💾 Archived View for spam.works › mirrors › textfiles › hacking › hack9306.rpt captured on 2023-11-14 at 09:52:10.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-

  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Moderator, FidoNet
                                    ||    Int'l Echos SHAREWRE & WARNINGS
          The Hack Report           ||  Volume 2, Number 6
           for June 1993            ||  Report Date: June 6, 1993
                                    ||
  =========================================================================

  Welcome to the sixth 1993 issue of The Hack Report.  This is a series of
  reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware and Warnings Echos and the author of the
  report, Lee Jackson (FidoNet 1:124/4007).

  Hack Central Station is returning to abnormal following a rather chaotic
  past two months.  A relatively light month in terms of the number of
  reports helped matters.  However, the reports themselves were quite
  interesting:  yet another attack on RemoteAccess BBS systems appeared,
  and two popular archiver programs, ARJ and LHA, were the victims of a
  hack and a hoax, respectively.  Thanks to everyone who has helped put
  this report together, and to those that have sent in comments and
  suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  and Warnings Echos (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

  On this same note, programs and files listed in this report should not be
  automatically considered dangerous.  It is simply impossible for the
  author of this report to receive and test copies of every listed file, so
  many of the reports listed herein are based on information sent to the
  author by individuals in the BBS community.  For this reason, neither the
  author of this report nor anyone officially associated with it shall be
  held liable for any losses and/or damages resulting from a listing in
  this report.

  Finally, the releases listed as the latest Official Versions may not be
  entirely accurate.  However, they do reflect the latest version known to
  the author of The Hack Report at the time of writing.  That's the nature
  of the beast we call shareware:  authors have every right (and in this
  writer's opinion, are well advised) to release a new version without
  advance notice of any kind.  If you see a version newer than one listed
  here, please contact one of The HackWatchers or myself so that we can
  keep these listings up to date.

  *************************************************************************

                              Hacked Programs

  Here are the latest known versions of some programs known to have hacked
  copies floating around.  Archive names are listed when known, along with
  the person who reported the fraud (thanks from us all!).

   Program              Hack(s)                    Latest Official Version
   =======              =======                    =======================
   ARJ Archiver         ARJ250                     ARJ239F
      Reported By:  Tommy Vielkanowitz(1:151/2305)
                        ARJ239E
      Reported By:  The Hack Squad
                        ARJ240A
      Reported By:  Ryan Shaw (1:152/38)
|                       ARJ300
|     Reported By:  Mike Stowe (ITCNet, via HW Robert Hinshaw)

   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                      Author of BNU

   DMS Amiga Disk       DMS version 1.12           DMS version 1.11
    Masher
      Reported By: Ben Filips, via Jay Ruyle (1:377/31)

|  F-Prot Virus Scanner FP-205B                    FP-208a
      Reported By: HW Bill Lambdin

   LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
      Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
                        LHA151
      Reported By: Lawrence Chen (1:134/3002)

   LHA Archiver (PC)    LHA214                     LHA213 (non-beta)*
      Reported by: Patrick Lee (RIME address RUNNINGB)
                        LHA214B
                        ICE214
                        LHA215
      Reported by: Kenjirou Okubo, LHA Support Rep.
         (Internet address: kenjirou@mathdent.im.uec.ac.jp)
                        LHA300
      Reported by: Mark Church (1:260/284)

|  MakeNL               MKNL251                    MKNL250
|     Reported by: Dan Guenthner (SAF-Net 44:900/200,
|                  via HW Robert Hinshaw

   MusicPlay            MPLAY31                    MPLAY25B
      Reported By: Lee Madajczyk (1:280/5)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

   PKZip                PKZ301                     PKZ204G
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)

|  Shez                 SHEZ72A                    SHEZ90A
                        SHEZ73
      Reported By: HW Bill Lambdin

   Telemate             TM40C                      TM400-1 through 4
      Reported By: Philip Dynes, RIME Telemate conference,
                   via HW Richard Steiner
|                       TM401
|     Reported By: HW Richard Steiner
                        TM410-1
      Reported By: Bat Lang (1:382/91)

   Telix                Telix v3.20                TLX321-1
                         (Prior to Dec. 1992)      TLX321-2
                        Telix v3.25                TLX321-3
      Reported By: Brian C. Blad (1:114/107)       TLX321-4
                   Peter Kirn (WildNet, via HW Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1)
                        MegaTelix
      Verified By: Jeff Woods, deltaComm, Inc.
                        Telix Pro
      Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

   TheDraw              TDRAW430                   TDRAW461
                        TDRAW5
      Reported by: Ian Douglas (5:7102/119)
                        TDRAW500
      Reported by: Ian Davis, Author
                        TDRAW550
      Reported by: Steve Klemetti (1:228/19)
                        TDRAW600
      Reported by: Hawley Warren (1:120/297)
                        THEDR60
      Reported by: Larry Owens (PDREVIEW echo, 1:280/17)
                        TDRAW601
      Reported by: Jesper Tragardh (2:200/109)
                        TDRAW800
      Reported by: James Carswell (1:153/775)


   Wolfenstein-3D       WOLF2-1                    #1WOLF14
                        WOLF2-2
      Reported By: Wen-Chung Wu (1:102/342)


  * -   See the section "Clarifications and Thanks" for details on
        other valid version numbers for LHA.


  =========================================================================

                                Hoax Alert:

| HW Mikael Winterkvist reports that he received a program for study from
| Patrik Sjoberg, the author of Febbs.  The program Patrik found was called
| VIP and claimed to be a "new, easy to use archive-program" called "Visual
| Illusions Pack."
|
| Mikael and Patrik both studied the program and determined that it was
| merely an altered version of the LHA Archiver v1.13.  To make matters
| worse, the "author" asked for a registration fee.  Save your money.


  The Hack That Wouldn't Die has reared its ugly head again:  XTRATANK is
  still floating around out there, according to a sighting by Mike Ledoux
  (1:132/202).  This file was reported in detail in the 1992 Full Archive
  Edition of The Hack Report (HACK92FA), but it seems to be so unwilling to
  go away that it is mentioned again here.  For those of you new to The
  Hack Report, XTRATANK is a confirmed and tested hoax that does _not_
  double your hard drive space, regardless of what you might see when you
  do a DIR command.  If you have doubts, try the Fitzgerald test below.

  *** The Fitzgerald Test

  Here is the now-famous Fitzgerald Test, devised by Tim Fitzgerald of
  1:3800/18.0 and validated through testing performed by Bill Logan of The
  Pueblo Group (1:300/22).  Try this if you think you have managed to get
  XTRATANK to work on your system.  Follow these simple steps:

      1. Run CHKDSK and write down the free space it reports as free.
      2. Do a DIR command and write down what XTRATANK reports.
      3. Copy any text file to a new text file.
      4. Repeat steps 1 and 2, and compare.

  You will see that XTRATANK reports that twice as much disk space is taken
  up by the new text file.


  Michael Toth (1:115/439.7) has located another incident of the Amiga
  Emulator hoax, reported in the 1992 Full Archive Edition of The Hack
  Report as AMIGA.  This time, the file was under the filename IBM_AMGA,
  and contained the following internal files:

  Name          Length    Method    Size now  Mod Date    Time     CRC
  ============  ========  ========  ========  =========  ======== ========
  README.USA         393  Imploded       338  10 Apr 91  18:07:06 2CF72B62
  EMULATOR.EXE    273947  Imploded    157084  15 Sep 90  01:00:00 02A68881
  ============  ========  ========  ========  =========  ======== ========
  *total     2    274340  ZIP 1.10    158592  13 Oct 91  11:28:00

  The file claims to emulate Kickstart 1.2, version 33.192, on an IBM
  compatible.  Michael's tests show that this file doesn't do much, if
  anything - 15 minutes worth of waiting after running the program produced
  no results.


  Recently, an archive of Frisk's (a.k.a. Fridrik Skulason's) F-Prot Virus
  Scanner v2.07 has been distributed with a "registration form" from a
  company called JLT.  According to Frisk, this is not legitimate.  He says
  that JLT contacted him in the fall of 1992, asking if they could
  distribute F-Prot, collect registration fees, and forward 50% of the fees
  to him.  Frisk didn't want them to do this, but it appears that an
  archive with the "registration form" may have slipped into distribution.
  In Frisk's words, "...this version is most certainly not something that I
  want distributed."


  From the "Not Really A Program, but Interesting Anyway" department, a
  "press release" has entered distribution, claiming that PKWare Inc. has
  filed for Chapter 11 bankruptcy.  The letter is dated Friday, February
  26, 1993, and supposedly quotes Mark Gresbach of PKWare in the statement.

