Author Topic: Hupigon-ONX false positive in VMware VMDK file on Mac?  (Read 27386 times)

0 Members and 1 Guest are viewing this topic.

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #15 on: May 27, 2010, 11:17:10 AM »
I did what was requested, I opened my virtual machine, did a scan and found that the following files were infected with the Win32-hupigon-ONX [trj]

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I then make a directory in my C:/ drive and then created a file and copied it until I had only 1 MB left on my virtual machine.  I then deleted the directory and then restarted my machine. 

I then scanned again and found the following files infected with the same virus:

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I am at a loss for what to do now. Any suggetions?

Hallo,
I'm confused a bit - how can you see the *.vmdk files (those images for your virtual machines) when you are INSIDE the virtualised machine? Then, you should see their content, instead of the image file.

You must start the virtual machine, and populate the particular *.vmdk from there. Or, do you have some oter-filesystem sharing, so that you can see files from the outer system?

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #16 on: May 27, 2010, 04:11:57 PM »
I have deleted the .vmdk file from my MAC, I can restore it via timemachine, not knowing if I have a problem or not, I decided to delete it until I have this issue resolved.

All my scans within the Virtual machine are done as “through scans”  Setting are for all directories...
 
When I am in the virtual machine and scanning, I scan all files including those that are shared between my MAC and the Virtual PC, the shared documents are in a directory on my MAC called “documents” and in there is a subdirectory called virtual machines which contains the .vmdk file.  So that is how the scan of them is being done. 

I have some further information;

I did a couple of other things to see if I have a virus of not and I am more confused now. Here is what I did

I downloaded Spybot like was suggested on the forum, I ran Spybot and only found tracking cookies - deleted them

I then set up Avast to do scan when I booted my XP on my virtual machine, here is the log which shows NO INFECTION at all

01/21/2009 15:45
Scan of all local drives

Number of searched folders: 787
Number of tested files: 10348
Number of infected files: 0

----------------------------------------
01/25/2009 10:52
Scan of C:\Documents and Settings\Owner\My Documents

Number of searched folders: 3
Number of tested files: 5
Number of infected files: 0

----------------------------------------
05/22/2010 12:48
Scan of C:\Documents and Settings\Owner\My Documents

Scan of Z:\

Scan of C:\Documents and Settings\All Users\Documents

Number of searched folders: 21
Number of tested files: 56
Number of infected files: 0

----------------------------------------
05/22/2010 17:12
Scan of C:\Documents and Settings\Owner\My Documents

Scan of Z:\

Scan of C:\Documents and Settings\All Users\Documents

Number of searched folders: 21
Number of tested files: 58
Number of infected files: 0

----------------------------------------
05/22/2010 17:16
Scan of Z:\

Scan of C:\

Number of searched folders: 3481
Number of tested files: 46637
Number of infected files: 0


I then closed XP and then VMFusion and did a scan from the MAC side and got the following

XP home Edition   Package 4 items, 0 Warnings, 4 Viruses

  XP Home Edition-000001.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000002.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000003.vmdk      Win3:Agent-COH [trj]
  XP Home Edition-vmdk                  Win3:Hupigon-ONX [Trj]

I then opened up VMFusion, started the Virtual Machine without a scan and then scanned the virtual machine as I have done before and got the same results:

  XP Home Edition-000001.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000002.vmdk      Win3:Hupigon-ONX [Trj]
  XP Home Edition-000003.vmdk      Win3:Agent-COH [trj]
  XP Home Edition-vmdk                  Win3:Hupigon-ONX [Trj]

Now which one do I believe?  Do I have an infection virtual PC or not?

Additional information:

I have a MACBookPro running OS 10.6.4 and I am running VMFusion version 3.0.2  I have Avast HomePro version 2.7.4 on my MAC and version  4.8 on my virtual PC. 

Mike

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #17 on: May 28, 2010, 10:10:38 PM »
hallo,
it's really strange a bit, but i have an explanation - it might be some part of swapfile or hibernation file. when shutting the system down, it was stored into swap, and thus detectable later, surviving also when you started your vm again.

i posted the string that's used for detection, so you can have a look using some hexa editor with hexa-string scan ability to locate it inside that vmdk to get a clue where it does belong (or you can boot a live linux with that vmdk as a second harddrive and do hexedit over /dev/hdxxx).

but probably it's NOT infected, as it seems.
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #18 on: May 29, 2010, 05:23:44 PM »

i posted the string that's used for detection, so you can have a look using some hexa editor with hexa-string scan ability to locate it inside that vmdk to get a clue where it does belong (or you can boot a live linux with that vmdk as a second harddrive and do hexedit over /dev/hdxxx).

but probably it's NOT infected, as it seems.

I am not very computer savy, so this might be a stupid question - I assume you would use the Hexedit from the Mac side to scan the .vmdk with out it running on VMFusion - right.  I do not have linux so can not do your last suggestion so I have to go with the first suggestion.  I will try later this weekend and get back to you.  I assume the this is the hex sequence you want me to locate:

          sequence: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75 inside that     file,     to get a clue where it comes from.

Any suggestion on a hex editor to use to scan my .vmdk file?

I do appreciate all the help so far... Mike

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #19 on: May 31, 2010, 12:47:51 PM »

i posted the string that's used for detection, so you can have a look using some hexa editor with hexa-string scan ability to locate it inside that vmdk to get a clue where it does belong (or you can boot a live linux with that vmdk as a second harddrive and do hexedit over /dev/hdxxx).

but probably it's NOT infected, as it seems.

I am not very computer savy, so this might be a stupid question - I assume you would use the Hexedit from the Mac side to scan the .vmdk with out it running on VMFusion - right.  I do not have linux so can not do your last suggestion so I have to go with the first suggestion.  I will try later this weekend and get back to you.  I assume the this is the hex sequence you want me to locate:

          sequence: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75 inside that     file,     to get a clue where it comes from.

Any suggestion on a hex editor to use to scan my .vmdk file?

I do appreciate all the help so far... Mike


Hallo,
for me, the terminal "hexedit" is the most useful one, but you migh probably prefer some GUI-endowed, so maybe this one?
http://mac.softpedia.com/get/Developer-Tools/HexEditor.shtml

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #20 on: June 04, 2010, 03:38:44 PM »
PC

I got HexEditor and tried to open the file “XP Home Edition”, can not see the infected files “....000001.vmdk, etc”, HexEditor could not open, I presume since it wants a the actual file inside “XP Home Edition”.  So since I really am flying blind, how do I get to thsse files from my MAC or do I have to open up my virtual machine to see them......?

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #21 on: June 05, 2010, 01:10:47 PM »
PC

I got HexEditor and tried to open the file “XP Home Edition”, can not see the infected files “....000001.vmdk, etc”, HexEditor could not open, I presume since it wants a the actual file inside “XP Home Edition”.  So since I really am flying blind, how do I get to thsse files from my MAC or do I have to open up my virtual machine to see them......?

open the image file (*.vmdk) in the hexeditor, and try to locate the mentioned string.

seems you're heavily mixing emulations and filesystems together, accessing native files from native filesystem from inside virtual machine, and vice versa...
regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #22 on: June 05, 2010, 10:04:24 PM »
I tried what you said, I opened HexEditor (MAC version) and tried to open *.vmdk and was told HexEditor could mot open it. ......I feel like I am beating my head against a brick wall...

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #23 on: June 07, 2010, 11:23:49 AM »
I tried what you said, I opened HexEditor (MAC version) and tried to open *.vmdk and was told HexEditor could mot open it. ......I feel like I am beating my head against a brick wall...

don't worry,
as i said, it's probably no infection. the only question is, why is this case encountered here and there - but, it's necessary to locate the signature then.
there's also "hexedit" GNU app - no GUI, but tar better functionality (as usually).

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

gcook

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #24 on: July 04, 2010, 12:50:07 PM »
I started this thread off so thought useful to comment again on this.

Basically I am still in exactly the same situation as I was 2 months ago :(. I am still getting the messages (over 30 this morning while its doing a scan) saying that I have have the Win32:Hupigon-ONX [Trj] infection in all the .vmdk files of a particular VM. I have never actually had this infection inside the VM and it has had (company enforced) Mcafee protection during this time and IT checked additionally just in case. So I don't think Zilogs comments about this being the leftovers from an attack inside the vm would apply.

I think as Zilog originally said it is a false positive caused by the Avast looking into the vmdk file as a regular mac file and finding a match by coincidence.

I am very disappointed by Avast because there has been no fix to this after two months. Zilog implied that this could be solved by an update to the virus database. I am not exactly sure whether Zilog works for Avast or is just a volunteer. Either way would be much appreciated if Zilog could use whatever contacts/influence he has to ask for a prompt fix from Avast. It is extremely embarrassing when Avast brings up this message in a meeting when I am sharing my screen. I am going to have to abandon Avast and buy something else which would be a shame as I have used it for a couple of years quite happily before this on my Mac and also use it on several home PC's.

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #25 on: July 04, 2010, 05:24:52 PM »
 ???  I basically was he same as you, I could not find it or get rid of it. So I just bit the bullet, deleted my Window XP virtual machine from my MAC and started over, I now will NOT be open to the internet when I am using Windows, I don’t have to and so I won’t will live with the versions of my applications as they are.  :'(

regmikewall

  • Guest
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #26 on: July 04, 2010, 06:32:51 PM »
 ??? >:( To recap - i had the win32-hupigon-ONX [trj] on all my virtual .vmdk files.  i finally just deleted them from my MAC and did a scan, the virus was gone.  i then reinstalled my virtual machine and i have NOT connected to the internet for any reason while using my virtual machine. 

i just did a scan of my MAC and found that i know have the "win32-hupigon-opb [trj] virus, i have not been connected to the internet when using my virtual machine, so i don't know how i got this?  Why is AVAST finding this and what are they going to do about this issue. 

Need some answers..... >:(

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Hupigon-ONX false positive in VMware VMDK file on Mac?
« Reply #27 on: July 07, 2010, 02:31:19 PM »
??? >:( To recap - i had the win32-hupigon-ONX [trj] on all my virtual .vmdk files.  i finally just deleted them from my MAC and did a scan, the virus was gone.  i then reinstalled my virtual machine and i have NOT connected to the internet for any reason while using my virtual machine. 

i just did a scan of my MAC and found that i know have the "win32-hupigon-opb [trj] virus, i have not been connected to the internet when using my virtual machine, so i don't know how i got this?  Why is AVAST finding this and what are they going to do about this issue. 

Need some answers..... >:(

Hallo,
to put it simply - somewhere in the file must be this sequence of bytes: 22 A9 22 C1  75 82 01 0F  11 60 AB 01  0A 02 21 4A  A9 CA B2 00  A4 CC CD 20  AF 0A 7D 89  00 AC 87 75

i assume that when scanning this drive from the virtual machine itself (using avast for windows), nothing will be found. Thus, it must be inside some abandoned sectors, or in some file that isn't normally scanned (pagefile.sys). If you need exact answer, please, locate this sequence.

Probably, this is interefing with some system thing, and we should consider altering the detecting algo a bit for this case - but, please, dive us more information. Virtual files of mine VMWare/Qemu seems to be clean, so it's something more specific.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)