I’ve been using Mozy (http://www.mozy.com/) since the middle of July, and since today (I just came back from holidays) one of its temporary files is considered to be a Mnemonix Worm (see screenshot attached)???
Here is a log from avast:
warning.log
11/08/2006 21:18:08 1155323888 SYSTEM 376 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy86.2" file.
13/08/2006 21:48:36 1155498516 SYSTEM 960 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy87.2" file.
15/08/2006 01:37:26 1155598646 SYSTEM 680 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy88.2" file.
25/08/2006 19:51:36 1156528296 SYSTEM 356 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy459.2" file.
25/08/2006 21:37:35 1156534655 SYSTEM 356 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy598.2" file.
25/08/2006 23:59:25 1156543165 SYSTEM 356 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy638.2" file.
notice.log
12/08/2006 15:21:14 1155388874 SYSTEM 376 The program was automatically updated.
14/08/2006 15:51:16 1155563476 SYSTEM 960 The virus database (VPS 0633-0) was automatically updated.
15/08/2006 15:39:36 1155649176 SYSTEM 680 The virus database (VPS 0633-1) was automatically updated.
16/08/2006 15:45:53 1155735953 SYSTEM 680 The virus database (VPS 0633-2) was automatically updated.
17/08/2006 15:57:44 1155823064 SYSTEM 680 The virus database (VPS 0633-3) was automatically updated.
18/08/2006 16:08:15 1155910095 SYSTEM 680 The virus database (VPS 0633-4) was automatically updated.
25/08/2006 17:38:14 1156520294 SYSTEM 356 The virus database (VPS 0634-2) was automatically updated.
Any idea?
I’m about to run a complete scan on reboot, I’ll let you know about it.
I am having the same issue, it seems Avast is mis-identifying an encrypted file as a virus. Here is what Mozy has to say about it:
Code: MozyClientError11
Problem:
One of the mozyx.x files in the Windows %TEMP% folder got deleted or is otherwise inaccessible to mozy. This can sometimes be caused by anti-virus detecting and quarantining a file in the seemingly random bytes that make up the Reed-Solomon encoded, Blowfish encrypted files that mozy creates before sending them to our servers. This can also occur if the %TEMP% folder gets inadvertently cleared while a backup is in progress.
Solution:
We’re currently working with anti-virus vendors to prevent this issue. We’ll release an update as soon as we can. In the meantime, you can try the backup again, and it may work, or you can try pausing or disabling your anti-virus software while the backup is in progress.
Confirm it is a false positive as mentioned above; if so, send the sample to virus@avast.com, zipped and password protected, with the password in the email body and false positive/undetected malware in the subject.
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions. If the file doesn’t have a fixed file name, you can exclude them like this: path\mozy*.* That would exclude all files beginning with mozy and any file type, like the mozy82.2 example above. Even then the path might be long and could be further shortened: c:\windows\system32*\mozy*.* if your folder location is anything like the one above.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.
File "mozy38617.6" received on 11.17.2006 at 22:13:58 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.
Antivirus      Version         Update      Result
AntiVir        7.2.0.39        11.17.2006  no virus found
Authentium     4.93.8          11.17.2006  no virus found
Avast          4.7.892.0       11.15.2006  Mnemonix family
AVG            386             11.17.2006  no virus found
BitDefender    7.2             11.17.2006  no virus found
CAT-QuickHeal  8.00            11.17.2006  no virus found
ClamAV         devel-20060426  11.17.2006  no virus found
DrWeb          4.33            11.17.2006  no virus found
Aditional Information
File size: 1781 bytes
MD5: 796694ef5afd02c2112f52c9da9ce762
SHA1: aba7cc808bfe95cda3d153cd3bacd6020371e950
I emailed the zipped files (it has done it six different times) to Avast per the instructions from DavidR. I also added that directory to my exclusions list. Hopefully Avast can fix the problem from their end.
I would suggest you are a little more selective with the exclusions (using the file wildcard example I gave) than simply adding the directory as that would leave that directory vulnerable.
The thing is, the only files that are created in that folder are temporary ones in that format (mozy*.*); the program temporarily stores the encrypted file before uploading to the server. But I guess you are right, might as well specify the file name.
This sounds like a dumb question but what exclusion path should I use:
C:\DOCUME~1\MOZYBA~1\LOCALS~1\Temp\mozy*.*
or
C:\Documents and Settings\Mozy Backup Service\Local Settings\Temp\mozy*.*
I only ask because Avast shows locations like the first example, but Windows shows the whole name like in the second example. Which format of path does Avast want?
As Tech mentioned, either notation should work in avast's exclusions. If you have to type them, then something shorter would be better (less chance of a typo):
C:\DOCUME~1\MOZYBA~1*\mozy*.* or C:\Documents and Settings\Mozy Backup Service*\mozy*.*
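An added example (not from the thread, Mozy or avast) of the advice above to prefer a file wildcard over excluding the whole directory: it parses detections in the warning.log format quoted in the first post and checks what each exclusion rule would leave unscanned. Glob matching through Python's fnmatch is an assumption standing in for avast's own exclusion matcher, and the two extra file names are constructed.

```python
import re
from fnmatch import fnmatchcase

# Two warning.log lines copied from the first post of the thread.
WARNING_LOG = r'''
11/08/2006 21:18:08 1155323888 SYSTEM 376 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy86.2" file.
25/08/2006 23:59:25 1156543165 SYSTEM 356 Sign of "Mnemonix family" has been found in "C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\mozy638.2" file.
'''

TEMP = r"C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp"

# Constructed: unrelated files that could land in the same temp folder.
OTHER_FILES = [TEMP + r"\setup_tmp.exe", TEMP + r"\~df3a.tmp"]

DETECTION = re.compile(r'Sign of "([^"]+)" has been found in "([^"]+)" file\.')


def detected_paths(log_text):
    """Return (signature, path) pairs found in warning.log text."""
    return DETECTION.findall(log_text)


def is_excluded(path, pattern):
    """Assumption: case-insensitive glob matching approximates the scanner."""
    return fnmatchcase(path.lower(), pattern.lower())


def compare(log_text=WARNING_LOG):
    """For each candidate rule, report coverage and collateral exclusions."""
    hits = [path for _sig, path in detected_paths(log_text)]
    everything = hits + OTHER_FILES
    rules = {
        "whole directory": TEMP + r"\*",
        "mozy files only": TEMP + r"\mozy*.*",
    }
    report = {}
    for name, pattern in rules.items():
        skipped = [p for p in everything if is_excluded(p, pattern)]
        report[name] = {
            # Does the rule silence every reported false positive?
            "covers_all_detections": all(h in skipped for h in hits),
            # Files that stop being scanned although they were never flagged.
            "collateral": [p for p in skipped if p not in hits],
        }
    return report


if __name__ == "__main__":
    for rule_name, result in compare().items():
        print(rule_name, result)
```

Both rules cover the reported detections, but only the directory-wide rule also stops scanning the unrelated files in the same folder.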