-----BEGIN PGP SIGNED MESSAGE-----


           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/

Number 95-10                                               June 16, 1995


This edition of CIAC NOTES includes:

    1) PKZIP003 Trojan
    2) Logdaemon/FreeBSD vulnerability in S/Key
    3) EBOLA Virus Hoax
    4) Caibua Virus

Please send your comments and feedback to ciac@llnl.gov.

  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
  $ Reference to any specific commercial product does not necessarily   $
  $ constitute or imply its endorsement, recommendation or favoring by  $
  $ CIAC, the University of California, or the United States Government.$
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$


=========================================================================
1) PKZIP Trojan
=========================================================================

A Trojaned version of the popular, DOS file compression utility PKZIP
is circulating on the networks and on dial-up BBS systems. The
Trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the
following warning from PKWARE:
- -------------------------------------------------------------------------
  Some joker out there is distributing a file called PKZ300B.EXE and
  PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your
  harddrive if you use it.  The most recent version is 2.04G.  Please 
  tell all your friends and favorite BBS stops about this hack.

  Thank You.

  Patrick Weeks Product Support PKWARE, Inc.
- -------------------------------------------------------------------------
PKZ300B.EXE appears to be a self extracting archive, but actually
attempts to format your hard drive. PKZ300B.ZIP is an archive, but the
extracted executable also attempts to format your hard drive. While
PKWARE indicated the Trojan is real, we have not talked to anyone who
has actually touched it. We have no reports of it being seen anywhere
in the DOE.

According to PKWARE, the only released versions of PKZIP are: 1.10,
1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating
on BBS's are hacks or fakes. The current version of PKZIP and PKUNZIP
is 2.04g.

The current version of PKZIP is available in the CIAC Archive, or
directly from PKWARE.

- From CIAC:   ftp://ciac.llnl.gov/pub/ciac/util/pc/pkz204g.exe
             BBS: 510-423-4753, 510-423-3331
- From PKWARE: ftp://pkware.com/pub/pkware/pkz204g.exe
             BBS: 414-354-8670

Note: Don't forget to pay your shareware fees.
   
=========================================================================
2) Logdaemon/FreeBSD vulnerability in S/Key
=========================================================================

The following was released by Wietse Venema through a vendor bulletin
VB-95:04.venema (ftp://cert.org:/pub/cert_bulletins/VB-95:04.venema).
Wietse Venema, who urges you to act on this information as soon as
possible.  Please contact Wietse Venema if you have any questions or
need further information.

>A vulnerability exists in my own S/Key software enhancements.  Since
>these enhancements are in wide-spread use, a public announcement is 
>appropriate.  The vulnerability affects the following products:
>
>        FreeBSD version 1.1.5.1
>        FreeBSD version 2.0
>        logdaemon versions before 4.9
>
>I recommend that users of this software follow the instructions given
>below in section III. 
>
>------------------------------------------------------------------------
>
>I.   Description
>
>     An obscure oversight was found in software that I derived from
>     the S/Key software from Bellcore (Bell Communications Research).
>     Analysis revealed that my oversight introduces a vulnerability.
>
>     Note: the vulnerability is not present in the original S/Key
>     software from Bellcore.
>
>II.  Impact
>
>     Unauthorized users can gain privileges of other users, possibly
>     including root.
>
>     The vulnerability can be exploited only by users with a valid
>     account. It cannot be exploited by arbitrary remote users.
>
>     The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
>     implementations and all Logdaemon versions before 4.9. The problem
>     exists only when S/Key logins are supported (which is the default
>     for FreeBSD). Sites with S/Key logins disabled are not vulnerable.
>
>III. Solution
>
>     Logdaemon users: 
>     ================
>        Upgrade to version 4.9
>
>            URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
>            MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6
>
>        To plug the hole, build and install the ftpd, rexecd and login
>        programs. If you installed the keysu and skeysh commands, these
>        need to be replaced too.
>
>     FreeBSD 1.1.5.1 and FreeBSD 2.0 users: 
>     ======================================
>        Retrieve the corrected files that match the system you are
>        running:
>
>            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
>            MD5 checksum bf3a8e8e10d63da9de550b0332107302
>
>            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
>            MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29
>
>        Unpack the tar archive and follow the instructions in the
>        README file.
>
>     FreeBSD current users:  
>     ======================
>        Update your /usr/src/lib/libskey sources and rebuild and
>        install libskey (both shared and non-shared versions).
>
>        The vulnerability has been fixed with FreeBSD 2.0.5.
>
>-------------------------------------------------------------------------
>
>S/KEY is a trademark of Bellcore (Bell Communications Research).
>
>Wietse Venema appreciates helpful assistance with the resolution of
>this vulnerability from CERT/CC; Rodney W.  Grimes, FreeBSD Core Team
>Member; Guido van Rooij, Philips Communication and Processing Services;
>Walter Belgers.

CIAC would like to thank Wietse Venema and CERT/CC for the information in 
section 2 of this CIAC Notes article.

