Hoaxes, myths,
urban legends





About us


Truth about computer security hysteria
Truth About Computer Security Hysteria

A new antivirus vulnerability comes to light

Rob Rosenberger, Vmyths co-founder
Wednesday, 1 December 1999 "EXPLORE.ZIP IS BACK!" shouted MSNBC on their "Technology" news menu. It didn't mention a virus; it didn't even mention a threat. Still, this menu item struck fear in the hearts of administrators. Once again we see the lasting power of media hype. Some people will sum up this latest virus with a line from Mike Myers: "I shall call him Mini-Zip." Forget him, folks. Bill Murray uttered the better punch line: "hey, we did this story already!" It's ExploreZip all over again ... except this time it arrived in a proprietary self-extractor format. Vendors re-updated products a half-year later to detect a well-known virus. The media once again urged everyone to update. On a positive note, multiple reporters recognized the obvious reason behind this story. MSNBC's Bob Sullivan noted "the virus has been updated to sneak around most anti-virus protection programs." Jim Kerstetter at ZDNN said much the same: "compressing it changes the bits, meaning that anti-virus software has trouble identifying the new virus." From Chris Oakes at Wired: "[an] unfamiliar software utility compression scheme effectively provided ExplorerZip [sic] with a new disguise."
Okay, I'll bite. Why didn't antivirus software detect ExploreZip during MiniZip's archive extraction process?
True enough. Whoever "updated" ExploreZip did nothing more than repackage it — and thus another widespread antivirus vulnerability has come to light. Extra kudos to Sullivan for mentioning the obvious in his lead paragraph. Oakes offered readers an intriguing theory on how this package surfaced. "Since virus-writers rarely attempt to re-propagate the same virus code," he wrote, "[Mikko Hypponen (Data Fellows)] suspects an innocent mistake. He guesses that a user unwittingly compressed the virus using a relatively rare compression format" unfamiliar to most antivirus packages. "Once uncompressed by a recipient, the virus was able to set off the same email-based proliferation process that spread ExploreZip." Can you imagine if airport security worked this way? "Your briefcase looks suspicious, sir, but my x-ray machine can't penetrate the lining and I don't know how to open it to inspect its contents. You're free to board the plane. Have a nice flight!" Two questions need answers. (1) Why couldn't antivirus software detect a well-known virus during the archive extraction process? (2) Did reporters at least know to ask such an obvious question?