💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › hack9304.rpt captured on 2023-01-29 at 07:44:32.

View Raw

More Information

⬅️ Previous capture (2021-12-04)

-=-=-=-=-=-=-

  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Co-Moderator,
                                    ||  FidoNet International Echo SHAREWRE
          The Hack Report           ||  Volume 2, Number 4
          for April, 1993           ||  Report Date: April 4, 1993
                                    ||
  =========================================================================

  Welcome to the fourth 1993 issue of The Hack Report.  This is a series of
  reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware Echo and the author of the report, Lee
  Jackson (FidoNet 1:382/95).

  This month's issue was delayed a bit, due to some severe weather in the
  area of Hack Central Station.  However, and I hope you'll agree with me,
  the wait was worth it:  more ARJ hacks have appeared, seemingly in
  anticipation of a new release of the popular archiver, and the Power Pump
  is sighted once again.  Also, in what seems to be a never-ending attack
  against a well-known program, someone has released yet another tampered
  archive of TheDraw.  Thanks to everyone who has helped put this report
  together, and to those that have sent in comments and suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  Echo (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use.  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

| In addition, the releases listed as the latest Official Versions may not
| be entirely accurate.  However, they do reflect the latest version known
| to the author of The Hack Report at the time of writing.  That's the
| nature of the beast we call shareware:  authors have every right (and in
| this writer's opinion, are well advised) to release a new version without
| advance notice of any kind.  If you see a version newer than one listed
| here, please contact one of The HackWatchers or myself so that we can
| keep these listings up to date.

  *************************************************************************

                              Hacked Programs

| Here are the latest known versions of some programs known to have hacked
| copies floating around.  Archive names are listed when known, along with
| the person who reported the fraud (thanks from us all!).

   Program              Hack(s)                    Latest Official Version
   =======              =======                    =======================
|  ARJ Archiver         ARJ250                     ARJ239D
      Reported By:  Tommy Vielkanowitz(1:151/2305)
|                       ARJ239E
|     Reported By:  The Hack Squad
                        ARJ240A
      Reported By:  Ryan Shaw (1:152/38)

   Blue Wave Offline    BWAVE_3                    BWAVE212
    Mail Reader
      Reported By: HW Scott Raymond

   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                      Author of BNU

   DMS Amiga Disk       DMS version 1.12           DMS version 1.11
    Masher
      Reported By: Ben Filips, via Jay Ruyle (1:377/31)

   F-Prot Virus Scanner FP-205B                    FP-207
      Reported By: HW Bill Lambdin

   LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
      Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
                        LHA151
      Reported By: Lawrence Chen (1:134/3002)

   MusicPlay            MPLAY31                    MPLAY25B
      Reported By: Lee Madajczyk (1:280/5)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

   PKZip                PKZ301                     PKZ204G
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)


   Shez                 SHEZ72A                    SHEZ89
                        SHEZ73
      Reported By: HW Bill Lambdin

|  Telemate             TM40C                      TM400-1 through 4
|     Reported By: Philip Dynes, RIME Telemate
|                  conference, via HW Richard
|                  Steiner
|                       TM410-1
|     Reported By: Bat Lang (1:382/91)

|  Telix                Telix v3.20                TLX321-1
|                        (Prior to Dec. 1992)      TLX321-2
|                       Telix v3.25                TLX321-3
|     Reported By: Brian C. Blad (1:114/107)       TLX321-4
                   Peter Kirn (WildNet, via HW Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1)
                        MegaTelix
      Verified By: Jeff Woods, deltaComm, Inc.
                        Telix Pro
      Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

   Wolfenstein-3D       WOLF2-1                    #1WOLF14
                        WOLF2-2
      Reported By: Wen-Chung Wu (1:102/342)

  =========================================================================

                                Hoax Alert:

| Recently, an archive of Frisk's (a.k.a. Fridrik Skulason's) F-Prot Virus
| Scanner v2.07 has been distributed with a "registration form" from a
| company called JLT.  According to Frisk, this is not legitimate.  He says
| that JLT contacted him in the fall of 1992, asking if they could
| distribute F-Prot, collect registration fees, and forward 50% of the fees
| to him.  Frisk didn't want them to do this, but it appears that an
| archive with the "registration form" may have slipped into distribution.
| In Frisk's words, "...this version is most certainly not something that I
| want distributed."


  From the "Not Really A Program, but Interesting Anyway" department, a
  "press release" has entered distribution, claiming that PKWare Inc. has
  filed for Chapter 11 bankruptcy.  The letter is dated Friday, February
  26, 1993, and supposedly quotes Mark Gresbach of PKWare in the statement.

  However, in a message posted in the CompuServe PKWARE forum on March 1,
  1993, PKWare employee Douglas Hay states that this is not true.  Douglas
  also points out that the perpetrator of the hoax misspelled the word
  Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in
  the message for PKWare is wrong.  In short, ignore the letter - PKWare
  has _not_ filed bankruptcy.


  Other previously reported hoaxes:

  Filename      Claimed use/Actual activity/Reporter(s)
  ============  ==========================================================
  PKZ305        Hacked "new version" of PKZip.  However, a message in wide
                circulation claimed this was infected with a virus called
                PROTO-T.  This message is the actual hoax:  there may be
                one or more PROTO-T viruses around now, but none do what
                was claimed in the hoax message.  This hack, PKZ305, was
                not infected with any virus, nor did it contain Trojan
                code, per testing by Bill Logan (1:300/22), HW Jeff White,
                and HW Bill Lambdin.

  RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
                from Continental Software.  Actually does nothing but read
                your USERS.BBS file and report the number of users.  The
                program is _not_ from Continental Software, according to
                Andrew Milner.  Reported by Kai Sundren (2:201/150), via
                HW Mikael Winterkvist.

  SCORCHV2      Claims to be v2.0 of the game Scorched Earth:  this version
                doesn't yet exist.  Actually a renamed archive of version
                1.2.  Reported by Brian Dhatt (1:3648/2.5).

