Author Topic: What is a compression bomb?  (Read 2646 times)

Offline halfbaked05

  • Newbie
  • *
  • Posts: 3
What is a compression bomb?
« on: December 17, 2009, 01:47:39 AM »
Did my first scan today and it found a compression bomb, 2 win32:malware-gen, and a win32:trojan-gen, and 8 "unable to scan: archive is password protected."

K, first: what is a compression bomb? I don't know much about this stuff, but it sounds like it's just a really full file or something (just leave it alone?).

Second (dumb question, sorry ::)), when I move those 3 viruses to the chest, and then go to delete them, when it says "delete from chest," it really means take them off my computer completely, right? Not just take them out of the chest?

And lastly, those unable to scan ones, should I worry about them?

Thanks

Offline Tarq57

  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3696
  • Gender: Male
  • If at first you don’t succeed; call it version 1.0
Re: What is a compression bomb?
« Reply #1 on: December 17, 2009, 03:08:29 AM »
Hi, halfbaked05, welcome to the forum.

Firstly, a decompression bomb is simply a file with an unusually high compression. The technique used to be used a long time ago to swamp a computer, if the payload was viral. That's quite a big "if". Chances are it is not harmful, but the name suggests otherwise for the un-knowing.

"File is password protected" results are usually files created by another security program. Avast has no way of knowing the password, and no way of accessing the file if it did know the password. Spybot springs to mind, because items in Spybot's quarantine often return this type of scan result.
Following a scan, when the report is displayed, moving the column headers in the report window can allow the user to read the original file location or name, which can usually put any concerns to rest.

The Win32 detections are worth further investigation.
There is no need to delete them from the chest; they aren't going to escape. If you could please post the full file names and original locations, that may be revealing.

Your question about deleting from the chest (which isn't a dumb question) is correct. Delete from chest will remove them from your computer, but as I said, don't be in a hurry to do this. The file/s may be harmful; they may be false positives; there is also a chance your computer may need further cleaning.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.
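
An added illustration, not part of the original thread and not a description of how avast! itself decides: a scanner can flag an unusually highly compressed file from the archive's own size metadata, and cap real decompression in case that metadata is wrong. The thresholds, function names and sample archive below are constructed for this example.

```python
import io
import zipfile

# Thresholds are assumptions chosen for this example, not avast! settings.
MAX_RATIO = 100              # expanded/compressed ratio treated as suspicious
MAX_MEMBER_BYTES = 1 << 20   # hard cap on bytes read from one member (1 MiB)


def suspicious_members(zf, max_ratio=MAX_RATIO):
    """List (name, ratio) for members whose declared ratio exceeds max_ratio.
    Uses only central-directory metadata, so nothing is decompressed."""
    hits = []
    for info in zf.infolist():
        ratio = info.file_size / max(info.compress_size, 1)  # avoid /0
        if ratio > max_ratio:
            hits.append((info.filename, round(ratio)))
    return hits


def read_capped(zf, name, limit=MAX_MEMBER_BYTES, chunk=64 * 1024):
    """Decompress one member in chunks, stopping once `limit` is exceeded.
    Declared sizes can be wrong, so the cap is enforced on actual output.
    Returns (data, truncated)."""
    out = bytearray()
    with zf.open(name) as member:
        while True:
            block = member.read(chunk)
            if not block:
                return bytes(out), False
            out += block
            if len(out) > limit:
                return bytes(out[:limit]), True


def build_sample():
    """Constructed sample: 4 MiB of zero bytes plus a small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * (4 << 20))
        zf.writestr("readme.txt", "ordinary text compresses far less\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    with zipfile.ZipFile(build_sample()) as zf:
        print(suspicious_members(zf))
        print(read_capped(zf, "zeros.bin")[1])
```

A high ratio alone says nothing about whether the contents are malicious; it only tells the scanner that fully expanding the file could be expensive.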

Offline halfbaked05

Re: What is a compression bomb?
« Reply #2 on: December 17, 2009, 05:01:07 AM »
Name: MacroTrigger.dll
Location: C:\Windows.old\users\Owner\Desktop\Mouse Recorder

Name: RunDLL32.exe
Location: C:\users\carl\appdata\roaming\thinstall\program data\1000000e00002i

Name: verclsid.exe
Location: C:\users\carl\appdata\roaming\thinstall\program data\1000000600002i

Offline Tarq57

Re: What is a compression bomb?
« Reply #3 on: December 17, 2009, 08:38:43 AM »
Very good, I'll look a bit more into these, post some suggestions. Nothing obviously awry is leaping out from those results.
Does the "mouse recorder" mean anything to you? Anything you may have installed at some stage in the past?

I'll post a few suggestions for further investigation tomorrow, got to go grab some zee's.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64881
  • Gender: Male
Re: What is a compression bomb?
« Reply #4 on: December 17, 2009, 09:39:01 AM »
halfbaked05, is the Windows.old an old Windows installation folder?
Did you have to repair your Windows installation (or install it twice)?

Just to be sure, please submit the files to VirusTotal and let us know the results.
The best things in life are free.

Offline halfbaked05

Re: What is a compression bomb?
« Reply #5 on: December 17, 2009, 01:25:07 PM »
Tarq57
Yeah, a looooong time ago I installed a mouse recorder. Avast said it was last updated, I think it was around 2007.

Tech
Yeah, Windows was reinstalled a while back.

Offline Tarq57

Re: What is a compression bomb?
« Reply #6 on: December 17, 2009, 09:09:33 PM »
The .old file is probably safe to ignore/delete.
The other two can be investigated if you want. (Is your computer running OK now?)

-Create a new folder on your C drive simply called "Suspicious".
-Set it to be excluded from scanning. Left click the tray icon, select "standard shield>customize>advanced" and add the path C:\Suspicious to the list of exclusions.
-Start Avast, open the virus chest, and right click and extract each of the files to the Suspicious folder.
-Open a browser, go to www.virustotal.com, and upload each file in turn for scanning. (Takes 1-3 minutes, usually). At the end of scanning there will be a list of ~46 results from the different AVs scanning the file. You can only upload/process one file at a time.
-Post the URL (copied from the browser address bar) for each of the scans in your next post.

A second opinion scanner/cleaner is sometimes useful. Most users here, self included, use the free version of MBAM for demand scanning.
Get it here.