Win32:lineage, Win32:ctx & A Decompression Bomb?



#1 mama4cats

Posted 27 October 2007 - 01:54 AM

Ran an avast! scan and it found several instances of Win32:Lineage, a Win32:CTX and it was unable to scan one file reporting, "This file is a decompression bomb."

What is this decompression bomb and how can it be deleted without "setting it off"?

Any guidance or advice would be greatly appreciated! :thumbsup:

AMD A10-7700K, MSI A68HM, 2 x 8GB Avexir DDR3 2133, 240GB SSD x 2 & 1TB SATAIII x 4, McAfee, Windows 10 Pro, Office 2016.



#2 quietman7

Posted 27 October 2007 - 08:13 AM

A decompression bomb is a highly compressed archive of a large amount of uncompressed data. In other words, it is a file that looks small as a result of multiple compression methods but is actually very large when decompressed. Such files could potentially crash a system when unpacked and in the past they were known for targeting anti-virus programs during scanning. Your anti-virus will not attempt to scan/unpack the file but will alert you to the high compression ratio which it considers suspicious.

This is a common issue for avast anti-virus users.

Generally, there is no need to be worried about it. A decompression bomb is just something that unpacks to an unusually big amount of data even though it's rather small (i.e. has a high compression ratio, for example). It's nothing to worry about; you are just informed that avast! will not try to unpack the archive (you may not even know that it's an archive, but it seems like it is) because it may take VERY long to process... I'd suggest ignoring these files.
But you can change values in the avast4.ini file to configure how avast should work with these files.

forum.avast

Win32.Lineage is a family of trojans that steals account information and passwords for the online game Lineage. Win32.CTX is a dangerous, encrypted, polymorphic virus.

However, if you have used Panda ActiveScan, avast detects and claims there is a Win32:CTX worm/virus. This has been a known problem dating back to early 2005. You need to disable avast! while scanning with Panda because Panda uses unencrypted virus definitions which avast! detects as the real virus.

Every virus can be identified because it contains some unique signatures. Antiviral programs have their own database of those signatures. We call this database the "virus definition file".
When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).

avast.com
avast detects Win32:CTX worm/virus

Edit: Forgot about Win32.Lineage. If you're running Win 2000/XP/Vista (32-Bit/64-Bit), download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed and updated with a special "clean driver" for removing persistent malware.)
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

Edited by quietman7, 27 October 2007 - 08:57 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
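As an added illustration of the scanner behaviour quietman7 describes (this is example code, not code from the thread, from avast or from any other product): it reads the sizes a zip archive declares in its central directory, flags an archive whose declared-to-compressed ratio is extreme instead of unpacking it, and, for archives it does inflate, enforces a hard byte budget because the declared sizes themselves can be wrong. The thresholds and the two sample archives are constructed assumptions, not any vendor's settings.

```python
import io
import os
import zipfile

MAX_RATIO = 100                      # declared uncompressed / compressed bytes, whole archive
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # hard budget for bytes we are ever willing to inflate

def archive_report(data: bytes) -> dict:
    """Read declared sizes from the central directory without inflating anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    comp = sum(i.compress_size for i in infos)
    uncomp = sum(i.file_size for i in infos)
    ratio = uncomp / comp if comp else (float("inf") if uncomp else 0.0)
    return {"members": len(infos), "compressed": comp, "declared": uncomp, "ratio": ratio}

def is_suspicious(data: bytes) -> bool:
    """The scanner's decision: flag (and refuse to unpack) on an extreme ratio or declared size."""
    r = archive_report(data)
    return r["ratio"] > MAX_RATIO or r["declared"] > MAX_TOTAL_BYTES

def safe_inflate(data: bytes, limit: int = MAX_TOTAL_BYTES) -> int:
    """Inflate under a byte budget (declared sizes can lie); raise ValueError once it is exceeded."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                while chunk := fh.read(1 << 16):
                    total += len(chunk)
                    if total > limit:
                        raise ValueError(f"inflated more than {limit} bytes, aborting")
    return total

def build_zip(members: dict) -> bytes:
    """Build a small deflate archive in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed inputs: 8 MiB of zeros deflates to a few KiB (ratio near 1000:1),
# while random bytes do not compress at all (ratio about 1:1).
BOMB_LIKE = build_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})
BENIGN = build_zip({"random.bin": os.urandom(256 * 1024)})

if __name__ == "__main__":
    for label, blob in (("bomb-like", BOMB_LIKE), ("benign", BENIGN)):
        print(label, archive_report(blob), "FLAGGED" if is_suspicious(blob) else "ok")
```

The ratio check alone is what the scanner in the thread does; the byte budget in safe_inflate is the extra step a program that must actually unpack untrusted archives needs, since a crafted header can declare any size it likes.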

#3 mama4cats

Posted 29 October 2007 - 10:44 PM

Thanks for the info. I don't think I ever used Panda, but I'm not sure. I'll follow the steps and run the AVG, and things will be good there. The path of the file identified as a decompression bomb shows as a system restore file; would this be because I've run backups while it was there? Do I delete it, or?



#4 quietman7

Posted 30 October 2007 - 07:12 AM

When you're done and your system is clean, you can set a New Restore Point and use Disk Cleanup to remove all but the most recent Restore Point. That should take care of anything in the SIV folder.

Edited by quietman7, 30 October 2007 - 07:12 AM.
