Author Topic: What is a decompression bomb.  (Read 380314 times)

0 Members and 1 Guest are viewing this topic.

justfoo

  • Guest
What is a decompression bomb.
« on: November 19, 2004, 04:15:27 PM »
Just did my first scan with Avast home version. The first line in the "Results of last scan" is: "Unable to scan: The file is a decompression bomb" , this is for a file named COMMS1.cdb. I know what this file is and it is legit, or at least a file named that belongs where it is lol.
There are hundreds of files with ext cdb in the same area as this one, yet it is the only one with this error.
 
This is a Win XP pro machine and I have done the file compression to increase my drive capacity.
Can anyone tell me what a "decompression bomb" is?
Thank you in advance.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:What is a decompression bomb.
« Reply #1 on: November 19, 2004, 04:20:54 PM »
A decompression bomb is a file that unpacks to an enormous amount of data - thus "flooding" the unpacking engine. It's quite hard to detect such files reliably, so it's possible that it gives some false alarms ocassionally.

justfoo

  • Guest
Re:What is a decompression bomb.
« Reply #2 on: November 19, 2004, 04:25:35 PM »
Thanks very much for your quick reply :)

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re:What is a decompression bomb.
« Reply #3 on: November 19, 2004, 09:03:58 PM »
Typically such a bomb is a multi-level packing thing -- data's compressed with one packer (e.g. into a zip), then the resulting archive file is in turn packed (usually with a different packer), and so on several times.

We had a thread here a while back reporting avast and system crashes from trying to scan an apparently small file (50 or 100K, if I remember) which would have eventually expanded, if disk space and memory were available, to a couple of hundred gigs.  :o

So 4.5's new ability to at least try to detect such bombs is certainly a welcome addition.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

justfoo

  • Guest
Re:What is a decompression bomb.
« Reply #4 on: November 20, 2004, 08:52:31 AM »
wow, so should I be concerned that this may have been tampered with by some virus like infection?
  As far as I know this file is a winzipped filed which was then compressed when I selected "compress drive" to regain some space on my poor little choked up laptop.

Thanks for all the help, you guys are excellent !

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:What is a decompression bomb.
« Reply #5 on: November 20, 2004, 01:25:24 PM »
No, I think the file is OK - just the compression ratio is unusually high.
You may check the properties of the file - how big is the compressed and uncompressed size?

badbob13

  • Guest
Re: What is a decompression bomb.
« Reply #6 on: July 27, 2008, 08:22:10 PM »
Can I delete compression bomb files that Avast has identified without worrying about consequence?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: What is a decompression bomb.
« Reply #7 on: July 28, 2008, 12:01:46 AM »
Of course you can if you don't care of the consequences, but why do anything.

Other than the fact it is a highly compressed file that would take up large amounts of HDD space if uncompressed nothing has been found to be wrong.

You don't mention the file name or its location ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Kraven88

  • Guest
Re: What is a decompression bomb.
« Reply #8 on: October 13, 2008, 07:15:37 AM »
Well I have the same bomb, file name
G:\RECYCLER\S-1-5-21-789336058-2025429265-682003330-1003\Dg53.iso\EXTRAS\DOOM 3~5\DAEMON~0\DAEMON~0.EXE\$INSTDIR\SetupDTSB.exe\DaemonTools_WhenUSave_Installer.exe

I dont know much about virus protection or computers that much so if anyone could help please try to simplify what I should do.  :-[

CharleyO

  • Guest
Re: What is a decompression bomb.
« Reply #9 on: October 13, 2008, 09:31:03 AM »
***

Welcome to the forums, Kraven88.   :)

Well I have the same bomb, file name
G:\RECYCLER\S-1-5-21-789336058-2025429265-682003330-1003\Dg53.iso\EXTRAS\DOOM 3~5\DAEMON~0\DAEMON~0.EXE\$INSTDIR\SetupDTSB.exe\DaemonTools_WhenUSave_Installer.exe

I dont know much about virus protection or computers that much so if anyone could help please try to simplify what I should do.  :-[

Well, I do not think you have the same decompression bomb, but none the less ...

This executable ... DaemonTools_WhenUSave_Installer.exe ... is adware. Did you installed WhenUSave?

Please see the below links ...

http://research.sunbelt-software.com/threatdisplay.aspx?name=WhenU.Save&threatid=10810

http://www.threatexpert.com/report.aspx?uid=a10b9ab0-5b36-41dc-b6f0-90fbb5ad5972

My suggestion is to first try to remove WhenUSave by using Add/Remove Programs if possible.

Then, download malwarebytes anti-malware (MBAM), update it, and then run MBAM ...

http://www.malwarebytes.org/mbam.php


***

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: What is a decompression bomb.
« Reply #10 on: October 13, 2008, 04:22:11 PM »
Forget DaemonTools... it's adware  :P
Use Magic Disk instead!
The best things in life are free.

Kraven88

  • Guest
Re: What is a decompression bomb.
« Reply #11 on: October 13, 2008, 10:28:27 PM »
Well I completely removed daemon tools and  all its components so hopefully that worked. Thanx again guys.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: What is a decompression bomb.
« Reply #12 on: October 13, 2008, 10:34:53 PM »
Well I completely removed daemon tools and  all its components so hopefully that worked. Thanx again guys.
You're welcome. Feel free to come back any time you need help or just to change experiences 8)
The best things in life are free.

Tom.k

  • Guest
Re: What is a decompression bomb.
« Reply #13 on: December 25, 2008, 11:03:01 PM »
Hey I'm new on the avast forum. I have no idea what a decompression bomb is or what its douse is it keylogger virus mallware spywere is it lethal or something .
i let my Avast home scan it shows me C:\System Volume Information\...\Data1.cab 3times and a C:\Documents and Settings\...\Data1.cab
Can someone pls tell me haw do deal with it or tell me what do to
Thx for Reading .

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: What is a decompression bomb.
« Reply #14 on: December 25, 2008, 11:19:35 PM »
decompression bomb is just something that unpacks to an unusually big amount of data even though it's rather small (i.e. has a high compression ratio, for example). It's nothing to worry about, you are just informed that avast! will not try to unpack the archive (you may not even know that it's an archive, but it seems like it is) because it may take VERY long to process.
(quoted from Igor: http://forum.avast.com/index.php?topic=15389.msg131213#msg131213)

I'd suggest to ignore these files.
But you can change values into avast4.ini file to configure how avast should work with these files.
Click 'Settings' in my signature for more info  ;)
The best things in life are free.