Mechanical Music Digest  Archives


PKZIP300 Virus Alert
By Mike Walter

Dear Jody,

I just received a virus alert this morning concerning a new trojan horse virus with the name PKZIP300.ZIP which will affect hard disks and modems at 14.4 and higher. "This is an extremely destructive virus and there is not yet a way of cleaning up this one".

I don't know if it's appropriate for the group, but better to be safe than sorry!!!   Best wishes. Mike Walter

 [ Editor's Note:   This is a little off the topic, but a number of our
 [ readers are just learning how to use the Internet, so a little "help"
 [ isn't necessarily a bad thing.  There have been a lot of virus "hoaxes"
 [ on the 'Net and I'm not certain what the story is on this one.  This is,
 [ however, quite old.  I did a "Web Search" on "PKZIP300" and got five
 [ hits.  The most interesting one is below, which documents several virus
 [ hoaxes and seems to indicate that the PKZIP300 one is _REAL_.  Ugh!
 [ Jody

CIAC Notes, #95-10, June 16, 1995

----------------------------------------------------------------------------

CIAC

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy. CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

----------------------------------------------------------------------


           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/

Number 95-10                                               June 16, 1995

This edition of CIAC NOTES includes:

    1) PKZIP300 Trojan
    2) Logdaemon/FreeBSD vulnerability in S/Key
    3) EBOLA Virus Hoax
    4) Caibua Virus

Please send your comments and feedback to ciac@llnl.gov.

  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
  $ Reference to any specific commercial product does not necessarily   $
  $ constitute or imply its endorsement, recommendation or favoring by  $
  $ CIAC, the University of California, or the United States Government.$
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

=========================================================
1) PKZIP Trojan
=========================================================

A Trojaned version of the popular DOS file compression utility PKZIP is circulating on the networks and on dial-up BBS systems. The Trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the following warning from PKWARE:
-------------------------------------------------------------------------
  Some joker out there is distributing a file called PKZ300B.EXE and
  PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your
  harddrive if you use it.  The most recent version is 2.04G.  Please
  tell all your friends and favorite BBS stops about this hack.

  Thank You.

  Patrick Weeks Product Support PKWARE, Inc.
-------------------------------------------------------------------------
PKZ300B.EXE appears to be a self extracting archive, but actually attempts to format your hard drive. PKZ300B.ZIP is an archive, but the extracted executable also attempts to format your hard drive. While PKWARE indicated the Trojan is real, we have not talked to anyone who has actually touched it. We have no reports of it being seen anywhere in the DOE.

According to PKWARE, the only released versions of PKZIP are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating on BBSs are hacks or fakes. The current version of PKZIP and PKUNZIP is 2.04g.

The current version of PKZIP is available in the CIAC Archive, or directly from PKWARE.

From CIAC:    ftp://ciac.llnl.gov/pub/ciac/util/pc/pkz204g.exe
              BBS: 510-423-4753, 510-423-3331
From PKWARE:  ftp://pkware.com/pub/pkware/pkz204g.exe
              BBS: 414-354-8670

Note: Don't forget to pay your shareware fees.

==========================================================
2) Logdaemon/FreeBSD vulnerability in S/Key
==========================================================

The following was released by Wietse Venema through a vendor bulletin, VB-95:04.venema (ftp://cert.org:/pub/cert_bulletins/VB-95:04.venema). Wietse Venema urges you to act on this information as soon as possible. Please contact him if you have any questions or need further information.

>A vulnerability exists in my own S/Key software enhancements.  Since
>these enhancements are in wide-spread use, a public announcement is
>appropriate.  The vulnerability affects the following products:
>
>        FreeBSD version 1.1.5.1
>        FreeBSD version 2.0
>        logdaemon versions before 4.9
>
>I recommend that users of this software follow the instructions given
>below in section III.
>
>------------------------------------------------------------------------
>
>I.   Description
>
>     An obscure oversight was found in software that I derived from
>     the S/Key software from Bellcore (Bell Communications Research).
>     Analysis revealed that my oversight introduces a vulnerability.
>
>     Note: the vulnerability is not present in the original S/Key
>     software from Bellcore.
>
>II.  Impact
>
>     Unauthorized users can gain privileges of other users, possibly
>     including root.
>
>     The vulnerability can be exploited only by users with a valid
>     account. It cannot be exploited by arbitrary remote users.
>
>     The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
>     implementations and all Logdaemon versions before 4.9. The problem
>     exists only when S/Key logins are supported (which is the default
>     for FreeBSD). Sites with S/Key logins disabled are not vulnerable.
>
>III. Solution
>
>     Logdaemon users:
>     ================
>        Upgrade to version 4.9
>
>            URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
>            MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6
>
>        To plug the hole, build and install the ftpd, rexecd and login
>        programs. If you installed the keysu and skeysh commands, these
>        need to be replaced too.
>
>     FreeBSD 1.1.5.1 and FreeBSD 2.0 users:
>     ======================================
>        Retrieve the corrected files that match the system you are
>        running:
>
>            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
>            MD5 checksum bf3a8e8e10d63da9de550b0332107302
>
>            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
>            MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29
>
>        Unpack the tar archive and follow the instructions in the
>        README file.
>
>     FreeBSD current users:
>     ======================
>        Update your /usr/src/lib/libskey sources and rebuild and
>        install libskey (both shared and non-shared versions).
>
>        The vulnerability has been fixed with FreeBSD 2.0.5.
>
>-------------------------------------------------------------------------
>
>S/KEY is a trademark of Bellcore (Bell Communications Research).
>
>Wietse Venema appreciates helpful assistance with the resolution of
>this vulnerability from CERT/CC; Rodney W.  Grimes, FreeBSD Core Team
>Member; Guido van Rooij, Philips Communication and Processing Services;
>Walter Belgers.

CIAC would like to thank Wietse Venema and CERT/CC for the information in section 2 of this CIAC Notes article.
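Section III of the advisory above pairs each corrected file with an MD5 checksum. As an added example (not code from CIAC, Wietse Venema, logdaemon or FreeBSD), the Python below parses those URL/checksum pairs out of the advisory text and checks a downloaded archive against them before anything is unpacked; the archive bytes are constructed, so the demonstration exercises the mismatch path.

```python
"""Check a downloaded fix against the URL / MD5 pairs an advisory publishes.

Added example for this page, not code from CIAC, Wietse Venema, logdaemon or
FreeBSD. ADVISORY_TEXT is copied from section III of the S/Key advisory; all
file contents used here are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, NamedTuple

ADVISORY_TEXT = """
    URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
    MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6
    URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
    MD5 checksum bf3a8e8e10d63da9de550b0332107302
    URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
    MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29
"""

# A URL line followed by its checksum line. The optional trailing '.' is the
# advisory's sentence punctuation (logdaemon line), not part of the file name.
PAIR_RE = re.compile(r"URL\s+(\S+?)\.?\s*\n\s*MD5 checksum\s+([0-9a-fA-F]{32})")

class Verdict(NamedTuple):
    ok: bool
    expected: str
    actual: str

def parse_advisory(text: str) -> Dict[str, str]:
    """Map each published file name to its lower-cased MD5 hex digest."""
    return {url.rsplit("/", 1)[-1]: md5.lower() for url, md5 in PAIR_RE.findall(text)}

def md5_hex(data: bytes) -> str:
    """Hash in fixed-size chunks, as a multi-megabyte tarball would be read."""
    h = hashlib.md5()
    for off in range(0, len(data), 64 * 1024):
        h.update(data[off:off + 64 * 1024])
    return h.hexdigest()

def verify_download(filename: str, data: bytes, advisory: str = ADVISORY_TEXT) -> Verdict:
    """A name the advisory does not list is an error, not a pass. MD5 is no longer
    collision resistant, so a match shows the transfer was intact, not who built it."""
    published = parse_advisory(advisory)
    if filename not in published:
        raise KeyError(f"{filename} is not listed in the advisory")
    actual = md5_hex(data)
    return Verdict(hmac.compare_digest(actual, published[filename]), published[filename], actual)

if __name__ == "__main__":
    # Constructed stand-in for a download corrupted or swapped in transit.
    v = verify_download("libskey-2.0.tgz", b"\x1f\x8b constructed, not the real archive")
    print("unpack" if v.ok else f"refuse to unpack: got {v.actual}, expected {v.expected}")
```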

==========================================================
3) EBOLA Virus Hoax
==========================================================

The following note circulated around the networks last month warning of a new and potentially deadly computer virus. However, after chasing down the sources of the note, CIAC has found that this is another hoax, similar to the Good Times Hoax.

---------------------------  Start of HOAX --------------------------------
 ** Important! VIRUS ALERT **
  A message has just been received from DataTech Development in
  Westhills, Texas.  It reads as follows:

        "A very *Dangerous* virus has just been released, Primarily Affecting
     Unix users who have FTP'd files from a Major server in the last few days.

         This virus patches itself onto the source code of FTP, and
     automatically piggybacks on files FTP'd to another site or user where it
     again patches itself onto FTP.

         When an infected User runs ELM or PINE, the virus secretly sends one
     of several pre-written disgusting letters to the user's SysAdmin,
     addressed from the unlucky victim.  The letters contain graphic appeals
     for sexual favors of a deviant nature, or explicitly describe Diane
     Sawyer bondage fantasies.

         As a result of this, many have had their access revoked, causing
     both users and sysadmins alike much grief, and creating an administrative
     backlog for the reinstatement of accounts.

         As yet, we have not been able to properly trace the distribution of
     the EBOLA Virus, so you are best advised to Disinfect any files recently
     FTP'd from a Unix-based server.

         Standby for Updates,
         |>ataTech |>evelopment."

---------------------------  End of HOAX ----------------------------------

As of this date, we have not been able to locate a DataTech Development of Westhills, Texas; in fact, we have not even been able to locate a town of Westhills, Texas. Nor have we been able to locate the person who uploaded this message to several newsgroups, or anyone who has actually seen it.

Pending any evidence to the contrary, we believe that this message is a hoax.

=============================================================
4) Caibua Virus
=============================================================

The initial warnings about the outrageous behavior of the Caibua virus (alias: Butthead, BUA-2263) made us suspect that it was another hoax, but this one is real.

The Caibua virus was originally distributed in the package BESTSSVR.ZIP which contained the program COOLSAVR.COM. This is supposed to be an interesting screen saver, and does contain some interesting graphics. While you are watching the graphics, it is infecting two of your .COM files with the Caibua virus.

The Caibua is a relatively unsophisticated virus, of a kind that doesn't normally spread very well in the wild. It is a non-resident infector of *.COM files in the current directory and on the PATH. Each time an infected program is executed, two .COM files are infected with the virus. Because of this slow multiplication factor, the virus does not spread very rapidly.

If the date is May 5, 1995 or after, and the time is between 3pm and 7pm, it displays a phallic symbol marching across the screen. The damage routines are executed after the virus has been run about 20 times. Damage consists of creating directories named "Caibua", "FUCK YOU", "EAT SHIT" and "BITE ME!", the erasing of the first file in the current directory on the default drive, and overwriting the system and boot areas of the C: drive, rendering it unreadable.

Most current anti-virus scanners do not detect the Caibua virus. A free scanner for it, XCAIBUA.ZIP, is available from the makers of InVircible; it can be obtained from the CIAC archive or directly from InVircible. Note that XCAIBUA does not detect the infection in the original file, COOLSAVR.COM.

From CIAC:
      ftp://ciac.llnl.gov/pub/ciac/sectools/pcvirus/xcaibua.zip
      BBS: 510-423-4753, 510-423-3331
From InVircible:
      ftp://InVircible.com/antivirus/av-software/invircible/xcaibua.exe

=============================================================

----------------------------------
Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as:

    . Incident Handling Consulting
    . Computer Security Information
    . On-site Workshops
    . White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center. Further information can be found at CIAC. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. See FIRST for more details (http://www.first.org/first/).

CIAC services are available for fee to other Federal civilian agencies. Contact Nancy Adair in the DOE Oakland Operation Office 510-637-1741.
----------------------------------
CIAC services are available to DOE and DOE contractors, and can be contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive.

   World Wide Web:  http://ciac.llnl.gov/
   Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
   Modem access:    (510) 423-4753 (14.4K baud)
                    (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body to ciac-listproc@llnl.gov, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName, FirstName and PhoneNumber:

        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.

------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of the United States Government.  Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.  Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California.  The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
-------------------------------------------------------------------

End of CIAC Notes Number 95-10 95_06_16

(Message sent Tue 2 Apr 1996, 23:09:28 GMT, from time zone GMT-0500.)

Key Words in Subject:  Alert, PKZIP300, Virus
