Avast! Found A Decompression Bomb!

Hi Everyone,

I started Avast running a virus scan last night when I stopped for the evening and today I see that Avast is reporting having found a file that it couldn’t open and that that file contains something called a “Decompression Bomb”.

My first question is; What the heck is a decompression bomb? My second question is; Is that something that is hazardous to my system? My third question is; What to do with that file, leave it alone or move it to the chest manually as Avast didn’t offer to do it for me?

Thanks for any insight into this.

Wendy

Decompression bomb — an attack that targets antivirus software during malware analysis. The attack occurs when antivirus decompresses or unpacks a decompression bomb and attempts to run it in a virtual machine. Decompression bomb may crash the antivirus and/or subject the system to a denial of service attack by heavily loading the CPU.

Decompression bomb is just something that unpacks to an unusually big amount of data even though it’s rather small (i.e. has a high compression ratio, for example). It’s nothing to worry about, you are just informed that avast! will not try to unpack the archive (you may not even know that it’s an archive, but it seems like it is) because it may take VERY long to process. (quoted from Igor: http://forum.avast.com/index.php?topic=15389.msg131213#msg131213)

I’d suggest to ignore these files.
But you can change values into avast4.ini file to configure how avast should work with these files.
Click ‘Settings’ in my signature for more info :wink:

What would be helpful is the file name and location, we may have an idea about what it is, e.g. (C:\windows\system32\suspect-file-name.xxx) ?

Hi All,

Thanks for the information. I thought it might be something like that but I wondered why Avast hadn’t given me the options to jail it up in the chest or delete it.

The complete path is:

C:\ADMIN\Local Settings\Temporary Internet Files\Content.IE5\8XQFCX6J\default[3].css\default[3]

So does that mean anything to you guys? What should I do with that thing?

Thanks,

Wendy

Well I’m a little surprised by it picking up a .css file (Cascading Style Sheet) as a decompression bomb, which is usually used to control web page effects, text size, colour, and much more. The .css file is usually an uncompressed text file and I would say it is generally only a few KB in size.

The other strange thing about it is the fact that it has this (\default[3]) after file name default[3].css, you usually see this after the file name for an archive file (zip, which .css isn’t) as avast unpacks or displays the content, but that doesn’t have a file type .css or anything for that matter. So I think this is a hiccup on the detection/classification front.

If this file is still in your Temporary Internet Files, what size it it shown as in windows explorer ?

Since it is a temporary file there is no problem clearing the temporary internet files after checking the file size for me.

Weren’t the options there or, on contrary, they were there but did not work?

Hi Tech,

Well I’m not really sure if I had any options or not. All I remember for sure is that after the scan had completed Avast was showing me a log that indicated that it couldn’t open that particular file. I didn’t see anything that asked what action I wanted to take though.

Hi DavidR,

→ So I think this is a hiccup on the detection/classification front. ← Oh no baby, that wasn’t any hiccup AND don’t you dare go readjusting Avast because of this either because “AVAST! DID ITS JOB!!”

When I had closed the log I just happened to notice that Avast was reporting having scanned xxx number of files and that there was well over 15GB of space used on the HD.

OK, then I had gone to Bleeping Computers and started following all of the required steps to post a HJT log which included running ATF and a couple of virus checkers.

ATF gets rid of all kinds of junk… including Temporary Internet files. Anyway after I had done all of that I ran a complete system scan with Avast!

And this is why I say that AVAST! WORKS!! AND WORKS WELL TOO because avast didn’t find anything BUT it reported the space being used on my HD as being something like 9.8GB… so that means that the ‘hiccup’ that Avast had had was caused by something well over 5GB that was hiding in that .css thing.

For future reference, if I come across something like that again should I try to send it in to Avast so that the tech people can have a look at it and see if it’s something new that’s just gotten into the wild?

Wendy

ATF should have deleted any temporary file used by avast, besides that when it is correctly working, avast deletes its temporary files.
So the disk usage can’t be used by avast temporary files.

If you run ATF right now, won’t the disk usage decrease?

We will never know what that .css file was since you have deleted it, I was suggesting looking at the physical location of the file ‘in’ the temporary internet files location, for size and the files properties (right click menu). That may have provided some information, but we will never know.

You don’t know for sure what was in the .css file and I doubt it was 5GB, what you didn’t mention was what type of scan you did, thorough with archives or what. Any scan with archives enabled will return a greater ‘scanned’ size than the size on disk as avast counts the size of files unpacked from archives to be scanned. In theory since avast didn’t/couldn’t scan this file, it shouldn’t be included in the total size of scanned data (15GB).

It can be investigated here first, but you have to remember a file that can’t be scanned is just that, a file that can’t be scanned. Where this file was reported as a file that can’t (or rather won’t be scanned) because avast believes it ‘might’ be a decompression bomb, boy do I hate that expression as it strikes fear into users. It is not something that is new and has got into the wild, it is just a suspicion by avast that this file if unpacked could be very large, why it is very large isn’t stated other than that daft term decompression bomb.

