Hupigon-ONX false positive in VMware VMDK file on Mac?

I am using Mac OS X 10.5.8 with Avast 2.74r0 and I got an alert yesterday saying I have a Windows Hupigon-ONX Trojan in my VMware files (see log at end of this post), but also in my Mac cookies and something called internetconfigpriv.plist. The VM itself is Windows XP and is protected by McAfee, which is up to date and not reporting anything.

I Googled and found this on the VMware site, which suggests it is a false positive: http://communities.vmware.com/thread/266004;jsessionid=D8026D4DCBDF3F410B525BC7005251FB?tstart=0

I have also been advised that I shouldn’t really have Avast scanning the vmdk files in any case; however, I can’t find any way to disable scanning of this file type or of a specific folder. Can someone help please?

This is the log file from Avast Mac edition:

11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s001.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000007-s008.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Library/Preferences/com.apple.internetconfigpriv.plist Win32:Agent-IZJ [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s004.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s008.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s005.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s004.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s019.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s002.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s019.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s017.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s007.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s003.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s014.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s001.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Library/Cookies/Cookies.plist Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000002-s011.vmdk Win32:Hupigon-ONX [Trj]
11.05.2010 16:24:37 /Users/grahamcook/Documents/Virtual Machines.localized/GC-Pindar-WinXPPro1.vmwarevm/winxp-000004-s001.vmdk Win32:Hupigon-ONX [Trj]

It is probably a false positive. There’s only a minor chance that it’s real malware, hidden in the Windows filesystem and visible only this way.

But anyway, you might locate the sequence 22 A9 22 C1 75 82 01 0F 11 60 AB 01 0A 02 21 4A A9 CA B2 00 A4 CC CD 20 AF 0A 7D 89 00 AC 87 75 inside that file, to get a clue where it comes from.

This is not only a Mac-specific problem, and probably the signature will be altered, because it’s found in many images quite often.

regards,
pc

Thanks Zilog. Is there a way to stop Avast scanning my vmdk files?

Hallo,
Yes, in the forthcoming 3.08 you can use an exclusion mask for them (based on the suffix), or you can turn off the option “scan full files” in Preferences, if this is why it scans through the whole image.

Or wait for a VPS fix/update; this Hupigon-ONX flaw isn’t Mac-related only…

regards,
pc

Hallo, try to use some disk wiper (a tool that zeroes all unused sectors on the filesystem, where some infection, although already deleted, might survive as raw data, making your image/backups seemingly infected). I think it would be useful for Avast too, as a feature, for those cases.

Please, let me know whether this helped to make the image clean again.

regards,
pc

I am running Avast 2.74R0 and I am getting the following:

“/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000001.vmdk”
“/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000002.vmdk”
“/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition-000003.vmdk”
“/Users/Mike/Documents/Virtual Machines.localized/XP Home Edition.vmwarevm/XP Home Edition.vmdk”

both on my Mac scan as well as on my virtual Windows machine. From the readings I get that this is a false positive. I have defragged both my Mac and my virtual machine. I am concerned since I don’t want to have to reload XP in a new virtual machine, since I don’t have all the sources for all my applications.

Is there anything else I can do to verify I have an FP?

Another method (which doesn’t need any disk-zeroing or disk-wiper tool) is to create a very huge file, until all the disk space in the virtual machine is exhausted. Then just delete the file (and all free sectors with its data should be overwritten/wiped this way). You can create some directory, and using copy /b somebigfile + somebigfile somebigfile2 and then copy /b somebigfile2 + somebigfile2 somebigfile you can generate a file which is getting bigger and bigger… Then just delete this “diskspace-greedy” directory :)

pc

I am not as conversant in all this. What I see you saying is that the issue is due to space issues, not a corrupt XP Home Edition file, and by using up all my extra space and then deleting the space, I will get rid of the problem. Can you explain a little more on why this process will work and exactly what the issue is that is creating the FP? Thanks for your patience… Mike

The mechanism is quite straightforward: when you delete malware found in your system, either using antivirus, or antispyware, or manually, usually the raw data remain in the freed sectors, and when you scan all sectors (the case of virtual image scanning, those *.vmdk, *.img and others), it’s often reported as an infected file.

So it’s all about how to get rid of that residual data in orphaned sectors.

regards,
pc

What I don’t understand is that I did not find any malware on my virtual PC. Avast found that my XP Home Edition is infected with the Win32:Hupigon-ONX [Trj] virus; if I remove it, I have to reinstall my virtual machine’s XP OS. So from what you just said, doing the exercise of building a file to take up the rest of the free space will not work for me. Is there some way to determine if I really am infected or have an FP, like others said about this situation?

It will work for you.
A scan on your virtual disk scans files, not each particular sector on your HDD. On the other hand, from Mac OS the virtual disk looks like one big file, and is scanned entirely.

That’s why you see the infection from outside, and not when scanning in the virtual machine. You need to get rid of the unused sectors where the infection survived, and that’s the hint with that big file.

regards,
pc

I have scanned my virtual drive; it shows the same files as being infected, not any other file on my virtual drive. That is what is bothering me, since when I did scan the virtual drive when I was in it, I deleted the files that were infected, and then when I closed it down and tried to get back in it said it could not find my virtual PC file. So it seems as if the infection is in the whole virtual machine, am I correct here? The question I have is why is the whole virtual image of my XP Home Edition infected? And I assume that means I have to delete it and rebuild a new one from scratch… Hope not. - Thanks for your help - Mike

As was said before: remove the infection from inside (when being under the virtual machine, using the stock Win32 free Avast). To kill all the orphaned sectors which might carry the infected residual data, grow one big file and delete it when all the space on the virtual drive is exhausted. This way you can be pretty sure it won’t be externally detected as infected anymore.

there’s no need to start from scratch.

regards,
pc
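The "grow one big file until the volume is full, then delete it" procedure described above (in the copy /b post and again in this reply), written out as a small script. This is an added example, not code from the thread or from Avast: it writes zero-filled chunks directly instead of doubling a file with copy /b, and stops only when the filesystem reports ENOSPC. It is meant to be run inside the guest (e.g. on C:\). The function names and the --max-bytes dry-run option are this example's own.

```python
"""Zero-fill the free space of a volume, then delete the filler file.

Added example (not from the forum thread): the same idea as pc's
"grow one big file, then delete it" advice, writing zeros directly.
Run inside the guest, e.g.:  python zerofill.py C:\\
"""
import argparse
import errno
import os
import tempfile

CHUNK = 8 * 1024 * 1024  # 8 MiB per write()


def zero_fill_free_space(directory, chunk_size=CHUNK, max_bytes=None):
    """Grow a zero-filled file in `directory` until the filesystem reports
    ENOSPC (or until `max_bytes`, for dry runs), fsync it so the zeros really
    reach the disk, then delete it. Returns the number of bytes written.

    Stopping on ENOSPC rather than at "1 MB left" matters: any free block
    that is not overwritten can still hold the bytes of a deleted file.
    """
    zeros = b"\x00" * chunk_size
    written = 0
    fd, path = tempfile.mkstemp(prefix="zerofill-", suffix=".tmp", dir=directory)
    try:
        while max_bytes is None or written < max_bytes:
            want = chunk_size if max_bytes is None else min(chunk_size, max_bytes - written)
            try:
                written += os.write(fd, zeros[:want])  # may be a short write; loop continues
            except OSError as e:
                if e.errno == errno.ENOSPC:
                    break  # volume full: every free block now holds zeros
                raise
        try:
            os.fsync(fd)
        except OSError as e:
            if e.errno != errno.ENOSPC:  # a full disk may fail here too
                raise
    finally:
        os.close(fd)
        os.remove(path)  # releases the blocks; they stay zeroed until reused
    return written


def self_check(max_bytes=1_000_000):
    """Dry run into a fresh temporary directory. Returns
    (bytes_written, filler_files_left_behind), so the routine can be
    exercised without actually filling a disk."""
    workdir = tempfile.mkdtemp(prefix="zerofill-check-")
    try:
        written = zero_fill_free_space(workdir, chunk_size=64 * 1024, max_bytes=max_bytes)
        leftovers = os.listdir(workdir)
    finally:
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)
    return written, len(leftovers)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="zero-fill free space, then delete the filler")
    ap.add_argument("directory", help="any directory on the volume to wipe, e.g. C:\\")
    ap.add_argument("--max-bytes", type=int, default=None,
                    help="stop after this many bytes instead of filling the volume (dry run)")
    args = ap.parse_args()
    n = zero_fill_free_space(args.directory, max_bytes=args.max_bytes)
    print("wrote and released %d bytes of zeros in %s" % (n, args.directory))
```

Two caveats a practitioner would want before relying on this against a host-side detection. First, it only overwrites free space; pagefile.sys, hiberfil.sys, NTFS slack and MFT-resident data are untouched, so a match living there survives. Second, the guest in this thread has snapshots (the -000001.vmdk, -000002.vmdk … files): zeros written inside the guest land in the current delta disk, while the base XP Home Edition.vmdk and the earlier snapshot extents are frozen and keep whatever bytes they had, so a scan of those files from the Mac side will report exactly what it reported before. On FAT32 a single file is capped at 4 GiB, so several filler files would be needed there.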

When I loaded my virtual machine and booted my Windows XP, I tried scanning with my Avast Pro edition version 4.8 (that is what shows as the version when I click About Avast); I get only that the XP Home Editions are contaminated (initial version and FP 1, 2 and 3). If I remove them, I will have essentially deleted my Windows operating system. So I am a little confused; sorry for my lack of understanding.

I do not get that anything else is corrupted with the Win32:Hupigon-ONX [Trj] malware.

Is there some other Avast scanner I should be using? I thought I had followed your instructions earlier, but I guess I am missing something.

I did what was requested: I opened my virtual machine, did a scan and found that the following files were infected with Win32:Hupigon-ONX [Trj]:

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I then made a directory on my C:\ drive and then created a file and copied it until I had only 1 MB left on my virtual machine. I then deleted the directory and then restarted my machine.

I then scanned again and found the following files infected with the same virus:

XP Home edition-000001.vmdk
XP Home edition-000002.vmdk
xp Home edition.vmdk

I am at a loss for what to do now. Any suggestions?

Hallo,
I’m confused a bit: how can you see the *.vmdk files (the images for your virtual machines) when you are INSIDE the virtualised machine? Then you should see their content instead of the image file.

You must start the virtual machine and populate the particular *.vmdk from there. Or do you have some other filesystem sharing, so that you can see files from the outer system?

regards,
pc

I have deleted the .vmdk file from my Mac; I can restore it via Time Machine. Not knowing if I have a problem or not, I decided to delete it until I have this issue resolved.

All my scans within the virtual machine are done as “thorough scans”. Settings are for all directories…

When I am in the virtual machine and scanning, I scan all files, including those that are shared between my Mac and the virtual PC; the shared documents are in a directory on my Mac called “Documents”, and in there is a subdirectory called Virtual Machines which contains the .vmdk file. So that is how the scan of them is being done.

I have some further information:

I did a couple of other things to see if I have a virus or not, and I am more confused now. Here is what I did:

I downloaded Spybot as was suggested on the forum, ran Spybot and only found tracking cookies; deleted them.

I then set up Avast to do a scan when I booted my XP on my virtual machine; here is the log, which shows NO INFECTION at all:

01/21/2009 15:45
Scan of all local drives

Number of searched folders: 787
Number of tested files: 10348
Number of infected files: 0


01/25/2009 10:52
Scan of C:\Documents and Settings\Owner\My Documents

Number of searched folders: 3
Number of tested files: 5
Number of infected files: 0


05/22/2010 12:48
Scan of C:\Documents and Settings\Owner\My Documents

Scan of Z:\

Scan of C:\Documents and Settings\All Users\Documents

Number of searched folders: 21
Number of tested files: 56
Number of infected files: 0


05/22/2010 17:12
Scan of C:\Documents and Settings\Owner\My Documents

Scan of Z:\

Scan of C:\Documents and Settings\All Users\Documents

Number of searched folders: 21
Number of tested files: 58
Number of infected files: 0


05/22/2010 17:16
Scan of Z:\

Scan of C:\

Number of searched folders: 3481
Number of tested files: 46637
Number of infected files: 0

I then closed XP and then VMFusion and did a scan from the Mac side and got the following:

XP home Edition Package 4 items, 0 Warnings, 4 Viruses

XP Home Edition-000001.vmdk Win32:Hupigon-ONX [Trj]
XP Home Edition-000002.vmdk Win32:Hupigon-ONX [Trj]
XP Home Edition-000003.vmdk Win32:Agent-COH [Trj]
XP Home Edition.vmdk Win32:Hupigon-ONX [Trj]

I then opened up VMFusion, started the virtual machine without a scan, and then scanned the virtual machine as I have done before and got the same results:

XP Home Edition-000001.vmdk Win32:Hupigon-ONX [Trj]
XP Home Edition-000002.vmdk Win32:Hupigon-ONX [Trj]
XP Home Edition-000003.vmdk Win32:Agent-COH [Trj]
XP Home Edition.vmdk Win32:Hupigon-ONX [Trj]

Now which one do I believe? Do I have an infected virtual PC or not?

Additional information:

I have a MacBook Pro running OS X 10.6.4 and I am running VMFusion version 3.0.2. I have Avast HomePro version 2.7.4 on my Mac and version 4.8 on my virtual PC.

Mike

Hallo,
it’s really a bit strange, but I have an explanation: it might be some part of the swap file or hibernation file. When shutting the system down, it was stored into swap, and thus detectable later, surviving also when you started your VM again.

I posted the string that’s used for detection, so you can have a look using some hex editor with hex-string search ability to locate it inside that vmdk to get a clue where it belongs (or you can boot a live Linux with that vmdk as a second hard drive and do hexedit over /dev/hdxxx).

But probably it’s NOT infected, as it seems.
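The hex-string search pc suggests (first in the post giving the 32-byte sequence, and again in the reply above) can be done from the Mac side without a GUI hex editor. The following is an added example, not code from the thread or from Avast: it reads each file in chunks, so a multi-gigabyte extent is never loaded whole, and carries the tail of each chunk into the next read so a match straddling a chunk boundary is still found. The sequence is the one pc posted, taken as given; the function names are this example's own.

```python
"""Search large files (e.g. VMDK extents) for a byte sequence, from the host.

Added example (not from the forum thread). Usage from the Mac side:
    python findseq.py "XP Home Edition.vmdk" "XP Home Edition-000001.vmdk"
"""
import io
import sys

# The 32-byte sequence quoted by pc in the thread.
HUPIGON_ONX_SEQUENCE = bytes.fromhex(
    "22A922C1 7582010F 1160AB01 0A02214A A9CAB200 A4CCCD20 AF0A7D89 00AC8775"
)

CHUNK = 16 * 1024 * 1024  # bytes per read()


def find_all(stream, needle, chunk_size=CHUNK):
    """Yield every offset of `needle` in a binary stream, reading it in chunks.

    The last len(needle)-1 bytes of each chunk are carried into the next
    read, so a match that straddles two chunks is still found. A full match
    can never fit inside that carry alone, so no hit is reported twice.
    """
    if not needle:
        raise ValueError("empty needle")
    overlap = len(needle) - 1
    carry, base = b"", 0  # base: file offset of carry[0]
    while True:
        data = stream.read(chunk_size)
        if not data:
            return
        buf = carry + data
        i = buf.find(needle)
        while i >= 0:
            yield base + i
            i = buf.find(needle, i + 1)  # i+1, so overlapping matches are reported too
        if len(buf) > overlap:
            base += len(buf) - overlap
            carry = buf[len(buf) - overlap:]
        else:
            carry = buf


def find_in_bytes(data, needle=HUPIGON_ONX_SEQUENCE, chunk_size=CHUNK):
    """Convenience wrapper for in-memory data (exercises the chunk logic)."""
    return list(find_all(io.BytesIO(data), needle, chunk_size))


def scan_files(paths, needle=HUPIGON_ONX_SEQUENCE, chunk_size=CHUNK):
    """Return {path: [offsets]} for every file in `paths` that contains `needle`."""
    hits = {}
    for path in paths:
        with open(path, "rb") as f:
            offsets = list(find_all(f, needle, chunk_size))
        if offsets:
            hits[path] = offsets
    return hits


def context(path, offset, before=32, after=96):
    """Return (start, bytes) around a hit: a PE header, a URL or readable
    strings nearby say far more about what the sequence belongs to than the
    32 bytes alone."""
    start = max(0, offset - before)
    with open(path, "rb") as f:
        f.seek(start)
        return start, f.read(before + after)


def dump(start, blob, width=16):
    """Classic hex + ASCII dump of `blob`, with offsets counted from `start`."""
    lines = []
    for i in range(0, len(blob), width):
        row = blob[i:i + width]
        hexpart = " ".join("%02x" % b for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append("%010x  %-*s  %s" % (start + i, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: findseq.py FILE [FILE...]")
    for path, offsets in scan_files(sys.argv[1:]).items():
        for off in offsets:
            print("%s: hit at offset 0x%x" % (path, off))
            print(dump(*context(path, off)))
```

The reported offset is a position inside the extent file, not a position on the guest's disk: the split extents in the first log (winxp-000002-s001.vmdk and so on) and the snapshot deltas (-000001.vmdk …) are VMware sparse extents whose grain tables map guest sectors to file offsets, so turning a hit into a guest file would need the sparse header parsed. pc's alternative, booting a live Linux with the vmdk attached and searching the block device, gives you real disk offsets for free. Whatever the offset, the surrounding bytes are the useful part: a region of zeros and stale directory entries points at free space or swap, a PE header points at a program.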

I am not very computer savvy, so this might be a stupid question: I assume you would use the hex editor from the Mac side to scan the .vmdk without it running in VMFusion, right? I do not have Linux, so I cannot do your last suggestion, so I have to go with the first suggestion. I will try later this weekend and get back to you. I assume this is the hex sequence you want me to locate:

sequence: 22 A9 22 C1 75 82 01 0F 11 60 AB 01 0A 02 21 4A A9 CA B2 00 A4 CC CD 20 AF 0A 7D 89 00 AC 87 75 inside that file, to get a clue where it comes from.

Any suggestion on a hex editor to use to scan my .vmdk file?

I do appreciate all the help so far… Mike

Hallo,
for me, the terminal “hexedit” is the most useful one, but you might prefer a GUI one, so maybe this one?
http://mac.softpedia.com/get/Developer-Tools/HexEditor.shtml

regards,
pc