Re: zip bombs and virus "Mal/Packer"
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Wed, 15 Nov 2006 16:54:59 -0500
From: "p.mc" <nothanks.ok>
| Hi there
|
| I've just used the "multi av" scanner on my PC and run all the vendors, with
| the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen
| to be keygens for one thing or another. I'm pretty sure these were all false
| positives, although they were automatically deleted.
|
| (Copied and pasted from David H. Lipman a googled post)
| "MAL/packer is Sophos' heuristic detection of Trojans using new compression
| agents known to be used by malware. Sophos will use this Heuristic detection
| until the Trojan is fully identified and a signature is created."
| So does this mean all keygens will give this response under Sophos?
|
| Also reported were 9 "Appears to be" zip bombs: (3) ".part" files, (3)
| ".iso", (1) ".rar", (1) ".bin" and (1) ".avi". From my understanding zip bombs
| are made to disrupt AV Progs and don't run any code or damage your
| machine, is that right?
| I must determine whether or not these are false positives too. I understand
| extensions can be renamed to fool AV Progs, but I ran the .avi file, which
| indeed was a film, so I'm sure that's a false positive. But for the rest, how
| does one determine whether these are what Sophos reports as "Appears to be"
| zip bombs?
|
| http://en.wikipedia.org/wiki/Zip_bomb
|
| http://www.sophos.com/security/analyses/malpacker.html
|
| --
|
Using the Sophos module it may declare a large compressed file such as an ISO file, Ghost
file or PST as a "Zip Bomb". This is most likely a false detection.
Yep, that was a good quote and I affirm the quote on Sophos' heuristic detection.
Keygenerators are malware.
I would say the "Zip Bomb" detections are mostly false. The Mal/packer detections may be
righteous detections.
Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly considering
implementing it.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
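A defender-side check for the question raised in the thread (how to tell a real zip bomb from a large but honestly compressed ISO, Ghost image or film): this is an added Python example, not code from the thread or from Sophos, that scores each ZIP member by its declared compression ratio and recurses into nested archives without inflating anything declared larger than a cap. The thresholds and the sample archive are constructed for the example, not taken from any scanner.

```python
import io
import os
import zipfile

# Thresholds are assumptions for this example; real scanners tune their own.
SUSPICIOUS_RATIO = 200.0        # declared uncompressed size / compressed size
SIZE_CAP = 16 * 1024 * 1024     # never inflate a member declared larger than this
MAX_DEPTH = 3                   # nested archives are the classic bomb layout
ZIP_MAGIC = b"PK\x03\x04"       # local file header signature of a ZIP member


def scan_zip(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> dict[str, str]:
    """Map each member path to a verdict, recursing into nested ZIP members.

    Verdicts: 'bomb-like' (ratio or declared size too high to inflate),
    'bad-crc' (the header lied about the member), 'normal'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > SUSPICIOUS_RATIO or info.file_size > SIZE_CAP:
                verdicts[path] = "bomb-like"
                continue
            # Safe to inflate: CPython's zipfile never emits more than the
            # declared file_size (bounded above by SIZE_CAP) and raises
            # BadZipFile when the CRC does not match what actually came out.
            try:
                data = zf.read(info)
            except zipfile.BadZipFile:
                verdicts[path] = "bad-crc"
                continue
            if data.startswith(ZIP_MAGIC) and depth < MAX_DEPTH:
                verdicts.update(scan_zip(data, depth + 1, path + "/"))
            else:
                verdicts[path] = "normal"
    return verdicts


def build_sample() -> bytes:
    """Constructed test archive (not a real sample): an incompressible 'film',
    an all-zeros member, and a stored inner ZIP hiding another zeros member."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", bytes(2 * 1024 * 1024))   # ~1000:1 inside
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("film.avi", os.urandom(64 * 1024))        # ratio ~1, like a real film
        zf.writestr("zeros.bin", bytes(4 * 1024 * 1024))     # ratio ~1000:1
        zf.writestr("inner.zip", inner.getvalue(), compress_type=zipfile.ZIP_STORED)
    return outer.getvalue()
```

The stored inner archive shows why the outer header's ratio alone is not enough: it reads as 1:1 until the scanner looks inside.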