  =========================================================================

                              The Trojan Wars

  The usual "multitude" of Trojans that usually pass through the gates here
  at Hack Central Station was a bit smaller than some months.  However, the
  ones that did come through were enough to make life interesting.  So,
  grab some loaves and fishes, just in case, and read on.


| Ryan Tucker (1:290/10) forwards a message from a fellow SysOp, Robert
| Pedersen, about ASM2PAS.  This claims to create Pascal source code from
| an .EXE file.  However, from text inside the executable, it appears that
| this program tries to delete your DOS directory.  It also brags about a
| certain anti-viral scanner not being able to detect it.
|
| Valid point, that:  practically _no_ anti-viral tools detect Trojans,
| with the exception of Frisk's F-Prot and one or two others.  Even then,
| the Trojan detection is not complete.  Your best protection against
| Trojans is a religiously maintained set of backups, preferably done after
| a check for viruses on your hard drive(s).


| HW Richard Steiner forwarded a message from the America OnLine GEOWORKS
| forum about the file GEOCOMM.  The message, from "GW Steve" (a "GeoRep",
| according to Richard), came from a user of GeoComm named J. S. James, and
| warned that this archive contains a hacked version of the original
| GeoComm program.  The file claims to be an "update," but it seems to be a
| Trojan which will damage your File Allocation Table (FAT).  Not a file to
| be kept around, it would seem.


| HW Bill Lambdin reports on LAW22 (no description), which contains the
| following files:
|
|      Length    Date    Time    CRC-32  Attr  Name
|      ------    ----    ----   -------- ----  ----
|       22911  02-24-93  14:13  a4b84cc7 --w-  ABOUT.COM
|       13422  02-24-93  14:44  8f0d1e96 --w-  INFO.EXE
|         126  02-24-93  14:50  68c9463a --w-  DESC.SDI
|      ------                                  -------
|       36459                                        3
|
| Bill says that ABOUT.COM contains a virus. Scan 102 labels it as BA101,
| which is a 160 byte-long .COM file infector.  This could be an isolated
| incident of an infected legitimate file, so thoroughly check any such
| file you find that has the above files in it before you kill it.


| Another report from Mr. Lambdin concerns a file that a user in the
| Intelec PC-Security conference sent to him, called PCS204 (PC-Sentry
| v2.04).  Bill's tests show that this copy of the archive contains two
| files, INSTALSW.COM and EVERYDAY.COM, that are infected with a
| non-resident "companion" virus that utilizes the Mutation Engine.  It
| also contains the file PCS.EXE, which is infected with a virus created by
| a virus-writing group's "Mass Produce Code Generator."


| Bill also reports that our old friend, the Power Pump virus, has
| resurfaced inside a file called FX2.  Here's the archive info:
|
|               Length   Date    Time    CRC-32  Attr  Name
|               ------   ----    ----   -------- ----  ----
|                25846 01-01-92  00:00  2635e28a --w-  FX2.EXE
|                 1199 01-01-92  00:00  f61885bd --w-  FX2.COM
|                17354 01-01-92  00:00  02eac55c --w-  POWER.EXE
|                 1007 01-01-92  00:00  139e1291 --w-  FX2.DOC
|               ------                                 -------
|                45406                                       4
|
| The giveaway here is the file POWER.EXE.  For a full documentation of the
| Power Pump virus, please see the 1992 Full Archive Edition of The Hack
| Report (filename HACK92FA), available from most official distribution
| sites.


| Travis Griggs (1:3807/8) forwarded a report from a local board called The
| Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen. The
| message referred to a file called BOUNCE, which she said was infected
| with the Beeper (Russian Mirror) virus.  The file, according to Travis,
| claimed to be a game.  Travis has now forwarded the file information on
| this archive:
|
|     Filename       Original DateTime modified CRC-32   Attr BTPMGVX
|     ------------ ---------- ----------------- -------- ----------
|     BOUNCE.COM         4053 80-01-01 00:02:04 35C562AF A--W B 1
|     BOUNCE.DAT       119101 92-11-20 23:16:10 247712A8 A--W B 0
|     BOUNCE.DOC          348 92-11-20 23:21:46 B28557FE A--W B 1
|     ------------ ----------
|         3 files      123502


| Geoffrey Liu (1:229/15) reports in the FidoNet WARNINGS echo on a file
| called BWE.  This claims to provide a "quick and easy way to exit
| Windows."  Geoffrey forwards this file info and disassembly report from
| John Eady (1:229/15, john.eady@canrem.com):
|
|           Name          Length   Mod Date    Time     CRC
|           ============  ======== =========  ======== ========
|           LICENSE.TXT       2656 14 Feb 93  22:01:14 46B50814
|           ORDER.TXT         2335 12 Feb 93  12:00:18 9D1A705E
|           README.TXT        3565 14 Feb 93  23:08:08 3EA7548E
|           BWE.EXE          19517 14 Feb 93  23:02:34 F1729CA4
|           ============  ======== =========  ======== ========
|           *total     4     28073 14 Feb 93  23:08:08
|
| "After debugging part of the virus, the following text appears (encrypted)
| in the infected program:
|
|       It's time for a math test curtesy of YAM!
|
|       And the question is...
|
|       What is 00 + 00 =
|
|       WRONG!!!! TRY AGAIN!
|
|       Admiral Bailey
|
| "This virus is self-encrypting, but does not use any stealth techniques
| (as far as I've seen). It doesn't appear to infect the boot record, or
| the boot partition record. It does not appear to infect .SYS files, or
| .OV? files.
|
| "If you feel you have been infected, examine any EXE or COM files that you
| believe are infected. Check the 4th and 5th bytes in a COM file for the
| characters "BA". Check the 12th and 13th bytes in a EXE file for the
| characters "BA". If you find a file like this, chances are you have been
| infected."


| Michael Toth (1:115/439.7) has received a report from a local SysOp, Matt
| Glosson of Audio Adrenalin, of a copy of TheDraw v4.60 (filename
| TDRAW460) that was uploaded to him with a few "modifications."  The file
| contained a "ZIP Comment" that had an ANSI bomb embedded in it, and also
| had a file called UFO!.COM inside the archive which would perform an
| unconditional format on your hard drive.  (Editorial - for Ian Davis'
| sake, I wish folks would leave TheDraw alone for a while.  No one program
| or programmer deserves this much abuse. - lj)


| Mike Wenthold (1:271/47) found a program under the filename GS2000 which
| contained the VCL 3 [Con] Virus.  The archive contains the following
| files:
|
|              Length    Date     Time    CRC      Filename
|             ======== ========= ====== ======== ============
|                 1984 22-Dec-91 01:40p 3527B16B GS2000.COM
|                  543 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
|             ======== ========= ====== ======== ============
|                 2527                           2 files.
|
| The compression method (on this ZIP archive) was not included in his
| data.  According to Dave Lartique (1:3800/22) and Chris Gramer
| (1:271/47), the program is an "unprotect" for MicroProse's game Gunship
| 2000.  This appears to be another isolated incident of an infected
| legitimate file.


