Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!sun-barr!olivea!mintaka!bloom-beacon!eru!kth.se!ugle.unit.no!sunic!mcsun!inesc!unl!unl!jpc
From: jpc@fct.unl.pt (Jose Pina Coelho)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Trojan version of VIRUSCAN version 78
Message-ID:
Date: 15 May 91 16:13:15 GMT
References:
Sender: news@fct.unl.pt (USENET News System)
Organization: Universidade Nova de Lisboa -- Lisbon, Portugal
Lines: 62
In-Reply-To: aryehg@darkside.COM's message of 13 May 91 21:50:16 GMT

In article aryehg@darkside.COM (Aryeh Goretsky) writes:
> TROJAN VERSION OF VIRUSCAN VERSION 78
>
> We have received a trojan horse version of VIRUSCAN. The hacked SCAN
> has apparently been uploaded to BBSes in Michigan, USA under the
> filename SCANV78.ZIP. Running PKZIP -V on the file reveals:
>
> [...]
>
> Running PKUNZIP on the file reveals the following:
>
> .PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
> .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
> .PKUNZIP Reg. U.S. Pat. and Tm. Off.
> .
> .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
> . Exploding: AGENTS.TXT -AV
> . Extracting: REGISTER.DOC -AV
> . Exploding: SCAN.EXE -AV
> . Exploding: VALIDATE.COM -AV
> . Exploding: README.1ST -AV
> . Exploding: VIRLIST.TXT -AV
> . Exploding: VALIDATE.DOC -AV
> . Exploding: SCAN78.DOC -AV
> .
> . Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES
>
> While the Authentic Files Verified Message appears, the Serial Number is
> NOT correct. McAfee Associates' Serial Number is NWM405.

This can mean several things:
- PkWare let a bogus ``McAFEE ASSOCIATES'' registration slip in.
- PkWare or McAfee let the key slip out.
- PkWare let the key generator slip out.
- Someone found the algorithm to generate the keys.
- Someone found an algorithm that can generate a tolerable
  percentage of ``correct'' keys.

In the first two cases, the problem can be solved by getting McAfee a
new key.

The other cases need a new key generator to go with PkZip 2.0,
probably doubling the size of the key.

Also the next version of scan should check .zip's that have source at
McAFEE ASSOCIATES and, if the code is the old one, warn that it is no
longer safe. Else warn that the file is bogus.

> [...]
> Aryeh Goretsky
> McAfee Associates Technical Support

What's the word from PkWare?

--
Jose Pedro T. Pina Coelho   | BITNET/Internet: jpc@fct.unl.pt
Rua Jau N 1, 2 Dto          | UUCP: ...!mcsun!unl!jpc
1300 Lisboa, PORTUGAL       | Home phone: (+351) (1
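
The check both messages point at, as an added example that is not part of the original post or of any McAfee or PKWARE tool: the "Authentic files Verified!" banner is trusted only when its serial matches a value obtained out of band, and a withdrawn serial is reported separately, as the reply proposes. The function name, the `PINNED`/`RETIRED` tables and the sample text are assumptions built from the listing quoted above.

```python
import re

# Constructed sample, modelled on the PKUNZIP listing quoted in the post.
SAMPLE = """\
Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
  Exploding: AGENTS.TXT    -AV
 Extracting: REGISTER.DOC  -AV
  Exploding: SCAN.EXE      -AV
  Exploding: VALIDATE.COM  -AV

Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
"""

# Assumption: serials are pinned from an out-of-band source.
# NWM405 is the McAfee serial stated in the quoted advisory.
PINNED = {"MCAFEE ASSOCIATES": "NWM405"}
RETIRED = {}  # publisher -> set of serials withdrawn after a key change

# Only the two member verbs visible in the quoted listing are recognised;
# an optional leading "." covers lines copied from the post itself.
MEMBER = re.compile(r"^\s*\.?\s*(?:Exploding|Extracting):\s+(\S+)\s*(-AV)?\s*$")
BANNER = re.compile(r"Authentic files Verified!\s*#\s*(\S+)\s+Zip Source:\s*(.+?)\s*$")

def check_listing(text, pinned=PINNED, retired=RETIRED):
    """Return (verdict, members_without_AV) for one PKUNZIP listing."""
    members, banner = [], None
    for line in text.splitlines():
        m = MEMBER.match(line)
        if m:
            members.append((m.group(1), m.group(2) is not None))
            continue
        b = BANNER.search(line)
        if b:
            banner = (b.group(1).upper(), b.group(2).upper())
    unsigned = [name for name, has_av in members if not has_av]
    if banner is None:
        return "no-av-banner", unsigned
    serial, source = banner
    if source not in pinned:
        return "unknown-source", unsigned      # nothing to compare against
    if serial in retired.get(source, ()):
        return "retired-serial", unsigned      # "no longer safe" in the reply
    if serial != pinned[source]:
        return "serial-mismatch", unsigned     # "bogus" in the reply
    return ("unsigned-members" if unsigned else "ok"), unsigned

if __name__ == "__main__":
    print(check_listing(SAMPLE))
```
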