Subject Trojan Horse Versions of PKZIP Date 19-Apr-96
39c7aaf626b3ec377aae1ead271b52d24157ab770f5e7f77e7ea6c9013b7b894
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Don Stikvoort Index : S-96-18
Distribution : World Page : 1
Classification: External Version: 1
Subject : Trojan Horse Versions of PKZIP Date : 19-Apr-96
===============================================================================
By courtesy of NASIRC (the NASA CERT) we received information on Trojan Horse
versions of the popular PKZIP software.
CERT-NL recommends taking good notice and -as always- not accepting any
'sweets from strangers'.
Note that several warnings about this Trojan PKZIP are going around, not all
of which are as accurate as NASIRC's account.
==============================================================================
NASIRC has received information that malicious programs packaged
as a distribution of PKZIP are being distributed at FTP and BBS
sites. These programs are capable of deleting data from disks and
should be avoided. The official version of PKZIP is still 2.04g.
SYSTEMS AFFECTED
Any user of PKWare, Inc.'s PKZIP program with any operating
system that supports MS-DOS executable files (i.e., MS-DOS,
Windows 3.x, Windows 95, Windows NT, OS/2) is affected.
PROBLEM DESCRIPTION
PKZIP from PKWare, Inc. is one of the most widely used
compression, decompression, and file archiving program for MS-DOS
systems. PKZIP is shareware. The software is distributed
through public channels, such as anonymous FTP and bulletin board
system (BBS) sites. Because it is so popular, bogus versions
that do not originate with PKWare, Inc., are periodically
introduced through these public channels. Several of these bogus
versions have contained viruses or other malicious modifications.
Several of these versions are Trojan Horse Versions, which will
erase the hard drive of the computer on which they are executed.
The bogus versions cannot be recognized before they do their
damage, except from the version number of the software. The
following alert was issued by PKWare, Inc.:
+--------------- BEGIN INCLUDED Alert from PKWare, Inc. ----------------
|
| !!! NOTICE PKZIP TROJAN VERSION !!!
|
| It has come to PKWARE's attention that a trojan version of PKZIP is
| being distributed under the name PKZ300B.ZIP or PKZ300B.EXE. This
| version is not an offical version and will attempt to destroy your
| HD. Delete it immediately if you have downloaded this version. If
| you have any further questions about this trojan version, contact
| PKWARE at: support@pkware.com.
+--------------- END INCLUDED Alert from PKWare, Inc. ----------------
SOLUTION
Users should use only the current, legitimate versions of PKZIP,
which are 1.10 and PKZ204G.EXE for MSDOS and PKZWS201.EXE for
Windows. Do not attempt to use any versions except these. More
information about PKZIP can be obtained from PKWare, Inc. at
http://www.pkware.com
ADDITIONAL NOTES
Following is a list of known PKZIP "hacked versions." These are
either modified or bogus versions of PKZIP, some of which can
erase data on a user's computer. This is the PKWare, Inc.'s list
as of 06/01/95:
PKZIP120 Early hack of 1.1
PKZIP20B Hack of 1.1
PKZIP_V2.EXE ** Trojan Horse ** Will erase hard drive
PKZ201.ZIP Hack of 1.93
PKZ201.EXE Hack of 1.93
PKX201.EXE Hack of 1.93
PKZ210F.EXE Unknown
PKZIPV2 ** Trojan Horse ** Will erase hard drives
PKUNZIP.COM Unknown
PKZIP203.EXE Unknown
PUTAV 1.93 Fake putav program (Trojan Horse)
PKZIP 1.99 Unknown
PKZIP 2.02 Unknown
PKZIP 2.2 ** Trojan Horse ** Destroys hard drives
PKZ305.EXE Hack of 1.93, fake AV ** VIRUS **
PKZ41V.EXE Hack of 1.93
PKZ300B.ZIP ** Trojan Horse ** Will erase hard drives
PKZ300B.EXE ** Trojan Horse ** Will erase hard drives
Users who find one of these versions on a system should delete it
immediately without attempting to run it. Users who find a bogus
version on a BBS, FTP site, or WWW site should contact the system
administrator or sysop of that system immediately.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
NASIRC ACKNOWLEDGES: Gary Garb of the UNISYS
Computer Emergency Response Team for providing
NASIRC with detailed information about this
problem.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IIzSYjBqwfc9jEQKttgCgyV8frj5k1k3lUTU82u9mPaj0EB8AoO9x
yfAJYpcqjmBzrby1BXoyEJ+L
=A7FF
-----END PGP SIGNATURE-----