💾 Archived View for spam.works › mirrors › textfiles › hacking › hack9303.rpt captured on 2023-06-14 at 16:50:07.
-=-=-=-=-=-=-
=========================================================================
||
From the files of The Hack Squad: || by Lee Jackson, Co-Moderator,
|| FidoNet International Echo SHAREWRE
The Hack Report || Volume 2, Number 3
for March, 1993 || Report Date: March 7, 1993
||
=========================================================================
Welcome to the third 1993 issue of The Hack Report. This is a series of
reports that aim to help all users of files found on BBSs avoid
fraudulent programs, and is presented as a free public service by the
FidoNet International Shareware Echo and the author of the report, Lee
Jackson (FidoNet 1:382/95).
This month, another commercial software company contacts your Hack Squad,
and several new Trojans rear their ugly heads. Also, this issue
introduces some minor formatting changes and an addition to the archive
version: an internal archive with the full text of file tests performed
this year. Thanks to everyone who has helped put this report together,
and to those that have sent in comments and suggestions.
NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
your BBS, subject to these conditions:
1) the latest version is used,
2) it is posted in its entirety, and
3) it is not altered in any way.
NOTE TO OTHER READERS: The Hack Report (file version) may be freely
uploaded to any BBS, subject to the above conditions, and only if you do
not change the filename. You may convert the archive type as you wish,
but please leave the filename in its original HACK????.* format. The
Hack Report may also be cross-posted in other networks (with the
permission of the other network) as long as it meets the above conditions
and you give appropriate credit to the FidoNet International Shareware
Echo (and the author <g>).
The idea is to make this information available freely. However, please
don't cut out the disclaimers and other information if you use it, or
confuse the issue by spreading the file under different names. Thanks!
DISCLAIMER: The listings of Official Versions are not a guarantee of the
files' safety or fitness for use. Someone out there might just be
sick-minded enough to upload a Trojan with an "official" file name, so
>scan everything you download<!!! The author of this report will not be
responsible for any damage to any system caused by the programs listed as
Official Versions, or by anything using the name of an Official Version.
*************************************************************************
Hacked Programs
Here are the latest versions of some programs known to have hacked copies
floating around. Archive names are listed when known, along with the
person who reported the fraud (thanks from us all!).
Program Hack(s) Latest Official Version
======= ======= =======================
| ARJ Archiver ARJ250 ARJ239C (* - see note)
| Reported By: Tommy Vielkanowitz(1:151/2305)
| ARJ240A
| Reported By: Ryan Shaw (1:152/38)
| Blue Wave Offline BWAVE_3 BWAVE212
| Mail Reader
| Reported By: HW Scott Raymond
BNU FOSSIL Driver BNU202 BNU170
Reported By: Amauty Lambrecht (2:291/712) (not counting betas)
BNU188B
Reported By: David Nugent (3:632/348),
Author of BNU
| F-Prot Virus Scanner FP-205B FP-207
Reported By: Bill Lambdin (1:343/45)
LhA Amiga Archiver LHA148E LHA138E (Shareware)
Reported By: Michael Arends (1:343/54) LHA v1.50r (Regist.)
LHA151
Reported By: Lawrence Chen (1:134/3002)
| MusicPlay MPLAY31 MPLAY25B
| Reported By: Lee Madajczyk (1:280/5)
PKLite PKLTE201 PKL115
Reported By: Wen-Chung Wu (1:102/342)
| PKZip PKZ301 PKZ204G
Reported By: Mark Dudley (1:3612/601)
Jon Grimes (1:104/332)
| Shez SHEZ72A SHEZ87
SHEZ73
Reported By: Bill Lambdin (1:343/45)
Telix Telix v3.20 TLX320-1
(Prior to Dec. 1992) TLX320-2
Telix v3.25 TLX320-3
Reported By: Brian C. Blad (1:114/107) TLX320-4
Peter Kirn (WildNet, via
Ken Whiton)
Telix v4.00
Telix v4.15
Reported By: Barry Bryan (1:370/70)
Telix v4.25
Reported By: Daniel Zuck (2:247/30, via Chris
Lueders (2:241/5306.1)
MegaTelix
Verified By Jeff Woods, deltaComm, Inc.
Please Note - the 3.20 release dated either December 10th
or December 14th, 1992, is legitimate: any earlier file
calling itself v3.20 and carrying an Exis, Inc. trademark
is not legitimate. Please thoroughly check your version
prior to sending questions to this reporter! <g>
Telix Pro
Reported By: Jason Engebretson (1:114/36),
in the FidoNet TELIX echo
Wolfenstein-3D WOLF2-1 #1WOLF14
WOLF2-2
Reported By: Wen-Chung Wu (1:102/342)
| * - Quick break with tradition: by the time you read this,
| ARJ239D may have been released. Robert Jung has announced
| that this is a bug fix to the current pre-release, ARJ239C.
=========================================================================
Hoax Alert:
| This isn't a program hoax, but it concerns a company that most folks know
| of. You might want to see this.
|
| A letter/text file/message has entered distribution, claiming that PKWare
| Inc. has filed for Chapter 11 bankruptcy. The letter is dated Friday,
| February 26, 1993, and supposedly quotes Mark Gresbach of PKWare in the
| statement.
|
| However, in a message posted in the CompuServe PKWARE forum on March 1,
| 1993, PKWare employee Douglas Hay states that this is not true. Douglas
| also points out that the perpetrator of the hoax misspelled the word
| Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in
| the message for PKWare is wrong. In short, ignore the letter - PKWare
| has _not_ filed bankruptcy.
