💾 Archived View for spam.works › mirrors › textfiles › virus › trojan.vir captured on 2023-06-16 at 21:04:57.

-=-=-=-=-=-=-

THIS IS A COMBINATION OF FILES UPLOADED TO PDSE BY DAVID GEERINCK OF
HACKETTSTOWN, NJ, ON 10/17/85


Msg #  583  Dated 09-13-84 06:27:16
From: DON BEILFUSS
  To: CONFIDENTIAL
  Re: BOARD CRASHING

Bob, and others:   First of all, thanks Bob for helping the other
evening with my board crashing problem. I have spent considerable time
on the data and this is what I have concluded.

1. Someone using the name, Walter Koenig, uploaded a file called
   STARS3.EXE to my board. (the Trojan Horse, if you will)
2. Within the next day, I had executed the program to see what it was.
3. It creates a starfield background that could be used as part of a
   game, like STARTREK.
4. One of the program's actions is to copy RBBS-PC.DEF to RBBS-PC.
5. 24 hours after uploading, Walter logged on again and downloaded
   RBBS-PC (I didn't even know it was there)
6. Within 4 minutes, a call came in with the user identifying himself
   as a Remote Sysop.
7. During this call, he used Sysop #8 to give a user sysop level access.
8. Naturally, after he escaped into DOS, he listed my password file,
   deleted the RBBS-PC file, and did whatever else someone like this
   does for cheap thrills.
                  See next message...


Msg #  584  Dated 09-13-84 06:35:22
From: DON BEILFUSS
  To: CONFIDENTIAL
  Re: BOARD CRASHING CON'T

9. The username that he used for subsequent logons was Moe Greene.

I took the following action. I changed all of the Sysop functions to
require a higher level of access than the Sysop is granted on logon.
This appeared to stifle his access to DOS, but I did a few more things
to help insure the system.

1. I downgraded all special users to normal access levels.
2. I changed all of my passwords on Files and Groups
3. I changed the name of my password files.
4. I patched my RBBS-PC.EXE file to use a different filename for
   configuration. Norton works well for this.
5. I put all restricted functions at security levels far beyond
   the Sysop Access Level.
6. I altered my directory structure to reflect a more concise restricted
   area for the BBS in that particular background partition.
7. I left both usernames on the system with levels below minimum and
   a message for both Walter and Moe.   See next message.

Msg #  585  Dated 09-13-84 06:43:09
From: DON BEILFUSS
  To: CONFIDENTIAL
  Re: BOARD CRASHING CON'T

This morning when I checked the system, Moe had been on again and this
time he left a message that RBBS had a large hole in it and he had
"taken my system". During the evening two days ago, I caught him using
the system identified as one of my friends. I knew this because my
friend was out of town on vacation, but obviously he didn't know that.
We chatted a bit and I definitely proved it was a masquerade through
one or another false statements that my friend would not have been
tripped up on. Also the typing skills and vocabulary were that of
someone in junior high instead of an adult technical specialist.

One last note, anyone who reads this message and uses the Astrix
Computer System has had their password compromised. If you are in the
habit of using the same password on all of the boards that you frequent,
you may want to start using a different one.

The users of this bulletin board should be aware of a very scary thing
that happened recently on a bulletin board in the Rockville/Gaithersburg
area. Some clown UPLOADed a BASIC program called SECRET.BAS. Then he left
a message to all users claiming he had hacked this program from a mainframe
and he was having a problem getting it to run on his personal computer. He
asked anyone who could get the thing to run to leave him a message telling
him about it. (Which of us could resist such a plea?)
As it turned out the program ran fine and this #$%&^* knew it! What the
program did was to erase all the files on the disk(s) on the computer that
ran it!!  ALL THE FILES ... ON ALL THE DISKS !!!
After a couple of users lost their disks the word got around and the
"killer" program was deleted from the bulletin board. But it could happen
again. It could happen here.
Please y'all, be careful. Look over the programs you DOWNLOAD before you
run them (or have good and recent backups).


Bruce N. McCausland




The following is from MEMO DANGER in the PCSHARE subconference of
CONTACT (at UC Berkeley):

<<< MEMO DANGER - 104 lines, 1 append(s) >>> from DAY15 on 08/15/85 at 05:40:21

WARNING! DANGEROUS PROGRAMS

I just found the following file on a local bulletin board. It's
difficult to believe that people can be this vicious. Please do
everything you can to spread the word.

Burt Alperson

The file:


	  ====================== BULLETIN #1 =======================

    The following 2 Articles I got from 2 magazines (I will give the reference
    at the end of the article), and I thought that you might like to see this.



				   WARNING!



Warning: Someone is trying to destroy your data.  Beware of the SUDDEN upsurge
of "Trojan Horse" programs on Bulletin Boards and in the public domain.  These
programs purport to be useful utilities, but, in reality, they are designed to
sack your system.

One has shown up as EGABTR, a program that claims to show you how to maximize
the features of IBM's Enhanced Graphics Adapter, and has also been spotted as
a new super-directory program.  It actually erases the file allocation tables
on your hard disk.  For good measure, it asks you to put a disk in Drive A:,
then another in Drive B:.  After it has erased those FATs too, it displays,

		       "  Got You! Arf! Arf!  "

Don't run any public-domain program that is not a known quantity.  Have someone
you know and trust vouch for it.  ALWAYS examine it FIRST with DEBUG, looking
for all the ASCII strings and data.  If there is anything even slightly
suspicious about it, do a cursory disassembly.  Be wary of disk calls
(INTERRUPT 13H), especially if the program has no business writing to the disk.
Run your system in Floppy only mode with write protect tabs on the disk or junk
disks in the drives.

Speaking of Greeks bearing gifts, Aristotle said that the unexamined life is
not worth living.  The unexamined program is not worth running.

						   - The Editors of PC
						   July 23, 1985
						   Volume 4, Number 15


Another bit of information I got from the ARPANET: Be careful what you put into
your machine.  There is out there making the rounds of the REMOTE BULLETIN
BOARDS a program called  VDIR.COM.  It is a little hard to tell what the
program is supposed to do.

What it actually does is TRASH your system.  It writes garbage onto ANY disk it
can find, including hard disks, and flashes up various messages telling you
what it is doing.  It's a TIME BOMB: once run, you can't be sure what will
happen next because it doesn't always do anything immediately.  At a later
time, though, it can CRASH your system.  Does this remind you of some of the
imbecilic copy-protection schemes threatened by companies such as Vault and
Defendisk?  Anyway, you'd do well to avoid VDIR.COM.  I expect there are a
couple of harmless -- perhaps even useful -- Public Domain programs floating
about with the name VDIR; and, of course, anyone warped enough to Launch this
kind of Trap once, can do it again.  Be careful about untested "Free" software.

			   Computing at Chaos Manor
			   From the living Room
			   By Jerry Pournelle
			   BYTE Magazine, The small systems Journal


###############################################################################

Well, there it is. If you happen to see any of these files on this, or any other
RBBS, IBBS,  FIDO or any other board, PLEASE leave the SYSOP a message or a
and let him know about the file.  I will List 2 other Files that I am aware of
that will also do damage as has been reported in the past:

	   1.  STAR.EXE presents a screen of stars then copies RBBS-PC.DEF
	       and renames it. The caller then calls back later and d/l the
	       innocently named file, and he then has the SYSOP'S and all the
	       Users passwords.

	   2.  SECRET.BAS  This file was left on an RBBS with a message saying
	       that the caller got the file from a mainframe, and could not get
	       the file to run on his PC, and asked someone to try it out.
	       When it was executed, it formatted all disks on the system.

We must remember, that there are a Few idiots out there who get great pleasure
from destroying other people's equipment.  Perverted I know, but we, the serious
computer users must take an active part in Fighting against this type of stuff,
to protect what we have.  Be sure to spread this bulletin to other Boards
across the country so that as many people as possible will be aware of what is
going on.   Thanks a lot!

				  ........................  Kerry
				    The Flint Board
				    Flint, Mich
				    (313) 736-8031

+++ CREATED 08/13/85 22:35:52 BY +PW/BURT +++
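
Added example, not part of the original bulletin or the PC Magazine text it quotes: the advice above to read a program's ASCII strings and be wary of INTERRUPT 13H, done as a static scan in Python instead of by eye in DEBUG. The INT 25h/26h entries, the look-back for a MOV AH instruction and the SAMPLE bytes are assumptions constructed for this example.

```python
import re

# INT 13h is the call the bulletin names. 25h/26h (DOS absolute disk
# read/write) are added as an assumption of this example.
DISK_INTERRUPTS = {0x13: "BIOS disk services",
                   0x25: "DOS absolute disk read",
                   0x26: "DOS absolute disk write"}
# INT 13h functions (value in AH) that modify the disk.
WRITE_FUNCS = {0x03: "write sectors", 0x05: "format track"}

# Constructed sample, not bytes from any real program: a .COM-style stub
# that prints a message, then calls INT 13h with AH=03h on drive 80h.
SAMPLE = (b"\xb4\x09\xba\x20\x01\xcd\x21"              # mov ah,9 / mov dx,120h / int 21h
          b"\xb4\x03\xb0\x01\xb9\x01\x00\xba\x80\x00"  # mov ah,3 / mov al,1 / mov cx,1 / mov dx,80h
          b"\xcd\x13\xc3"                              # int 13h / ret
          b"Got You! Arf! Arf!$")


def ascii_strings(data, min_len=5):
    """(offset, text) for every run of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def disk_interrupts(data):
    """(offset, interrupt, AH or None) for each CD 13/25/26 byte pair.

    A byte-pattern scan, not a disassembly: the same bytes inside data
    give false positives, and packed or self-modifying code hides calls.
    """
    hits = []
    for m in re.finditer(rb"\xcd[\x13\x25\x26]", data):
        window = data[max(0, m.start() - 12):m.start()]
        i = window.rfind(b"\xb4")              # B4 ib = MOV AH, imm8
        ah = window[i + 1] if 0 <= i < len(window) - 1 else None
        hits.append((m.start(), data[m.start() + 1], ah))
    return hits


def triage(data):
    """One line per suspicious call; offsets are file offsets (add 100h for a .COM in DEBUG)."""
    lines = []
    for off, num, ah in disk_interrupts(data):
        note = DISK_INTERRUPTS[num]
        if num == 0x13 and ah in WRITE_FUNCS:
            note += ", AH=%02Xh (%s)" % (ah, WRITE_FUNCS[ah])
        lines.append("%04X: INT %02Xh %s" % (off, num, note))
    return lines
```

A hit is a reason to do the cursory disassembly the bulletin recommends, not a verdict; a clean scan proves nothing about a packed or encrypted file.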