  However, in a message posted in the CompuServe PKWARE forum on March 1,
  1993, PKWare employee Douglas Hay states that this is not true.  Douglas
  also points out that the perpetrator of the hoax misspelled the word
  Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in
  the message for PKWare is wrong.  In short, ignore the letter - PKWare
  has _not_ filed bankruptcy.


  Other previously reported hoaxes:

  Filename      Claimed use/Actual activity/Reporter(s)
  ============  ==========================================================
  PKZ305        Hacked "new version" of PKZip.  However, a message in wide
                circulation claimed this was infected with a virus called
                PROTO-T.  This message is the actual hoax:  there may be
                one or more PROTO-T viruses around now, but none do what
                was claimed in the hoax message.  This hack, PKZ305, was
                not infected with any virus, nor did it contain Trojan
                code, per testing by Bill Logan (1:300/22), HW Jeff White,
                and HW Bill Lambdin.

  RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
                from Continental Software.  Actually does nothing but read
                your USERS.BBS file and report the number of users.  The
                program is _not_ from Continental Software, according to
                Andrew Milner.  Reported by Kai Sundren (2:201/150), via
                HW Mikael Winterkvist.

  SCORCHV2      Claims to be v2.0 of the game Scorched Earth:  this version
                doesn't yet exist.  Actually a renamed archive of version
                1.2.  Reported by Brian Dhatt (1:3648/2.5).

  =========================================================================

                              The Trojan Wars

  This past month was a welcome relief, compared to the past couple of
  months.  For a change, the volume of new Trojans went down.  However,
  the folks writing the Trojans didn't stop altogether:  there are some
  new reports which should be of interest to everyone who reads this
  report.  With that in mind, I suggest you sit back, relax, keep the
  antacid of your choice handy, and read on.


| Rod Fewster (3:640/886) reported in the FidoNet VIRUS Echo on a file
| called TNN202 that he tested.  This file apparently contains at least 3
| files named TNN.EXE, TNN.OV1, and TNN.OV2.  TNN.EXE displays the
| following message:
|
|      TNN Anti-Virus (C) 1992-1993 by Syn Labs Inc. Version 2.02.
|      Configuring, Please wait....
|
| At this point, the program renames TNN.OV1 to TNN1.EXE, and TNN.OV2 to
| TNN2.COM.  According to Rod, TNN1.EXE is the "RABID" Trojan, while
| TNN2.EXE is the Beta 1 Trojan.  RABID "whacks out your HD's boot sector,"
| apparently filling it with a rather obscene message.  The Beta 1 Trojan,
| on the other hand, executes the following sequence of commands:
|
|       C:
|       CD DOS
|       DEL COMMAND.COM
|       CD\
|       DEL COMMAND.COM
|       RENAME AUTOEXEC.BAT TEMP.BAT
|       RENAME CONFIG.SYS AUTOEXEC.BAT
|       RENAME TEMP.BAT CONFIG.SYS
|       CD DOS
|       DEL *.EXE
|
| It then displays its own obscene message on your screen.  Rod says that
| TNN.EXE then displays the following message (edited for television):
|
|       GOODBYE D*******. Wave Ta-Ta to your hard disk.
|       Next time, dont enter messages to a public echo if you have
|       no idea what you are talking about.
|       Love David Humes.
|
| Rod's results show that TNN.EXE is simply a "loader" for the two Trojans,
| and not dangerous by itself.  He also states that there are other files
| used to "pad out the archive," which are ancillary files from a program
| called VirusBuster v3.91.
|
| Thanks to Rod for posting his results.  This was definitely a nasty
| little beggar of a Trojan.


| HW Hinrich Donner forwards reports from Zone 2 of a "trainer" for the
| game Strike Commander which doesn't appear to act as it should.  The
| archive was distributed under the filenames SCTRNUNT and SC-TRN.
| SCTRNUNT contains the following files:
|
|            !HIREZ   COM      6888 19.04.93   23:26
|            SCTRNUNT EXE      6442 18.04.93   12:49
|            UNT      EXE     11431 18.04.93   12:30
|            SILVER   NFO        81 19.04.93   23:26
|            SWIFT    NFO      3785 18.04.93   12:12
|            UNT      NFO     11483 18.04.93   12:26
|
| Note that the SC-TRN archive contents were not forwarded, but the
| following file size and description were:
|
|        SC-TRN.ARJ     9129 Strike Commander - Trainer by [UNT]
|
| The file which appears to do the damage, SCTRNUNT.EXE, does so by
| destroying your root directory, partition table, FAT1, and FAT2.


| Teo Chee Kian (6:600/600) received a file called GIF_TSR which claimed to
| convert .gif files to "Photo-like Graphics."  However, the file is
| actually a compiled batch file which seeks out and deletes all
| "important" files in your DOS, QEMM, WINDOWS, STACKER, and some other
| directories.  It also deletes MSDOS.SYS, IO.SYS, COMMAND.COM, CONFIG.SYS,
| and AUTOEXEC.BAT - it calls ATTRIB.EXE to remove the hidden, system, and
| read-only attributes when necessary.  Definitely a file to avoid.


| Emmanuel Bataille (2:320/7) forwarded a message from Serge Ayotte
| (Internet, rider@geolser.login.qc.ca) about a possible isolated incident
| of an infected copy of the BNU FOSSIL Driver, version 1.88 beta
| (BNU188B).  The archive Serge found was infected with the Screaming Fist
| 650 virus.  Serge goes on to say that the infection is detectable by
| version 104 of McAfee's ViruScan, but not by version 102.
|
| Rod Fewster (3:640/886) reports that there are two other dangerous
| versions of BNU, under the filenames BNU200 and BNU202 (see also the
| "Hacked Files" section of this report).  He says that they are identical
| except for differences in the documentation files and internal messages,
| and that both attack your hard drive's partition table and master boot
| record (MBR).
|
| Note that there is a real version 1.88 beta of BNU, but it was not
| intended for public release, according to the author of BNU, David
| Nugent.  The latest official public release of BNU is v1.70.


| HW Nemrod Kedem (2:403/138) reports that a new Trojan has been found in
| Israel, named RASPEED.  He forwards the following archive information:
|
| Archive:  RASPEED.ARJ
|
| Name        Length   Method    SF  Size now Mod Date   Time     CRC
| =========== ======== =======  ==== ======== ========= ======== ========
| RASPEED.EXE    29120 Comp-1    37     18242 21 May 93 08:51:14 B9717331
| RASPEED.DOC     4344 Comp-1    66      1443 21 May 93 12:46:36 194BB7EB
| FILE_ID.DIZ      611 Comp-1    57       262 20 May 93 10:13:48 0E680542
| =========== ======== =======  ==== ======== ========= ======== ========
| *total    3    34075 ARJ 4     40%    21310 29 May 93 21:16:56
|
| The program is aimed at RemoteAccess BBS Systems - it copies the
| USERS.BBS file over to a file called JACKLINE.GIF located in the first
| file area listed in your FILES.RA file.  It also adds a description to
| the FILES.BBS file that reads "JACKLINE.GIF (640x480x256)".
|
| This program works with RA v1.11, but not with RA v2.00 gamma.  A full
| text of Nemrod's results can be found in the file RASPEED.RES, part of
| the FILETSTS.LZH archive found in the archive version of The Hack Report.


| David Snider, a user of Douglas Taylor's system (1:147/1077), reports via
| the FidoNet DIRTY_DOZEN echo on a file called BRE0911.  Apparently, a
| file inside this archive called UPDATE.COM is infected with a virus (no
| name given) which David says is only detectable by MS-DOS 6.0's VSAFE
| program.  The virus in question re-writes your COMMAND.COM file, adding
| to it slowly over a period of time:  a fellow sysop who was infected for
| 8 days wound up with a COMMAND.COM file over 70K in size.
|
| According to David's report, there is a legitimate release of this
| program, under the filename BRE0910.  He did not describe what the real
| program was, however, nor did he provide any archive statistics.  All he
| said was that "nothing above BRE0910 is legal".


  Now, some info on a DEBUG script forwarded by Jack Cross (1:3805/13) from
  the FidoNet BATPOWER echo.  The script, which has generated a great deal
  of discussion, created an archive (LZH) of the program TinyCache
  (filename TNYCACHE), claiming to be a small disk cache.

  As soon as the script was posted, folks started reporting symptoms of
  destructive activity:  destroyed FATs and reformatted hard drives were
  been reported after this program was run.

  Prior to the publication of the April edition of this report, I tried a
  feeble attempt at analyzing this program myself.  However, as I have said
  before to folks who contact Hack Central Station, I'm a reporter, not an
  AV expert.  So, I forwarded a copy of this script to HW Jeff White of The
  Pueblo Group for testing.  Others ran their own tests, and still others
  forwarded the resulting archive for further testing.  The reports (which
  are _far_ too numerous to credit in their entirety - please accept my
  thanks for your help!) had some similar results, but left some confusion
  as to what this file actually is.

