=============================================================================
AA-95.05      AUSCERT Advisory
         14 June, 1995
         PKZ300B Contains a Trojan Horse (DOS)
-----------------------------------------------------------------------------

1.  Description

    The Australian Computer Emergency Response Team (AUSCERT) has received
    information that a file is being distributed on the Internet and on
    various dial-up BBS systems which claims to be version 3.00G of PKWARE
    Inc.'s shareware DOS data compression utility, PKZip.

    The file is being distributed as PKZ300B.EXE and in zipped form as
    PKZ300B.ZIP.  AUSCERT has confirmed that this file is a self-extracting
    archive which contains a trojan horse.
      
    AUSCERT has confirmed that the trojan horse will destroy all data on
    the PC's hard drive.  
   
    A trojan horse is a piece of software which claims to do one thing but
    in reality does something different, usually something malicious.
      
2.  Impact
   
    If the trojan horse is executed, all data on the PC hard drive will be
    destroyed.

    This is not a virus; it cannot infect other machines unless it is
    manually run on those machines.
   
3.  Proposed Defences

    Do not download or execute any file named PKZ300B.EXE or PKZ300B.ZIP. 
    Do not execute any of the files created by PKZ300B.EXE.
      
    Always do a full backup before an installation.  If the system fails as a
    result of the installation, then the original configuration may be
    retrieved from the backup.
  
    PKWARE Inc. have confirmed that the latest release of PKZip is v2.04G.  
    There is no release of a version 3.00 from PKWare.  The latest release
    is available from:
   
    ftp://pkware.com/pub/pkware/PKZ204G.exe
  
----------------------------------------------------------------------------
AUSCERT would like to thank Pete Hammes of ASSIST, and Allen Chen and Fred
Blonder of NASIRC for their assistance in confirming the  extent of this
vulnerability. The AUSCERT team also wishes to thank all the people who
contacted us to inform us of this problem.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members.  It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which contains past SERT and
AUSCERT Advisories, and other computer security information:

  ftp://ftp.auscert.org.au/pub/

AUSCERT also maintains a World Wide Web service:

  http://www.auscert.org.au/

Internet Email:  auscert@auscert.org.au  (monitored during business hours)
Facsimile:  (07) 365 4477 (International: +61 7 365 4477)
Telephone:  (07) 365 4417 (International: +61 7 365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA