-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Don Stikvoort Index : S-96-18 Distribution : World Page : 1 Classification: External Version: 1 Subject : Trojan Horse Versions of PKZIP Date : 19-Apr-96 =============================================================================== By courtesy of NASIRC (the NASA CERT) we received information on Trojan Horse versions of the popular PKZIP software. CERT-NL recommends taking good notice and -as always- not accepting any 'sweets from strangers'. Note that several warnings about this Trojan PKZIP are going around, not all of which are as accurate as NASIRC's account. ============================================================================== NASIRC has received information that malicious programs packaged as a distribution of PKZIP are being distributed at FTP and BBS sites. These programs are capable of deleting data from disks and should be avoided. The official version of PKZIP is still 2.04g. SYSTEMS AFFECTED Any user of PKWare, Inc.'s PKZIP program with any operating system that supports MS-DOS executable files (i.e., MS-DOS, Windows 3.x, Windows 95, Windows NT, OS/2) is affected. PROBLEM DESCRIPTION PKZIP from PKWare, Inc. is one of the most widely used compression, decompression, and file archiving program for MS-DOS systems. PKZIP is shareware. The software is distributed through public channels, such as anonymous FTP and bulletin board system (BBS) sites. Because it is so popular, bogus versions that do not originate with PKWare, Inc., are periodically introduced through these public channels. Several of these bogus versions have contained viruses or other malicious modifications. Several of these versions are Trojan Horse Versions, which will erase the hard drive of the computer on which they are executed. The bogus versions cannot be recognized before they do their damage, except from the version number of the software. The following alert was issued by PKWare, Inc.: +--------------- BEGIN INCLUDED Alert from PKWare, Inc. ---------------- | | !!! NOTICE PKZIP TROJAN VERSION !!! | | It has come to PKWARE's attention that a trojan version of PKZIP is | being distributed under the name PKZ300B.ZIP or PKZ300B.EXE. This | version is not an offical version and will attempt to destroy your | HD. Delete it immediately if you have downloaded this version. If | you have any further questions about this trojan version, contact | PKWARE at: support@pkware.com. +--------------- END INCLUDED Alert from PKWare, Inc. ---------------- SOLUTION Users should use only the current, legitimate versions of PKZIP, which are 1.10 and PKZ204G.EXE for MSDOS and PKZWS201.EXE for Windows. Do not attempt to use any versions except these. More information about PKZIP can be obtained from PKWare, Inc. at http://www.pkware.com ADDITIONAL NOTES Following is a list of known PKZIP "hacked versions." These are either modified or bogus versions of PKZIP, some of which can erase data on a user's computer. This is the PKWare, Inc.'s list as of 06/01/95: PKZIP120 Early hack of 1.1 PKZIP20B Hack of 1.1 PKZIP_V2.EXE ** Trojan Horse ** Will erase hard drive PKZ201.ZIP Hack of 1.93 PKZ201.EXE Hack of 1.93 PKX201.EXE Hack of 1.93 PKZ210F.EXE Unknown PKZIPV2 ** Trojan Horse ** Will erase hard drives PKUNZIP.COM Unknown PKZIP203.EXE Unknown PUTAV 1.93 Fake putav program (Trojan Horse) PKZIP 1.99 Unknown PKZIP 2.02 Unknown PKZIP 2.2 ** Trojan Horse ** Destroys hard drives PKZ305.EXE Hack of 1.93, fake AV ** VIRUS ** PKZ41V.EXE Hack of 1.93 PKZ300B.ZIP ** Trojan Horse ** Will erase hard drives PKZ300B.EXE ** Trojan Horse ** Will erase hard drives Users who find one of these versions on a system should delete it immediately without attempting to run it. Users who find a bogus version on a BBS, FTP site, or WWW site should contact the system administrator or sysop of that system immediately. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- NASIRC ACKNOWLEDGES: Gary Garb of the UNISYS Computer Emergency Response Team for providing NASIRC with detailed information about this problem. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMXcmwmL2fnkJN/jpAQGwtwQAwbr/O5bZQ+oXHemk5WwS6Np3/NdGM7W2 MuRz2jBo/9PG9CU/kmkNL82An6DHJs+3jjOQCoRTZN6+EuJBzUehQJ1pIifNaoRx rsx+W5B50mGZXaBxz0iFKpt/wBUnVjUaSZq0LtZ2fdHTRy1Oc/4kYDxfMJl0GQ3c q+mRSp/SBM4= =aF2k -----END PGP SIGNATURE-----