
Cannot locate software decompression bomb

Last Modified: 2012-06-27
I ran an Avast BART PE utility and the final report listed a decompression bomb at the address below

C:\WINDOWS\Installer\270be3.msi\01AdminExecuteSequence\7 9 : @ ¬ À Á e=>   e=

As you can see, the last line in the address is garbled text. Also, the address was not found when I tried to manually locate the file. After the scan there was no virus activity. The listing may be false but I wanted to run this question just in case I can locate it. A search on any file name similar to the garbled text had no returns. Any suggestions?

Sudeep Sharma, Technical Designer
CERTIFIED EXPERT

Commented:
It's under the file "C:\WINDOWS\Installer\270be3.msi", which is a compressed format in itself. Hence you are unable to search for it as well.

Just like all AV solutions, Avast did the decompression to scan the files and reported that one of the compressed files has a "decompression bomb".

I would suggest you scan with some other AV as well, and if the same thing or something similar is reported then remove "C:\WINDOWS\Installer\270be3.msi".

I hope that would help.

Sudeep
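Sudeep's point is that the .msi is itself a container and the scanner inflates what is inside it, so "decompression bomb" is a verdict about expansion, not about a file you can find on disk. As an added example (not code from this thread), the Python below applies the heuristics such a scanner uses, the expansion ratio declared in each member's header, a cap on total inflated bytes, and a cap on nesting depth, to a constructed nested ZIP, and reports the hit as a nested path in the same outer\inner\member form the Avast report used. ZIP stands in for MSI/CAB because the standard library can open it; the thresholds are assumptions.

```python
import io
import zipfile

# Thresholds are assumptions for this example; real scanners tune them per format.
MAX_DEPTH = 3                   # nested archives we are willing to open
MAX_RATIO = 100                 # flag a member whose expansion ratio exceeds this
MAX_TOTAL = 16 * 1024 * 1024    # bytes we are willing to inflate for one scan


def build_sample() -> bytes:
    """Constructed input: 4 MiB of zeros zipped, then re-zipped twice more."""
    data, name = b"\x00" * (4 * 1024 * 1024), "payload.bin"
    for wrapper in ("inner.zip", "middle.zip", "outer.zip"):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), wrapper
    return data


def scan(blob: bytes, path: str, depth: int = 0, budget: list = None) -> list:
    """Walk nested ZIPs without ever inflating more than MAX_TOTAL bytes.

    Returns (nested_path, reason) findings; nested_path uses the
    outer\\inner\\member form the scanner report used.
    """
    findings = []
    if budget is None:
        budget = [MAX_TOTAL]            # shared mutable counter across recursion
    if depth > MAX_DEPTH:
        return [(path, f"nested deeper than {MAX_DEPTH} levels; not opened")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings                 # plain data, nothing more to inflate
    with zf:
        for info in zf.infolist():
            member = f"{path}\\{info.filename}"
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                # The declared sizes alone are enough to refuse this member.
                findings.append((member, f"ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1"))
                continue
            # Headers can lie about file_size, so read at most budget+1 bytes.
            with zf.open(info) as fh:
                data = fh.read(budget[0] + 1)
            if len(data) > budget[0]:
                findings.append((member, "inflated bytes exceed scan budget"))
                return findings
            budget[0] -= len(data)
            findings.extend(scan(data, member, depth + 1, budget))
    return findings


def scan_sample() -> list:
    """Run the walker over the constructed sample; the outermost name is assumed."""
    return scan(build_sample(), "outer.zip")


if __name__ == "__main__":
    for nested_path, reason in scan_sample():
        print(nested_path, "->", reason)
```

The member that trips the ratio check is never inflated, and a member whose header under-reports its size is caught by the bounded read rather than by trusting the header; that is the difference between a scanner that reports a bomb and one that is taken down by it.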
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Some bootable AVs for scanning, to ascertain as well @ http://antivirus.about.com/od/freeantivirussoftware/tp/avrescuecd.htm

I am thinking that from command-line browsing you should be able to see the 270be3.msi.
Alternatively, a LiveCD type of file explorer may be able to see it - I am assuming your machine is not infected with a rootkit
@ http://www.livecd.com/explore_computer.htm

With the sample, it can then be submitted for more checks such as VirusTotal, ThreatExpert etc.
But probably the key attention is how it even came onto the machine - root source ...
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
We may also want to make sure that it is of the true file extension (that it is what it claims to be, an MSI)

@ http://mark0.net/soft-trid-e.html

If interested, we can even decompile the MSI into XML (using 'Dark' from the WiX toolset below) and check out its GUID - this can be used as a search key as well (they would not be able to "replay" an existing one though, unless overwritten, but that is unlikely). The GUID can also be used for uninstalling, e.g. msiexec.exe /x {GUID STRING} /QN

@ http://wix.sourceforge.net/index.html

** but we need to be careful to run the artefact in a separate isolated environment (VM image) since it is deemed malicious...
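btan's "true file type" check, as an added example that is not code from this thread and is not TrID: the Python below goes one step beyond the leading magic bytes by parsing the compound-file header that every .msi must carry (the MS-CFB layout) and rejecting a file that has the signature but inconsistent fields, which is the kind of thing a renamed or truncated artefact fails. The signature table and the sample header are constructed for the example. Reading the ProductCode GUID needs the MSI table streams, which this does not parse; use dark.exe or the Windows Installer API for that, as the comment says.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Signature table used in place of TrID (constructed for this example; not exhaustive).
SIGNATURES = [
    (CFB_MAGIC, "OLE2 compound file (the container format used by .msi)"),
    (b"MZ", "DOS/PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"MSCF", "Microsoft cabinet"),
]


def identify(data: bytes) -> str:
    """Return a label for the leading magic bytes, or 'unknown'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def parse_cfb_header(data: bytes) -> dict:
    """Parse and sanity-check the 512-byte compound file header (MS-CFB 2.2).

    Raises ValueError naming the failing field, so a file with the right
    signature but a broken header is not waved through on the magic alone.
    """
    if len(data) < 512:
        raise ValueError("header truncated")
    if not data.startswith(CFB_MAGIC):
        raise ValueError("signature mismatch")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    dir_sectors, fat_sectors, first_dir, _txn, mini_cutoff = struct.unpack_from("<IIIII", data, 40)
    if byte_order != 0xFFFE:
        raise ValueError("byte order %#x" % byte_order)
    if major not in (3, 4):
        raise ValueError("major version %d" % major)
    if sector_shift != (9 if major == 3 else 12):
        raise ValueError("sector shift %d for version %d" % (sector_shift, major))
    if mini_shift != 6 or mini_cutoff != 0x1000:
        raise ValueError("mini-stream parameters out of spec")
    if major == 3 and dir_sectors != 0:
        raise ValueError("v3 files must report 0 directory sectors")
    if fat_sectors == 0:
        raise ValueError("no FAT sectors")
    return {"version": (major, minor), "sector_size": 1 << sector_shift,
            "fat_sectors": fat_sectors, "first_dir_sector": first_dir}


def verify_claimed_type(filename: str, data: bytes) -> tuple:
    """(ok, detail) for a file whose extension claims it is an .msi."""
    if not filename.lower().endswith(".msi"):
        return (False, "not checked: extension is not .msi")
    if not data.startswith(CFB_MAGIC):
        return (False, "extension says .msi but content is: " + identify(data))
    try:
        hdr = parse_cfb_header(data)
    except ValueError as exc:
        return (False, "CFB signature present but header invalid: " + str(exc))
    major, minor = hdr["version"]
    return (True, "compound file v%d.%d, %d-byte sectors" % (major, minor, hdr["sector_size"]))


def make_sample_header() -> bytes:
    """Constructed minimal v3 header; the sectors it references are not present."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)      # minor, major, BOM, shifts
    struct.pack_into("<IIIII", hdr, 40, 0, 1, 1, 0, 0x1000)         # dir/FAT counts, first dir, txn, cutoff
    struct.pack_into("<IIII", hdr, 60, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<I", hdr, 76, 0)                               # DIFAT[0]: FAT in sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 76 + 4 * i, 0xFFFFFFFF)          # remaining DIFAT slots free
    return bytes(hdr)


if __name__ == "__main__":
    print(verify_claimed_type("270be3.msi", make_sample_header()))
    print(verify_claimed_type("270be3.msi", b"MZ" + b"\x00" * 510))
```

The magic bytes only say "OLE2 container", which is also what a .doc or .xls carries; the header fields say whether the container is even well-formed. Neither tells you the file is benign, which is why the comment's point about handling the artefact in an isolated VM stands regardless of what this check returns.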

Author

Commented:
@BillDL: Thanks, I'll check the registry.

Author

Commented:
This solution was right on the money! It was simply a package recompressed into another, and so on. Thanks!
CERTIFIED EXPERT

Commented:
Thank you Tech_20.