When fear strikes users act in a way that could result in the deletion of files that are ‘suspect’ only. One of the most common files, a .cab (windows cabinet file) could be very large and might also be reported in this way and deletion could have an impact on your system at some point in the future. So care has to be taken and it investigated fully, there really should be no way an .css file could be this big (your 5GB speculation), it is being downloaded over the internet and it would take ages even on a broadband connection and an eternity on dial-up.

Hi Tech,

Thanks for the reply. Please don’t think that I am complaining about the way that Avast works as I am more than happy with it.

I only mentioned ATF because I had ran that product in preparation to post a HJT log. I have only looked into the Temporary Internet Files folder once during all the years that I’ve had a computer and then only because Avast had just alerted me to something that it called a decompression bomb.

I have no doubt that Avast removes its own temp files as it goes, which is as it should be and you are correct in that ATF would have removed any temp files that Avast might have left.

I believe that you are also correct in that if I were to run ATF right now that the disk usage would decrease.

Now as for the temp file that Avast had found… it was not a file made by Avast, it was a file related to Tor and some downloading that I’d done from their site.

Hi DavidR,

Alas you’re right about never knowing what was in that .css file since I got rid of it when I ran ATF.

BUT I still have to go back to Tor and try to finish up on what I was doing just prior to Avast finding that file so there is still a slim chance that I just might come across that file again.

True, I failed to mention what what type of scan I was doing when Avast found that thing. I only do ONE type of scan with Avast, I believe you call it a “Paranoid” scan as I set Avast to Deep scan everything including ALL archives.

Fear is a good thing and so is the virus chest in Avast. If I would have been given the option to jail that file up in the virus chest I would have but I wouldn’t have deleted it until after I had came here and investigated the file first but I know what you mean about people getting carried away with the Del button.

OK, so when I had run that first scan Avast said that my HD had well over 15GBs on it and then when I ran the second scan after I ran ATF Avast said that my HD had 9.9 GBs on it. Both of those scans were run in the paranoid mode which included archives too.

Here you gave me an answer to part of my problem → there really should be no way an .css file could be this big (your 5GB speculation), it is being downloaded over the Internet and it would take ages even on a broadband connection and an eternity on dial-up.<-- I have DSL and I was downloading something from Tor and that download took well over twelve hours to complete.

Now I have to go on a search and destroy mission to see if I can find that same thing again so that I can get it checked out here.

Thanks,

Wendy

Your welcome, until next time, I hope you don’t need it though ;D

Wendy, I didn’t think you’re complaining avast… you’re reporting an experience, a behavior of the computer and we’re just trying to troubleshoot and understand what’s going on 8)

I got a message like that from Avast! in the “age” of version 4.6. It happened after I changed the extension of an AVI file.

I renamed a file named party1.AVI to party1.tmp and so Avast! alerted me.

Hi DavidR,

Well I’ve run Avast several more times since I opened this thread and so far nothing out of the ordinary has turned up… however, I haven’t played around with TOR since that happened either. I’ll have to give TOR another go to see if it happens again. Not to worry I’ll let you guys know if it does.

Hi Tech,

Sorry, I guess that I just said that wrong. I knew that you didn’t think I was complaining about Avast. And you are correct in that I was reporting an experience. I think that I had simply overlooked the option to quarantine that file when Avast had found it. At least now I have a better understanding of what had happened so that if\when something like that happens again I’ll know what to do about it and I won’t delete anything too quick.

Hi avvidro,

I hadn’t changed any file extensions. But I’d been downloading some stuff and could well have gotten something evil along with my download.

That doesn’t matter much now though because I got rid of it before it had done any damage.

Thanks for all of the information and help guys. I think we can now mark this topic ‘resolved’.

Wendy

Wendy, living and learning. That’s our way of life 8)

hey,
i found one of these decompression bombs and I’ve read the forum but i still have no idea what to do with it.
can someone help me?

-theImmaculate

Short answer, nothing, as this topic indicates, it is just a file that when unpacked to be scanned would be very large.

To be of any more help we need more information, like the file name and its location.

Decompression bomb is just something that unpacks to an unusually big amount of data even though it’s rather small (i.e. has a high compression ratio, for example). It’s nothing to worry about, you are just informed that avast! will not try to unpack the archive (you may not even know that it’s an archive, but it seems like it is) because it may take VERY long to process.
(quoted from Igor: http://forum.avast.com/index.php?topic=15389.msg131213#msg131213)

I’d suggest to ignore these files.
But you can change values into avast4.ini file to configure how avast should work with these files.
Click ‘Settings’ in my signature for more info :wink:

OK so the file name for this decompression bomb is
C:\ProgramData\WildTangent\My HP Game Console\Downloads\en-us\Updates\htdocs-img2.tgz_cache\htdocs-img2

thats all i know

also my computer has been restarting on its own.
a blue screen shows up and i don’t know what to do.
please help!

theImmaculate