  All of the reports indicate that the unarchived file, TNYCACHE.COM, is
  compressed with PKLite and that the PKLite ID header was edited out of
  the resulting file.  Once decompressed, McAfee's SCAN reported that the
  file was infected with the Taiwan3 [T3] virus, and Frisk's F-Prot
  detected the AnitCAD virus.

  This is where things get wierd.  Bill Dirks (1:385/17) reported that
  there were two versions of the file - TNYCACHE.EXE and TNYCACHE.COM.  He
  also said that the .exe version is actually a renamed copy of the SCCHECK
  Trojan, and that the .com version is "hacked to include a hacked version
  of the AntiCAD virus."

  Bill included the following scanner strings for use with McAfee's SCAN:

              "2BC00221200961642E6578652004" Pklited-Anticad
              "46048B4E068B56088B5E0CCD261B" Sccheck-Trojan

  The second string can also be used with Frisk's F-Prot as a user string,
  as long as you inform the program that it is a .com/.exe infector.

  However, Bob Stettina, a user at 1:382/77, had a different analysis of
  this file, based on a report he says he received from Spencer Clarke of
  McAfee Associates.  Bob also decompressed the PKLited .com file and
  received a Taiwan3 [T3] report from McAfee's SCAN v102.  After this, he
  uploaded the file to McAfee Associates.

  The report received from Mr. Clarke said, according to Bob, that this
  file is "a unique/new Trojan, and it is *NOT* actually infected with a
  virus:  rather, this Trojan includes a segment of code that is
  accidentally 'recognized' by SCAN as the Taiwan3 virus."  The report also
  stated that other scanners gave off false alarms on this file.  Finally,
  Bob goes on to say that this file does not replicate:  since the ability
  to reproduce is part of the basic definition of a virus, Bob concludes
  that this one fails that test and is therefore a Trojan.

  HW Jeff White's test results tended to agree with the majority of the
  reports:  the .com file was simply infected with the Taiwan3 [T3] virus,
  and was capable of being "cleaned" by McAfee's Clean-Up v102.

  This has been a fascinating study in program analysis.  However, I'm sure
  that the folks who were hit by this are not quite as fascinated - the
  word infuriated would be more appropriate.  Whatever the program actually
  is, be it virus, Trojan, or whatever, it _may_ have been re-created from
  the DEBUG script by someone, not run on their system, and later
  absent-mindedly uploaded as an archive to a BBS.  If you see this file,
  make sure it's the same one we're talking about here:  if it is, delete
  first and ask questions later.


  Andy Thomas (1:125/217) forwarded a report from Allan Thomas (Smartnet
  Virus Conference) about an infected copy of the archive BBSLAWS.  The
  archive contained two files - NEWLAWS.TXT and README.COM.  The .txt file
  seemed to be for real, but the .com file was another story.  According to
  Allan, the program displays the following message just before it locks up
  your system:

      "Install v1.0 (c) Vivid Imaginations, Ltd.  All rights reversed."

  As Allan points out, note the spelling of the last word in the above
  quote:  quite subtle.  The damage you will find after you reboot is not
  so subtle, though - the program at least overwrites your MBR and 1st FAT,
  deletes itself, and overwrites the remnants of itself with garbage to
  hide the evidence.  When it overwrites itself, it writes enough bytes to
  cover every sector it used to occupy, resulting in a write of more bytes
  than the original file size.


  Paul Harney (1:107/579) forwarded a message from a user, Rod Fewster,
  concerning a sighting of something claiming to be PKZip v2.04I.  The
  file, a self-extracting archive called PKZ204I, shows a "valid"
  authenticity verification on unpacking.  However, Rod says both the
  internal files PKZIP.EXE and PKUNZIP.EXE "whack out your CMOS settings
  totally as soon as they're run."  No other damage was reported.

  Here are the vital stats, as provided by Rod:

        "Archive date is 02-22-93 20:35.

        "All files are dated 02-22-93 02.04 except pkunzip.exe
         which is dated 02-22-93 20:34."

  Rod also provided a comparison between v2.04g and this file's
  executables:

        "v2.04g filesizes are:  pkzip.exe 42166   pkunzip.exe 29378
         v2.04i filesizes are:  pkzip.exe 42186   pkunzip.exe 29398"


  Chuck Gustafson (1:2201/33) forwarded to the FidoNet echo DIRTY_DOZEN a
  report from Brian Buchanan (Brian Buchanan #1 @8251 VirtualNET) about the
  file FDFORM.  This appears to be an isolated incident of a Trojan version
  of the legitimate program FDFormat.  The .zip archive was only 13106
  bytes long, and contained the files FDOCS.PAK (317 bytes), FDFORMAT.PAK
  (11366 bytes), and FDSETUP.BAT (174 bytes).  The .bat file contains the
  following commands:

                  @echo off
                  cls
                  echo Analizing system configuration...
                  @echo off
                  ren fdocs.pak fd.exe
                  echo Unpacking files...
                  echo (This may take a few minutes)
                  fd c:\
                  fd d:\
                  fd e:\

  The problem here is that the file FDOCS.PAK is actually a renamed copy of
  a program called NHUE, which according to Brian is a utility that deletes
  all files and sub-directories in the directory specified on the command
  line.  If you look at what happens in the .bat file, you'll note that
  NHUE, originally renamed FDOCS.PAK, is re-renamed to FD.EXE and is called
  for drives C: through E:, potentially wiping out everything on these
  drives.


  Lee Noga (1:3618/23), apparently one of the folks associated with the
  PowerPak Gold '92 Shareware CD-ROM disk, asked that I help warn folks of
  a Trojan file on their disk called MWARS20.  This file, which has been
  seen in other locations, contains two files, DEMO.EXE and READTHIS.COM,
  which appear to be the main culprits.  According to a report from Scott
  Catterill (Intelec PC-Security conference, via HW Bill Lambdin and based
  on info from Dave Comeau), both files contain the following text:

    eat this. REVENGE!. Melting Memory!. Maybe next time, you won't steal
    people's Passwords and get them ****** off at you... I hope you backed
    up your hard drive!

  Scott says both will try to low-level format your hard drive.  However,
  according to Lee Noga's report, the program acts a bit differently.  The
  copy on the PowerPak CD-ROM contains the following files:

                       MWARS.BAT      128     07/17/92
                     MWARS20.EXE    15864     02/15/92
                     MWARS20.DOC     2058     07/17/92
                        NOTE.DOC      309     01/01/80
                         YANG.ME      121     07/17/92
                     INSTALL.EXE    39080     06/14/90
                        DEMO.EXE     5470     04/22/90
                     DOMENOW.COM      937     09/24/90
                    READTHIS.COM     5470     04/22/90

  Lee says the program does its damage via the .bat file, via DEMO.COM, and
  via DOMENOW.COM - all three are dangerous, as they will scramble your
  hard drive's FAT table.  The same message as Scott reports will appear,
  but if you reboot during its display, you may be able to abort the
  Trojan's damage.  Lee also notes that the game itself was untouched:  if
  you don't invoke it via the .bat file, it will run just fine.  Bizarre.

  (Editorial - I appreciate the effort taken by vendors to inform the
  public of a problem with their product.  Even if the publicity hurts
  sales, the loss can't be worse than the potential loss caused by a
  perception that a company doesn't care about whether or not their product
  is dangerous.  This is not an indictment of _any_ company or author:  it
  is merely intended to encourage companies and authors to report attacks
  against and/or problems with their products as soon as they learn of
  them.  My life would be _so_ much easier. <g>  -lj)


  Tom Guelker (1:2250/26) posts in the FidoNet DIRTY_DOZEN echo a report of
  a Trojan called SINBAD.  It claims to be a file transfer protocol
  utility, but it actually throws your system into a perpetual loop by
  overwriting your AUTOEXEC.BAT file.  The new AUTOEXEC.BAT (as well as
  SINBAD.EXE) becomes read-only and invokes SINBAD.EXE, which again
  overwrites AUTOEXEC.BAT with the same info (apparently turning off the
  read-only bit first <?>), etc. ad nauseum.  Definitely sounds irritating,
  but not dangerous unless you don't have a copy of your original
  AUTOEXEC.BAT file:  you can bypass the loop by booting from a known
  clean, write-protected system disk, and then use a utility such as the
  MS-DOS 4.01 and above ATTRIB.EXE to remove the read-only bit.  This will
  allow you to delete the offending .bat file and replace it with a copy of
  your original, or to re-write it if you didn't have a backup.


  Henry Shaw (1:261/1177, via Jack Cross, 1:3805/13) reports on TAGCRASH, a
  supposed utility or crack of some sort for TAG BBS systems.  Henry says
  the archive contained the internal file TAGUTIL.COM, which started off in
  your \BBS directory and "worked its way through the obvious choices of
  \TAG and \MULTI till it found all the .DAT files, .LST files and
  everything else that pertained to a TAG board."  These files would be
  deleted when found.  An easy way to trash a TAG system, Henry says.


