Author Topic: Decompression bomb, doesn't look legitimate  (Read 3050 times)


zanthal

  • Guest
Decompression bomb, doesn't look legitimate
« on: March 28, 2010, 11:43:20 PM »
http://class0702.com/zanthal/decompressionbomb1.jpg


I've read several other threads that indicate that avast! will notify about decompression bombs, when those files are actually safe and normal.

I just did a full system scan for PUPs and the works and got two threats as seen above in the image linked.

One is a high severity threat that ended up in the chest as instructed, and the other looks very similar in path and file name (part of a restore point?) and is indicated to be a decompression bomb.


So that leaves me questioning, what should I do with this decompression bomb file?  Avast! hasn't done anything with it I don't believe.


Thanks for the help

Hermite15

  • Guest
Re: Decompression bomb, doesn't look legitimate
« Reply #1 on: March 29, 2010, 12:11:25 AM »
You know what a decompression bomb is, right? ... anyway, one file on your pic, it appears one file was clearly malware and sent to chest, so not much to add there... as to the other one, the decompression bomb, attempt to scan it anyway, and see what gives...
« Last Edit: March 29, 2010, 12:13:23 AM by Logos »

zanthal

  • Guest
Re: Decompression bomb, doesn't look legitimate
« Reply #2 on: March 29, 2010, 12:36:50 AM »
There's something dangerous about it being called a "bomb", yeah I read up on it. Can't find the file now. What's more I can't find the "G:\System Volume Information\" path, the directory doesn't appear to exist.

.: L' arc :.

  • Avast Evangelist
Re: Decompression bomb, doesn't look legitimate
« Reply #3 on: March 29, 2010, 12:43:32 AM »
Welcome to the forums zanthal,

G:\System Volume Information\ refers to System Restore and is a system protected location so I suggest, if you want to get rid of it:

Clear Restore Points
  • On the Desktop, right-click My Computer > Properties > System Restore tab
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Restart your computer
  • On the Desktop, right-click My Computer > Properties > System Restore tab
  • Uncheck Turn off System Restore.
  • Click Apply, and then click OK.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Hermite15

  • Guest
Re: Decompression bomb, doesn't look legitimate
« Reply #4 on: March 29, 2010, 12:55:17 AM »
Quote from: zanthal on March 29, 2010, 12:36:50 AM
    There's something dangerous about it being called a "bomb", yeah I read up on it. Can't find the file now. What's more I can't find the "G:\System Volume Information\" path, the directory doesn't appear to exist.

OK thought so ;D ... so no, a decompression bomb is just an archive with either a too high level of compression or with too many sub-archives inside for Avast to scan it. It would take ages and Avast just skips it. Whether it contains malware or not is another story. You won't find out unless you ask Avast to explicitly scan all of it - which I wouldn't do, or open it, and chances are that it's a safe file.
You cannot find the path to your file because it's in a system restore folder, and you have an access denied, that's normal. You should delete all your restore points now anyway as there's some malware inside, and make sure your system is clean before you create a new one.
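
The two conditions described in Reply #4 (a very high compression level, or too many sub-archives inside one another) can be checked from a ZIP's own directory before anything is unpacked. The following Python is an added example, not part of the original thread and not avast!'s code; the thresholds, the function names `assess_zip` and `make_zip`, and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed demo thresholds; avast!'s real limits are not stated in the thread.
MAX_RATIO = 100            # uncompressed : compressed size, per member
MAX_DEPTH = 3              # archive-inside-archive levels a scanner will follow
MAX_INNER = 1 << 20        # bytes of a nested archive it will unpack to look inside

def assess_zip(data, depth=1):
    """Return the reasons a scanner would skip this ZIP as a decompression bomb."""
    if depth > MAX_DEPTH:
        return [f"nesting deeper than {MAX_DEPTH} levels"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Both sizes are read from the ZIP directory; nothing is unpacked yet.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                reasons.append(f"{info.filename}: ratio {ratio:.0f}:1")
                continue
            if not info.filename.lower().endswith(".zip"):
                continue
            # Declared sizes can be wrong, so the read itself is capped.
            with zf.open(info) as member:
                inner = member.read(MAX_INNER + 1)
            if len(inner) > MAX_INNER:
                reasons.append(f"{info.filename}: nested archive over size cap")
            elif zipfile.is_zipfile(io.BytesIO(inner)):
                reasons.extend(assess_zip(inner, depth + 1))
    return reasons

def make_zip(members, method=zipfile.ZIP_DEFLATED):
    """Build a sample archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

NORMAL = make_zip({"notes.txt": bytes(range(256)) * 4})
DENSE = make_zip({"zeros.bin": b"\0" * 5_000_000})   # compresses roughly 1000:1
NESTED = NORMAL
for _ in range(4):                                   # four wrappers around NORMAL
    NESTED = make_zip({"layer.zip": NESTED}, zipfile.ZIP_STORED)

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("dense", DENSE), ("nested", NESTED)):
        print(label, assess_zip(blob) or "ok to scan")
```

A flagged archive here means only "too expensive to unpack under these limits", which matches the thread's point that the warning says nothing about whether the contents are malicious.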

zanthal

  • Guest
Re: Decompression bomb, doesn't look legitimate
« Reply #5 on: March 29, 2010, 02:15:20 AM »
Done and re-scanning ... thanks guys.