Other previously reported hoaxes:
Filename Claimed use/Actual activity/Reporter(s)
============ ==========================================================
PKZ305 Hacked "new version" of PKZip. However, a message in wide
circulation claimed this was infected with a virus called
PROTO-T. This message is the actual hoax: there may be
one or more PROTO-T viruses around now, but none do what
was claimed in the hoax message. This hack, PKZ305, was
not infected with any virus, nor did it contain Trojan
code, per testing by Bill Logan (1:300/22), Jeff White
(1:300/23), and Bill Lambdin (1:343/45).
RAOPT "Optimizes" your RemoteAccess BBS files and claims to be
from Continental Software. Actually does nothing but read
your USERS.BBS file and report the number of users. The
program is _not_ from Continental Software, according to
Andrew Milner. Reported by Kai Sundren (2:201/150), via
HW Mikael Winterkvist.
SCORCHV2 Claims to be v2.0 of the game Scorched Earth: this version
doesn't yet exist. Actually a renamed archive of version
1.2. Reported by Brian Dhatt (1:3648/2.5).
=========================================================================
The Trojan Wars
Trojan writers seem to be getting a bit trickier with their code lately -
two of this month's reports involve "multipartite Trojans," or Trojans
whose code is split among two or more files and reassembled by a "clean"
program. In honor of this, I recommend that you grab a Banana Split,
cover your keyboard, and read on.
| Last month's issue included a report on a "fix" for PKZip v2.04c (yes, I
| mean 2.04c this time) that corrected the -$ (store disk volume) bug. The
| bulk of the report came from Jeff White of The Pueblo Group in Tuscon,
| Arizona, and had reference to some suspicious code in the file.
|
| The biggest question brought up by the test concerned the following code:
|
| Address: 0000d0e0-0000d110
| Code: x:/ x: *.* / Erasing contents of drive, completed.
|
| I have received a message from a user whose name I no longer have on file
| (please forgive me - NetMail me and I'll add your name to the report!)
| which states that this same text string can be seen within legitimate
| versions of PKZip (both v2.04e and the latest, v2.04g). It can't be seen
| by using a file/hex viewer, but it can be seen if the code is debugged,
| and only after the program has un-PKLited itself.
|
| *** EDITOR'S NOTE - I need to state that this is not something that I
| encourage, since many shareware licenses state that debugging,
| disassembly, and/or reverse engineering is not allowed. However,
| hopefully the folks at PKWare won't mind this bit of software sleuthing,
| since it is in their best interest to get to the heart of this matter.
|
| If you want to see the full text of the test results on this, see the
| file PKZIPFIX.RES in the archive FILETSTS.LZH, included in the archive
| version of The Hack Report.
|
| As always, our thanks go out to Bill and Jeff for their invaluable help.
William Gordon (1:369/104) reports BEV105, a file that claims to be a
"Beverly Hills 90210 Adventure Game." This file contains 8 files, but
two seem to be the real culprits: DORINFO.DIR and INSTALL.COM. The
installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
This program asks for some sort of wildcard according to William, then
proceeds to delete everything on your drive that matches that wildcard.
However, it doesn't stop there: it continues on and deletes all .bat,
.fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files. William also
says the file "comes with the following virii: Bootkill and Genesis."
| A copy of this file was sent to Mr. White and Mr. Logan, who were able to
| confirm the behaviour that William reported. For the complete results of
| their test, see the file BEV105.RES in the FILETSTS.LZH archive, included
| in the archive version of The Hack Report.
| Bill Lambdin (1:343/45) forwards a message from Terry Goodman in the U'NI
| Net virus conference concerning the file SCOMP. This was advertised as a
| compression utility with better compression than PKZip. The file passes
| all virus checkers unless you also check data files in addition to
| executables. In short, the executable loads a file called SCOMP.DAT,
| which it uses to create a file called CASPER.COM, which is apparently the
| Casper virus.
| Another report from Bill concerns a file he located called TAXTIP93.
| This archive contains a file called TAXTIP93.DAT, which the executable
| file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and
| WINDOWS directory. The new MOUSE.COM is infected with the ADA virus.
| Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which
| was described with a very short line ("'Password,' or some other short
| word," according to Brian). The archive contained these files:
|
| PASS .PA1
| PASS .PA2
| PASS .PA3
| PASSWORD.COM
|
| Brian looked inside the .com file, which he says looks like a compiled
| batch file, and found these strings/commands:
|
| Please Wait While Loading;
| It may take in between 30seconds to 5 minutes
| To unshrink nessessary files
| Please Turn off Screen, and wait for the beep.
| If You do not, your screen might not function
| the way it should.
| Turn Off Screen now, and press the space bar.
|
| /C REN pass.pa1 pa.exe
| pass.pa2 /C DEL c:\*.*
| pass.pa2 /C DEL c:\dos\*.*
| /C REN pa.exe pass.pa1
| pass.pa3 FORMAT
| c:
| /C CLS
|
| As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed
| with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program. PASS.PA2
| contains the single letter 'Y', and PASS.PA3 contains the single word
| 'Yes'. From the looks of things, this turns out to be a multipartite
| Trojan that attempts to format (what else?) your hard drive.