=========================================================================
3) EBOLA Virus Hoax
=========================================================================

The following note circulated around the networks last month warning
of a new and potentially deadly computer virus. However, after chasing
down the sources of the note, CIAC has found that this is another
hoax, similar to the Good Times Hoax.

- ---------------------------  Start of HOAX --------------------------------
 ** Imporant! VIRUS ALERT **
  A message has just been recieved from DataTech Development in 
  Westhills, Texas.  It reads as follows:
     
        "A very *Dangerous* virus has just been released, Primarily Affecting 
     Unix users who have FTP'd files from a Major server in the last few days.
     
         This virus patches itself onto the source code of FTP, and 
     automatically piggybacks on files FTP'd to another site or user where it 
     again patches iself onto FTP.
         
         When an infected User runs ELM or PINE, the virus secretly sends one 
     of several pre-written disgusting letters to the user's SysAmin, 
     addressed from the unlucky victim.  The letters contain graphic appeals 
     for sexual favors of a deviant nature , or explicitly describe Diane 
     Sawyer bondage fantasies.
     
         As a result of this,  many have had their access revoked, causing 
     both users and sysadmins alike much grief, and creating an administrative
     backlog for the re-instation of accounts.
     
         As yet, we have not been able to properly trace the distribution of 
     the EBOLA Virus, so you are best advised to Disinfect any files recently
     FTP'd from a Unix based-server.  
     
         Standby for Updates,
         |>ataTech |>evelopment."
     
- ---------------------------  End of HOAX ----------------------------------

As of this date, we have not been able to locate a DataTech
Development of Westhills, Texas, in fact, we have not even been able
to locate a town of Westhills, Texas. Also, we have not been able to
locate the person who uploaded this message to several newsgroups, or
anyone who has actually seen it.
 
Pending any evidence to the contrary, we believe that this message is a hoax.

============================================================================
4) Caibua Virus
============================================================================

The initial warnings about the outrageous behavior of the Caibua virus
(alias: Butthead, BUA-2263) made us suspect that it was another hoax,
but this one is real.
 
The Caibua virus was originally distributed in the package
BESTSSVR.ZIP which contained the program COOLSAVR.COM. This is
supposed to be an interesting screen saver, and does contain some
interesting graphics. While you are watching the graphics, it is
infecting two of your .COM files with the Caibua virus.
 
The Caibua is a relatively unsophisticated virus, of a kind that
doesn't normally spread very well in the wild. It is a non-resident
infector of *.COM files in the current directory and on the PATH. Each
time an infected program is executed, two .COM files are infected with
the virus. Because of this, slow multiplication factor, the virus does
not spread very rapidly.
 
If the date is May 5, 1995 or after, and the time is between 3pm and
7pm, it displays a phallic symbol marching across the screen. The
damage routines are executed after the virus has been run about 20
times. Damage consists of creating directories named "Caibua", "FUCK
YOU", "EAT SHIT" and "BITE ME!", the erasing of the first file in the
current directory on the default drive, and overwriting the system and
boot areas of the C: drive, rendering it unreadable.
 
Most current anti-virus scanners do not detect the Caibua virus. A
free virus scanner is available from the makers of InVircible, in:
XCAIBUA.ZIP. XCAIBUA.ZIP is available on the CIAC archive, or directly
from InVircible. Note that XCAIBUA does not detect the infection in
the original file, COOLSAVR.COM.

- From CIAC: 
      ftp://ciac.llnl.gov/pub/ciac/sectools/pcvirus/xcaibua.zip
      BBS: 510-423-4753, 510-423-3331
- From INVircible:
      ftp://InVircible.com/antivirus/av-software/invircible/xcaibua.exe
============================================================================

- ----------------------------------
Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to
employees and contractors of the DOE, such as:

    . Incident Handling Consulting
    . Computer Security Information
    . On-site Workshops
    . White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in
Livermore, California, and is a part of its Computer Security
Technology Center. Further information can be found at CIAC. CIAC is
also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster
cooperation and coordination among computer security teams
worldwide. See FIRST for more details (http://www.first.org/first/).

CIAC services are available for fee to other Federal civilian agencies.
Contact Nancy Adair in the DOE Oakland Operation Office 510-637-1741.
- ----------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy. CIAC is located
at the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response
and Security Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be
contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.

   World Wide Web:       http://ciac.llnl.gov/
   Anonymous FTP:               ciac.llnl.gov (128.115.19.53)
   Modem access:  (510) 423-4753 (14.4K baud)
                  (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request as
the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE
or SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

- ------------------------------------------------------------------
This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
- -------------------------------------------------------------------

End of CIAC Notes Number 95-10 95_06_16


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBL+G9ALnzJzdsy3QZAQHDVAP9EL5fauODXnIiNJmUCd8ieeSppi+o6HOm
X2x87cPi1FIUCoklUMYTW/FnqfU8Z3BCAmraJdBv7DwX3LtqppSzM0dHg57CKX0N
0SK7ZlPn8xxppGctPAqkG+gOFqMdVaZB7kTJ0V3+R9rAazIvIlseb7Ohmuj7FXEu
Y1vAnwRzvFI=
=XyZq
-----END PGP SIGNATURE-----