Just tested this tonight, and since this actually does have the ability to shut down an AV product, it could precede an actual threat to turn off an AV, then launch the payload behind the archive, I'd imagine. Anyway, I believe the file is a recursive zip file containing Eicar at its core, but set to unpack unlimited amounts of a single character, which puts AV products in an endless loop, effectively locking them up.
Now Avast does not lock up, but it endlessly tries to open the file and scan it, and seems to loop into nothingness.
Since this isn’t a real virus, and is merely a packed Eicar file, I’ve placed this up for download so everyone can test it for themselves if they wish. In addition, hopefully the Avast folks will find a way to deal with this.
Self reply… Possible solution found that Avast can implement?
I’ve found only one AV so far that this archive can’t bring down, and that’s that little Polish gem I found last night. They seem to use a pretty simple method to eliminate this type of problem - or at least control it.
Just in case anyone else tried this (my system clogged too, I manually aborted before any hint of warnings about the Eicar) and is going crazy trying to find the many gigs of temp files so they can be dumped …
On my XP-Home, they wound up under Documents & Settings/Michael/ …etc. I originally did a search in Explorer for extra-large files but, oddly, that turned up nothing. I finally tried re-scanning with avast with archive-checking turned off (still a thorough scan) and made a note of where it was spending an unusual amount of time due to the file sizes, and that’s where they were.
The problem is actually that there is over 100GB of data to unpack before it can scan. If you look very carefully it is a rar file with a 13.5GB file in it, then there are 5 copies of that, as well as other large files; I think it is around 100GB total.
Most mail servers don’t even have that space to unpack it.
You don’t really need much knowledge to make a decompression bomb. Right now I’m making two bombs. One is a Nuclear Cypher Bomb and the second one is Bit2BitBomb. Testing will be done soon. I love this stuff. It’s so damn simple and it has a killing effect.
PS: Kids, don’t do this at home and don’t use it for nasty things.
Sorry to disappoint you, guys, but BitDefender has no problem whatsoever with this zip file. It doesn't even consider it a virus, but an Eicar test file. Time to scan it was almost instant.
This was done on my PC for work. Avast Pro is installed on my personal PC. ;)
KAV-based engine products recognize it as a mail bomb, apparently with signatures. But other products just limit the depth of archive scanning.
BitDefender surprises me that it picks it up, but it could be because BitDefender hardly even unpacks stuff, probably just a limit of its engine, picking up the first Eicar, and stopping its scan automagically. My testing showed very little ability to scan within archives/packed files with BitDefender.
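The two engine-side defences the thread circles around (a cap on archive nesting depth, and a cap on how far a member may expand, checked both from the headers and from bytes actually inflated) as an added Python example; this is not code from the thread or from any product named in it, and the limits, file names and sample payloads are constructed for illustration:

```python
import io
import os
import zipfile

# Constructed limits for this example, not those of any product named in the thread.
MAX_DEPTH = 3                        # nested archives below this depth are not opened
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # unpacked-byte budget for one top-level file
MAX_RATIO = 100                      # declared uncompressed:compressed ratio treated as a bomb

def scan_archive(data, depth=0, budget=None, max_total=MAX_TOTAL_BYTES):
    if budget is None:
        budget = [max_total]                 # one budget shared by all recursion levels
    if depth > MAX_DEPTH:
        return {"verdict": "blocked", "reason": f"nesting deeper than {MAX_DEPTH}"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "clean", "reason": "not a zip"}
    for info in zf.infolist():
        # Header check before any inflation: a bomb advertises a huge file_size against a tiny compress_size.
        if info.file_size > MAX_RATIO * max(info.compress_size, 1):
            return {"verdict": "blocked", "reason": f"{info.filename}: ratio over {MAX_RATIO}"}
        with zf.open(info) as member:        # headers can lie: never inflate past the budget
            inner = member.read(budget[0] + 1)
        budget[0] -= len(inner)
        if budget[0] < 0:
            return {"verdict": "blocked", "reason": "unpacked-byte budget exhausted"}
        if zipfile.is_zipfile(io.BytesIO(inner)):   # sniff content, not the file extension
            result = scan_archive(inner, depth + 1, budget, max_total)
            if result["verdict"] != "clean":
                return result
    return {"verdict": "clean", "reason": "within limits"}

def make_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def constructed_ratio_bomb():      # 4 MiB of one character deflates to a few KiB
    return make_zip("payload.txt", b"A" * (4 * 1024 * 1024))

def constructed_nesting_bomb():    # more wrapping layers than the scanner will open
    data = make_zip("core.txt", b"harmless text")
    for level in range(MAX_DEPTH + 2):
        data = make_zip(f"level{level}.zip", data)
    return data

def constructed_oversize_case():   # incompressible, so only the byte budget can stop it
    return make_zip("random.bin", os.urandom(200 * 1024))
```

Because the byte budget is spent on inflated output rather than trusted from the headers, a member whose header claims a small size but inflates to more is still stopped at `max_total + 1` bytes.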