| Another multipartite Trojan was spotted by James Frazee (1:343/58), under
| the filename ADD_IT. It contains these files:
|
| Name of File Size Date
| ADD_IT.ARJ 40888 02-11-93
| =======================================
| ADDIT1 DAT 34283 07-20-91 2:13a
| ADD_IT ANS 646 02-11-93 8:31p
| ADDIT2 DAT 20634 04-09-91 5:00a
| ADDIT DOC 177 02-11-93 7:28p
| ADDIT COM 1391 02-11-93 8:14p
| ADDIT3 DAT 138 02-11-93 8:13p
| THEDRAW PCK 650 02-11-93 8:31p
|
| When run, ADDIT.COM merges the three .DAT files into an .EXE file. The
| end result was that the program deleted all of the files in the directory
| in which it was run.
| Matt Hargett (1:2430/1532) found a file called DRSLEEP which he says has
| a "cheap virii (sic) in it," but actually appears to be a Trojan. When
| the executable, DRSLEEP.EXE is run, it deletes your COMMAND.COM file.
| Not much to write home about, but nasty enough. Thanks, Matt.
| Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his
| system was "taken down" by a file called DRAGON. It claimed to be a
| Public Domain VGA and Sound Blaster supported game. No symptoms were
| reported, except that he had to reformat his hard drive.
| Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis
| Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2.
| In what might be an isolated incident, Josh says the file claimed to be a
| "really cool game, VGA gfx and SB sound." However, the INSTALL program
| destroys hard disks.
|
| Bob Seaborn received a copy of this file and forwarded it to me - as soon
| as possible, I will try to get it tested to see just exactly what it
| does.
| John Balkunas (1:107/639) forwards information on GIFCHECK. He reports
| that Lance Merlen (1:107/614) received an upload of this file, which,
| when checked with McAfee's ViruScan v100, reported over 5 viruses in the
| files in the archive. No internal archive data was provided, so it is
| hard to say whether or not this is an isolated incident.
Zack Jones (1:387/641) reports a file called GAGS which was seen in the
San Antonio area. The file, described as "Some Christmas practical
jokes," was analyzed by Bill Dirks (1:385/17) and confirmed as a Trojan.
The program grabs control of several interrupt vectors, including the
critical error handler. The only way to stop it once it starts is to hit
the reset button or power down.
When invoked, it displays a countdown from 8 to 0, which corresponds to
drives H through A, in that order. For each found drive, it overwrites
the first 255 sectors with random data from a block of memory. To add
insult to injury, if drives B and A are empty, you are prompted to insert
disks (so that they can be trashed as well).
After this, the Trojan displays the message, including something like,
"the disk was trashed but it's only a joke and they are only kidding."
It then prompts you to reboot, which is rather hard to do unless you have
a bootable "panic disk" floppy on hand - you certainly won't be able to
boot from your HD.
Bill says that if your HD is smaller than 60 megs, you're better off
trying to recover your disk from scratch. Between 60-120 megs, you have
a better chance of recovery via disk utilities: over 120 megs, you
should be able to accomplish a complete recovery if you're careful and
you know what you're doing.
Bill posted the following scan string that can be used to detect this
Trojan - if your scanner can use external strings, be sure to read the
instructions carefully before trying to add this:
9A46027205B003B9FF00BA0000CD26
If your scanner requires a name for the string, Bill suggests using
"AlamoXmasTrojan."
This Trojan report comes from an article in MacWeek magazine, Volume 7,
Number 2, issued January 11, 1993. The article, posted in the FidoNet
VIRUS_INFO echo by Robert Cummings, states that a program called CPro
1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
shareware compression utility), will reformat any floppy in drive 1 and
tries to reformat the user's start-up hard drive when launched.
The file can be identified by a 312K sound resource file called "log
jingle," which is digitized sound from the Ren and Stimpy cartoons.
Mike Wenthold (1:271/47) found a program under the filename GS2000 which
contained the VCL 3 [Con] Virus. I am attempting to get further details
on what this file is, but until then, here is the archive data that Mike
sent:
Length Method Size CF Date Time CRC Filename
======== ======== ======== ==== ========= ====== ======== ============
1984 1304 34% 22-Dec-91 01:40p 3527B16B GS2000.COM
543 363 33% 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
======== ======== ======== ==== ========= ====== ======== ============
2527 1667 34% 2 files.
The compression method (on this ZIP archive) was not included in his
data.
Frans Hagelaars (2:512/2) has posted a message in several echos
concerning a Trojan version of the Blue Wave Offline Mail Reader that had
been circulating in his area. According to the warning, the "hacked"
version attacks your hard drive boot sector and partition table, and will
then "play tricks" with RemoteAccess userlists and phone numbers.
The filename of this version was not given in the report, nor was it made
clear whether the BBS door or the Reader was involved. If you have any
questions about the security of your copy, remember that you can always
obtain a safe copy from the BBS of the author, George Hatchew, at FidoNet
address 1:2240/176, phone number 1-313-743-8464, or from any of the
official distribution sites (which I believe are listed in the
documentation for the program).
