fwd: FW: PKZip Trojan Horse Update #1

J. Allen Hansley (hansley@intex.net)
Wed, 27 Sep 1995 16:44:05 -0500

Trojan Horse ALERT!!!!!!!!!!!

To the Help Desk: I received this message from my friend at EDS. Please
read and forward if needed.

Regards, Allen

>Received: from ns2.eds.com (ns2.eds.com []) by intex.net
> (8.6.12/4.1.4) with ESMTP id OAA03540 for <hansley@intex.net>; Wed, 27 Sep
> 1995 14:53:09 -0500
>Received: by ns2.eds.com (hello)
> id PAA27963; Wed, 27 Sep 1995 15:53:03 -0400
>Received: by nnsp.eds.com (hello)
> id PAA15224; Wed, 27 Sep 1995 15:52:52 -0400
>Received: by pl5.purch.eds.com; Wed, 27 Sep 95 12:10:27 CDT
>Date: Wed, 27 Sep 95 12:09:51 CDT
>Message-ID: <ZvH8+TJMOkA@pl5.purch.eds.com>
>From: "Bonnie Edwards Woods" <bwoods01@purch.eds.com>
>To: hansley@intex.net
>Subject: fwd: FW: PKZip Trojan Horse Update #1
>X-Incognito-SN: 285
>X-Incognito-Format: VERSION=1.60f ENCRYPTED=NO
> Bogus PKZip File ALERT!
>Please read the attached, forwarded message if you are one who uses the
>internet, routinely downloads files from BBS (Bulletin Boards) or internet
>sources, or uses the program PKZip to compress or decompress files.
>John E Bartholomew
>eMAIL - [purchpln.jbarth01] / SMTP - jbarth01@purch.eds.com
>Original Text
>>From CURTIS, BILL , on 6/23/95 2:43 PM:
>To: John E Bartholomew@Admin.PL1@EDS.TRA.PL, WHQ01/CL3MAIL01/RLANEY01
> M E M O R A N D U M
> EDS Corporate Information Security (CIS) - Virus
>DATE: JUNE 9, 1995
> ---------------------------------------------------------------------------
>Two files by the name of PKZ300B.EXE and PKZ300B.ZIP are currently
>in CompuServe. Patrick Weeks of PKWARE, INC.'s Product Support group has
>indicated that the files are not a valid update of PKZIP. He also
>that these files contain code that will try to erase your information on
>your hard drive. Do not attempt to download these files. Downloading or
>execution of a programmed threat could result in system problems and/or
>loss, and perhaps disciplinary action from your management. If you have
>already downloaded these files, delete them immediately - DO NOT EXECUTE
>THEM! (The correct current version of PKZIP is 2.04G.)
>These two files, which are considered Trojan Horses, can only be spread by
>user downloading.
>Because Trojan Horses do not replicate, many anti-virus vendors do not
>research or create "fixes" for them. Users are therefore expected to
>and/or avoid downloading the files/programs in question. However, Command
>(FPROT Professional), EliaShim (ViruSafe), and McAfee Associates (VIRUSCAN)
>have all been informed of the Trojan Horse. If and when detection becomes
>available, CIS will distribute further bulletins.
>1. Use a test PC to try out any software obtained, including new, home,
>co-worker (borroware), demo, game, shareware, freeware and user-developed
>2. If downloading from bulletin boards is necessary, download the
>executable files to a diskette first. Scan the diskette for viruses, then
>execute the programs.
>3. Use an anti-virus memory resident program (otherwise known as a TSR) to
>detect unusual program behavior. Anti-virus TSRs can help minimize
>spreading of a new or unknown virus.
>To avoid further panic situations, we suggest that information is passed
>directly to CIS so that we can initiate the proper research and reply with
>reliable, verified, accurate information. In turn, this information can
>then be distributed throughout your account(s). Your assistance in this
>matter would be greatly appreciated.
>Please contact CIS Virus Control at (703) 742-1489 if you have questions or
>concerns pertaining to computer viruses. If you are an EDS or GM employee,
>please report all virus infections to EDS Corporate Information Security.
>Bonnie Edwards Woods
>Minority- and Women-Owned Business Development