3 Replies Latest reply: Dec 15, 2006 10:59 PM by otacon
otacon Level 1 (0 points)
(Please excuse my bad writing - my English isn't that good.)

Sophos AntiVirus (most recent version) warns me:

File Not Scanned (appears to be a 'zip bomb'):
Macintosh HD:System:Library:PrivateFrameworks:MediaKit.framework:Versions:A:Resources:MKDrivers.bundle:Contents:Resources:bootroot.loader


AppleCare says on a PowerPC Mac OS X there is no file like this by default - could only be a virus or could have been added by another (third-party) application.

I found a post on http://www.daniweb.com/techtalkforums/thread59657.html via Google. Someone seems to have the same problem - with a PowerPC Mac OS (Mac mini)!

I use an Intel Mac (MacBook). AppleCare was not able to tell me whether this file is part of the standard installation of an Intel Mac OS - are you?


Could you tell me if this file exists on your (Intel) Mac?

Can you tell me: Is this a zip-bomb - or not?


Thanks for help.

By the way: Sophos has never heard of this file.

Intel MacBook 1st generation   Mac OS X (10.4.8)  
  • Charles Minow Level 6 (9,190 points)
    Hi--

    Welcome to the Apple Discussions.

    (Please excuse my bad writing - my English isn't that good.)


    No problem. It's good enough.

    Could you tell me if this file exists on your (Intel) Mac?


    Yes it does, on an Intel iMac:

    <pre class="command">-rw-r--r-- 1 root wheel 130738 Jul 1 18:47 bootroot.loader</pre>

    Can you tell me: Is this a zip-bomb - or not?


    It's probably not a zip-bomb. It's most likely a false alarm. If you run this command:

    <pre class="command">ls -l /System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Resources/MKDrivers.bundle/Contents/Resources/</pre>

    You can see the contents of that folder, including that file. They're owned by root, so only by giving your permission could they be installed there.

    charlie
  • rhwalker Level 3 (585 points)
    HD:System:Library:PrivateFrameworks:MediaKit.framework:Versions:A:Resources:MKDrivers.bundle:Contents:Resources:bootroot.loader


    Could you tell me if this file exists on your (Intel) Mac?


    On our PPCs running 10.4.8 there is a similar file with the same path, but named "boot.loader" rather than "bootroot.loader". From poking around, it looks like it's part of a boot procedure. That's not to say that the one you have is right or wrong for an Intel Mac. But it might have the different name on an Intel Mac so that it could co-exist with a PPC bootstrap loader in the same folder.

    Can you tell me: Is this a zip-bomb - or not?


    Well, you could submit it to the virustotal.com site, where it can be scanned (for free) by all of the various virus scanners, and you could compare the results. The link is here:
    http://www.virustotal.com/en/indexf.html
    Click the "Browse" button at the top, navigate to the file, then click the "Send" button. To make it easier, I'd option drag (to make a copy, not move) this file to your Desktop, then browse to it from there while on the virustotal.com web site.

    That's a handy web site if you have PCs - they always have viruses.

    Hope this helps,

    Russ

    Xserve G5 2.0 GHz 2 GB RAM   Mac OS X (10.4.8)   Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u
  • otacon Level 1 (0 points)
    Well, you could submit it to the virustotal.com site, where it can be scanned (for free) by all of the various virus scanners, and you could compare the results.


    Great URL, thanks Russ! Hadn't known it, yet...

    These are the results:

    Complete scanning result of "bootroot.loader", received in VirusTotal at 12.16.2006, 07:49:16 (CET).

    Antivirus           Version         Update      Result
    AntiVir             7.3.0.19        12.15.2006  no virus found
    Authentium          4.93.8          12.15.2006  could be an archive bomb
    Avast               4.7.892.0       12.15.2006  no virus found
    AVG                 386             12.15.2006  no virus found
    BitDefender         7.2             12.16.2006  no virus found
    CAT-QuickHeal       8.00            12.15.2006  no virus found
    ClamAV              devel-20060426  12.15.2006  no virus found
    DrWeb               4.33            12.15.2006  no virus found
    eSafe               7.0.14.0        12.14.2006  no virus found
    eTrust-InoculateIT  23.73.87        12.16.2006  no virus found
    eTrust-Vet          30.3.3254       12.15.2006  no virus found
    Ewido               4.0             12.15.2006  no virus found
    Fortinet            2.82.0.0        12.16.2006  no virus found
    F-Prot              3.16f           12.15.2006  could be an archive bomb
    F-Prot4             4.2.1.29        12.15.2006  no virus found
    Ikarus              T3.1.0.26       12.16.2006  no virus found
    Kaspersky           4.0.2.24        12.16.2006  no virus found
    McAfee              4920            12.15.2006  no virus found
    Microsoft           1.1804          12.15.2006  no virus found
    NOD32v2             1924            12.15.2006  no virus found
    Norman              5.80.02         12.15.2006  no virus found
    Panda               9.0.0.4         12.16.2006  no virus found
    Prevx1              V2              12.16.2006  no virus found
    Sophos              4.12.0          12.14.2006  no virus found
    Sunbelt             2.2.907.0       11.30.2006  no virus found
    TheHacker           6.0.3.132       12.14.2006  no virus found
    UNA                 1.83            12.15.2006  no virus found
    VBA32               3.11.1          12.15.2006  no virus found
    VirusBuster         4.3.19:9        12.15.2006  no virus found


    Thanks a lot, folks! Problem solved: no virus, no zip-bomb.

    MacBook 1st generation; PowerBook G4 12" Mac OS X (10.4.8)