Author Topic: Win32:Hupigon-ONX [Trj]  (Read 68907 times)


RepublicanWolf

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #45 on: May 10, 2010, 07:21:12 PM »
I still have this false positive. It keeps deleting my backups! When will they fix this??!

WangMandingo

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #46 on: May 12, 2010, 01:49:00 AM »
We have seen what this bug tends to lay its signature in:
(.tib) Acronis image
(.gho) Norton Ghost image
(.xml, .dat) Drive image XML
(.vdi) Virtual Disk Images
Which leads me to think that there is a common file between them that has been compromised.

For us at the shop, this bug is most definitely NOT a false positive. We have recently caught this little guy in the PAGEFILE.SYS and/or the HIBERFIL.SYS on the root of the system drive. The signature indeed disappears from backup images when you run a defrag on the infected area. It also disappears when you simply copy the file to a portable medium. The signature isn't attaching itself to the file directly. It is storing the signature in the tail end of used sectors or in sectors marked as blank. Since these sectors are either marked completely blank or are in an area where no data is expected by the system, they do not get scanned and cannot be normally seen. This is why when you defrag or move the file the signature doesn't follow it. W32.Hupigon-ONX [trj] is a symptom not the disease. We have yet to absolutely verify the source of the problem, however, there is some speculation that Hupigon and its variants have a development kit from which these threats are developed.

My question to the Avast team is:

The Avast! Bart CD identifies this bug in the pagefile.sys, hiberfil.sys, and the backup images. Why does Avast! Professional Edition not do the same thing (Boot time scan or otherwise)? It might not be able to make changes to the sys files but it darn sure should be able to see the signature moving.

WangMandingo

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #47 on: May 12, 2010, 01:58:56 AM »
BTW....very important....We are currently using version 4.8 of Avast Pro Edition.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Win32:Hupigon-ONX [Trj]
« Reply #48 on: May 12, 2010, 09:50:34 AM »
> My question to the Avast team is:
>
> The Avast! Bart CD identifies this bug in the pagefile.sys, hiberfil.sys, and the backup images. Why does Avast! Professional Edition not do the same thing (Boot time scan or otherwise)? It might not be able to make changes to the sys files but it darn sure should be able to see the signature moving.

Hello,
I think that pagefile.sys and hiberfil.sys are in exclusions (but not in Bart CD).

Milos

WangMandingo

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #49 on: May 12, 2010, 09:53:39 PM »
They are indeed exclusions. However they are not optional exclusions. Is there no way to force Avast! Pro 4.8 to check these files while in the operating environment or at least in a BTS? I took a look at Avast! 5 and apparently it does have exclusion options that will allow one to scan them. Unfortunately 5 is, or at least was, relatively unstable.

doktornotor

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #50 on: May 12, 2010, 09:57:06 PM »
Once again, why would you EVER scan such a thing? Takes ages, absolutely unproductive. If you think that your pagefile is infected (don't see how exactly), then just disable it temporarily. Ditto for the hibernation file.

WangMandingo

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #51 on: May 12, 2010, 11:26:49 PM »
The reason I would most definitely want to scan it is because the infection signature could inadvertently dump off into the page file or malicious instructions could be set into the hibernate file. Either way, if one or both of them flag then it is cause for further inspection. The only way you can get them to flag is by doing a scan using Avast!'s Bart CD. However, if these files flag positive it would only indicate that they are the symptoms of a larger problem. The executable that set the signatures in these files is still missing. It could possibly be masquerading as a Windows system file (i.e. calc.exe, find.exe, shutdown.exe), although I highly doubt it at this point. My guess is some driver or library may be carrying the infector.

doktornotor

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #52 on: May 12, 2010, 11:35:04 PM »
Well, folks... go, reformat, restore a clean image.

10 Immutable Laws of Security
Help: I Got Hacked. Now What Do I Do?

P.S. Scanning the pagefile is absolutely pointless. As said, you disable it and it's gone. You disable hibernation, the file's gone. Heck, you can delete it from Linux.

« Last Edit: May 12, 2010, 11:44:29 PM by doktornotor »

WangMandingo

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #53 on: May 13, 2010, 12:15:43 AM »
Of course after setting the page file to delete on shut down and disabling hibernate, one would then most likely turn page file back on. After all, it takes about 5 to 10 just to shut down with the deletion of page file. Sooner or later the page file gets infected again, which means you still have a bug. I believe these signatures are caused by something else that has yet to be detected.