  HW Richard Steiner forwarded a message from the ILink Shareware_Support
  conference by Bob Feldman concerning an archive named HSDIAG.  Bob stated
  that this file is a Trojan.  Bob posted further details on the ILink
  Virus conference (forwarded by HW Bill Lambdin), and also sent a copy of
  the file to R. Wallace Hale, SysOp of the Driftnet BBS ((506)325-9002).
  Mr. Hale did preliminary testing of the file, and was able to determine
  that it will at least try to overwrite the first 255 sectors on the first
  eight drives in a system, including floppy drives.  For the full text of
  Mr. Hale's report, as forwarded by HW Bill Lambdin and James FitzGibbon
  (1:250/301), please obtain the archive version of The Hack Report and see
  the file HSDIAG.RES, located inside the internal archive FILETSTS.LZH.


  HW Jeff White received a file for testing called ANSIVIEW.COM, which has
  apparently been seen inside a couple of archives, most often ANSI
  collections.  The copy Jeff received for testing is infected with the
  AIDS [N1] virus, and cannot be disinfected by either McAfee's Clean-Up or
  the AIDSOUT utility.  The infection is detectable by McAfee's SCAN.  Yet
  another of The Hack Squad's 2048 reasons to check everything you download
  for viruses.


  HW Scott Raymond has cleared up a discrepancy that I had in previous
  reports concerning the file BWAVE_3.  This was listed as a hack of the
  Blue Wave Offline Reader, but according to the report received by Scott
  from a user in Australia, the file is actually a Trojan.  The user in
  Australia reported that the Trojan trashed partitions and boot sectors,
  in addition to attacking RemoteAccess BBS data files.  According to
  Scott, this is the same file reported by Frans Hagelaars (2:512/2).
  Please note that this Trojan was discovered prior to the release of
  BWAVE212, version 2.12 of the reader.


  Vincent Aniello (aniello@gauss.rutgers.edu) reported a "back door" for
  use when logging onto Renegade BBS systems.  This file, RGBACKDR, claims
  to allow you to log onto any Renegade board with SysOp privileges.
  Instead, it makes a beeline for several key files on _your_ system and
  deletes them.  For the full text of the test results, as performed by HW
  Jeff White of The Pueblo Group, see the file RGBACKDR.RES in the archive
  FILETSTS.LZH, found in the archive version of The Hack Report.


  Maynard Marquis (1:141/328) forwarded a message to the FidoNet Int'l Echo
  WARNINGS from Joel Lambert about a file called TW-CHEAT.  This claims to
  be a cheat file for Tradewars 2002, and contains the following files:

                  TW-CHEAT EXE      6306 03-09-93   9:47p
                  SIN      COM       535 03-09-93   9:47p

  He did not say which file he ran, but one of these displayed "some
  unrelated menu" and then returned to DOS.  Apparently, Joel later
  rebooted, at which point the BOOTSAFE program (part of Central Point
  Antivirus) reported that his system had been infected with the Tequila
  virus.  Fortunately, he was able to remove the infection.  He hopes.  I
  hope so too, for his sake.


  Michael Heinbockel (2:242/316) found a file on a BBS in Hamburg, Germany,
  called PARITY.  This file renames your AUTOEXEC.BAT file to AUTOEXEC.BAK,
  creates a new AUTOEXEC.BAT file with the single line C:\DOS\PARITY.EXE,
  and then tries to copy itself to your C:\DOS\ directory.  It usually
  hangs the system during the copy attempt, resulting in the file not being
  copied.  It may be a Trojan that doesn't work, but it is still a Trojan.


  Several reports came in on yet another Trojan attack against McAfee's
  SCAN - this time, under the filename SCANV103.  The first report came via
  Eugene Woiwod (Eugen_Woiwod@mindlink.bc.ca), and full test results were
  later received from Bill Logan of The Pueblo Group (via HW Jeff White).
  As a result of this Trojan, McAfee Associates decided to skip version
  number 103, using number 104 as the release which followed SCANV102.  For
  a full text of Bill's test results, see the file SCANV103.RES in the
  archive FILETSTS.LZH, found in the archive version of The Hack Report.


  Staale Fagerland (staale.fagerland@euronetis.no) reported a file called
  CES_402, which claimed to be an antiviral program.  However, the archive
  contains two files (CES.COM and DONT_!) which are quite suspicious.
  Staale ran the CES.COM file through a program called CHK4BOMB and
  discovered that it uses ROM BIOS routines for direct disk access.  The
  file DONT_! contains several messages that relate to corrupting your FAT,
  partition table, etc., and the message, "Mate(s), it simply makes sense,
  make a backup...".


  Ashley Kleynhans (5:7101/55) reports a Trojan called DREAMDEM, which
  claims to be a demo of some sort by a computer group.  According to
  Ashley, the group named in the file descriptions is not responsible for
  creating this Trojan.  When run, the file displays several messages,
  including ones like, "found PC Speaker," "Found porno GIFs," etc., and
  finally asks whether or not you have a sound card.  Ashley answered Yes
  to this question, and received the response, "OH by the way, I trashed
  your hard disk about a minute ago."

  Ashley immediately did a DIR command on the C: drive and saw no immediate
  damage.  However, the entire disk was gone after a system reset.  Ashley
  says this is because the Trojan deletes both your hard disk partition
  table and your boot sector.  I'm not sure if this is right, but I
  wouldn't want to try it out on my system to verify Ashley's findings.

  Here is the internal file info:

                  CHECKANS COM      3585 03-10-93   2:43p
                  VGADEMO  EXE      8892 04-17-93   7:45p
                  START    BAT        17 04-17-93   1:33p

| Ian Douglas (5:7102/119) forwarded further information on what appears to
| be the same file from a report by Shane Greyvenstein (5:7102/119).  This
| file, called VGADEM1, apparently managed to delete a lot of Shane's files
| before he could stop it:  fortunately, it doesn't appear to have trashed
| Shane's disk.  However, Shane's test revealed that the file was written
| using two packages called "IntroMaker v3.0" and "Mod-OBJ," but that the
| files are encrypted so that the copyright messages for these two packages
| are not visible until after they are decrypted by the host program.


  Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his
  system was "taken down" by a file called DRAGON.  It claimed to be a
  Public Domain VGA and Sound Blaster supported game.  No symptoms were
  reported, except that he had to reformat his hard drive.

  Penny Nebrich (1:369/101) confirms this, saying that the program that was
  affected was one called Dragon's Shard.  She states that it "created what
  looked like infinite subdirectories with binary names of I think it was a
  dir name of 8 chars. McAfee's scan and Virucide just got stuck in an
  infinite loop. I had to reformat my drive."

| Bill Roark (RIME Shareware conference, via HW Richard Steiner) verifies
| that there is a legitimate file called Dragon's Shard, available under
| the filename DRAGON21.  He also states that the real program is not
| public domain, but shareware instead.
|
| So, what we have here would seem to be a pair of isolated incidents of
| an altered version of a legitimate program.  As the documentation Bill
| forwarded states, if you feel you have an altered copy of the program,
| contact the publishers with your information.  They can be reached at:
|
|                          Bit Brother Software
|                          c/o Michael Ramsey
|                          #2 Winged Foot Way
|                          Littleton CO 80123


  Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis
  Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2.
  In what might be an isolated incident, Josh says the file claimed to be a
  "really cool game, VGA gfx and SB sound."  However, the INSTALL program
  destroys hard disks.

  Bob Seaborn received a copy of this file and forwarded it to me - I in
  turn forwarded it to Bill Logan and HW Jeff White for testing.  As it
  turns out, there is an internal file called SETUP.EXE that is identical,
  byte for byte, with the file INSTALL.EXE.  Both will trash your hard
  drive with amazing speed, according to HW Jeff White.  Also, the file
  PHYLOX.EXE is flagged as a possible infected file.  For a full text of
  the test results, see the file PHYLOX.RES in the internal archive
  FILETSTS.LZH, found in the archive version of The Hack Report.


  Ryan Tucker (1:290/10) forwards a message from a fellow SysOp, Robert
  Pedersen, about ASM2PAS.  This claims to create Pascal source code from
  an .EXE file.  However, from text inside the executable, it appears that
  this program tries to delete your DOS directory.  It also brags about a
  certain anti-viral scanner not being able to detect it.

  Valid point, that:  practically _no_ anti-viral tools detect Trojans,
  with the exception of Frisk's F-Prot and one or two others.  Even then,
  the Trojan detection is not complete.  Your best protection against
  Trojans is a religiously maintained set of backups, preferably done after
  a check for viruses on your hard drive(s).


