Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: dave@tygra.ddmi.com (David Conrad)
Newsgroups: comp.virus
Subject: Re: PKZIP Auto-Verification feature.. (PC)
Message-ID: <0008.9012071952.AA18950@ubu.cert.sei.cmu.edu>
Date: 7 Dec 90 10:31:50 GMT
Sender: Virus Discussion List
Lines: 34
Approved: krvw@sei.cmu.edu

There's another way the Authenticity Verification of PKZIP might have been fooled, though I doubt it was done this way, for reasons given below.

As far as I know, PKUNZIP simply checks to see if the unzipped file contains the same encrypted key that the file was originally zipped with. Thus, the trojan author could have gotten a valid serial number from PKWARE and zipped the file with it. Upon unzipping, a message would be displayed that the file was authentically made with *A VALID SERIAL NUMBER*. Not necessarily the right serial number.

Does anyone know if the name associated with the serial number is displayed upon unzipping, so that the user can confirm that the data was not just zipped by *someone* with an AV serial number, but by the person whom the user expects to have zipped it? I can't check this myself, as I only have the export version of the software. (Silly damn NSA....)

I presume, however, that the folks at PKWARE could determine which serial number was used to zip the file, even if the current version of their software doesn't display this information upon unzipping (well, of course it wouldn't display the serial number; I meant to say the name), thereby nabbing the culprit.

This seems almost too obvious. Has this been considered? It would be awfully funny if whoever did this had given themselves away, thinking they were clever enough to outwit the AV.

--
David R. Conrad | Domain: dave@tygra.ddmi.com | Path: uunet!tygra!dave
"Save the strong, lose the weak. Never turnin' the other cheek.
 Trust nobody, and don't be no fool. Whatever happened to the Golden Rule?"
                                                   -- Stevie Ray Vaughn
--
= CAT-TALK Conferencing Network, Computer Conferencing and File Archive =
- 1-313-343-0800, 300/1200/2400/9600 baud, 8/N/1. New users use 'new' -
= as a login id. AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET") =
E-MAIL Address: dave@DDMI.COM
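The distinction the post draws, "made with *a* valid serial number" versus "made by the person I expected", is the general difference between checking that an archive is authentic and checking who authenticated it. The following is an added toy model written to illustrate that point; it is not PKZIP's actual AV mechanism, which the post itself only describes from hearsay. It assumes a hypothetical registry mapping serial numbers to a registered name and a per-serial secret, and a keyed hash (HMAC) standing in for whatever PKWARE's scheme computed. The constructed archives show that a weak verifier accepts a trojan zipped by an attacker who simply registered their own copy, while a verifier that compares the registered name against the expected distributor rejects it.

```python
import hashlib
import hmac

# Constructed, hypothetical registry: serial number -> (registered name, secret).
# In this toy model the secret never travels with the archive; the verifier
# looks it up by serial number, so knowing someone's serial is not enough to forge.
REGISTRY = {
    "PK-1001": ("Acme Shareware Ltd", b"acme-secret"),
    "PK-2002": ("J. Random Trojan", b"trojan-secret"),   # attacker's own valid licence
}


def av_tag(secret: bytes, data: bytes) -> str:
    """Keyed hash over the archive contents (stand-in for the real AV signature)."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_archive(serial: str, data: bytes) -> dict:
    """Build a toy archive carrying the content, the serial used, and its AV tag."""
    _, secret = REGISTRY[serial]
    return {"serial": serial, "data": data, "tag": av_tag(secret, data)}


def verify_any_valid_serial(archive: dict):
    """Weak check, as the post describes: accept if *some* registered serial signed it.

    Returns the registered name on success, None on failure.
    """
    entry = REGISTRY.get(archive["serial"])
    if entry is None:
        return None
    name, secret = entry
    if not hmac.compare_digest(archive["tag"], av_tag(secret, archive["data"])):
        return None
    return name


def verify_expected_signer(archive: dict, expected_name: str) -> bool:
    """Stronger check the post asks for: valid AND from the name the user expected."""
    name = verify_any_valid_serial(archive)
    return name is not None and name == expected_name


def demo() -> dict:
    """Constructed scenario: a genuine release and a trojanised one from another licensee."""
    genuine = make_archive("PK-1001", b"LIST.COM v1.0 genuine bytes")
    trojan = make_archive("PK-2002", b"LIST.COM v1.0 plus trojan payload")
    tampered = dict(genuine, data=b"LIST.COM v1.0 genuine bytes, modified")  # tag no longer matches
    return {
        "genuine_weak": verify_any_valid_serial(genuine),
        "trojan_weak": verify_any_valid_serial(trojan),      # passes: it *was* made with a valid serial
        "tampered_weak": verify_any_valid_serial(tampered),  # fails: content changed after tagging
        "genuine_strong": verify_expected_signer(genuine, "Acme Shareware Ltd"),
        "trojan_strong": verify_expected_signer(trojan, "Acme Shareware Ltd"),  # rejected by name
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak verifier is the one the post worries about: every archive produced by any licensed copy reports as authentic, so a registered attacker gets the same reassuring message as a legitimate author. The name comparison is the only thing that turns "authentic" into "from whom I expected", and it also gives the distributor a trail back to the serial that was used, which is the post's second point.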