There are many different infections that exist in memory that get dumped off and reread from the pagefile. While it probably isn't good for persistence beyond reboot (infecting hibernate may circumvent this...idk), it will allow persistence while sitting in an environment.

doktornotor

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #54 on: May 13, 2010, 12:28:14 AM »
> Of course after setting the page file to delete on shut down and disabling hibernate, one would then most likely turn page file back on. After all, it takes about 5 to 10 just to shut down with the deletion of page file. Sooner or later the page file gets infected again, which means you still have a bug. I believe these signatures are caused by something else that has yet to be detected.

Getting the pagefile mysteriously "infected" over and over again doesn't sound like a false positive. As said, your course of action here is to wipe the drive (including MBR) and restore a known clean image (no, none of those you have detected by Avast) or - failing that - just reinstall from scratch. If you still get the issue after that, now that's something worth investigation. But to keep backing up a potentially infected system and keep complaining about the images being detected as infected really doesn't make much sense. You need a trustworthy machine to work with, not one that "mysteriously" gets infected all the time, meaning you can have whatever rootkit running there completely undetected.

WangMandingo

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #55 on: May 13, 2010, 06:32:11 AM »
I'm not sure if you are making that statement for my benefit or if you are referencing the others on this thread. Nevertheless, allow me to explain a little more about my particular situation and why I am asking about Avast! Pro 4.8 and the scanning of the pagefile.sys and hiberfil.sys.

I currently work as a computer repair technician in a shop with other technicians. We troubleshoot and repair hardware and software problems on a daily basis with a decent volume of machines. Recently we started to experiment with using bootable CD-ROM environments to effect malicious software scans on our customers' machines. This led us to Avast! and their Bart CD. Using this tool we have begun to see an overwhelming increase in pagefile.sys and hiberfil.sys files flagging positive for a number of different infections. The one that concerns me is this Win32:Hupigon-ONX [Trj] signature that we began picking up attached to various drive images as mentioned above. This signature is also showing up in the pagefile.sys and hiberfil.sys of the same machines we are finding flagged backup images. In our experience it usually shows up with something else flagging in the opposite file although not all the time. One signature I remember seeing in hiberfil.sys when Win32:Hupigon-ONX [Trj] was in the pagefile.sys was Win32/Trojandownloader.bredolab.AA.

All that being said, I'm not wondering 'why is it that backup images get reinfected every time we backup infected drives?'. I'm wondering why is it that the Windows-installed Avast! Pro 4.8 software doesn't scan or flag these files for the signatures with either a direct scan or a boot time scan --AND-- can it be forced by some means to scan them with a boot time scan?

Or are we just going to have to dis on our old friend v4.8 and move everyone up to 5?

Again the aforementioned stability issue with v5 still haunts me.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Hupigon-ONX [Trj]
« Reply #56 on: May 13, 2010, 11:30:11 AM »
When you are in business WangMandingo, why is it so important for you to make so much extra work for yrself and yr colleagues? You don't have to do all this extra work, and as far as I can see you are doing yr clients a disservice by loading yr business up with this kind of indulgence. Almost as if you're taking on these issues like you are doing a thesis in the subject matter. And avast 4.8, for goodness sake!

And now bredolab!

Pardon me for saying, but you appear to have a consuming wish to be haunted.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #57 on: May 13, 2010, 02:28:38 PM »
You boys are getting me worried now :'(

Having performed the fill/defrag procedure I mentioned earlier none of my subsequent ghost images have been flagged as infected.

But now you are saying there may still be some undetected infection lurking :o

Should I be worried, what can I do?

Baz
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Hupigon-ONX [Trj]
« Reply #58 on: May 13, 2010, 08:42:09 PM »
What do you think Baz? Perhaps some kind of summation is in order.

I would say definitely an environment issue related to imaging instruction set(s), but seemingly not universal, as occurrences across the board (all systems) are intermittent. And given also that when there is an occurrence, instances can be constant and coherent.

Hard to see that issue involves a bona fide infection. My opinion.
I would stick to a call that I made earlier in the thread (and without venturing further).

'avast needs to make some call - so calls a definition appropriate to imaging, which is hupigon'

RepublicanWolf

  • Guest
Re: Win32:Hupigon-ONX [Trj]
« Reply #59 on: May 14, 2010, 01:18:14 AM »
I will guarantee there is no bona fide infection on my WHS server or in the backup image of the Windows 7 64 bit machine. Both machines were built from scratch and installed with fresh new copies of Windows. I performed a backup on the first day of installation - 2 weeks ago. Then I scanned the WHS server with Avast WHS edition and it "found" a trojan and deleted most of my other backup images too. If I just backup my other Windows XP PCs there is no trojan found. Only when I backup the W7Pro 64bit - a fresh brand new copy.

This false positive has been around WAAAAAY too long. It should have been fixed a long time ago and it better be fixed soon or I'm taking Avast off.