Author Topic: Mozy detected as Mnemonix Worm  (Read 5330 times)


rangoon_fr

  • Guest
Mozy detected as Mnemonix Worm
« on: August 26, 2006, 01:32:53 AM »
Hello All,

I've been using Mozy (http://www.mozy.com/) since the middle of July, and since today (I just came back from holidays) one of its temporary files is considered to be the Mnemonix Worm (see screenshot attached) ???

Here is a log from avast:
warning.log
Quote
11/08/2006   21:18:08   1155323888   SYSTEM   376   Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy86.2" file. 
13/08/2006   21:48:36   1155498516   SYSTEM   960   Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy87.2" file. 
15/08/2006   01:37:26   1155598646   SYSTEM   680   Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy88.2" file. 
25/08/2006   19:51:36   1156528296   SYSTEM   356   Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy459.2" file. 
25/08/2006   21:37:35   1156534655   SYSTEM   356   Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy598.2" file. 
25/08/2006   23:59:25   1156543165   SYSTEM   356   Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy638.2" file. 

notice.log
Quote
12/08/2006   15:21:14   1155388874   SYSTEM   376   The program was automatically updated. 
14/08/2006   15:51:16   1155563476   SYSTEM   960   The virus database (VPS 0633-0) was automatically updated. 
15/08/2006   15:39:36   1155649176   SYSTEM   680   The virus database (VPS 0633-1) was automatically updated. 
16/08/2006   15:45:53   1155735953   SYSTEM   680   The virus database (VPS 0633-2) was automatically updated. 
17/08/2006   15:57:44   1155823064   SYSTEM   680   The virus database (VPS 0633-3) was automatically updated. 
18/08/2006   16:08:15   1155910095   SYSTEM   680   The virus database (VPS 0633-4) was automatically updated. 
25/08/2006   17:38:14   1156520294   SYSTEM   356   The virus database (VPS 0634-2) was automatically updated. 

Any idea?

I'm about to run a complete scan on reboot, I'll let you know about it,

Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Mozy detected as Mnemonix Worm
« Reply #1 on: August 26, 2006, 01:47:04 AM »
Obviously these signatures have been added to the VPS during your holiday and on update detected the above files.

That is some weird location for Temp files. The usual system Temp folder is c:\windows\temp; what are these mozy86.2, mozy87.2, etc. for?

If they are truly temp files then perhaps they can be moved/deleted?

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner, or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

Let us know what is found.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rangoon_fr

  • Guest
Re: Mozy detected as Mnemonix Worm
« Reply #2 on: August 28, 2006, 11:01:42 AM »
Hello DavidR,

Thanks for the answer.
Now my home ADSL connection is down; I'll use your link when it comes back.

I'll keep you all updated :-)

Ran

drew64

  • Guest
Re: Mozy detected as Mnemonix Worm
« Reply #3 on: November 17, 2006, 08:19:24 PM »
I am having the same issue; it seems Avast is misidentifying an encrypted file as a virus. Here is what Mozy has to say about it:

Code: MozyClientError11

Problem:
One of the mozyx.x files in the Windows %TEMP% folder got deleted or is otherwise inaccessible to mozy. This can sometimes be caused by anti-virus detecting and quarantining a file in the seemingly random bytes that make up the Reed-Solomon encoded, Blowfish encrypted files that mozy creates before sending them to our servers. This can also occur if the %TEMP% folder gets inadvertently cleared while a backup is in progress.

Solution:
We're currently working with anti-virus vendors to prevent this issue. We'll release an update as soon as we can. In the meantime, you can try the backup again, and it may work, or you can try pausing or disabling your anti-virus software while the backup is in progress.

Offline DavidR

Re: Mozy detected as Mnemonix Worm
« Reply #4 on: November 17, 2006, 09:07:49 PM »
Confirm it is a false positive as mentioned above; if so, send the sample to virus@avast.com, zipped and password protected, with the password in the email body and false positive/undetected malware in the subject.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions. If the file doesn't have a fixed file name, you can exclude them like this: path\mozy*.* which would exclude all files beginning with mozy and any file type, like the mozy82.2 example above. Even then the path might be long and could be further shortened to c:\windows\system32\*\mozy*.* if your folder location is anything like the one above.

Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

drew64

  • Guest
Re: Mozy detected as Mnemonix Worm
« Reply #5 on: November 17, 2006, 10:18:15 PM »
VirusTotal Results:

Code:
File "mozy38617.6" received on 11.17.2006 at 22:13:58 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.

Antivirus       Version          Update       Result
AntiVir         7.2.0.39         11.17.2006   no virus found
Authentium      4.93.8           11.17.2006   no virus found
Avast           4.7.892.0        11.15.2006   Mnemonix family
AVG             386              11.17.2006   no virus found
BitDefender     7.2              11.17.2006   no virus found
CAT-QuickHeal   8.00             11.17.2006   no virus found
ClamAV          devel-20060426   11.17.2006   no virus found
DrWeb           4.33             11.17.2006   no virus found

Aditional Information
File size: 1781 bytes
MD5: 796694ef5afd02c2112f52c9da9ce762
SHA1: aba7cc808bfe95cda3d153cd3bacd6020371e950

I emailed the zipped files (it has done it six different times) to Avast per the instructions from DavidR. I also added that directory to my exclusions list. Hopefully Avast can fix the problem from their end.

Offline DavidR

Re: Mozy detected as Mnemonix Worm
« Reply #6 on: November 17, 2006, 11:29:43 PM »
I would suggest you are a little more selective with the exclusions (using the file wildcard example I gave) than simply adding the directory as that would leave that directory vulnerable.

drew64

  • Guest
Re: Mozy detected as Mnemonix Worm
« Reply #7 on: November 18, 2006, 12:20:56 AM »
The thing is the only files that are created in that folder are temporary ones in that format mozy*.* , the program temporarily stores the encrypted file before uploading to the server. But I guess you are right, might as well specify the file name.

drew64

  • Guest
Re: Mozy detected as Mnemonix Worm
« Reply #8 on: November 18, 2006, 12:33:09 AM »
This sounds like a dumb question but what exclusion path should I use:

C:\DOCUME~1\MOZYBA~1\LOCALS~1\Temp\mozy*.*

or

C:\Documents and Settings\Mozy Backup Service\Local Settings\Temp\mozy*.*

I only ask because Avast shows locations like the first example, but windows shows the whole name like in the second example. Which format of path does Avast want?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Mozy detected as Mnemonix Worm
« Reply #9 on: November 18, 2006, 12:46:58 AM »
Quote
This sounds like a dumb question but what exclusion path should I use

It's not a dumb question...
You could use both; better, you should use both. The string is checked as text, so both short and long paths could be used.
The best things in life are free.

Offline DavidR

Re: Mozy detected as Mnemonix Worm
« Reply #10 on: November 18, 2006, 01:24:59 AM »
Quote
This sounds like a dumb question but what exclusion path should I use:

C:\DOCUME~1\MOZYBA~1\LOCALS~1\Temp\mozy*.*

or

C:\Documents and Settings\Mozy Backup Service\Local Settings\Temp\mozy*.*

I only ask because Avast shows locations like the first example, but windows shows the whole name like in the second example. Which format of path does Avast want?

As Tech mentioned, either notation should work in avast's exclusions. If you have to type them, then something shorter would be better, less chance of a typo:
C:\DOCUME~1\MOZYBA~1\*\mozy*.* or C:\Documents and Settings\Mozy Backup Service\*\mozy*.*

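Added example (not written by any poster and not avast's own code): a comparison of how far each exclusion style discussed in this thread reaches. It assumes exclusions are compared as case-insensitive text with `*` able to span folder separators, as the `c:\windows\system32\*\mozy*.*` suggestion implies; the `setup.exe` and `mozyupdate.exe` paths are constructed samples.

```python
import fnmatch

SHORT = r"C:\DOCUME~1\MOZYBA~1\LOCALS~1\Temp"
LONG = r"C:\Documents and Settings\Mozy Backup Service\Local Settings\Temp"

# Constructed sample paths: the Mozy temp file in both notations, an
# unrelated executable in the same Temp folder, and a mozy-named file
# that sits outside Temp.
SAMPLES = [
    SHORT + r"\mozy38617.6",
    LONG + r"\mozy38617.6",
    SHORT + r"\setup.exe",
    LONG + r"\setup.exe",
    r"C:\DOCUME~1\MOZYBA~1\Desktop\mozyupdate.exe",
]

RULESETS = {
    "whole directory": [SHORT + r"\*", LONG + r"\*"],
    "long name only": [LONG + r"\mozy*.*"],
    "both notations": [SHORT + r"\mozy*.*", LONG + r"\mozy*.*"],
    "shortened": [
        r"C:\DOCUME~1\MOZYBA~1\*\mozy*.*",
        r"C:\Documents and Settings\Mozy Backup Service\*\mozy*.*",
    ],
}


def excluded(path, patterns):
    """True if the path text matches any pattern (assumed semantics)."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in patterns)


def audit(patterns, samples=SAMPLES):
    """Split the samples into (excluded from scanning, still scanned)."""
    skipped = [s for s in samples if excluded(s, patterns)]
    scanned = [s for s in samples if not excluded(s, patterns)]
    return skipped, scanned


if __name__ == "__main__":
    for name, patterns in RULESETS.items():
        skipped, scanned = audit(patterns)
        print(f"{name}: {len(skipped)} excluded, {len(scanned)} still scanned")
        for s in skipped:
            print("    excluded:", s)
```

Under these assumptions the Temp-scoped `mozy*.*` pair in both notations is the narrowest set that still covers the backup files; the directory exclusion also hides `setup.exe`, and the shortened wildcard also hides the mozy-named file outside Temp.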

drew64

  • Guest
Re: Mozy detected as Mnemonix Worm
« Reply #11 on: November 18, 2006, 01:32:00 AM »
I just cut and pasted both of them. Thanks for the help!

Offline DavidR

Re: Mozy detected as Mnemonix Worm
« Reply #12 on: November 18, 2006, 02:05:38 AM »
No problem, glad we could help.