Author Topic: Win32:Hupigon-ONX [Trj]  (Read 68614 times)


Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Hupigon-ONX [Trj]
« Reply #15 on: March 30, 2010, 11:29:23 AM »
The file is 2GB in size, so not really easy to email.

I am getting really confused now, as my scan log clearly shows that I did a full system scan at 11:48 on 28/03/2010 and it was all clear.

I then took my monthly Ghost image of my C: drive straight after and placed it on the D: drive. The D: drive already contained a couple of previous ghost images which would have been scanned as clean.

This morning using VPS file 100329-1, 29/03/2010 the scans are reporting all the ghost images as infected with "Win32:Hupigon-ONX [Trj]" virus.

The Virus database history shows that this definition was included in VPS 100311-1, 11/3/2010.

However here's the twist, I just fired up a virtual PC that has not updated since VPS 100313-2, 13/3/2010 and scanned one of the infected files and it also finds the virus.

So either this virus has somehow managed to creep past Avast in the past 24 hours and infect several Norton Ghost .GHS files, or something weird is going on with the detection of this virus.


Hello,
thank you for sending the file.
The malware could have been there before VPS 100311-1, 11/3/2010, but the file was not accessed, so it wasn't scanned.
If the malware was removed by avast!, there still physically exist clusters with data containing the malware signature, and these are backed up by Ghost. So if avast! doesn't report any malware on the drive, you can overwrite the whole unused space on the drive with some data to overwrite the malware signatures, and then the new images created by Ghost should also be clean.

Milos

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Win32:Hupigon-ONX [Trj]
« Reply #16 on: March 30, 2010, 11:42:26 AM »
Milos, does it help to determine the cause?
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Milos

Re: Win32:Hupigon-ONX [Trj]
« Reply #17 on: March 30, 2010, 11:52:36 AM »
Quote
Milos, does it help to determine the cause?
What do you mean by the word "it"?

Milos

Offline Zyndstoff (aka Steven Gail)

Re: Win32:Hupigon-ONX [Trj]
« Reply #18 on: March 30, 2010, 11:59:33 AM »
It = the uploaded file.
Does it help you to determine if it is a FP or an infection?

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #19 on: March 30, 2010, 12:16:02 PM »
I still doubt it's an infection, as I have now seen this warning on Ghost files on 3 independent machines.

Machine 1 : My main machine
This was the one that 1st alerted me to the issue and it is regularly full scanned once a month prior to ghosting.
This machine found infections in 6 Ghost image files dating back to December last year.
This machine did find a virus in the internet cache about a month ago.
Until a month or 2 ago has been running CA Antivirus.
Now uses Zonealarm and Avast.

Machine 2: Wife's PC
Again regularly scanned, light user. Only ghosted a month or 2 ago.
This machine has never reported any infections.
Until a month or 2 ago has been running CA Antivirus.
Now uses Zonealarm and Avast.

Machine 3: Sandpit PC
Minimal build, literally clean install up to XP Pro SP3.
Used as test bed and always restored back to clean fully patched ghost image (the image supplied).
This machine is the least likely to ever show any history of infection, as it is always restored from image after use.
This machine has never reported any infections.
Until a month or 2 ago has been running AVG Antivirus.
Now uses Zonealarm and Avast.


As the Ghosts are taken from machines that are all scanning clean, how can there be any viruses in the Ghost images?
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Milos

Re: Win32:Hupigon-ONX [Trj]
« Reply #20 on: March 30, 2010, 12:40:20 PM »
Quote
It = the uploaded file.
Does it help you to determine if it is a FP or an infection?
Hello,
this looks like the damaged files that have already arrived, but in this case 17x in one file.

Milos

Offline Zyndstoff (aka Steven Gail)

Re: Win32:Hupigon-ONX [Trj]
« Reply #21 on: March 30, 2010, 12:47:39 PM »
I do not understand that post...
What is 17 times in that file?

Offline Milos

Re: Win32:Hupigon-ONX [Trj]
« Reply #22 on: March 30, 2010, 12:48:12 PM »
Quote
As the Ghosts are taken from machines that are all scanning clean, how can there be any viruses in the Ghost images?

Hello,
Even if the malware was removed, there still physically exist clusters on the partition that are not linked to any existing file but to the deleted files, with data containing the malware signature, and these are backed up by Ghost.

Milos

Offline Milos

Re: Win32:Hupigon-ONX [Trj]
« Reply #23 on: March 30, 2010, 12:49:50 PM »
Quote
I do not understand that post...
What is 17 times in that file?

17 same malware signatures.

Milos

Offline Baz8755

Re: Win32:Hupigon-ONX [Trj]
« Reply #24 on: March 30, 2010, 01:26:24 PM »
But as I have already said, to remove the infection, first of all something must have found it. This virus has never been found on any machine ever, so how can it have been removed?

Also I have just done another full scan of my machine and it shows clean, including the so-called infected .GHS files. However, an on-demand scan of the file still flags it as infected.

So I am still confused:
1) Have any of the machines ever been infected? If so, how come nothing was ever reported?
2) Are any of the machines still infected?
3) How come a full system scan says clean but an on-demand file scan says not?
4) If, as you say, there are still clusters with a signature in them, how can I remove these clusters?
5) Could these 17 signatures be the ones held within Avast by any chance (i.e. it's finding its own definitions)?
6) What does Win32:Hupigon-ONX actually do?

Also I have just been reading about Norton Ghost 2003 (which is what I used) and, as far as I can tell, it does not copy unused clusters. Something I suspect to be true, as watching what it copies and the resultant image size would seem to suggest. Add to that the fact that the image files are compressed, so any virus signatures will probably be scrambled.
« Last Edit: March 30, 2010, 03:05:23 PM by Baz8755 »

Offline Milos

Re: Win32:Hupigon-ONX [Trj]
« Reply #25 on: March 30, 2010, 03:58:31 PM »
Hello,
1) maybe avast! didn't have the detection when the infection came
2) I don't know -- run the scan -- all extensions, packers, ...
3) It depends what is scanned in "full system scan" -- extensions, packers, ...
4) I mentioned that:
Quote
... you can overwrite the whole unused space on the drive with some data to overwrite the malware signatures ...
5) Only if it is some memory dump, but I think that the signatures are encrypted in memory too. When I saw the malware signatures in the submitted files, it was not avast!'s own definitions.
6) I don't know, maybe the author of the detection.

Milos
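Added illustration for the two mechanisms argued over in this thread (Milos's point that clusters of a deleted file keep their bytes and land in a sector-level backup, and Baz's point that a compressed image "scrambles" any signature and that a file-aware imager skips unused clusters). This is an added example, not code from the thread, from avast! or from Norton Ghost: the block device, the allocation table, the "image" format and the marker string are all constructed here, and the marker is a harmless label, not a real Hupigon pattern.

```python
"""Toy model of why a deleted file's bytes can survive into a disk image.

Added example, not code from the forum thread, avast! or Norton Ghost.
BLOCK, NBLOCKS, MARKER and the ToyDisk layout are assumptions made up
for this demonstration; MARKER is a constructed harmless string.
"""
import zlib

BLOCK = 512                                   # toy cluster size (assumption)
NBLOCKS = 64                                  # toy device size (assumption)
MARKER = b"TOY-SIGNATURE-MARKER-NOT-MALWARE"  # constructed, benign


class ToyDisk:
    """A flat byte device plus a directory mapping file names to block lists."""

    def __init__(self):
        self.raw = bytearray(NBLOCKS * BLOCK)
        self.files = {}                       # name -> list of block indexes
        self.free = list(range(NBLOCKS))

    def write(self, name, data):
        nblk = -(-len(data) // BLOCK)         # ceiling division
        blocks = [self.free.pop(0) for _ in range(nblk)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.files[name] = blocks

    def delete(self, name):
        """Unlink only: blocks go back on the free list, bytes stay on disk."""
        self.free.extend(self.files.pop(name))

    def read(self, name):
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.files[name])

    def wipe_free(self):
        """Overwrite every unallocated block: the 'rewrite unused space' step."""
        for b in self.free:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = b"\0" * BLOCK


def count_hits(buf, marker=MARKER):
    """Occurrences of the marker, the way a byte-pattern signature would count."""
    return buf.count(marker)


def file_scan(disk):
    """What a file-based scan sees: only the contents of allocated files."""
    return sum(count_hits(disk.read(n)) for n in disk.files)


def raw_scan(disk):
    """What a sector-level image (or a scanner run over it) sees: every cluster."""
    return count_hits(bytes(disk.raw))


def make_image(disk, used_only):
    """Compressed image. used_only=True mimics an imager that skips free clusters."""
    payload = (b"".join(disk.read(n) for n in disk.files) if used_only
               else bytes(disk.raw))
    return zlib.compress(payload)


def scenario():
    d = ToyDisk()
    d.write("dropper.bin", MARKER * 17 + b"\x90" * 100)   # 17 copies, as in the thread
    d.write("notes.txt", b"nothing to see here")
    d.delete("dropper.bin")                               # "removed", not overwritten
    r = {}
    r["file_scan_after_delete"] = file_scan(d)
    r["raw_scan_after_delete"] = raw_scan(d)
    full = make_image(d, used_only=False)
    used = make_image(d, used_only=True)
    # Compressed bytes are not a verbatim copy, so a scanner must inflate the
    # image (the "packers" setting) before the pattern can match.
    r["hits_in_compressed_full_image"] = count_hits(full)
    r["hits_in_full_image_after_inflate"] = count_hits(zlib.decompress(full))
    r["hits_in_used_only_image_after_inflate"] = count_hits(zlib.decompress(used))
    d.wipe_free()
    r["raw_scan_after_wipe"] = raw_scan(d)
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Reading the results: a file-level scan of the live volume reports nothing after the delete, while a scan of every cluster still finds all 17 copies, which matches the "full system scan clean, on-demand scan of the image file dirty" symptom; the copies only disappear from the raw view after free space is overwritten. The same run also shows why both sides of the argument can be right at once: a sector-level image carries the residue, an image that copies only allocated clusters does not, and in either case the compressed stream has to be inflated before a pattern can match. On a real NTFS volume the built-in `cipher /w:D:\` overwrites unused space (it does not touch the slack at the end of existing files), which is one way to carry out the step Milos describes before taking a fresh image.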

Steved45

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #26 on: March 30, 2010, 10:26:59 PM »
I just got four of these on my MacBook Pro in my Windows XP virtual machine. I deleted them because they would not go into the virus chest. However, when I did, it also took out the entire Windows XP install on my VM. What is the story with these? You can't move them, as AVAST just crashes when you try to, and delete even says it didn't delete them, yet on the panel it shows them deleted.

Offline Baz8755

Re: Win32:Hupigon-ONX [Trj]
« Reply #27 on: March 31, 2010, 12:02:10 AM »
I have just deep-scanned 2 of my 3 machines (Thorough, packers, all files, etc.) and they have shown completely clean, with the exception of the Ghost files.

As I have already stated, absolutely none of my machines has EVER reported this infection. The theory that it must have been cleaned prior to the Ghost file creation and must exist in a cluster somewhere does not make sense, as nothing has ever cleaned this virus off the machines and it only appears to exist in the Ghost images taken, one of which was taken a day or two ago.

If someone wants to tell me how I can blank out unused clusters, then I will, and then take another Ghost. I am willing to bet that the Ghost image will still scan as infected, for 2 reasons.

1) The machines have NEVER been found to be infected so therefore could not have been cleaned leaving behind unused clusters with the signature.
2) Ghost 2003 from what I have read does NOT copy unused clusters to a backup image file.

I would therefore strongly suggest that the signature that Avast is using for this virus is producing false positives.

Do I sound a little aggravated? Too right, as I have wasted 2 valuable days of my vacation trying to get to the bottom of an infection I firmly believe does not and has not ever existed on my network.

Baz

Offline Baz8755

Re: Win32:Hupigon-ONX [Trj]
« Reply #28 on: April 01, 2010, 06:10:28 PM »
All appears very quiet, no responses to my request.........

Offline Zyndstoff (aka Steven Gail)

Re: Win32:Hupigon-ONX [Trj]
« Reply #29 on: April 01, 2010, 06:56:58 PM »
Baz8755: I just tried to draw the attention of the mods to this thread again. However, it's Easter. So hang in there a little.
Your effort is much appreciated, thx a lot!