  William Gordon (1:369/104) reports BEV105, a file that claims to be a
  "Beverly Hills 90210 Adventure Game."  This file contains 8 files, but
  two seem to be the real culprits:  DORINFO.DIR and INSTALL.COM.  The
  installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
  This program asks for some sort of wildcard according to William, then
  proceeds to delete everything on your drive that matches that wildcard.
  However, it doesn't stop there:  it continues on and deletes all .bat,
  .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files.  William also
  says the file "comes with the following virii:  Bootkill and Genesis."

  A copy of this file was sent to Mr. White and Mr. Logan, who were able to
  confirm the behaviour that William reported.  For the complete results of
  their test, see the file BEV105.RES in the FILETSTS.LZH archive, included
  in the archive version of The Hack Report.


  More from  HW Bill Lambdin: he forwards a message from Terry Goodman in
  the U'NI Net virus conference concerning the file SCOMP.  This was
  advertised as a compression utility with better compression than PKZip.
  The file passes all virus checkers unless you also check data files in
  addition to executables.  In short, the executable loads a file called
  SCOMP.DAT, which it uses to create a file called CASPER.COM, which is
  apparently the Casper virus.


  Another report from Bill concerns a file he located called TAXTIP93.
  This archive contains a file called TAXTIP93.DAT, which the executable
  file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and
  WINDOWS directory.  The new MOUSE.COM is infected with the ADA virus.


  Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which
  was described with a very short line ("'Password,' or some other short
  word," according to Brian).  The archive contained these files:

                               PASS    .PA1
                               PASS    .PA2
                               PASS    .PA3
                               PASSWORD.COM

  Brian looked inside the .com file, which he says looks like a compiled
  batch file, and found these strings/commands:

      Please Wait While Loading;
      It may take in between 30seconds to 5 minutes
      To unshrink nessessary files
      Please Turn off Screen, and wait for the beep.
      If You do not, your screen might not function
      the way it should.
      Turn Off Screen now, and press the space bar.

      /C REN pass.pa1 pa.exe
      pass.pa2 /C DEL c:\*.*
      pass.pa2 /C DEL c:\dos\*.*
      /C REN pa.exe pass.pa1
      pass.pa3 FORMAT
      c:
      /C CLS

  As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed
  with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program.  PASS.PA2
  contains the single letter 'Y', and PASS.PA3 contains the single word
  'Yes'.  From the looks of things, this turns out to be a multipartite
  Trojan that attempts to format (what else?) your hard drive.


  Another multipartite Trojan was spotted by James Frazee (1:343/58), under
  the filename ADD_IT.  It contains these files:

                  Name of File    Size  Date
                  ADD_IT.ARJ     40888 02-11-93
                  =======================================
                  ADDIT1   DAT     34283 07-20-91   2:13a
                  ADD_IT   ANS       646 02-11-93   8:31p
                  ADDIT2   DAT     20634 04-09-91   5:00a
                  ADDIT    DOC       177 02-11-93   7:28p
                  ADDIT    COM      1391 02-11-93   8:14p
                  ADDIT3   DAT       138 02-11-93   8:13p
                  THEDRAW  PCK       650 02-11-93   8:31p

  When run, ADDIT.COM merges the three .DAT files into an .EXE file.  The
  end result was that the program deleted all of the files in the directory
  in which it was run.


  Matt Hargett (1:2430/1532) found a file called DRSLEEP which he says has
  a "cheap virii (sic) in it," but actually appears to be a Trojan.  When
  the executable, DRSLEEP.EXE is run, it deletes your COMMAND.COM file.
  Not much to write home about, but nasty enough.  Thanks, Matt.


  Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his
  system was "taken down" by a file called DRAGON.  It claimed to be a
  Public Domain VGA and Sound Blaster supported game.  No symptoms were
  reported, except that he had to reformat his hard drive.


  Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis
  Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2.
  In what might be an isolated incident, Josh says the file claimed to be a
  "really cool game, VGA gfx and SB sound."  However, the INSTALL program
  destroys hard disks.

| Bob Seaborn received a copy of this file and forwarded it to me - I have
| in turn forwarded it to Bill Logan and HW Jeff White for testing.  Stay
| tuned.


  John Balkunas (1:107/639) forwards information on GIFCHECK.  He reports
  that Lance Merlen (1:107/614) received an upload of this file, which,
  when checked with McAfee's ViruScan v100, reported over 5 viruses in the
  files in the archive.  No internal archive data was provided, so it is
  hard to say whether or not this is an isolated incident.


| Zack Jones (formerly 1:387/641: new address not yet known) reports a file
  called GAGS which was seen in the San Antonio area.  The file, described
  as "Some Christmas practical jokes," was analyzed by Bill Dirks (1:
  385/17) and confirmed as a Trojan. The program grabs control of several
  interrupt vectors, including the critical error handler.  The only way to
  stop it once it starts is to hit the reset button or power down.

  When invoked, it displays a countdown from 8 to 0, which corresponds to
  drives H through A, in that order.  For each found drive, it overwrites
  the first 255 sectors with random data from a block of memory.  To add
  insult to injury, if drives B and A are empty, you are prompted to insert
  disks (so that they can be trashed as well).

  After this, the Trojan displays the message, including something like,
  "the disk was trashed but it's only a joke and they are only kidding."
  It then prompts you to reboot, which is rather hard to do unless you have
  a bootable "panic disk" floppy on hand - you certainly won't be able to
  boot from your HD.

  Bill says that if your HD is smaller than 60 megs, you're better off
  trying to recover your disk from scratch.  Between 60-120 megs, you have
  a better chance of recovery via disk utilities:  over 120 megs, you
  should be able to accomplish a complete recovery if you're careful and
  you know what you're doing.

  Bill posted the following scan string that can be used to detect this
  Trojan - if your scanner can use external strings, be sure to read the
  instructions carefully before trying to add this:

               9A46027205B003B9FF00BA0000CD26

  If your scanner requires a name for the string, Bill suggests using
  "AlamoXmasTrojan."


  This Trojan report comes from an article in MacWeek magazine, Volume 7,
  Number 2, issued January 11, 1993.  The article, posted in the FidoNet
  VIRUS_INFO echo by Robert Cummings, states that a program called CPro
  1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
  shareware compression utility), will reformat any floppy in drive 1 and
  tries to reformat the user's start-up hard drive when launched.

  The file can be identified by a 312K sound resource file called "log
  jingle," which is digitized sound from the Ren and Stimpy cartoons.


  Frans Hagelaars (2:512/2) has posted a message in several echos
  concerning a Trojan version of the Blue Wave Offline Mail Reader that had
  been circulating in his area.  According to the warning, the "hacked"
  version attacks your hard drive boot sector and partition table, and will
  then "play tricks" with RemoteAccess userlists and phone numbers.

  The filename of this version was not given in the report, nor was it made
  clear whether the BBS door or the Reader was involved.  If you have any
  questions about the security of your copy, remember that you can always
  obtain a safe copy from the BBS of the author, George Hatchew, at FidoNet
  address 1:2240/176, phone number 1-313-743-8464, or from any of the
  official distribution sites (which I believe are listed in the
  documentation for the program).


  Other previously reported Trojans:

  Filename  Claimed use/Actual activity/Reporter(s)
  ========  ==============================================================
  AANSI100  Claims to add Auto-ANSI detect to Telegard BBSs - contains
            something called the "Malhavoc Trojan," which displays a verse
            from a Toronto band and attacks files/sectors on drives C:
            through F:.  Reported by HW Todd Clayton and by George Goode
            (1:229/15).

  ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
            Doodle and AntiChrist viruses.  Can trash hard drives as well
            through Trojan behaviour.  Reported by Bill Dirks (1:385/17),
            and under the filename RUNME by Stephen Furness (1:163/273).

  AVENGER   Advertised as an "amazing game that supports all kind of sound
            cards...."  Contains 2 internal password-protected .ZIP format
            files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by
            the program to the files RUNTIME1.COM (N1 virus) and
            RUNTIME2.COM (Anthrax virus).  From Reinhardt Mueller, via
            HW Bill Lambdin.

  BATMAN    No claim reported - searches your DOS path and tries to "delete
            the executable file that loads WildCat BBSs."  Reported by
            James Powell (Intelec PC-Security Conf.), via HW Bill Lambdin.

  CHROME    Possible isolated incident - contains a file, FGDS.COM, which
            contains text that says "Skism Rythem Stack Virus-808."
            Reported by Richard Meyers and forwarded by Larry Dingethal
            (1:273/231).

  DBSOUND   Possible isolated incident - claimed update of the Drum
            Blaster .MOD file player.  Deletes all files in the current
            directory and all of its subdirectories.  From "Khamsin #1
            @9168*1", forwarded by HW Ken Whiton and HW Bill Dennison,
            from Ken Green of the CentraLink BBS.

  GRAFIX    Possible isolated incident - contains the file WAIT.COM, which
            is a renamed copy of DELDIR.COM, a directory remover and file
            deletion tool.  Reported by Andreas Reinicke (2:284/402).

  LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
            reports as being infected with the VCL virus when checked with
            McAfee's ViruScan v95.  Reported by Mike Wenthold (1:271/47).

  MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
            key of your keyboard to invoke DEBUG and create a couple of
            Trojans from script files.  Reported by Bill Dirks.

  OPTIBBS   Aimed at RemoteAccess BBS systems - archives your USERS.BBS
            list and places it in your download directory.  Reported by
            HW Nemrod Kedem.

  QOUTES    Not a misspelling - claimed Christmas quotation generator.
            Overwrites the first 128 cylinders of your first HD, requiring
            a low level format to overcome the damage (IDE drives may need
            to go back to the factory).  Reported by Gary Marden
            (2:258/27).

  QSCAN20   Claimed small virus scanner - when run, identifies itself as
            "being a stealth bomber" and attacks your hard drive's FAT.
            Reported by Art Mason (1:229/15).

  RA111TO2  Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
            the OPTIBBS file reported above.  Reported by Peter Janssens
            (2:512/1).

  RAFIX     "Fixes little bugs" in RemoteAccess - program contains the
            string "COMMAND /C FORMAT C:" internally.  Reported by Sylvain
            Simard (1:242/158).

  RAMANAGE  Claimed USERS.BBS manager for RemoteAccess - yet another
            file that makes an archive of this file (MIX1.ARJ or WISE.ARJ)
            and places it in a download directory.  Reported by Peter
            Janssens.

            NOTE - Peter Hoek (2:281/506.15) reports a program that does
            the same thing, but uses the archive name RUNNING.ARJ to
            hold the USERS.BBS file.  No name of the Trojan was supplied.

  REAPER    ANSI bomb - remaps the keyboard to force file deletion and
            hard disk formatting - also generates insults.  Reported by
            Victor Padron (1:3609/14), via Rich Veraa (1:135/907).

  REDFOX    Batch file which deletes all DOS and system files.  Reported
            by Mike Wenthold.

  ROLEX     Possible isolated incident of an infection by the Keypress
            [Key] virus.  Reported by David Gibbs, via Michael Toth
            (1:115/220).

  SBBSFIX   Tries to format drive C: - contains two files, SBBSFIX.EXE and
            COM_P.OVL.  Reported by Clayton Mattatall (1:247/400).

  SPEED     Claims to "check your PC speed" - actually deletes all files
            on drive C:, including directories.  Reported by HW Nemrod
            Kedem.

  XYPHR2    No claim - contains the Power Pump companion virus (documented
            in the 1992 Full Archive of this report).  Reported by Mark
            Histed (1:268/332).


  YPCBR101  A copy of this file, uploaded to Simtel-20 and the oak mirror
            on archie.au, contained an infection of the Dark Avenger
            virus in the file YAPCBR.EXE.  Was supposed to be re-released
            as a clean archive.  Reported by John Miezitis (Internet,
            John.Miezitis@cc.utas.edu.au).

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  =======                 ===============     ===========
  3-D Pool                3DPOOL              Michael Gibbs (via Bill
                                               Lambdin)

  Alone in the Dark       ALONEDEM            Mark Mistretta (1:102/1314)
   (full game-not a demo)

| ArcMaster (registered)  AM91REG             HW Scott Raymond

| Arctic Fox (game, by    AFOX                from the Meier/Morlan List,
|  Electronic Arts)                            confirmed by Emanuel Levy
|                                              (1:266/63) and Brendt Hess
|                                              (1:105/362)

  Atomix (game)           ATOMIX_             HW Matt Kracht

  A-Train by Maxis        ATRAIN1  through    Chris Blackwell of Maxis
                          ATRAIN6, also        (zoinks@netcom.com)
                          A-TRAIN1 through
                          A-TRAIN6