  HW Richard Steiner forwarded a message from the America OnLine GEOWORKS
  forum about the file GEOCOMM.  The message, from "GW Steve" (a "GeoRep",
  according to Richard), came from a user of GeoComm named J. S. James, and
  warned that this archive contains a hacked version of the original
  GeoComm program.  The file claims to be an "update," but it seems to be a
  Trojan which will damage your File Allocation Table (FAT).  Not a file to
  be kept around, it would seem.


  HW Bill Lambdin reports on LAW22 (no description), which contains the
  following files:

       Length    Date    Time    CRC-32  Attr  Name
       ------    ----    ----   -------- ----  ----
        22911  02-24-93  14:13  a4b84cc7 --w-  ABOUT.COM
        13422  02-24-93  14:44  8f0d1e96 --w-  INFO.EXE
          126  02-24-93  14:50  68c9463a --w-  DESC.SDI
       ------                                  -------
        36459                                        3

  Bill says that ABOUT.COM contains a virus. Scan 102 labels it as BA101,
  which is a 160 byte-long .COM file infector.  This could be an isolated
  incident of an infected legitimate file, so thoroughly check any such
  file you find that has the above files in it before you kill it.


  Another report from Mr. Lambdin concerns a file that a user in the
  Intelec PC-Security conference sent to him, called PCS204 (PC-Sentry
  v2.04).  Bill's tests show that this copy of the archive contains two
  files, INSTALSW.COM and EVERYDAY.COM, that are infected with a
  non-resident "companion" virus that utilizes the Mutation Engine.  It
  also contains the file PCS.EXE, which is infected with a virus created by
  a virus-writing group's "Mass Produce Code Generator."


  Bill also reports that our old friend, the Power Pump virus, has
  resurfaced inside a file called FX2.  Here's the archive info:

                Length   Date    Time    CRC-32  Attr  Name
                ------   ----    ----   -------- ----  ----
                 25846 01-01-92  00:00  2635e28a --w-  FX2.EXE
                  1199 01-01-92  00:00  f61885bd --w-  FX2.COM
                 17354 01-01-92  00:00  02eac55c --w-  POWER.EXE
                  1007 01-01-92  00:00  139e1291 --w-  FX2.DOC
                ------                                 -------
                 45406                                       4

  The giveaway here is the file POWER.EXE.  For a full documentation of the
  Power Pump virus, please see the 1992 Full Archive Edition of The Hack
  Report (filename HACK92FA), available from most official distribution
  sites.


  Travis Griggs (1:3807/8) forwarded a report from a local board called The
  Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen. The
  message referred to a file called BOUNCE, which she said was infected
  with the Beeper (Russian Mirror) virus.  The file, according to Travis,
  claimed to be a game.  Travis has now forwarded the file information on
  this archive:

      Filename       Original DateTime modified CRC-32   Attr BTPMGVX
      ------------ ---------- ----------------- -------- ----------
      BOUNCE.COM         4053 80-01-01 00:02:04 35C562AF A--W B 1
      BOUNCE.DAT       119101 92-11-20 23:16:10 247712A8 A--W B 0
      BOUNCE.DOC          348 92-11-20 23:21:46 B28557FE A--W B 1
      ------------ ----------
          3 files      123502


  Geoffrey Liu (1:229/15) reports in the FidoNet WARNINGS echo on a file
  called BWE.  This claims to provide a "quick and easy way to exit
  Windows."  Geoffrey forwards this file info and disassembly report from
  John Eady (1:229/15, john.eady@canrem.com):

            Name          Length   Mod Date    Time     CRC
            ============  ======== =========  ======== ========
            LICENSE.TXT       2656 14 Feb 93  22:01:14 46B50814
            ORDER.TXT         2335 12 Feb 93  12:00:18 9D1A705E
            README.TXT        3565 14 Feb 93  23:08:08 3EA7548E
            BWE.EXE          19517 14 Feb 93  23:02:34 F1729CA4
            ============  ======== =========  ======== ========
            *total     4     28073 14 Feb 93  23:08:08

  "After debugging part of the virus, the following text appears (encrypted)
  in the infected program:

        It's time for a math test curtesy of YAM!

        And the question is...

        What is 00 + 00 =

        WRONG!!!! TRY AGAIN!

        Admiral Bailey

  "This virus is self-encrypting, but does not use any stealth techniques
  (as far as I've seen). It doesn't appear to infect the boot record, or
  the boot partition record. It does not appear to infect .SYS files, or
  .OV? files.

  "If you feel you have been infected, examine any EXE or COM files that you
  believe are infected. Check the 4th and 5th bytes in a COM file for the
  characters "BA". Check the 12th and 13th bytes in a EXE file for the
  characters "BA". If you find a file like this, chances are you have been
  infected."


  Mike Wenthold (1:271/47) found a program under the filename GS2000 which
  contained the VCL 3 [Con] Virus.  The archive contains the following
  files:

               Length    Date     Time    CRC      Filename
              ======== ========= ====== ======== ============
                  1984 22-Dec-91 01:40p 3527B16B GS2000.COM
                   543 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
              ======== ========= ====== ======== ============
                  2527                           2 files.

  The compression method (on this ZIP archive) was not included in his
  data.  According to Dave Lartique (1:3800/22) and Chris Gramer
  (1:271/47), the program is an "unprotect" for MicroProse's game Gunship
  2000.  This appears to be another isolated incident of an infected
  legitimate file.


  William Gordon (1:369/104) reports BEV105, a file that claims to be a
  "Beverly Hills 90210 Adventure Game."  This file contains 8 files, but
  two seem to be the real culprits:  DORINFO.DIR and INSTALL.COM.  The
  installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
  This program asks for some sort of wildcard according to William, then
  proceeds to delete everything on your drive that matches that wildcard.
  However, it doesn't stop there:  it continues on and deletes all .bat,
  .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files.  William also
  says the file "comes with the following virii:  Bootkill and Genesis."

  A copy of this file was sent to Mr. White and Mr. Logan, who were able to
  confirm the behaviour that William reported.  For the complete results of
  their test, see the file BEV105.RES in the FILETSTS.LZH archive, included
  in the archive version of The Hack Report.


  Another report from Bill concerns a file he located called TAXTIP93.
  This archive contains a file called TAXTIP93.DAT, which the executable
  file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and
  WINDOWS directory.  The new MOUSE.COM is infected with the ADA virus.


  Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which
  was described with a very short line ("'Password,' or some other short
  word," according to Brian).  The archive contained these files:

                               PASS    .PA1
                               PASS    .PA2
                               PASS    .PA3
                               PASSWORD.COM

  Brian looked inside the .com file, which he says looks like a compiled
  batch file, and found these strings/commands:

      Please Wait While Loading;
      It may take in between 30seconds to 5 minutes
      To unshrink nessessary files
      Please Turn off Screen, and wait for the beep.
      If You do not, your screen might not function
      the way it should.
      Turn Off Screen now, and press the space bar.

      /C REN pass.pa1 pa.exe
      pass.pa2 /C DEL c:\*.*
      pass.pa2 /C DEL c:\dos\*.*
      /C REN pa.exe pass.pa1
      pass.pa3 FORMAT
      c:
      /C CLS

  As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed
  with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program.  PASS.PA2
  contains the single letter 'Y', and PASS.PA3 contains the single word
  'Yes'.  From the looks of things, this turns out to be a multipartite
  Trojan that attempts to format (what else?) your hard drive.


  Another multipartite Trojan was spotted by James Frazee (1:343/58), under
  the filename ADD_IT.  It contains these files:

                  Name of File    Size  Date
                  ADD_IT.ARJ     40888 02-11-93
                  =======================================
                  ADDIT1   DAT     34283 07-20-91   2:13a
                  ADD_IT   ANS       646 02-11-93   8:31p
                  ADDIT2   DAT     20634 04-09-91   5:00a
                  ADDIT    DOC       177 02-11-93   7:28p
                  ADDIT    COM      1391 02-11-93   8:14p
                  ADDIT3   DAT       138 02-11-93   8:13p
                  THEDRAW  PCK       650 02-11-93   8:31p

  When run, ADDIT.COM merges the three .DAT files into an .EXE file.  The
  end result was that the program deleted all of the files in the directory
  in which it was run.


  John Balkunas (1:107/639) forwards information on GIFCHECK.  He reports
  that Lance Merlen (1:107/614) received an upload of this file, which,
  when checked with McAfee's ViruScan v100, reported over 5 viruses in the
  files in the archive.  No internal archive data was provided, so it is
  hard to say whether or not this is an isolated incident.


  Zack Jones (1:151/173) reports a file called GAGS which was seen in the
  San Antonio area.  The file, described as "Some Christmas practical
  jokes," was analyzed by Bill Dirks (1: 385/17) and confirmed as a Trojan.
  The program grabs control of several interrupt vectors, including the
  critical error handler.  The only way to stop it once it starts is to hit
  the reset button or power down.

