Errmmm, Stigmata:
1) the files on Simtel are exactly the same as the ones you find on Patchou's server. The only thing that Simtel does is to zip them, nothing more...
2) The point in being a mirrorsite is that they do not alter any of the files they host!
3) You can't hide a file inside a zipfile
4) "rar the file, then using winrar to unrar it it will show u everything inside have a check" ... that makes absolutely no sense...
GiantSpider has sent the file to me...
Size:
Original Plus! 3.01.94:
3.497.984 bytes
Infected Plus! 3.01.94:
3.502.080 bytes (=4096 bytes bigger)
TimeDateStamp: (this is not the timedatestamp that you'll see in windows, but this is the timedatestamp from when the exe file was actually made; it is found inside the exe-header itself)
Original Plus! 3.01.94:
2/6/2004 22:29:47
Infected Plus! 3.01.94:
24/7/2004 22:31:36 (=yesterday!)
The resources (aka setupfiles etc...) inside are the same
Remarks:
It is very strange that the file was downloaded at an official source while the file was named MsgPlus-302.exe.
Note that this happened only to GiantSpider and the person on IRC!
Both GiantSpider and the person who came on IRC got this file by downloading it from an official source.
The thing that popped up after installing was "Bad Elmo, u need to install this with the parental program"...
A scan of the file resulted in nothing, no detected infection (at least as far as I can tell with a cheap/free scanner).
Although I can't find anything (at this moment after a quick search) related to a virus, this has been reported before with other people (and other files):
http://club.cdfreaks.com/showthread.php?t=84510
http://www.pchelper.nl/forum/index.php?showtopic=1718
http://www.talkroot.com/archive/topic/14496-1.html
Also, together with the "bad elmo"-talk, there is also talk about a related MP3_plugin.exe (someone says this is the source of the problem), and inside that file I find "http://www.lop.com". Logical, if you consider that someone else says that that file is the LOP installer. But why the strange name then? :/
Conclusion:
* Either both are infected with some kind of spyware/virus/trojan/whatever (but it is strange that this only happened once and only with Plus! downloading)
* Or something is fishy with the sponsor-program (LOP acting up again?)
Note:
Although it seems that it is some malicious thing called "Bad Elmo", it is really frustrating that you can't find ANYTHING about it on the net. The only things you find are "it is spyware", "it is a virus", etc... but nobody or no company reports about what it ACTUALLY is and what it EXACTLY does....
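The size and header-timestamp comparison described in the post above can be scripted. This is an added example, not part of the original post: the function names are hypothetical, the two byte strings are constructed stand-ins that carry only the sizes and dates quoted in the post (read here as UTC), and a SHA-256 comparison is added alongside.

```python
import hashlib
import struct
from datetime import datetime, timezone

def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF-header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def compare(reference: bytes, suspect: bytes) -> dict:
    """Compare a suspect download against a known-good copy of the installer."""
    ref_built, sus_built = pe_timestamp(reference), pe_timestamp(suspect)
    return {
        "same_sha256": hashlib.sha256(reference).digest() == hashlib.sha256(suspect).digest(),
        "size_delta": len(suspect) - len(reference),
        "reference_built": ref_built,
        "suspect_built": sus_built,
        "suspect_built_later": sus_built > ref_built,
    }

def fake_pe(built: datetime, size: int) -> bytes:
    """Constructed sample: bare DOS + COFF header, zero-padded to `size` bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, int(built.timestamp()))
    return (dos + coff).ljust(size, b"\0")

# Constructed stand-ins using the sizes and dates quoted in the post (read as UTC).
ORIGINAL = fake_pe(datetime(2004, 6, 2, 22, 29, 47, tzinfo=timezone.utc), 3_497_984)
SUSPECT = fake_pe(datetime(2004, 7, 24, 22, 31, 36, tzinfo=timezone.utc), 3_502_080)

if __name__ == "__main__":
    for key, value in compare(ORIGINAL, SUSPECT).items():
        print(f"{key}: {value}")
```

The header timestamp is written by the linker and can be set to any value, so the hash mismatch against a copy from the publisher is the decisive signal; the timestamp and size delta only help describe how the file differs.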