=========================================================================
||  From the files of The Hack Squad:                                  ||
||  by Lee Jackson, Moderator, FidoNet Int'l Echos SHAREWRE & WARNINGS ||
||                                                                     ||
||  The Hack Report                                                    ||
||  Volume 2, Number 9 for September, 1993                             ||
||  Report Date: September 12, 1993                                    ||
=========================================================================

Welcome to the ninth 1993 issue of The Hack Report. This is a series of reports that aim to help all users of files found on BBSs avoid fraudulent programs, and is presented as a free public service by the FidoNet International Shareware and Warnings Echos and the author of the report, Lee Jackson (FidoNet 1:124/4007).

This has not been a very good month here at Hack Central Station: not only was the report delayed by a week due to a back injury, but the August issue was the subject of a hack. It isn't the first time, and it won't be the last. Also, a file reported as a hoax last month has been reclassified as a Trojan, and many new pirated files surface.

Thanks to everyone who has helped put this report together, and to those that have sent in comments and suggestions.

NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on your BBS, subject to these conditions: 1) the latest version is used, 2) it is posted in its entirety, and 3) it is not altered in any way.

NOTE TO OTHER READERS: The Hack Report (file version) may be freely uploaded to any BBS, subject to the above conditions, and only if you do not change the filename. You may convert the archive type as you wish, but please leave the filename in its original HACK????.* format.

The Hack Report may also be cross-posted in other networks (with the permission of the other network) as long as it meets the above conditions and you give appropriate credit to the FidoNet International Shareware and Warnings Echos (and the author <g>). The idea is to make this information available freely. However, please don't cut out the disclaimers and other information if you use it, or confuse the issue by spreading the file under different names. Thanks!

DISCLAIMER: The listings of Official Versions are not a guarantee of the files' safety or fitness for use. Someone out there might just be sick-minded enough to upload a Trojan with an "official" file name, so >scan everything you download<!!! The author of this report will not be responsible for any damage to any system caused by the programs listed as Official Versions, or by anything using the name of an Official Version.

On this same note, programs and files listed in this report should not be automatically considered dangerous. It is simply impossible for the author of this report to receive and test copies of every listed file, so many of the reports listed herein are based on information sent to the author by individuals in the BBS community. For this reason, neither the author of this report nor anyone officially associated with it shall be held liable for any losses and/or damages resulting from a listing in this report.

Finally, the releases listed as the latest Official Versions may not be entirely accurate. However, they do reflect the latest version known to the author of The Hack Report at the time of writing. That's the nature of the beast we call shareware: authors have every right (and in this writer's opinion, are well advised) to release a new version without advance notice of any kind. If you see a version newer than one listed here, please contact one of The HackWatchers or myself so that we can keep these listings up to date.

*************************************************************************

Hacked Programs

Here are the latest known versions of some programs known to have hacked copies floating around. Archive names are listed when known, along with the person who reported the fraud (thanks from us all!).
Program                   Hack(s)           Latest Official Version
=======                   =======           =======================
ARJ Archiver              ARJ250            ARJ241A
                            Reported By: Tommy Vielkanowitz (1:151/2305)
                          ARJ239E
                            Reported By: The Hack Squad
                          ARJ239G
                            Reported By: The Hack Squad
                          ARJ240A
                            Reported By: Ryan Shaw (1:152/38)
                          ARJ300
                            Reported By: Mike Stowe (ITCNet, via HW Robert
                                         Hinshaw)

Blue Wave Offline         BWAVE213          BWAVE212
Message Reader              Reported By: Don Becker (grendel@jaflrn.linet.org)

BNU FOSSIL Driver         BNU202            BNU170
                            Reported By: Amauty Lambrecht (2:291/712)
                                            (not counting betas)
                          BNU188B
                            Reported By: David Nugent (3:632/348), Author of BNU

DMS Amiga Disk            DMS version 1.12  DMS version 1.11
Masher                      Reported By: Ben Filips, via Jay Ruyle (1:377/31)

| F-Prot Virus Scanner    FP-205B           FP-209D
                            Reported By: HW Bill Lambdin

LhA Amiga Archiver        LHA148E           LHA138E (Shareware)
                            Reported By: Michael Arends (1:343/54)
                          LHA151            LHA v1.50r (Regist.)
                            Reported By: Lawrence Chen (1:134/3002)

LHA Archiver (PC)         LHA214            LHA213 (non-beta)*
                            Reported by: Patrick Lee (RIME address RUNNINGB)
                          LHA214B
                          ICE214
                          LHA215
                            Reported by: Kenjirou Okubo, LHA Support Rep.
                                         (Internet address:
                                         kenjirou@mathdent.im.uec.ac.jp)
                          LHA300
                            Reported by: Mark Church (1:260/284)

MakeNL                    MKNL251           MKNL250
                            Reported by: Dan Guenthner (SAF-Net 44:900/200,
                                         via HW Robert Hinshaw)

Math Master               MATHMSTR          M-MST400
                            Reported by: James Frazee (1:343/158)

MusicPlay                 MPLAY31           MPLAY25B
                            Reported By: Lee Madajczyk (1:280/5)

PKLite                    PKLTE201          PKL115
                            Reported By: Wen-Chung Wu (1:102/342)

PKZip                     PKZ301            PKZ204G
                            Reported By: Mark Dudley (1:3612/601)
                                         Jon Grimes (1:104/332)

| Shez                    SHEZ72A           SHEZ92 (also
|                         SHEZ73            SHEZ92P patch)
                            Reported By: HW Bill Lambdin

Telemate                  TM40C             TM412-1 through 4
                            Reported By: Philip Dynes, RIME Telemate
                                         conference, via HW Richard Steiner
                          TM401
                            Reported By: HW Richard Steiner
                          TM410-1
                            Reported By: Bat Lang (1:382/91)

Telix                     Telix v3.20       TLX321-1
                          (Prior to Dec. 1992)  TLX321-2
                          Telix v3.25       TLX321-3
                                            TLX321-4
                            Reported By: Brian C. Blad (1:114/107)
                                         Peter Kirn (WildNet, via HW Ken Whiton)
                          Telix v4.00
                          Telix v4.15
                            Reported By: Barry Bryan (1:370/70)
                          Telix v4.25
                            Reported By: Daniel Zuck (2:247/30, via Chris
                                         Lueders (2:241/5306.1))
                          MegaTelix
                            Verified By: Jeff Woods, deltaComm, Inc.
                          Telix Pro
                            Reported By: Jason Engebretson (1:114/36), in the
                                         FidoNet TELIX echo

TheDraw                   TDRAW430          TDRAW461
                          TDRAW5
                            Reported by: Ian Douglas (5:7102/119)
                          TDRAW500
                            Reported by: Ian Davis, Author
                          TDRAW550
                            Reported by: Steve Klemetti (1:228/19)
                          TDRAW600
                            Reported by: Hawley Warren (1:120/297)
                          THEDR60
                            Reported by: Larry Owens (PDREVIEW echo, 1:280/17)
                          TDRAW601
                            Reported by: Jesper Tragardh (2:200/109)
                          TDRAW800
                            Reported by: James Carswell (1:153/775)

Wolfenstein-3D            WOLF2-1           #1WOLF14
                          WOLF2-2
                            Reported By: Wen-Chung Wu (1:102/342)
                          WFSF2-IA
                            Reported By: Jared Huber (1:203/762)

* - See the section "Clarifications and Thanks" for details on other valid version numbers for LHA.

=========================================================================

Hoax Alert:

| Whoa - what happened here? Wasn't there a report in the August 1993 issue about OWS95B in this section of the report? Yes, there was, but it has been moved. After discussion with Aryeh Goretsky, SysOp of the McAfee VirusForum on CompuServe (76702,1714), this file has been reclassified. Look in The Trojan Wars section for details and for Aryeh Goretsky's comments.

HW Mikael Winterkvist reports that he received a program for study from Patrik Sjoberg, the author of Febbs. The program Patrik found was called VIP and claimed to be a "new, easy to use archive-program" called "Visual Illusions Pack." Mikael and Patrik both studied the program and determined that it was merely an altered version of the LHA Archiver v1.13. To make matters worse, the "author" asked for a registration fee. Save your money.

The Hack That Wouldn't Die has reared its ugly head again: XTRATANK is still floating around out there, according to a sighting by Mike Ledoux (1:132/202).
This file was reported in detail in the 1992 Full Archive Edition of The Hack Report (HACK92FA), but it seems to be so unwilling to go away that it is mentioned again here. For those of you new to The Hack Report, XTRATANK is a confirmed and tested hoax that does _not_ double your hard drive space, regardless of what you might see when you do a DIR command. If you have doubts, try the Fitzgerald test below.

*** The Fitzgerald Test

Here is the now-famous Fitzgerald Test, devised by Tim Fitzgerald of 1:3800/18.0 and validated through testing performed by Bill Logan of The Pueblo Group (1:300/22). Try this if you think you have managed to get XTRATANK to work on your system. Follow these simple steps:

  1. Run CHKDSK and write down the free space it reports as free.
  2. Do a DIR command and write down what XTRATANK reports.
  3. Copy any text file to a new text file.
  4. Repeat steps 1 and 2, and compare.

You will see that XTRATANK reports that twice as much disk space is taken up by the new text file.

Michael Toth (1:115/439.7) has located another incident of the Amiga Emulator hoax, reported in the 1992 Full Archive Edition of The Hack Report as AMIGA. This time, the file was under the filename IBM_AMGA, and contained the following internal files:

  Name           Length   Method   Size now  Mod Date   Time      CRC
  ============  ========  ======== ========  =========  ========  ========
  README.USA         393  Imploded      338  10 Apr 91  18:07:06  2CF72B62
  EMULATOR.EXE    273947  Imploded   157084  15 Sep 90  01:00:00  02A68881
  ============  ========  ======== ========  =========  ========  ========
  *total     2    274340  ZIP 1.10   158592  13 Oct 91  11:28:00

The file claims to emulate Kickstart 1.2, version 33.192, on an IBM compatible. Michael's tests show that this file doesn't do much, if anything - 15 minutes worth of waiting after running the program produced no results.

Recently, an archive of Frisk's (a.k.a. Fridrik Skulason's) F-Prot Virus Scanner v2.07 has been distributed with a "registration form" from a company called JLT. According to Frisk, this is not legitimate. He says that JLT contacted him in the fall of 1992, asking if they could distribute F-Prot, collect registration fees, and forward 50% of the fees to him. Frisk didn't want them to do this, but it appears that an archive with the "registration form" may have slipped into distribution. In Frisk's words, "...this version is most certainly not something that I want distributed."

From the "Not Really A Program, but Interesting Anyway" department, a "press release" has entered distribution, claiming that PKWare Inc. has filed for Chapter 11 bankruptcy. The letter is dated Friday, February 26, 1993, and supposedly quotes Mark Gresbach of PKWare in the statement. However, in a message posted in the CompuServe PKWARE forum on March 1, 1993, PKWare employee Douglas Hay states that this is not true. Douglas also points out that the perpetrator of the hoax misspelled the word Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in the message for PKWare is wrong. In short, ignore the letter - PKWare has _not_ filed bankruptcy.

Other previously reported hoaxes:

Filename      Claimed use/Actual activity/Reporter(s)
============  ==========================================================
PKZ305        Hacked "new version" of PKZip. However, a message in wide
              circulation claimed this was infected with a virus called
              PROTO-T. This message is the actual hoax: there may be one
              or more PROTO-T viruses around now, but none do what was
              claimed in the hoax message. This hack, PKZ305, was not
              infected with any virus, nor did it contain Trojan code,
              per testing by Bill Logan (1:300/22), HW Jeff White, and
              HW Bill Lambdin.

RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
              from Continental Software. Actually does nothing but read
              your USERS.BBS file and report the number of users. The
              program is _not_ from Continental Software, according to
              Andrew Milner. Reported by Kai Sundren (2:201/150), via
              HW Mikael Winterkvist.
SCORCHV2      Claims to be v2.0 of the game Scorched Earth: this version
              doesn't yet exist. Actually a renamed archive of version
              1.2. Reported by Brian Dhatt (1:3648/2.5).

=========================================================================

The Trojan Wars

Well, folks, it has happened again. Someone apparently doesn't like the idea of The Hack Report, and has decided to take a hack at it themselves. Fortunately, it was caught rather quickly, thanks to the people who read and support the report. Your assistance is very much appreciated, folks! This isn't the only new report for the month - oh yes, there is more. So, sit back, buckle up, enjoy the scenery, and read on.

| As I just mentioned, there has been another attack against The Hack Report itself: this time, against the August issue. James Anderson (1:379/609) left a message on Jack Cross's system (1:3805/13, Official Hack Report Utility Distribution Site) and a copy of the August report archive which contained the file HMON.EXE. This Trojan, found by one of James's users on a Florida BBS, attacks mostly .exe files on your path, as well as some Windows programs and COMMAND.COM (according to James' report).

| The archive of the report had one of its text files altered as well. The NOTE9308.TXT file had a paragraph inserted at the beginning which claimed that the HMON.EXE file was a "small virus-detection program" that "i and others (sic) were developing." Those of you who have followed this report since its start would suspect this immediately, as I have previously stated that I am not an anti-viral programmer or researcher: merely a journalist who relays reports he receives from others.

| The paragraph goes on to say (in very bad grammar) that the file should be placed in the same directory as SCAN.EXE, and recommends that you put it on your path. I do not know why, but I would assume that it looks for McAfee's SCAN and does something nasty to it.
| In any event, allow me to restate the warning that I made when this happened previously:

|      THE OFFICIAL ARCHIVE OF THE HACK REPORT WILL _NEVER_ CONTAIN
|      ANY EXECUTABLE OR BATCH FILE!  ONLY TEXT FILES AND NON-
|      EXECUTABLE BINARY FILES WILL BE INCLUDED IN THE REPORT ARCHIVE.

| If you have _any_ doubt of the legitimacy of your copy of the report, please inform your friendly neighborhood HackWatcher or myself, and contact one of the official distribution sites to obtain an official copy.

| With the above in mind, and taking into regard the best interests of the BBS community, HACK9308 goes into the report as a file to avoid.

| From the "I'll Sell You the Brooklyn Bridge for $5" department: a file claiming to be an archiver that can achieve 1500:1 compression of almost any file has been spotted. Sounds too good to be true? You're right: it is too good to be true.

| The file in question is called OWS95B. The first report I received on it came via HW Bob Seaborn, although at least a dozen reports similar to his came through the echos I monitor or through NetMail. In short, the file does nothing more than act like an "undelete" utility of sorts, storing filenames and copying them to other directories. Test results of this file can be seen in the file FILETSTS.LZH, part of the archive version of The Hack Report. Look for two files inside this internal archive: a text report from Kevin Gates (1:140/64) called OWS.RES, and a dump of the data segment of the program, DS_DUMP.OWS.

| If you have a copy of this program and need to see for yourself that it is a fraud, here is a test devised by Bob that should do the trick.

| *** The Seaborn Test

|   1) Create a temporary working directory (\WORK) and a temporary test
|      directory (\TEST) on any drive.
|   2) Copy any number of mixed files into the \WORK directory.
|   3) Use OWS.EXE to create \TEST\archive.ows of \WORK\*.*
|   4) Now use SUNOWS.COM to tear apart \TEST\archive.ows, with the files
|      going into the \TEST directory.

| At this point everything should appear to work properly.

|   5) Delete all the original files in the \WORK\*.* directory.
|   6) Use SUNOWS.COM to extract all the files in the \TEST\archive.ows
|      file to restore all the files originally in the \WORK directory.

| This will fail giving you a "Sector Not Found, Abort, Retry, Fail" error, and there's nothing that you can do to solve this error.

| This file was originally reported in the Hoax Alert section of this report. However, Aryeh Goretsky, SysOp of the McAfee VirusForum on CompuServe (76702,1714) pointed out that this is actually a Trojan. Here are his comments, used by permission:

|      "The program is indeed a Trojan horse. It is an expectation of the
|      author that the user will delete the original uncompressed file. An
|      expectation that is filled most of the time...."

| I had not considered this when I classed the file as a simple Hoax. However, Aryeh is right. This is a very sneaky Trojan. It doesn't do any damage to your system: instead, it fools you into doing the damage yourself.

| Ian Douglas (5:7105/119) forwarded a sighting of RAG2FIX from Tiaan Van Aardt (5:7105/8). This file, a supposed "fix" for RemoteAccess v2.00gamma, gives itself away by using the company name "Continental Software" - a name no longer in use by the RA folks. The Trojan first searches for your FILES.RA file, and then erases all files in the current directory, your RA.KEY file, and any ARJ, LZH, and ZIP files it runs across. Hopefully, this hasn't spread outside of FidoNet Zone 5 (Africa), but you never know: keep your eyes open.

| Carl Johnson (1:115/363) reported on VIZ534, a possible isolated incident involving a program called VIZ.
| From Carl's analysis, he was unable to determine if this was a pure Trojan, an altered legitimate program, or a Trojan masquerading as a legitimate program. However, Michael Toth, a regular contributor to The Hack Report, received a copy of the file and verified its destructive behaviour. Here are the archive contents:

|   Files in archive:         VIZ.DAT,  22426 bytes
|                             VIZ.COM,   3163 bytes
|                             VIZ.DOC,  65715 bytes
|                             VIZ.REG,   3676 bytes

|   What it's supposed to do: Accelerate video performance, as well as
|                             do a few utilities with the video display.

| Carl learned that when the VIZ.COM file is run, it renames VIZ.DAT to BE.EXE (a file from The Norton Utilities v6.X, known as Batch Enhancer). Next, it displays a configuration screen, then displays the string:

|      "Is this text in red? (Y/N)"

| At some point during all of this, it executes the system command FORMAT C: /Q /U, apparently suppressing the output and replacing it with the above string. This tricks the user into answering "yes" to the normal warning about all data on the non-removable drive being lost. John says that he was lucky in that he uses MS-DOS 6.0 and DoubleSpace, which prevented the normal FORMAT command from operating (a side benefit of DoubleSpace? Trojan protection? Interesting.).

| HW Bill Lambdin received a file for testing from Brian O'Sullivan. The file, SPORT21C, claims to be a serial port analyzer. It seems that Brian has located an infected copy of the program, possibly an isolated incident. The INSTALL.COM file in the archive is infected with a new variant of the Butterfly virus, which differs from the original in that it contains the text "Hurray the Crusades!", and that it infects .exe files as well as .com files. Bill provides the following information for users of Frisk's F-Prot and other scanners that allow for external scan strings:

|      "F-Prot 2.09 detects this virus as Butterfly in .COM files, but
|      misses it in .EXE files. Add this signature to F-Prot or other
|      scanners that allow the use of an external signature file.

|      Name:      Butterfly (Crusades)
|      Infects:   .COM and .EXE files.
|      Signature: B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C B4 1A BA

|      Remove the spaces between the HEX values when adding the signature."

| Martin Roesler (Martin_Roesler@nem.fido.de, 2:246/149) posted a message in the FidoNet VIRUS_INFO echo that was rather short and to the point. He stated that a file called BREAKARJ is circulating in Germany, and that it contains the Split virus. He ended by saying that Split is a simple COM infector, 250 bytes long, and can be detected with the following signature:

|      9CFC 8DB6 DF01 BF00 01B9 0200

| Short, to the point, and much appreciated.

Glenn Jordan (1:3641/1.201) reports on a "wave of Trojans down in Oklahoma" (or up in Oklahoma, depending on your geographical perspective). His contact originally came via Doug Taylor of the Vanishing Point BBS. According to Glenn, someone got a bunch of [IVP] produced viruses and a Trojan produced by a Trojan Construction Kit, then proceeded to upload them to quite a few systems. The only filename provided, however, was ZIPCHAP, which contained an ANSI bomb that redefined your spacebar to invoke an internal ZIPCHAP program (apparently infected - Glenn's copy was corrupted and wouldn't run). This ANSI bomb is a bit different from others that I have seen, but not unique in its method. It is stored inside the archive under the filename CON. In other words, it's actually a device bomb variant - turning off ANSI comments in PKZIP or other unpackers won't stop it, since it isn't part of the header. Instead, unpacking the file causes the device CON to be opened, and the bomb is written straight to it as a result.

HW Chris Wise received reports on two Trojans from Jim Deal (address not given).
The first, PRIN2UNP, claimed to be an "unprotect" for Prince of Persia 2, but appears to be a compiled batch file that does a good deal of damage. It starts by deleting everything in your C: drive root directory, as well as the directory C:\DOS. It then checks to see if you are running a BBS: if so, it deletes the files in your BBS directory. Finally, it looks for other drives in your system and deletes their root directories as well.

The second Trojan, VECTORS, was described as a Sound Blaster demo program. It was compressed with PKLite v1.15. This one simply deletes all files in your C: drive's root directory, but that is enough to make your system unbootable for a while. This wasn't a compiled batch file: however, Jim's report stated it contained some Borland BGI drivers, which indicates it had some graphics in it (apparently to show off). Jim says that both files came from the same place. I assume he meant they were both done by the same person, as both had a message inside that said, "Thanks for trusting F.*.C.K.S. INFORMER."

Rod Fewster (3:640/886) did a bit of detective work on a file claiming to be version 8.2 of Vern Buerg's LIST program, under the filename LIST82. He says he called Mr. Buerg to confirm the file, and verified that this is not a valid release. In fact, the file Rod received from one of his users is infected. His examination of the file shows it to be compressed with PKLite, using the "no unpack" option. Further, the documentation has been altered to look authentic, and the archive was packed with a PKZip -AV stamp which displays the text "Authentic files from Vernon D. Buerg" when unzipped. The only giveaways Rod could find were that the internal help screen date didn't match the filedates, and the copyright notice reads "1983-92". Rod says the file is infected with a variant of the Butterfly virus which he calls the FJM virus ("for want of a better name").
This virus infects .com files in the directory it is executed in by attaching itself to the end of a few files at a time, increasing each file's size by 305 bytes. The infected files then spread the infection. The virus does not attack COMMAND.COM, nor does it attack files "smaller than about 100 bytes." The virus does not show immediately inside of the LIST program, but the files it infects are detectable by VirusBuster v4.00.23, F-Prot, and TBAV in heuristic mode. VirusBuster can disinfect the infected files. Rod provided the following scan string that users of VirusBuster v4.xx can add to their VBTSR.DAT file:

     Butterfly/FJM ED ?12 96 ?10 96 ?0F DB ?08 BC ?02 BD ?04 ED ?02 DB

He says this will stop Butterfly and FJM dead in their tracks. Thanks for the report, Rod!

An extremely widely reported incident concerned Winfred Hu's Telemate program, v4.11. Winfred himself has confirmed that an internal self-extracting archive, VESA.EXE, which is part of the archive TM411-4, contains two files that are infected with the Butterfly virus. These files, in the archive subdirectory OAK, are 37VESA.COM and 67VESA.COM. The infection can be detected by F-Prot v2.08a. Winfred has since distributed a replacement archive, TM411-4A, which does not contain these files. (This has now been superseded by a new version, TM412-1 through TM412-4.) He has asked that anyone who has the infected archive delete it and replace it with the newest version. He also stresses that neither Telemate nor GIFLink (part of the Telemate package) is infected - only the two VESA drivers.

Winfred has since informed me via HW Richard Steiner that the same VESA drivers are present in the files GIFLK110 and GIFLK111. He has asked that these two archives be deleted and replaced with GIFLK112 (or the most current version). GIFLK112 has a README.TXT file which mentions the infected VESA drivers inside the v1.10 and v1.11 files. He also states that he has traced the infection back to an isolated incident of an infected copy of LIST77B. He was unable to say for certain where this copy originally came from.

Editorial - as I've said before, it takes a lot of courage for an author to publicly announce such a problem with their software. Winfred Hu is to be commended for his handling of this situation, and for the prompt action he has taken to resolve it.

Gary Marden (2:258/27) has located a Trojan version of a file that was quite popular last year - USRPATCH. This was originally distributed as a "patch" to the ROMs of a certain modem that would take advantage of a bug left in the ROM chips in order to upgrade the modem to faster speeds. However, this Trojan takes advantage of your system instead of your modem. At first look, it appears to be a mutation of the BILLNTED Trojan reported last year by David Elkins (2:254/78). Gary says that it acts more like the QOUTES Trojan reported later in this section. It displays the following messages once you invoke the internal USRPATCH.EXE file:

     Please wait, extracting user files.Bill'N'Ted have begun their bogus journey...
     Bill'N'Ted have begun their bogus journey.
     Looks like an Evil Robot Bill'N'Ted have trashed your drive, dude!

At this point, your prompt turns into a simple "C>". If you press Enter, your screen displays the message, "So long, suckers!", and then clears, leaving you with a system that is quite useless. Gary's test, performed on an MFM drive, resulted in a hard drive with the first 128 cylinders low-level formatted. This included the partition table, boot sectors, and FATs. Repair is not possible using FDISK alone, since the first 128 cylinders remain inaccessible. The only practical repair is to perform your own low-level format, followed by FDISK and a high-level format. Gary did not test this with an IDE drive, but I am willing to wager that he would have had the same results.
Repair would not have been as simple, however - unless you have some heavy-duty IDE utility software, you'd have to send your drive back to the manufacturer for a low-level format. Most bogus indeed.

HW Emanuel Levy forwarded a report from John Rose (1:106/6001) about FORUM30. The file, according to John, was "cleverly disguised as a 'new BBS package'...." However, John says it formatted both of his hard drives.

Andrew Barnhardt (1:247/301) forwarded a post from Dom D'amato (1:141/510) about an Amiga Trojan/dropper in circulation. The file, MCHECK, claims to be a modem test utility. However, the original reporter, Luca Spada (2:331/106.0), states that this file reports that your modem is "OK" even if no modem is attached to your system. Apparently, the Trojan monitors the keyboard for activity - if you leave it alone for 5-10 minutes, it begins to overwrite random tracks on your hard drive with endless obscenity. Luca says it can reduce all of your partitions to garbage in about 4 seconds. Another unidentified user reported that the Trojan looks for the presence of an antiviral background program called SnoopDos - if it finds it, it deactivates it. The archive contains these two files:

     Modemcheck.doc     2227 Bytes
     Modemchecker      15516 Bytes

Definitely sounds like one that Amiga users should avoid.

HW Ken Whiton forwarded a message from Wildnet user Kevin Tischler about an incident of a tampered version of the AVScan antiviral tool, AVSCAN83. This file supposedly contains an internal file called VIRUS.DAT, which is "sometimes unzipped" by the host program, leaving five files behind. These five files are 911.COM, YANKEE.COM, SYSLOCK.COM, ANTHRAX.COM, and "a program reporting to be an icon viewer/maker called rim300.zip." Kevin reports that MicroSoft AntiVirus (part of MS-DOS 6.0) was able to detect the infection - from the way it looks, the first 4 files are the real things.
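Two of the reports above describe checks a sysop can automate before unpacking an upload: the ZIPCHAP "device bomb" (an archive entry literally named CON, so an unaware unpacker writes it to the console device) and the plain hex scan strings quoted for the Butterfly (Crusades) and Split viruses. The following Python script is an added example, not part of The Hack Report or of any tool it names: it inspects a ZIP archive entirely in memory, flags entries whose base name is a DOS device name, and searches each entry's bytes for the quoted signatures. The sample archive is constructed, and its two "infected" entries contain nothing but padding plus the quoted signature bytes; the VirusBuster scan string with ? wildcards is not handled.

```python
"""Pre-extraction triage for BBS uploads (added example, constructed data).

Checks an archive for two things described in the report:
  * entry names that are DOS device names (CON, PRN, LPT1 ...), which an
    unpacker that opens the name for writing sends to the device itself;
  * plain hex signatures, such as the Butterfly (Crusades) and Split
    strings quoted in the report, anywhere inside an entry's contents.
"""
import io
import re
import zipfile

# Signatures quoted in the report.  parse_signature() accepts both the
# spaced-byte and grouped-word spellings used there.
SIGNATURES = {
    "Butterfly (Crusades)": "B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C B4 1A BA",
    "Split": "9CFC 8DB6 DF01 BF00 01B9 0200",
}

# Reserved DOS device names; "CON.TXT" or "SUB\CON" still resolve to the
# console under DOS, so only the stem before the first dot is compared.
DOS_DEVICES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

DEVICE_FINDING = "DOS device name (possible device bomb)"


def parse_signature(text: str) -> bytes:
    """Turn 'B4 4E ...' or '9CFC 8DB6 ...' into raw bytes; reject bad hex."""
    hexdigits = re.sub(r"\s+", "", text)
    if len(hexdigits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits):
        raise ValueError(f"bad signature: {text!r}")
    return bytes.fromhex(hexdigits)


def is_device_name(entry_name: str) -> bool:
    """True if the entry's base name (ignoring extension/path) is a device."""
    base = entry_name.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0].upper()
    return stem in DOS_DEVICES


def scan_bytes(data: bytes) -> list[str]:
    """Names of every known signature found anywhere in data."""
    return [name for name, sig in SIGNATURES.items()
            if parse_signature(sig) in data]


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each entry name to its findings; nothing is written to disk."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            hits = [DEVICE_FINDING] if is_device_name(info.filename) else []
            hits.extend(scan_bytes(zf.read(info)))
            findings[info.filename] = hits
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: a harmless text file, an entry named CON,
    and two dummy entries holding only padding plus a quoted signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", "Harmless text\r\n")
        zf.writestr("CON", "placeholder text, inert")  # name is the problem
        zf.writestr("INSTALL.COM",
                    b"\x90" * 40
                    + parse_signature(SIGNATURES["Butterfly (Crusades)"])
                    + b"\x90" * 8)
        zf.writestr("TOOLS/BREAK.COM",
                    b"\x00" * 16 + parse_signature(SIGNATURES["Split"]))
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage_zip(build_sample_zip()).items():
        print(f"{name:16} {'; '.join(hits) or 'clean'}")
```

Run as a script it lists each entry with its findings; on a real upload you would feed the archive bytes to triage_zip() and refuse to extract anything with a non-empty finding list.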
Ryan Thompson (1:124/2213) reports that one of his users found a file calling itself ARJ240, claiming to be the non-beta release of the next ARJ archiver. This immediately trips a flag, since the author of ARJ, Robert Jung, has publicly stated that there would never be a version with this number (due to an earlier hack by the same name). In any case, the file appears to be not merely a hack, but a simplistic Trojan. The program that was altered to do the damage was REARJ.EXE. When Ryan's user ran it, it copied a file called SINBAUD.EXE to the root directory and re-wrote the user's autoexec.bat file to invoke this file. The SINBAUD file, according to Ryan's inspection, contained "a few hard-coded CHKDSK messages, some stuff for displaying a fake DOS prompt", and a few other messages. He did not run the SINBAUD program, which is just as well - the overwrite of the autoexec.bat is enough to merit Trojan status.

As many of you might know, The Hack Report does not include listings of programs designed to "crack" or "register" other programs. I feel that these files don't need the free publicity that they would get from a listing in this report, and that the act of listing might make someone go out looking for a copy of one of them. (See Ray Bradbury's short story, "Downwind from Gettysburg," from the collection "I Sing the Body Electric!", for an insight to your Hack Squad's thinking on this subject.) However, a report from David Jones (1 @ 2950 WWIVnet, Internet address 87-2950@wwiv.tfsquad.mn.org) merits an exception to this rule. He has found a file called RPIT352C, a copy of the online game "The Pit" with a "special program that will automatically register it for you." Inside the archive is a README.COM file that is infected with the Leprosy virus. This is a good reason to not even download these "cracks" - you never know what you're getting into.

Rod Fewster (3:640/886) reported in the FidoNet VIRUS Echo on a file called TNN202 that he tested.
This file apparently contains at least 3 files named TNN.EXE, TNN.OV1, and TNN.OV2. TNN.EXE displays the following message:

     TNN Anti-Virus (C) 1992-1993 by Syn Labs Inc.
     Version 2.02. Configuring, Please wait....

At this point, the program renames TNN.OV1 to TNN1.EXE, and TNN.OV2 to TNN2.COM. According to Rod, TNN1.EXE is the "RABID" Trojan, while TNN2.EXE is the Beta 1 Trojan. RABID "whacks out your HD's boot sector," apparently filling it with a rather obscene message. The Beta 1 Trojan, on the other hand, executes the following sequence of commands:

     C:
     CD DOS
     DEL COMMAND.COM
     CD\
     DEL COMMAND.COM
     RENAME AUTOEXEC.BAT TEMP.BAT
     RENAME CONFIG.SYS AUTOEXEC.BAT
     RENAME TEMP.BAT CONFIG.SYS
     CD DOS
     DEL *.EXE

It then displays its own obscene message on your screen. Rod says that TNN.EXE then displays the following message (edited for television):

     GOODBYE D*******. Wave Ta-Ta to your hard disk. Next time, dont
     enter messages to a public echo if you have no idea what you are
     talking about. Love David Humes.

Rod's results show that TNN.EXE is simply a "loader" for the two Trojans, and not dangerous by itself. He also states that there are other files used to "pad out the archive," which are ancillary files from a program called VirusBuster v3.91. Thanks to Rod for posting his results. This was definitely a nasty little beggar of a Trojan.

HW Hinrich Donner forwards reports from Zone 2 of a "trainer" for the game Strike Commander which doesn't appear to act as it should. The archive was distributed under the filenames SCTRNUNT and SC-TRN.
SCTRNUNT contains the following files:

    !HIREZ   COM     6888  19.04.93  23:26
    SCTRNUNT EXE     6442  18.04.93  12:49
    UNT      EXE    11431  18.04.93  12:30
    SILVER   NFO       81  19.04.93  23:26
    SWIFT    NFO     3785  18.04.93  12:12
    UNT      NFO    11483  18.04.93  12:26

Note that the SC-TRN archive contents were not forwarded, but the following file size and description were:

    SC-TRN.ARJ    9129  Strike Commander - Trainer by [UNT]

The file which appears to do the damage, SCTRNUNT.EXE, does so by destroying your root directory, partition table, FAT1, and FAT2.

Teo Chee Kian (6:600/600) received a file called GIF_TSR which claimed to convert .gif files to "Photo-like Graphics." However, the file is actually a compiled batch file which seeks out and deletes all "important" files in your DOS, QEMM, WINDOWS, STACKER, and some other directories. It also deletes MSDOS.SYS, IO.SYS, COMMAND.COM, CONFIG.SYS, and AUTOEXEC.BAT - it calls ATTRIB.EXE to remove the hidden, system, and read-only attributes when necessary. Definitely a file to avoid.

Emmanuel Bataille (2:320/7) forwarded a message from Serge Ayotte (Internet, rider@geolser.login.qc.ca) about a possible isolated incident of an infected copy of the BNU FOSSIL Driver, version 1.88 beta (BNU188B). The archive Serge found was infected with the Screaming Fist 650 virus. Serge goes on to say that the infection is detectable by version 104 of McAfee's ViruScan, but not by version 102. Rod Fewster (3:640/886) reports that there are two other dangerous versions of BNU, under the filenames BNU200 and BNU202 (see also the "Hacked Files" section of this report). He says that they are identical except for differences in the documentation files and internal messages, and that both attack your hard drive's partition table and master boot record (MBR). Note that there is a real version 1.88 beta of BNU, but it was not intended for public release, according to the author of BNU, David Nugent. The latest official public release of BNU is v1.70.
HW Nemrod Kedem (2:403/138) reports that a new Trojan has been found in Israel, named RASPEED. He forwards the following archive information:

    Archive: RASPEED.ARJ
    Name         Length   Method   SF  Size now  Mod Date   Time      CRC
    ===========  =======  =======  ==  ========  =========  ========  ========
    RASPEED.EXE    29120  Comp-1   37     18242  21 May 93  08:51:14  B9717331
    RASPEED.DOC     4344  Comp-1   66      1443  21 May 93  12:46:36  194BB7EB
    FILE_ID.DIZ      611  Comp-1   57       262  20 May 93  10:13:48  0E680542
    ===========  =======  =======  ==  ========  =========  ========  ========
    *total 3       34075  ARJ 4   40%     21310  29 May 93  21:16:56

The program is aimed at RemoteAccess BBS Systems - it copies the USERS.BBS file over to a file called JACKLINE.GIF located in the first file area listed in your FILES.RA file. It also adds a description to the FILES.BBS file that reads "JACKLINE.GIF (640x480x256)". This program works with RA v1.11, but not with RA v2.00 gamma. A full text of Nemrod's results can be found in the file RASPEED.RES, part of the FILETSTS.LZH archive found in the archive version of The Hack Report.

David Snider, a user of Douglas Taylor's system (1:147/1077), reports via the FidoNet DIRTY_DOZEN echo on a file called BRE0911. Apparently, a file inside this archive called UPDATE.COM is infected with a virus (no name given) which David says is only detectable by MS-DOS 6.0's VSAFE program. The virus in question re-writes your COMMAND.COM file, adding to it slowly over a period of time: a fellow sysop who was infected for 8 days wound up with a COMMAND.COM file over 70K in size. According to David's report, there is a legitimate release of this program, under the filename BRE0910. He did not describe what the real program was, however, nor did he provide any archive statistics. All he said was that "nothing above BRE0910 is legal". Shawn McMahon (1:206/1701.66) says that this sounds like "Barren Realms Elite," a BBS door game.
Now, some info on a DEBUG script forwarded by Jack Cross (1:3805/13) from the FidoNet BATPOWER echo. The script, which has generated a great deal of discussion, created an archive (LZH) of the program TinyCache (filename TNYCACHE), claiming to be a small disk cache. As soon as the script was posted, folks started reporting symptoms of destructive activity: destroyed FATs and reformatted hard drives were reported after this program was run.

Prior to the publication of the April edition of this report, I made a feeble attempt at analyzing this program myself. However, as I have said before to folks who contact Hack Central Station, I'm a reporter, not an AV expert. So, I forwarded a copy of this script to HW Jeff White of The Pueblo Group for testing. Others ran their own tests, and still others forwarded the resulting archive for further testing. The reports (which are _far_ too numerous to credit in their entirety - please accept my thanks for your help!) had some similar results, but left some confusion as to what this file actually is.

All of the reports indicate that the unarchived file, TNYCACHE.COM, is compressed with PKLite and that the PKLite ID header was edited out of the resulting file. Once decompressed, McAfee's SCAN reported that the file was infected with the Taiwan3 [T3] virus, and Frisk's F-Prot detected the AntiCAD virus. This is where things get weird.

Bill Dirks (1:385/17) reported that there were two versions of the file - TNYCACHE.EXE and TNYCACHE.COM. He also said that the .exe version is actually a renamed copy of the SCCHECK Trojan, and that the .com version is "hacked to include a hacked version of the AntiCAD virus." Bill included the following scanner strings for use with McAfee's SCAN:

    "2BC00221200961642E6578652004"   Pklited-Anticad
    "46048B4E068B56088B5E0CCD261B"   Sccheck-Trojan

The second string can also be used with Frisk's F-Prot as a user string, as long as you inform the program that it is a .com/.exe infector.
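For readers who want to apply the scanner strings above without SCAN or F-Prot, here is a small user-string scanner. It is an added example, not code from The Hack Report, from McAfee Associates or from Frisk Software. It matches Bill Dirks's two hex strings anywhere in a file, exactly as a user-supplied external string is matched, and also supports a marker-at-fixed-offset rule of the kind given later in this issue for the BWE file ("BA" at bytes 4-5 of a .COM and 12-13 of an .EXE). The rule tables, function names and signature labels are the example's own, and the sample files are constructed in memory. As the TNYCACHE reports make clear, a PKLited file must be unpacked first: the string is only visible in the decompressed code. Note also that the tail of the Sccheck string (8B4E06 8B5608 8B5E0C CD26) loads CX, DX and BX from the stack frame and issues INT 26h, the DOS absolute disk write, which is why the string is worth keeping on its own.

```python
"""User-string scanner: find the hex scan strings posted above in files.

Added example (not code from The Hack Report, McAfee or Frisk).
Sample files are constructed below so the script runs offline.
"""
import os
import re

# Substring signatures: hex strings as posted for McAfee SCAN / F-Prot user strings.
# The tail of the Sccheck string (8B4E06 8B5608 8B5E0C CD26) loads CX, DX and BX
# from the stack frame and issues INT 26h, the DOS absolute disk write.
SUBSTRING_SIGS = {
    "Pklited-Anticad": "2BC00221200961642E6578652004",
    "Sccheck-Trojan":  "46048B4E068B56088B5E0CCD261B",
}

# Fixed-offset markers: (name, extension, zero-based offset, bytes).  These two
# entries are the BWE report's test: "BA" at bytes 4-5 of a .COM, 12-13 of an .EXE.
OFFSET_SIGS = [
    ("YAM-marker-COM", ".com", 3, b"BA"),
    ("YAM-marker-EXE", ".exe", 11, b"BA"),
]


def parse_scan_string(text):
    """Turn a quoted hex scan string into bytes; reject anything that is not hex."""
    hexstr = text.strip().strip('"').replace(" ", "")
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
        raise ValueError("not a hex scan string: %r" % text)
    return bytes.fromhex(hexstr)


def scan_bytes(filename, data):
    """Return [(signature name, offset)] for every rule that matches `data`."""
    hits = []
    for name, hexstr in SUBSTRING_SIGS.items():
        pattern = parse_scan_string(hexstr)
        start = 0
        while True:  # report every occurrence, not just the first
            pos = data.find(pattern, start)
            if pos == -1:
                break
            hits.append((name, pos))
            start = pos + 1
    ext = os.path.splitext(filename)[1].lower()
    for name, sig_ext, offset, marker in OFFSET_SIGS:
        if ext == sig_ext and data[offset:offset + len(marker)] == marker:
            hits.append((name, offset))
    return hits


def scan_file(path):
    """Scan a file on disk (unpack PKLited files first, or the string stays hidden)."""
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read())


# Constructed samples, not real files: a harmless COM stub, an EXE carrying the
# Sccheck bytes at offset 42, and an EXE with "BA" at bytes 12-13.
SAMPLES = {
    "CLEAN.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 16,
    "TNYCACHE.EXE": b"MZ" + b"\x00" * 40
                    + parse_scan_string(SUBSTRING_SIGS["Sccheck-Trojan"]) + b"\x00" * 8,
    "BWE.EXE": b"MZ" + b"\x00" * 9 + b"BA" + b"\x00" * 20,
}


def scan_samples():
    """Scan every constructed sample; returns {filename: hits}."""
    return {name: scan_bytes(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, "->", hits or "clean")
```

A two-byte marker at a fixed offset is a weak test and will occasionally fire on a clean file, which is why the BWE report itself only says "chances are" you are infected; the 14-byte strings are far less likely to collide. Either way, a hit is a reason to pull the file apart, not a verdict.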
However, Bob Stettina, a user at 1:382/77, had a different analysis of this file, based on a report he says he received from Spencer Clarke of McAfee Associates. Bob also decompressed the PKLited .com file and received a Taiwan3 [T3] report from McAfee's SCAN v102. After this, he uploaded the file to McAfee Associates. The report received from Mr. Clarke said, according to Bob, that this file is "a unique/new Trojan, and it is *NOT* actually infected with a virus: rather, this Trojan includes a segment of code that is accidentally 'recognized' by SCAN as the Taiwan3 virus." The report also stated that other scanners gave off false alarms on this file. Finally, Bob goes on to say that this file does not replicate: since the ability to reproduce is part of the basic definition of a virus, Bob concludes that this one fails that test and is therefore a Trojan.

HW Jeff White's test results tended to agree with the majority of the reports: the .com file was simply infected with the Taiwan3 [T3] virus, and was capable of being "cleaned" by McAfee's Clean-Up v102. This has been a fascinating study in program analysis.

Unfortunately, the story does not end here. Oliver Bladek (1:134/49) has found the file posted as an archive on a BBS under the filename TNYCACHE. The file exhibited the same symptoms reported above. It would seem, therefore, that whatever the program actually is, be it virus, Trojan, or whatever, it has been re-created from the DEBUG script by someone, not run on their system, and later absent-mindedly uploaded as an archive to a BBS. If you see this file, make sure it's the same one we're talking about here: if it is, delete first and ask questions later.

Andy Thomas (1:125/217) forwarded a report from Allan Thomas (Smartnet Virus Conference) about an infected copy of the archive BBSLAWS. The archive contained two files - NEWLAWS.TXT and README.COM. The .txt file seemed to be for real, but the .com file was another story.
According to Allan, the program displays the following message just before it locks up your system:

    "Install v1.0 (c) Vivid Imaginations, Ltd. All rights reversed."

As Allan points out, note the spelling of the last word in the above quote: quite subtle. The damage you will find after you reboot is not so subtle, though - the program at least overwrites your MBR and 1st FAT, deletes itself, and overwrites the remnants of itself with garbage to hide the evidence. When it overwrites itself, it writes enough bytes to cover every sector it used to occupy, resulting in a write of more bytes than the original file size.

Paul Harney (1:107/579) forwarded a message from a user, Rod Fewster, concerning a sighting of something claiming to be PKZip v2.04I. The file, a self-extracting archive called PKZ204I, shows a "valid" authenticity verification on unpacking. However, Rod says both the internal files PKZIP.EXE and PKUNZIP.EXE "whack out your CMOS settings totally as soon as they're run." No other damage was reported. Here are the vital stats, as provided by Rod:

    "Archive date is 02-22-93 20:35.
    "All files are dated 02-22-93 02.04 except pkunzip.exe which is
    dated 02-22-93 20:34."

Rod also provided a comparison between v2.04g and this file's executables:

    "v2.04g filesizes are:
        pkzip.exe      42166
        pkunzip.exe    29378
    v2.04i filesizes are:
        pkzip.exe      42186
        pkunzip.exe    29398"

Chuck Gustafson (1:2201/33) forwarded to the FidoNet echo DIRTY_DOZEN a report from Brian Buchanan (Brian Buchanan #1 @8251 VirtualNET) about the file FDFORM. This appears to be an isolated incident of a Trojan version of the legitimate program FDFormat. The .zip archive was only 13106 bytes long, and contained the files FDOCS.PAK (317 bytes), FDFORMAT.PAK (11366 bytes), and FDSETUP.BAT (174 bytes). The .bat file contains the following commands:

    @echo off
    cls
    echo Analizing system configuration...
    @echo off
    ren fdocs.pak fd.exe
    echo Unpacking files...
    echo (This may take a few minutes)
    fd c:\
    fd d:\
    fd e:\

The problem here is that the file FDOCS.PAK is actually a renamed copy of a program called NHUE, which according to Brian is a utility that deletes all files and sub-directories in the directory specified on the command line. If you look at what happens in the .bat file, you'll note that NHUE, originally renamed FDOCS.PAK, is re-renamed to FD.EXE and is called for drives C: through E:, potentially wiping out everything on these drives.

Lee Noga (1:3618/23), apparently one of the folks associated with the PowerPak Gold '92 Shareware CD-ROM disk, asked that I help warn folks of a Trojan file on their disk called MWARS20. This file, which has been seen in other locations, contains two files, DEMO.EXE and READTHIS.COM, which appear to be the main culprits. According to a report from Scott Catterill (Intelec PC-Security conference, via HW Bill Lambdin and based on info from Dave Comeau), both files contain the following text:

    eat this. REVENGE!. Melting Memory!. Maybe next time, you won't
    steal people's Passwords and get them ****** off at you... I hope
    you backed up your hard drive!

Scott says both will try to low-level format your hard drive. However, according to Lee Noga's report, the program acts a bit differently. The copy on the PowerPak CD-ROM contains the following files:

    MWARS.BAT         128  07/17/92
    MWARS20.EXE     15864  02/15/92
    MWARS20.DOC      2058  07/17/92
    NOTE.DOC          309  01/01/80
    YANG.ME           121  07/17/92
    INSTALL.EXE     39080  06/14/90
    DEMO.EXE         5470  04/22/90
    DOMENOW.COM       937  09/24/90
    READTHIS.COM     5470  04/22/90

Lee says the program does its damage via the .bat file, via DEMO.COM, and via DOMENOW.COM - all three are dangerous, as they will scramble your hard drive's FAT table. The same message as Scott reports will appear, but if you reboot during its display, you may be able to abort the Trojan's damage. Lee also notes that the game itself was untouched: if you don't invoke it via the .bat file, it will run just fine. Bizarre.
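Before running something like FDSETUP.BAT or the MWARS20 batch file, a practitioner would want to look inside it first. The triage script below is an added example, not code from The Hack Report or from any utility it names. It extracts printable strings and flags destructive DOS commands (FORMAT, wildcard DEL, ATTRIB stripping protection bits, a REN that turns a data file into an executable, as with the FDOCS.PAK to FD.EXE trick above), INT 13h and INT 26h opcodes (BIOS disk services and the DOS absolute disk write, the CD26 bytes that also end the Sccheck scan string above), and ANSI.SYS key-redefinition sequences of the kind ANSI bombs use. The command list, regular expressions and sample inputs are the example's own constructions.

```python
"""Pre-execution triage of a downloaded DOS file (batch, COM, EXE or ANSI).

Added example, not code from The Hack Report or any tool named in it.
Sample inputs are constructed below.
"""
import re

MIN_STRING_LEN = 5
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# (pattern, label): commands a "trainer" or "installer" has no business running.
DANGEROUS_CMDS = [
    (re.compile(rb"\bFORMAT\s+[A-Z]:", re.I), "FORMAT of a drive"),
    (re.compile(rb"\bFDISK\b", re.I), "FDISK"),
    (re.compile(rb"\bDEL(?:ETE)?\s+\S*\*\.\*", re.I), "wildcard DEL"),
    (re.compile(rb"\bDELTREE\b", re.I), "DELTREE"),
    (re.compile(rb"\bATTRIB\b.*-[RSH]", re.I), "ATTRIB stripping R/S/H bits"),
    (re.compile(rb"\bREN(?:AME)?\s+\S+\s+\S+\.(?:EXE|COM)\b", re.I), "rename to executable"),
    (re.compile(rb"\bCOMMAND(?:\.COM)?\s*/C\b", re.I), "COMMAND /C shell-out"),
]

# CD 13 = INT 13h (BIOS disk services), CD 26 = INT 26h (DOS absolute disk write).
DISK_INTS = {b"\xcd\x13": "INT 13h", b"\xcd\x26": "INT 26h"}

# ANSI.SYS key reassignment: ESC [ code ; "string" ; ... p  (final byte 'p').
ANSI_REMAP_RE = re.compile(rb'\x1b\[(?:[0-9]+|"[^"\x1b]*")(?:;(?:[0-9]+|"[^"\x1b]*"))*p')


def printable_strings(data):
    """Runs of printable ASCII, like the Unix strings(1) tool."""
    return STRING_RE.findall(data)


def triage(data):
    """Return [(kind, label, evidence)] for everything suspicious in `data`."""
    findings = []
    for s in printable_strings(data):
        for rx, label in DANGEROUS_CMDS:
            if rx.search(s):
                findings.append(("command", label, s.decode("latin-1")))
    for opcode, label in DISK_INTS.items():
        count = data.count(opcode)
        if count:
            findings.append(("disk-int", label, "%d occurrence(s)" % count))
    for m in ANSI_REMAP_RE.finditer(data):
        findings.append(("ansi-remap", "key redefinition", m.group(0).decode("latin-1")))
    return findings


def triage_file(path):
    """Triage a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples (not real files): the FDSETUP.BAT sequence from the
# report above, a PASSPRO-style compiled-batch fragment, a code stub that
# writes 255 sectors from sector 0 via INT 26h, an ANSI file that rebinds a
# key to "debug", and a harmless text file.
SAMPLES = {
    "FDSETUP.BAT": (b"@echo off\r\ncls\r\necho Analizing system configuration...\r\n"
                    b"ren fdocs.pak fd.exe\r\necho Unpacking files...\r\n"
                    b"fd c:\\\r\nfd d:\\\r\nfd e:\\\r\n"),
    "PASSWORD.COM": (b"\x00/C REN pass.pa1 pa.exe\x00pass.pa2\x00/C DEL c:\\*.*\x00"
                     b"pass.pa2\x00/C DEL c:\\dos\\*.*\x00pass.pa3\x00FORMAT c:\x00/C CLS\x00"),
    "WIPE.COM": b"\xb0\x03\xb9\xff\x00\xba\x00\x00\xcd\x26\xcd\x20",
    "ART.ANS": b'\x1b[1;31mHello\x1b[0m\x1b[68;"debug";13p',
    "README.TXT": b"This is a harmless text file.\r\n\x1b[2J",
}


def triage_samples():
    """Triage every constructed sample; returns {filename: findings}."""
    return {name: triage(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(name, "->", findings or "nothing flagged")
```

This is a heuristic, not a scanner: the renamed NHUE inside FDFORM is not recognised as such (which is why the rename rule exists), and a stray CD 26 can occur in ordinary data. Treat a hit as a reason to disassemble the file, not as proof, and a clean result as no guarantee.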
(Editorial - I appreciate the effort taken by vendors to inform the public of a problem with their product. Even if the publicity hurts sales, the loss can't be worse than the potential loss caused by a perception that a company doesn't care about whether or not their product is dangerous. This is not an indictment of _any_ company or author: it is merely intended to encourage companies and authors to report attacks against and/or problems with their products as soon as they learn of them. My life would be _so_ much easier. <g> -lj)

Tom Guelker (1:2250/26) posts in the FidoNet DIRTY_DOZEN echo a report of a Trojan called SINBAD. It claims to be a file transfer protocol utility, but it actually throws your system into a perpetual loop by overwriting your AUTOEXEC.BAT file. The new AUTOEXEC.BAT (as well as SINBAD.EXE) becomes read-only and invokes SINBAD.EXE, which again overwrites AUTOEXEC.BAT with the same info (apparently turning off the read-only bit first <?>), etc. ad nauseam. Definitely sounds irritating, but not dangerous unless you don't have a copy of your original AUTOEXEC.BAT file: you can bypass the loop by booting from a known clean, write-protected system disk, and then use a utility such as the MS-DOS 4.01 and above ATTRIB.EXE to remove the read-only bit. This will allow you to delete the offending .bat file and replace it with a copy of your original, or to re-write it if you didn't have a backup.

Henry Shaw (1:261/1177, via Jack Cross, 1:3805/13) reports on TAGCRASH, a supposed utility or crack of some sort for TAG BBS systems. Henry says the archive contained the internal file TAGUTIL.COM, which started off in your \BBS directory and "worked its way through the obvious choices of \TAG and \MULTI till it found all the .DAT files, .LST files and everything else that pertained to a TAG board." These files would be deleted when found. An easy way to trash a TAG system, Henry says.
HW Richard Steiner forwarded a message from the ILink Shareware_Support conference by Bob Feldman concerning an archive named HSDIAG. Bob stated that this file is a Trojan. Bob posted further details on the ILink Virus conference (forwarded by HW Bill Lambdin), and also sent a copy of the file to R. Wallace Hale, SysOp of the Driftnet BBS ((506)325-9002). Mr. Hale did preliminary testing of the file, and was able to determine that it will at least try to overwrite the first 255 sectors on the first eight drives in a system, including floppy drives. For the full text of Mr. Hale's report, as forwarded by HW Bill Lambdin and James FitzGibbon (1:250/301), please obtain the archive version of The Hack Report and see the file HSDIAG.RES, located inside the internal archive FILETSTS.LZH.

HW Jeff White received a file for testing called ANSIVIEW.COM, which has apparently been seen inside a couple of archives, most often ANSI collections. The copy Jeff received for testing is infected with the AIDS [N1] virus, and cannot be disinfected by either McAfee's Clean-Up or the AIDSOUT utility. The infection is detectable by McAfee's SCAN. Yet another of The Hack Squad's 2048 reasons to check everything you download for viruses.

HW Scott Raymond has cleared up a discrepancy that I had in previous reports concerning the file BWAVE_3. This was listed as a hack of the Blue Wave Offline Reader, but according to the report received by Scott from a user in Australia, the file is actually a Trojan. The user in Australia reported that the Trojan trashed partitions and boot sectors, in addition to attacking RemoteAccess BBS data files. According to Scott, this is the same file reported by Frans Hagelaars (2:512/2). Please note that this Trojan was discovered prior to the release of BWAVE212, version 2.12 of the reader. More Australian sightings come from Greg Miller (3:711/454), via HW Emanuel Levy, and Nigel Hunt (3:712/218).
No archive name was given, but the file again claimed to be version 3.0 of Blue Wave. It didn't exhibit any dangerous behaviour, but it does seem to at least be related to the above file: it doesn't do QWK packets (v2.12 does), and it has no delay screen for unregistered users.

Vincent Aniello (aniello@gauss.rutgers.edu) reported a "back door" for use when logging onto Renegade BBS systems. This file, RGBACKDR, claims to allow you to log onto any Renegade board with SysOp privileges. Instead, it makes a beeline for several key files on _your_ system and deletes them. For the full text of the test results, as performed by HW Jeff White of The Pueblo Group, see the file RGBACKDR.RES in the archive FILETSTS.LZH, found in the archive version of The Hack Report.

Maynard Marquis (1:141/328) forwarded a message to the FidoNet Int'l Echo WARNINGS from Joel Lambert about a file called TW-CHEAT. This claims to be a cheat file for Tradewars 2002, and contains the following files:

    TW-CHEAT EXE     6306  03-09-93   9:47p
    SIN      COM      535  03-09-93   9:47p

He did not say which file he ran, but one of these displayed "some unrelated menu" and then returned to DOS. Apparently, Joel later rebooted, at which point the BOOTSAFE program (part of Central Point Antivirus) reported that his system had been infected with the Tequila virus. Fortunately, he was able to remove the infection. He hopes. I hope so too, for his sake.

Michael Heinbockel (2:242/316) found a file on a BBS in Hamburg, Germany, called PARITY. This file renames your AUTOEXEC.BAT file to AUTOEXEC.BAK, creates a new AUTOEXEC.BAT file with the single line C:\DOS\PARITY.EXE, and then tries to copy itself to your C:\DOS\ directory. It usually hangs the system during the copy attempt, resulting in the file not being copied. It may be a Trojan that doesn't work, but it is still a Trojan.

Several reports came in on yet another Trojan attack against McAfee's SCAN - this time, under the filename SCANV103.
The first report came via Eugene Woiwod (Eugen_Woiwod@mindlink.bc.ca), and full test results were later received from Bill Logan of The Pueblo Group (via HW Jeff White). As a result of this Trojan, McAfee Associates decided to skip version number 103, using number 104 as the release which followed SCANV102. For a full text of Bill's test results, see the file SCANV103.RES in the archive FILETSTS.LZH, found in the archive version of The Hack Report.

Staale Fagerland (staale.fagerland@euronetis.no) reported a file called CES_402, which claimed to be an antiviral program. However, the archive contains two files (CES.COM and DONT_!) which are quite suspicious. Staale ran the CES.COM file through a program called CHK4BOMB and discovered that it uses ROM BIOS routines for direct disk access. The file DONT_! contains several messages that relate to corrupting your FAT, partition table, etc., and the message, "Mate(s), it simply makes sense, make a backup...".

Ashley Kleynhans (5:7101/55) reports a Trojan called DREAMDEM, which claims to be a demo of some sort by a computer group. According to Ashley, the group named in the file descriptions is not responsible for creating this Trojan. When run, the file displays several messages, including ones like, "found PC Speaker," "Found porno GIFs," etc., and finally asks whether or not you have a sound card. Ashley answered Yes to this question, and received the response, "OH by the way, I trashed your hard disk about a minute ago." Ashley immediately did a DIR command on the C: drive and saw no immediate damage. However, the entire disk was gone after a system reset. Ashley says this is because the Trojan deletes both your hard disk partition table and your boot sector. I'm not sure if this is right, but I wouldn't want to try it out on my system to verify Ashley's findings.
Here is the internal file info:

    CHECKANS COM     3585  03-10-93   2:43p
    VGADEMO  EXE     8892  04-17-93   7:45p
    START    BAT       17  04-17-93   1:33p

Ian Douglas (5:7102/119) forwarded further information on what appears to be the same file from a report by Shane Greyvenstein (5:7102/119). This file, called VGADEM1, apparently managed to delete a lot of Shane's files before he could stop it: fortunately, it doesn't appear to have trashed Shane's disk. However, Shane's test revealed that the file was written using two packages called "IntroMaker v3.0" and "Mod-OBJ," but that the files are encrypted so that the copyright messages for these two packages are not visible until after they are decrypted by the host program.

Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his system was "taken down" by a file called DRAGON. It claimed to be a Public Domain VGA and Sound Blaster supported game. No symptoms were reported, except that he had to reformat his hard drive. Penny Nebrich (1:369/101) confirms this, saying that the program that was affected was one called Dragon's Shard. She states that it "created what looked like infinite subdirectories with binary names of I think it was a dir name of 8 chars. McAfee's scan and Virucide just got stuck in an infinite loop. I had to reformat my drive." Bill Roark (RIME Shareware conference, via HW Richard Steiner) verifies that there is a legitimate file called Dragon's Shard, available under the filename DRAGON21. He also states that the real program is not public domain, but shareware instead. So, what we have here would seem to be a pair of isolated incidents of an altered version of a legitimate program. As the documentation Bill forwarded states, if you feel you have an altered copy of the program, contact the publishers with your information.
They can be reached at:

    Bit Brother Software
    c/o Michael Ramsey
    #2 Winged Foot Way
    Littleton CO 80123

Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2. In what might be an isolated incident, Josh says the file claimed to be a "really cool game, VGA gfx and SB sound." However, the INSTALL program destroys hard disks. Bob Seaborn received a copy of this file and forwarded it to me - I in turn forwarded it to Bill Logan and HW Jeff White for testing. As it turns out, there is an internal file called SETUP.EXE that is identical, byte for byte, with the file INSTALL.EXE. Both will trash your hard drive with amazing speed, according to HW Jeff White. Also, the file PHYLOX.EXE is flagged as a possible infected file. For a full text of the test results, see the file PHYLOX.RES in the internal archive FILETSTS.LZH, found in the archive version of The Hack Report.

Ryan Tucker (1:290/10) forwards a message from a fellow SysOp, Robert Pedersen, about ASM2PAS. This claims to create Pascal source code from an .EXE file. However, from text inside the executable, it appears that this program tries to delete your DOS directory. It also brags about a certain anti-viral scanner not being able to detect it. Valid point, that: practically _no_ anti-viral tools detect Trojans, with the exception of Frisk's F-Prot and one or two others. Even then, the Trojan detection is not complete. Your best protection against Trojans is a religiously maintained set of backups, preferably done after a check for viruses on your hard drive(s).

HW Richard Steiner forwarded a message from the America OnLine GEOWORKS forum about the file GEOCOMM. The message, from "GW Steve" (a "GeoRep", according to Richard), came from a user of GeoComm named J. S. James, and warned that this archive contains a hacked version of the original GeoComm program.
The file claims to be an "update," but it seems to be a Trojan which will damage your File Allocation Table (FAT). Not a file to be kept around, it would seem.

HW Bill Lambdin reports on LAW22 (no description), which contains the following files:

    Length  Date      Time   CRC-32    Attr  Name
    ------  ----      ----   --------  ----  ----
     22911  02-24-93  14:13  a4b84cc7  --w-  ABOUT.COM
     13422  02-24-93  14:44  8f0d1e96  --w-  INFO.EXE
       126  02-24-93  14:50  68c9463a  --w-  DESC.SDI
    ------                                   -------
     36459                                   3

Bill says that ABOUT.COM contains a virus. Scan 102 labels it as BA101, which is a 160 byte-long .COM file infector. This could be an isolated incident of an infected legitimate file, so thoroughly check any such file you find that has the above files in it before you kill it.

Another report from Mr. Lambdin concerns a file that a user in the Intelec PC-Security conference sent to him, called PCS204 (PC-Sentry v2.04). Bill's tests show that this copy of the archive contains two files, INSTALSW.COM and EVERYDAY.COM, that are infected with a non-resident "companion" virus that utilizes the Mutation Engine. It also contains the file PCS.EXE, which is infected with a virus created by a virus-writing group's "Mass Produce Code Generator."

Bill also reports that our old friend, the Power Pump virus, has resurfaced inside a file called FX2. Here's the archive info:

    Length  Date      Time   CRC-32    Attr  Name
    ------  ----      ----   --------  ----  ----
     25846  01-01-92  00:00  2635e28a  --w-  FX2.EXE
      1199  01-01-92  00:00  f61885bd  --w-  FX2.COM
     17354  01-01-92  00:00  02eac55c  --w-  POWER.EXE
      1007  01-01-92  00:00  139e1291  --w-  FX2.DOC
    ------                                   -------
     45406                                   4

The giveaway here is the file POWER.EXE. For a full documentation of the Power Pump virus, please see the 1992 Full Archive Edition of The Hack Report (filename HACK92FA), available from most official distribution sites.

Travis Griggs (1:3807/8) forwarded a report from a local board called The Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen.
The message referred to a file called BOUNCE, which she said was infected with the Beeper (Russian Mirror) virus. The file, according to Travis, claimed to be a game. Travis has now forwarded the file information on this archive:

    Filename      Original   DateTime modified  CRC-32    Attr  BTPMGVX
    ------------  ---------  -----------------  --------  ----  -------
    BOUNCE.COM         4053  80-01-01 00:02:04  35C562AF  A--W  B 1
    BOUNCE.DAT       119101  92-11-20 23:16:10  247712A8  A--W  B 0
    BOUNCE.DOC          348  92-11-20 23:21:46  B28557FE  A--W  B 1
    ------------  ---------
    3 files          123502

Geoffrey Liu (1:229/15) reports in the FidoNet WARNINGS echo on a file called BWE. This claims to provide a "quick and easy way to exit Windows." Geoffrey forwards this file info and disassembly report from John Eady (1:229/15, john.eady@canrem.com):

    Name          Length    Mod Date   Time      CRC
    ============  ========  =========  ========  ========
    LICENSE.TXT       2656  14 Feb 93  22:01:14  46B50814
    ORDER.TXT         2335  12 Feb 93  12:00:18  9D1A705E
    README.TXT        3565  14 Feb 93  23:08:08  3EA7548E
    BWE.EXE          19517  14 Feb 93  23:02:34  F1729CA4
    ============  ========  =========  ========  ========
    *total 4         28073  14 Feb 93  23:08:08

"After debugging part of the virus, the following text appears (encrypted) in the infected program:

    It's time for a math test curtesy of YAM!
    And the question is...
    What is 00 + 00 =
    WRONG!!!! TRY AGAIN!
    Admiral Bailey

"This virus is self-encrypting, but does not use any stealth techniques (as far as I've seen). It doesn't appear to infect the boot record, or the boot partition record. It does not appear to infect .SYS files, or .OV? files.

"If you feel you have been infected, examine any EXE or COM files that you believe are infected. Check the 4th and 5th bytes in a COM file for the characters "BA". Check the 12th and 13th bytes in a EXE file for the characters "BA". If you find a file like this, chances are you have been infected."

Mike Wenthold (1:271/47) found a program under the filename GS2000 which contained the VCL 3 [Con] Virus.
The archive contains the following files:

    Length    Date       Time    CRC       Filename
    ========  =========  ======  ========  ============
        1984  22-Dec-91  01:40p  3527B16B  GS2000.COM
         543  22-Dec-91  01:58p  DB83A2C0  GSUNP.DOC
    ========  =========  ======  ========  ============
        2527  2 files.

The compression method (on this ZIP archive) was not included in his data. According to Dave Lartique (1:3800/22) and Chris Gramer (1:271/47), the program is an "unprotect" for MicroProse's game Gunship 2000. This appears to be another isolated incident of an infected legitimate file.

William Gordon (1:369/104) reports BEV105, a file that claims to be a "Beverly Hills 90210 Adventure Game." This file contains 8 files, but two seem to be the real culprits: DORINFO.DIR and INSTALL.COM. The installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it. This program asks for some sort of wildcard according to William, then proceeds to delete everything on your drive that matches that wildcard. However, it doesn't stop there: it continues on and deletes all .bat, .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files. William also says the file "comes with the following virii: Bootkill and Genesis." A copy of this file was sent to Mr. White and Mr. Logan, who were able to confirm the behaviour that William reported. For the complete results of their test, see the file BEV105.RES in the FILETSTS.LZH archive, included in the archive version of The Hack Report.

Another report from Bill concerns a file he located called TAXTIP93. This archive contains a file called TAXTIP93.DAT, which the executable file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and WINDOWS directory. The new MOUSE.COM is infected with the ADA virus.

Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which was described with a very short line ("'Password,' or some other short word," according to Brian).
The archive contained these files:

    PASS    .PA1
    PASS    .PA2
    PASS    .PA3
    PASSWORD.COM

Brian looked inside the .com file, which he says looks like a compiled batch file, and found these strings/commands:

    Please Wait While Loading; It may take in between 30seconds to
    5 minutes To unshrink nessessary files
    Please Turn off Screen, and wait for the beep. If You do not, your
    screen might not function the way it should.
    Turn Off Screen now, and press the space bar.
    /C REN pass.pa1 pa.exe
    pass.pa2
    /C DEL c:\*.*
    pass.pa2
    /C DEL c:\dos\*.*
    /C REN pa.exe pass.pa1
    pass.pa3
    FORMAT c:
    /C CLS

As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program. PASS.PA2 contains the single letter 'Y', and PASS.PA3 contains the single word 'Yes'. From the way they sit next to the DEL and FORMAT commands, these two files are presumably fed to those commands as the answers to their "Are you sure?" and "Proceed with Format?" prompts. From the looks of things, this turns out to be a multipartite Trojan that attempts to format (what else?) your hard drive.

Another multipartite Trojan was spotted by James Frazee (1:343/58), under the filename ADD_IT. It contains these files:

    Name of File     Size    Date
    ADD_IT.ARJ      40888    02-11-93
    =======================================
    ADDIT1   DAT    34283    07-20-91   2:13a
    ADD_IT   ANS      646    02-11-93   8:31p
    ADDIT2   DAT    20634    04-09-91   5:00a
    ADDIT    DOC      177    02-11-93   7:28p
    ADDIT    COM     1391    02-11-93   8:14p
    ADDIT3   DAT      138    02-11-93   8:13p
    THEDRAW  PCK      650    02-11-93   8:31p

When run, ADDIT.COM merges the three .DAT files into an .EXE file. The end result was that the program deleted all of the files in the directory in which it was run.

John Balkunas (1:107/639) forwards information on GIFCHECK. He reports that Lance Merlen (1:107/614) received an upload of this file, which, when checked with McAfee's ViruScan v100, reported over 5 viruses in the files in the archive. No internal archive data was provided, so it is hard to say whether or not this is an isolated incident.

Zack Jones (1:151/173) reports a file called GAGS which was seen in the San Antonio area.
The file, described as "Some Christmas practical jokes," was analyzed by Bill Dirks (1:385/17) and confirmed as a Trojan. The program grabs control of several interrupt vectors, including the critical error handler. The only way to stop it once it starts is to hit the reset button or power down. When invoked, it displays a countdown from 8 to 0, which corresponds to drives H through A, in that order. For each found drive, it overwrites the first 255 sectors with random data from a block of memory. To add insult to injury, if drives B and A are empty, you are prompted to insert disks (so that they can be trashed as well). After this, the Trojan displays a message saying something like, "the disk was trashed but it's only a joke and they are only kidding." It then prompts you to reboot, which is rather hard to do unless you have a bootable "panic disk" floppy on hand - you certainly won't be able to boot from your HD.

Bill says that if your HD is smaller than 60 megs, you're better off trying to recover your disk from scratch. Between 60-120 megs, you have a better chance of recovery via disk utilities: over 120 megs, you should be able to accomplish a complete recovery if you're careful and you know what you're doing.

Bill posted the following scan string that can be used to detect this Trojan - if your scanner can use external strings, be sure to read the instructions carefully before trying to add this:

    9A46027205B003B9FF00BA0000CD26

(The tail of the string decodes to MOV AL,03h / MOV CX,0FFh / MOV DX,0 / INT 26h: a DOS absolute disk write of 255 sectors starting at sector 0, which matches the damage Bill describes.) If your scanner requires a name for the string, Bill suggests using "AlamoXmasTrojan."

This Trojan report comes from an article in MacWeek magazine, Volume 7, Number 2, issued January 11, 1993. The article, posted in the FidoNet VIRUS_INFO echo by Robert Cummings, states that a program called CPro 1.41.sea, claiming to be a new version of Compact Pro (a Macintosh shareware compression utility), will reformat any floppy in drive 1 and tries to reformat the user's start-up hard drive when launched.
The file can be identified by a 312K sound resource file called "log
jingle," which is digitized sound from the Ren and Stimpy cartoons.

Other previously reported Trojans:

Filename  Claimed use/Actual activity/Reporter(s)
========  ==============================================================
AANSI100  Claims to add Auto-ANSI detect to Telegard BBSs - contains
          something called the "Malhavoc Trojan," which displays a verse
          from a Toronto band and attacks files/sectors on drives C:
          through F:. Reported by HW Todd Clayton and by George Goode
          (1:229/15).

ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
          Doodle and AntiChrist viruses. Can trash hard drives as well
          through Trojan behaviour. Reported by Bill Dirks (1:385/17),
          and under the filename RUNME by Stephen Furness (1:163/273).

AVENGER   Advertised as an "amazing game that supports all kind of sound
          cards...." Contains 2 internal password-protected .ZIP format
          files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by the
          program to the files RUNTIME1.COM (N1 virus) and RUNTIME2.COM
          (Anthrax virus). From Reinhardt Mueller, via HW Bill Lambdin.

BATMAN    No claim reported - searches your DOS path and tries to "delete
          the executable file that loads WildCat BBSs." Reported by
          James Powell (Intelec PC-Security Conf.), via HW Bill Lambdin.

CHROME    Possible isolated incident - contains a file, FGDS.COM, which
          contains text that says "Skism Rythem Stack Virus-808."
          Reported by Richard Meyers and forwarded by Larry Dingethal
          (1:273/231).

DBSOUND   Possible isolated incident - claimed update of the Drum Blaster
          .MOD file player. Deletes all files in the current directory
          and all of its subdirectories. From "Khamsin #1 @9168*1",
          forwarded by HW Ken Whiton and HW Bill Dennison, from Ken
          Green of the CentraLink BBS.

DRSLEEP   Reported as a "cheap virii (sic)", but actually appears to be
          a Trojan: deletes your COMMAND.COM file when run. Reported by
          Matt Hargett (1:2430/1532).

GRAFIX    Possible isolated incident - contains the file WAIT.COM, which
          is a renamed copy of DELDIR.COM, a directory remover and file
          deletion tool. Reported by Andreas Reinicke (2:284/402).

LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
          reports as being infected with the VCL virus when checked with
          McAfee's ViruScan v95. Reported by Mike Wenthold (1:271/47).

MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
          key of your keyboard to invoke DEBUG and create a couple of
          Trojans from script files. Reported by Bill Dirks.

OPTIBBS   Aimed at RemoteAccess BBS systems - archives your USERS.BBS
          list and places it in your download directory. Reported by HW
          Nemrod Kedem.

QOUTES    Not a misspelling - claimed Christmas quotation generator.
          Overwrites the first 128 cylinders of your first HD, requiring
          a low level format to overcome the damage (IDE drives may need
          to go back to the factory). Reported by Gary Marden
          (2:258/27).

QSCAN20   Claimed small virus scanner - when run, identifies itself as
          "being a stealth bomber" and attacks your hard drive's FAT.
          Reported by Art Mason (1:229/15).

RA111TO2  Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
          the OPTIBBS file reported above. Reported by Peter Janssens
          (2:512/1).

RAFIX     "Fixes little bugs" in RemoteAccess - program contains the
          string "COMMAND /C FORMAT C:" internally. Reported by Sylvain
          Simard (1:242/158).

RAMANAGE  Claimed USERS.BBS manager for RemoteAccess - yet another file
          that makes an archive of this file (MIX1.ARJ or WISE.ARJ) and
          places it in a download directory. Reported by Peter Janssens.
          NOTE - Peter Hoek (2:281/506.15) reports a program that does
          the same thing, but uses the archive name RUNNING.ARJ to hold
          the USERS.BBS file. No name of the Trojan was supplied.

REAPER    ANSI bomb - remaps the keyboard to force file deletion and
          hard disk formatting - also generates insults. Reported by
          Victor Padron (1:3609/14), via Rich Veraa (1:135/907).

REDFOX    Batch file which deletes all DOS and system files. Reported by
          Mike Wenthold.

ROLEX     Possible isolated incident of an infection by the Keypress
          [Key] virus. Reported by David Gibbs, via Michael Toth
          (1:115/220).

SCOMP     Advertised as a compression utility. Passes scans unless you
          check data files - loads a file called SCOMP.DAT to create
          CASPER.COM, which is apparently the Casper virus. Reported by
          Terry Goodman (U'NI Net virus conference), via HW Bill
          Lambdin.

SBBSFIX   Tries to format drive C: - contains two files, SBBSFIX.EXE and
          COM_P.OVL. Reported by Clayton Mattatall (1:247/400).

SPEED     Claims to "check your PC speed" - actually deletes all files
          on drive C:, including directories. Reported by HW Nemrod
          Kedem.

TDRAW460  A "modified" copy of a legitimate release of TheDraw v4.60 -
          the archive had a ZIP Comment which contained an ANSI bomb,
          and an internal file called UFO!.COM would reformat your hard
          drive unconditionally. Reported by Matt Glosson, via Michael
          Toth (1:115/439.7).

XYPHR2    No claim - contains the Power Pump companion virus (documented
          in the 1992 Full Archive of this report). Reported by Mark
          Histed (1:268/332).

YPCBR101  A copy of this file, uploaded to Simtel-20 and the oak mirror
          on archie.au, contained an infection of the Dark Avenger virus
          in the file YAPCBR.EXE. Was supposed to be re-released as a
          clean archive. Reported by John Miezitis (Internet,
          John.Miezitis@cc.utas.edu.au).

=========================================================================

                      Pirated Commercial Software

  Program                 Archive    Reported By
                          Name(s)
  =======                 =========  ===========
  2400 A.D. (game)        2400AD     Kevin Brott (Internet,
                                     dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
  3-D Pool                3DPOOL     Michael Gibbs (via HW Bill Lambdin)
  4DOS v4.02 (reg.)       4DOS402R   HW Scott Raymond
                          4DOSREG
  Airball (game)          AIRBALL    Michael Gorse (1:101/346)
  Alone in the Dark       ALONEDEM   Mark Mistretta (1:102/1314)
  (full game-not a demo)
  ArcMaster (registered)  AM91REG    HW Scott Raymond
                          AM92REG
  Arctic Fox (game, by    AFOX       from the Meier/Morlan List,
  Electronic Arts)                   conf. by HW Emanuel Levy and
                                     Brendt Hess (1:105/362)
  ARJ Archiver            ARJ239RG   HW Scott Raymond
  (registered)            AJ241ECR
  Arkanoid II: Revenge    ARKNOID    James Crawford (1:202/1809)
  of DoH (game)
  Atomix (game)           ATOMIX_    HW Matt Kracht
  A-Train by Maxis        ATRAIN1    Chris Blackwell of Maxis
                          through    (zoinks@netcom.com)
                          ATRAIN6,
                          also
                          A-TRAIN1
                          through
                          A-TRAIN6
  BannerMania             BANMANIA   Harold Stein (1:107/236)
  Battle Chess            CHESS      Ron Mahan (1:123/61)
|                         BTLCHESS   Michael Wagoner (1:105/331)
  BeetleJuice (game)      BEETLE     Mark Harris (1:121/99)
                          BETLEJUC   Jason Robertson (1:250/802.2)
                          BJUICE     Alan Hess (1:261/1000)
                          BJ         Bill Blakely (RIME Shareware echo)
                          BTLJWC     the Hack Squad (1:124/4007)
  Big Bird (game?)        BIGBIRD    Cindy McVey, via Harold Stein
  Budokan: the Martial    BUDOKAN    Michael Gibbs (Intelec, via
  Spirit (game)                      HW Bill Lambdin)
  Caveman Ninja           CAVEMAN    Dave Lartique (1:3800/22),
                                     ver. by HW Emanuel Levy
  Check-It PC             CHECKIT    HW Bert Bredewoud
  Diagnostic Software     CHKIT20    HW Bill Lambdin
  Cisco Heat (game)       CISCO      Jason Robertson
  Commander Keen Pt. 5    _1KEEN5    Scott Wunsch (1:140/23.1701)
                          KEEN5E     Carson Hanrahan (CompuServe,
                                     71554,2652)
  {COMMO} v5.4            COMO54X    Allan Bowhill (1:343/555)
  CompuShow GIF Viewer    CSHW860B   HW Scott Raymond
  Copy II PC              COPYPC70   Ryan Park (1:283/420)
  Cyber Chess             C-CHESS    Shane Paul, RIME, via HW Richard
                                     Steiner
  Darkside (game)         DARKSIDE   Ralph Busch (1:153/9)
  Disk Copy Fast 4.0      DCF4UNT    HW Scott Raymond
| (registered)            DCF41AR
  DiskDupe Pro v4.03      DD403PRO   Jan Koopmans (2:512/163)
  Energizer Bunny Screen  ENERGIZR   Kurt Jacobson, PC Dynamics,
  Saver for Windows                  Inc., via HW Bill Dennison
  F-Prot Professional     FP206SF    Mikko Hypponen
                                     (mikko.hypponen@compart.fi)
  Family Feud (game)      FAM-FEUD   Harold Stein
  FAST! Disk Cache        FAST_1V4   Ryan Park (1:283/420), via
  v4.03.08                           HW Bill Lambdin
| FaxTalk (Thought        FAXTALK    Lyle Taylor (1:293/644),
| Communications)                    via Steve Fuqua
| FaxPlus (Thought        FAXPLUS    Lyle Taylor (1:293/644),
| Communications)                    via Steve Fuqua
  FaxPower                FAXPWR     Carson Hanrahan (CompuServe,
                                     71544,2652)
| Freddy Pharkas,         FREDDY-1   HW Bob Seaborn
| Frontier Pharmacist     FREDDY-2
|                         FREDDY-3
|                         FREDDY-4
|                         FREDDY-5
|                         FREDDY-6
  GEcho Mail Tosser       GE_1000K   HW Scott Raymond
                          GE_100CK
  GifLite 2.0 (regist.)   GL2-ECR    HW Scott Raymond
  Gods (game)             GODS       Ron Woods (1:134/144)
  Golden Axe (game)       GOLDAXE    Harold Stein
  GSZ Protocol Driver     GSZ0503R   HW Scott Raymond
  (registered)            GSZ0529R
  Home Lawyer             HOMELAWY   Kim Miller (1:103/700)
                          HMLAWYER   Harvey Woien (1:102/752)
| Hoyle's Classic Games   HOYLECL1   HW Bob Seaborn
|                         HOYLECL2
|                         HOYLECL3
|                         HOYLECL4
  HS/Link Protocol        HS121R     Don Becker (Internet,
  v1.21 (registered)                 grendel@jaflrn.linet.org)
                          HS121REG   HW Scott Raymond
  HyperWare Speedkit      SPKT460R   HW Scott Raymond
  v4.60 (registered)
  Ian Bothams Cricket     IBCTDT     Vince Sorensen (1:140/121)
  Intelcom Modem Test     TESTCOM    from the Meier/Morlan List,
  Utility (dist. with                confirmed by Onno Tesink
  Intel modems)                      (RIME, via HW Richard Steiner)
|                         INTELCOM   HW Jason Robertson
| Intermail Mailer        IM221U     HW Scott Raymond
| (registered)            IM22FIX
  Jetsons (game)          JETSONS    Kevin Brott (Internet,
                                     dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
  Jill of the Jungle      JILL2      Harold Stein
  (non-shareware files)   JILL3
                          $JILL2     HW Bert Bredewoud
                          $JILL3
  Killing Cloud (game)    CLOUD      Mike Wenthold
  Kings of the Beach      VBALL      Jason Robertson
  (game)
  Landmark System         SPEED330   Larry Dingethal (1:273/242)
  Speed Test              SPEED600   Joe Morlan (1:125/28)
  Life & Death (game)     L&D1       Harold Stein
                          L&D2
  List Enhanced           LIST8      Richard Dale (1:280/333)
                          LISTE18D   HW Scott Raymond
  MegaMan (game)          MEGAMAN    HW Emanuel Levy
  Microsoft Flight        FS         Michael Gibbs (Intelec, via
  Simulator                          HW Bill Lambdin)
|                         FS50TDT1   HW Bob Seaborn
|                         FS50TDT2
| Microsoft Mouse Driver  MOUSE901   Alex Morelli (CompuServe,
|                                    75050,2130)
  Microsoft Ramdrive      RAMDRIVE   Barry Martin (Intelec, via
                                     HW Bill Lambdin)
  MS-DOS 6.0              MSDOS6-1   Harold Stein
                          MSDOS6-2
                          MSDOS6-3
  Oh No, More Lemmings    ONMLEMM    Larry Dingethal (1:273/231)
  (complete-not demo)
  Over the Net            OTNINC1    Tim Sitzler (1:206/2708)
  (volleyball game)
  PGA Tour Golf           GOLF       HW Bill Lambdin
  PKLite (registered)     PKL15REG   HW Scott Raymond
  PKZip v2.04c            PK204REG   HW Scott Raymond
  (Registered)
  PKZip v2.04c            PKZCFG     Mark Mistretta (1:102/1314)
  Configuration Editor
  PKZip v2.04e            PK204ERG   HW Scott Raymond
  (Registered)
  PKZip v2.04g            PKZ204R    HW Bill Dennison
  (Registered)            PKZ204GR   HW Jason Robertson
  Populous (game)         POPULOUS   Harold Stein
  The Price is Right      PRICE      Harold Stein
  (game)
  Prince of Persia        PRINCE     Kenneth Darling (2:231/98.67)
                                     Eric Alexander (1:3613/10)
                                     HW Emanuel Levy
                          PRINCE2A   Todd Crawford (1:3616/40),
                          PRINCE2B   via HW Jeff White
                          PRINCE2C
  PrintShop               PSHOP      Michael Gibbs, Intelec, via
                                     HW Bill Lambdin
  Psion Chess             3D-CHESS   Matt Farrenkopf (1:105/376)
  Pyro! PC                DOSPYRO    Jay Kendall (1:141/338), via
  (Fifth Generation)                 HW Scott Raymond
  Q387 (registered)       Q387UTG    Michael Toth (1:115/439.7)
  QModem Pro              QMPRO-1    Mark Mistretta
                          QMPRO-2
  QuickLink II Fax v2.0.2 QLINK1     Carson Hanrahan (CompuServe,
                          QLINK2     71554,2652)
  Rack 'Em (game)         RACKEM     Ruth Lee (1:106/5352)
  Rawcopy PC              RAWCOPY    HW Chris Wise
  Sequencer Plus Pro      SPPRO      Tom Dunavold (Intelec, via
                                     Larry Dingethal)
  Shadow Warriors (game)  SHADOWG    Mark Mistretta
  Sharky's 3D Pool        POOL       Jason Robertson (1:250/801)
  Shez (Registered)       SHEZ84R    Eric Vanebrick (2:291/712)
                          SHEZ85R    HW Scott Raymond
                          SHEZ87R
                          SHEZ88R
                          SHEZ89R
|                         SHEZ91R
  SideKick 2.0            SK3        Harold Stein
  SimCity (by Maxis)*     SIMCITY1   Peter Kirn, WildNet Shareware
                          SIMCITY2   conf., via HW Ken Whiton
                          SIMCITY3
                          SIM_CITY   Kevin Brott (Internet,
                                     dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW   Scott Wunsch
  Smartdrive Disk Cache   SMARTDRV   Barry Martin (Intelec, via
                                     HW Bill Lambdin)
                          SMTDRV40   Michael Toth (1:115/220)
  Spidey (game)           SPIDEY     Brian Henry (ILink, via
                                     HW Richard Steiner)
                          SPIDRMAN   Alan Hess (address unknown)
  Squish 2.1              SQUISH     Jason Robertson (1:250/802.2)
  (Sundog Software)       SQUISH21   Several (ver. by Joe Morlan)
  Star Control Vol. 4     STARCON    Carson M. Hanrahan (CompuServe
                                     71554,2652)
  Streets on a Disk       STREETS    Harvey Woien
| SuperZModem             SZMO200    HW Jason Robertson
| (registered)
  Teledisk (files         TDISK214   Mark Mistretta
  dated after Apr. 1991)  TELE214R   Staale Fagerland (Internet,
                                     staale.fagerland@euronetis.no)
  Telemate                TM411REG   HW Scott Raymond
  TheDraw v4.61 (reg.)    TDRW461R   HW Scott Raymond
  Vegas Casino 2 (game)   VEGAS2     The Hack Squad
  VOpt Disk Defragmenter  VOPT30     The Hack Squad
  VPic v6.0 (registered)  VPIC60CR   HW Scott Raymond
  Wheel of Fortune        WHEEL      Harold Stein
  Where in the USA is     CARMEN     Carson Hanrahan
  Carmen Sandiego?        CARMENUS   Cindy McVey, via Harold Stein
  Where in Time is        CARMENT    Cindy McVey, via Harold Stein
  Carmen Sandiego?
  WinWay Resume for       WINRES     Erez Carmel (CompuServe,
  Windows                            70523,2574)
  World Class Rugby       WCRFNTDT   Vince Sorensen
  ZipMaster (registered)  ZM31REG    HW Scott Raymond

* - Peter Kirn's report on SimCity indicated that Maxis has in fact
released a demo of SimCity onto ZiffNet which limits play to 5 minutes.
This is not the same file as he reported, however - the ones he found
are indeed pirate copies.

=========================================================================

                     ?????Questionable Programs?????

This section of The Hack Report is for the "misfits" - in other words,
files that are hacks, hoaxes, Trojans, or pirated, but either do not
quite fit into one of the main sections of the report or require more
explanation than the format of the appropriate section allows. The extra
material presented here is usually included for a good reason, so please
take the time to read at least the new entries quite carefully. Also, if
you have any input on any of the listed files, do not hesitate to send
it in to your Hack Squad.

Quite a few folks questioned a release of Vern Buerg's LIST calling
itself v7.8a. This one actually came down one of the file distribution
networks, if memory serves. However, in response to these inquiries,
your Hack Squad called up The Motherboard BBS, Mr. Buerg's home system.
On that system was posted the following bulletin:

     ================================
     === July 15: LIST78A.ZIP is bogus ===============================
     ================================

     A beta test version of LIST 7.8a was uploaded to other systems by
     mistake. It is not an official version, and it has bugs, e.g. the
     mouse doesn't work. A new version will be released next week.
     Those waiting for registered copies will be sent theirs first,
     then it will be posted on VOR and CIS. The manual was dramatically
     updated and is now 54 pages with full color cover. We'll have some
     on the shelves at the store next week.
So, this definitely qualifies as a "misfit" - it isn't a hack, hoax, or
Trojan - it's an accident.

Robert Jung's ARJ archiver has had a new release in non-beta form. The
legitimate file can be identified by an ARJ-SECURED envelope. However,
making equally big news (unfortunately) were several sightings of
pirated versions of the registered v2.41 file. These were most often
seen as a ZIP file (?) with the following internal files:

  Length  Method   Size  Ratio   Date    Time   CRC-32    Name
  ------  ------   ----  -----   ----    ----   ------    ----
    1436  DeflatX    614  58%  06-09-93  16:05  23af995c  README
  223594  DeflatX 222850   1%  06-04-93  09:19  fe351d41  ARJ241.EXE
  127882  Stored  127882   0%  06-04-93  09:27  54fdf489  ARJUTIL.ARJ
   55301  DeflatX  54641   2%  06-04-93  09:18  6d4e75fe  UNARJ241.EXE
  244816  Stored  244816   0%  06-10-93  09:23  0abdb4be  ARJHLP24.ARJ
  ------          ------  ---                             -------
  653029          650803   1%                                   5

The giveaway here is the ARJUTIL.ARJ file - this contains programs that
are only available to registered users. This causes a problem as far as
listing this in the .col/.idx files is concerned: the person who
distributed the pirated version used the same filename as the real
thing. The only way you're going to be able to tell the pirated version
from the legitimate one will be to look inside your copy of the archive.
If you see either the ARJUTIL.ARJ file inside, or the files ARJR.EXE or
DEARJ.EXE, then you have the pirated copy. Please delete it. (Note -
version 2.41 has been superseded - please see the Hacked Files section
of this report for the latest version as of this writing.)

Dotti Rosier (1:114/107) found a message on a local BBS system that
might be worth reading. The text read as follows:

     WARNING: Nobody download PHACS1.EXE and NETWORK1.EXE..They have
     the Yankee Doodle virus that is only detectable by SCANV99....
     please clean these two exe files IMMEDIATELY and in case you have
     run them already, there might be some other files that are
     infected. CLEAN99 will clean them just fine. Sorry for the
     inconvenience but I recently found out that my HD was infected and
     therefore, every file that I compile is infected. Thank you for
     your patience.

I can only assume that these were self extracting archives - no
descriptions of the files were available.

Steve Winter (1:153/7070) reported on a file called SUB1_V21. This
claimed to be a program called SUB, a directory list utility. Steve
checked out the file prior to running the install program and found no
anomalies. However, once installed, he says he began to get conflicting
directory reads, disk full errors, and problems booting. Somehow, his
boot record had been damaged. According to his testing, the file passes
scans with F-Prot v2.08a and does not alert McAfee's VShield v104. He
says the archive contains two files - INSTALL.EXE and SUB.SPZ, which
contains the executable. INSTALL creates a subdirectory and extracts
files from the SUB.SPZ file. Steve says he is attempting to get another
copy for testing. Until that time, I can't say for sure if he was the
victim of a system glitch, buggy software, or a true Trojan. If anyone
out there has this file, please contact your local HackWatcher or myself
so that we can arrange for testing.

Mark Harris (1:121/26.1) found a pair of archives called DEATH_1 and
DEATH_2 on a local system. The files were described as a new Apogee game
called Deathbringer. The archives contained no documentation, and all
program files were dated 1990 or 1991. When run, the game displayed the
name "Deathbringer," but gave no company or copyright information. Scans
by McAfee's ViruScan and Frisk's F-Prot proved negative. Mark has
provided additional information that adds to the suspicion that this is
a pirated file.
The program begins with the following screen:

     Empire, in association with ODE and The Mystery Machine, presents

                          -=*=- DEATHBRINGER -=*=-

     Select Vidoe Mode:
        1) VGA 16 color
        2) EGA 16 color
        3) Tandy 4 color
        4) CGA 4 color
        5) Tandy 16 color

     Roland, Adlib and Tandy music supported
     (Playing now, if found, M to toggle on/off)
     J to select Joystick, K for keyboard
     = to speed up, - to slow down game (fast PCs)

     THOSE WHO LABOURED:
     John Wood...................Atari ST, Commodore Amiga, Design
     Kevin Ayre.....................................IBM PC, Design
     Colin Swinbourne.....................................Graphics
     Richard Yapp...................................Levels, Design
     Sound Images............................................Music

     Deathbringer, Karn and all Deathbringer Characters and the
     distinctive likenesses thereof are Trademarks of Abaddon Duke of
     Hell Group Inc.

Mark goes on to say:

     There was no documentation in the archive (which I will continue
     to hold on to, in case you need it for any reason) giving any
     playing instructions, no shareware notice or registration request,
     nothing whatsoever to indicate the origin of this program except
     for the above. That's what prompted me to write in the first
     place; it looks to me (especially considering the quality of the
     graphics,) like this is a commercial program with as much of the
     copyright and identifying screens hacked out of it as possible. As
     an Apogee Tech Support Specialist, I can personally verify that
     this is not a product of Apogee.

Mark's opinion is that this is a hack of a commercial game: I tend to
agree. Jim Wells (1:2613/261) forwarded the file contents, along with
some other information still being looked into: he feels that this is a
"hacked" version of the official release, whether shareware or
commercial. Rick McBride (1:363/178) says it is indeed commercial, as he
saw it on a CD-ROM about a year ago.
However, he does not remember the publisher's name (possibly Psygnosis,
he says) - only that it is an arcade-style D&D game. This is still being
researched. In the meantime, I would appreciate any information that a
user of the possible commercial version could forward - please help your
Hack Squad verify this one.

Chuck Cypert (1:124/2113) reported in the FidoNet VIRUS_INFO echo that
the SysOp of the CompUSA BBS in Carrollton, TX had a problem with a file
called UNIXHAC. The SysOp reports that this file formatted his hard
drive. No further details were available, as the SysOp had already
deleted the file. If someone has a copy of this, again, please contact
one of The HackWatchers or myself.

| Harvey Woien (1:102/752) forwarded a report from a user of The
| Motherboard (Vern Buerg's BBS), Ted R. Marcus, about a version of the
| Microsoft Mouse Driver claiming to be version 9.0. It also appears that
| this file came down a file distribution network under the filename
| MSMAUS90, possibly originating in Germany. Your Hack Squad has found a
| copy of the same archive Ted reported on, and confirms some of his
| observations on the file (MOUSE900), quoted here:
|
|    1. Microsoft Diagnostics and InfoPlus report this "9.00" driver as
|       version 8.00. The latest "official" version of which I am aware
|       is 8.20a.
|
|    2. The "new" driver is significantly smaller than version 8.20a.
|
|    3. The "new" driver supports the undocumented /U switch (which
|       loads much of the driver into the HMA). Version 8.0 and 8.1
|       supported this feature, but Microsoft removed it from version
|       8.2 (shipped with DOS 6.0). The support for the /U switch
|       suggests that the driver is, in fact, version 8.0.
|
|    4. Examining the MOUSE.COM driver file reveals one instance where
|       the version number (repeated in the initialization message for
|       each language the driver supports) is "9.40". That indicates
|       either uncharacteristic sloppiness on the part of Microsoft --
|       or, more likely, sloppiness on the part of a hacker.
|
| More information on MOUSE900 comes from Jeffery Bradley (1:3635/35). He
| informed the folks here at Hack Central Station that there is indeed a
| legitimate v9.0 of the Microsoft Mouse Driver. However, after talking
| with Microsoft, he did confirm that this should not be distributed via
| BBS systems: it is commercial only, as previously reported.

Yet another file that doesn't fit into any of the report categories: a
report from Wen-Chung Wu (1:102/342) concerns the archive PKLT120R,
which claims to be version 1.20 of PKLite. This is actually PKLite
Professional v1.12, a commercial product, which has been hacked to show
version 1.20 instead of 1.12. To make matters worse, the PKLITE.EXE file
was compressed "by PKLITE itself more than three times and once by
LZEXE." So, what we have here is a hack of a pirated commercial file -
jeez, this job gets confusing at times. ;-)

Here's an update on the report from Bud Webster (1:264/165.7) on the
Apogee game being distributed under the filename BLOCK5.ZIP. As reported
by Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and
Dan Stratton (via HW Ken Whiton), this program was part of an Apogee
disk called the "Super Game Pack," and it is a game called "Block Five."
Joe Siegler (1:124/9006), the online support representative for Apogee
Software Productions, confirms this, and states that the majority of the
games on this disk, including this one, have been officially
discontinued. The official company stand is that this game should not be
distributed via BBS systems, as it is no longer supported in any way by
Apogee Software Productions. Thanks to everyone who helped on this one.

HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
called BIBLEPR (no description available) that appears a bit suspicious.
The file contents are:

     Length   Time    CRC-32   Attr  Name
     ------   ----    ------   ----  ----
      34176  11:26  d267f5de  --w-  BIBLEPR.COM
     158493  00:04  4298ac2d  --w-  DATAPR-0.DAT
     158493  00:04  d87adf4b  --w-  DATAPR-1.DAT
     158493  00:08  1213c6b3  --w-  DATAPR-2.DAT
     159764  00:08  38d7cc06  --w-  DATAPR-3.DAT
       1572  24:05  3a60c80e  --w-  BIBLEPR.DOC
     ------                          -------
     670991                                6

When BIBLEPR.COM executes, Bill says it displays the following message:

     Greets from DOA! Don't say I didn't warn you!
     You are also busted! Expect a visit from the SPA!
     Omni, I will avenge you!

Bill's disassembly shows the file contains two INT 26 calls, which are
DOS Absolute Disk Write instructions. He said that if it contains a
virus, he was unable to get it to replicate. A copy of the archive has
been sent to Glenn Jordan at Datawatch Software for testing.

Here's an interesting point, brought to my attention by HW Richard
Steiner and John Weiss of the RIME Shareware Conference. In previous
issues, I have listed two files, QM60IST1 and QM60IST2 (reported by
Francois Thunus, 2:270/25), as pirated copies of QModem v6.0. However,
Richard and John quite correctly point out that there was no release of
QModem v6.0 - the program changed to QModem Pro after v5.

| This file, or a variant, has also been spotted by Jerry Van Laer of
| 2:292/805.7, under the name QM60D1-2 and QM60D2-2. In this case, an
| internal "brag" screen stated the program was QmodemPro 1.0.

From what Francois reported, I believe that what he saw was indeed
Qmodem Pro, now a commercial-only program. However, it was "released"
under the above filenames. So, is it a Hack? Pirated File? Or what?
Doesn't matter - it shouldn't be distributed. Thanks, Richard and John,
for making me fully engage my brain for a change. <grin>

HW Bill Dennison captured a message from Marshall Dudley (Data World
BBS, (615)966-3574) in the ILink VIRUS FILE conference about the archive
ASCDEMO.
Marshall says that McAfee's ViruScan doesn't detect any infection until
after you run it and it has infected other files. No further information
was supplied, other than the internal filenames (ASCDEMO.DOC and
ASCDEMO.EXE). I need further data on this before I can list it in the
Trojan Wars section, so please advise if you have any.

HW Emanuel Levy followed up on the file IM, reported by Michael Santos
in the Intelec Net Chat conference and listed in the 1992 Full Archive
edition of The Hack Report. Michael's report was a "hearsay" report from
one of his friends, and stated that the IM screen saver file caused a
viral infection. Emanuel says the file is an "outer space screen saver,"
currently under the filename IM17. Scott Wunsch (1:140/23.1701) says the
program name is "Inner Mission," and he currently has version 1.6. In
both cases, the files were clean. So, it looks like either Michael's
friend's system became infected from a different source than the IM
file, or that an isolated incident of an infected IM is involved. No way
to tell at this writing.

Long time readers of this report will remember a question concerning the
status of a screen saver called TUNNEL. Ove Lorentzon (2:203/403.6) and
Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
Steiner) both stated that the program was an internal IBM test program
and was not intended for outside distribution. Your Hack Squad has
received word from the author of the program, Dan Butterfield (Internet,
danielb@vnet.ibm.com), that as far as he is aware, the program has never
been released to the general public. According to Dan, "it is still
owned by IBM, and as such has been given the IBM security classification
'IBM Internal Use Only' which means what it says: the program is not for
distribution to non-IBM employees." Dan also says that several other
"Internal Use Only" programs have been "leaked" to the outside world,
which implies that these files should not be posted for download.
One such program was originally called Dazzle (NOT to be confused with
the other popular DAZZLE screensaver), but has entered BBS distribution
under the filename O-MY-GOD (also seen as OMG, per Michael Burkhart
(RIME address CENTER, via HW Richard Steiner)). However, note that the
O-MY-GOD/OMG file was hacked, according to Dan, so that all of the
"Internal Use Only" references were removed.

Another is a program that is usually included inside other archives: the
program name is PLAYANI. Dan says this has been distributed "along with
various animations," and also falls under the same Internal
classification. A prime example of this is an archive called BALLS (not
what you think). This is an animation of multiple chrome spheres
rotating around each other above a red and white checkerboard platform.
In this case, both the player (PLAYANI) _and_ the animation are the
property of IBM and are not intended for BBS distribution.

Again, to quote Dan, "None of these programs are for external
distribution; all are owned by IBM and are only for use inside IBM by
IBM employees." Thanks to Dan for all of his help.

Donn Bly has cleared up the question on the status of the Sydex program
TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
Donn was kind enough to mail a copy of a letter sent to him by Sydex
explaining that Teledisk is no longer shareware. Here is an excerpt from
the letter:

     "Effective April 1991, TeleDisk is no longer a shareware product.
     After long consideration, we decided to discontinue our offering
     of the shareware edition of TeleDisk, and license it only as a
     commercial product.

     "Commercial licenses of TeleDisk are available from Sydex at $150
     a copy. All shareware distributors and BBS sysops who take time to
     check their sources are requested to remove TeleDisk from
     shareware distribution."

The letter is signed by Miriam St. Clair for Sydex.
To summarize, Sydex is no longer accepting shareware registrations for
TeleDisk, and asks that it not be made available for download from BBS
systems. Thanks to Donn for his help in this matter.

HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
Barnes of Mustang Software, Inc., about a "patch" program aimed at
OffLine Xpress (OLX) v1.0. The patch is supposed to allow OLX to read
and reply to Blue Wave packets, along with a lot of other seemingly
unbelievable feats. Gwen Barnes did not seem to know of the patch, but
published the following advice in the WildNet SLMROLX conference to
anyone considering trying it:

     1. Make a complete backup of your system.
     2. Make sure you've got all the latest SCAN stuff from McAfee
     3. Try it, keeping in mind that it more than likely does nothing
        at all, or is a trojan that will hose your system.
     4. Get ready to re-format and restore from backups if this is in
        fact the case.

No filename was given for this patch. If anyone runs across a copy of
it, please contact one of The HackWatchers or myself so that we can
forward a copy to MSI for testing.

HW Bill Lambdin reports that someone has taken all of McAfee Associates'
antiviral programs and combined them into one gigantic (over 700k)
archive. He did not say whether the files had been tampered with, but he
did send a copy to McAfee for them to dissect. The file was posted under
the filename MCAFEE99. I would not suggest downloading this file: as a
matter of fact, this reporter prefers to call McAfee's BBS directly when
a new version of any of their utilities comes out. I highly recommend
this method, since it ensures that you will receive an official copy.

HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG echo
about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu also
says that there is a warning about these in circulation. If you have a
copy of this warning, please send a copy to Hack Central Station
(1:124/4007).
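Three of the manual checks described earlier in this issue - pulling the
command strings out of PASSWORD.COM the way Brian did, matching Bill
Dirks' scan string for the GAGS Trojan, and looking inside an ARJ 2.41
archive for the registered-only files that give a pirated copy away -
can be done with one small script. The Python program below is an added
example; it is not code from The Hack Report, from any scanner, or from
any of the files named in this issue. The list of destructive command
patterns, the "??" wildcard syntax for scan strings, and every sample
byte string and archive in it are constructed for the illustration.

```python
"""Upload triage helpers (added example, not code from The Hack Report):
  1. printable-string extraction with destructive-command flags,
  2. hex scan-string matching,
  3. a check for registered-only files inside a ZIP archive.
All sample data below is constructed inline for the example."""
import io
import re
import zipfile

# --- 1. strings + destructive command heuristics ------------------------
# Constructed heuristic list, not a complete scanner: DOS commands that
# have no business inside a "password utility" or a game.
DESTRUCTIVE = [
    (re.compile(r"\bFORMAT\s+[A-Z]:", re.I), "formats a drive"),
    (re.compile(r"\bDEL(ETE)?\s+\S*\*\.\*", re.I), "wildcard delete"),
    (re.compile(r"\bDEBUG\b", re.I), "invokes DEBUG"),
    (re.compile(r"\bREN(AME)?\s+\S+\s+\S+\.(EXE|COM)\b", re.I),
     "renames a file to an executable"),
]

def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in rx.finditer(data)]

def flag_destructive(strings):
    """(string, reason) for each extracted string matching a pattern."""
    hits = []
    for s in strings:
        for rx, why in DESTRUCTIVE:
            if rx.search(s):
                hits.append((s, why))
                break
    return hits

# --- 2. hex scan strings ------------------------------------------------
SIGNATURES = {
    # Bill Dirks' string from the GAGS report above; the trailing CD 26
    # is INT 26h, the DOS absolute disk write.
    "AlamoXmasTrojan": "9A46027205B003B9FF00BA0000CD26",
}

def compile_signature(hexstr):
    """Hex pairs to a bytes regex. A '??' pair (an assumed wildcard
    syntax, not tied to any particular scanner) matches any one byte."""
    hexstr = hexstr.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("odd-length scan string")
    pairs = [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]
    body = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                    for p in pairs)
    return re.compile(body, re.DOTALL)

def scan_signatures(data, signatures=SIGNATURES):
    """[(name, offset)] for every signature occurrence in data."""
    return [(name, m.start())
            for name, hexstr in signatures.items()
            for m in compile_signature(hexstr).finditer(data)]

# --- 3. registered-only files inside an archive --------------------------
# Member names that, per the ARJ 2.41 report above, only a registered
# copy should contain.
GIVEAWAYS = {"ARJ 2.41": {"ARJUTIL.ARJ", "ARJR.EXE", "DEARJ.EXE"}}

def giveaway_files(zip_bytes, giveaways=GIVEAWAYS):
    """{package: [member names that should not be in a public release]}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {zi.filename.rsplit("/", 1)[-1].upper() for zi in zf.infolist()}
    return {pkg: sorted(names & markers) for pkg, markers in giveaways.items()
            if names & markers}

# --- constructed samples ---------------------------------------------------
# Modelled on the PASSWORD.COM strings; junk bytes between them.
SAMPLE_COM = (b"\xeb\x3c\x90\x00"
              + b"Turn Off Screen now, and press the space bar.\x00"
              + b"/C REN pass.pa1 pa.exe\x00/C DEL c:\\*.*\x00"
              + b"/C DEL c:\\dos\\*.*\x00\x01\x02FORMAT c:\x00/C CLS\x00")
# Filler with the GAGS scan string embedded at offset 64.
SAMPLE_GAGS = (b"\x90" * 64 + bytes.fromhex(SIGNATURES["AlamoXmasTrojan"])
               + b"\xcc" * 8)

def build_zip(names):
    """In-memory ZIP with placeholder contents, for the examples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "constructed placeholder for " + n)
    return buf.getvalue()

SAMPLE_PIRATED_ZIP = build_zip(["README", "ARJ241.EXE", "ARJUTIL.ARJ", "UNARJ241.EXE"])
SAMPLE_CLEAN_ZIP = build_zip(["README", "ARJ241.EXE", "UNARJ241.EXE"])

if __name__ == "__main__":
    print(flag_destructive(extract_strings(SAMPLE_COM)))
    print(scan_signatures(SAMPLE_GAGS))
    print(giveaway_files(SAMPLE_PIRATED_ZIP), giveaway_files(SAMPLE_CLEAN_ZIP))
```

None of the three checks proves a file is clean: the string heuristics
miss a payload that builds its commands at run time, a scan string only
finds the one Trojan it was written for, and the archive check only
knows the giveaway names listed in this issue. What they do give a
sysop is a repeatable first pass over an upload before anything in it
is run.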
=========================================================================

                           Information, Please

This is the section of The Hack Report where your Hack Squad asks for
_your_ help. Several reports come in every week, and there aren't enough
hours in the day (or fingers for the keyboards) to verify them all. Only
with help from all of you can The Hack Report stay on top of all of the
weirdness going on out there in BBSLand. So, if you have any leads on
any of the files shown below, please send them in: operators are
standing by.

| Chuck Hammock (1:392/20) reported in the FidoNet DIRTY_DOZEN echo that
| one of his users uploaded a file called PASTUT24. The user warned Chuck
| that this file was infected with the Kamikazee virus. I was unable to
| get further information on this, so Chuck, if you are reading this (or
| if anyone else can confirm this), please send me some NetMail on your
| results.

| Russell Wagner reported a problem with a copy of VMIX222. This
| shareware multitasker is currently at v2.87. Russell claims to have
| found a possible isolated incident of a Trojan version of the program.
| He wound up scrambling the FAT on his C: drive when he ran the program,
| and was able to reproduce the damage in subsequent tests. He only ran
| the program on one system, however, so it is not clear as to whether he
| has found a true Trojan claiming to be the real VMiX, a corrupted copy
| of the file, or whether he has some sort of hardware incompatibility.
| If anyone else has run into a problem with v2.22 of this program,
| please advise.

Robert Rothenburg (Internet robert.rothenburg@asb.com) received a file
called JAMMER that he says is very suspicious. The archive had a file
with the name JAMMER.EXE and a description that said something to the
effect of, "run this first and your calls won't be traced."
He looked through the executable and found the name "Nmodem Jammer 2.8", along with "some other claims about adjusting the modem configuration" and "some nasty insults to a couple of people." Virus scanners showed nothing, so he looked at the interrupts. He says it "looks like it installs a TSR of sorts and does some disk writes." He concludes that the file possibly "installs a virus or just damages certain files, though I suspect it will go after the comm program, as a message says when it ends to 'run your communications program now!'". I am attempting to get a copy of this from Robert for further testing - please be on the lookout for a copy, and notify your local HackWatcher or myself if you see it.

Jim Tinlin (1:206/2604) brought into question a file called CRAPS, which looks like a shareware Craps game for Windows. However, a line inside the internal README.TXT file reads as follows:

"As a licensed owner, please do not distribute this copy to others"

To further confuse matters, the game displays an opening screen that states it is indeed shareware and should be distributed. The file contents are as follows:

CRAPS    EXE   264007  05-13-93   9:05aC
CRAPS    HLP    40043  04-12-93   7:16aC
README   TXT     5322  04-12-93   7:02aR
     5 file(s)  309372 bytes

This is another one that makes us scratch our heads here at Hack Central Station. Any information would be appreciated.

HW Bob Seaborn forwarded a message from Kevin Haverstock (via Tom Scott, 1:140/47) about a file called TCM_V511. This was described as "The Configuration Manager," a system configuration utility. Kevin's report said that once you finish running the setup, your computer reboots and you get a prompt that "scrolls your screen and locks up your system." He was unable to access his hard drive after booting from a system disk - a reformat was required. I am familiar with a legitimate shareware program called The Configuration Manager, but not under version number 5.11, nor under the above filename.
I can't be sure if Kevin's problems were the result of a hardware error, user error, or an isolated incident of a tampered archive. If anyone has any information on what could have caused this, please enlighten me.

Harold Stein (1:107/236) found a file called STETRIS, claiming to be a Super Tetris game. He says that there was a shareware version of this that was released about a year ago, but has since been renamed due to a conflict with a commercial game of the same name. He is not sure whether or not he found the old shareware file or a pirated copy of the commercial file. The archive (in .zip format, presumably using v2.04g) was 55,318 bytes long, and the archive date had been "touched" by the BBS it was uploaded to, forcing it to March 23, 1993 (Editorial: this renders filedates rather useless, IMHO. -lj)

Based on further information from Jeff Hancock (1:3600/7), it seems now that Harold may have either an older shareware version, an incomplete archive, or a different program altogether. Jeff's copy of the shareware version was only 47,480 bytes (compressed with ARJ). He has seen the commercial game, and says it is "MUCH larger". With this information, I consider the matter closed. Thanks to Jeff for his help.

Peter Hempel (1:229/15) posted a message in the FidoNet Echo VIRUS about the file BREAKIT!, which was described as follows:

BREAKIT!.ZIP    6714  03-29-93  (CRS) A Gw-Basic Code And Cipher Program Allowing You To Enter Ascii Characters, To Save Them, And To Encode And Decode.

Peter claims that this program erased his root directory, but says he was able to recover everything by booting from a write-protected system disk and using the Norton Utilities UNERASE command.
The archive contents are as follows:

Name         Original Method   Packed  CR%  Date     Time     CRC
============ ======== ======== ======== === ======== ======== ========
BREAKIT!.BAS     4453 Implode      2604  58  1-24-93 11:25:24 42CA0CE4
CODEFILE.FIL     1240 Implode       550  44  3-28-92 10:52:44 B6ADEB20
PRINTME.BAT        31 Stored         31 100  1-24-93 11:54:12 965CF8AE
VIEW.COM          958 Implode       876  91  3-19-92 19:11:46 47C5E5EF
README.BAT         30 Stored         30 100  1-24-93 11:52:32 95294A43
BRK.BAT            40 Stored         40 100  1-24-93 11:53:32 FC9F3B2E
BREAKIT!.DOC     2679 Implode      1440  54  1-24-93 11:56:06 EC302AFA
============ ======== ======== ======== === ======== ======== ========
       7         9431 ZIP          5571  59  1-24-93 11:56:06

He did not say which file did the damage. I do not know if this is a Trojan or an infected file - in either case, it may well be an isolated incident. Test results would be greatly appreciated.

Lowell Shatraw (1:315/6) states that there may be two pirated commercial fax programs floating around under the filenames FAX and PC_FAX. The archives he reported on were in ARJ format and were 447,693 and 101,089 bytes long, respectively. The file dates were Dec. 4, 1992, and May 26, 1992 - no way to tell if the BBS "touched" the filedates. Lowell is also not sure which commercial products these may be. If you happen to run across one or both of these, please look inside them - if they are commercial, please let me know (after you delete your copies, of course! <g>).

A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13) states that he had a user upload a file called TAG-NFO, which turned out to be a Trojan. No details about the Trojan were given, so any confirmation of this would be appreciated.

HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus Conference about two files. The archives, called PHOTON and NUKE, are possibly droppers, containing a file called NUKE.COM which "will trash your HD."
Pat Finnerty (1:3627/107) sent a reply to the last report of this, stating that he has a copy of a PC Magazine utility called NUKE.COM, which is used to remove subdirectories which contain "nested subs, hidden, read-only (you name it)." He says that the command NUKE C:\ will effectively delete everything on a hard drive, with no chance of repair. This is merely the way the program is designed. I do not know if this is what happened in Mario's case, or if Mario actually found a copy (read: isolated incident) which was infected. Bill has asked Mario for further information, and I would like to echo his call for help. If you know of this, please lend a hand.

Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named Rich Bongiovanni. Rich reports that there is a file floating around called DEMON WARS (archive name DMNWAR52) that is "infected with a virus." If true, this may be an isolated incident. I would appreciate confirmation on this.

Greg Walters (1:270/612) reports a possible isolated incident of a problem with #1KEEN7. When he ran the installation, he began seeing on his monitor "what looked like an X-rated GIF." The file apparently scanned clean. Any information on similar sightings would be appreciated.

A report from Todd Clayton (1:259/210) concerns a program called ROBO.EXE, which he says apparently claims to "make RoboBoard run 300% faster." He says he has heard that the program fools around with your File Allocation Table. I have not heard any other reports of this, so I would appreciate some confirmation from someone else who has seen similar reports.

Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a possible hack of FEBBS called F192HACK. I have not seen this file, nor has the author of FEBBS, Patrik Sjoberg (2:205/208).
He forwards the file sizes in the archive, reported here:

Name           Length  Mod Date  Time     CRC
============ ======== ========= ======== ========
FEBBS.EXE      220841 09 Mar 92 21:17:00 96D2E08D
014734.TXT       1403 26 Aug 92 01:59:18 3B9F717F
============ ======== ========= ======== ========
*total 2       222244 26 Aug 92 01:59:24

Kelvin says the .TXT file is just an advert for a BBS, so it is "not relevant!". As I said, the author of FEBBS has never seen this file, so I've asked Kelvin to forward a copy of it to him.

Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley, the author of Maximus, says he did not write any programs that have these names, but he does not know whether or not they are legitimate third party utilities. I have requested further information from Andrew on this topic, and would appreciate anyone else's information, if they have any.

Yet another short warning comes from David Bell (1:280/315), posted in the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is that it is a Trojan, and that he got his information from another "billboard" and is merely passing it on. Again, please help if you know what is going on here.

A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263) grabbed my attention the moment I saw it: in capital letters, it said, "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He goes on to say that two BBSs have been destroyed by the file. However, that's about all that was reported. I really need more to go on before I can classify this as a Trojan and not just a false alarm (i.e., archive name, what it does, etc.). Please advise.

| Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support Echo (FidoNet) about a version of ARJ called 2.33. It was unclear as to whether or not Mr. Mills had seen the file. Mr. Jung has stated that this is not a legitimate release number.
| It is possible that the references Greg saw about 2.33 were typos, but you never know. Please help your Hack Squad out on this one - if you see it, report it.

=========================================================================
The Meier/Morlan List

| Here is the current status of the files contained in the Meier/Morlan List. This is the last month for requests for information on this part of The Hack Report, as I have placed a deadline of September 30th on the files in this list. They've been reported for quite some while now, and the verifications have slowed to a trickle. If the files listed below can't be verified in time for the October issue, I will need to write them off as false alarms.

=== Previous comments on the files in the list: ===

Shane Paul of Softdisk Publishing (RIME, via HW Richard Steiner), comments on the SLORDAX game: "If the SLORDAX game is by Gamer's Edge and copyrighted by Softdisk then it is a pirated copy." I can't be sure that this is the case, so the file stays on the list until someone can verify this.

Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat Simulator by Mindscape, Inc. He says that he hasn't seen anything from them in quite a while, and doesn't know if the company is still in business.

Here are the remaining unresolved reports from HW Emanuel Levy:

"387DX - sounds like a Math Co-Processor emulator - might be legit

"Barkeep sounds like it may be a version of Tapper. If you send beer mugs down the screen to patrons and then have to pick up the returning mugs and they leave tips, then it is Tapper. Or it may be an OLD game published in Compute Mag. If it is the one from Compute only those who have the Compute issue with the game in it are allowed to have a copy.

"Harrier is either Harrier Jump Jet or Space Harrier from Sega which came out for the Commodore 64 in 89 so I would assume it came out for IBM around then too.

"Gremlins- There was a Gremlins Text Adventure and a video game for the computer. The video game was put out by Atari."

Thanks, Emanuel.

For those who have missed it before, here is what is left of the list of files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system. Joe says Wes keeps a bulletin of all rejected files uploaded to him and the reasons they were rejected. Joe also says he cannot confirm or deny the status of any of the files on the list.

There are some that I am not familiar with or cannot confirm. These are listed below, along with the description from Wes Meier's list. Due to the unconfirmed nature of the files below, the filenames are not included in the HACK????.COL and HACK????.IDX files that are a part of the archive of The Hack Report. I would appreciate any help that anyone can offer in verifying the status of these files. Until I receive verification on them, I will not count them as either hacks or pirated files. Remember - innocent until proven guilty. My thanks go to Joe and Wes for their help.

Filename  Reason for Rejection
========  =============================================
BARKEEP   Too old, no docs and copyrighted with no copy permission.
HARRIER   Copyrighted. No permission to copy granted.
SLORGAME  Copyrighted. No docs. No permission to copy granted.
NOVELL    Copyrighted material with no permission to BBS distribute
DRUMS     I have no idea if these are legit or not. No docs.
GREMLINS  No documentation or permission to copy given.
CLOUDKM   A hacked commercial program.
MENACE    Copyrighted. No docs. No permission to copy granted.
SNOOPY    Copyrighted. No docs. No permission to copy granted.
SLORDAX   Copyrighted. No docs. No permission to copy granted.
ESCAPE    Copyrighted. No docs. No permission to copy granted.
BANNER    Copyrighted. No docs. No permission to copy granted.
387DX     Copyrighted. No docs or permission to copy granted.
WINDRV    Copyrighted.
No permission to copy granted.

=========================================================================
Help!!!

Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to The Hack Squad for testing/verification please re-identify themselves via NetMail? Somehow, your message went to the great Bit Bucket in the sky. Thanks in advance!

=========================================================================
Clarifications and Thanks

Folks, the LHA mystery has finally been resolved, thanks to Scott Fell (1:124/6119), Steve Quarrella (1:124/9005), and Kenjirou Okubo, the support person for LHA. Your Hack Squad finally received the Internet address for Kenjirou Okubo (kenjirou@mathdent.im.uec.ac.jp), and managed to verify Scott Fell's own contact, relayed via Steve.

If you recall, Onno Tesink (2:283/318) found a file called LHA255B. This claims to be version 2.55b of the LHA archiver, with a file date in the executable of 12/08/92. Onno's report was the one that started the search. Kenjirou knew of this version and verified its legitimacy. He also provided some other very helpful information, which is best relayed by quoting his message to me:

"For DOS, currently lha256a1 is under testing in a closed circle for networking environment. After LHA213, dos5 appeared in Japan and Yoshi started his LHA25x series. The two versions you mentioned seem to fall under this series. The latest version which might be distributed by me is LHA254 for people who want to test -lh6- algorithm."

He went on to provide the following information on how to verify your copy of LHA:

"Any version ending with LHA25xb is a beta test version, and LHA25xa is for a limited circulation. To test whether these files are legitimate release either from Yoshi or me, please use -t option to check two dimensional CRC self-validation check. We believe our test will check the validation with 10E-38 % of error probability."
From my own testing, here is the best way to run the verification:

1. Extract LHA.EXE from the suspect archive and place it in an empty subdirectory that is not on your path (example: C:\FOO\LHA.EXE).

2. Change directories to the one which contains a known good copy of LHA.EXE.

3. Execute the command LHA t drive:\path\LHA.EXE. Using the above example, your command line would look like this:

   C:\LHADIR>LHA t C:\FOO\LHA.EXE

This will execute the known good copy of LHA, which will test the suspect copy and report whether or not the file "appears" to be the original. Even though the older LHA is doing the testing, it will be able to verify the newer copy. Steps 1 and 2 are what make this safe: DOS looks in the current directory before it searches the PATH, so with the suspect copy off your path and the known good copy in the current directory, typing LHA runs the trusted copy and never the suspect one.

Please note that Scott Fell's information was that the author does not want these copies distributed. However, it seems that the folks working on LHA are aware that some betas have "escaped" into circulation. In other words, use any betas _entirely_ at your own risk.

Scott and Steve have my undying gratitude for helping to lay this to rest, most notably by locating Kenjirou's Internet address and following through on it. Thanks from all of us!

*************************************************************************
Conclusion

If you see one of the listed files on a board near you, it would be a very friendly gesture to let the SysOp know. Remember, in the case of pirated files, they can get in just as much trouble as the fiend who uploads pirated files, so help them out if you can.

***HACK SQUAD POLICY***

The intent of this report is to help SysOps and Users to identify fraudulent files. To this extent, I give credit to the reporter of a confirmed hack. On this same note, I do _not_ intend to "go after" any BBS SysOps who have these programs posted for d/l. The Shareware World operates best when everyone works together, so it would be counter-productive to "rat" on anyone who has such a file on their board. Like I said, my intent is to help, not harm.
SysOps are strongly encouraged to read this report and remove all files listed as "confirmed" from their boards. I cannot and will not take any "enforcement action" on this, but you never know who else may be calling your board. Pirated commercial software posted for d/l can get you into _deeply_ serious trouble with certain authorities.

Updates of programs listed in this report need verification. It is unfortunate that anyone who downloads a file must be paranoid about its legitimacy. Call me a crusader, but I'd really like to see the day that this is no longer true. Until then, if you _know_ of a new official version of a program listed here, please help me verify it. By the same token, hacks need to be verified, too. I won't be held responsible for falsely accusing the real thing of being a fraud. So, innocent until proven guilty, but unofficial until verified.

Upcoming official releases will not be included or announced in this report. It is this Moderator's personal opinion that the hype surrounding a pending release leads to hacks and Trojans, which is exactly the opposite of what I'm trying to accomplish here.

If you know of any other programs that are hacks, bogus, jokes, hoaxes, etc., please let me know. Thanks for helping to keep shareware clean!

Lee Jackson, Author, The Hack Report
Moderator, FidoNet Int'l Echos SHAREWRE and WARNINGS (1:124/4007)