Filename Claimed use/Actual activity/Reporter(s)
======== ==============================================================
AANSI100 Claims to add Auto-ANSI detect to Telegard BBSs - contains
something called the "Malhavoc Trojan," which displays a verse
from a Toronto band and attacks files/sectors on drives C:
through F:. Reported by HW Todd Clayton and by George Goode
(1:229/15).
ANSISCR VGA BBS ad - contains a self-extracting archive of the Yankee
Doodle and AntiChrist viruses. Can trash hard drives as well
through Trojan behaviour. Reported by Bill Dirks (1:385/17),
and under the filename RUNME by Stephen Furness (1:163/273).
AVENGER Advertised as an "amazing game that supports all kind of sound
cards...." Contains 2 internal password-protected .ZIP format
files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by
the program to the files RUNTIME1.COM (N1 virus) and
RUNTIME2.COM (Anthrax virus). From Reinhardt Mueller, via
Bill Lambdin (1:343/45).
BATMAN No claim reported - searches your DOS path and tries to "delete
the executable file that loads WildCat BBSs." Reported by
James Powell (Intelec PC-Security Conference), via Bill Lambdin
(1:343/45).
CHROME Possible isolated incident - contains a file, FGDS.COM, which
contains text that says "Skism Rythem Stack Virus-808."
Reported by Richard Meyers and forwarded by Larry Dingethal
(1:273/231).
DBSOUND Possible isolated incident - claimed update of the Drum
Blaster .MOD file player. Deletes all files in the current
directory and all of its subdirectories. From "Khamsin #1
@9168*1", forwarded by HW Ken Whiton and HW Bill Dennison,
from Ken Green of the CentraLink BBS.
GRAFIX Possible isolated incident - contains the file WAIT.COM, which
is a renamed copy of DELDIR.COM, a directory remover and file
deletion tool. Reported by Andreas Reinicke (2:284/402).
LOGIM613 Possible isolated incident - one internal file, MOUSE.COM,
reports as being infected with the VCL virus when checked with
McAfee's ViruScan v95. Reported by Mike Wenthold (1:271/47).
MUVBACK Claimed keyboard utility - actual ANSI bomb that remaps the D
key of your keyboard to invoke DEBUG and create a couple of
Trojans from script files. Reported by Bill Dirks.
OPTIBBS Aimed at RemoteAccess BBS systems - archives your USERS.BBS
list and places it in your download directory. Reported by
HW Nemrod Kedem.
QOUTES Not a misspelling - claimed Christmas quotation generator.
Overwrites the first 128 cylinders of your first HD, requiring
a low level format to overcome the damage (IDE drives may need
to go back to the factory). Reported by Gary Marden
(2:258/27).
QSCAN20 Claimed small virus scanner - when run, identifies itself as
"being a stealth bomber" and attacks your hard drive's FAT.
Reported by Art Mason (1:229/15).
RA111TO2 Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
the OPTIBBS file reported above. Reported by Peter Janssens
(2:512/1).
RAFIX "Fixes little bugs" in RemoteAccess - program contains the
string "COMMAND /C FORMAT C:" internally. Reported by Sylvain
Simard (1:242/158).
RAMANAGE Claimed USERS.BBS manager for RemoteAccess - yet another
file that makes an archive of this file (MIX1.ARJ or WISE.ARJ)
and places it in a download directory. Reported by Peter
Janssens.
NOTE - Peter Hoek (2:281/506.15) reports a program that does
the same thing, but uses the archive name RUNNING.ARJ to
hold the USERS.BBS file. No name of the Trojan was supplied.
REAPER ANSI bomb - remaps the keyboard to force file deletion and
hard disk formatting - also generates insults. Reported by
Victor Padron (1:3609/14), via Rich Veraa (1:135/907).
REDFOX Batch file which deletes all DOS and system files. Reported
by Mike Wenthold.
ROLEX Possible isolated incident of an infection by the Keypress
[Key] virus. Reported by David Gibbs, via Michael Toth
(1:115/220).
SBBSFIX Tries to format drive C: - contains two files, SBBSFIX.EXE and
COM_P.OVL. Reported by Clayton Mattatall (1:247/400).
SPEED Claims to "check your PC speed" - actually deletes all files
on drive C:, including directories. Reported by HW Nemrod
Kedem.
XYPHR2 No claim - contains the Power Pump companion virus (documented
in the 1992 Full Archive of this report). Reported by Mark
Histed (1:268/332).
YPCBR101 A copy of this file, uploaded to Simtel-20 and the oak mirror
on archie.au, contained an infection of the Dark Avenger
virus in the file YAPCBR.EXE. Was supposed to be re-released
as a clean archive. Reported by John Miezitis (Internet,
John.Miezitis@cc.utas.edu.au).