  When invoked, it displays a countdown from 8 to 0, which corresponds to
  drives H through A, in that order.  For each found drive, it overwrites
  the first 255 sectors with random data from a block of memory.  To add
  insult to injury, if drives B and A are empty, you are prompted to insert
  disks (so that they can be trashed as well).

  After this, the Trojan displays the message, including something like,
  "the disk was trashed but it's only a joke and they are only kidding."
  It then prompts you to reboot, which is rather hard to do unless you have
  a bootable "panic disk" floppy on hand - you certainly won't be able to
  boot from your HD.

  Bill says that if your HD is smaller than 60 megs, you're better off
  trying to recover your disk from scratch.  Between 60-120 megs, you have
  a better chance of recovery via disk utilities:  over 120 megs, you
  should be able to accomplish a complete recovery if you're careful and
  you know what you're doing.

  Bill posted the following scan string that can be used to detect this
  Trojan - if your scanner can use external strings, be sure to read the
  instructions carefully before trying to add this:

               9A46027205B003B9FF00BA0000CD26

  If your scanner requires a name for the string, Bill suggests using
  "AlamoXmasTrojan."


  This Trojan report comes from an article in MacWeek magazine, Volume 7,
  Number 2, issued January 11, 1993.  The article, posted in the FidoNet
  VIRUS_INFO echo by Robert Cummings, states that a program called CPro
  1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
  shareware compression utility), will reformat any floppy in drive 1 and
  tries to reformat the user's start-up hard drive when launched.

  The file can be identified by a 312K sound resource file called "log
  jingle," which is digitized sound from the Ren and Stimpy cartoons.


  Other previously reported Trojans:

  Filename  Claimed use/Actual activity/Reporter(s)
  ========  ==============================================================
  AANSI100  Claims to add Auto-ANSI detect to Telegard BBSs - contains
            something called the "Malhavoc Trojan," which displays a verse
            from a Toronto band and attacks files/sectors on drives C:
            through F:.  Reported by HW Todd Clayton and by George Goode
            (1:229/15).

  ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
            Doodle and AntiChrist viruses.  Can trash hard drives as well
            through Trojan behaviour.  Reported by Bill Dirks (1:385/17),
            and under the filename RUNME by Stephen Furness (1:163/273).

  AVENGER   Advertised as an "amazing game that supports all kind of sound
            cards...."  Contains 2 internal password-protected .ZIP format
            files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by
            the program to the files RUNTIME1.COM (N1 virus) and
            RUNTIME2.COM (Anthrax virus).  From Reinhardt Mueller, via
            HW Bill Lambdin.

  BATMAN    No claim reported - searches your DOS path and tries to "delete
            the executable file that loads WildCat BBSs."  Reported by
            James Powell (Intelec PC-Security Conf.), via HW Bill Lambdin.

  CHROME    Possible isolated incident - contains a file, FGDS.COM, which
            contains text that says "Skism Rythem Stack Virus-808."
            Reported by Richard Meyers and forwarded by Larry Dingethal
            (1:273/231).

  DBSOUND   Possible isolated incident - claimed update of the Drum
            Blaster .MOD file player.  Deletes all files in the current
            directory and all of its subdirectories.  From "Khamsin #1
            @9168*1", forwarded by HW Ken Whiton and HW Bill Dennison,
            from Ken Green of the CentraLink BBS.

  DRSLEEP   Reported as a "cheap virii (sic)", but actually appears to be
            a Trojan:  deletes your COMMAND.COM file when run.  Reported
            by Matt Hargett (1:2430/1532).

  GRAFIX    Possible isolated incident - contains the file WAIT.COM, which
            is a renamed copy of DELDIR.COM, a directory remover and file
            deletion tool.  Reported by Andreas Reinicke (2:284/402).

  LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
            reports as being infected with the VCL virus when checked with
            McAfee's ViruScan v95.  Reported by Mike Wenthold (1:271/47).

  MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
            key of your keyboard to invoke DEBUG and create a couple of
            Trojans from script files.  Reported by Bill Dirks.

  OPTIBBS   Aimed at RemoteAccess BBS systems - archives your USERS.BBS
            list and places it in your download directory.  Reported by
            HW Nemrod Kedem.

  QOUTES    Not a misspelling - claimed Christmas quotation generator.
            Overwrites the first 128 cylinders of your first HD, requiring
            a low level format to overcome the damage (IDE drives may need
            to go back to the factory).  Reported by Gary Marden
            (2:258/27).

  QSCAN20   Claimed small virus scanner - when run, identifies itself as
            "being a stealth bomber" and attacks your hard drive's FAT.
            Reported by Art Mason (1:229/15).

  RA111TO2  Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
            the OPTIBBS file reported above.  Reported by Peter Janssens
            (2:512/1).

  RAFIX     "Fixes little bugs" in RemoteAccess - program contains the
            string "COMMAND /C FORMAT C:" internally.  Reported by Sylvain
            Simard (1:242/158).

  RAMANAGE  Claimed USERS.BBS manager for RemoteAccess - yet another
            file that makes an archive of this file (MIX1.ARJ or WISE.ARJ)
            and places it in a download directory.  Reported by Peter
            Janssens.

            NOTE - Peter Hoek (2:281/506.15) reports a program that does
            the same thing, but uses the archive name RUNNING.ARJ to
            hold the USERS.BBS file.  No name of the Trojan was supplied.

  REAPER    ANSI bomb - remaps the keyboard to force file deletion and
            hard disk formatting - also generates insults.  Reported by
            Victor Padron (1:3609/14), via Rich Veraa (1:135/907).

  REDFOX    Batch file which deletes all DOS and system files.  Reported
            by Mike Wenthold.

  ROLEX     Possible isolated incident of an infection by the Keypress
            [Key] virus.  Reported by David Gibbs, via Michael Toth
            (1:115/220).

  SCOMP     Advertised as a compression utility.  Passes scans unless you
            check data files - loads a file called SCOMP.DAT to create
            CASPER.COM, which is apparently the Casper virus.  Reported by
            Terry Goodman (U'NI Net virus conference), via HW Bill Lambdin.

  SBBSFIX   Tries to format drive C: - contains two files, SBBSFIX.EXE and
            COM_P.OVL.  Reported by Clayton Mattatall (1:247/400).

  SPEED     Claims to "check your PC speed" - actually deletes all files
            on drive C:, including directories.  Reported by HW Nemrod
            Kedem.

  TDRAW460  A "modified" copy of a legitimate release of TheDraw v4.60 -
            the archive had a ZIP Comment which contained an ANSI bomb, and
            an internal file called UFO!.COM would reformat your hard drive
            unconditionally.  Reported by Matt Glosson, via Michael Toth
            (1:115/439.7).

  XYPHR2    No claim - contains the Power Pump companion virus (documented
            in the 1992 Full Archive of this report).  Reported by Mark
            Histed (1:268/332).

  YPCBR101  A copy of this file, uploaded to Simtel-20 and the oak mirror
            on archie.au, contained an infection of the Dark Avenger
            virus in the file YAPCBR.EXE.  Was supposed to be re-released
            as a clean archive.  Reported by John Miezitis (Internet,
            John.Miezitis@cc.utas.edu.au).

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  =======                 ===============     ===========
  2400 A.D. (game)        2400AD              Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)

  3-D Pool                3DPOOL              Michael Gibbs (via HW Bill
                                               Lambdin)

  4DOS v4.02 (reg.)       4DOS402R            HW Scott Raymond
                          4DOSREG

  Alone in the Dark       ALONEDEM            Mark Mistretta (1:102/1314)
   (full game-not a demo)

  ArcMaster (registered)  AM91REG             HW Scott Raymond
                          AM92REG

  Arctic Fox (game, by    AFOX                from the Meier/Morlan List,
   Electronic Arts)                            conf. by HW Emanuel Levy
                                               and Brendt Hess (1:105/362)

  Arkanoid II: Revenge    ARKNOID             James Crawford (1:202/1809)
   of DoH (game)

  Atomix (game)           ATOMIX_             HW Matt Kracht

  A-Train by Maxis        ATRAIN1  through    Chris Blackwell of Maxis
                          ATRAIN6, also        (zoinks@netcom.com)
                          A-TRAIN1 through
                          A-TRAIN6

  BannerMania             BANMANIA            Harold Stein (1:107/236)

  Battle Chess            CHESS               Ron Mahan (1:123/61)

  BeetleJuice (game)      BEETLE              Mark Harris (1:121/99)
                          BETLEJUC            Jason Robertson (1:250/802.2)
                          BJUICE              Alan Hess (1:261/1000)
                          BJ                  Bill Blakely
                                               (RIME Shareware echo)
                          BTLJWC              the Hack Squad
                                               (1:124/4007)