  Battle Chess            CHESS               Ron Mahan (1:123/61)

| BeetleJuice (game)      BEETLE              Mark Harris (1:121/99)
|                         BETLEJUC            Jason Robertson (1:250/802.2)
                          BJUICE              Alan Hess (1:261/1000)
                          BJ                  Bill Blakely
                                               (RIME Shareware echo)
                          BTLJWC              the Hack Squad
                                               (1:382/95)

| Budokan: the Martial    BUDOKAN             Michael Gibbs (Intelec, via
|  Spirit (game)                               HW Bill Lambdin)

  Check-It PC             CHECKIT             HW Bert Bredewoud
   Diagnostic Software    CHKIT20             HW Bill Lambdin

| Cisco Heat (game)       CISCO               Jason Robertson

  Commander Keen          _1KEEN5             Scott Wunsch (1:140/23.1701)
   (part 5)

  Copy II PC              COPYPC70            Ryan Park (1:283/420)

  Darkside (game)         DARKSIDE            Ralph Busch (1:153/9)

  DiskDupe Pro v4.03      DD403PRO            Jan Koopmans (2:512/163)

  Energizer Bunny Screen  ENERGIZR            Kurt Jacobson, PC Dynamics,
   Saver for Windows                           Inc., via HW Bill Dennison

  Family Feud (game)      FAM-FEUD            Harold Stein (1:107/236)

  F-Prot Professional     FP206SF             Mikko Hypponen
                                               (mikko.hypponen@compart.fi)

| GifLite 2.0 (regist.)   GL2-ECR             HW Scott Raymond

  Golden Axe (game)       GOLDAXE             Harold Stein

  Ian Bothams Cricket     IBCTDT              Vince Sorensen (1:140/121)

| Intelcom Modem Test     TESTCOM             from the Meier/Morlan List,
|  Utility (dist. with                         confirmed by Onno Tesink
|  Intel modems)                               (RIME, via HW Richard
|                                              Steiner)

  Killing Cloud (game)    CLOUD               Mike Wenthold

| Kings of the Beach      VBALL               Jason Robertson
   (game)

  Life & Death (game)     L&D1                Harold Stein
                          L&D2

  MegaMan (game)          MEGAMAN             Emanuel Levy (1:266/63)

| Microsoft Flight        FS                  Michael Gibbs (Intelec, via
|  Simulator                                   HW Bill Lambdin)

  Oh No, More Lemmings    ONMLEMM             Larry Dingethal (1:273/231)
   (complete-not demo)

  Over the Net            OTNINC1             Tim Sitzler (1:206/2708)
   (volleyball game)

| PKLite (registered)     PKL15REG            HW Scott Raymond

  PKZip v2.04c            PK204REG            HW Scott Raymond
   (Registered)

  PKZip v2.04c            PKZCFG              Mark Mistretta (1:102/1314)
   Configuration Editor

  PKZip v2.04e            PK204ERG            HW Scott Raymond
   (Registered)

  PKZip v2.04g            PKZ204R             HW Bill Dennison
   (Registered)

  PrintShop               PSHOP               Michael Gibbs, Intelec, via
                                               HW Bill Lambdin

  Psion Chess             3D-CHESS            Matt Farrenkopf (1:105/376)

| Q387 (registered)       Q387UTG             Michael Toth (1:115/439.7)

  QModem Pro              QMPRO-1             Mark Mistretta
                          QMPRO-2

  Rack 'Em (game)         RACKEM              Ruth Lee (1:106/5352)

| Microsoft Ramdrive      RAMDRIVE            Barry Martin (Intelec, via
|                                               HW Bill Lambdin)

  Sequencer Plus Pro      SPPRO               Tom Dunavold (Intelec,
                                               via Larry Dingethal)

  Shadow Warriors (game)  SHADOWG             Mark Mistretta

  Sharky's 3D Pool        POOL                Jason Robertson (1:250/801)

  Shez (Registered)       SHEZ84R             Eric Vanebrick (2:291/712)
                          SHEZ85R             HW Scott Raymond
|                         SHEZ87R
|                         SHEZ88R
|                         SHEZ89R

  SideKick 2.0            SK3                 Harold Stein

| SimCity (by Maxis)      SIM_CITY            Kevin Brott (Internet,
|                                       dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW            Scott Wunsch

| Smartdrive Disk Cache   SMARTDRV            Barry Martin (Intelec, via
|                                               HW Bill Lambdin)
                          SMTDRV40            Michael Toth (1:115/220)

  Star Control Vol. 4     STARCON             Carson M. Hanrahan
                                               (CompuServe 71554,2652)

  Streets on a Disk       STREETS             Harvey Woien (1:102/752)

  Teledisk (files         TDISK214            Mark Mistretta
   dated after Apr. 1991)
|                         TELE214R            Staale Fagerland (Internet,
|                                            staale.fagerland@euronetis.no)

  Vegas Casino 2 (game)   VEGAS2              The Hack Squad

| VPic v6.0 (registered)  VPIC60CR            HW Scott Raymond

  WinWay Resume for       WINRES              Erez Carmel (CompuServe,
   Windows                                      70523,2574)

  World Class Rugby       WCRFNTDT            Vince Sorensen

| ZipMaster (registered)  ZM31REG             HW Scott Raymond

  =========================================================================

                      ?????Questionable Programs?????

  First, a quick note - this section, along with the Information, Please
  section, are the only ones that have any information carried over from
  the 1992 report.  This is because many of the listings in these sections
  were not completely resolved when the last 1992 issue was published.  As
  usual, if anyone has any additional information on anything listed in
  these sections, _please_ help!


| HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
| called BIBLEPR (no description available) that appears a bit suspicious.
| The file contents are:
|
|               Length  Time    CRC-32  Attr  Name
|               ------  ----   -------- ----  ----
|                34176  11:26  d267f5de --w-  BIBLEPR.COM
|               158493  00:04  4298ac2d --w-  DATAPR-0.DAT
|               158493  00:04  d87adf4b --w-  DATAPR-1.DAT
|               158493  00:08  1213c6b3 --w-  DATAPR-2.DAT
|               159764  00:08  38d7cc06 --w-  DATAPR-3.DAT
|                 1572  24:05  3a60c80e --w-  BIBLEPR.DOC
|               ------                        -------
|               670991                              6
|
| When BIBLEPR.COM executes, Bill says it displays the following message:
|
|                       Greets from DOA!
|
|       Don't say I didn't warn you! You are also busted!
|
|       Expect a visit from the SPA!
|
|       Omni, I will avenge you!
|
| Bill's disassembly shows the file contains two INT 26 calls, which are
| DOS Absolute Disk Write instructions.  He said that if it contains a
| virus, he was unable to get it to replicate.  A copy of the archive has
| been sent to Glenn Jordan at Datawatch Software for testing.


