============================================================================= AA-95.05 AUSCERT Advisory 14 June, 1995 PKZ300B Contains a Trojan Horse (DOS) ----------------------------------------------------------------------------- 1. Description The Australian Computer Emergency Response Team (AUSCERT) has received information that a file is being distributed on the Internet and on various dial-up BBS systems which claims to be version 3.00G of PKWARE Inc.'s shareware DOS data compression utility, PKZip. The file is being distributed as PKZ300B.EXE and in zipped form as PKZ300B.ZIP. AUSCERT has confirmed that this file is a self-extracting archive which contains a trojan horse. AUSCERT has confirmed that the trojan horse will destroy all data on the PC's hard drive. A trojan horse is a piece of software which claims to do one thing but in reality does something different, usually something malicious. 2. Impact If the trojan horse is executed, all data on the PC hard drive will be destroyed. This is not a virus; it cannot infect other machines unless it is manually run on those machines. 3. Proposed Defences Do not download or execute any file named PKZ300B.EXE or PKZ300B.ZIP. Do not execute any of the files created by PKZ300B.EXE. Always do a full backup before an installation. If the system fails as a result of the installation, then the original configuration may be retrieved from the backup. PKWARE Inc. have confirmed that the latest release of PKZip is v2.04G. There is no release of a version 3.00 from PKWare. The latest release is available from: ftp://pkware.com/pub/pkware/PKZ204G.exe ---------------------------------------------------------------------------- AUSCERT would like to thank Pete Hammes of ASSIST, and Allen Chen and Fred Blonder of NASIRC for their assistance in confirming the extent of this vulnerability. The AUSCERT team also wishes to thank all the people who contacted us to inform us of this problem. ---------------------------------------------------------------------------- If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is the Australian Computer Emergency Response Team, funded by the Australian Academic Research Network (AARNet) for its members. It is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which contains past SERT and AUSCERT Advisories, and other computer security information: ftp://ftp.auscert.org.au/pub/ AUSCERT also maintains a World Wide Web service: http://www.auscert.org.au/ Internet Email: auscert@auscert.org.au (monitored during business hours) Facsimile: (07) 365 4477 (International: +61 7 365 4477) Telephone: (07) 365 4417 (International: +61 7 365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA