Avast WEBforum

Other => Viruses and worms => Topic started by: sylph_14 on May 30, 2009, 08:13:45 PM

Title: Trojan and decompression bomb?
Post by: sylph_14 on May 30, 2009, 08:13:45 PM
Hello! First time posting, I seem to have come across a situation that has me fairly concerned.

This morning I was browsing deviantart, a website I frequent several times a day with no problem. I then got Avast giving me a trojan virus warning, from the url I figure it was from one of the advertisement banners on the site, for which I hit the Abort Connection button, and it appeared as if one of the ad banners didn't load, assumed that was the culprit. I then proceeded to poke around the menus for instructions on how to report the ad to the site, and had the same warning pop up again, and gave the same address in the warning. Again, I used the Abort Connection.

I then ran a scan just to be sure, and the results showed zero infected files, but told me I had 2 'Decompression Bombs', which I've never seen before. There were no options to do anything with those files.

So, it may be a coincidence that I had 2 virus warnings and then 2 decompression bombs, but I'm sort of a paranoid person by nature  :-[ (and not the brightest when it comes to computer files) So I was wondering if there is any risk of trojans hiding in those bombs? And if there are any steps I should take?

I'm running the scan again, just in case, so I'll post the file names if they come up again

Thanks for taking the time to read :D any help is much appreciated  :-* (oh, I use Windows Vista if that makes any difference)
Title: Re: Trojan and decompression bomb?
Post by: DavidR on May 30, 2009, 08:23:16 PM
The web shield would have blocked the detected file from being saved to your browser cache and consequently run in your system, so it shouldn't be present on your system.

You can check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections, but I don't know if this would be much help to them. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

Many sites have banner ads that are out of their control as they are served by some other service and on occasion that banner could have malicious content. Even if you reported it to them they may not be able to do anything about it unless you could specifically state it was a banner ad and which one.

Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.
 
The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
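
The check described in the post above, as an added example that is not part of the original thread and not avast's code: a scanner-style guard that skips an archive member when its compression ratio or unpacked size passes a limit, which is why a harmless cache file or old patch installer can be reported. The thresholds, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_RATIO = 100             # assumed threshold, not avast's actual value
MAX_UNPACKED = 50 * 2**20   # assumed 50 MiB cap per archive member

def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def inspect_archive(blob, max_ratio=MAX_RATIO, max_unpacked=MAX_UNPACKED):
    """Return {member name: verdict}; verdict is 'ok' or 'skipped: ...'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Ratio taken from the sizes recorded in the archive headers.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                verdicts[info.filename] = f"skipped: ratio {ratio:.0f}:1"
                continue
            # Header sizes can be wrong, so also cap the bytes actually read.
            unpacked = 0
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    unpacked += len(chunk)
                    if unpacked > max_unpacked:
                        break
            verdicts[info.filename] = ("skipped: exceeds size cap"
                                       if unpacked > max_unpacked else "ok")
    return verdicts

# Constructed sample: 1 MiB of zero bytes compresses to roughly 1 KiB.
SAMPLE = make_zip({
    "zeros.bin": bytes(2**20),
    "readme.txt": b"patch notes for an old Windows update\n",
})

if __name__ == "__main__":
    for name, verdict in inspect_archive(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A "skipped" verdict only means the member was not unpacked for scanning; it says nothing about whether the content is malicious.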
Title: Re: Trojan and decompression bomb?
Post by: spg SCOTT on May 30, 2009, 08:29:02 PM
Hello Sylph_14,

Firstly, Welcome to the forums.

Could we have the link to the page that avast alerted you on?
This can be found in the avast log viewer:

right click avast icon-->click avast log viewer-->click warning section-->the most recent warnings will be at the bottom by default

The fact that you clicked the abort connection button means that the potential malware was interrupted and stopped before it had a chance to reach your system.

As for the 'decompression bombs'

Decompression Bomb, a file that is highly compressed, which could be very large when decompressed. This used to be a tactic long ago to swamp the system, also see http://forum.avast.com/index.php?topic=15389.msg131213#msg131213.
 
The name really is the most dangerous thing about this and I wish they would change it or simply not report it, a real PITA.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

I think there is nothing to worry about there.

EDIT: ahh I'm no match for you DavidR, even when I cheat  ;D
odd, the preview button didn't show me your post... oh well it's done now...
Title: Re: Trojan and decompression bomb?
Post by: sylph_14 on May 30, 2009, 11:21:35 PM
Thanks so much!

I checked the files that were listed as decompression bombs, turns out one was a Firefox cache file, and the other was an old .exe for a Windows patch I forgot to delete ages ago  :-X Just like me to panic at nothing  ;D

As for the page that Avast gave the alert on, the link was hxxp://exchange.blueadvertise.com/72890_dyn.php

Thanks again! :D