Author Topic: Win32:Hupigon-ONX [Trj]  (Read 68612 times)

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Win32:Hupigon-ONX [Trj]
« on: March 29, 2010, 01:51:55 PM »
I regularly scan my PC once a fortnight and last scanned it a day or 2 ago.

However a scheduled scan started today and it is claiming that all my monthly ghost images dating back to the beginning of the year are infected with "Win32:Hupigon-ONX [Trj]". Could this possibly be a false positive as I cannot understand how they could all have suddenly become infected with no other warnings from Avast?

Cheers

Baz
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Hupigon-ONX [Trj]
« Reply #1 on: March 29, 2010, 02:22:04 PM »
Hello,
you can send us (virus@avast.com) the file and put "False positive" in the subject.

Milos

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #2 on: March 29, 2010, 02:54:21 PM »
The file is 2GB in size so not really easy to email

I am getting really confused now as my scan log clearly shows that I did a full system scan at 11:48 on 28/03/2010 and it was all clear.

I then took my monthly Ghost image of my C: drive straight after and placed it on the D: drive. The D: drive already contained a couple of previous ghost images which would have been scanned as clean.

This morning using VPS file 100329-1, 29/03/2010 the scans are reporting all the ghost images as infected with "Win32:Hupigon-ONX [Trj]" virus.

The Virus database history shows that this definition was included in VPS 100311-1, 11/3/2010.

However here's the twist, I just fired up a virtual PC that has not updated since VPS 100313-2, 13/3/2010 and scanned one of the infected files and it also finds the virus.

So either this virus has somehow managed to creep past Avast in the past 24 hours and infect several Norton ghost .GHS files or something weird is going on with the detection of this virus.
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Win32:Hupigon-ONX [Trj]
« Reply #3 on: March 29, 2010, 03:17:09 PM »
Why don't you do another ghost-file - a smaller one, that can be sent via mail?
Check that "custom"-file if it shows the same behaviour, which IMHO it should.
You can then send that file to alwil, they will work it out and remove the FP - and I think it is an FP.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #4 on: March 29, 2010, 03:28:21 PM »
I am just going to copy the infected(?) file onto a virtual machine and run an online scan to make sure it is a FP.

Not sure that I can create a custom file as I use ghost 2003 and backup the entire disk, this backup creates several 2GB .GHS files and only one or two of the set of 13 show as infected

Eg.
Set 1
D:\Ghost Images\Most Recent\18122009\18122001.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
D:\Ghost Images\Most Recent\18122009\18122003.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
D:\Ghost Images\Most Recent\18122009\18122005.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
D:\Ghost Images\Most Recent\18122009\18122008.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus
D:\Ghost Images\Most Recent\18122009\18122010.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus

Set 2
D:\Ghost Images\Most Recent\28032010\28032008.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus

Set 3
D:\Ghost Images\Most Recent\11032010\11032008.GHS" is infected by "Win32:Hupigon-ONX [Trj]" virus


So the chances of producing a small image and it being flagged as a virus are quite low :(
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #5 on: March 29, 2010, 04:06:14 PM »
I have just scanned one of the files with 2 online scanners (Housecall and ESET) and both have come up clean.
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Hupigon-ONX [Trj]
« Reply #6 on: March 29, 2010, 04:29:08 PM »
Hello,
all files detected as "Win32:Hupigon-ONX [Trj]" that come to us as false positives are .pdf, .jpg, .css, .mp3, etc., which have some code pasted in with signs of a digital signature, which is weird.

Milos

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #7 on: March 29, 2010, 05:13:50 PM »
Malwarebytes also shows clean.

Also just performed a scan on my wife's PC and it too shows the same issues with .GHS files on her PC.
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Win32:Hupigon-ONX [Trj]
« Reply #8 on: March 29, 2010, 05:53:57 PM »
What about an FTP upload? Start in the evening, before bedtime... when you get up in the morning, it's done.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #9 on: March 29, 2010, 10:05:57 PM »
FTP should be OK if Milos wants to give me an address
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Win32:Hupigon-ONX [Trj]
« Reply #10 on: March 29, 2010, 10:20:00 PM »
« Last Edit: March 29, 2010, 10:25:15 PM by Zyndstoff »
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #11 on: March 30, 2010, 12:06:53 AM »
Sending 220210.gho now, estimated 9Hrs 23 Mins.

This is part of a ghost image from my sandbox PC which is a minimal build. It was built from clean and then ghosted, every time the machine is used the ghost is written back to ensure a clean starting point. This machine has been kept isolated from the rest of my machines but the latest scan of its ghost images shows the same infection.

99.9% certain it is an FP
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Baz8755

  • Full Member
  • ***
  • Posts: 123
Re: Win32:Hupigon-ONX [Trj]
« Reply #12 on: March 30, 2010, 09:48:53 AM »
Uploaded, please let me know if OK
Windows 8.1, i7 12GB RAM 500GB SSD, Avast Free

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Win32:Hupigon-ONX [Trj]
« Reply #13 on: March 30, 2010, 09:52:51 AM »
We'll have to wait for a Mod to check the upload.  8)
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Win32:Hupigon-ONX [Trj]
« Reply #14 on: March 30, 2010, 11:00:49 AM »
Uploaded, please let me know if OK
Hello,
the file has size: 2 147 481 103 bytes.

Milos