95-05
dfc57cfb847a2b1ca08109a8aafcd08f290831f56a0e71c9eee3f3921ffbe3b8
=============================================================================
AA-95.05 AUSCERT Advisory
14 June, 1995
PKZ300B Contains a Trojan Horse (DOS)
-----------------------------------------------------------------------------
1. Description
The Australian Computer Emergency Response Team (AUSCERT) has received
information that a file is being distributed on the Internet and on
various dial-up BBS systems which claims to be version 3.00G of PKWARE
Inc.'s shareware DOS data compression utility, PKZip.
The file is being distributed as PKZ300B.EXE and in zipped form as
PKZ300B.ZIP. AUSCERT has confirmed that this file is a self-extracting
archive which contains a trojan horse.
AUSCERT has confirmed that the trojan horse will destroy all data on
the PC's hard drive.
A trojan horse is a piece of software which claims to do one thing but
in reality does something different, usually something malicious.
2. Impact
If the trojan horse is executed, all data on the PC hard drive will be
destroyed.
This is not a virus; it cannot infect other machines unless it is
manually run on those machines.
3. Proposed Defences
Do not download or execute any file named PKZ300B.EXE or PKZ300B.ZIP.
Do not execute any of the files created by PKZ300B.EXE.
Always do a full backup before an installation. If the system fails as a
result of the installation, then the original configuration may be
retrieved from the backup.
PKWARE Inc. have confirmed that the latest release of PKZip is v2.04G.
There is no release of a version 3.00 from PKWare. The latest release
is available from:
ftp://pkware.com/pub/pkware/PKZ204G.exe
----------------------------------------------------------------------------
AUSCERT would like to thank Pete Hammes of ASSIST, and Allen Chen and Fred
Blonder of NASIRC for their assistance in confirming the extent of this
vulnerability. The AUSCERT team also wishes to thank all the people who
contacted us to inform us of this problem.
----------------------------------------------------------------------------
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).
AUSCERT maintains an anonymous FTP service which contains past SERT and
AUSCERT Advisories, and other computer security information:
ftp://ftp.auscert.org.au/pub/
AUSCERT also maintains a World Wide Web service:
http://www.auscert.org.au/
Internet Email: auscert@auscert.org.au (monitored during business hours)
Facsimile: (07) 365 4477 (International: +61 7 365 4477)
Telephone: (07) 365 4417 (International: +61 7 365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA