Author Topic: Hupigon-ONX false positive in VMware VMDK file on Mac?  (Read 27385 times)

0 Members and 1 Guest are viewing this topic.

gcook

  • Guest
Hupigon-ONX false positive in VMware VMDK file on Mac?
« on: May 12, 2010, 12:13:03 PM »
I am using a MacOS 10.5.8 with Avast 2.74r0 and I got an alert yesterday saying I have a Windows Hupigon-ONX Trojan in my vmware files (see log at end of this post) but also in my Mac Cookies and something called the internetconfigpriv.plist . The VM itself is Windows XP and is protected by McAfee which is up to date and not reporting anything.

I googled and found this on the vmware site which suggests it is a false positive http://communities.vmware.com/thread/266004;jsessionid=D8026D4DCBDF3F410B525BC7005251FB?tstart=0

I  have also been advised that I shouldn't really have Avast scanning the vmdk files in any case, however I can't find any way to disable scanning of this file type or a specific folder. Can someone help please?

This is the logfile from Avast Mac edition

11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s001.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s008.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Library/Preferences/com.apple.internetconfigpriv.plist   Win32:Agent-IZJ [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s004.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s008.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s005.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s004.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s019.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s002.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s019.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s017.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s007.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s003.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s014.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s001.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Library/Cookies/Cookies.plist   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s011.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s001.vmdk   Win32:Hupigon-ONX [Trj]

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #1 on: May 12, 2010, 03:09:40 PM »
I am using a MacOS 10.5.8 with Avast 2.74r0 and I got an alert yesterday saying I have a Windows Hupigon-ONX Trojan in my vmware files (see log at end of this post) but also in my Mac Cookies and something called the internetconfigpriv.plist . The VM itself is Windows XP and is protected by McAfee which is up to date and not reporting anything.

I googled and found this on the vmware site which suggests it is a false positive http://communities.vmware.com/thread/266004;jsessionid=D8026D4DCBDF3F410B525BC7005251FB?tstart=0

I  have also been advised that I shouldn't really have Avast scanning the vmdk files in any case, however I can't find any way to disable scanning of this file type or a specific folder. Can someone help please?

This is the logfile from Avast Mac edition

11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s001.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s008.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Library/Preferences/com.apple.internetconfigpriv.plist   Win32:Agent-IZJ [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s004.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s008.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s005.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s004.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s019.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s002.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s019.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s017.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s007.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s003.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s014.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s001.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Library/Cookies/Cookies.plist   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s011.vmdk   Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37   /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s001.vmdk   Win32:Hupigon-ONX [Trj]


It is probably a false-positive. There's only minor chance that it's real malware, hidden in the windows filesystem, and visible this way only.

But anyway, you might locate the sequence: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75
inside that file, to get a clue where it comes from.

This is not only mac-specific problem, and probably, the signature will be altered, because it's found in many images quite often.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

gcook

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #2 on: May 12, 2010, 05:13:58 PM »
Thanks Zilog. Is there a way to stop Avast scanning my vmdk files?

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #3 on: May 13, 2010, 07:35:26 PM »
Thanks Zilog. Is there a way to stop Avast scanning my vmdk files?

Hallo,
yes, in the forthcoming 3.08 you can use exclusion-mask for them (based on the suffix), or, you can turn off the option "scan full files", if this is why it scans through the whole image (in Preferences).

Or, wait for VPS fix/update, this Hupigon-ONX flaw isn't Mac-related only..

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #4 on: May 14, 2010, 04:52:32 PM »
Thanks Zilog. Is there a way to stop Avast scanning my vmdk files?

Hallo, try to use some disk-wiper (tool that zeroes all unused sectors on the filesystem, where some infection, although already deleted, might survive as raw-data, making your image/backups seemingly infected). I think it would be useful for avast too, as a feature, for those cases.

Please, let me know whether this helped to make the image clean again.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #5 on: May 15, 2010, 12:16:27 AM »
I am running Avast2.74R0 and I am getting the following

"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000001.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000002.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000003.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition.vmdk"

both on my MAC scan as well as my Virtual Windows machine.  From the readings I get that this is a false positive.  I Have defraged both my MAC as well as my Virtual machine.  I am concerned since I don’t want to have to reload XP in a new Virtual machine, since I don’t have all the sources for all my applications. 

Is there anything else I can do to verify I have a FP. ???

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #6 on: May 16, 2010, 02:25:07 PM »
I am running Avast2.74R0 and I am getting the following

"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000001.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000002.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000003.vmdk"
"/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition.vmdk"

both on my MAC scan as well as my Virtual Windows machine.  From the readings I get that this is a false positive.  I Have defraged both my MAC as well as my Virtual machine.  I am concerned since I don’t want to have to reload XP in a new Virtual machine, since I don’t have all the sources for all my applications. 