| Bud Webster (1:264/165.7) reports an Apogee game being distributed under
| the filename BLOCK5.ZIP.  He says that the game displayed a message that
| said, "This game is not in the public domain or shareware."  There was
| only an .EXE file in the archive, and no documentation.
|
| Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and Dan
| Stratton (via HW Ken Whiton) state that this program was part of an
| Apogee disk called the "Super Game Pack," and that it is a game called
| "Block Five."  Joe Siegler (1:124/9006), the online support
| representative for Apogee Software Productions, confirms this, and states
| that the majority of the games on this disk, including this one, have
| been officially discontinued.  No word yet on whether they may be
| distributed via BBS systems - watch this space for updates.


| Here's an interesting point, brought to my attention by HW Richard
| Steiner and John Weiss of the RIME Shareware Conference.  In previous
| issues, I have listed two files, QM60IST1 and QM60IST2 (reported by
| Francois Thunus, 2:270/25), as pirated copies of QModem v6.0.  However,
| Richard and John quite correctly point out that there was no release of
| QModem v6.0 - the program changed to QModem Pro after v5.
|
| From what Francois reported, I believe that what he saw was indeed Qmodem
| Pro, now a commercial-only program.  However, it was "released" under the
| above filenames.  So, is it a Hack?  Pirated File?  Or what?  Doesn't
| matter - it shouldn't be distributed.  Thanks, Richard and John, for
| making me fully engage my brain for a change. <grin>


| Jack Cross (1:3805/13) forwarded a copy of a DEBUG script posted in the
| FidoNet BATPOWER echo.  The script, which has created a great deal of
| discussion in that echo, created an archive (LZH) of the program
| TinyCache (filename TNYCACHE), a small disk cache program.
|
| A couple of folks who ran the program state that this is not a legitimate
| file.  In fact, it appears (from their reported symptoms) to be a Trojan.
| Destroyed FATs and reformatted hard drives have been reported after this
| program is run.
|
| I ran the script through DEBUG and un-archived the TNYCACHE.COM file.
| Afterwards, I checked it for viruses and looked at it with Vern Buerg's
| LIST Enhanced.  At first glance, the file doesn't even look like a real
| program:  it appears to be a corrupted file of some sort, and bears no
| resemblance to any .COM file I have ever seen.  If it is in fact a
| corrupted file, then the damage it could cause if run would be
| unpredictable at best.  My guess is that the file might not be an
| intentional dirty trick, but that the person who distributed it may have
| some cross-linked clusters on their hard drive.
|
| As I have said before to folks who contact Hack Central Station, I'm a
| reporter, not an AV expert:  my analysis is not as reliable as one coming
| from a real expert.  I have been offline for several days due to
| circumstances beyond my control, so I might have missed a report from
| Jack on this.  If not, I will forward a copy for testing.


  HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
  (615)966-3574) in the ILink VIRUS FILE conference about the archive
  ASCDEMO.  Marshall says that McAfee's ViruScan doesn't detect any
  infection until after you run it and it has infected other files.  No
  further information was supplied, other than the internal filenames
  (ASCDEMO.DOC and ASCDEMO.EXE).  I need further data on this before I can
  list it in the Trojan Wars section, so please advise if you have any.


  Emanuel Levy (1:266/63) says the file IM, reported by Michael Santos in
  the Intelec Net Chat conference and listed in the 1992 Full Archive
  edition of The Hack Report.  Michael's report was a "hearsay" report from
  one of his friends, and stated that the IM screen saver file caused a
  viral infection.

  Emanuel says the file is an "outer space screen saver," currently under
  the filename IM17.  Scott Wunsch (1:140/23.1701) says the program name is
  "Inner Mission," and he currently has version 1.6.  In both cases, the
  files were clean.

  So, it looks like either Michael's friend's system became infected from a
  different source than the IM file, or that an isolated incident of an
  infected IM is involved.  No way to tell at this writing.


  Long time readers of this report will remember a question concerning the
  status of a screen saver called TUNNEL.  Ove Lorentzon (2:203/403.6) and
  Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
  Steiner) both stated that the program was an internal IBM test program
  and was not intended for outside distribution.

  Your Hack Squad has received word from the author of the program, Dan
  Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
  the program has never been released to the general public.  According to
  Dan, "it is still owned by IBM, and as such has been given the IBM
  security classification 'IBM Internal Use Only' which means what it says:
  the program is not for distribution to non-IBM employees."

  Dan also says that several other "Internal Use Only" programs have been
  "leaked" to the outside world, which implies that these files should not
  be posted for download.  One such program was originally called Dazzle
  (NOT to be confused with the other popular DAZZLE screensaver), but has
  entered BBS distribution under the filename O-MY-GOD.  Another is a
  program that is usually included inside other archives:  the program name
  is PLAYANI.  Dan says this has been distributed "along with various
  animations," and also falls under the same Internal classification.

  A prime example of this is an archive called BALLS (not what you think).
  This is an animation of multiple chrome spheres rotating around each
  other above a red and white checkerboard platform.  In this case, both
  the player (PLAYANI) _and_ the animation are the property of IBM and are
  not intended for BBS distribution.

  Again, to quote Dan, "None of these programs are for external
  distribution; all are owned by IBM and are only for use inside IBM by IBM
  employees."  Thanks to Dan for all of his help.


  Donn Bly has cleared up the question on the status of the Sydex program
  TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
  Donn was kind enough to mail a copy of a letter sent to him by Sydex
  explaining that Teledisk is no longer shareware.  Here is an excerpt from
  the letter:

       "Effective April 1991, TeleDisk is no longer a shareware
       product.  After long consideration, we decided to
       discontinue our offering of the shareware edition of
       TeleDisk, and license it only as a commercial product.

       "Commercial licenses of TeleDisk are available from Sydex at
       $150 a copy.  All shareware distributors and BBS sysops who
       take time to check their sources are requested to remove
       TeleDisk from shareware distribution."

  The letter is signed by Miriam St. Clair for Sydex.  To summarize, Sydex
  is no longer accepting shareware registrations for TeleDisk, and asks
  that it be not be made available for download from BBS systems.

  Thanks to Donn for his help in this matter.


  HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
  Barnes of Mustang Software, Inc., about a "patch" program aimed at
  OffLine Xpress (OLX) v1.0.  The patch is supposed to allow OLX to
  read and reply to Blue Wave packets, along with a lot of other seemingly
  unbelievable feats.  Gwen Barnes did not seem to know of the patch, but
  published the following advice in the WildNet SLMROLX conference to
  anyone considering trying it:

    1. Make a complete backup of your system.
    2. Make sure you've got all the latest SCAN stuff from McAfee
    3. Try it, keeping in mind that it more than likely does nothing
       at all, or is a trojan that will hose your system.
    4. Get ready to re-format and restore from backups if this is in
       fact the case.

  No filename was given for this patch.  If anyone runs across a copy of
  it, please contact one of The HackWatchers or myself so that we can
  forward a copy to MSI for testing.


  HW Bill Lambdin reports that someone has taken all of McAfee Associates'
  antiviral programs and combined them into one gigantic (over 700k)
  archive.  He did not say whether the files had been tampered with, but he
  did send a copy to McAfee for them to dissect.  The file was posted under
  the filename MCAFEE99.  I would not suggest downloading this file:  as a
  matter of fact, this reporter prefers to call McAfee's BBS directly when
  a new version of any of their utilities comes out.  I highly recommend
  this method, since it insures that you will receive an official copy.


  HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:382/95).

  =========================================================================

                            Information, Please

  This the section of The Hack Report, where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send it in: operators are standing
  by.


| Eric Alexander (1:3613/10) reported a file called PRINCE that appears to
| be a cracked commercial game of some sort.  One internal file,
| "predit.doc", contained a reference to someone called "The Fang."  I am
| not familiar with this game, so if anyone comes across Fang's version of
| PRINCE, please let me know what they've found.


| Dave Lartique (1:3800/22) found a game described as "a shareware game
| from Great Britain" called CAVEMAN.  This was described on another BBS he
| saw it on (under the filename CAVE) as an Apogee game, but it is not an
| Apogee release.  The game is called Caveman Ninja, and Dave says one of
| the internal files contains the following (somewhat garbled) text:
|
|     "DISTRIBUTED BY ELITE SYSTEM LTD   (C) 1991 DATA EAST CORPORATION"
|
| If memory serves, Data East is a producer of commercial games.  However,
| I have no knowledge of this game.  Can someone verify this?  Please
| advise.


| A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13)
| states that he had a user upload a file called TAG-NFO, which turned out
| to be a Trojan.  No details about the Trojan were given, so any
| confirmation of this would be appreciated.


  Onno Tesink (2:283/318) has sighted a file called LHA255B.  This claims
  to be version 2.55b of the LHA archiver, with a file date in the
  executable of 12/08/92.  He compared the file to the latest known
  official release, v2.13, and found two additional program options which
  were mentioned when the program was invoked with no command line
  (generating a help screen).  The archive contained nothing but the
  executable file.  Viral scans were negative.

  Many, MANY other folks have seen this file, as well as one called LHA252.
  Your Hack Squad has copies of both files.  The LHA252 file contains
  Japanese documentation, so it is a bit of a tough nut to crack.

  I have not heard of any further development going on by the author of
  LHA, H. Yoshi, but that wouldn't be a first. <g>  He is supposedly
  contactable via the NIFTY-SERVE service of CompuServe.  However, this
  service requires some knowledge of Japanese, and my only foreign language
  training was a semester of Czech at the University of Texas.

  If anyone knows of a new version of LHA, or has CompuServe access and the
  ability to converse in Japanese (and would be willing to assist), please
  contact your nearest HackWatcher or me and lend a hand.  This is getting
  very frustrating. <grin>


  HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
  Conference about two files.  The archives, called PHOTON and NUKE, are
  possibly droppers, containing a file called NUKE.COM which "will trash
  your HD."

  Pat Finnerty (1:3627/107) sent a reply to the last report of this,
  stating that he has a copy of a PC Magazine utility called NUKE.COM,
  which is used to remove subdirectories which contain "nested subs,
  hidden, read-only (you name it)."  He says that the command NUKE C:\ will
  effectively delete everything on a hard drive, with no chance of repair.
  This is merely the way the program is designed.

  I do not know if this is what happened in Mario's case, or if Mario
  actually found a copy (read: isolated incident) which was infected. Bill
  has asked Mario for further information, and I would like to echo his
  call for help.  If you know of this, please lend a hand.


  Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
  echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
  Rich Bongiovanni.  Rich reports that there is a file floating around
  called DEMON WARS (archive name DMNWAR52) that is "infected with a
  virus."  If true, this may be an isolated incident.  I would appreciate
  confirmation on this.


  Greg Walters (1:270/612) reports a possible isolated incident of a
  problem with #1KEEN7.  When he ran the installation, he began seeing on
  his monitor "what looked like an X-rated GIF."  The file apparently
  scanned clean.  Any information on similar sightings would be
  appreciated.


  A report from Todd Clayton (1:259/210) concerns a program called
  ROBO.EXE, which he says claims to apparently "make RoboBoard run 300%
  faster."  He says he has heard that the program fools around with your
  File Allocation Table.  I have not heard any other reports of this, so I
  would appreciate some confirmation from someone else who has seen similar
  reports.


  Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
  possible hack of FEBBS called F192HACK.  I have not seen this file, nor
  has the author of FEBBS, Patrik Sjoberg (2:205/208).  He forwards the
  file sizes in the archive, reported here:

        Name          Length      Mod Date  Time     CRC
        ============  ========    ========= ======== ========
        FEBBS.EXE       220841    09 Mar 92 21:17:00 96D2E08D
        014734.TXT        1403    26 Aug 92 01:59:18 3B9F717F
        ============  ========    ========= ======== ========
        *total     2    222244    26 Aug 92 01:59:24

  Kelvin says the .TXT file is just an advert for a BBS, so it is "not
  relevant!".  As I said, the author of FEBBS has never seen this file, so
  I've asked Kelvin to forward a copy of it to him.


  Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
| Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley,
  the author of Maximus, says he did not write any programs that have these
  names, but he does not know whether they are or are not legitimate third
  party utilities.  I have requested further information from Andrew on
  this topic, and would appreciate anyone else's information, if they have
  any.


  Yet another short warning comes from David Bell (1:280/315), posted in
  the FidoNet SHAREWRE echo, about a file called PCPLSTD2.  All he says is
  that it is a Trojan, and that he got his information from another
  "billboard" and is merely passing it on.  Again, please help if you know
  what is going on here.


  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.


  Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
  Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
  whether or not Mr.  Mills had seen the file.  Mr.  Jung has repeated that
  the latest version of ARJ is v2.30 (however, there is a legitimate public
  "pre-release" version numbered 2.39d).  It is possible that the
  references Greg saw about 2.33 were typos, but you never know.  Please
  help your Hack Squad out on this one - if you see it, report it.

