Hallo,
yes, in the forthcoming 3.08 you can use exclusion-mask for them (based on the suffix), or, you can turn off the option "scan full files", if this is why it scans through the whole image (in Preferences).

Or, wait for VPS fix/update, this Hupigon-ONX flaw isn't Mac-related only..

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 14, 2010, 04:52:32 PM
Hallo, try to use some disk-wiper (tool that zeroes all unused sectors on the filesystem, where some infection, although already deleted, might survive as raw-data, making your image/backups seemingly infected). I think it would be useful for avast too, as a feature, for those cases.

Please, let me know whether this helped to make the image clean again.

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 15, 2010, 12:16:27 AM
I am running Avast2.74R0 and I am getting the following

"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000001.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000002.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000003.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition.vmdk"

both on my MAC scan as well as my Virtual Windows machine. From the readings I get that this is a false positive. I have defragged both my MAC as well as my Virtual machine. I am concerned since I don’t want to have to reload XP in a new Virtual machine, since I don’t have all the sources for all my applications.

Is there anything else I can do to verify I have a FP. ???
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 16, 2010, 02:25:07 PM
Another method (which doesn't need any disk-zeroing or disk-wiper tool) is to create some very huge file, until all the disk space in the virtual machine is exhausted. Then, just delete the file (and all free sectors with its data should be overwritten/wiped this way). You can create some directory, and using copy /b somebigfile + somebigfile somebigfile2 and then copy /b somebigfile2 + somebigfile2 somebigfile you can generate a file which is getting bigger and bigger... then, just delete this "diskspace-greedy" directory :)

pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 16, 2010, 07:59:00 PM
I am not as conversant in all this, what I see you saying is that the issue is do to space issues - not a corrupt XP Home Edition file and by using up all my extra space and then deleting the space, I will get rid of the problem.  Can you explain a little more on why this process will work and exactly what the issue is that is creating the FP.  Thanks for your patience..  ???  Mike
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 16, 2010, 08:51:33 PM
The mechanism is quite straightforward - when you delete malware found in your system - either using antivirus, or antispyware, or manually - usually the raw data remains in the freed sectors, and when you scan all sectors (the case of virtual image scanning - those *.vmdk, *.img and others), it's often reported as an infected file.

So, it's all about how to get rid of that residual data in orphaned sectors.

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 16, 2010, 11:54:16 PM
What I don’t understand it that I did not find any malware on my virtual PC, Avast found that my XP Home Editions is infected with the win32.hupigon-ONX [trj] virus, if I remove it, I have to reinstall my Virtual Machines XP OS.  So from what you just said doing the exercise of building a file to take up the rest of the free space will not work for me.  Is there some way to determine if I really am infected or have a FP like others said about this situation. 
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 17, 2010, 01:39:19 AM
It will work for you.
A scan on your virtual disk scans files, not each particular sector on your hdd. On the other hand, from MacOS the virtual disk looks like a big file, and is scanned entirely.

That's why you see the infection from outside, and not when scanning in the virtual machine. You need to get rid of the unused sectors where the infection survived, and that's the hint with that big file.

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 17, 2010, 04:07:36 PM
I have scanned my virtual drive, it show the say files as being infected, not any other file on my virtual drive.  That is what is bothering me since when I did scan the virtual drive when I was in it, I deleted the files that were infected and then when I closed it down and tried to get back in it said it could not find my virtual PC file.  So it seem as if the infection is in the who virtual machine, am I correct here.  The question I have is why is the whole Virtual image of my XP home edition infected?  And I assume that means I have to delete it and rebuild a new one from scratch.... Hope not. - Thanks for you help - Mike
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 18, 2010, 12:53:24 AM
As was said before - remove the infection from inside (when being under the virtual machine, using stock win32 free avast). To kill all the orphaned sectors which might carry the infected residual data, grow one big file and delete it when all the space on the virtual drive is exhausted. This way you can be pretty sure it won't be externally detected as infected anymore.

there's no need to start from scratch.

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 18, 2010, 03:40:12 PM
When I loaded my Virtual Machine and loaded my Windows XP,  I tried scanned with my Avast Pro edition version 4.8 (that is what show as the version when I click about Avast) I get only that the XP Home Editions are contaminated (initial version and FP 1, 2 and 3).  If I remove them, I will have essentially deleted my Windows Operating System.  So I am a little confused, sorry for my lack of understanding. 

I do not get that anything else is corrupted with the Win32-hupigon-ONX [trj] malware. 

Is there some other Avast scanner I should be using?  I thought I had followed your instructions earlier, but I guess I am missing something.
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 21, 2010, 04:01:19 AM
I did what was requested, I opened my virtual machine, did a scan and found that the following files were infected with the Win32-hupigon-ONX [trj]

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I then made a directory in my C:/ drive and then created a file and copied it until I had only 1 MB left on my virtual machine. I then deleted the directory and then restarted my machine.

I then scanned again and found the following files infected with the same virus:

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I am at a loss for what to do now. Any suggestions?
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 27, 2010, 11:17:10 AM
Hallo,
I'm confused a bit - how can you see the *.vmdk files (those images for your virtual machines) when you are INSIDE the virtualised machine? Then, you should see their content, instead of the image file.

You must start the virtual machine, and populate the particular *.vmdk from there. Or, do you have some other-filesystem sharing, so that you can see files from the outer system?

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 27, 2010, 04:11:57 PM
I have deleted the .vmdk file from my MAC, I can restore it via timemachine, not knowing if I have a problem or not, I decided to delete it until I have this issue resolved.

All my scans within the Virtual machine are done as “thorough scans”. Settings are for all directories...
 
When I am in the virtual machine and scanning, I scan all files including those that are shared between my MAC and the Virtual PC, the shared documents are in a directory on my MAC called “documents” and in there is a subdirectory called virtual machines which contains the .vmdk file.  So that is how the scan of them is being done. 

I have some further information;

I did a couple of other things to see if I have a virus or not and I am more confused now. Here is what I did

I downloaded Spybot like was suggested on the forum, I ran Spybot and only found tracking cookies - deleted them

I then set up Avast to do scan when I booted my XP on my virtual machine, here is the log which shows NO INFECTION at all

01/21/2009 15:45
Scan of all local drives

Number of searched folders: 787
Number of tested files: 10348
Number of infected files: 0

----------------------------------------
01/25/2009 10:52
Scan of C:\Documents and Settings\Owner\My Documents

Number of searched folders: 3
Number of tested files: 5
Number of infected files: 0

----------------------------------------
05/22/2010 12:48
Scan of C:\Documents and Settings\Owner\My Documents

Scan of Z:\

Scan of C:\Documents and Settings\All Users\Documents

Number of searched folders: 21
Number of tested files: 56
Number of infected files: 0

----------------------------------------
05/22/2010 17:12
Scan of C:\Documents and Settings\Owner\My Documents

Scan of Z:\

Scan of C:\Documents and Settings\All Users\Documents

Number of searched folders: 21
Number of tested files: 58
Number of infected files: 0

----------------------------------------
05/22/2010 17:16
Scan of Z:\

Scan of C:\

Number of searched folders: 3481
Number of tested files: 46637
Number of infected files: 0


I then closed XP and then VMFusion and did a scan from the MAC side and got the following

XP home Edition   Package 4 items, 0 Warnings, 4 Viruses

  XP Home Edition-000001.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000002.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000003.vmdk      Win3:Agent-COH [trj]
  XP Home Edition-vmdk                  Win3:Hupigon-ONX [Trj]

I then opened up VMFusion, started the Virtual Machine without a scan and then scanned the virtual machine as I have done before and got the same results:

  XP Home Edition-000001.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000002.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000003.vmdk      Win3:Agent-COH [trj]
  XP Home Edition-vmdk                  Win3:Hupigon-ONX [Trj]

Now which one do I believe?  Do I have an infection virtual PC or not?

Additional information:

I have a MACBookPro running OS 10.6.4 and I am running VMFusion version 3.0.2  I have Avast HomePro version 2.7.4 on my MAC and version  4.8 on my virtual PC. 

Mike
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 28, 2010, 10:10:38 PM
hallo,
It's really strange a bit, but I have an explanation - it might be some part of the swapfile or hibernation file. When shutting the system down, it was stored into swap, and thus detectable later, surviving also when you started your VM again.

I posted the string that's used for detection, so you can have a look using some hex editor with hex-string scan ability to locate it inside that vmdk to get a clue where it does belong (or you can boot a live Linux with that vmdk as a second harddrive and do hexedit over /dev/hdxxx).

but probably it's NOT infected, as it seems.
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on May 29, 2010, 05:23:44 PM
I am not very computer savvy, so this might be a stupid question - I assume you would use the hex editor from the Mac side to scan the .vmdk without it running on VMFusion - right? I do not have Linux so cannot do your last suggestion, so I have to go with the first suggestion. I will try later this weekend and get back to you. I assume this is the hex sequence you want me to locate:

sequence: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75 inside that file, to get a clue where it comes from.

Any suggestion on a hex editor to use to scan my .vmdk file?

I do appreciate all the help so far... Mike
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on May 31, 2010, 12:47:51 PM
Hallo,
for me, the terminal "hexedit" is the most useful one, but you might probably prefer some GUI-endowed one, so maybe this one?
http://mac.softpedia.com/get/Developer-Tools/HexEditor.shtml

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on June 04, 2010, 03:38:44 PM
PC

I got HexEditor and tried to open the file “XP Home Edition”, cannot see the infected files “....000001.vmdk, etc”, HexEditor could not open it, I presume since it wants the actual file inside “XP Home Edition”. So since I really am flying blind, how do I get to these files from my MAC or do I have to open up my virtual machine to see them......?
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on June 05, 2010, 01:10:47 PM
open the image file (*.vmdk) in the hexeditor, and try to locate the mentioned string.

seems you're heavily mixing emulations and filesystems together, accessing native files from native filesystem from inside virtual machine, and vice versa...
regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on June 05, 2010, 10:04:24 PM
I tried what you said, I opened HexEditor (MAC version) and tried to open *.vmdk and was told HexEditor could not open it. ......I feel like I am beating my head against a brick wall...
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on June 07, 2010, 11:23:49 AM
don't worry,
As I said, it's probably no infection. The only question is, why is this case encountered here and there - but it's necessary to locate the signature then.
There's also the "hexedit" GNU app - no GUI, but far better functionality (as usual).

regards,
pc
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: gcook on July 04, 2010, 12:50:07 PM
I started this thread off so thought useful to comment again on this.

Basically I am still in exactly the same situation as I was 2 months ago :(. I am still getting the messages (over 30 this morning while it's doing a scan) saying that I have the Win32:Hupigon-ONX [Trj] infection in all the .vmdk files of a particular VM. I have never actually had this infection inside the VM and it has had (company enforced) McAfee protection during this time and IT checked additionally just in case. So I don't think Zilog's comments about this being the leftovers from an attack inside the VM would apply.

I think as Zilog originally said it is a false positive caused by the Avast looking into the vmdk file as a regular mac file and finding a match by coincidence.

I am very disappointed by Avast because there has been no fix to this after two months. Zilog implied that this could be solved by an update to the virus database. I am not exactly sure whether Zilog works for Avast or is just a volunteer. Either way would be much appreciated if Zilog could use whatever contacts/influence he has to ask for a prompt fix from Avast. It is extremely embarrassing when Avast brings up this message in a meeting when I am sharing my screen. I am going to have to abandon Avast and buy something else which would be a shame as I have used it for a couple of years quite happily before this on my Mac and also use it on several home PC's.
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on July 04, 2010, 05:24:52 PM
 ???  I basically was the same as you, I could not find it or get rid of it. So I just bit the bullet, deleted my Windows XP virtual machine from my MAC and started over. I now will NOT be open to the internet when I am using Windows, I don’t have to and so I won’t, and will live with the versions of my applications as they are.  :'(
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: regmikewall on July 04, 2010, 06:32:51 PM
 ??? >:( To recap - I had the win32-hupigon-ONX [trj] on all my virtual .vmdk files. I finally just deleted them from my MAC and did a scan, the virus was gone. I then reinstalled my virtual machine and I have NOT connected to the internet for any reason while using my virtual machine.

I just did a scan of my MAC and found that I now have the "win32-hupigon-opb [trj]" virus, I have not been connected to the internet when using my virtual machine, so I don't know how I got this? Why is AVAST finding this and what are they going to do about this issue.

Need some answers..... >:(
Title: Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
Post by: zilog on July 07, 2010, 02:31:19 PM
Hallo,
to put it simply - somewhere in the file must be this sequence of bytes: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75

I assume that when scanning this drive from the virtual machine itself (using avast for windows), nothing will be found. Thus, it must be inside some abandoned sectors, or in some file that isn't normally scanned (pagefile.sys). If you need an exact answer, please, locate this sequence.

Probably, this is interfering with some system thing, and we should consider altering the detecting algo a bit for this case - but, please, give us more information. Virtual files of mine (VMWare/Qemu) seem to be clean, so it's something more specific.

regards,
pc
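The advice repeated through this thread (zilog's first reply and the post just above) is to locate the 32-byte sequence inside the .vmdk from the Mac side, since the host scanner sees the whole image file rather than the guest's files. The script below is an added example, not part of the thread or of Avast: it streams a large image through a fixed-size buffer and reports every offset of that sequence, handling a match that straddles two read chunks. Only the byte sequence is taken from the thread; the sample image it builds for its self-check is constructed, and the sector mapping is only meaningful for a flat extent, not a sparse or split (-s001.vmdk) one.

```python
"""Streaming search for the posted detection sequence inside a disk image."""
import os
import tempfile

# The sequence zilog posted as the one matched by the Win32:Hupigon-ONX detection.
# bytes.fromhex() skips the whitespace (Python 3.7+), so it is copied verbatim.
HUPIGON_ONX_SEQ = bytes.fromhex(
    "22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  "
    "A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75"
)


def find_sequence(path, needle=HUPIGON_ONX_SEQ, chunk_size=4 * 1024 * 1024):
    """Return the ascending list of file offsets at which `needle` occurs.

    The file is read in `chunk_size` pieces; the last len(needle)-1 bytes of
    the previous piece are kept as overlap so a match across a chunk boundary
    is found exactly once and a multi-GB image never has to fit in memory.
    """
    if not needle:
        raise ValueError("needle must not be empty")
    offsets = []
    overlap = len(needle) - 1
    tail = b""   # bytes carried over from the previous chunk
    base = 0     # file offset of tail[0] (== offset of buf[0] below)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            start = 0
            while True:
                i = buf.find(needle, start)
                if i < 0:
                    break
                offsets.append(base + i)
                start = i + 1
            if len(buf) > overlap:
                tail = buf[-overlap:] if overlap else b""
                base += len(buf) - len(tail)
            else:
                tail = buf  # buffer still shorter than the overlap; keep it all
    return offsets


def describe(offsets, sector_size=512):
    """Map file offsets to (offset, sector, byte-in-sector) within the image file.

    Caveat: for a flat, preallocated extent the sector equals the guest disk
    sector; for a sparse or split extent it is only a position inside that
    extent file, because grains are stored with headers and out of order.
    """
    return [(off, off // sector_size, off % sector_size) for off in offsets]


def build_sample_image(path, chunk_size):
    """Write a constructed image (NOT a real VMDK) for the self-check: non-matching
    filler with the sequence placed once at 3000 and once straddling the first
    chunk boundary. Returns the sorted offsets that a correct search must find."""
    length = max(10240, chunk_size + 1024)
    filler = (bytes(range(256)) * (length // 256 + 1))[:length]  # never contains 22 A9
    data = bytearray(filler)
    positions = sorted([3000, chunk_size - 10])
    for p in positions:
        data[p:p + len(HUPIGON_ONX_SEQ)] = HUPIGON_ONX_SEQ
    with open(path, "wb") as f:
        f.write(data)
    return positions


def demo(chunk_size=4096):
    """Build the constructed image in a temp dir, search it with a deliberately
    small chunk size, and return (expected_offsets, found_offsets)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "constructed-sample.vmdk")
        expected = build_sample_image(img, chunk_size)
        found = find_sequence(img, chunk_size=chunk_size)
        return expected, found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: python find_seq.py /path/to/image.vmdk
        hits = find_sequence(sys.argv[1])
        for off, sector, within in describe(hits):
            print(f"match at offset {off:#x} (sector {sector}, byte {within} in sector)")
        print(f"{len(hits)} match(es)")
    else:
        expected, found = demo()
        print("constructed image: expected", expected, "found", found)
```

A hit inside a split extent still needs the VMware tooling (or a flat copy of the disk) to tell whether it lies in a live file, the pagefile, or a freed sector, which is the distinction zilog's posts turn on.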