=========================================================================
Pirated Commercial Software
Program Archive Name(s) Reported By
======= =============== ===========
3-D Pool 3DPOOL Michael Gibbs (via Bill
Lambdin)
| Alone in the Dark ALONEDEM Mark Mistretta (1:102/1314)
| (full game-not a demo)
Atomix (game) ATOMIX_ HW Matt Kracht
| A-Train by Maxis ATRAIN1 through Chris Blackwell of Maxis
| ATRAIN6, also (zoinks@netcom.com)
| A-TRAIN1 through
| A-TRAIN6
Battle Chess CHESS Ron Mahan (1:123/61)
Check-It PC CHECKIT HW Bert Bredewoud
Diagnostic Software CHKIT20 Bill Lambdin
Commander Keen _1KEEN5 Scott Wunsch (1:140/23.1701)
(part 5)
| Copy II PC COPYPC70 Ryan Park (1:283/420)
Darkside (game) DARKSIDE Ralph Busch (1:153/9)
| DiskDupe Pro v4.03 DD403PRO Jan Koopmans (2:512/163)
Energizer Bunny Screen ENERGIZR Kurt Jacobson, PC Dynamics,
Saver for Windows Inc., via HW Bill Dennison
| Family Feud (game) FAM-FEUD Harold Stein (1:107/236)
F-Prot Professional FP206SF Mikko Hypponen
(mikko.hypponen@compart.fi)
| Golden Axe (game) GOLDAXE Harold Stein
| Ian Bothams Cricket IBCTDT Vince Sorensen (1:140/121)
Killing Cloud (game) CLOUD Mike Wenthold
| Life & Death (game) L&D1 Harold Stein
| L&D2
MegaMan (game) MEGAMAN Emanuel Levy (1:266/63)
| Oh No, More Lemmings ONMLEMM Larry Dingethal (1:273/231)
| (complete-not demo)
Over the Net OTNINC1 Tim Sitzler (1:206/2708)
(volleyball game)
PKZip v2.04c PK204REG HW Scott Raymond
(Registered)
PKZip v2.04c PKZCFG Mark Mistretta (1:102/1314)
Configuration Editor
PKZip v2.04e PK204ERG HW Scott Raymond
(Registered)
| PKZip v2.04g PKZ204R HW Bill Dennison
| (Registered)
PrintShop PSHOP Michael Gibbs, Intelec, via
Bill Lambdin
Psion Chess 3D-CHESS Matt Farrenkopf (1:105/376)
QModem v6.0 QM60IST1 Francois Thunus (2:270/25)
QM60IST2
QModem Pro QMPRO-1 Mark Mistretta
QMPRO-2
Rack 'Em (game) RACKEM Ruth Lee (1:106/5352)
| Sequencer Plus Pro SPPRO Tom Dunavold (Intelec,
| via Larry Dingethal)
Shadow Warriors (game) SHADOWG Mark Mistretta
Sharky's 3D Pool POOL Jason Robertson (1:250/801)
| Shez (Registered) SHEZ84R Eric Vanebrick (2:291/712)
SHEZ85R HW Scott Raymond
| SideKick 2.0 SK3 Harold Stein
SimCity (by Maxis) SIMCTYSW Scott Wunsch
| Star Control Vol. 4 STARCON Carson M. Hanrahan
| (CompuServe 71554,2652)
Streets on a Disk STREETS Harvey Woien (1:102/752)
Teledisk (files TDISK214 Mark Mistretta
dated after Apr. 1991)
Vegas Casino 2 (game) VEGAS2 The Hack Squad
WinWay Resume for WINRES Erez Carmel (CompuServe,
Windows 70523,2574)
| World Class Rugby WCRFNTDT Vince Sorensen
=========================================================================
?????Questionable Programs?????
First, a quick note - this section, along with the Information, Please
section, are the only ones that have any information carried over from
the 1992 report. This is because many of the listings in these sections
were not completely resolved when the last 1992 issue was published. As
usual, if anyone has any additional information on anything listed in
these sections, _please_ help!
| HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
| (615)966-3574) in the ILink VIRUS FILE conference about the archive
| ASCDEMO. Marshall says that McAfee's ViruScan doesn't detect any
| infection until after you run it and it has infected other files. No
| further information was supplied, other than the internal filenames
| (ASCDEMO.DOC and ASCDEMO.EXE). I need further data on this before I can
| list it in the Trojan Wars section, so please advise if you have any.
| Emanuel Levy (1:266/63) says the file IM, reported by Michael Santos in
| the Intelec Net Chat conference and listed in the 1992 Full Archive
| edition of The Hack Report. Michael's report was a "hearsay" report from
| one of his friends, and stated that the IM screen saver file caused a
| viral infection.
|
| Emanuel says the file is an "outer space screen saver," currently under
| the filename IM17. Scott Wunsch (1:140/23.1701) says the program name is
| "Inner Mission," and he currently has version 1.6. In both cases, the
| files were clean.
|
| So, it looks like either Michael's friend's system became infected from a
| different source than the IM file, or that an isolated incident of an
| infected IM is involved. No way to tell at this writing.
Long time readers of this report will remember a question concerning the
status of a screen saver called TUNNEL. Ove Lorentzon (2:203/403.6) and
Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
Steiner) both stated that the program was an internal IBM test program
and was not intended for outside distribution.
Your Hack Squad has received word from the author of the program, Dan
Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
the program has never been released to the general public. According to
Dan, "it is still owned by IBM, and as such has been given the IBM
security classification 'IBM Internal Use Only' which means what it says:
the program is not for distribution to non-IBM employees."
Dan also says that several other "Internal Use Only" programs have been
"leaked" to the outside world, which implies that these files should not
be posted for download. One such program was originally called Dazzle
(NOT to be confused with the other popular DAZZLE screensaver), but has
entered BBS distribution under the filename O-MY-GOD. Another is a
program that is usually included inside other archives: the program name
is PLAYANI. Dan says this has been distributed "along with various
animations," and also falls under the same Internal classification.
