zip bombs and virus "Mal/Packer"

Posted by p.mc on November 15, 2006, 12:52 pm
Hi there

I've just used the "multi av" scanner on my PC and run all the vendors with
the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen
to be keygens for one thing or another. I'm pretty sure these were all false
positives, although they were automatically deleted.

(Copied and pasted from David H. Lipman, a googled post)
"MAL/packer is Sophos' heuristic detection of Trojans using new compression
agents known to be used by malware. Sophos will use this Heuristic detection
until the Trojan is fully identified and a signature is created."
So does this mean all keygens will give this response under Sophos?

Also reported were 9 "Appears to be" zip bombs: (3) ".part" files, (3)
".iso", (1) ".rar", (1) ".bin" and (1) ".avi". From my understanding zip bombs
are made to disrupt AV programs and don't run any code or damage your
machine, is that right?
I must determine whether or not these are false positives too. I understand
extensions can be renamed to fool AV programs, but I ran the .avi file, which
indeed was a film, so I'm sure that's a false positive, but for the rest how
does one determine whether these are what Sophos reports as "Appears to be"
zip bombs?

http://en.wikipedia.org/wiki/Zip_bomb

http://www.sophos.com/security/analyses/malpacker.html

--
Regards
p.mc



Posted by David H. Lipman on November 15, 2006, 4:54 pm
From: "p.mc" <nothanks.ok>

| Hi there
|
| I've just used the "multi av" scanner on my PC and run all the vendors with
| the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen
| to be keygens for one thing or another. I'm pretty sure these were all false
| positives, although they were automatically deleted.
|
| (Copied and pasted from David H. Lipman, a googled post)
| "MAL/packer is Sophos' heuristic detection of Trojans using new compression
| agents known to be used by malware. Sophos will use this Heuristic detection
| until the Trojan is fully identified and a signature is created."
| So does this mean all keygens will give this response under Sophos?
|
| Also reported were 9 "Appears to be" zip bombs: (3) ".part" files, (3)
| ".iso", (1) ".rar", (1) ".bin" and (1) ".avi". From my understanding zip bombs
| are made to disrupt AV programs and don't run any code or damage your
| machine, is that right?
| I must determine whether or not these are false positives too. I understand
| extensions can be renamed to fool AV programs, but I ran the .avi file, which
| indeed was a film, so I'm sure that's a false positive, but for the rest how
| does one determine whether these are what Sophos reports as "Appears to be"
| zip bombs?
|
| http://en.wikipedia.org/wiki/Zip_bomb
|
| http://www.sophos.com/security/analyses/malpacker.html
|
| --
|


Using the Sophos module it may declare a large compressed file such as an ISO
file, Ghost file or PST as a "Zip Bomb". This is most likely a false detection.

Yep, that was a good quote and I affirm the quote on Sophos' heuristic
detection.
Keygenerators are malware.

I would say the "Zip Bomb" detections are mostly false. The Mal/packer
detections may be righteous detections.

Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly
considering implementing it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
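
The question in the first post (how to tell whether a file flagged "Appears to be" a zip bomb really is one) and Dave's observation that large ISO, Ghost and PST files trip the same heuristic can both be checked without extracting anything: a zip bomb is defined by the expansion its central directory promises, not by how big it is on disk. The following is an added example, not code from the thread or from Sophos; the thresholds, function names and the constructed sample archives are assumptions for illustration, and it only covers ZIP-format files.

```python
import io
import os
import zipfile

# Assumed thresholds for this example; they are not Sophos' own heuristics.
RATIO_THRESHOLD = 100.0        # declared uncompressed bytes / compressed bytes
UNCOMPRESSED_LIMIT = 1 << 30   # 1 GiB of declared output from one archive
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".bz2")


def inspect_zip(data: bytes) -> dict:
    """Summarise a ZIP from its central directory without inflating any member.

    A big ISO or PST that barely compresses scores a ratio near 1 here, while a
    small archive that declares gigabytes of output scores very high.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()          # metadata only; member data stays packed
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    nested = [i.filename for i in infos if i.filename.lower().endswith(ARCHIVE_EXTS)]
    ratio = uncompressed / compressed if compressed else float("inf")
    suspicious = (ratio >= RATIO_THRESHOLD
                  or uncompressed >= UNCOMPRESSED_LIMIT
                  or bool(nested))     # recursive bombs nest archives in archives
    return {"members": len(infos), "compressed": compressed,
            "uncompressed": uncompressed, "ratio": ratio,
            "nested_archives": nested, "suspicious": suspicious}


def _build(payload: bytes, name: str = "member.bin") -> bytes:
    """Helper for the constructed samples below: one DEFLATE member in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def sample_benign() -> bytes:
    """Constructed sample: 64 KiB of random bytes, which DEFLATE cannot shrink."""
    return _build(os.urandom(64 * 1024))


def sample_inflating() -> bytes:
    """Constructed sample: 4 MiB of zeros, which DEFLATE packs into a few KiB."""
    return _build(b"\0" * (4 * 1024 * 1024))


if __name__ == "__main__":
    for label, blob in (("random", sample_benign()), ("zeros", sample_inflating())):
        print(label, inspect_zip(blob))
```

Files the scanner flagged that are not ZIP containers at all (an .avi, a raw .bin) cannot be judged this way; for those, confirming the file parses as what its extension claims, as the poster did with the film, is the practical check.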



Posted by p.mc on November 15, 2006, 9:16 pm
> From: "p.mc" <nothanks.ok>
>
> | Hi there
> |
> | I've just used the "multi av" scanner on my PC and run all the vendors with
> | the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen
> | to be keygens for one thing or another. I'm pretty sure these were all false
> | positives, although they were automatically deleted.
> |
> | (Copied and pasted from David H. Lipman, a googled post)
> | "MAL/packer is Sophos' heuristic detection of Trojans using new compression
> | agents known to be used by malware. Sophos will use this Heuristic detection
> | until the Trojan is fully identified and a signature is created."
> | So does this mean all keygens will give this response under Sophos?
> |
> | Also reported were 9 "Appears to be" zip bombs: (3) ".part" files, (3)
> | ".iso", (1) ".rar", (1) ".bin" and (1) ".avi". From my understanding zip bombs
> | are made to disrupt AV programs and don't run any code or damage your
> | machine, is that right?
> | I must determine whether or not these are false positives too. I understand
> | extensions can be renamed to fool AV programs, but I ran the .avi file, which
> | indeed was a film, so I'm sure that's a false positive, but for the rest how
> | does one determine whether these are what Sophos reports as "Appears to be"
> | zip bombs?
> |
> | http://en.wikipedia.org/wiki/Zip_bomb
> |
> | http://www.sophos.com/security/analyses/malpacker.html
> |
> | --
> |
>
>
> Using the Sophos module it may declare a large compressed file such as an ISO
> file, Ghost file or PST as a "Zip Bomb". This is most likely a false detection.
>
> Yep, that was a good quote and I affirm the quote on Sophos' heuristic
> detection.
> Keygenerators are malware.
>
> I would say the "Zip Bomb" detections are mostly false. The Mal/packer
> detections may be righteous detections.
>
> Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly
> considering implementing it.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Thanks Dave

BTW I've responded in a.c.v too.

--
Regards
p.mc