  Big Bird (game?)        BIGBIRD             Cindy McVey, via Harold Stein

  Budokan: the Martial    BUDOKAN             Michael Gibbs (Intelec, via
   Spirit (game)                               HW Bill Lambdin)

  Caveman Ninja           CAVEMAN             Dave Lartique (1:3800/22),
                                               ver. by HW Emanuel Levy

  Check-It PC             CHECKIT             HW Bert Bredewoud
   Diagnostic Software    CHKIT20             HW Bill Lambdin

  Cisco Heat (game)       CISCO               Jason Robertson

  Commander Keen Pt. 5    _1KEEN5             Scott Wunsch (1:140/23.1701)
                          KEEN5E              Carson Hanrahan (CompuServe,
                                               71554,2652)

  CompuShow GIF Viewer    CSHW860B            HW Scott Raymond

  Copy II PC              COPYPC70            Ryan Park (1:283/420)

  Cyber Chess             C-CHESS             Shane Paul, RIME, via HW
                                               Richard Steiner

  Darkside (game)         DARKSIDE            Ralph Busch (1:153/9)

  DiskDupe Pro v4.03      DD403PRO            Jan Koopmans (2:512/163)

  Energizer Bunny Screen  ENERGIZR            Kurt Jacobson, PC Dynamics,
   Saver for Windows                           Inc., via HW Bill Dennison

  FAST! Disk Cache        FAST_1V4            Ryan Park (1:283/420), via
   v4.03.08                                    HW Bill Lambdin

  Family Feud (game)      FAM-FEUD            Harold Stein

  F-Prot Professional     FP206SF             Mikko Hypponen
                                               (mikko.hypponen@compart.fi)

  GEcho Mail Tosser       GE_1000K            HW Scott Raymond
|                         GE_100CK

  GifLite 2.0 (regist.)   GL2-ECR             HW Scott Raymond

  Golden Axe (game)       GOLDAXE             Harold Stein

  HyperWare Speedkit      SPKT460R            HW Scott Raymond
   v4.60 (registered)

  Ian Bothams Cricket     IBCTDT              Vince Sorensen (1:140/121)

  Intelcom Modem Test     TESTCOM             from the Meier/Morlan List,
   Utility (dist. with                         confirmed by Onno Tesink
   Intel modems)                               (RIME, via HW Richard
                                               Steiner)

| Intermail Mailer v2.21  IM221U              HW Scott Raymond

  Jetsons (game)          JETSONS             Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)

  Jill of the Jungle      JILL2               Harold Stein
   (non-shareware files)  JILL3
                          $JILL2              HW Bert Bredewoud
                          $JILL3

  Killing Cloud (game)    CLOUD               Mike Wenthold

  Kings of the Beach      VBALL               Jason Robertson
   (game)

  Life & Death (game)     L&D1                Harold Stein
                          L&D2

| List Enhanced           LIST8               Richard Dale (1:280/333)

  MegaMan (game)          MEGAMAN             HW Emanuel Levy

  Microsoft Flight        FS                  Michael Gibbs (Intelec, via
   Simulator                                   HW Bill Lambdin)

  MS-DOS 6.0              MSDOS6-1            Harold Stein
                          MSDOS6-2
                          MSDOS6-3

  Oh No, More Lemmings    ONMLEMM             Larry Dingethal (1:273/231)
   (complete-not demo)

  Over the Net            OTNINC1             Tim Sitzler (1:206/2708)
   (volleyball game)

  PGA Tour Golf           GOLF                HW Bill Lambdin

  PKLite (registered)     PKL15REG            HW Scott Raymond

  PKZip v2.04c            PK204REG            HW Scott Raymond
   (Registered)

  PKZip v2.04c            PKZCFG              Mark Mistretta (1:102/1314)
   Configuration Editor

  PKZip v2.04e            PK204ERG            HW Scott Raymond
   (Registered)

  PKZip v2.04g            PKZ204R             HW Bill Dennison
|  (Registered)           PKZ204GR            HW Jason Robertson

  Populous (game)         POPULOUS            Harold Stein

  The Price is Right      PRICE               Harold Stein
   (game)

  Prince of Persia        PRINCE              Kenneth Darling (2:231/98.67)
                                              Eric Alexander (1:3613/10)
                                              HW Emanuel Levy

  PrintShop               PSHOP               Michael Gibbs, Intelec, via
                                               HW Bill Lambdin

  Psion Chess             3D-CHESS            Matt Farrenkopf (1:105/376)

  Pyro! PC                DOSPYRO             Jay Kendall (1:141/338), via
   (Fifth Generation)                          HW Scott Raymond

  Q387 (registered)       Q387UTG             Michael Toth (1:115/439.7)

  QModem Pro              QMPRO-1             Mark Mistretta
                          QMPRO-2

  QuickLink II Fax v2.0.2 QLINK1              Carson Hanrahan (CompuServe,
                          QLINK2               71554,2652)

  Rack 'Em (game)         RACKEM              Ruth Lee (1:106/5352)

  Microsoft Ramdrive      RAMDRIVE            Barry Martin (Intelec, via
                                                HW Bill Lambdin)

  Sequencer Plus Pro      SPPRO               Tom Dunavold (Intelec,
                                               via Larry Dingethal)

  Shadow Warriors (game)  SHADOWG             Mark Mistretta

  Sharky's 3D Pool        POOL                Jason Robertson (1:250/801)

  Shez (Registered)       SHEZ84R             Eric Vanebrick (2:291/712)
                          SHEZ85R             HW Scott Raymond
                          SHEZ87R
                          SHEZ88R
                          SHEZ89R

  SideKick 2.0            SK3                 Harold Stein

| SimCity (by Maxis)      SIMCITY1            Peter Kirn, WildNet Shareware
|                         SIMCITY2             conf., via HW Ken Whiton
|                         SIMCITY3
                          SIM_CITY            Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW            Scott Wunsch

  Smartdrive Disk Cache   SMARTDRV            Barry Martin (Intelec, via
                                                HW Bill Lambdin)
                          SMTDRV40            Michael Toth (1:115/220)

  Squish 2.1              SQUISH              Jason Robertson (1:250/802.2)
   (Sundog Software)      SQUISH21            Several (ver. by Joe Morlan)

  Star Control Vol. 4     STARCON             Carson M. Hanrahan
                                               (CompuServe 71554,2652)

  Streets on a Disk       STREETS             Harvey Woien (1:102/752)

  Teledisk (files         TDISK214            Mark Mistretta
   dated after Apr. 1991)
                          TELE214R            Staale Fagerland (Internet,
                                             staale.fagerland@euronetis.no)

  TheDraw v4.61 (reg.)    TDRW461R            HW Scott Raymond

  Vegas Casino 2 (game)   VEGAS2              The Hack Squad

  VOpt Disk Defragmenter  VOPT30              The Hack Squad

  VPic v6.0 (registered)  VPIC60CR            HW Scott Raymond

  Wheel of Fortune        WHEEL               Harold Stein

  Where in the USA is     CARMENUS            Cindy McVey, via Harold Stein
   Carmen Sandiego?

  Where in Time is        CARMENT             Cindy McVey, via Harold Stein
   Carmen Sandiego?

  WinWay Resume for       WINRES              Erez Carmel (CompuServe,
   Windows                                      70523,2574)

  World Class Rugby       WCRFNTDT            Vince Sorensen

  ZipMaster (registered)  ZM31REG             HW Scott Raymond

  =========================================================================

                      ?????Questionable Programs?????

| This section of The Hack Report is for the "misfits" - in other words,
| files that are hacks, hoaxes, Trojans, or pirated, but either do not
| quite fit into one of the main sections of the report or require more
| explanation than the format of the appropriate section allows.  The extra
| material presented here is usually included for a good reason, so please
| take the time to read at least the new entries quite carefully.  Also, if
| you have any input on any of the listed files, do not hesitate to send it
| in to your Hack Squad.


| Harvey Woien (1:102/752) forwarded a report from a user of The
| Motherboard (Vern Buerg's BBS), Ted R. Marcus, about a version of the
| Microsoft Mouse Driver claiming to be version 9.0.  Your Hack Squad has
| found a copy of the same archive Ted reported on, and confirms some of
| his observations on the file (MOUSE900), quoted here:
|
| 1.  Microsoft Diagnostics and InfoPlus report this "9.00" driver as
|     version 8.00.  The latest "official" version of which I am aware is
|     8.20a.
|
| 2.  The "new" driver is significantly smaller than version 8.20a.
|
| 3.  The "new" driver supports the undocumented /U switch (which loads
|     much of the driver into the HMA).  Version 8.0 and 8.1 supported this
|     feature, but Microsoft removed it from version 8.2 (shipped with DOS
|     6.0).  The support for the /U switch suggests that the driver is, in
|     fact, version 8.0.
|
| 4.  Examining the MOUSE.COM driver file reveals one instance where the
|     version number (repeated in the initialization message for each
|     language the driver supports) is "9.40".  That indicates either
|     uncharacteristic sloppiness on the part of Microsoft -- or, more
|     likely, sloppiness on the part of a hacker.
|
| Compounding this matter is the fact that this file is a commercial
| product of Microsoft (as reported in previous issues of this report) and
| is not supposed to be distributed via BBS systems.


