From random discussions I’ve had with people over the last few months, it seems to me that not too many people really know about a particularly nasty and cunning form of computer attack: the decompression bomb.
First, think about compressing data. Most of us have used an application like WinZip or some similar tool to make our files smaller, albeit less accessible temporarily. These programs take advantage of how signal to noise ratios work in most representations of data; that is, the way we try to represent information is almost always inefficient. There are usually techniques available for removing the parts that aren’t so important, and letting important (or common) information take less space.
For example, the algorithm behind the ZIP programs is largely based on LZW compression: a technique that collapses common substrings down into single codes. Obviously, I’ve completely glossed over how it works, but if you want to know, the information is out there (any computing scientist worth their salt should have at least an idea of how this sort of thing works).
Using a randomly selected document of, say, English text, you would expect a maximum compression ratio of 10:1. That is, given a 100k file, you would expect a zip file of around 10k. That’s pretty good compression! The language being used and the specific text will cause the compression ratio to vary greatly, but the principles remain the same.
The thing is, if you carefully construct an example document, you can get a compression ratio much higher. How much higher? MUCH, MUCH higher. For example, if you created a PNG image containing just one colour repeated over and over then you could easily get a 1000:1 ratio. For a text document containing 1 character repeated over and over, it’s possible to shrink 100Gb to about 6k. Think about that: it is a huge difference, a ratio of roughly 1.7e7:1.
That’s all well and good as an interesting experiment, but what does it mean for an average user? Imagine I had constructed one of those zip files that had shrunk 100Gb down to 6k and I sent you that file. If you trusted me, you might try to open it. Therein lies the problem: while you can readily accept the zipped file, the chances that you have the 100Gb of free memory (including virtual memory) to accommodate the decompressed file are bloody slim. When you try to open one of these files, your computer will quickly become overwhelmed and stop responding; all of the free memory having been used up, it can’t do anything else. You effectively suffer a denial of service attack.
That is what we call a decompression bomb.
There is another factor that could cause problems for people who are careful when opening files: well-meaning programs can open them anyway. If the file arrives on your system (either by explicit downloading or by, say, a mail program fetching it), it’s likely that anti-virus software installed on your system would then want to check if the file contained any viruses. To do this, it pretty much has to decompress the file in memory, leading to the same problem. Oh dear.
Most modern anti-virus software has some defences against decompression bombs, but they can still cause significant system lock-ups while figuring it out. Perhaps more evil is compressed web content, whether images or GZip encoded HTML. No modern browser has a strong defence against decompression bombs. Relatively small files (100Mb decompressed) are usually handled quite well, in that the browser doesn’t crash completely, but go much bigger and most systems will run into trouble. Because browsers, sensibly, accept GZip encoding by default, any URL can hide a problem.
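Both failure modes above, the scanner inflating a file in memory and the browser inflating a GZip response, come down to the same missing check: decompressing with no bound on the output. The following is an added example, not code from the original post, showing how a consumer can inflate a zlib or gzip stream in bounded steps and abort as soon as the output exceeds an absolute cap or a ratio cap. The 32 MB run of a single byte and the block of log lines are constructed inputs; the limits (4 MB and 200:1) are assumptions chosen for illustration. Real scanners tune such thresholds, which is also why legitimate but highly repetitive files can trip a ratio heuristic.

```python
import zlib


class DecompressionBombError(ValueError):
    """Raised when a stream would inflate past the configured limits."""


def _check_limits(produced, compressed, max_output, max_ratio):
    # Absolute cap: never hold more than max_output decompressed bytes.
    if produced > max_output:
        raise DecompressionBombError(
            f"output exceeded {max_output} bytes ({produced} so far)")
    # Ratio cap: decompressed size relative to the whole compressed input.
    if produced > max_ratio * max(compressed, 1):
        raise DecompressionBombError(f"ratio exceeded {max_ratio}:1")


def safe_decompress(data: bytes, max_output: int = 4 * 1024 * 1024,
                    max_ratio: int = 200, step: int = 64 * 1024) -> bytes:
    """Inflate a zlib- or gzip-wrapped stream in bounded steps.

    max_output and max_ratio are illustrative limits (assumptions, not a
    standard).  Because the output is produced at most `step` bytes per call,
    a 6 KB file that claims to hold 100 GB is rejected after a few steps
    instead of exhausting RAM.
    """
    # wbits = 15 | 32 makes zlib auto-detect a zlib or a gzip header.
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    pending = data
    while True:
        # max_length bounds this call's output; input that could not yet be
        # consumed is handed back in unconsumed_tail for the next round.
        out += inflater.decompress(pending, step)
        _check_limits(len(out), len(data), max_output, max_ratio)
        pending = inflater.unconsumed_tail
        if not pending:
            break
    # Whatever the inflater still had buffered (a few hundred bytes at most).
    out += inflater.flush()
    _check_limits(len(out), len(data), max_output, max_ratio)
    return bytes(out)


def is_bomb(data: bytes) -> bool:
    """True if the stream trips either limit before fully inflating."""
    try:
        safe_decompress(data)
    except DecompressionBombError:
        return True
    return False


# Constructed samples (not real files): a benign blob of varying log lines,
# and a 32 MB run of one byte, the pattern the article describes.
BENIGN_PLAIN = b"".join(
    b"constructed sample log line %06d ok\n" % i for i in range(2000))
BENIGN_BLOB = zlib.compress(BENIGN_PLAIN)
BOMB_BLOB = zlib.compress(b"\0" * (32 * 1024 * 1024), 9)


def demo():
    print(f"benign: {len(BENIGN_BLOB)} compressed -> "
          f"{len(safe_decompress(BENIGN_BLOB))} bytes inflated")
    print(f"bomb: {len(BOMB_BLOB)} compressed bytes, flagged: {is_bomb(BOMB_BLOB)}")


if __name__ == "__main__":
    demo()
```

The ratio check uses the size of the whole compressed input as its denominator rather than the bytes consumed so far, so a legitimate file whose first few kilobytes happen to be very compressible is not rejected prematurely; the absolute cap is what actually protects memory.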
Thankfully, problems don’t arise much in practice because there is little to be gained from this activity: if you take out someone’s system, you’ve annoyed them but you can rarely turn this to your advantage, i.e. you can’t illicitly install spyware.
If you want to see some more figures or examples (at your own risk), then the AERAsec decompression bomb page is a great start. It’s where I got a few of my figures from (so thanks for that!), and has a link to some real examples you can try.
Now, Decompression Bombs Part 2 outlines some real-life examples and answers a few questions!
-
Hello,
I came upon this site while trying to find out what a decompression bomb file is. I have Avast antivirus on my computer. I did a scan today and the report showed 2 files that were decompression bombs and could not be scanned. I didn’t know what to do, so I had them put into a vault until I can find out what kind of files they are. I’m just a housewife who uses the computer minimally, mostly e-mails and banking or to find recipes etc. In the last several weeks my computer has been acting strangely. It just freezes and I must restart it. Happens many many times during a session. Would these files have anything to do with the problem? A friend thought that it might have something to do with the computer’s memory because of some unusual activity he saw on the task manager. I don’t know what I’ve got or what to do with the files. Can you help me?
-
Oh geez Gary, yeah, delete files that might be useful to your system, just because your antivirus thinks that it’s compressed too much.
DO NOT DELETE the “COMPRESSION BOMB” – labelled files until you know what those files do. I have some .PST (MS Outlook archive) files that Avast thinks are compression bombs.
And besides, who cares if it is a compression bomb? An inert file sitting somewhere on your system isn’t going to inexplicably open like a lifeboat in an airplane or something.
-
JvD: As the previous commentator already said, she had put them in the vault meaning they were effectively gone. Deleting them is unlikely to make any difference. But yes, I agree that you should be cautious about exactly what you delete: mail files have high compression ratios. I’m just surprised it’s high enough to set off a compression bomb, or that it’s the only heuristic in use (you can use fingerprinting techniques to detect a great number of bombs).
-
Mr. Russell’s comment above was interesting, and suggests that he’s a veteran Windows user – so what if you have to reboot? No big deal if you’re used to it. If you run Windows, you’re used to it (I know; I run Windows).
I don’t think that the point is how much damage this sort of trick can cause, but that it is an intrusion, someone interfering with your use of your computer. Not every exploit has to be devastating, to be a problem.
-
By the way, I believe that the Zip algorithm uses Huffman coding. GZip uses LZW.
-
Thanks for the comment. I freely admit I was using ZIP in the laziest sense possible. In reality, Zip files use various compression methods. The first method used was LZW-based, other revisions use deflate. Deflate, in turn, uses the Huffman encoding (as you point out) and LZ77 encoding; LZ77 encoding itself being the basis of LZW. Phew. I think the Wikipedia page on the Zip File format gives a decent background to all of this. Worth a look.
-
Hi,
I use Avast and it has detected this file: c:\Found000\file\ooochk\file0000
Avast Message shown, Unknown File format: This is a decompression bomb. It’s listed in the scans for avast but I can find the file on the hard disk.
Every time I try to delete / move to chest this file, through avast, it gives me an error message.
Is there any way I can get rid of these files?
-
Gary,
you been getting a tough time here.
if you see this, thanks for enlightening me aboot decomp bombs.
You went oot your way to let the dumb folks(me included) understand and for that as i say, ta.
Cheers and may you have nooo moooore decompression bombs on stinky windows!
Kato ) -
If Gary’s been getting a bit of a tough time, it might be because he didn’t really acknowledge that quite legitimate files may be recognised as so-called decompression bombs. Any compressed file with a high compression ratio risks being flagged by an AV program as a decompression bomb.
e.g. I have a 630 MB file compressed down to 340 MB. Avast! thinks this is a decompression bomb. It isn’t. If I deleted that file, I would be an unhappy camper.
It’s well worth making the effort to determine what the compressed file is for or what its contents are before deleting it.
-
I know you guys are sick of hearing this but I am having the same "decompression bomb" problem. I also am not a computer guru, so when avast gives you that horrible "bomb" message when you are trying to fix a virus that it has found, it kinda freaks you out, especially when it has the word "bomb" associated with it. The "geek squad", a company that will come in and help you with problems like this, says they can fix this for a nominal fee. Is this something that I should do or should I just not really worry about it? It’s in "documents and settings", don’t know if that matters or not. Please help, I don’t have any idea what to do about this problem…
-
I too ended at this site after trying to find out what the 6 alarming sounding "Decompression Bombs" that Avast! turned up on my computer might be.
Of note, the Avast! website bothers not to define the term.
So have now learned what a DCX Bomb is. Interesting, not much of a threat.
In my own case I was not too worried as all the files ID’d in this manner were vacation video footage which I had edited and rendered to DVD format.
Avast! apparently thinks that VOB files are too efficiently compressed – which is certainly open to argument.
-
Me again,
If the "fingerprinting technique" is more effective, what is it and how do you do it? I know I shouldn’t even worry about the D-bomb, but it seems like when we first put the DSL line in a couple of weeks ago, the internet was really really fast, now it has gotten progressively slower. I keep running the anti-virus software from like Microsoft and Windows websites to see what is going on but all they have found so far is a trojan that comes through the backdoor or something like that. I don’t know what else to do…any suggestions? -
Just in the event that nay-sayers didn’t actually read the article, it says nothing about anti virus programs always identifying Decomp Bombs properly. I quote,
Most modern anti-virus software has some defences against decompression bombs, but they can still cause significant system lock-ups while figuring it out.
That is the only mention of an anti virus identifying a bomb, and doesn’t even say the defense is practical. Just that it exists.
And to Gary, thank you for sharing this information. I had a folder that was flagged as holding 3 trojans and two decomp bombs, and I had about 10 minutes this morning to fix things before school.
Thanks for writing this up. It at least made a difference for some of us.
Dante
-
Question…I want to open one of these files…how do I? because my computer recently crashed and as I did a AV scan I found that all the files lost went into a folder starting with C:/foun0000/ and then I forget it from there. But anyway my question is if there’s anyway to restore all this stuff? I went into control panel to the restore option but it couldn’t restore anything… I’d really appreciate it if someone with an answer reply asap because I’m really annoyed that I can’t access my previous works and documents. (btw everything on my desktop was deleted when it crashed…everything else was fine.)
-
Thanks Gary, I have found one of these decompression bombs and was at my wits end so I appreciate your article that at least gives some light on the subject.
Since this one is located in Thunderbird I have a suspicion that it may be my compressed mail files. Now at least I do not have to be so concerned.
As a side note, the file cannot be removed, deleted or put into the virus chest. There is an error message instead. Perhaps this is a protection if it is a necessary file. Go figure.
-
Dear Gary, My daughter’s computer has gotten 6 decompression bombs in her D Drive, over the past few weeks. She has noticed the pc running slower and freezing at times. We can not remove the files, or defragment the drive, please advise how I can solve this problem. Sincerely,
Dianna -
You can avoid some of the issues with ‘bombs’ like these if you use a virtual machine.
Microsoft provide virtual pc for free and vmware is also free at the moment.
The benefit would be that you would do your browsing, or checking, in a virtual machine with limited memory (256Mb). If it dies your main machine is unaffected and the memory was only virtual machine memory. If you have corruption, or virus, issues then you delete your vm and restore from the last good backup. This strategy limits the impact of novelty items such as ‘decompression bombs’ and other inventive ways to waste peoples time and disrupt their lives. -
For these stubborn files people want to remove but can’t — I’m surprised that you can’t. For example, if you used any live CD, even a Linux CD, or maybe Hiren’s Boot CD, couldn’t you come up "alongside" your XP and reach over and delete the file?
And what about a program like Eraser 5.8? Wouldn’t it give you a choice to have the file erased on your next restart?
If not, as a last resort, couldn’t you install a second XP to a different partition — or, if you absolutely had to, even to the same partition (not recommended, but possible) and get at the file from there? You can set up XP from a disk in, well, 39 minutes + about 20 minutes.
And if none of those work for you, couldn’t you have a separate partition for downloads? Use XP’s Computer Management to reformat that partition, bomb and all. Couldn’t that idea be adapted for your mail, too, by sandboxing the program?
I dunno; just some ideas.
-
Nice article about Decompression Bombs Gary. Nothing to get too excited about, unless you routinely open all unexpected/unknown compressed files. But essential to know about especially for those with older computers and/or smaller hard disks (I’m running 1.5TB!!).
Some of the pleas for help here suggest that people are not running effective firewalls. If the PC is behind an ADSL router with an SPI firewall then the Windows firewall will probably do. But if the PC is directly attached to the Internet via a DSL Modem then it needs something much stronger. There are plenty of free and paid-for SPI firewalls out there. No excuse for not running one of these. All of the other caveats for using the Internet also apply. Find out about and secure your PC by visiting http://www.grc.com
Dianna – your daughter’s PC running slow – do you mean just the browser or everything? If it’s just the browser check for and consider removing all Browser Helper Objects (i.e. Google/Yahoo etc. toolbars). The kids love these, like candy in a store, but they clog up the browser dreadfully. Other reasons for running slow generally are low RAM memory and running lots of apps concurrently.
-
Jill,
You mentioned that there was something going on in your task manager that was not correct. This is the clue that needs to be addressed. You are probably getting a high CPU usage on one of the "Image Name" programs. I have found that 95% of the time this is a result of some recently installed software that is either poorly written or it is conflicting with another piece of software. I have even had this problem occur after downloading Microsoft Updates. This is sometimes difficult to track down. Especially if the high CPU usage is showing up under one of the svchost.exe processes. You can try removing recently installed programs and rebooting. Then reinstall each one individually and check to see when the high CPU usage begins again. You can also see if it occurs only when certain programs are open. If it does then either check for an update to the program that seems to be causing it or delete the program.
If the files that Avast is showing as decompression bombs have been moved, then unless you physically click on them they are unlikely to be causing the problem. Hope this helps.
P Tyson -
My decompression bomb came in the winnt internet logs as tvdebug.zip. It seems to also auto unlock my spybot s & d "lock hosts file" w start. The initial symptoms were memory, as stated by other posters, then became evident with win32.iroffer.af. I recommend using spybot s & d to keep your computer manageable, then try making that file a read only file. I have not got into this one much yet, so don’t hold me to it. But spybot has kept the major symptoms at bay.
-
I find this interesting, and agree that it’s not much of a threat compared to other things, although letting them sit there isn’t the best idea (like when some other program is in the startup folder accessing it).
Also, I’ve seen a lot of responses with Avast! concerning its labeling of harmless files as decompression bombs. I have to agree that whatever algorithm or method they use to pick out decompression bombs appears to have flaws. A recent Avast! scan labeled 5 files as decompression bombs, and I noticed that all of them were the install files I had neglected to delete.
While not necessary, they certainly weren’t harmful (quicker way to delete them though). -
I ran Avast and it says that I have two files that are decompression bombs. But it will not let me delete the files. Does anybody know how I could delete these files, or of any programs that can? My computer freezes 2-3 times every hour, so this is really getting annoying. Thanks!
-
Is there a way to extract the OS in my case Windows XP from the computer so I can have it on disk or dvd? I would like to know the steps and explanation or be told where to get it; I also have found decompression bomb notes on my set by Avast. More than 20 at last count. If I back up and restart with a new OS will I transport these bombs to that OS? Is there a better OS to use to not have the problem? Thanks very much, you have a great site!
-
Well here goes my comment:
I use Avast 3 years now. Many times it has detected d-bombs, and I took no action against them. This is the first time I glanced through the net to learn what they are. I never had trouble with them, some times (all the times), they were files belonging to another program (as in Nero).
Now I know what d-bombs are thanks to you people, specially thanks to Gary Fleming.
I found, just by chance, that it is helpful to have two different anti-virus programs in my pc. One in each of my two partitions. So when Avast says BOMB!! my other one (Eset for the moment) says what bomb?! And by doing the math you get to a safe conclusion.
Thanks again for the enlightenment Gary. Alexandros.
-
I am also running Avast on my Ubuntu machine. 4 out of 11 files it identified as D-Bombs were the Ubuntu ISO’s I had downloaded (Kubuntu, Gobuntu, Ubuntu, Xubuntu), 2 were .img files, 1 another .iso and the rest compressed English language tutors. I think you hit it on the head when you said there was a pattern here. Hmmm…Avast me hearties!!!
To the lady with her Windoze machine getting slower, check your Dr. Watson log file; it can sometimes grow out of proportion and you end up with not enough disk space for your virtual memory. Just delete it, it will create another and the debugging info is useless to most people. Do check how much space is free on your hard disk and maybe increase the size of your swap file (virtual memory).
Hope that helps
Tony -
Hi, I got a d-bomb from my avast! scanning but it won’t let me delete it. The file is located in my system volume information folder in the C drive. I don’t know what to do. Help would be appreciated. Also, is this “D bomb” malicious?
-
I just had Avast scan my desktop – it allegedly found 6185 files that it “couldn’t scan” !!! – about half it labelled as “decompression bombs” and another (approx) half were listed as “corrupted” (usually described by Avast as “CAB” files, although their extensions varied all over the map – “exe”, “dll”, “zip”, “jpg”, etc, etc). Remainder of “couldn’t scans” were labelled as various “something elses”, that I don’t remember the details of at the moment.
Will investigate further tonight. [Avast's virus definition was updated last night]. -
Thanks heaps for some very helpful info Gary. I (along with the multitudes using Avast!) have been getting Dbomb and corrupt warnings with all sorts of files, including VOB and system files. If I were to delete these files that are flagged as potentially dangerous I’d lose a lot of video/picture files among other things, and I would probably not be able to boot up due to the removal of system files. I think maybe it would be very wise for people using Avast! to at least create a restore point or even do a back-up before deleting anything that Avast! has flagged, common sense really. BTW, have you heard of any other AV programs that have such a penchant for flagging so many files as Dbombs, corrupted etc, because I have never run across this type of thing in other AV progs. Keep up the good work.
-
I have bombs, as well as Avast. It seems avast is the ONLY antivirus scanner I have seen that finds these “bombs”. So I have a few questions pertaining to these…..
Why is Avast the only, or one of the few antivirus scanners that find these problems? Also….I have a trojan. A bad one. How can I get rid of this? I want to delete it, but I’ve deleted a virus on another computer, and the computer stopped functioning properly. So can someone give me some good advice on deleting a trojan? Also, I know a little about computers, but not a lot, so please keep the technical terms to a minimum, and keep it dumb. Haha -
“There inlies the problem”? Presumably you mean “Therein lies the problem”, which actually makes sense.
-
Thanks for a concise explanation of decompression bombs. Running a deep scan using Avast I got a warning that two files were bombs, files that I had created.
On 3/15 I zipped 3 graphics files to send via email. Afterwards I just left the zipped file in My Documents. Compressed the files are 1,177 KB extracted they are 12,774 KB.
I don’t run virus scans as often as I should (how many users do?). I’ve run Avast scans three times since creating the zipped folder and files without any alert. Running a scan overnight it tagged them, this time, as Decompression Bombs.
Perhaps Avast has been made more cautious. The thinking might be that it is better to be oversensitive than miss something significant.
I’m glad to know that I’m not the accidental father of something malicious. Thanks again! -
I found this site most interesting and it gave me an idea of what to do when the same message came up in my Avast scan.
I found out that Avast was seeing files from the Microsoft program Picture It! as decompression bombs. I actually typed in the file path into Microsoft’s site search and found out the folder was associated with Picture It!
Please check before you delete as I would have lost the use of a program that although I don’t use it a lot kids love to play with it when they visit.
I have only just installed it on this computer in between my usual weekly scans. So maybe also check to see if you have installed a new program recently.
Now all I have to do is tell Avast to ignore them. ;-)
Thanks everybody for the help.
-
I have a d-bomb by Avast and my shredder won’t delete it cause, as the notice says, it is being used by another process -
Well, as with most, Avast is what brought me here. Going off of the general tone from most of the posts, I would be tempted to not stress too much over the d-bombs Avast found…
However, the same day I discover what a d-bomb is I find that I am having problems getting onto the internet. I know it’s not my internet connection because when I plug into another computer, I’m connected.
The files labeled as d-bombs are related to a torrent I’ve been downloading. Could it be that this movie torrent is bad news? Again, I want to go with “no”. However, I’m thinking that my two issues are related.
Please, if anyone can offer some insight, it’d be greatly appreciated.
Finally, a big thanks goes out to Gary for starting this whole thing. I’m pretty impressed that the discussion has been active for two years.
Trackback link: http://solitude.vkps.co.uk/Archives/2006/01/08/decompressionbombs/trackback/