Author Topic: What is a decompression bomb.  (Read 230264 times)

tyranny89
Re: What is a decompression bomb.
« Reply #15 on: December 27, 2008, 07:25:25 PM »
Is there any way to delete the decompression bomb, though? Because Avast found one in my temp:

C:\windows\Temp\Leg93A.tmp\$INSTDIR\data.grf

I think I know what it is, and if memory serves, it pertains to an online MMO (Ragnarok Online: Legacy) that ended up not working on my computer and I deleted it.

Yet this was over a year ago.

Tech (avast! team)
Re: What is a decompression bomb.
« Reply #16 on: December 27, 2008, 07:45:13 PM »
> Is there any way to delete the decompression bomb, though?

It would be better to send it to the Chest.
If the file is too big, or you're sure it could be deleted, just do it within the virus alert (delete button) or using Windows Explorer.
The best things in life are free.

DavidR (avast! Überevangelist)
Re: What is a decompression bomb.
« Reply #17 on: December 27, 2008, 08:05:50 PM »
Under normal circumstances I would say leave it alone, as all avast is reporting is that it can't/didn't scan the file because it is a very large archive and, when unpacked (to be able to scan the contents it has to be unpacked), could be very, very large.

Now this, in the dim and distant past, was used to crash a system, hence it got named a 'decompression bomb', and the term is still used today, though there is much less possibility of it crashing a system as they have far more resources. So decompression bomb is very scary but not necessarily malicious.

Since this is in a Temp folder the easiest option is to clear the Temp folder.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
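
The check described in the reply above, as an added example (not avast's code and not posted by anyone in this thread): unpack a gzip stream in bounded steps and give up, without any verdict on the content, once the output grows past a limit. The function name, the limits and the sample data are assumptions made for illustration.

```python
import gzip
import zlib

CHUNK = 64 * 1024                # unpack at most this much per step
MAX_OUTPUT = 64 * 1024 * 1024    # assumed cap on total unpacked bytes
MAX_RATIO = 200                  # assumed cap on unpacked/packed size
RATIO_FLOOR = 1024 * 1024        # ignore the ratio until 1 MiB is unpacked

def classify_gzip(data, max_output=MAX_OUTPUT, max_ratio=MAX_RATIO):
    """Unpack a gzip stream step by step; return (verdict, bytes_unpacked).

    A "not scanned" verdict says nothing about the content being
    malicious, only that unpacking was abandoned.
    """
    d = zlib.decompressobj(31)           # wbits=31 selects the gzip container
    total, buf = 0, data
    try:
        while not d.eof:
            out = d.decompress(buf, CHUNK)   # output bounded to CHUNK bytes
            total += len(out)
            too_big = total > max_output
            too_dense = total > RATIO_FLOOR and total > max_ratio * len(data)
            if too_big or too_dense:
                return ("not scanned: decompression bomb", total)
            buf = d.unconsumed_tail          # input not consumed yet
            if not out and not buf:          # no progress and no input left
                return ("not scanned: truncated or corrupt", total)
    except zlib.error:
        return ("not scanned: truncated or corrupt", total)
    return ("unpacked for scanning", total)

# Constructed samples (not taken from the thread).
SAMPLE_TEXT = "".join(
    f"user{i} logged in from host{i % 13}\n" for i in range(2000)).encode()
SAMPLE_NORMAL = gzip.compress(SAMPLE_TEXT)
SAMPLE_DENSE = gzip.compress(b"\0" * (8 * 1024 * 1024))   # 8 MiB of zeros

if __name__ == "__main__":
    samples = [("normal", SAMPLE_NORMAL), ("dense", SAMPLE_DENSE),
               ("truncated", SAMPLE_NORMAL[:len(SAMPLE_NORMAL) // 2])]
    for name, blob in samples:
        print(name, len(blob), classify_gzip(blob))
```

The dense sample is harmless data that simply compresses well, which is the situation the replies in this thread describe for large movie and game archives.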

prickey
Re: What is a decompression bomb.
« Reply #18 on: December 29, 2008, 12:25:41 PM »
I also was notified of a decompression file. What concerns me most is that when I tried to have Avast delete the file, it was unable to. The file is:

ta03upsw.exe
Located in a subdirectory of my Documents folder.

Any suggestions?

Tech (avast! team)
Re: What is a decompression bomb.
« Reply #19 on: December 29, 2008, 01:17:35 PM »
> ta03upsw.exe

Strange file...
Please submit it to VirusTotal and let us know the result.

I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

DavidR (avast! Überevangelist)
Re: What is a decompression bomb.
« Reply #20 on: December 29, 2008, 02:55:31 PM »
> I also was notified of a decompression file. What concerns me most is that when I tried to have Avast delete the file, it was unable to. The file is:
>
> ta03upsw.exe
> Located in a subdirectory of my Documents folder.

This just means a highly compressed file that, when unpacked to be scanned, would be very large. However, in that location it does seem strange, and a Google search on the file returns zero hits, which is in itself suspicious.

What reason did avast give for not being able to delete it?

However, deletion isn't a good idea/habit to get into, even more so for a file that just can't be scanned, as it isn't a clear indication of an infected file just because it can't be scanned, no matter how scary the name decompression bomb is. Though in this case it is suspicious and should be checked out.


Diogenes
Re: What is a decompression bomb.
« Reply #21 on: February 21, 2009, 03:50:17 PM »
Back up some in this thread, Daemon problems were mentioned in conjunction with "decompression bomb."  I remembered seeing that word flitting about on my system so did a search on it and found

cidaemon.exe in C:\WINDOWS\system32
cidaemon.exe in C:\WINDOWS\system32\dllcache
HandleCollector$Daemon.class in com/ms/wfc/util (twice)

Are these legitimate files?

Finally, with regard to decompression bombs.  I have two that are legitimate files that brought down some music and a video of my fav Scottish pipe and drum group.  I have unzipped them.  Can I delete these two compressed files w/o losing what I unzipped?

Tech (avast! team)
Re: What is a decompression bomb.
« Reply #22 on: February 21, 2009, 04:45:13 PM »
> Are these legitimate files?

Can you submit them to www.virustotal.com?

> Can I delete these two compressed files w/o losing what I unzipped?

Deleting the original archive won't delete the extracted files.

Diogenes
Re: What is a decompression bomb.
« Reply #23 on: February 21, 2009, 05:20:35 PM »
Thank you Tech... :)

Tech (avast! team)
Re: What is a decompression bomb.
« Reply #24 on: February 21, 2009, 05:58:19 PM »
> Thank you Tech... :)

You're welcome. Feel free to come back any time you need help or just to exchange experiences 8)

helpme22
need decompression bomb removal help
« Reply #25 on: March 12, 2009, 03:36:27 PM »
:( I will begin by making it known that I am inexperienced at this. I downloaded the avast free home version, 4.8 I believe. I do regular antivirus scans as well as boot scans. I have been told that I have 3 decompression bombs that avast is unable to scan. All three are movies I downloaded.

I also have been noticing my PC slowing down and my Internet Explorer crashing with the usual error report asking me to send, not send, or debug. I have done some research and understand that a decompression bomb can be malicious, but also avast has made some mistakes and at times detects some files that are not a problem. I think mine are a problem. I also have noticed fake antivirus icons popping up in my bottom bar. Avast is not catching these as viruses... but I did not download them. I don't know if these are old and recently resurfacing or what.

I am still learning a lot about this stuff and have limited knowledge of how to handle this stuff. I used to have Spybot antivirus and I deleted all of its log files when avast said it was unable to scan them.

I am not sure what else may be helpful info except that I have Windows XP Media Center Edition, graphics is an NVIDIA GeForce 6150 LE, and I am running an AMD Athlon 64. As a side note, I have been trying to gradually learn about Linux and switch... but have not found the best version for my system to work with. If anyone has any suggestions on that please feel free to educate me. My main concern however is with avast and my processor slowing down.

DavidR (avast! Überevangelist)
Re: What is a decompression bomb.
« Reply #26 on: March 12, 2009, 05:22:14 PM »
Well, as explained in this topic, you have nothing to worry about.

The term decompression bomb is more scary than what it is actually reporting: that the file is highly compressed and, if it were unpacked for scanning, it would be exceptionally large (par for the course of a large movie file), and for that reason alone avast hasn't scanned it, no other reason. How could it determine anything, malicious or otherwise, as it hasn't scanned them?

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
So deleting those S&D files was wrong.

So I would say these files have nothing to do with your other issue with IE slowing down; that is likely to do with other undetected malware.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

Larson
Re: What is a decompression bomb.
« Reply #27 on: March 29, 2009, 06:24:31 PM »
avast! found 3 files that couldn't be scanned that are in an invalid folder. They also cannot be moved, deleted or repaired, claiming it's a decompression bomb.
C:\FOUND.81\FILE0013.CHK\(gzip)
C:\FOUND.81\FILE0014.CHK\(gzip)
C:\FOUND.81\FILE0018.CHK\(gzip)
Should I be concerned?
Thanks!

DavidR (avast! Überevangelist)
Re: What is a decompression bomb.
« Reply #28 on: March 29, 2009, 06:40:04 PM »
As has been said many times in this topic, no, there is nothing to worry about; it is just that the files are very large and the gzip format compresses them highly.

Tech (avast! team)
Re: What is a decompression bomb.
« Reply #29 on: March 30, 2009, 12:06:20 AM »
> Should I be concerned?

No. See my reply #14 to understand what a decompression bomb is.

 
