Truth About Computer Security Hysteria
A new antivirus vulnerability comes to light
Wednesday, 1 December 1999
"EXPLORE.ZIP IS BACK!" shouted MSNBC on their "Technology" news
menu. It didn't mention a virus; it didn't even mention a threat. Still, this menu item struck fear in the hearts
of administrators. Once again we see the lasting power of media hype.
Some people will sum up this latest virus with a line from Mike Myers: "I shall call him Mini-Zip."
Forget him, folks. Bill Murray uttered the better punch line: "Hey, we did this story already!"
It's ExploreZip all over again ... except this time it arrived in a proprietary self-extractor format.
Vendors re-updated products a half-year later to detect a well-known virus. The media once again
urged everyone to update.
On a positive note, multiple reporters recognized the obvious reason behind this story. MSNBC's Bob
Sullivan noted "the virus has been updated to sneak around most anti-virus protection programs." Jim
Kerstetter at ZDNN said much the same: "compressing it changes the bits, meaning that anti-virus
software has trouble identifying the new virus." From Chris Oakes at Wired: "[an] unfamiliar
software utility compression scheme effectively provided ExplorerZip [sic] with a new disguise."
True enough. Whoever "updated" ExploreZip did nothing more than repackage it — and thus
another widespread antivirus vulnerability has come to light. Extra kudos to Sullivan for
mentioning the obvious in his lead paragraph.
Oakes offered readers an intriguing theory on how this package surfaced. "Since virus-writers rarely attempt to
re-propagate the same virus code," he wrote, "[Mikko Hypponen (Data Fellows)] suspects an innocent
mistake. He guesses that a user unwittingly compressed the virus using a relatively rare compression format"
unfamiliar to most antivirus packages. "Once uncompressed by a recipient, the virus was able to set off the
same email-based proliferation process that spread ExploreZip."
Can you imagine if airport security worked this way? "Your briefcase looks suspicious, sir, but my x-ray
machine can't penetrate the lining and I don't know how to open it to inspect its contents. You're free to board
the plane. Have a nice flight!"
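The mechanism the reporters describe ("compressing it changes the bits") and the airport analogy above, as an added example that is not part of this article: a toy signature scanner in Python with a constructed stand-in payload and a constructed "self-extractor" format (names and values are assumptions, not real signatures or malware). It shows that a byte-exact signature misses the archived copy, that a scanner which opens the containers it understands still catches it, and that a container it cannot open should be reported as unscannable rather than clean.

```python
import hashlib
import io
import math
import zipfile
import zlib

# Constructed stand-in for the known virus body: 2 KiB of deterministic
# pseudo-random bytes (nothing here is real malware).
KNOWN_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
# Constructed signature database keyed by SHA-256 of the exact bytes.
SIGNATURES = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest(): "ExploreZip (constructed)"}

def raw_match(data: bytes) -> bool:
    """Byte-exact signature check: the only check the 1999 scanners relied on."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES

def zip_wrap(payload: bytes) -> bytes:
    """Pack payload into an in-memory ZIP archive (a container we can open)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zipped_files.exe", payload)
    return buf.getvalue()

def sfx_wrap(payload: bytes) -> bytes:
    """Constructed 'proprietary self-extractor': unknown magic + deflate stream."""
    return b"SFX!" + zlib.compress(payload, 9)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)

def scan(data: bytes, fail_closed: bool = True, depth: int = 0) -> str:
    """Return 'infected', 'clean' or 'unscannable'. fail_closed=False reproduces
    the behaviour the article criticises: whatever cannot be opened is waved through."""
    if raw_match(data):
        return "infected"
    if depth < 4 and data.startswith(b"PK\x03\x04"):  # ZIP: a container we understand
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdicts = {scan(zf.read(n), fail_closed, depth + 1) for n in zf.namelist()}
        except zipfile.BadZipFile:
            return "unscannable" if fail_closed else "clean"
        return next((v for v in ("infected", "unscannable") if v in verdicts), "clean")
    # Unknown format full of high-entropy bytes: we cannot see inside, so do not call it clean.
    if fail_closed and entropy(data) > 7.0:
        return "unscannable"
    return "clean"
```

The `fail_closed=False` path gives exactly the false negative the reporters quoted: the repackaged bytes no longer match, and the scanner has nothing else to say.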
Two questions need answers. (1) Why couldn't antivirus software detect a well-known virus during the archive
extraction process? (2) Did reporters at least know to ask such an obvious question?
Okay, I'll bite. Why didn't antivirus software detect ExploreZip during MiniZip's archive extraction