home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
DP Tool Club 8
/
CDASC08.ISO
/
VRAC
/
HACK9309.ZIP
/
FILETSTS.ZIP
/
PKZIPFIX.RES
< prev
next >
Wrap
Text File
|
1993-03-06
|
7KB
|
150 lines
=========================================================================
||
From the files of The Hack Squad: || by Lee Jackson, Co-Moderator,
|| FidoNet International Echo SHAREWRE
The Hack Report || Volume 2, Number 2
File Test Results || Result Report Date: Feb. 7, 1993
||
=========================================================================
*************************************************************************
* *
* The following test was performed by and the results are courtesy *
* of Jeff White and Bill Logan of the Pueblo Group in Tuscon, *
* Arizona. Their assistance is greatly appreciated. *
* *
*************************************************************************
Results of test on: PKZIPFIX.ZIP
File description: Fix for volume bug in PKZIP v2.04c
Synopsis:
When the latest release of PKZ from PKWare came out, there was a bug
with the volume label being added to the archive. This program was
designed (?) to fix that bug.
It does indeed fix the bug, but remains a hacked copy of a copyrighted
piece of software and therefore is suspicious.
First of all, the author managed to crack PKWare's Commercial PKLite
compression, which shouldn't be able to be expanded. When the author
hacked PKZ204C, he re-PKLited the fix, but with the standard version of
PKLite, which allows it to be expanded.
Also, there is questionable code contained in this "fix". Most notably,
the words "Erasing contents of drive, completed" appear towards the end
of the program. Every command line switch I could think of that might
prompt this response did not bring these words up. It is possible it
is waiting for some time or criteria to activate, or it could be
associated with an option I am not familiar with. PKZ 193 and 204c are
non-expandable, and therefore couldn't be checked for this text, but
PKZ 110 was checked and it did NOT contain this text.
Integrity Master was used to ensure that nothing on the drive was
changed that shouldn't have been. McAfee's ViruScan was used to ensure
that PKZIPFIX was not a dropper for an existing virus.
======================================================================
File information:
File Name: pkzipfix.zip
Size: 40,912
Date: 12-28-1992
File Authentication:
Check Method 1 - 082F
Check Method 2 - 059C
======================================================================
File contents:
Length Method Size Ratio Date Time CRC-32 Attr Name
====== ====== ===== ===== ==== ==== ======== ==== ====
41935 DeflatX 40796 3% 12-28-92 02:04 7dc49363 --w- PKZIP.EXE
====== ====== === =======
41935 40796 3% 1
======================================================================
PKZIP.EXE check:
CHK4LITE (tm) Check for files compressed by PKLITE Version 1.15
7-30-92 Copyright 1990-1992 by PKWARE Inc. All Rights Reserved.
PKZIP.EXE Compressed with PKLITE (tm) Ver. 1.15
======================================================================
Validation check on PKZIP.EXE **after** unPKLITEing
File Name: pkzip.exe
Size: 55,370
Date: 12-28-1992
File Authentication:
Check Method 1 - E8B1
Check Method 2 - 1224
======================================================================
ViruScan of PKZIP.EXE **after** unPKLITEing
Scanning memory for critical viruses.
Scanning Volume: DRIVE I
Scanning C:PKZIP.EXE
No viruses found.
======================================================================
Use:
The PKZIP released in PKZ204C.EXE would not properly add a volume label
when the -$ option was specified.
The version of PKZIP.EXE release in PKZIPFIX.ZIP does indeed fix this
bug. Example follows.
Attempt to use the -$ option with PKZIP 2.04c:
PKZIP (R) FAST! Create/Update Utility Version 2.04c 12-28-92
Copr. 1989-1992 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
* XMS version 3.00 detected.
* Using Normal Compression.
Creating ZIP: PKZTEST2.ZIP
Adding: PKZIP.EXE Deflating % (30%), done.
= = =
Attempt to use the -$ option with PKZIP.EXE from PKZIPFIX.ZIP
PKZIP (R) FAST! Create/Update Utility Version 2.04c 12-28-92
Copr. 1989-1992 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
* XMS version 3.00 detected.
* Using Normal Compression.
Creating ZIP: PKTEST1.ZIP
Adding: PKZIP.EXE Deflating % (30%), done.
Adding: DRIVE I Storing ( 0%), done.
======================================================================
Integrity Master v1.41a was reinitialized for drive C: before testing.
Comparing drive C:'s data (after multiple executions of PKZIP.EXE) to
the backup information showed no changes or virus activity. McAfee's
ViruScan confirmed no known virus activity.
======================================================================
Suspicious code:
PKZIP.EXE contains several questionable pieces of code. Although we
were unable to get PKZIP.EXE to do anything damaging, it is possible
that, under the right circumstances, PKZIP.EXE could prove to be a
trojan.
The suspicious code is as follows:
Address: 0000d0e0-0000d110
Code: x:/ x: *.* / Erasing contents of drive, completed.
The above could be a reference to a temporary drive (although I used a
temporary drive using the -B command line switch and got no such
response) or in conjunction with a switch (unbeknownst to myself) that
might possibly delete files as they are archived. It should be noted
that PKZIP.EXE as included in PKZ110.EXE contains none of this code.
Later releases of PKZIP.EXE cannot be checked since they are compressed
with PKLite and are non-expandable.