Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!mips!spool.mu.edu!munnari.oz.au!comp.vuw.ac.nz!canterbury!cctr132
From: cctr132@csc.canterbury.ac.nz (Nick FitzGerald, CSC, Uni. of Canterbury, NZ)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Trojan version of VIRUSCAN version 78
Message-ID: <1991May16.175841.761@csc.canterbury.ac.nz>
Date: 16 May 91 05:58:41 GMT
References:
Organization: University of Canterbury, Christchurch, New Zealand
Lines: 32

In article , aryehg@darkside.COM (Aryeh Goretsky) writes:
> TROJAN VERSION OF VIRUSCAN VERSION 78
>[deletions]
> Running PKUNZIP on the file reveals the following:
>
> .PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
> .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
> .PKUNZIP Reg. U.S. Pat. and Tm. Off.
> .
> .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
> . Exploding: AGENTS.TXT -AV
> . Extracting: REGISTER.DOC -AV
> . Exploding: SCAN.EXE -AV
> . Exploding: VALIDATE.COM -AV
> . Exploding: README.1ST -AV
> . Exploding: VIRLIST.TXT -AV
> . Exploding: VALIDATE.DOC -AV
> . Exploding: SCAN78.DOC -AV
> .
> . Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES

Great!! What the hell are we supposed to do here in NZ, where we can't legally get the "full" version of PKUNZIP that gives us the key numbers? If this trojan reached us prior to the warning all we would have seen is up to the "!" in the last "quoted" line.

I suppose it's academic really - given that someone's hacked PK's AV scheme this far, it may not be long before they work out how to get the right key showing up as well.

Nick.