We have seen what this bug tends to lay its signature in:
(.tib) Acronis image
(.gho) Norton Ghost image
(.xml, .dat) Drive image XML
(.vdi) Virtual Disk Images
Which leads me to think that there is a common file between them that has been compromised.
For us at the shop, this bug is most definitely NOT a false positive. We have recently caught this little guy in the PAGEFILE.SYS and/or the HIBERFIL.SYS on the root of the system drive. The signature indeed disappears from backup images when you run a defrag on the infected area. It also disappears when you simply copy the file to a portable medium. The signature isn't attaching itself to the file directly. It is storing the signature in the tail end of used sectors or in sectors marked as blank. Since these sectors are either marked completely blank or are in an area where no data is expected by the system, they do not get scanned and cannot be normally seen. This is why when you defrag or move the file the signature doesn't follow it. W32.Hupigon-ONX [trj] is a symptom, not the disease. We have yet to absolutely verify the source of the problem; however, there is some speculation that Hupigon and its variants have a development kit from which these threats are developed.
My question to the Avast team is:
The Avast! Bart CD identifies this bug in the pagefile.sys, hiberfil.sys, and the backup images. Why does Avast! Professional Edition not do the same thing (boot-time scan or otherwise)? It might not be able to make changes to the sys files, but it darn sure should be able to see the signature moving.
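
A toy model of the behaviour the post describes (a byte pattern sitting in file slack or in unallocated clusters, found by a raw scan but absent from a file-level read or copy), added here as an illustration and not part of the original post. The volume layout, the file table and `MARKER` are constructed for the example and do not reproduce any real signature.

```python
CLUSTER = 4096
MARKER = b"CONSTRUCTED-SIGNATURE"  # harmless stand-in for an AV byte pattern

def build_volume():
    """Constructed 8-cluster volume: stale bytes first, then a file written over them."""
    vol = bytearray(8 * CLUSTER)
    # Stale content left behind by earlier, since-deleted data.
    vol[3 * CLUSTER + 2000:3 * CLUSTER + 2000 + len(MARKER)] = MARKER
    vol[5 * CLUSTER + 10:5 * CLUSTER + 10 + len(MARKER)] = MARKER
    # A new file takes clusters 2 and 3 but is only 4096 + 1000 bytes long,
    # so the rest of cluster 3 keeps whatever was there before (file slack).
    table = {"backup.tib": ([2, 3], CLUSTER + 1000)}
    data = b"A" * (CLUSTER + 1000)
    vol[2 * CLUSTER:2 * CLUSTER + len(data)] = data
    return vol, table

def read_file(vol, table, name):
    """Logical read, as a file copy does: stops at the recorded file length."""
    clusters, length = table[name]
    raw = b"".join(bytes(vol[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
    return raw[:length]

def scan_raw(vol, marker=MARKER):
    """Sector-level scan: every offset of the marker on the raw volume."""
    hits, pos = [], vol.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = vol.find(marker, pos + 1)
    return hits

def classify(offset, table):
    """Say whether a raw hit is live file data, file slack, or unallocated space."""
    cluster = offset // CLUSTER
    for name, (clusters, length) in table.items():
        if cluster in clusters:
            logical = clusters.index(cluster) * CLUSTER + offset % CLUSTER
            return f"data of {name}" if logical < length else f"slack of {name}"
    return "unallocated"

def report():
    vol, table = build_volume()
    return [(off, classify(off, table)) for off in scan_raw(vol)]

if __name__ == "__main__":
    vol, table = build_volume()
    print("marker in copied file:", MARKER in read_file(vol, table, "backup.tib"))
    for off, where in report():
        print(f"raw hit at offset {off}: {where}")
```

A scanner that reads whole-disk images, the pagefile or the hibernation file as raw bytes sees both hits, while one that opens files through the file system sees neither.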