SDSC Security Bulletin 96.04.pkzip3.00

Original Issue Date: 1996/10/22
Updated:             1996/11/21
Version: $Id: 96.04.pkzip3.00,v 1.3 1996/11/21 19:21:43 tep Exp $

Topic: PKZIP 3.0 "Trojan Horse Virus", modems, etc.
________________________________________________________________________________

Recently, "new" reports of the "PKZIP300 Trojan Horse Virus" have
re-emerged from the urban legend swamp. SDSC has received more than 10
reports in the last two weeks, all labeled "urgent", "emergency", and
claiming to report a "new" computer security threat. Many reports also
predicted the "Imminent Death of the Internet (tm)" :-)

While not exactly an "Urban Legend" (UL), this information is rather
old, and rather useless.

This advisory is furnished by SDSC Security Technologies as a service
to the SDSC and Internet communities.

Other organizations have issued similar bulletins since this was
originally issued. For example, see:

    http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

I. Description

This information is rather old, having been first widely released in
May *1995*, although some researchers believe that it was first posted
in *1993*. It is now widely considered to be an Urban Legend (UL), as
the original posting gets passed around, forwarded, and "creatively
re-interpreted".

According to various sources, although this trojan horse did exist, and
was seen a small number of times "in the wild", it was never very
widespread. It actually did attempt to remove all the directories on
your hard drive, but did not reformat the drive.

The extra warning about "affecting modems at 14.4 and higher" is one of
those extra "creative bits" that tend to be added to Urban Legends as
they mutate over the years.

In fact, it is entirely possible that the PKZIP300 Urban Legend
actually spawned the PKZIP300 "trojan horse" that was eventually found
at a very small number of sites around the world (probably fewer than
100 copies were ever "found").

II. Impact

Some users will forward the "warning" to everyone they know, insist on
installing new virus protection software, or insist that this virus be
"blocked at the firewall".

Other users, having seen this before, will emit a small sigh, shake
their heads slowly from side to side, and debate with themselves
whether or not to attempt to educate the Internet community.

III. Solution

Do not forward the message to anyone else.

Send this information to the person who sent the "warning" to you :-)

See the following URLs:

PKWare's official statement from 1995:

    http://www.pkware.com/fake.html

The DoE's Computer Incident Advisory Capability statement:

    http://www.nha.com/ciac6165.html

The alt.comp.virus newsgroup statement:

    ftp://ftp.seas.gwu.edu/pub/rtfm/comp/virus/ALT.COMP.VIRUS_MINI-FAQ_-_READ_BEFORE_POSTING

The Internet Urban Legends Archive:

    http://www.urbanlegends.com/

    (This site includes such computer-related ULs as the "Good Times
    Email Virus" and "Airport Laptop Theft" legends as well as the more
    common "Blue Star LSD tattoo" and "Procter and Gamble is owned by
    Satanists" legends. Enjoy!)

The New Hacker's Dictionary AKA the "Jargon File":

    http://www.ccil.org/jargon/jargon.html

    (Has definitions for "Trojan Horse", "Virus", etc.)

IV. Detecting an attack

Read your email. If there is a message about PKZIP300, you've been
"attacked" :-)

V. Acknowledgments

Information in this bulletin was produced by Tom Perrine, from various
information sources on the Internet (listed above).

San Diego Supercomputer Center: http://www.sdsc.edu

VI. Disclaimers

Copyright 1996 San Diego Supercomputer Center.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident
response teams (both commercial and non-commercial), provided the above
copyright is kept intact and due credit is given to SDSC.

This security alert may be reproduced and distributed, without
permission, in its entirety only, by any person provided such
reproduction and/or distribution is performed for non-commercial
purposes and with the intent of increasing the awareness of the
Internet community.