Decompression Bomb


9 replies to this topic

#1 Wendy K. Walker

Wendy K. Walker

  • Members
  • 633 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope
  • Local time:04:18 AM

Posted 30 May 2007 - 08:33 PM

Hi Everyone,

I ran an anti virus check and turned up something called a Decompression Bomb. What the heck is that and what do I do with it?

Thanks,
Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.



#2 buddy215

buddy215

  • Moderator
  • 13,518 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:18 PM

Posted 31 May 2007 - 04:39 PM

A decompression bomb is an attack that targets antivirus software during malware analysis. The attack occurs when antivirus decompresses or unpacks a decompression bomb and attempts to run it in a virtual machine. A decompression bomb may crash the antivirus and/or subject the system to a denial of service attack by heavily loading the CPU.
http://wiki.delectix.com/index.php/Decompression_bomb

Edited by buddy215, 31 May 2007 - 05:50 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:18 PM

Posted 31 May 2007 - 09:47 PM

A decompression bomb is a highly compressed archive of a large amount of uncompressed data. In other words, it is a file that looks small as a result of multiple compression methods but is actually very large when decompressed. Such files could potentially crash a system when unpacked and in the past they were known for targeting anti-virus programs during scanning. Your anti-virus will not attempt to scan/unpack the file but will alert you to the high compression ratio which it considers suspicious.

Are you using avast as your anti-virus?

Generally, there is no need to be worried. A decompression bomb is just something that unpacks to an unusually big amount of data even though it's rather small (i.e. has a high compression ratio, for example). It's nothing to worry about, you are just informed that avast! will not try to unpack the archive (you may not even know that it's an archive, but it seems like it is) because it may take VERY long to process...I'd suggest to ignore these files.
But you can change values in the avast4.ini file to configure how avast should work with these files.

forum.avast
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image]
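
Added example, not part of the original thread and not avast!'s code: a Python sketch of the check described in post #3, flagging a ZIP archive by the compression ratio its directory declares without unpacking it, then unpacking under a hard byte budget. The thresholds, function names and the two sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy limits for this illustration (not avast! settings).
MAX_RATIO = 100                   # unpacked:packed ratio treated as suspicious
MAX_UNPACKED = 16 * 1024 * 1024   # most bytes we agree to unpack in total

def suspicious_members(data, max_ratio=MAX_RATIO):
    """Flag members by their declared sizes; nothing is decompressed."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                flagged.append((info.filename, round(ratio)))
    return flagged

def unpack_within_budget(data, budget=MAX_UNPACKED, chunk=64 * 1024):
    """Stream every member; abort once total output passes the budget."""
    # Declared sizes come from the archive itself, so the count that
    # matters is the one measured while reading.
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    block = member.read(chunk)
                    if not block:
                        break
                    total += len(block)
                    if total > budget:
                        return False, total
    return True, total

def build_sample(name, payload):
    """Constructed test input: one deflated member holding `payload`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: 4 MiB of zero bytes versus ordinary text.
PADDED = build_sample("padding.bin", b"\x00" * (4 * 1024 * 1024))
NORMAL = build_sample("notes.txt", b"scan results for Thursday\n" * 20)

if __name__ == "__main__":
    print(suspicious_members(PADDED), suspicious_members(NORMAL))
    print(unpack_within_budget(PADDED, budget=1024 * 1024))
```

The ratio check alone is what produces an alert like the one in this thread; the budgeted read is the fallback for when a scanner does decide to look inside.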

#4 Wendy K. Walker


Posted 01 June 2007 - 12:07 AM

Hi quietman7,

Thanks for the reply and yes I was using Avast! when that thing showed up. I posted this topic about it over on Avast's site --> http://forum.avast.com/index.php?topic=28638.0 Check it out if you'd like.

Edited by Wendy K. Walker, 01 June 2007 - 01:42 AM.


#5 quietman7


Posted 01 June 2007 - 04:45 AM

I see they gave you the same standard reply to begin with but added in your case it was caused by a "hiccup" on the detection/classification front. To me that was their way of saying a "False Positive".

#6 Wendy K. Walker


Posted 01 June 2007 - 07:37 PM

Hi quietman7,

Thanks for the reply. I don't mind getting the standard reply but I don't think that they are understanding what I'm trying to tell them. There's a language difference I know and there might be something lacking in the translations.

Anyway, I don't think that it was a false positive or hiccup. I understand why Avast would think something is a decompression bomb and not open it to check it but in this case I think it was a real threat and not a false positive.

If you check out my latest reply on that topic on Avast you'll see what I mean. I always scan in "Paranoid Mode" and after that first scan Avast said that there was well over 15 GBs on my HD. Then after I ran ATF and scanned with Avast again there was only 9.8 GBs.

I had downloaded something that took well over twelve hours to download too and I'm on DSL. So now I have to go on a search and destroy mission tracking that down.


Wendy

#7 quietman7


Posted 01 June 2007 - 08:22 PM

Well at least they are still willing to work with you and investigate. Keep us posted.

#8 rowal5555

rowal5555

    Just enough info to be armed & dangerous...


  • Members
  • 2,644 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St Kilda, Dunedin. South Island. NZ
  • Local time:05:18 PM

Posted 01 June 2007 - 08:37 PM

Hi Wendy K Walker

Something that large should be pretty obvious in Sequoia View and will give you the exact path to it. It is available in the Freeware Replacement forum.

Good luck

#9 Wendy K. Walker


Posted 01 June 2007 - 11:44 PM

Hi quietman7,

Thanks for the comment. Yeah they are and if I run across that same situation again I'll know to go there before I run ATF. Not to worry, if I run across it again I'll post about it.


Hi rowal5555,

Thanks for the comment. Well it was obvious to Avast too and Avast had given me the full path to it too. It was a file in the Temporary Internet Files. I just messed up [kind of] by running ATF before I had gone to Avast to see if they might want to check it out.

Anyway it's gone now and it didn't explode on me so I guess all is well.


Wendy

#10 quietman7


Posted 02 June 2007 - 07:50 AM

You're welcome Wendy and thanks for keeping us updated. Doing that may help someone else who experiences a similar issue in the future.