Is there anything else I can do to verify I have a FP. ???

other method (which doesn't need any diskzeroes or diskwiper) is to create some very huge file, until all the disk space in the virtual machine is exhausted. then, just delete the file (and all free sectors with its data should be overwritten-wiped this way). you can create some directory, and using copy /b somebigfile + somebigfile somebigfile2  and then copy /b somebigfile2 + somebigfile2 somebigfile you can generate file which is getting bigger and bigger... then, just delete this "diskspace-greedy" directory :)

pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #7 on: May 16, 2010, 07:59:00 PM »
I am not as conversant in all this, what I see you saying is that the issue is do to space issues - not a corrupt XP Home Edition file and by using up all my extra space and then deleting the space, I will get rid of the problem.  Can you explain a little more on why this process will work and exactly what the issue is that is creating the FP.  Thanks for your patience..  ???  Mike

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #8 on: May 16, 2010, 08:51:33 PM »
I am not as conversant in all this, what I see you saying is that the issue is do to space issues - not a corrupt XP Home Edition file and by using up all my extra space and then deleting the space, I will get rid of the problem.  Can you explain a little more on why this process will work and exactly what the issue is that is creating the FP.  Thanks for your patience..  ???  Mike

the mechanism is quite straightforward - when you delete malware, found in your system - eiuther using antivirus, or antispyware, or manually - usually the raw data remain in the freed-sectors, and when you scan all sectors (the case of virtual image scanning - those *.vmdk, *.img and others), it's often reported as an infected file.

so, it's the all about how to get rid of that residual data in orphaned sectors.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #9 on: May 16, 2010, 11:54:16 PM »
What I don’t understand it that I did not find any malware on my virtual PC, Avast found that my XP Home Editions is infected with the win32.hupigon-ONX [trj] virus, if I remove it, I have to reinstall my Virtual Machines XP OS.  So from what you just said doing the exercise of building a file to take up the rest of the free space will not work for me.  Is there some way to determine if I really am infected or have a FP like others said about this situation. 

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #10 on: May 17, 2010, 01:39:19 AM »
What I don’t understand it that I did not find any malware on my virtual PC, Avast found that my XP Home Editions is infected with the win32.hupigon-ONX [trj] virus, if I remove it, I have to reinstall my Virtual Machines XP OS.  So from what you just said doing the exercise of building a file to take up the rest of the free space will not work for me.  Is there some way to determine if I really am infected or have a FP like others said about this situation. 

will work for you.
scan on your virtual dick scans files, not each patricular sector on your hdd. on the other hand, from macos, the virtual disk looks like big file, and is scanned entirely.

that's why you see infection from outside, and not when scanning in virtual machine. you need to get rid of the unused sectors, where the infection survived, and that's the hint with that biig file.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #11 on: May 17, 2010, 04:07:36 PM »
I have scanned my virtual drive, it show the say files as being infected, not any other file on my virtual drive.  That is what is bothering me since when I did scan the virtual drive when I was in it, I deleted the files that were infected and then when I closed it down and tried to get back in it said it could not find my virtual PC file.  So it seem as if the infection is in the who virtual machine, am I correct here.  The question I have is why is the whole Virtual image of my XP home edition infected?  And I assume that means I have to delete it and rebuild a new one from scratch.... Hope not. - Thanks for you help - Mike

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #12 on: May 18, 2010, 12:53:24 AM »
I have scanned my virtual drive, it show the say files as being infected, not any other file on my virtual drive.  That is what is bothering me since when I did scan the virtual drive when I was in it, I deleted the files that were infected and then when I closed it down and tried to get back in it said it could not find my virtual PC file.  So it seem as if the infection is in the who virtual machine, am I correct here.  The question I have is why is the whole Virtual image of my XP home edition infected?  And I assume that means I have to delete it and rebuild a new one from scratch.... Hope not. - Thanks for you help - Mike

as was said before - remove the infection from inside (when being under virtual machine, using stock win32 free avast). to kill all the orphaned sectors which might carry the infected residual data, grow one biiig file and delete it, when all the space on the virtual drive is exhausted. this way you can be prety sure it won't be externally detected as infected anymore.

there's no need to start from scratch.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #13 on: May 18, 2010, 03:40:12 PM »
When I loaded my Virtual Machine and loaded my Windows XP,  I tried scanned with my Avast Pro edition version 4.8 (that is what show as the version when I click about Avast) I get only that the XP Home Editions are contaminated (initial version and FP 1, 2 and 3).  If I remove them, I will have essentially deleted my Windows Operating System.  So I am a little confused, sorry for my lack of understanding. 

I do not get that anything else is corrupted with the Win32-hupigon-ONX [trj] malware. 

Is there some other Avast scanner I should be using?  I thought I had followed your instructions earlier, but I guess I am missing something.

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #14 on: May 21, 2010, 04:01:19 AM »
I did what was requested, I opened my virtual machine, did a scan and found that the following files were infected with the Win32-hupigon-ONX [trj]

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I then make a directory in my C:/ drive and then created a file and copied it until I had only 1 MB left on my virtual machine.  I then deleted the directory and then restarted my machine. 

I then scanned again and found the following files infected with the same virus:

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I am at a loss for what to do now. Any suggetions?