
  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Co-Moderator,
                                    ||  FidoNet International Echo SHAREWRE
          The Hack Report           ||  Volume 2, Number 2
         for February, 1993         ||  Report Date: February 7, 1993
                                    ||
  =========================================================================

  Welcome to the second 1993 issue of The Hack Report.  This is a series
  of reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware Echo and the author of the report, Lee
  Jackson (FidoNet 1:382/95).

  This month, your Hack Squad receives input on a long-standing question 
  from an unexpected source:  IBM.  Also, the Trojan writers seem to have 
  put in some serious overtime.  Thanks to everyone who has helped put this 
  report together, and to those that have sent in comments and suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  Echo (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use.  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

  *************************************************************************

                              Hacked Programs

  Here are the latest versions of some programs known to have hacked copies
  floating around.  Archive names are listed when known, along with the
  person who reported the fraud (thanks from us all!).

   Program              Hack(s)            Latest Official Version
   =======              =======            =======================
   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                    Author of BNU

|  F-Prot Virus Scanner FP-205B                    FP-206A*
      Reported By: Bill Lambdin (1:343/45)

|  LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
|     Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
|                       LHA151
|     Reported By: Lawrence Chen (1:134/3002)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

|  PKZip                PKZ301                     PKZ204E
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)


|  Shez                 SHEZ72A                    SHEZ86
                        SHEZ73
      Reported By: Bill Lambdin (1:343/45)


   Telix                Telix v3.20                TLX320-1
                         (Prior to Dec. 1992)      TLX320-2
                        Telix v3.25                TLX320-3
      Reported By: Brian C. Blad (1:114/107)       TLX320-4
                   Peter Kirn (WildNet, via
                                 Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1))
                        MegaTelix
      Verified By Jeff Woods, deltaComm, Inc.
        Please Note - the 3.20 release dated either December 10th
        or December 14th, 1992, is legitimate:  any earlier file
        calling itself v3.20 and carrying an Exis, Inc. trademark
        is not legitimate.  Please thoroughly check your version
        prior to sending questions to this reporter! <g>
                        Telix Pro
     Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

|  Wolfenstein-3D       WOLF2-1                    #1WOLF14
|                       WOLF2-2
|     Reported By: Wen-Chung Wu (1:102/342)


| * - According to the author of F-Prot, Fridrik Skulasson, version 2.06A
|     is the latest version released to BBS distribution by him.  However,
|     he has written "personalized" versions, numbered 2.06B, 2.06C, and
|     2.06D, for individual clients.  These versions were not intended for
|     general release, but may have entered distribution.

  =========================================================================

                                Hoax Alert:

| In response to my question about version 2.0 of Scorched Earth, Brian
| Dhatt (1:3648/2.5) responded that he has seen a file called SCORCHV2
| which was described as being v2.0 of this program.  However, when he
| downloaded it and ran it, it turned out that he had apparently received
| the program and doc files for v1.2.  The program even identified itself
| as v1.2, leading Brian and myself to believe that someone simply renamed
| the archive and uploaded it in an attempt to help out their file ratio.
| A simple hoax, but awfully irritating if you happen to be on the
| receiving end (and you only have a 2400bps modem).


  Other previously reported hoaxes:

  Filename      Claimed use/Actual activity/Reporter(s)
  ============  ==========================================================
  PKZ305        Hacked "new version" of PKZip.  However, a message in wide
                circulation claimed this was infected with a virus called
                PROTO-T.  This message is the actual hoax:  there may be
                one or more PROTO-T viruses around now, but none do what
                was claimed in the hoax message.  This hack, PKZ305, was
                not infected with any virus, nor did it contain Trojan
                code, per testing by Bill Logan (1:300/22), Jeff White
                (1:300/23), and Bill Lambdin (1:343/45).

  RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
                from Continental Software.  Actually does nothing but read
                your USERS.BBS file and report the number of users.  The
                program is _not_ from Continental Software, according to
                Andrew Milner.  Reported by Kai Sundren (2:201/150), via
                HW Mikael Winterkvist.

  =========================================================================

                              The Trojan Wars

  Readers of The Hack Updates, published as a series of messages in several
  networks and echos, will remember that I managed to place a rather large
  foot into my mouth by publishing a typo concerning the first release of
  the new PKZip.  I had inadvertently listed it as v2.03c, while the real
  release was in fact v2.04c.  Before you decide to send NetMail to correct
  what you have just read, please be aware that your Hack Squad is aware
  that the current latest version of PKZip/PKUnzip is v2.04E, being
  circulated under the filename PKZ204E.EXE.

  Why is this being explained in this section of The Hack Report?  Well, it
  would seem that during the time period between the release of 2.04c and
  2.04e, someone else managed to stick their foot in their own mouth by
  releasing a possible Trojan that claimed to "fix" some of the bugs in
  version 2.04c.  For all the dirty details, read on.


| In the time period mentioned above, three files appeared that claimed to
| correct problems with the -$ (store disk volume) option of PKZip v2.04c.
| Your Hack Squad found one copy of this file, PKZIPFIX; Chad Wagner
| found another, named PKZFX24C; and Scott Jibben (1:282/115) found both
| PKZFX24C and PKZFX24D.
|
| I sent my copy to Jeff White and Bill Logan, veterans of several previous
| tests for The Hack Report.  Here is their report:
|
|   ====== Begin Report ======
|
|   Results of test on: PKZIPFIX.ZIP
|
|   File description: Fix for volume bug in PKZIP v2.04c
|
|   Synopsis:
|
|   When the latest release of PKZ from PKWare came out, there was a bug
|   with the volume label being added to the archive. This program was
|   designed (?) to fix that bug.
|
|   It does indeed fix the bug, but remains a hacked copy of a copyrighted
|   piece of software and therefore is suspicious.
|
|   First of all, the author managed to crack PKWare's Commercial PKLite
|   compression, which shouldn't be able to be expanded.  When the author
|   hacked PKZ204C, he re-PKLited the fix, but with the standard version of
|   PKLite, which allows it to be expanded.
|
|   Also, there is questionable code contained in this "fix". Most notably,
|   the words "Erasing contents of drive, completed" appear towards the end
|   of the program.  Every command line switch I could think of that might
|   prompt this response did not bring these words up.  It is possible it
|   is waiting for some time or criteria to activate, or it could be
|   associated with an option I am not familiar with.  PKZ 193 and 204c are
|   non-expandable, and therefore couldn't be checked for this text, but
|   PKZ 110 was checked and it did NOT contain this text.
|
|   Integrity Master was used to ensure that nothing on the drive was
|   changed that shouldn't have been.  McAfee's ViruScan was used to ensure
|   that PKZIPFIX was not a dropper for an existing virus.
|   ======================================================================
|   File information:
|
|         File Name:  pkzipfix.zip
|              Size:  40,912
|              Date:  12-28-1992
|   File Authentication:
|        Check Method 1 - 082F
|        Check Method 2 - 059C
|   ======================================================================
|   File contents:
|
|   Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
|   ======  ======   ===== =====   ====    ====   ======== ====  ====
|    41935  DeflatX  40796   3%  12-28-92  02:04  7dc49363 --w-  PKZIP.EXE
|   ======          ======  ===                                  =======
|    41935           40796   3%                                        1
|   ======================================================================
|   PKZIP.EXE check:
|
|   CHK4LITE (tm)  Check for files compressed by PKLITE   Version 1.15
|   7-30-92 Copyright 1990-1992 by PKWARE Inc.  All Rights Reserved.
|
|   PKZIP.EXE      Compressed with PKLITE (tm) Ver. 1.15
|   ======================================================================
|   Validation check on PKZIP.EXE **after** unPKLITEing
|
|         File Name:  pkzip.exe
|              Size:  55,370
|              Date:  12-28-1992
|   File Authentication:
|        Check Method 1 - E8B1
|        Check Method 2 - 1224
|   ======================================================================
|   ViruScan of PKZIP.EXE **after** unPKLITEing
|
|   Scanning memory for critical viruses.
|
|   Scanning Volume: DRIVE I
|   Scanning C:PKZIP.EXE
|
|    No viruses found.
|   ======================================================================
|   Use:
|
|   The PKZIP released in PKZ204C.EXE would not properly add a volume label
|   when the -$ option was specified.
|
|   The version of PKZIP.EXE released in PKZIPFIX.ZIP does indeed fix this
|   bug. Example follows.
|
|   Attempt to use the -$ option with PKZIP 2.04c:
|
|   PKZIP (R)   FAST!   Create/Update Utility   Version 2.04c   12-28-92
|   Copr. 1989-1992 PKWARE Inc.  All Rights Reserved.  Shareware Version
|   PKZIP Reg. U.S. Pat. and Tm. Off.   Patent No. 5,051,745
|
|   * XMS version 3.00 detected.
|   * Using Normal Compression.
|
|   Creating ZIP: PKZTEST2.ZIP
|     Adding: PKZIP.EXE  Deflating %  (30%), done.
|
|                                  = = =
|
|   Attempt to use the -$ option with PKZIP.EXE from PKZIPFIX.ZIP
|
|   PKZIP (R)   FAST!   Create/Update Utility   Version 2.04c   12-28-92
|   Copr. 1989-1992 PKWARE Inc.  All Rights Reserved.  Shareware Version
|   PKZIP Reg. U.S. Pat. and Tm. Off.   Patent No. 5,051,745
|
|   * XMS version 3.00 detected.
|   * Using Normal Compression.
|
|   Creating ZIP: PKTEST1.ZIP
|     Adding: PKZIP.EXE    Deflating %  (30%), done.
|     Adding: DRIVE I      Storing      ( 0%), done.
|   ======================================================================
|   Integrity Master v1.41a was reinitialized for drive C: before testing.
|   Comparing drive C:'s data (after multiple executions of PKZIP.EXE) to
|   the backup information showed no changes or virus activity.  McAfee's
|   ViruScan confirmed no known virus activity.
|   ======================================================================
|   Suspicious code:
|
|   PKZIP.EXE contains several questionable pieces of code.  Although we
|   were unable to get PKZIP.EXE to do anything damaging, it is possible
|   that, under the right circumstances, PKZIP.EXE could prove to be a
|   trojan.
|
|   The suspicious code is as follows:
|
|       Address:  0000d0e0-0000d110
|       Code:     x:/ x:  *.* /  Erasing contents of drive, completed.
|
|   The above could be a reference to a temporary drive (although I used a
|   temporary drive using the -B command line switch and got no such
|   response) or in conjunction with a switch (unbeknownst to myself) that
|   might possibly delete files as they are archived.  It should be noted
|   that PKZIP.EXE as included in PKZ110.EXE contains none of this code.
|   Later releases of PKZIP.EXE cannot be checked since they are compressed
|   with PKLite and are non-expandable.
|   ====== End Report ======
|
| As always, our thanks go out to Bill and Jeff for their invaluable help.


| HW Nemrod Kedem forwards a report from Dviry Segal (2:401/4.1) about a
| program called OPTIBBS.  This claims to optimize your RemoteAccess BBS
| system, but in fact is yet another program that is aimed at the RA
| USERS.BBS file.  Dviry says it creates a file (on his tests, the filename
| created was PKZ193A.ZIP) which contains the names, phone numbers,
| security levels, and passwords stored in the USERS.BBS list.


| William Gordon (1:369/104) reports BEV105, a file that claims to be a
| "Beverly Hills 90210 Adventure Game."  This file contains 8 files, but
| two seem to be the real culprits:  DORINFO.DIR and INSTALL.COM.  The
| installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
| This program asks for some sort of wildcard according to William, then
| proceeds to delete everything on your drive that matches that wildcard.
| However, it doesn't stop there:  it continues on and deletes all .bat,
| .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files.  William also
| says the file "comes with the following virii:  Bootkill and Genesis."  A
| copy of this file has been sent to Bill Logan and Jeff White for
| analysis.


| Andreas Reinicke (2:284/402) posted a warning in the FidoNet VIRUS echo
| about an archive called GRAFIX.  This file contains a program called
| WAIT.COM, which Andreas says is a modified version of the program
| DELDIR.COM.  He states this program managed to erase one of his users'
| hard drive info.


| Bill Lambdin forwards a report posted in the Virtual Net Anti-Virus
| conference by a user identified as "Khamsin #1 @9168*1".  This message
| was also seen by HW Ken Whiton and HW Bill Dennison, forwarded by Ken
| Green of the CentraLink BBS.  This report concerned a file called
| DBSOUND, which claims to be an updated version of the Drum Blaster .MOD
| file player.  The reporter states this instance of the program deletes
| the current directory and all directories beneath it.  Especially
| dangerous if you happen to invoke it from your root directory, I'd say.


| Larry Dingethal (1:273/231) found a message on a local BBS from a user
| named Richard Meyers.  This message concerned a file called CHROME,
| described as "the Chrome Lady .fli" animation file.  Here's the file
| info:
|
|   GO.BAT            137  09-18-92        04:58p
|   PLAY.EXE        19832  07-10-89        10:08a
|   AAPLAY.EXE      81904  08-15-89        10:03a
|   INVOKE.FLI     675108  12-06-90        07:42p
|   FGDS.COM          812  04-27-92        01:56a
|
| The GO.BAT file apparently has a bug, since it tries to invoke a file
| named FDGS.COM (instead of the FGDS.COM in the archive).  This results in
| a "Bad command or file name" error, which is just as well - Richard says
| that a look inside the FGDS.COM file with PC Tools' "VIEW FILE" option
| shows the following text, beginning at address 0096 (and edited for
| television):
|
|   "Skism Rythem Stack Virus-808.  Smart kids into sick methods.
|   Don't alter this code into your own strain, f*****.  hr/sss
|   NYCity, this is the fifth of many, many more...you sissys."
|
| Richard said that McAfee's ViruScan did not detect an infection, and that
| the latest issue of VSUM by Patricia Hoffman did not list such a virus.


| Todd Clayton (1:259/210) reports a Trojan dubbed the "Malhavoc Trojan."
| The file involved, called AANSI100, claims to be an Auto-ANSI detector
| for Telegard v2.5q+.  When invoked, the program displays a verse of a
| song by a Toronto band called Malhavoc (hence the name), and then does an
| absolute disk write on drives C: through F:.  Finally, it displays the
| message, "Ha! You've been hit!".
|
| George Goode (1:229/15) has also seen a file called AANSI100, which may
| or may not be the same Trojan.  He says the documentation says the
| program adds ANSI auto detection to a Telegard 2.7 BBS, and should be
| inserted in your mailer batch file.
|
| This version has similar symptoms, notably what George calls "some cruddy
| poetry."  He says the only real symptom, though, is seen when FrontDoor
| v2.01 is loaded by your AUTOEXEC.BAT file.  He says your system will go
| into a continuous reboot cycle, which can be stopped only by breaking out
| of your batch file before FrontDoor loads.  When he replaced the FrontDoor
| overlay file with a fresh copy of the original, the problem stopped.
|
| From this information, it is hard to tell if one or two Trojans are
| involved here.  In either case, you might want to avoid anything called
| AANSI100.


| Gary Marden (2:258/27) reports a file, QOUTES (yes, that's how it is
| spelled), that claims to be a Christmas quotation generator.  The file,
| which Gary says is a "crude trojan written in one of the Borland compiled
| languages," contains quite a few text messages, beginning with "unpacking
| christmas qoutes" (sic) and ending with "Ho, Ho, Ho! Merry Christmas!
| Hope you get a new HD in your stocking!".  A C> prompt displays, and when
| you press a key, you get a message that says, "See you next Noel, Fool!",
| as well as a cold boot.
|
| By the time you see this, the damage has been done.  The program
| overwrites the first 128 cylinders of your first physical HD, trashing
| the MBR/boot sector, partition tables, FAT, and root directory.  FDISK
| will skip these 128 cylinders if you try to repartition the drive, as
| will FORMAT.  A low level format is required for complete recovery.  Gary
| surmises that if an IDE drive is hit by this, it may need to be sent back
| to the manufacturer for a low level format.
|
| Here is the archive information:
|
|   Archive date      : 1992-12-21 18:23:30
|   Pathname/Comment
|   Rev Host OS  Original Compressed Ratio DateTime modified CRC-32
|   ------------ -------- ---------- ----- ----------------- --------
|   QOUTES.EXE
|    4  MS-DOS       4512       4512 1.000 92-12-21 18:01:08 26AADA9D
|   QOUTES.DAT
|    4  MS-DOS      14492      14492 1.000 92-12-21 18:22:28 21FAA40B
|   READ.ME
|    4  MS-DOS        534        534 1.000 92-12-21 18:17:08 702CCA29
|   ------------ -------- ---------- -----
|       3 files     19538      19538 1.000
|
| This is definitely a file to avoid.


| Bill Lambdin (1:343/45) forwards a report from James Powell in the
| Intelec PC-Security conference about an archive named BATMAN.  It
| contains a single file called BATMAN.EXE, about 30k, which will search
| your DOS PATH and "delete the executable file that loads WildCat BBSs."


| Another report from Bill Lambdin comes from a user on 1:343/45, Reinhardt
| Mueller, concerning a dropper/Trojan called AVENGER.  When the file is
| uploaded with a description, it usually claims to be an "amazing game
| that supports all kinds of sound cards, and has everything you can
| imagine in a game."
|
| Reinhardt states that most upload checker/scanners will miss the embedded
| viruses, since they are contained in two internal passworded .ZIP format
| archives named AVENGER2.DAT and AVENGER3.DAT.  He says that these can be
| unzipped using the following command line after you open the main
| archive:
|
|   pkunzip -sGotcha! AVENGER?.DAT
|
| This will unzip two files, RUNTIME1.COM and RUNTIME2.COM.  The first file
| contains the N1 virus, while the second contains the Anthrax virus.
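
  Added example, not part of the original report: a sketch of an upload
  check that flags the two things this archive relies on, a ZIP stored
  under a non-archive extension and members the scanner cannot read because
  they are encrypted.  The size and depth limits are assumptions, and the
  sample archive is constructed with harmless placeholder bytes.

```python
import io
import struct
import zipfile

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap so one member cannot exhaust memory
MAX_DEPTH = 3                         # assumed limit on archives inside archives
ARCHIVE_EXTENSIONS = (".zip",)


def inspect_upload(data, prefix="", depth=0):
    """Return a list of (member_path, reason) findings for one uploaded ZIP."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<upload>", "not a readable ZIP archive")]
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((path, "encrypted member: contents were not scanned"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member too large to inspect"))
                continue
            try:
                body = archive.read(info)
            except (zipfile.BadZipFile, NotImplementedError) as exc:
                findings.append((path, f"unreadable member: {exc}"))
                continue
            if not zipfile.is_zipfile(io.BytesIO(body)):
                continue
            # The member is itself a ZIP, whatever its name says.
            if not info.filename.lower().endswith(ARCHIVE_EXTENSIONS):
                findings.append((path, "ZIP archive under a non-archive extension"))
            if depth + 1 >= MAX_DEPTH:
                findings.append((path, "nested too deeply to inspect"))
            else:
                findings.extend(inspect_upload(body, path + "!", depth + 1))
    return findings


def build_sample():
    """Constructed sample: an outer ZIP holding an inner ZIP named AVENGER2.DAT.

    Python's zipfile cannot write encrypted members, so the encryption flag is
    set by hand in the inner archive's local header (offset 6) and in its
    central directory entry (offset 8).  The payload is placeholder text.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("RUNTIME1.COM", b"harmless placeholder bytes")
    raw = bytearray(inner.getvalue())
    raw[6] |= 0x01
    # The end-of-central-directory record is the last 22 bytes (no comment);
    # the central directory offset is the 4-byte field at position 16 in it.
    cd_offset = struct.unpack_from("<I", raw, len(raw) - 22 + 16)[0]
    raw[cd_offset + 8] |= 0x01

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AVENGER.EXE", b"MZ placeholder, not a real program")
        zf.writestr("AVENGER2.DAT", bytes(raw))
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_upload(build_sample()):
        print(f"{member}: {reason}")
```

  A finding here means "hold for manual review", since nothing inside an
  encrypted member has been checked.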


| Mark Histed (1:268/332) has located a file called XYPHR2 that, at first
| look, appears to have an instance of our old friend, the Power Pump
| virus.  Mark posted the filenames and data in the FidoNet VIRUS_INFO
| echo:
|
| Searching ZIP: XYPHR2.ZIP
|
|    Length  Method   Size  Ratio   Date    Time    CRC-32  Name
|    ======  ======   ===== =====   ====    ====   ======== ====
|     28126  Implode   8757  69%  02-24-92  14:06  f664a51f LEVEL1.DAT
|     31795  Implode  11429  65%  02-24-92  14:08  806c0efc LEVEL2.DAT
|     45036  Implode  15204  67%  02-24-92  01:03  d6d9547a MAIN.DAT
|      6990  Implode   2454  65%  02-24-92  14:07  f774d292 REG.DAT
|     13109  Implode   1714  87%  02-24-92  14:06  e2c7a0b9 TITLE.DAT
|     22534  Stored   22534   0%  02-24-92  23:22  b367e528 XYPHR2.EXE
|      1181  Implode    471  61%  02-24-92  17:53  f81be401 AUTOEXEC.CMT
|     17354  Implode  14682  16%  02-24-92  21:04  02eac55c POWER.EXE
|      1199  Implode   1109   8%  02-24-92  21:00  f61885bd XYPHR2.COM
|       848  Implode    443  48%  02-24-92  21:41  43d9bfd0 REGISTER.DOC
|      6027  Implode   3125  49%  02-24-92  21:22  3d42937f XYPHR2.DOC
|    ======          ======  ===                            =======
|    174199           81922  53%                                 11
|
| Mark says that XYPHR2.COM is a compiled batch file that spawns the
| POWER.EXE file.  He says that this results in a "NUL POINTER ASSIGNMENT"
| error message, and passing of control back to command.com.
|
| Bill Lambdin received a copy of this file and confirmed that it does
| contain the Power Pump virus.  For first time readers, Power Pump is a
| "companion" infector, in that it seeks out .EXE files and creates hidden
| .COM files with the same base filename.  If you try to run an affected
| program by just typing the filename (no extension), the .COM file will
| run before the .EXE, due to the way DOS processes the command line.
| Fortunately, Bill reports that the virus is a very poor replicator - he
| only managed to produce 2 infections out of 14 tries.
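
  Added example, not part of the original report: a check for the
  "companion" pattern described above, reporting every .COM file that
  shares a directory and base name with an .EXE, together with a model of
  the extension order DOS tries for a bare command name.  The sample file
  names are constructed, and the hidden-attribute test only has an effect
  on platforms that expose DOS/Windows file attributes.

```python
import os
import stat
import tempfile

# Order in which COMMAND.COM tries extensions for a command typed without one.
DOS_ORDER = (".COM", ".EXE", ".BAT")


def _listing(directory):
    """Map upper-cased file name -> real path for the files in one directory."""
    found = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            found[entry.name.upper()] = entry.path
    return found


def dos_resolve(command, search_dirs):
    """Return the file DOS would run for a bare command name, or None.

    search_dirs is the current directory followed by the PATH entries.
    """
    base = command.upper()
    for directory in search_dirs:
        files = _listing(directory)
        for ext in DOS_ORDER:
            if base + ext in files:
                return files[base + ext]
    return None


def _is_hidden(path):
    """True when the DOS/Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_companions(root):
    """Return sorted (com_path, exe_path, com_is_hidden) tuples under root."""
    pairs = []
    for dirpath, _dirs, _files in os.walk(root):
        files = _listing(dirpath)
        for name, path in files.items():
            stem, ext = os.path.splitext(name)
            if ext == ".COM" and stem + ".EXE" in files:
                pairs.append((path, files[stem + ".EXE"], _is_hidden(path)))
    return sorted(pairs)


def build_sample(root):
    """Constructed sample tree: GAME has a companion, EDIT and TOOL do not."""
    for name in ("GAME.EXE", "GAME.COM", "EDIT.EXE", "TOOL.COM"):
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(b"placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for com, exe, hidden in find_companions(root):
            print(f"{com} shadows {exe} (hidden={hidden})")
        print("typing GAME runs:", dos_resolve("GAME", [root]))
```

  Legitimate packages sometimes ship both a .COM and an .EXE with the same
  name, so each pair is a prompt to compare dates and sizes against the
  original distribution.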


| Art Mason (1:229/15) reports that a file called QSCAN20, posing as a
| small virus scanner, is actually a Trojan that "identifies itself as
| being a stealth bomber and proceeds to destroy your FAT."  He posts the
| following file information:
|
|            Q.chk   281 bytes
|            qscan.com 777 bytes
|            qscan.txt 3287 bytes
|            qx.cld    118 bytes
|            Dates on the files are 10-22-92
|
| All of the text messages displayed by the program are visible by viewing
| the QSCAN.COM file.


| Zack Jones (1:387/641) reports a file called GAGS which was seen in the
| San Antonio area.  The file, described as "Some Christmas practical
| jokes," was analyzed by Bill Dirks (1:385/17) and confirmed as a Trojan.
| The program grabs control of several interrupt vectors, including the
| critical error handler.  The only way to stop it once it starts is to hit
| the reset button or power down.
|
| When invoked, it displays a countdown from 8 to 0, which corresponds to
| drives H through A, in that order.  For each found drive, it overwrites
| the first 255 sectors with random data from a block of memory.  To add
| insult to injury, if drives B and A are empty, you are prompted to insert
| disks (so that they can be trashed as well).
|
| After this, the Trojan displays a message, including something like,
| "the disk was trashed but it's only a joke and they are only kidding."
| It then prompts you to reboot, which is rather hard to do unless you have
| a bootable "panic disk" floppy on hand - you certainly won't be able to
| boot from your HD.
|
| Bill says that if your HD is smaller than 60 megs, you're better off
| trying to recover your disk from scratch.  Between 60-120 megs, you have
| a better chance of recovery via disk utilities:  over 120 megs, you
| should be able to accomplish a complete recovery if you're careful and
| you know what you're doing.
|
| Bill posted the following scan string that can be used to detect this
| Trojan - if your scanner can use external strings, be sure to read the
| instructions carefully before trying to add this:
|
|              9A46027205B003B9FF00BA0000CD26
|
| If your scanner requires a name for the string, Bill suggests using
| "AlamoXmasTrojan."
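
  Added example, not part of the original report: how a scanner applies an
  external scan string such as the one above, reading the file in chunks
  and carrying an overlap so a match that straddles a chunk boundary is
  still found.  The minimum signature length and the sample buffer are
  assumptions made for the example.

```python
import io

# Scan string exactly as posted in the report, under the name Bill suggests.
# Its last ten bytes are the 8086 instructions MOV AL,03h / MOV CX,00FFh /
# MOV DX,0000h / INT 26h: the DOS absolute-disk-write call for 255 sectors
# starting at sector 0, which matches the behaviour the report describes.
SCAN_STRINGS = {"AlamoXmasTrojan": "9A46027205B003B9FF00BA0000CD26"}

MIN_SIGNATURE_BYTES = 8  # assumed floor; very short strings match by accident


def compile_signatures(table):
    """Turn {name: hex text} into {name: bytes}, rejecting malformed entries."""
    compiled = {}
    for name, text in table.items():
        raw = bytes.fromhex(text)  # raises ValueError on odd length or non-hex
        if len(raw) < MIN_SIGNATURE_BYTES:
            raise ValueError(f"{name}: signature too short to be reliable")
        compiled[name] = raw
    return compiled


def scan_stream(stream, signatures, chunk_size=65536):
    """Return sorted (name, file_offset) hits for every signature occurrence."""
    keep = max(len(sig) for sig in signatures.values()) - 1
    hits = set()
    tail = b""   # last bytes of the previous window, re-scanned with the next chunk
    base = 0     # file offset of the first byte of `tail`
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        window = tail + block
        for name, sig in signatures.items():
            start = 0
            while (pos := window.find(sig, start)) != -1:
                hits.add((name, base + pos))
                start = pos + 1
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return sorted(hits)


def scan_file(path, signatures):
    """Scan one file on disk."""
    with open(path, "rb") as handle:
        return scan_stream(handle, signatures)


def build_sample():
    """Constructed buffer: filler bytes with the scan string placed at offset 60."""
    sig = bytes.fromhex(SCAN_STRINGS["AlamoXmasTrojan"])
    return b"\x90" * 60 + sig + b"\x90" * 40


if __name__ == "__main__":
    signatures = compile_signatures(SCAN_STRINGS)
    # A 64-byte chunk size forces the match to span two reads.
    for name, offset in scan_stream(io.BytesIO(build_sample()), signatures, 64):
        print(f"{name} at offset {offset:#06x}")
```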


| John Miezitis (Internet, John.Miezitis@cc.utas.edu.au) reported in the
| Internet comp.virus newsgroup that a file named YPCBR101, found on
| Simtel-20 and the oak mirror on archie.au, contained the 1800 variant of
| the Dark Avenger virus in the executable file YAPCBR.EXE.  F-Prot v2.06a
| was able to remove the infection.
|
| I have since received information from John that the original program, which
| he says will be re-released as a clean archive, is a "cheap alternative
| to hardware bridges."  He says it works with two ethernet cards (any card
| supported by the crynwr packet drivers) and a 286 or better machine to
| "turn it into a bridge."
|
| John did not know what the archive name of the re-release will be.  So,
| if you need this file, go ahead and grab a copy, but check it out with an
| anti-viral utility first to make sure your copy is clean.


| Peter Janssens (2:512/1) reports yet another pair of Trojans aimed at
| RemoteAccess BBS systems.  These do no physical damage, but they are
| dangerous enough in what they do.
|
| The Trojans, named RAMANAGE and RA111TO2, claim to be different from each
| other:  the first claims to be a USERS.BBS file manager, while the second
| claims to upgrade RemoteAccess v1.11 to v2.0 (which doesn't exist, FYI).
| Both have the same effect, though - they pack your USERS.BBS file into an
| archive, named either MIX1.ARJ or WISE.ARJ, and move the archive into a
| download directory.
|
| Peter Hoek (2:281/506.15) reports that he has found a similar situation -
| his USERS.BBS file was placed in his GAMES directory under the name
| RUNNING.ARJ.  He did not say what program (or if any program) created
| this archive.
|
| This could cause a serious security problem for RA SysOps, as you can
| guess.  If you run a RemoteAccess system, it would be a good idea to
| check your download directories for files that you don't recognize, then
| take a good look at them.  Even if you've never seen one of these Trojans
| before - just in case.


| Clayton Mattatall (1:247/400) reports in the FidoNet VIRUS_INFO echo that
| a file named SBBSFIX is a Trojan that attempts to format drive C:.  He
| says it contains two files, SBBSFIX.EXE and COM_P.OVL, and was written in
| C++.  It also asks for a $10 fee.  At first glance, I wouldn't send it.


| This Trojan report comes from an article in MacWeek magazine, Volume 7,
| Number 2, issued January 11, 1993.  The article, posted in the FidoNet
| VIRUS_INFO echo by Robert Cummings, states that a program called CPro
| 1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
| shareware compression utility), will reformat any floppy in drive 1 and
| tries to reformat the user's start-up hard drive when launched.
|
| The file can be identified by a 312K sound resource file called "log
| jingle," which is digitized sound from the Ren and Stimpy cartoons.


| Mike Wenthold (1:271/47) found a program under the filename GS2000 which
| contained the VCL 3 [Con] Virus.  I am attempting to get further details
| on what this file is, but until then, here is the archive data that Mike
| sent:
|
|  Length   Method    Size    CF    Date     Time    CRC      Filename
| ======== ======== ======== ==== ========= ====== ======== ============
|     1984              1304  34% 22-Dec-91 01:40p 3527B16B GS2000.COM
|      543               363  33% 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
| ======== ======== ======== ==== ========= ====== ======== ============
|     2527              1667  34%                           2 files.
|
| The compression method (on this ZIP archive) was not included in his
| data.


  Frans Hagelaars (2:512/2) posted a message in several echos last month
  concerning a Trojan version of the Blue Wave Offline Mail Reader that had
  been circulating in his area.  According to the warning, the "hacked"
  version attacks your hard drive boot sector and partition table, and will
  then "play tricks" with RemoteAccess userlists and phone numbers.

  The filename of this version was not given in the report, nor was it made
  clear whether the BBS door or the Reader was involved.  If you have any
  questions about the security of your copy, remember that you can always
  obtain a safe copy from the BBS of the author, George Hatchew, at FidoNet
  address 1:2240/176, phone number 1-313-743-8464, or from any of the
  official distribution sites (which I believe are listed in the
  documentation for the program).


  Filename  Claimed use/Actual activity/Reporter(s)
  ========= ==============================================================
  ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
            Doodle and AntiChrist viruses.  Can trash hard drives as well
            through Trojan behaviour.  Reported by Bill Dirks (1:385/17),
            and under the filename RUNME by Stephen Furness (1:163/273).

  LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
            reports as being infected with the VCL virus when checked with
            McAfee's ViruScan v95.  Reported by Mike Wenthold (1:271/47).

  MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
            key of your keyboard to invoke DEBUG and create a couple of
            Trojans from script files.  Reported by Bill Dirks.

  RAFIX     "Fixes little bugs" in RemoteAccess - program contains the
            string "COMMAND /C FORMAT C:" internally.  Reported by Sylvain
            Simard (1:242/158).

  REAPER    ANSI bomb - remaps the keyboard to force file deletion and
            hard disk formatting - also generates insults.  Reported by
            Victor Padron (1:3609/14), via Rich Veraa (1:135/907).

  REDFOX    Batch file which deletes all DOS and system files.  Reported
            by Mike Wenthold.

  ROLEX     Possible isolated incident of an infection by the Keypress
            [Key] virus.  Reported by David Gibbs, via Michael Toth
            (1:115/220).

  SPEED     Claims to "check your PC speed" - actually deletes all files
            on drive C:, including directories.  Reported by HW Nemrod
            Kedem.
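
  A pre-run check for two of the tricks listed above, the ANSI.SYS key
  remap (MUVBACK, REAPER) and the embedded command string (RAFIX), as an
  added example that is not part of the original report.  It also flags
  wildcard deletes; all function names and both sample inputs are
  constructed for illustration.

```python
import re

# One ANSI.SYS parameter: a decimal code or a quoted string.  Single quotes are
# accepted as well as double quotes (assumption, to err on the side of flagging).
TOKEN = rb'(?:\d+|"[^"\x1b]*"|\'[^\'\x1b]*\')'
# Key reassignment: ESC [ key ; replacement ... p  (colour codes end in "m").
KEYMAP = re.compile(rb'\x1b\[(' + TOKEN + rb'(?:;' + TOKEN + rb')+)p')
# Printable ASCII runs, as a "strings"-style utility would report them.
PRINTABLE_RUN = re.compile(rb'[\x20-\x7e]{6,}')
# Commands the report associates with Trojans: disk format, wildcard delete.
DESTRUCTIVE = re.compile(r'\bFORMAT\s+[A-Z]:|\b(?:DEL|ERASE)\s+\S*[*?]', re.I)


def _decode(tok):
    """Turn one parameter into the text it stands for."""
    if tok[:1] in (b'"', b"'"):
        return tok[1:-1].decode("cp437")
    code = int(tok)
    return bytes([code]).decode("cp437") if code < 256 else "?"


def find_key_remaps(data):
    """Return (key, text_the_key_will_type) for each reassignment found."""
    found = []
    for m in KEYMAP.finditer(data):
        toks = re.findall(TOKEN, m.group(1))
        if toks[0].isdigit() and int(toks[0]) == 0 and toks[1].isdigit():
            # Extended keys (function keys and the like) are written 0;<code>.
            key, rest = "ext-" + toks[1].decode(), toks[2:]
        else:
            key, rest = _decode(toks[0])[:1], toks[1:]
        found.append((key, "".join(_decode(t) for t in rest)))
    return found


def find_command_strings(data):
    """Return (offset, string) for embedded strings that format or mass-delete."""
    hits = []
    for m in PRINTABLE_RUN.finditer(data):
        text = m.group().decode("ascii")
        if DESTRUCTIVE.search(text):
            hits.append((m.start(), text))
    return hits


def triage(data):
    """Summarise both checks for one uploaded file."""
    remaps = find_key_remaps(data)
    commands = find_command_strings(data)
    # Any key reassignment inside an advert, doc or game file is reason to reject.
    return {"key_remaps": remaps, "command_strings": commands,
            "reject": bool(remaps or commands)}


# Constructed sample: a "BBS ad" with ordinary colour codes plus two remaps
# whose replacement text is deliberately harmless.
SAMPLE_AD = (b'\x1b[1;33mCall The Example BBS!\x1b[0m\r\n'
             b'\x1b[100;"ECHO remapped";13p'
             b'\x1b[0;59;"DIR";13p')
# Constructed sample: bytes laid out like a small program that carries the
# string the report quotes for RAFIX.
SAMPLE_PROGRAM = (b'MZ\x90\x00' + b'\x00' * 8 + b'Fixing RemoteAccess...\x00'
                  b'COMMAND /C FORMAT C:\x00\xff\xfe')

if __name__ == "__main__":
    for name, blob in (("SAMPLE_AD", SAMPLE_AD), ("SAMPLE_PROGRAM", SAMPLE_PROGRAM)):
        print(name, triage(blob))
```

  A clean result only means these two patterns are absent; infected files
  such as LOGIM613 and ROLEX above still need a virus scanner.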

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  =======                 ===============     ===========
| 3-D Pool                3DPOOL              Michael Gibbs (via Bill
|                                              Lambdin)

| Atomix (game)           ATOMIX_             HW Matt Kracht

  Battle Chess            CHESS               Ron Mahan (1:123/61)

| Check-It PC             CHECKIT             HW Bert Bredewoud
|  Diagnostic Software    CHKIT20             Bill Lambdin (1:343/45)

  Commander Keen          _1KEEN5             Scott Wunsch (1:140/23.1701)
   (part 5)

  Darkside (game)         DARKSIDE            Ralph Busch (1:153/9)

| Energizer Bunny Screen  ENERGIZR            Kurt Jacobson, PC Dynamics,
|  Saver for Windows                           Inc., via HW Bill Dennison

  F-Prot Professional     FP206SF             Mikko Hypponen
                                               (mikko.hypponen@compart.fi)

| Killing Cloud (game)    CLOUD               Mike Wenthold

| MegaMan (game)          MEGAMAN             Emanuel Levy (1:266/63)

  Over the Net            OTNINC1             Tim Sitzler (1:206/2708)
   (volleyball game)

| PKZip v2.04c            PK204REG            Scott Raymond (1:278/624)
|  (Registered)

| PKZip v2.04c            PKZCFG              Mark Mistretta (1:102/1314)
|  Configuration Editor

| PKZip v2.04e            PK204ERG            Scott Raymond
|  (Registered)

| PrintShop               PSHOP               Michael Gibbs, Intelec, via
|                                              Bill Lambdin (1:343/45)

  Psion Chess             3D-CHESS            Matt Farrenkopf (1:105/376)

| QModem v6.0             QM60IST1            Francois Thunus (2:270/25)
|                         QM60IST2

| QModem Pro              QMPRO-1             Mark Mistretta
|                         QMPRO-2

  Rack 'Em (game)         RACKEM              Ruth Lee (1:106/5352)

| Shadow Warriors (game)  SHADOWG             Mark Mistretta

| Sharky's 3D Pool        POOL                Jason Robertson (1:250/801)

| Shez (Registered)       SHEZ85R             Scott Raymond

  SimCity (by Maxis)      SIMCTYSW            Scott Wunsch

| Streets on a Disk       STREETS             Harvey Woien (1:102/752)

| Teledisk (files         TDISK214            Mark Mistretta
|  dated after Apr. 1991)

| Vegas Casino 2 (game)   VEGAS2              The Hack Squad

| WinWay Resume for
|  Windows                WINRES              Erez Carmel (CompuServe,
|                                               70523,2574)

  =========================================================================

                      ?????Questionable Programs?????

  First, a quick note - this section, along with the Information, Please
  section, are the only ones that have any information carried over from
  the 1992 report.  This is because many of the listings in these sections
  were not completely resolved when the last 1992 issue was published.  As
  usual, if anyone has any additional information on anything listed in
  these sections, _please_ help!


| Long time readers of this report will remember a question concerning the
| status of a screen saver called TUNNEL.  Ove Lorentzon (2:203/403.6) and
| Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
| Steiner) both stated that the program was an internal IBM test program
| and was not intended for outside distribution.
|
| Your Hack Squad has received word from the author of the program, Dan
| Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
| the program has never been released to the general public.  According to
| Dan, "it is still owned by IBM, and as such has been given the IBM
| security classification 'IBM Internal Use Only' which means what it says:
| the program is not for distribution to non-IBM employees."
|
| Dan also says that several other "Internal Use Only" programs have been
| "leaked" to the outside world, which implies that these files should not
| be posted for download.  One such program was originally called Dazzle
| (NOT to be confused with the other popular DAZZLE screensaver), but has
| entered BBS distribution under the filename O-MY-GOD.  Another is a
| program that is usually included inside other archives:  the program name
| is PLAYANI.  Dan says this has been distributed "along with various
| animations," and also falls under the same Internal classification.
|
| A prime example of this is an archive called BALLS (not what you think).
| This is an animation of multiple chrome spheres rotating around each
| other above a red and white checkerboard platform.  In this case, both
| the player (PLAYANI) _and_ the animation are the property of IBM and are
| not intended for BBS distribution.
|
| Again, to quote Dan, "None of these programs are for external
| distribution; all are owned by IBM and are only for use inside IBM by IBM
| employees."  Thanks to Dan for all of his help.


| Donn Bly has cleared up the question on the status of the Sydex program
| TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
| Donn was kind enough to mail a copy of a letter sent to him by Sydex
| explaining that Teledisk is no longer shareware.  Here is an excerpt from
| the letter:
|
|      "Effective April 1991, TeleDisk is no longer a shareware
|      product.  After long consideration, we decided to
|      discontinue our offering of the shareware edition of
|      TeleDisk, and license it only as a commercial product.
|
|      "Commercial licenses of TeleDisk are available from Sydex at
|      $150 a copy.  All shareware distributors and BBS sysops who
|      take time to check their sources are requested to remove
|      TeleDisk from shareware distribution."
|
| The letter is signed by Miriam St. Clair for Sydex.  To summarize, Sydex
| is no longer accepting shareware registrations for TeleDisk, and asks
| that it not be made available for download from BBS systems.
|
| Thanks to Donn for his help in this matter.


  HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
  Barnes of Mustang Software, Inc., about a "patch" program aimed at
  OffLine Xpress (OLX) v1.0.  The patch is supposed to allow OLX to
  read and reply to Blue Wave packets, along with a lot of other seemingly
  unbelievable feats.  Gwen Barnes did not seem to know of the patch, but
  published the following advice in the WildNet SLMROLX conference to
  anyone considering trying it:

    1. Make a complete backup of your system.
    2. Make sure you've got all the latest SCAN stuff from McAfee
    3. Try it, keeping in mind that it more than likely does nothing
       at all, or is a trojan that will hose your system.
    4. Get ready to re-format and restore from backups if this is in
       fact the case.

  No filename was given for this patch.  If anyone runs across a copy of
  it, please contact one of The HackWatchers or myself so that we can
  forward a copy to MSI for testing.


  Bill Lambdin (1:343/45) reports that someone has taken all of McAfee
  Associates' antiviral programs and combined them into one gigantic (over
  700k) archive.  He did not say whether the files had been tampered with,
  but he did send a copy to McAfee for them to dissect.  The file was
  posted under the filename MCAFEE99.  I would not suggest downloading this
  file:  as a matter of fact, this reporter prefers to call McAfee's BBS
  directly when a new version of any of their utilities comes out.  I
  highly recommend this method, since it ensures that you will receive an
  official copy.


  HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:382/95).

  =========================================================================

                            Information, Please

  This is the section of The Hack Report where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send them in: operators are standing
  by.


  Onno Tesink (2:283/318) has sighted a file called LHA255B.  This claims
  to be version 2.55b of the LHA archiver, with a file date in the
  executable of 12/08/92.  He compared the file to the latest known
  official release, v2.13, and found two additional program options which
  were mentioned when the program was invoked with no command line
  (generating a help screen).  The archive contained nothing but the
  executable file.  Viral scans were negative.

  I have not heard of any further development going on by the author of
  LHA, H. Yoshi, but that wouldn't be a first. <g>  If anyone knows of a
  new version of LHA, please contact your nearest HackWatcher and lend a
  hand.


  Travis Griggs (1:3807/4.25) forwarded a report from a local board called
  The Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen.
  The message referred to a file called BOUNCE, which she said was infected
  with the Russian Mirror virus.  The file, according to Travis, claimed to
  be a game.  I would appreciate further confirmation of this sighting.


  An update on a warning from Mark Stansfield (1:115/404), concerning
  the files KILL and PROTECT.  He claims that these delete the user's hard
  drive when run.  Dan Onstott (1:100/470) reported in the FidoNet SHAREWRE
  echo that he has a small utility called PROTECT.COM (205 bytes, dated
  12-10-86), which is a write-protect utility for your hard drive.  He says
  he has never had a problem with it.  So, Mark's report may be an isolated
  incident.  If anyone else sees the files Mark mentioned, please advise.


  Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
  Conference about two files.  The archives, called PHOTON and NUKE, are
  possibly droppers, containing a file called NUKE.COM which "will trash
  your HD."

  Pat Finnerty (1:3627/107) sent a reply to the last report of this,
  stating that he has a copy of a PC Magazine utility called NUKE.COM,
  which is used to remove subdirectories which contain "nested subs,
  hidden, read-only (you name it)."  He says that the command NUKE C:\ will
  effectively delete everything on a hard drive, with no chance of repair.
  This is merely the way the program is designed.

  I do not know if this is what happened in Mario's case, or if Mario
  actually found a copy (read: isolated incident) which was infected. Bill
  has asked Mario for further information, and I would like to echo his
  call for help.  If you know of this, please lend a hand.


  Another one forwarded by Bill comes from Michael Santos in the Intelec
  Net Chat conference, concerning a screen saver named IM.  This is only a
  "hearsay" report from one of Michael's friends, who says he downloaded it
  and wound up with a virus.  There is no way to tell if the infection came
  from the file itself or if it was already present on his friend's system.
  Once again, if anyone can clear this up, please do so.


  Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
  echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
  Rich Bongiovanni.  Rich reports that there is a file floating around
  called DEMON WARS (archive name DMNWAR52) that is "infected with a
  virus."  If true, this may be an isolated incident.  I would appreciate
  confirmation on this.


  Greg Walters (1:270/612) reports a possible isolated incident of a
  problem with #1KEEN7.  When he ran the installation, he began seeing on
  his monitor "what looked like an X-rated GIF."  The file apparently
  scanned clean.  Any information on similar sightings would be
  appreciated.


  A report from Todd Clayton (1:259/210) concerns a program called
  ROBO.EXE, which he says apparently claims to "make RoboBoard run 300%
  faster."  He says he has heard that the program fools around with your
  File Allocation Table.  I have not heard any other reports of this, so I
  would appreciate some confirmation from someone else who has seen similar
  reports.


  Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
  possible hack of FEBBS called F192HACK.  I have not seen this file, nor
  has the author of FEBBS, Patrik Sjoberg (2:205/208).  He forwards the
  file sizes in the archive, reported here:

        Name          Length      Mod Date  Time     CRC
        ============  ========    ========= ======== ========
        FEBBS.EXE       220841    09 Mar 92 21:17:00 96D2E08D
        014734.TXT        1403    26 Aug 92 01:59:18 3B9F717F
        ============  ========    ========= ======== ========
        *total     2    222244    26 Aug 92 01:59:24

  Kelvin says the .TXT file is just an advert for a BBS, so it is "not
  relevant!".  As I said, the author of FEBBS has never seen this file, so
  I've asked Kelvin to forward a copy of it to him.


  Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
  Optimiser (sic)," going under the filenames MAX-XD and MAXXD20. Scott
  Dudley, the author of Maximus, says he did not write any programs that
  have these names, but he does not know whether they are or are not
  legitimate third party utilities.  I have requested further information
  from Andrew on this topic, and would appreciate anyone else's
  information, if they have any.


  Yet another short warning comes from David Bell (1:280/315), posted in
  the FidoNet SHAREWRE echo, about a file called PCPLSTD2.  All he says is
  that it is a Trojan, and that he got his information from another
  "billboard" and is merely passing it on.  Again, please help if you know
  what is going on here.


  Bud Webster (1:264/165.7) reports an Apogee game being distributed under
  the filename BLOCK5.ZIP.  He says that the game displayed a message that
  said, "This game is not in the public domain or shareware."  There was
  only an .EXE file in the archive, and no documentation.  I need to know
  what the real name of this game is so that I can include it in the
  pirated files section (if necessary).


  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.


  Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
  Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
  whether or not Mr. Mills had seen the file.  Mr. Jung has repeated that
  the latest version of ARJ is v2.30 (however, there is a legitimate public
  beta version numbered 2.39b).  It is possible that the references Greg
  saw about 2.33 were typos, but you never know.  Please help your Hack
  Squad out on this one - if you see it, report it.

  =========================================================================

                           The Meier/Morlan List

| Here are this month's updates on the status of the files contained in the
| Meier/Morlan List.


| Emanuel Levy (1:266/63) forwards some of his observations on these files.
| Here is the text of his report:
|
| "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
| down the screen to patrons and then have to pick up the returning mugs
| and they leave tips, then it is Tapper. Or it may be an OLD game
| published in Compute Mag. If it is the one from Compute only those who
| have the Compute issue with the game in it are allowed to have a copy.
|
| "Harrier is either Harrier Jump Jet or Space Harrier from Sega which came
| out for the Commodore 64 in 89 so I would assume it came out for IBM
| around then too.
|
| "Gremlins- There was a Gremlins Text Adventure and a Video Game for the
| computer. The video game was put out by Atari
|
| "Megaman is sold in Stores and is out for Nintendo. It is a pirated
| program.
|
| "Antix may be Artic Antix one of the Spy vs Spy games
|
| "Win_Trek information follows
|
| "I got it at a convention from a dealer at a Star Trek Convention. The guy
| got it off of The Network BBS. It is located in Baltimore Maryland. The
| number there is t(420)247-3797
|
|   Files in archive are
|   WINTREK1.DLL   242112   4-07-92    6:53p
|   WINTREK2.DLL   519163   4-07-92    6:53p
|   WINTREK .EXE   144144   4-07-92    7:03p
|   WINTREK .HLP     7109   3-29-92    2:55p
|   README  .WRI     4224   4-07-92    7:12p
|
| "I hope I have been able to help."
|
| I'd say you have - thanks!  The confirmed pirated file, Megaman, is now
| listed in the Pirated Files section.  On the other hand, WinTrek will be
| removed, as Emanuel confirms that it is shareware.


| Andrew McCullough (1:2614/409) has a copy of a game called ANTIX,
| mentioned above.  According to Andrew, "as far as I can tell it is
| legit."  He says it is a "'dinky' little program where you try to eat
| away 75% of the screen without being hit by the 'bad guys'."  If anyone
| can confirm either report on this, please do so.


| Finally, Bill Lambdin forwards a message from Michael Gibbs (RIME address
| EXHIBITA, from the Intelec Shareware conference), about 3DPOOL.  Michael
| says this contains no docs, except for an ANSI file touting some pirate
| group.  This is usually clear evidence of a pirated commercial program,
| so this file moves to the Pirated Files section.


  For those who have missed it before, here is what is left of the list of
  files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
  of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system.  Joe
  says Wes keeps a bulletin of all rejected files uploaded to him and the
  reasons they were rejected.  Joe also says he cannot confirm or deny the
  status of any of the files on the list.

  There are some that I am not familiar with or cannot confirm.  These are
  listed below, along with the description from Wes Meier's list.

  Due to the unconfirmed nature of the files below, the filenames are not
  included in the columnar lists.  I would appreciate any help that
  anyone can offer in verifying the status of these files.  Until I receive
  some verification on them, I will not count them as either hacks or
  pirated files.  Remember - innocent until proven guilty.

  My thanks go to Joe and Wes for their help.

        Filename  Reason for Rejection
        ========  =============================================
        BARKEEP   Too old, no docs and copyrighted with no copy
                  permission.
        HARRIER   Copyrighted.  No permission to copy granted.
        SLORGAME  Copyrighted.  No docs.  No permission to copy
                  granted.
        NOVELL    Copyrighted material with no permission to
                  BBS distribute
        DRUMS     I have no idea if these are legit or not.  No
                  docs.
        SPACEGOO  STARGOSE in disguise.  Copyrighted.
        GREMLINS  No documentation or permission to copy given.
        NAVM      Copyrighted.  No permission to copy granted.
        TESTCOM   Copyrighted.  No permission to copy granted.
        CLOUDKM   A hacked commercial program.
        ANTIX     Couldn't make this work.  No docs.
        MENACE    Copyrighted.  No docs.  No permission to copy
                  granted.
        AIRBALL   A hacked commercial program.
        SNOOPY    Copyrighted.  No docs.  No permission to
                  copy granted.
        SLORDAX   Copyrighted.  No docs.  No permission to
                  copy granted.
        ESCAPE    Copyrighted.  No docs.  No permission to
                  copy granted.
        AFOX      A cracked commercial program.
        BANNER    Copyrighted.  No docs.  No permission to
                  copy granted.
        FIXDOS50  Copyrighted.  No permission to copy granted.
        WINGIF14  The author's documentation specifically
                  requests this file to not be distributed.
        INTELCOM  Copyrighted.  No docs.  No permission to
                  copy granted.
        387DX     Copyrighted.  No docs or permission to
                  copy granted.
        WINDRV    Copyrighted.  No permission to copy granted.

  =========================================================================

                                  Help!!!

| Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
| The Hack Squad for testing/verification please re-identify themselves via
| NetMail?  Somehow, your message went to the great Bit Bucket in the sky.
| Thanks in advance!

  =========================================================================

                               Clarification

| I need to apologize once again - this time, to Brent Lynch (1:103/132),
| concerning the file SF2BETA.  In my attempt to consolidate all of the
| information on several files of this name, I apparently misquoted Brent.
| In an attempt to rectify the situation, here is the entire text of the
| report from Brent, as forwarded by Harold Stein (1:107/236).
|
| This message was from BRENT LYNCH to ALL,
| originally in conference Games
| and was forwarded to you by HAROLD STEIN.
|
| =========================
|
|      Be careful of the game Sf2beta! Although there are no
|      trojans or viruses in it, it looks VERY suspicious and is prob.
|      pirated. If you really are curious I did play it before
|      deleting it as soon as I surmised it wasn't an authorized
|      copy.
|
|      First of all the Game is in Vietnamese (The setup program
|      isn't though strangely enough). The graphics are VERY good
|      in fact other than being a little smaller (not much though)
|      almost identical to the arcade version. The music is also
|      excellent and a good reproduction of the arcade version. The
|      animation is great at 61 frames per second on a 486! No
|      digitized voice and you can only play as Guile or Ryu. It's
|      really a pity that Capcom hasn't made a Legal version for the
|      USA as this version shows that a great game of SF2 is
|      possible.
|
|      Be careful and DON'T SPREAD THIS FILE AROUND as the folks at
|      Capcom have worked very hard to make a great game. I REPEAT
|      DO NOT SPREAD it around.
|
| =========================
|
| I apologize for any confusion that may have developed from this
| situation.

  *************************************************************************

                                Conclusion

  If you see one of these on a board near you, it would be a very friendly
  gesture to let the SysOp know.  Remember, they can get in just as much
  trouble as the fiend who uploads pirated files, so help them out if you
  can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed within from
  their boards.  I can not and will not take any "enforcement action" on
  this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  By the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Co-Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)