  =========================================================================

                           The Meier/Morlan List

  Here are this month's updates on the status of the files contained in the
  Meier/Morlan List.


| Matthew Revelle (1:2608/27) lent a hand on the file WINGIF14, which he
| found as WGIF14.  The documentation from this file includes the
| following:
|
|      "This is a beta release.  Please do not distribute
|       publicly but you can go ahead and give it to WinGIF
|       users that might need some of these new features.
|       The real release should be available soon!  Please
|       let me know about bugs as well as what you think of
|       the new features."
|
| What we seem to have here is a limited beta that has escaped into
| distribution.  However, from documentation excerpts sent to me by Michael
| Pfister (CompuServe address 100042,102), there has since been a full,
| non-beta release of WinGIF v1.4 that is being distributed under the same
| filename (WINGIF14).
|
| This is a confusing situation, to be sure.  However, it is simple to
| resolve:  just look at your documentation.  If your copy is a beta
| release, go find the new one.  Thanks to Matthew and Michael for their
| help - WINGIF14 is now off the list.


| Several reports came in on NAVM, all indicating that this was the version
| of Norton AntiVirus released in 1992 in response to the Michelangelo
| virus scare.  The reports, from Mark Murphy (1:132/119) and Jerry Murphy
| (1:157/2 (no relation, I think)), struck a note of recognition here at
| Hack Central Station:  thanks to both of you.  NAVM comes off the list as
| well.


  Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
  Simulator by Mindscape, Inc.  He says that he hasn't seen anything from
  them in quite a while, and doesn't know if the company is still in
  business.


  Here are the remaining unresolved reports from Emanuel Levy (1:266/63):

  "387DX  - sounds like a Math Co-Processor emulator - might be legit

  "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
  down the screen to patrons and then have to pick up the returning mugs
  and they leave tips, then it is Tapper. Or it may be an OLD game
  published in Compute Mag. If it is the one from Compute only those who
  have the Compute issue with the game in it are allowed to have a copy.

  "Harrier is either Harrier Jiump Jet or Space Harrier from Sega wich came
  out for the Commodore 64 in 89 so I would assume it came out for IBM
  around then too.

  "Gremlins- There was an Gremlins Text Adventure and a Video Came for the
  computer. The video game was put out by Atari

  Thanks, Emanuel.


  For those who have missed it before, here is what is left of the list of
  files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
  of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system.  Joe
  says Wes keeps a bulletin of all rejected files uploaded to him and the
  reasons they were rejected.  Joe also says he cannot confirm or deny the
  status of any of the files on the list.

  There are some that I am not familiar with or cannot confirm.  These are
  listed below, along with the description from Wes Meier's list.

| Due to the unconfirmed nature of the files below, the filenames are not
| included in the HACK????.COL and HACK????.IDX files that are a part of
| the archive of The Hack Report.  I would appreciate any help that
| anyone can offer in verifying the status of these files.  Until I receive
| verification on them, I will not count them as either hacks or pirated
| files.  Remember - innocent until proven guilty.

  My thanks go to Joe and Wes for their help.

        Filename  Reason for Rejection
        ========  =============================================
        BARKEEP   Too old, no docs and copyrighted with no copy
                  permission.
        HARRIER   Copyrighted.  No permission to copy granted.
        SLORGAME  Copyrighted.  No docs.  No permission to copy
                  granted.
        NOVELL    Copyrighted material with no permission to
                  BBS distribute
        DRUMS     I have no idea if these are legit or not.  No
                  docs.
        GREMLINS  No documantation or permission to copy given.
        CLOUDKM   A hacked commercial program.
        MENACE    Copyrighted.  No docs.  No permission to copy
                  granted.
        AIRBALL   A hacked commercial program.
        SNOOPY    Copyrighted.  No docs.  No permission to
                  copy granted.
        SLORDAX   Copyrighted.  No docs.  No permission to
                  copy granted.
        ESCAPE    Copyrighted.  No docs.  No permission to
                  copy granted.
        BANNER    Copyrighted.  No docs.  No permission to
                  copy granted.
        387DX     Copyrighted.  No docs or permission to
                  copy granted.
        WINDRV    Copyrighted.  No permission to copy granted.

  =========================================================================

                         Clarifications and Thanks

| I have received a message from Amit K. Mathur (Internet address
| mathur@SERVER.uwindsor.ca), the author of the KILL program reported by
| Mark Stansfield (1:115/404).  If you will remember, Mark claimed that
| this will delete the user's hard drive when run.
|
| According to Amit, this is possible if the program was accidentally told
| to delete the hard drive, since the program is a recursive directory
| deletion tool (with "tons of options" and plenty of progress/warning
| messages, according to Amit).  If you run it from your root directory
| with the proper commands, you could very well wind up with a clean hard
| drive.
|
| So, this reporter's advice is to go ahead and use without fear, but use
| with care.  Thanks for the help, Amit!


| Finally, and coming from an angle I never expected, Rick Moen (CompuServe
| address 76711,243) points out quite rightly that your Hack Squad has been
| a bit biased toward the American version of the English language.
| Specifically, he said that my "Maximus BBS Optimiser (sic)" comment was
| not correct, especially since the report came from Australia.  Seems that
| the folks from Oz and most of the rest of the world tend to use an S
| instead of a Z to spell the word OPTIMIZER.
|
| For those who aren't familiar with it, "sic" is used at times by a writer
| to point out that the spelling of the previous word might be incorrect,
| but it's a direct copy of the original author's spelling.  So, thanks to
| Rick's sharp eyes, I have removed the "(sic)" comment from that portion
| of the report.  (FYI, Rick, I _do_ use the correct spelling for words
| like "catalogue" and "theatre". <grin>)

  =========================================================================

                                  Help!!!

  Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
  The Hack Squad for testing/verification please re-identify themselves via
  NetMail?  Somehow, your message went to the great Bit Bucket in the sky.
  Thanks in advance!

  *************************************************************************

                                Conclusion

  If you see one of these on a board near you, it would be a very friendly
  gesture to let the SysOp know.  Remember, they can get in just as much
  trouble as the fiend who uploads pirated files, so help them out if you
  can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed within from
  their boards.  I can not and will not take any "enforcement action" on
  this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  On the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Co-Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

                   Lee Jackson, Author, The Hack Report
       Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)
                Moderator, FidoNet Echo WARNINGS (1:382/95)