decompression bombs

Forum Moderators: open

Message Too Old, No Replies

decompression bombs

how to get rid of?

surrealillusions

6:13 pm on Nov 18, 2008 (gmt 0)

Hi all,

Just ran scan of my system with avast, and its found some decompression bombs. After some research on google, i havent found much in the way of getting rid of them.

Ive booted in safe mode, ran the scan, but still wouldnt delete them.

They're apparently in thunderbirds mail folders, but yet they're not in there when i go to browse that folder. (i have folders to show hidden files and folders).

I'm on windoze xp (sp3).

kaled

10:23 pm on Nov 18, 2008 (gmt 0)

Windows doesn't display all files even when you instruct it to. For instance, desktop.ini is normally hidden from view irrespective of folder options, etc.

Check the folder properties - that will tell you the actual number of files and subfolders therein (I think). You can then count them manually and see if they tally (select-all is useful if the statusbar is visible). You can also select "properties" for the selected files and check the combined size against the size given in the folder properties. By deduction, that should tell you if the files really exist.

Kaled.

caribguy

10:30 pm on Nov 18, 2008 (gmt 0)

Try opening a command prompt and navigating to the directory. Do you see the files then?

surrealillusions

10:48 am on Nov 25, 2008 (gmt 0)

Tried both options, the cmd prompt way and folder properties (select all, as well as right click on folder) all show the same number of items and same size where these decompression bombs apparently are.

So...if they dont exist...then how come avast is picking them up?

kaled

11:20 am on Nov 25, 2008 (gmt 0)

It sounds like a bug in Avast.

I've never used Avast or encountered a decompression bomb (I had to look it up) but my recommendation would be to ignore it for now.

Thunderbird compresses emails for storage so if they contain zipped files that's a second level of compression and if the zipped files contain other compressed files such as UPX-compressed exe files or even png image files (which use deflate) then that's a third level of compression. Attempts to scan inside all of that may well fail but it's possible even higher levels exist if you have self-extracting installers stored in there.

My guess is that the reported file name is that of a compressed file stored somewhere within a compressed mail folder.

Kaled.

surrealillusions

12:17 pm on Nov 26, 2008 (gmt 0)

ok..thanks

kaled

2:39 pm on Nov 26, 2008 (gmt 0)

One final thought...

There is little point using real-time anti-virus detection and also scanning inside compressed folders. The operating system cannot execute files within compressed folders without first decompressing, saving and opening them. Real-time scanning will detect the virus, if there is one, when the file is opened (and before it is executed).

In other words, if the option exists to do so, switch off scanning within compressed folders for scheduled scans (but leave it on for manual scans, if possible). This may also mean that scheduled scans are completed much more quickly.

Kaled.