
PKZIP300 virus - True or False?


Bob Payne

Mar 26, 1996, 3:00:00 AM
PKZIP300.EXE or PKZIP300.ZIP:
I heard about this virus through email, but you can't believe everything you
read. Is this another 'Good Times'-type hoax or is it for real?

What does it do? How is it activated? Can it be detected or cleaned?

--
Bob Payne Software Development Manager
PC Service Source email: bpa...@netcom.com
2350 Valley View
Dallas, TX 75234
(214) 481-4707 WWW: http://www.pcss.net/~bpayne

pp00...@interramp.com

Mar 27, 1996, 3:00:00 AM


> Sender: bpa...@netcom.netcom.com
>
> PKZIP300.EXE or PKZIP300.ZIP:
> I heard about this virus through email, but you can't believe everything you
> read. Is this another 'Good Times'-type hoax or is it for real?
>
> What does it do? How is it activated? Can it be detected or cleaned?
>
> --

Bob,

Not a virus. It's a trojan. The latest PKZIP is version 204G.

Cheers,

DLC


Mikko H. Hypponen

Mar 28, 1996, 3:00:00 AM
Bob Payne (bpa...@netcom.com) wrote:
> PKZIP300.EXE or PKZIP300.ZIP:
> I heard about this virus through email, but you can't believe everything you
> read. Is this another 'Good Times'-type hoax or is it for real?

It's not a virus but a trojan. Warnings about this trojan have
been exceptionally widespread and have been circulated since
early 1995.

As it is a trojan, it does not spread by itself: it's not a very
realistic threat. PKZ300 trojan is not widespread but the warning
is.

--
Mikko Hermanni Hyppönen - Mikko.H...@DataFellows.com
Data Fellows Ltd's F-PROT Pro Support: F-PROT-...@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

Michael West

Mar 28, 1996, 3:00:00 AM
In article <bpayneDo...@netcom.com>, bpa...@netcom.com (Bob Payne) wrote:
>PKZIP300.EXE or PKZIP300.ZIP:
>I heard about this virus through email, but you can't believe everything you
>read. Is this another 'Good Times'-type hoax or is it for real?
>
>What does it do? How is it activated? Can it be detected or cleaned?
>

I just got an alert on this from a friend with connections to the El Segundo
Calif. police department. The following e-mail message was posted on their LAN.
Note - I don't know if this is a hoax or not, I'm trying to find out more info
myself. For what it's worth here's the message:

MESSAGE BEGINS:
According to an El Segundo Police Dept. internal memo.

A new Trojan horse virus is loose named PKZIP300.ZIP, so
named to give the impression that this is a new version of PKZIP.

Do not run this version it will WIPE YOUR HARD DISK!!

Also be aware of possible self expanding archives of same,
possibly named PKZIP300.EXE.

Known valid pkzip versions are:
1.10, 1.93, 2.04c, 2.04e and 2.04g.

The original memo also includes a warning that modems of 14.4
and higher can be affected (although this sounds a bit odd), it did
not say in what way.

MESSAGE ENDS.

--
Michael West - TRW Advanced Technology Products (mike...@trw.com)
"Man will always find a difficult means to perform a simple task"
- Rube Goldberg

'Mike' M Ramey

Mar 29, 1996, 3:00:00 AM
bpa...@netcom.com (Bob Payne) writes:
>PKZIP300.EXE or PKZIP300.ZIP:
>I heard about this virus through email, but you can't believe everything you
>read. Is this another 'Good Times'-type hoax or is it for real?
>What does it do? How is it activated? Can it be detected or cleaned?


From: http://ciac.llnl.gov/ciac/notes/Notes10.shtml

CIAC NOTES

Number 95-10: June 16, 1995
_________________________________________________________________

ATTENTION: CIAC is available 24-hours a day via its two skypage
numbers. To use this service, dial 1-800-759-7243. The PIN numbers
are: 8550070 (for the CIAC duty person) and 8550074 (for the CIAC
manager). Please keep these numbers handy.
_________________________________________________________________

This edition of CIAC NOTES includes:
1. PKZ300B Trojan
2. Logdaemon/FreeBSD vulnerability in S/Key
3. EBOLA Virus Hoax
4. Caibua Virus

Please send your comments and feedback to ci...@llnl.gov.
_________________________________________________________________



PKZIP Trojan

A Trojaned version of the popular, DOS file compression utility PKZIP
is circulating on the networks and on dial-up BBS systems. The
Trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the
following warning from PKWARE:

Some joker out there is distributing a file called PKZ300B.EXE and
PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase
your hard drive if you use it. The most recent version is 2.04G.
Please tell all your friends and favorite BBS stops about this hack.
Thank You. Patrick Weeks Product Support PKWARE, Inc.

PKZ300B.EXE appears to be a self extracting archive, but actually
attempts to format your hard drive. PKZ300B.ZIP is an archive, but the
extracted executable also attempts to format your hard drive. While
PKWARE indicated the Trojan is real, we have not talked to anyone who
has actually touched it. We have no reports of it being seen anywhere
in the DOE.

According to PKWARE, the only released versions of PKZIP are: 1.10,
1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating
on BBS's are hacks or fakes. The current version of PKZIP and PKUNZIP
is 2.04g.

The current version of PKZIP is available in the CIAC Archive, or
directly from PKWARE.

From CIAC:
* ftp://ciac.llnl.gov/pub/ciac/util/pc/pkz204g.exe
* BBS: 510-423-4753, 510-423-3331
From PKWARE:
* ftp://pkware.com/pub/pkware/pkz204g.exe
* BBS: 414-354-8670

Note: Don't forget to pay your shareware fees.
_________________________________________________________________

[snip]
_________________________________________________________________

Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to
employees and contractors of the DOE, such as:
* Incident Handling Consulting
* Computer Security Information
* On-site Workshops
* White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in
Livermore, California, and is a part of its Computer Security
Technology Center. Further information can be found at CIAC. CIAC is
also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
See FIRST for more details.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy.
CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the
Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be
contacted at:

Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ci...@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites
may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST),
call the CIAC voice number 510-422-8193 and leave a message, or call
800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page
PIN numbers, the primary PIN number, 8550070, is for the CIAC duty
person, and the secondary PIN number, 8550074 is for the CIAC Project
Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.

World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: (510) 423-4753 (14.4K baud)
(510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security
information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-l...@llnl.gov:

subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.
_________________________________________________________________

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
_________________________________________________________________

End of CIAC Notes Number 95-10 95_06_16
--
-Mike Ramey 685-0940 FAX:685-3836 Wilcox-171 Box:35-2700 UofW 98195

David Midtbo

Mar 31, 1996, 3:00:00 AM
I don't think this is exactly what this post is referring to, but I just
thought I'd let you know that it is possible to make at least a WEAK trojan
from a .zip file that activates upon unzipping.

Have you ever heard of the CLOCK$.??? Trick? I am not sure about new versions
of DOS, but DOS 5.0 (maybe it's the bios version and not the dos version that
matters) and older had problems with naming a file CLOCK$ because it is a
device the computer uses. Here's how I've converted this problem into a ZIP
trojan.

Proof it works....

In DOS, type "COPY CON CLOCK$.TXT" (CLOCK$.??? will work)
then type random characters into the file "dlkfjalksfdjflklsdflaksdjf"
Hit "CONTROL+Z" to save the file. Then reboot. You will find that your bios
functions have been reset, or changed to garbage.

I used to do this when I was in High School to the PS/2 286's with DOS 3.?
that we used in class. After this was done to them they gave an error message
about the bios and made you hit F1 to continue every time they booted.

How to convert this simple trick into a ZIP trojan...

Make a small zip file with a few files in it. Make it as big or as small as
you want. Then open the zip file up in a hex editor like DISKEDIT that comes
with Norton Utilities. You will see the names of the files you zipped into the
zip. Change one of them to CLOCK$.??? (any extension will work, but make sure
it has the same filename length of characters+ext "clock$.???") and save the
file.

Now, when that file is unzipped it will try to write "CLOCK$.TXT" to the disk
like a normal file but will instead copy the contents of the file to the
CLOCK$ device and thus overwrite the bios.

This is a weak trojan because the damage can be fixed easily by resetting your
bios settings. Just uploading a file rigged like this might be enough to
crash a BBS that has a program to automatically check newly uploaded zips.

--David (tu...@mail.utexas.edu)

If anyone knows more about the clock$ device, please let me know WHY this
works via email. Thanks.


In article <4jliuk$1...@lastactionhero.rs.itd.umich.edu>, you say...

Mikko H. Hypponen

Apr 1, 1996, 3:00:00 AM
David Midtbo (tu...@mail.utexas.edu) wrote:
> Now, when that file is unzipped it will try to write "CLOCK$.TXT" to the
> disk like a normal file but will instead copy the contents of the file to
> the CLOCK$ device and thus overwrite the bios.

PKWare plugged this hole in version 2.04c. Unpacking such a file just
produces an error message nowadays:

PKUNZIP (R) FAST! Extract Utility Version 2.04g 02-01-93

Searching ZIP: TROJAN.ZIP
PKUNZIP: (W10) Warning! Invalid filename: CLOCK$

PKUNZIP: (E11) No file(s) found.

It also detects other common device names like CON, PRN, COM1, LPT1 etc.

Older versions of PKUNZIP and ARJ were indeed vulnerable to such
attacks, but then again, older versions of LHARC were vulnerable to
AUTOLARC.BAT attacks... (if such a file existed inside a LZH archive,
it was executed automatically during extraction).

Use current versions and you are relatively safe from such attacks.
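The device-name check that the two posts above describe (David's CLOCK$.??? entry, and PKUNZIP 2.04c+ refusing it along with CON, PRN, COM1, LPT1 and the like) is easy to reproduce in any extractor you write or wrap. The following is an added example, not PKWARE's code and not from either poster: it inspects a ZIP central directory and flags every entry whose file-name stem is a DOS/Windows device, before anything is written to disk. The set of reserved names is assumed to be the standard DOS/Windows list (AUX, NUL and COM2-9/LPT2-9 are not named in the thread). The archive it inspects is constructed inline; nothing is extracted.

```python
"""Flag ZIP entries whose names resolve to DOS/Windows devices.

Added example (not PKWARE's code). Mirrors the check behind PKUNZIP's
"(W10) Warning! Invalid filename" message described in the thread.
"""
from __future__ import annotations

import io
import re
import zipfile

# CLOCK$ is the device from the thread; CON/PRN/COM1/LPT1 are the ones the
# reply names. The remainder completes the standard DOS/Windows reserved
# list (assumption: a modern extractor should reject all of these).
RESERVED_DEVICES = {
    "CON", "PRN", "AUX", "NUL", "CLOCK$",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


def is_device_name(name: str) -> bool:
    """True if the last path component, minus any extension, is a device.

    DOS opens CLOCK$.TXT, con.log or "NUL  " as the device regardless of
    extension, case or trailing blanks, so the test is on the stem only,
    case-insensitively, with trailing spaces stripped.
    """
    leaf = re.split(r"[\\/]", name)[-1]          # ignore any directory part
    stem = leaf.split(".", 1)[0].rstrip(" ")     # drop extension(s)
    return stem.upper() in RESERVED_DEVICES


def unsafe_entries(archive_bytes: bytes) -> list[str]:
    """Return the names of all entries that would be written to a device.

    Only the central directory is read; no entry is extracted, so this can
    run on an upload before the archive is ever unpacked (the BBS-scanner
    scenario from the thread).
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_device_name(info.filename)]


def build_sample_zip() -> bytes:
    """Constructed sample archive: two ordinary entries and two whose names
    are device names with ordinary extensions. Contents are a few bytes of
    text; the archive exists only in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", "hello")
        zf.writestr("CLOCK$.TXT", "dlkfjalksfdjflklsdflaksdjf")  # from the post
        zf.writestr("docs/con.log", "x")                           # nested, lower-case
        zf.writestr("COMPANY.TXT", "not a device")                 # prefix only, allowed
    return buf.getvalue()


if __name__ == "__main__":
    for bad in unsafe_entries(build_sample_zip()):
        print(f"Warning! Invalid filename: {bad}")
```

The stem-based comparison matters: rejecting only the literal string `CLOCK$` would miss exactly the `CLOCK$.TXT` form the thread describes, while a prefix match would wrongly reject names like `COMPANY.TXT`. Run the check on the central directory before extraction so a rigged archive is refused rather than partially unpacked.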
