[Dshield] Re: Dshield digest, Vol 1 #226 - 12 msgs

Peter Feltham peter at intelligentorgs.com
Tue Aug 28 21:00:48 GMT 2001

Hi all

At 16:37 28/08/2001 -0400, in message 5, John wrote:

>Message: 5
>From: "Dalantech" <john at dalantech.com>
>To: <dshield at dshield.org>
>Subject: RE: [Dshield] door opener /ZoneAlarm
>Date: Tue, 28 Aug 2001 16:53:04 +0200
>Reply-To: dshield at dshield.org
>Zone Alarm Pro will change the extension of executable files so that they
>cannot be run just by double clicking on them. If you try to run a file that
>has a zlx extension (where x = some number) ZAP will throw up a dialog box
>asking you if you are sure you want to run the file, and also give you the
>option to open the file in Note Pad.
>I don't think the number in the zlx extension has anything to do with the
>specific virus, just random as far as I can tell (there may be files with
>extensions of zl1 to zl8 on your hard drive, so ZAP chose zl9).

Dalantech is correct.

The reason you cannot find any .ZLn files on your hard disk after dealing with
them is that they get transformed into .EXE files if you open them! ZoneAlarm
nags and nags "This is potentially dangerous. Are you sure?" and then
"Are you really sure?" etc, but finally does the dirty deed if you insist.

I had a Windoze Explorer open to the Eudora attachments folder when I did
finally open one such file (after virus-checking it up down and sideways with
multiple AV tools) and....

... I damn near ate my desk when its file extension flipped from .ZL9 to
.EXE before my horrified eyes..

It was benign. But a very nasty moment.

I think ZoneAlarm should provide oxygen cylinders for such times. ;)

All part of the fun, but still..

BTW, thanks for the link to zonelog.co.uk - nice little tool that one.

Take care out there


Peter Feltham, CEO of Intelligent Organisations.

Tel: +44 208 357 7355           Fax: +44 7050 697 405
                         Private  Fax: +44 7050 694 038
A member of Rheingold Associates
