Subject: PKZIP Hacking Update
From: dan.keisling@windmill.com (Dan Keisling)
Date: Tue Sep 19 19:34:00 1995

This is a response to the discussion on implanting a virus inside of PKUNZIP and/or PKZIP. Namely, it was dismissed that you cannot automatically make a virus execute with unzipping.

Second, it was noted that you can have an ANSI bomb as the ZIP comment (displayed right before unzipping). Although I have not personally proven this, it could be possible. The major drawback from capturing everybody is that the -Q switch in PKUNZIP must be added to unzip ANSI comments. (ANSI being escape sequences, not high ASCII.) I would tend to think that many people do NOT use the -Q switch for this reason, and this was PKWare's intention. Furthermore, not very many people are dumb enough to be running the stock ANSI.SYS driver packaged with DOS. You can fall for an ANSI bomb too easily. People rather prefer NANSI, which detects keyboard remapping.

Next, it was told that if you trick PKZIP to display an ANSI bomb named CON (or CON:) it would display it to the screen. This has been proven FALSE. First, you cannot have a file named CON by conventional means ("edit con" etc.). Plus, PKZIP will NEVER create a filename called CON because DOS does not allow it. When you first create a ZIP archive and give it a name, it creates the filename no matter what. It cannot create CON.ZIP (a conventional means), so therefore it exits with an error. It also cannot add a file named CON, whether it be an actual DOS filename or the device driver. This eliminates the notion of an ANSI bomb named CON - somewhat.

You can now try and ZIP a file named TMP (or any 3-letter filename) to an archive. Then use a disk editor (Norton's DISKEDIT is the best) to search for TMP. There will be two occurrences - and when you find them, you change it to CON for both of them. Now, save the sector and exit.

A PKUNZIP of the archive will work; however, it will always try first to create the filenames of the enclosed files of the archive, so it will try to create CON, which it cannot do. It exits without showing the file or executing it or anything for that matter. Also, someone suggested CON: - this cannot be done since you cannot have a colon in a filename. PKZIP will try and create it and will fail.

That should be it for now. Yes, there is a way to hang the machine using PKZIP and a device driver. I will announce it, plus this complete text, tomorrow. As for now, please comment on anything you see here.

[ Xenocide - Sysop of Static Line - 806.747.0802 - 700+ Megs H/P Utils ]
[ Author of the BBS Hacking Guide ]
[ Email dan.keisling@windmill.com # PGP Available Upon Request ]
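The two risks the post discusses, an ANSI escape sequence in the archive comment and an entry named after a DOS device such as CON, are both visible in an archive's metadata before anything is extracted. The following scanner is an added example written for this page; it is not code from the post or from PKWare. It uses Python's standard zipfile module to read the archive comment and entry names, flags ANSI.SYS-style control sequences (treating the key-redefinition final byte 'p' as the keyboard-remap case the post mentions), and reports entries whose base name is a DOS device name. The full set of reserved device names beyond CON, the regular expression used for the sequences, and the constructed sample archive are this example's own assumptions.

```python
import io
import re
import zipfile

# ANSI.SYS control sequence: ESC [ <parameters> <final letter>.
# ANSI.SYS key-redefinition sequences may carry quoted strings in the
# parameter list (e.g. ESC[13;"dir"p), so quoted runs are allowed next to
# digits and semicolons. The regex shape is this example's assumption.
CSI_SEQ = re.compile(rb'\x1b\[(?:"[^"]*"|[0-9;])*([A-Za-z])')

# Final byte 'p' is the ANSI.SYS key-redefinition command, the primitive a
# keyboard-remapping "ANSI bomb" relies on.
KEY_REMAP_FINAL = b"p"

# DOS reserved device names (CON is the one discussed in the post; the rest
# are added here as an assumption about the same DOS rule).
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def base_device_name(filename: str) -> str:
    """Return the upper-cased base name DOS would use for device matching."""
    leaf = re.split(r"[\\/]", filename)[-1]
    return leaf.split(".", 1)[0].upper()


def scan_archive(data: bytes) -> dict:
    """Inspect archive metadata only; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comment = zf.comment  # bytes; shown by PKUNZIP before extraction
        names = [info.filename for info in zf.infolist()]

    finals = CSI_SEQ.findall(comment)  # one final byte per matched sequence
    return {
        "escape_sequences": len(finals),
        "keyboard_remap": any(f == KEY_REMAP_FINAL for f in finals),
        "reserved_device_names": [
            n for n in names if base_device_name(n) in RESERVED_DEVICES
        ],
    }


def build_sample_archive() -> bytes:
    """Constructed test input: a harmless entry, a CON entry, and a comment
    carrying a screen-clear sequence plus a key-redefinition sequence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", "harmless text\n")
        zf.writestr("CON", "entry named after the console device\n")
        zf.comment = b'Thanks for downloading!\x1b[2J\x1b[13;"echo remapped"p'
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```

Run it against a real archive with `scan_archive(open(path, "rb").read())`; a non-empty `reserved_device_names` list or a true `keyboard_remap` flag is reason to inspect the file before letting any unzipper display its comment or create its entries.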