A prime example of this is an archive called BALLS (not what you think).
This is an animation of multiple chrome spheres rotating around each
other above a red and white checkerboard platform. In this case, both
the player (PLAYANI) _and_ the animation are the property of IBM and are
not intended for BBS distribution.
Again, to quote Dan, "None of these programs are for external
distribution; all are owned by IBM and are only for use inside IBM by IBM
employees." Thanks to Dan for all of his help.
Donn Bly has cleared up the question on the status of the Sydex program
TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
Donn was kind enough to mail a copy of a letter sent to him by Sydex
explaining that Teledisk is no longer shareware. Here is an excerpt from
the letter:
"Effective April 1991, TeleDisk is no longer a shareware
product. After long consideration, we decided to
discontinue our offering of the shareware edition of
TeleDisk, and license it only as a commercial product.
"Commercial licenses of TeleDisk are available from Sydex at
$150 a copy. All shareware distributors and BBS sysops who
take time to check their sources are requested to remove
TeleDisk from shareware distribution."
The letter is signed by Miriam St. Clair for Sydex. To summarize, Sydex
is no longer accepting shareware registrations for TeleDisk, and asks
that it be not be made available for download from BBS systems.
Thanks to Donn for his help in this matter.
HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
Barnes of Mustang Software, Inc., about a "patch" program aimed at
OffLine Xpress (OLX) v1.0. The patch is supposed to allow OLX to
read and reply to Blue Wave packets, along with a lot of other seemingly
unbelievable feats. Gwen Barnes did not seem to know of the patch, but
published the following advice in the WildNet SLMROLX conference to
anyone considering trying it:
1. Make a complete backup of your system.
2. Make sure you've got all the latest SCAN stuff from McAfee
3. Try it, keeping in mind that it more than likely does nothing
at all, or is a trojan that will hose your system.
4. Get ready to re-format and restore from backups if this is in
fact the case.
No filename was given for this patch. If anyone runs across a copy of
it, please contact one of The HackWatchers or myself so that we can
forward a copy to MSI for testing.
Bill Lambdin (1:343/45) reports that someone has taken all of McAfee
Associates' antiviral programs and combined them into one gigantic (over
700k) archive. He did not say whether the files had been tampered with,
but he did send a copy to McAfee for them to dissect. The file was
posted under the filename MCAFEE99. I would not suggest downloading this
file: as a matter of fact, this reporter prefers to call McAfee's BBS
directly when a new version of any of their utilities comes out. I
highly recommend this method, since it insures that you will receive an
official copy.
HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
echo about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu
also says that there is a warning about these in circulation. If you
have a copy of this warning, please send a copy to Hack Central Station
(1:382/95).
=========================================================================
Information, Please
This the section of The Hack Report, where your Hack Squad asks for
_your_ help. Several reports come in every week, and there aren't enough
hours in the day (or fingers for the keyboards) to verify them all. Only
with help from all of you can The Hack Report stay on top of all of the
weirdness going on out there in BBSLand. So, if you have any leads on
any of the files shown below, please send it in: operators are standing
by.
| Onno Tesink (2:283/318) has sighted a file called LHA255B. This claims
| to be version 2.55b of the LHA archiver, with a file date in the
| executable of 12/08/92. He compared the file to the latest known
| official release, v2.13, and found two additional program options which
| were mentioned when the program was invoked with no command line
| (generating a help screen). The archive contained nothing but the
| executable file. Viral scans were negative.
|
| Many, MANY other folks have seen this file, as well as one called LHA252.
| Your Hack Squad has copies of both files. The LHA252 file contains
| Japanese documentation, so it is a bit of a tough nut to crack.
|
| I have not heard of any further development going on by the author of
| LHA, H. Yoshi, but that wouldn't be a first. <g> He is supposedly
| contactable via the NIFTY-SERVE service of CompuServe. However, this
| service requires some knowledge of Japanese, and my only foreign language
| training was a semester of Czech at the University of Texas.
|
| If anyone knows of a new version of LHA, or has CompuServe access and the
| ability to converse in Japanese (and would be willing to assist), please
| contact your nearest HackWatcher or me and lend a hand. This is getting
| very frustrating. <grin>
Travis Griggs (1:3807/4.25) forwarded a report from a local board called
The Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen.
The message referred to a file called BOUNCE, which she said was infected
with the Russian Mirror virus. The file, according to Travis, claimed to
be a game. I would appreciate further confirmation of this sighting.
| An update on a warning from Mark Stansfield (1:115/404), concerning
| the files KILL and PROTECT. He claims that these delete the user's hard
| drive when run. Dan Onstott (1:100/470) reported in the FidoNet SHAREWRE
| echo that he has a small utility called PROTECT.COM (205 bytes, dated
| 12-10-86), which is a write-protect utility for your hard drive. He says
| he has never had a problem with it.
|
| Jerry Han (jhan@debra.dgbt.doc.ca) has a copy of a program called KILL.
| This file is a utility that removes entire branches of a directory tree,
| and is safe when used correctly. The program was written by two of his
| friends and distributed as shareware: current version is 1.5.
|
| So, Mark's report may be an isolated incident. If anyone else sees the
| files Mark mentioned, please advise.
Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
Conference about two files. The archives, called PHOTON and NUKE, are
possibly droppers, containing a file called NUKE.COM which "will trash
your HD."
Pat Finnerty (1:3627/107) sent a reply to the last report of this,
stating that he has a copy of a PC Magazine utility called NUKE.COM,
which is used to remove subdirectories which contain "nested subs,
hidden, read-only (you name it)." He says that the command NUKE C:\ will
effectively delete everything on a hard drive, with no chance of repair.
This is merely the way the program is designed.
I do not know if this is what happened in Mario's case, or if Mario
actually found a copy (read: isolated incident) which was infected. Bill
has asked Mario for further information, and I would like to echo his
call for help. If you know of this, please lend a hand.
Another one forwarded by Bill comes from Michael Santos in the Intelec
Net Chat conference, concerning a screen saver named IM. This is only a
"hearsay" report from one of Michael's friends, who says he downloaded it
and wound up with a virus. There is no way to tell if the infection came
from the file itself or if it was already present on his friend's system.
Once again, if anyone can clear this up, please do so.
Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
Rich Bongiovanni. Rich reports that there is a file floating around
called DEMON WARS (archive name DMNWAR52) that is "infected with a
virus." If true, this may be an isolated incident. I would appreciate
confirmation on this.
Greg Walters (1:270/612) reports a possible isolated incident of a
problem with #1KEEN7. When he ran the installation, he began seeing on
his monitor "what looked like an X-rated GIF." The file apparently
scanned clean. Any information on similar sightings would be
appreciated.
A report from Todd Clayton (1:259/210) concerns a program called
ROBO.EXE, which he says claims to apparently "make RoboBoard run 300%
faster." He says he has heard that the program fools around with your
File Allocation Table. I have not heard any other reports of this, so I
would appreciate some confirmation from someone else who has seen similar
reports.
Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
possible hack of FEBBS called F192HACK. I have not seen this file, nor
has the author of FEBBS, Patrik Sjoberg (2:205/208). He forwards the
file sizes in the archive, reported here:
Name Length Mod Date Time CRC
============ ======== ========= ======== ========
FEBBS.EXE 220841 09 Mar 92 21:17:00 96D2E08D
014734.TXT 1403 26 Aug 92 01:59:18 3B9F717F
============ ======== ========= ======== ========
*total 2 222244 26 Aug 92 01:59:24
Kelvin says the .TXT file is just an advert for a BBS, so it is "not
relevant!". As I said, the author of FEBBS has never seen this file, so
I've asked Kelvin to forward a copy of it to him.
Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
Optimiser (sic)," going under the filenames MAX-XD and MAXXD20. Scott
Dudley, the author of Maximus, says he did not write any programs that
have these names, but he does not know whether they are or are not
legitimate third party utilities. I have requested further information
from Andrew on this topic, and would appreciate anyone else's
information, if they have any.
Yet another short warning comes from David Bell (1:280/315), posted in
the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is
that it is a Trojan, and that he got his information from another
"billboard" and is merely passing it on. Again, please help if you know
what is going on here.
Bud Webster (1:264/165.7) reports an Apogee game being distributed under
the filename BLOCK5.ZIP. He says that the game displayed a message that
said, "This game is not in the public domain or shareware." There was
only an .EXE file in the archive, and no documentation. I need to know
what the real name of this game is so that I can include it in the
pirated files section (if necessary).
A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
grabbed my attention the moment I saw it: in capital letters, it said,
"DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He
goes on to say that two BBSs have been destroyed by the file. However,
that's about all that was reported. I really need more to go on before I
can classify this as a Trojan and not just a false alarm (i.e., archive
name, what it does, etc.). Please advise.
Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
Echo (FidoNet) about a version of ARJ called 2.33. It was unclear as to
whether or not Mr. Mills had seen the file. Mr. Jung has repeated that
the latest version of ARJ is v2.30 (however, there is a legitimate public
beta version numbered 2.39b). It is possible that the references Greg
saw about 2.33 were typos, but you never know. Please help your Hack
Squad out on this one - if you see it, report it.
=========================================================================
The Meier/Morlan List
Here are this month's updates on the status of the files contained in the
Meier/Morlan List.
| Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
| Simulator by Mindscape, Inc. He says that he hasn't seen anything from
| them in quite a while, and doesn't know if the company is still in
| business.
| Jeffrey Marshall (1:153/733) forwarded information confirming that
| STARGOOSE, listed in the list as SPACEGOO, is copyrighted freeware and
| can be distributed via BBSs. If someone has merely renamed the archive,
| then I might consider the SPACEGOO file a hoax. However, I have no
| information to support this. Therefore, SPACEGOO comes out of the list,
| unless someone has specific information on it. Thanks to Jeffrey for his
| help.
| HW Nemrod Kedem says that FIXDOS50 is an official patch for IBM DOS v5.0,
| according to his contact with IBM officials. IBM has had a policy of
| releasing some patches via BBS systems, so FIXDOS50 comes off the list.
| Emanuel Levy (1:266/63) has some more input to add to last month's
| information:
|
| AFOX - possibly Artic Fox by Electronic Arts
| WINGIF - possible registered version of a shareware Windows .GIF viewer
| 387DX - sounds like a Math Co-Processor emulator - might be legit
|
| Confirmation of these would be appreciated. In the meantime, here are
| the remaining unresolved reports from Emanuel:
"Barkeep sounds like it may be a version of Tapper. If you send beer mugs
down the screen to patrons and then have to pick up the returning mugs
and they leave tips, then it is Tapper. Or it may be an OLD game
published in Compute Mag. If it is the one from Compute only those who
have the Compute issue with the game in it are allowed to have a copy.
