Some joker out there is distributing a file called PKZ300B.EXE and PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your hard drive if you use it. The most recent version is 2.04G. Please tell all your friends and favorite BBS stops about this hack. Thank You.

Patrick Weeks
Product Support
PKWARE, Inc.

PKZ300B.EXE appears to be a self-extracting archive, but actually attempts to format your hard drive. PKZ300B.ZIP is an archive, but the extracted executable also attempts to format your hard drive. While PKWARE indicated the Trojan is real, we have not talked to anyone who has actually touched it. We have no reports of it being seen anywhere in the DOE.
According to PKWARE, the only released versions of PKZIP are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating on BBSs are hacks or fakes. The current version of PKZIP and PKUNZIP is 2.04g.
The current version of PKZIP is available in the CIAC Archive, or directly from PKWARE.
CIAC would like to thank Wietse Venema and CERT/CC for the information in section 2 of this CIAC Notes article.

A vulnerability exists in my own S/Key software enhancements. Since these enhancements are in widespread use, a public announcement is appropriate. The vulnerability affects the following products:

FreeBSD version 1.1.5.1
FreeBSD version 2.0
logdaemon versions before 4.9

I recommend that users of this software follow the instructions given below in section III.

------------------------------------------------------------------------

I. Description

An obscure oversight was found in software that I derived from the S/Key software from Bellcore (Bell Communications Research). Analysis revealed that my oversight introduces a vulnerability. Note: the vulnerability is not present in the original S/Key software from Bellcore.

II. Impact

Unauthorized users can gain privileges of other users, possibly including root. The vulnerability can be exploited only by users with a valid account. It cannot be exploited by arbitrary remote users. The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0 implementations and all Logdaemon versions before 4.9. The problem exists only when S/Key logins are supported (which is the default for FreeBSD). Sites with S/Key logins disabled are not vulnerable.

III. Solution

Logdaemon users:
================

Upgrade to version 4.9

URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz
MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6

To plug the hole, build and install the ftpd, rexecd and login programs. If you installed the keysu and skeysh commands, these need to be replaced too.
FreeBSD 1.1.5.1 and FreeBSD 2.0 users:
======================================

Retrieve the corrected files that match the system you are running:

URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
MD5 checksum bf3a8e8e10d63da9de550b0332107302

URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29

Unpack the tar archive and follow the instructions in the README file.

FreeBSD current users:
======================

Update your /usr/src/lib/libskey sources and rebuild and install libskey (both shared and non-shared versions). The vulnerability has been fixed with FreeBSD 2.0.5.

-----------------------------------------------------------------

S/KEY is a trademark of Bellcore (Bell Communications Research).

Wietse Venema appreciates helpful assistance with the resolution of this vulnerability from CERT/CC; Rodney W. Grimes, FreeBSD Core Team Member; Guido van Rooij, Philips Communication and Processing Services; Walter Belgers.
** Important! VIRUS ALERT **

A message has just been received from DataTech Development in Westhills, Texas. It reads as follows:
"A very *Dangerous* virus has just been released, Primarily Affecting Unix users who have FTP'd files from a Major server in the last few days. This virus patches itself onto the source code of FTP, and automatically piggybacks on files FTP'd to another site or user where it again patches itself onto FTP. When an infected User runs ELM or PINE, the virus secretly sends one of several pre-written disgusting letters to the user's SysAdmin, addressed from the unlucky victim. The letters contain graphic appeals for sexual favors of a deviant nature, or explicitly describe Diane Sawyer bondage fantasies. As a result of this, many have had their access revoked, causing both users and sysadmins alike much grief, and creating an administrative backlog for the reinstatement of accounts. As yet, we have not been able to properly trace the distribution of the EBOLA Virus, so you are best advised to Disinfect any files recently FTP'd from a Unix-based server. Stand by for Updates, |>ataTech |>evelopment."
Pending any evidence to the contrary, we believe that this message is a hoax.
The Caibua virus was originally distributed in the package BESTSSVR.ZIP which contained the program COOLSAVR.COM. This is supposed to be an interesting screen saver, and does contain some interesting graphics. While you are watching the graphics, it is infecting two of your .COM files with the Caibua virus.
The Caibua is a relatively unsophisticated virus, of a kind that doesn't normally spread very well in the wild. It is a non-resident infector of *.COM files in the current directory and on the PATH. Each time an infected program is executed, two .COM files are infected with the virus. Because of this slow multiplication factor, the virus does not spread very rapidly.
If the date is May 5, 1995 or after, and the time is between 3pm and 7pm, it displays a phallic symbol marching across the screen. The damage routines are executed after the virus has been run about 20 times. Damage consists of creating directories named "Caibua", "FUCK YOU", "EAT SHIT" and "BITE ME!", the erasing of the first file in the current directory on the default drive, and overwriting the system and boot areas of the C: drive, rendering it unreadable.
Most current anti-virus scanners do not detect the Caibua virus. A free virus scanner is available from the makers of InVircible in XCAIBUA.ZIP. XCAIBUA.ZIP is available on the CIAC archive, or directly from InVircible. Note that XCAIBUA does not detect the infection in the original file, COOLSAVR.COM.
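As an added example (not part of this CIAC bulletin or of any tool it names), the following Python script covers two checks the notes above call for: verifying a retrieved patch archive against the MD5 checksum published in the S/Key announcement, and keeping a hash baseline of the .COM files in the current directory and on the PATH so that a non-resident infector like Caibua, which current scanners miss, shows up as changed files. The function names and the baseline layout are assumptions of this example.

```python
import hashlib
import os
from pathlib import Path


def file_digest(path, algo="md5"):
    """Hex digest of a file's contents; MD5 matches the checksums quoted in the advisory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_expected(path, expected_hex):
    """True when the file's MD5 equals the published checksum (e.g. the libskey-2.0.tgz value)."""
    return file_digest(path, "md5") == expected_hex.strip().lower()


def default_search_dirs():
    """Current directory plus every PATH entry: the places a Caibua-style infector looks for victims."""
    return [os.getcwd()] + [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]


def com_files(search_dirs):
    """Map each *.COM file (any case) in the given directories to its current digest."""
    found = {}
    for d in search_dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for entry in p.iterdir():
            if entry.is_file() and entry.suffix.lower() == ".com":
                found[str(entry.resolve())] = file_digest(entry)
    return found


def compare_baseline(baseline, current):
    """Files whose digest changed are candidates for infection; new/missing files are listed too."""
    changed = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    # Take a baseline now; rerun later and feed both snapshots to compare_baseline().
    for path, digest in sorted(com_files(default_search_dirs()).items()):
        print(digest, path)
```

Store the baseline on write-protected media, since an infected .COM file could otherwise be rebaselined as if it were clean.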
CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy. CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE and DOE contractors, and can be contacted at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074, is for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: (510) 423-4753 (14.4K baud)
              (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:

subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.