
zip bomb - Is this file part of Mac OS X installation? - bootroot.loader

(Please excuse my bad writing - my English isn't that good.)

Sophos AntiVirus (most recent version) warns me:

File Not Scanned (appears to be a 'zip bomb'):
Macintosh HD:System:Library:PrivateFrameworks:MediaKit.framework:Versions:A:Resources:MKDrivers.bundle:Contents:Resources: bootroot.loader


AppleCare says on a PowerPC Mac OS X there is no file like this by default - could only be a virus or could have been added by another (third-party) application.

I found a post on http://www.daniweb.com/techtalkforums/thread59657.html via Google. Someone seems to have the same problem - with a PowerPC Mac OS (Mac mini)!

I use an Intel Mac (MacBook). AppleCare was not able to tell me whether this file is part of the standard installation of an Intel Mac OS - are you?


Could you tell me if this file exists on your (Intel) Mac?
Can you tell me: Is this a zip-bomb - or not?


Thanks for help.

By the way: Sophos has never heard of this file.

Intel MacBook 1st generation Mac OS X (10.4.8)

Posted on Dec 15, 2006 8:04 PM

Question marked as Top-ranking reply

Posted on Dec 15, 2006 8:25 PM

Hi--

Welcome to the Apple Discussions.

(Please excuse my bad writing - my English isn't that good.)


No problem. It's good enough.

Could you tell me if this file exists on your (Intel) Mac?


Yes it does, on an Intel iMac:

<pre class="command">-rw-r--r-- 1 root wheel 130738 Jul 1 18:47 bootroot.loader</pre>

Can you tell me: Is this a zip-bomb - or not?


It's probably not a zip-bomb. It's most likely a false alarm. If you run this command:

<pre class="command">ls -l /System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Resources/MKDrivers.bundle/Contents/Resources/</pre>

You can see the contents of that folder, including that file. They're owned by root, so only by giving your permission could they be installed there.

charlie
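
The ownership reasoning in the reply above, as an added example that is not part of the original post: a shell function that checks an `ls -l` line for root:wheel ownership and no group/other write bits. The helper names are hypothetical, the expected owner and group are taken from the listing in the thread, and a pass only shows that writing the file needed administrator rights, not that its content is Apple's.

```shell
#!/bin/sh
# Added example (not from the thread): check `ls -l` lines for the property
# the reply relies on: owner root, group wheel, not writable by group/others.
# check_ls_line and audit_dir are hypothetical helper names.

# check_ls_line LINE: print findings for one `ls -l` line; return 0 if clean.
check_ls_line() {
    # Fields: mode, links, owner, group, size, month, day, time, name.
    read -r mode links owner group size mon day time name <<EOF
$1
EOF
    status=0
    if [ "$owner" != "root" ]; then
        echo "$name: owner is $owner, expected root"; status=1
    fi
    if [ "$group" != "wheel" ]; then
        echo "$name: group is $group, expected wheel"; status=1
    fi
    # In a mode string such as -rw-r--r--, character 6 is the group write
    # bit and character 9 is the write bit for everyone else.
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]; then
        echo "$name: writable by group"; status=1
    fi
    if [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
        echo "$name: writable by others"; status=1
    fi
    return "$status"
}

# audit_dir DIR: run the check over every entry of a directory listing.
audit_dir() {
    # tail drops the leading "total N" line that ls -l prints.
    ls -l "$1" | tail -n +2 | while IFS= read -r entry; do
        check_ls_line "$entry" || :
    done
}

# The listing line posted in the thread, used here as sample input.
sample='-rw-r--r-- 1 root wheel 130738 Jul 1 18:47 bootroot.loader'
check_ls_line "$sample" && echo "bootroot.loader: root:wheel, not group/world writable"
```

On the Mac itself, `audit_dir` can be pointed at the `Resources` folder from the command above to list any entry that does not match.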
Dec 15, 2006 8:27 PM in response to otacon

HD:System:Library:PrivateFrameworks:MediaKit.framework:Versions:A:Resources:MKDrivers.bundle:Contents:Resources: bootroot.loader


Could you tell me if this file exists on your (Intel) Mac?


On our PPCs running 10.4.8 there is a similar file with the same path, but named "boot.loader" rather than "bootroot.loader". From poking around, it looks like it's part of a boot procedure. That's not to say that the one you have is right or wrong for an Intel Mac. But it might have the different name on an Intel Mac so that it could co-exist with a PPC bootstrap loader in the same folder.

Can you tell me: Is this a zip-bomb - or not?


Well, you could submit it to the virustotal.com site, where it can be scanned (for free) by all of the various virus scanners, and you could compare the results. The link is here:
http://www.virustotal.com/en/indexf.html
Click the "Browse" button at the top, navigate to the file, then click the "Send" button. To make it easier, I'd option drag (to make a copy, not move) this file to your Desktop, then browse to it from there while on the virustotal.com web site.

That's a handy web site if you have PCs - they always have viruses.

Hope this helps,

Russ

Xserve G5 2.0 GHz 2 GB RAM Mac OS X (10.4.8) Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u

Dec 15, 2006 10:59 PM in response to rhwalker

Well, you could submit it to the virustotal.com site, where it can be scanned (for free) by all of the various virus scanners, and you could compare the results.


Great URL, thanks Russ! Hadn't known it, yet...

These are the results:

Complete scanning result of "bootroot.loader", received in VirusTotal at 12.16.2006, 07:49:16 (CET).

<pre>
Antivirus           Version         Update      Result
AntiVir             7.3.0.19        12.15.2006  no virus found
Authentium          4.93.8          12.15.2006  could be an archive bomb
Avast               4.7.892.0       12.15.2006  no virus found
AVG                 386             12.15.2006  no virus found
BitDefender         7.2             12.16.2006  no virus found
CAT-QuickHeal       8.00            12.15.2006  no virus found
ClamAV              devel-20060426  12.15.2006  no virus found
DrWeb               4.33            12.15.2006  no virus found
eSafe               7.0.14.0        12.14.2006  no virus found
eTrust-InoculateIT  23.73.87        12.16.2006  no virus found
eTrust-Vet          30.3.3254       12.15.2006  no virus found
Ewido               4.0             12.15.2006  no virus found
Fortinet            2.82.0.0        12.16.2006  no virus found
F-Prot              3.16f           12.15.2006  could be an archive bomb
F-Prot4             4.2.1.29        12.15.2006  no virus found
Ikarus              T3.1.0.26       12.16.2006  no virus found
Kaspersky           4.0.2.24        12.16.2006  no virus found
McAfee              4920            12.15.2006  no virus found
Microsoft           1.1804          12.15.2006  no virus found
NOD32v2             1924            12.15.2006  no virus found
Norman              5.80.02         12.15.2006  no virus found
Panda               9.0.0.4         12.16.2006  no virus found
Prevx1              V2              12.16.2006  no virus found
Sophos              4.12.0          12.14.2006  no virus found
Sunbelt             2.2.907.0       11.30.2006  no virus found
TheHacker           6.0.3.132       12.14.2006  no virus found
UNA                 1.83            12.15.2006  no virus found
VBA32               3.11.1          12.15.2006  no virus found
VirusBuster         4.3.19:9        12.15.2006  no virus found
</pre>


Thanks a lot, folks! Problem solved: no virus, no zip-bomb.

MacBook 1st generation; PowerBook G4 12" Mac OS X (10.4.8)
