Solved

Cannot locate software decompression bomb

Posted on 2011-04-27
Last Modified: 2012-06-27
I ran an Avast BART PE utility and the final report listed a decompression bomb at the address below

C:\WINDOWS\Installer\270be3.msi\01AdminExecuteSequence\7 9 : @ ¬ À Á e=>   e=

As you can see, the last line in the address is garbled text. Also, the address was not found when I tried to manually locate the file. After the scan there was no virus activity. The listing may be false but I wanted to run this question just in case I can locate it. A search on any file name similar to the garbled text had no returns. Any suggestions?
Question by:Tech_20

7 Comments
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 35477227
It's under the file "C:\WINDOWS\Installer\270be3.msi", which is a compressed format in itself. Hence you are unable to search for it as well.

Just like all AV solutions, Avast did the decompression to scan the files and reported that one of the compressed files has a "decompression bomb".

I would suggest you scan with some other AV as well, and if the same thing or something similar is reported, then remove "C:\WINDOWS\Installer\270be3.msi".

I hope that helps.

Sudeep
LVL 65

Expert Comment

by:btan
ID: 35482124
Some bootable AVs for scanning, to ascertain as well @ http://antivirus.about.com/od/freeantivirussoftware/tp/avrescuecd.htm

I am thinking that from command-line browsing, you should be able to see 270be3.msi.
Alternatively, a LiveCD type of file explorer should be able to see it - I am assuming your machine is not infected with a rootkit
@ http://www.livecd.com/explore_computer.htm

With the sample, it can then be submitted for more checks, such as VirusTotal, ThreatExpert, etc.
But probably the key attention is how it even came onto the machine - the root source ...
LVL 39

Accepted Solution

by:BillDL (earned 2000 total points)
ID: 35501721
The expression "decompression bomb" is a bit misleading and can be ambiguous.  The term refers to contents that are compressed into a package, then that package is recompressed into another, and so on.  It doesn't necessarily indicate that there is any infection in the packaged files, but most antivirus applications have a user setting to report or not report "decompression bombs" in much the same way as they have a setting to report password protected files that cannot be fully scanned.  It is really just a warning to indicate that the file could not be scanned because the application could not dig through to all the files inside the package, or that all the levels of unpacking could swamp and overwhelm the system or antivirus package.

An *.MSI package IS a compressed package comprising, in some cases, thousands of files that would extract out to some very deep folder hierarchies. Windows installer routines place a copy of the setup package in the C:\Windows\Installer folder for re-use, for example a repair or maintenance install of the application concerned.  You can delete them without harming the system, but that can affect the ability to later add or remove components or uninstall the application.

You can Right-Click on an MSI file and choose Properties to get details of what application the package pertains to.

The file name is random, so it's not as though you can just google "270be3.msi" and get an idea what installed it there.  If, however, you searched the registry using REGEDIT, the name of that *.MSI file should be found against the key(s) that store the "Uninstall" instructions used by Control Panel > Add/Remove Programs.  Other clues as to its origin may also be found in the MRU (recently accessed) keys.

Open REGEDIT (or use a registry file viewer on a copy of the registry hive files from that computer if preserving it) and search for "270be3.msi".  If it appears in a sub-key of:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

or (under user profile GUID):

[HKEY_USERS\S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall]

then the software is installed and you should see the relevant details indicated.
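The registry search described in the accepted answer, scripted in PowerShell. This is an added example, not code from the thread or from Experts Exchange: it walks the Uninstall keys under HKLM and under every loaded user profile hive, looks for any string value that mentions the cached package name, and prints the product details stored beside it. As an addition beyond the answer, it also checks Windows Installer's own per-product cache, whose InstallProperties keys record the cached package path in a LocalPackage value. The file name 270be3.msi is the one from the question; the WOW6432Node key only exists on 64-bit Windows and is skipped silently elsewhere.

```powershell
# Added example (not from the thread): find which installed product owns a
# cached package in C:\Windows\Installer by searching the registry for its name.
# Read-only: nothing is modified or executed.
param(
    [string]$MsiName = '270be3.msi'   # file name reported by the scanner
)

# Add/Remove Programs entries live under these Uninstall keys. HKEY_USERS is
# enumerated so the S-1-5-21-... profile hives from the answer are covered.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 64-bit Windows only
)
$uninstallRoots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Uninstall" }

$keys = @()
foreach ($root in $uninstallRoots) {
    if (Test-Path $root) { $keys += Get-ChildItem $root -ErrorAction SilentlyContinue }
}
# Windows Installer's per-product cache (addition beyond the answer): the
# LocalPackage value here names the cached .msi directly.
$keys += Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties' -ErrorAction SilentlyContinue

$hits = foreach ($key in $keys) {
    $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    # Compare every string value in the key, since the package name may sit in
    # UninstallString, ModifyPath, LocalPackage or another value.
    $match = $props.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like "*$MsiName*" }
    if ($match) {
        [pscustomobject]@{
            Key         = $key.Name
            DisplayName = $props.DisplayName
            Publisher   = $props.Publisher
            InstallDate = $props.InstallDate
            MatchedIn   = ($match.Name -join ', ')
        }
    }
}

if ($hits) { $hits | Format-List } else { "No registry entry references $MsiName" }
```

Run it from an elevated PowerShell so the HKLM and HKEY_USERS branches are readable; a hit with a recognisable DisplayName and Publisher is the same information the answer describes getting from REGEDIT, and a package with no owner anywhere is the case worth following up with a second scanner.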
 
LVL 65

Expert Comment

by:btan
ID: 35503187
We may also want to make sure that it is of the true file extension (that it is what it claims to be, an MSI)

@ http://mark0.net/soft-trid-e.html

If interested, we can even decompile the MSI into XML (using 'Dark' from the WiX toolset below) and check out its GUID - this can be used to search the keys as well (they would not be able to "replay" an existing one though, unless overwritten, but that is unlikely). The GUID can also be used for uninstalling, e.g. msiexec.exe /x {GUID STRING} /QN

@ http://wix.sourceforge.net/index.html

** but we need to be careful to run the artefact in a separate isolated environment (VM image) since it is deemed malicious...
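A way to do the two checks in this comment without TrID or WiX, as an added example rather than code from the thread: a genuine MSI is an OLE Compound File, so its first eight bytes are D0 CF 11 E0 A1 B1 1A E1; if the signature is present, the ProductName and ProductCode (the GUID referred to above) are read from the package's Property table through the WindowsInstaller.Installer COM object that ships with Windows. The package is opened read-only and never executed. The path is the one from the question; the function names are this example's own.

```powershell
# Added example (not from the thread): verify a file really is an MSI, then
# read its ProductName and ProductCode without installing or running anything.
param(
    [string]$Path = 'C:\WINDOWS\Installer\270be3.msi'
)

function Test-OleCompoundFile {
    param([string]$FilePath)
    # OLE Compound File header signature; MSI packages use this container.
    $expected = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $header = New-Object byte[] 8
        if ($stream.Read($header, 0, 8) -lt 8) { return $false }
        for ($i = 0; $i -lt 8; $i++) {
            if ($header[$i] -ne $expected[$i]) { return $false }
        }
        return $true
    }
    finally { $stream.Dispose() }
}

function Get-MsiProperty {
    param([string]$FilePath, [string]$Name)
    # Mode 0 = msiOpenDatabaseModeReadOnly; the package is queried, not run.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null,
        $installer, @($FilePath, 0))
    $query = "SELECT Value FROM Property WHERE Property = '$Name'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { return $null }
    # StringData(1) is the first (and only) column of the result row.
    return $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
}

if (-not (Test-Path $Path)) { throw "File not found: $Path" }
if (-not (Test-OleCompoundFile $Path)) {
    Write-Warning "$Path lacks the OLE compound-file signature, so it is not a real MSI despite its extension."
    return
}
"ProductName : $(Get-MsiProperty -FilePath $Path -Name 'ProductName')"
"ProductCode : $(Get-MsiProperty -FilePath $Path -Name 'ProductCode')"
```

A file that passes the signature check and yields a ProductName matching something in Add/Remove Programs is the benign cached installer the accepted answer describes; a file whose header does not match, or which has no Property table at all, is the one to treat as suspect and handle in the isolated environment the comment recommends.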

Author Comment

by:Tech_20
ID: 35505207
@BillDL: Thanks, I'll check the registry.

Author Closing Comment

by:Tech_20
ID: 35774285
This solution was right on the money! It was simply a package recompressed into another, and so on.  Thanks!
LVL 39

Expert Comment

by:BillDL
ID: 35775227
Thank you Tech_20.