-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Don Stikvoort                               Index  :    S-96-18
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Trojan Horse Versions of PKZIP              Date   :  19-Apr-96
===============================================================================

By courtesy of NASIRC (the NASA CERT) we received information on Trojan Horse 
versions of the popular PKZIP software. 

CERT-NL recommends taking good notice and -as always- not accepting any
'sweets from strangers'.

Note that several warnings about this Trojan PKZIP are going around, not all 
of which are as accurate as NASIRC's account.

==============================================================================


        NASIRC has received information that malicious programs packaged
        as a distribution of PKZIP are being distributed at FTP and BBS
        sites. These programs are capable of deleting data from disks and
        should be avoided. The official version of PKZIP is still 2.04g.


SYSTEMS AFFECTED

        Any user of PKWare, Inc.'s PKZIP program with any operating
        system that supports MS-DOS executable files (i.e., MS-DOS,
        Windows 3.x, Windows 95, Windows NT, OS/2) is affected.


PROBLEM DESCRIPTION

        PKZIP from PKWare, Inc. is one of the most widely used
        compression, decompression, and file archiving program for MS-DOS
        systems.  PKZIP is shareware.  The software is distributed
        through public channels, such as anonymous FTP and bulletin board
        system (BBS) sites.  Because it is so popular, bogus versions
        that do not originate with PKWare, Inc., are periodically
        introduced through these public channels. Several of these bogus
        versions have contained viruses or other malicious modifications.
        Several of these versions are Trojan Horse Versions, which will
        erase the hard drive of the computer on which they are executed.
        The bogus versions cannot be recognized before they do their
        damage, except from the version number of the software.  The
        following alert was issued by PKWare, Inc.:


 +--------------- BEGIN INCLUDED Alert from PKWare, Inc. ----------------
 |
 | !!! NOTICE PKZIP TROJAN VERSION !!!
 |
 | It has come to PKWARE's attention that a trojan version of PKZIP is
 | being distributed under the name PKZ300B.ZIP or PKZ300B.EXE. This
 | version is not an offical version and will attempt to destroy your
 | HD. Delete it immediately if you have downloaded this version.  If
 | you have any further questions about this trojan version, contact
 | PKWARE at: support@pkware.com.
 +--------------- END INCLUDED Alert from PKWare, Inc. ----------------


SOLUTION

        Users should use only the current, legitimate versions of PKZIP,
        which are 1.10 and PKZ204G.EXE for MSDOS and PKZWS201.EXE for
        Windows.  Do not attempt to use any versions except these.  More
        information about PKZIP can be obtained from PKWare, Inc. at

                http://www.pkware.com


ADDITIONAL NOTES

        Following is a list of known PKZIP "hacked versions."  These are
        either modified or bogus versions of PKZIP, some of which can
        erase data on a user's computer.  This is the PKWare, Inc.'s list
        as of 06/01/95:

             PKZIP120        Early hack of 1.1
             PKZIP20B        Hack of 1.1
             PKZIP_V2.EXE    ** Trojan Horse **   Will erase hard drive
             PKZ201.ZIP      Hack of 1.93
             PKZ201.EXE      Hack of 1.93
             PKX201.EXE      Hack of 1.93
             PKZ210F.EXE     Unknown
             PKZIPV2         ** Trojan Horse **   Will erase hard drives
             PKUNZIP.COM     Unknown
             PKZIP203.EXE    Unknown
             PUTAV 1.93      Fake putav program (Trojan Horse)
             PKZIP 1.99      Unknown
             PKZIP 2.02      Unknown
             PKZIP 2.2       ** Trojan Horse **   Destroys hard drives
             PKZ305.EXE      Hack of 1.93, fake AV ** VIRUS **
             PKZ41V.EXE      Hack of 1.93
             PKZ300B.ZIP     ** Trojan Horse **   Will erase hard drives
             PKZ300B.EXE     ** Trojan Horse **   Will erase hard drives

        Users who find one of these versions on a system should delete it
        immediately without attempting to run it.  Users who find a bogus
        version on a BBS, FTP site, or WWW site should contact the system
        administrator or sysop of that system immediately.

        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                NASIRC ACKNOWLEDGES: Gary Garb of the UNISYS
                        Computer Emergency Response Team for providing
                        NASIRC with detailed information about this
                        problem.
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IIzSYjBqwfc9jEQKttgCgyV8frj5k1k3lUTU82u9mPaj0EB8AoO9x
yfAJYpcqjmBzrby1BXoyEJ+L
=A7FF
-----END PGP SIGNATURE-----