"Harrier is either Harrier Jiump Jet or Space Harrier from Sega wich came
out for the Commodore 64 in 89 so I would assume it came out for IBM
around then too.
"Gremlins- There was an Gremlins Text Adventure and a Video Came for the
computer. The video game was put out by Atari
"Antix may be Artic Antix one lof the Spy vs Spy games
| Thanks, Emanuel. While we're on the subject of ANTIX, here is some
| further information on this file:
|
| Andrew McCullough (1:2614/409) has a copy of a game called ANTIX,
| mentioned above. According to Andrew, "as far as I can tell it is
| legit." He says it is a "'dinky' little program where you try to eat
| away 75% of the screen without being hit by the 'bad guys'."
|
| Steve Huston (1:266/49) and Matthew Evanson (mevanson@iastate.edu)
| confirm Andrew's report. Matthew says that it used to be a top download
| on America OnLine, and that it is a legitimate shareware game. So, with
| this, ANTIX comes off the list.
For those who have missed it before, here is what is left of the list of
files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system. Joe
says Wes keeps a bulletin of all rejected files uploaded to him and the
reasons they were rejected. Joe also says he cannot confirm or deny the
status of any of the files on the list.
There are some that I am not familiar with or cannot confirm. These are
listed below, along with the description from Wes Meier's list.
Due to the unconfirmed nature of the files below, the filenames are not
included in the columnar lists. I would appreciate any help that
anyone can offer in verifying the status of these files. Until I receive
some verification on them, I will not count them as either hacks or
pirated files. Remember - innocent until proven guilty.
My thanks go to Joe and Wes for their help.
Filename Reason for Rejection
======== =============================================
BARKEEP Too old, no docs and copyrighted with no copy
permission.
HARRIER Copyrighted. No permission to copy granted.
SLORGAME Copyrighted. No docs. No permission to copy
granted.
NOVELL Copyrighted material with no permission to
BBS distribute
DRUMS I have no idea if these are legit or not. No
docs.
GREMLINS No documantation or permission to copy given.
NAVM Copyrighted. No permission to copy granted.
TESTCOM Copyrighted. No permission to copy granted.
CLOUDKM A hacked commercial program.
MENACE Copyrighted. No docs. No permission to copy
granted.
AIRBALL A hacked commercial program.
SNOOPY Copyrighted. No docs. No permission to
copy granted.
SLORDAX Copyrighted. No docs. No permission to
copy granted.
ESCAPE Copyrighted. No docs. No permission to
copy granted.
AFOX A cracked commercial program.
BANNER Copyrighted. No docs. No permission to
copy granted.
WINGIF14 The author's documentation specifically
requests this file to not be distributed.
INTELCOM Copyrighted. No docs. No permission to
copy granted.
387DX Copyrighted. No docs or permission to
copy granted.
WINDRV Copyrighted. No permission to copy granted.
=========================================================================
Help!!!
Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
The Hack Squad for testing/verification please re-identify themselves via
NetMail? Somehow, your message went to the great Bit Bucket in the sky.
Thanks in advance!
*************************************************************************
Conclusion
If you see one of these on a board near you, it would be a very friendly
gesture to let the SysOp know. Remember, they can get in just as much
trouble as the fiend who uploads pirated files, so help them out if you
can.
***HACK SQUAD POLICY***
The intent of this report is to help SysOps and Users to identify
fraudulent files. To this extent, I give credit to the reporter of a
confirmed hack. On this same note, I do _not_ intend to "go after" any
BBS SysOps who have these programs posted for d/l. The Shareware World
operates best when everyone works together, so it would be
counter-productive to "rat" on anyone who has such a file on their board.
Like I said, my intent is to help, not harm. SysOps are strongly
encouraged to read this report and remove all files listed within from
their boards. I can not and will not take any "enforcement action" on
this, but you never know who else may be calling your board. Pirated
commercial software posted for d/l can get you into _deeply_ serious
trouble with certain authorities.
Updates of programs listed in this report need verification. It is
unfortunate that anyone who downloads a file must be paranoid about its
legitimacy. Call me a crusader, but I'd really like to see the day that
this is no longer true. Until then, if you _know_ of a new official
version of a program listed here, please help me verify it.
On the same token, hacks need to be verified, too. I won't be held
responsible for falsely accusing the real thing of being a fraud. So,
innocent until proven guilty, but unofficial until verified.
Upcoming official releases will not be included or announced in this
report. It is this Co-Moderator's personal opinion that the hype
surrounding a pending release leads to hacks and Trojans, which is
exactly the opposite of what I'm trying to accomplish here.
If you know of any other programs that are hacks, bogus, jokes, hoaxes,
etc., please let me know. Thanks for helping to keep shareware clean!
Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE, and
Moderator, FidoNet Echo WARNINGS (1:382/95)