**************************************************************************
Security Bulletin 9220                  DISA Defense Communications System
July 28, 1992            Published by: DDN Security Coordination Center
                                     (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities.  Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest".  The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9220).
**************************************************************************

                 CORRUPTED VERSIONS OF PKZIP UTILITIES
                             July 27, 1992

I.   DESCRIPTION

     ASSIST has learned that two corrupt versions of the popular
     archiving utility PKZIP for PC-DOS and MS-DOS machines are being
     circulated on several bulletin board systems around the country.
     The two corrupted versions are 2.01 (PKZ201.ZIP AND PKZ201.EXE)
     AND 2.2 (PKZIPV2.ZIP AND PKZIPV2.EXE).  If you have downloaded
     any of these files, do not attempt to use these utilities.

     At the current time, the released version of PKZIP is version
     1.10.  A new version of PKZIP is expected to be released within
     the next few months.  Its version number may be 2.00, or it may
     be a version number greater than 2.2 to distinguish it from the
     corrupted versions.  PKWARE INC. has indicated it will never
     issue a version 2.01 or 2.2 of PKZIP.

II.  IMPACT

     THE DESTRUCTION OF ALL THE DATA ON YOUR HARD DISK IS A
     POSSIBILITY IF THE PROGRAMS ARE EXECUTED.

III. SOLUTION

     According to PKWARE INC., version 2.01 is a hacked version of
     PKZIP 1.93 alpha.  While this version does not intentionally do
     any damage, it is alpha level software and may have serious bugs
     in it.

     Version 2.2 is a simple batch file that attempts to erase the
     C:(BACKSLASH) and C:(BACKSLASH)DOS directories.  If the hard disk
     has been erased by this program, recovery may be possible by
     utilizing hard disk undelete utilities such as those in NORTON
     UTILITIES or PCTOOLS.  Don't do anything that might create or
     expand a file on your hard disk until the files have been
     undeleted to avoid overwriting the deleted files, which will
     destroy them.

     To examine a file to determine if it is version 2.2, type it to
     the screen with the DOS `TYPE' command.  If the file that prints
     on the screen is a short batch file with commands such as
     DEL C:(BACKSLASH)(ASTERISK).(ASTERISK), or
     DEL C:(BACKSLASH)(DOS)(BACKSLASH)(ASTERISK).(ASTERISK) then you
     have the corrupted file.

     Any freeware or shareware program downloaded from a BBS should be
     scanned and evaluated by a knowledgeable AIS person on a
     standalone PC before the program is introduced into any system.

     If you or anyone else at your site should happen to encounter any
     corrupted files on a BBS, please contact the ASSIST immediately.
     PKWARE Inc. has also requested that they be informed of any
     occurrences of corrupted PKZIP files.  PKWARE Inc. can be reached
     at (414) 354-8699 (voice), (414) 354-8670(BBS),
     (414) 354-8559(FAX).

     The ASSIST Point of Contact for this matter is Mr. Mike Higgins,
     COMM (202) 373-8852/55 or DSN 243-8852/55.  ASSIST can be reached
     24 hours a day via commercial pager at 1-(800) SKY-PAGE, PIN
     NUMBER 2133937 (FROM A TOUCH TONE PHONE ENTER THE CALL BACK
     NUMBER AFTER THE PROMPT) or AUTOVON dial 243-8000 and ask to have
     the ASSIST Duty Officer paged.  ASSIST can also be reached via
     E-Mail at "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL."

****************************************************************************
*                                                                          *
*    The point of contact for MILNET security-related incidents is the     *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************
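
The examination described in section III (is the download a short batch file containing DEL commands against C: or C:DOS, and does it carry one of the listed file names), written as a static triage script. This is an added example, not part of the original bulletin and not an ASSIST or PKWARE tool; the function names, the 2048-byte size ceiling, the ERASE synonym and the sample inputs are assumptions constructed for illustration, and the code matches the literal backslash and asterisk characters that the bulletin spells out as (BACKSLASH) and (ASTERISK).

```python
import re

# File names the bulletin lists for the corrupted 2.01 and 2.2 releases.
BAD_NAMES = {"PKZ201.ZIP", "PKZ201.EXE", "PKZIPV2.ZIP", "PKZIPV2.EXE"}
# DEL aimed at C:\*.* or C:\DOS\*.*; ERASE (DOS synonym for DEL) is an
# assumption added here, the bulletin only names DEL.
WIPE_CMD = re.compile(r"\b(?:DEL|ERASE)\s+C:\\(?:DOS\\)?\*\.\*", re.IGNORECASE)
MAX_BATCH_SIZE = 2048  # assumed ceiling for a "short batch file"
# Printable ASCII plus TAB, LF, CR and the DOS end-of-file marker ^Z.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D, 0x1A}

# Constructed samples for illustration, not recovered from the real files.
SAMPLE_BATCH = b"@ECHO OFF\r\nDEL C:\\*.*\r\nDEL C:\\DOS\\*.*\r\n\x1a"
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00" + bytes(64)


def wipe_commands(data: bytes) -> list:
    """Lines of a short, plain-text file that delete C:\\ or C:\\DOS wholesale."""
    if not data or len(data) > MAX_BATCH_SIZE:
        return []
    if any(b not in TEXT_BYTES for b in data):
        return []  # not plain text, so not the batch file the bulletin describes
    return [ln.strip() for ln in data.decode("ascii").splitlines()
            if WIPE_CMD.search(ln)]


def triage(filename: str, data: bytes) -> dict:
    """Static check only: the content is read, never executed."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].upper()
    hits = wipe_commands(data)
    if hits:
        verdict = "corrupted-2.2"   # matches the batch file the bulletin describes
    elif name in BAD_NAMES:
        verdict = "listed-name"     # do not run; 2.01 is a hacked alpha build
    else:
        verdict = "no-match"
    return {"listed_name": name in BAD_NAMES, "wipe_commands": hits, "verdict": verdict}


if __name__ == "__main__":
    for fname, blob in [("PKZIPV2.EXE", SAMPLE_BATCH), ("PKZ201.EXE", SAMPLE_BINARY)]:
        print(fname, triage(fname, blob))
```

A match on a commented-out or quoted command is still reported, which suits a triage step whose output goes to a person for review on a standalone PC.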