Re: Virus alert!

Dylan (dylan@exmachina.com)
Fri, 25 Oct 1996 09:52:31 -0400


>Date: Sun, 20 Oct 1996 17:16:03 -0400
>Reply-To: dfenton@nico.bway.net
>Originator: wwwac@echonyc.com
>Sender: wwwac@echonyc.com
>From: "David W. Fenton" <dfenton@nico.bway.net>
>To: Multiple recipients of list <wwwac@echonyc.com>
>Subject: Re: New Virus?
>X-Listprocessor-Version: 6.0 -- ListProcessor by Anastasios Kotsikonas
>
>On 20 Oct 96, Tim Bush wrote:
>
>> I just heard about a new Trojan virus and was wondering if anyone knows
>> anything about it.
>> Goes by the name PKZIP300.ZIP, if installed or expanded it will wipe your
>> hard disk clean and affect modems at 14.4 and up. Don't know what they mean
>> about the modem bit. Says it's not yet detectable.
>> Got this from a friend, but I don't know the source. Could be hooey I
>> suppose.
>
>Within the last two weeks, I've seen this crop up on each of the two other
>mailing lists I subscribe to, and I've received it from a friend also.
>
>From the research I did, it appears that at one time (in 1995) this was a real
>trojan horse, although it seems that it was distributed more on BBS's than on
>the Net. However, the present recurrence of the notices (apparently they
>started re-appearing in May '96) appears to be yet another of the urban myth
>type occurrences. The only difference between the PKZIP300 trojan horse and the
>GOOD TIMES virus is that PKZIP300 did in fact exist at one point.
>
>At this point, however, there is _no_ difference between the two.
>
>Please do not continue to spread this virus notice!
>
>The results of my research follow. The info. from Cornell seems to demonstrate
>the most common sense.
>
>------
>
>This is not a virus, but a "Trojan Horse" program that is disguised as a new
>version of the ubiquitous PKZIP program. However, unzipping it actually deletes
>information from your hard drive.
>
>These reliable sites confirm that it is (or _was_) actually real:
>
> http://www.mcafee.com/new/trojzip.html (McAfee is one of the leading
> manufacturers of anti-virus software)
> http://www.pkware.com/fake.html (PKWare is the manufacturer of the
> _real_ PKZip)
> http://www.ncsa.com/pkzip.html (National Computer Security
> Association)
> http://www.datafellows.fi/v-descs/pkz300.htm (the information site on
> the PKZIP3 Trojan from a distributor of F-PROT, one of the major
> anti-virus programs)
> http://www.datafellows.fi/bulletin/bull-223.htm (a bulletin put out by
> the manufacturers of F-PROT)
>
>Here's a quote from that last site's FAQ:
>
> [Q:] I received a warning about a harmful program called PKZIP300. What
> should I do?
>
> [A:] Don't worry too much. PKZIP300 was a Trojan Horse program which claimed
> to be a new version of the popular compression/packing utility PKZIP.
> Actually the program tried to format the hard disk. This Trojan was reported
> in a couple of
> places during spring 1995. After that, it has not been seen anywhere.
>
> For some reason, there was a renewed warning scare about the PKZIP300 Trojan
> during spring 1996. However, although the PKZIP300 Trojan does exist, it is
> extremely unlikely for anybody to actually run into it.
>
> V2.04g is the latest official version of PKZIP.
>
>And some great common sense from Cornell University's helpdesk site
>( http://www.cit.cornell.edu/helpdesk/virus/pkzip300.html ):
>
> A warning is being forwarded around the internet about the pkzip300.exe
> and pkzip300.zip files. According to PKWARE, the makers of the real pkzip
> product, this is true and has been confirmed. . . .
>
> In order for these programs to affect you, you would have to actively seek out
> and download the programs labelled pkz300b.exe or pkz300b.zip and run them on
> your own computer.
>
> It is important to keep this in perspective; it is true that someone at some
> point really did create a bogus PKZIP release. On the other hand, this is a
> Trojan Horse, not a virus. A Trojan Horse is a malicious program disguised as
> a legitimate piece of software, but without the ability to infect other
> programs.
> Because they do not replicate themselves, Trojan Horses are rarely widespread.
>
> Despite what is said in the alert that seems to be circulating again (the
> PKZ300.ZIP version of the alert showed up around here in force last June),
> there has never been any indication that the Trojan was loose "on the
> Internet." Major Internet archive sites, and decent BBSs, are pretty good
> about checking software before posting for public access. Trojan Horses and
> viruses
> are more likely to be found on private BBSs where the SysOp doesn't check
> submissions thoroughly. The CIAC report suggests that that's just where this
> was found.
>
> Thus, this critter likely never was and never will be a threat to the Cornell
> community. If anything, it illustrates the general caveat that one should be
> careful about software obtained from an external source, particularly when not
> from a well known archive site. The more important lesson is to be very
> wary of "alerts" that come from ad hoc sources. Even when they contain some
> germ of
> truth, they rarely give a full and balanced picture.
>
>And last, a site for general virus info.:
>
> http://www.symantec.com/avcenter/virl.html (Symantec makes Norton Anti-Virus)
>
>David W. Fenton |
>New York University | The way of stylistic tolerance
>dfenton@bway.net | dwf4930@is2.nyu.edu | may lead to the final horror of
>http://www.bway.net/~dfenton | John Tesh. --Alex Ross, NYTimes
>
>
----------------------------------------------------------------------------
dylan@bubblecore.com **Bubble Core Records** http://www.bubblecore.com
----------------------------------------------------------------------------
**HEY YOU!!!** LOOK---> NY area DJ seeks gigs. Will spin for travel
expenses and a falafel sandwich. Preferred styles are twisted ambient and
lush, mellow d'n'b, but can throw down dark/techstep, tr*p h*p/acid-jazz/
rare groove, and deep, deep house. For booking, email the above address or
call the Prof. Frink Hotline at 1.800.759.8888 pin# 595.5573 (then select
#2 for voicemail). [Demo tapes available through the same channels]
----------------------------------------------------------------------------