PKZIP 3.00 Virus UL?
Perry B. Friedman
about it some time last year. Anyone have any more info on this?
Was this really nothing more than another "Good Times" virus?
The lines:
"Experts warn not to download this file. If you expand or install this
file, the virus will wipe out your hard disk and affect modems at 14.4. and
higher.
It's an extremely destructive virus and there is no way yet of
eradicating it."
Definitely have a UL'ish ring to them.
Date: 10 Apr 96 13:15:15
From:"Mark Johnson <mhjo...@oracle.com>" <MHJOHNSO.US.ORACLE.COM>
To: MADAVIDS.US.ORACLE.COM
Subject: Re: Microsoft Trojan horse virus
Cc: secure
X-Orcl-Application: In-Reply-To: MADAVIDS.US.ORACLE.COM's message of 10-Apr-96 01:56
Content-Type: multipart/mixed; boundary=Boundary-4283163-0-1
--Boundary-4283163-0-1
This is getting to be fun. I got a flash warning on this from a collegue a
couple of weeks ago. Being a good citizen, I promptly set a bunch of web
searchers looking for copies of PKZIP300.ZIP and PKZIP300.EXE that I could
download.
What I found were a couple of (very good) virus information sites that
discussed this virus -- including the assertion from PK(whoever) that they had
heard of the virus -- but did not find a single copy of PKZIP300.xxx available
to load. It is my assumption that if alta_vista et al can't find it anywhere,
it probably dosen't exist.
Curiously, the description of the virus etc. was dated June 5, 1995, on at
least one site, calling into question the term "new". One presumes that a
real virus that was reported on in that time frame is probably properly
detected by McAfee and Symantec virus scaning programs, among others.
In any case, 2.04 (204) is the latest PKZIP stuff. If you do see PKZIP300, it
is probably bogus. However, it looks like this report is more likely to be
either an "urban legend" or an email based worm that we are busy propogating.
(You do run a modern, up to date virus scan on anything you let into your
computer, don't you? Viruses are very real--I have cleaned out three
infestations in my group in the past year. The last two I found when my virus
shield software found the Monkey virus on a floppy from a co-worker and the
CONCEPT virus on a Word attachment sent internally by Oracle Office. Be
careful--but not every virus discussed is real.)
Mark Johnson mhjo...@us.oracle.com
UNIX System Architect, Oracle Corporation 500 Oracle Parkway
Open Systems Division Box 659103
Tel: 415 506-2551 Fax: 415 506-7358 Redwood Shores, CA 94065
--Boundary-4283163-0-1
Content-Type: message/rfc822
Date: 10 Apr 96 12:00:20
From:"MADAVIDS.US.ORACLE.COM" <MADAVIDS.US.ORACLE.COM>
To: secure
Subject: Microsoft Trojan horse virus
Cc:
Hi -
>From April 8 Information Week:
"Microsoft's team of security experts recently confirmed the existence
of a Trojan horse virus that masquerades as an upgrade to the popular PKZIP
data compression utility from PKWare.
The file is being sent over the Internet as PKZIP300.ZIP. The actual
shipping version of the compression utility is 2.04.
Experts warn not to download this file. If you expand or install this
file, the virus will wipe out your hard disk and affect modems at 14.4. and
higher.
It's an extremely destructive virus and there is no way yet of
eradicating it."
Cheers-
Mary Ann
```````````````````````````````````````````````````````````````````````````````
Mary Ann Davidson 415 506 3304 Phone
Manager, 415 506 7226 FAX
Security Product Management
```````````````````````````````````````````````````````````````````````````````
He aupuni palapala ko`u; o ke kanaka pono `oia ko`u kanaka.
Mine is the kingdom of education; the righteous man is my man.
-Kauikeaouli (Kamehameha III, King of the Hawaiian Islands from 1825 to
1854)
``````````````````````````````````````````````````````````````````````````````
--Boundary-4283163-0-1--
--Boundary-4283163-0-0--
Melvin Klassen
>I know that the warning is not new, as noted below. I recall heating
>about it some time last year. Anyone have any more info on this?
Surf the Internet: http://WWW.PKWARE.COM/fake.html
and read all about it (last updated May 1995).
Jake Patterson
> I know that the warning is not new, as noted below. I recall heating
> about it some time last year. Anyone have any more info on this?
> Was this really nothing more than another "Good Times" virus?
> The lines:
> "Experts warn not to download this file. If you expand or install
> this file, the virus will wipe out your hard disk and affect modems at
> 14.4. and higher.
>
> It's an extremely destructive virus and there is no way yet of
> eradicating it."
> Definitely have a UL'ish ring to them.
I remember reading about this sometime in 1994, my understanding was that
it was just a batch file that said something like "del c:\*.*". I have
never seen a pkz300g.exe or pkz300g.zip file available anywhere for
download, but I havn't really been looking for it. Just exactly how is it
supposed to "affect modems at 14.4"? Sounds like the classic UL'ish lack
of detail.
__
Yet another Yet another Yet another Yet another Yet anot
lame (TM) lame (TM) lame (TM) lame (TM) lame (TM)
3D .sig! 3D .sig! 3D .sig! 3D .sig! 3D .sig! 3D .
This sig and the post preceding it brought to you by jpat...@mole.uvm.edu
Kurt Lovelace
Pkzip300.zip or varients has been around for years. It's nothing new.
It's not hard to deal with. With almost all virii, you can _only_ get
them if you _run_ them after downloading and extracting from an archive.
Unfortunately, some fo the 'automated' web programs for automatically
downloading, extracting, and installing programs that had intended 'ease
of use' are making it easy for tech-clueless people to get a virus. Hey,
progress, I would never stand in the way...
-=farsight=-
ku...@charm.net
-------------------------=farsight=---------------------------
#!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL
$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa
2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print
pack('H*',$_)while read(STDIN,$m,($w=2*$d-1+length$n&~1)/2)