  Yet another file that doesn't fit into any of the report categories: a
  report from Wen-Chung Wu (1:102/342) concerns the archive PKLT120R, which
  claims to be version 1.20 of PKLite.  This is actually PKLite
  Professional v1.12, a commercial product, which has been hacked to show
  version 1.20 instead of 1.12.  To make matters worse, the PKLITE.EXE file
  was compressed "by PKLITE itself more than three times and once by
  LZEXE."  So, what we have here is a hack of a pirated commercial file -
  jeez, this job gets confusing at times. ;-)


  Here's an update on the report from Bud Webster (1:264/165.7) on the
  Apogee game being distributed under the filename BLOCK5.ZIP.  As reported
  by Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and Dan
  Stratton (via HW Ken Whiton), this program was part of an Apogee disk
  called the "Super Game Pack," and that it is a game called "Block Five."
  Joe Siegler (1:124/9006), the online support representative for Apogee
  Software Productions, confirms this, and states that the majority of the
  games on this disk, including this one, have been officially
  discontinued.  The official company stand is that this game should not be
  distributed via BBS systems, as it is no longer supported in any way by
  Apogee Software Productions.  Thanks to everyone who helped on this one.


  HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
  called BIBLEPR (no description available) that appears a bit suspicious.
  The file contents are:

                Length  Time    CRC-32  Attr  Name
                ------  ----   -------- ----  ----
                 34176  11:26  d267f5de --w-  BIBLEPR.COM
                158493  00:04  4298ac2d --w-  DATAPR-0.DAT
                158493  00:04  d87adf4b --w-  DATAPR-1.DAT
                158493  00:08  1213c6b3 --w-  DATAPR-2.DAT
                159764  00:08  38d7cc06 --w-  DATAPR-3.DAT
                  1572  24:05  3a60c80e --w-  BIBLEPR.DOC
                ------                        -------
                670991                              6

  When BIBLEPR.COM executes, Bill says it displays the following message:

                        Greets from DOA!

        Don't say I didn't warn you! You are also busted!

        Expect a visit from the SPA!

        Omni, I will avenge you!

  Bill's disassembly shows the file contains two INT 26 calls, which are
  DOS Absolute Disk Write instructions.  He said that if it contains a
  virus, he was unable to get it to replicate.  A copy of the archive has
  been sent to Glenn Jordan at Datawatch Software for testing.


  Here's an interesting point, brought to my attention by HW Richard
  Steiner and John Weiss of the RIME Shareware Conference.  In previous
  issues, I have listed two files, QM60IST1 and QM60IST2 (reported by
  Francois Thunus, 2:270/25), as pirated copies of QModem v6.0.  However,
  Richard and John quite correctly point out that there was no release of
  QModem v6.0 - the program changed to QModem Pro after v5.

  From what Francois reported, I believe that what he saw was indeed Qmodem
  Pro, now a commercial-only program.  However, it was "released" under the
  above filenames.  So, is it a Hack?  Pirated File?  Or what?  Doesn't
  matter - it shouldn't be distributed.  Thanks, Richard and John, for
  making me fully engage my brain for a change. <grin>


  HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
  (615)966-3574) in the ILink VIRUS FILE conference about the archive
  ASCDEMO.  Marshall says that McAfee's ViruScan doesn't detect any
  infection until after you run it and it has infected other files.  No
  further information was supplied, other than the internal filenames
  (ASCDEMO.DOC and ASCDEMO.EXE).  I need further data on this before I can
  list it in the Trojan Wars section, so please advise if you have any.


  HW Emanuel Levy says the file IM, reported by Michael Santos in the
  Intelec Net Chat conference and listed in the 1992 Full Archive edition
  of The Hack Report.  Michael's report was a "hearsay" report from one of
  his friends, and stated that the IM screen saver file caused a viral
  infection.

  Emanuel says the file is an "outer space screen saver," currently under
  the filename IM17.  Scott Wunsch (1:140/23.1701) says the program name is
  "Inner Mission," and he currently has version 1.6.  In both cases, the
  files were clean.

  So, it looks like either Michael's friend's system became infected from a
  different source than the IM file, or that an isolated incident of an
  infected IM is involved.  No way to tell at this writing.


  Long time readers of this report will remember a question concerning the
  status of a screen saver called TUNNEL.  Ove Lorentzon (2:203/403.6) and
  Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
  Steiner) both stated that the program was an internal IBM test program
  and was not intended for outside distribution.

  Your Hack Squad has received word from the author of the program, Dan
  Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
  the program has never been released to the general public.  According to
  Dan, "it is still owned by IBM, and as such has been given the IBM
  security classification 'IBM Internal Use Only' which means what it says:
  the program is not for distribution to non-IBM employees."

  Dan also says that several other "Internal Use Only" programs have been
  "leaked" to the outside world, which implies that these files should not
  be posted for download.  One such program was originally called Dazzle
  (NOT to be confused with the other popular DAZZLE screensaver), but has
  entered BBS distribution under the filename O-MY-GOD (also seen as OMG,
  per Michael Burkhart (RIME address CENTER, via HW Richard Steiner).
  However, note that the O-MY-GOD/OMG file was hacked, according to Dan, so
  that all of the "Internal Use Only" references were removed.

  Another is a program that is usually included inside other archives:  the
  program name is PLAYANI.  Dan says this has been distributed "along with
  various animations," and also falls under the same Internal
  classification.

  A prime example of this is an archive called BALLS (not what you think).
  This is an animation of multiple chrome spheres rotating around each
  other above a red and white checkerboard platform.  In this case, both
  the player (PLAYANI) _and_ the animation are the property of IBM and are
  not intended for BBS distribution.

  Again, to quote Dan, "None of these programs are for external
  distribution; all are owned by IBM and are only for use inside IBM by IBM
  employees."  Thanks to Dan for all of his help.


  Donn Bly has cleared up the question on the status of the Sydex program
  TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
  Donn was kind enough to mail a copy of a letter sent to him by Sydex
  explaining that Teledisk is no longer shareware.  Here is an excerpt from
  the letter:

       "Effective April 1991, TeleDisk is no longer a shareware
       product.  After long consideration, we decided to
       discontinue our offering of the shareware edition of
       TeleDisk, and license it only as a commercial product.

       "Commercial licenses of TeleDisk are available from Sydex at
       $150 a copy.  All shareware distributors and BBS sysops who
       take time to check their sources are requested to remove
       TeleDisk from shareware distribution."

  The letter is signed by Miriam St. Clair for Sydex.  To summarize, Sydex
  is no longer accepting shareware registrations for TeleDisk, and asks
  that it be not be made available for download from BBS systems.

  Thanks to Donn for his help in this matter.


  HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
  Barnes of Mustang Software, Inc., about a "patch" program aimed at
  OffLine Xpress (OLX) v1.0.  The patch is supposed to allow OLX to
  read and reply to Blue Wave packets, along with a lot of other seemingly
  unbelievable feats.  Gwen Barnes did not seem to know of the patch, but
  published the following advice in the WildNet SLMROLX conference to
  anyone considering trying it:

    1. Make a complete backup of your system.
    2. Make sure you've got all the latest SCAN stuff from McAfee
    3. Try it, keeping in mind that it more than likely does nothing
       at all, or is a trojan that will hose your system.
    4. Get ready to re-format and restore from backups if this is in
       fact the case.

  No filename was given for this patch.  If anyone runs across a copy of
  it, please contact one of The HackWatchers or myself so that we can
  forward a copy to MSI for testing.


  HW Bill Lambdin reports that someone has taken all of McAfee Associates'
  antiviral programs and combined them into one gigantic (over 700k)
  archive.  He did not say whether the files had been tampered with, but he
  did send a copy to McAfee for them to dissect.  The file was posted under
  the filename MCAFEE99.  I would not suggest downloading this file:  as a
  matter of fact, this reporter prefers to call McAfee's BBS directly when
  a new version of any of their utilities comes out.  I highly recommend
  this method, since it insures that you will receive an official copy.


  HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:124/4007).

  =========================================================================

                            Information, Please

  This the section of The Hack Report, where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send it in: operators are standing
  by.


| HW Bob Seaborn forwarded a message from Kevin Haverstock (via Tom Scott,
| 1:140/47) about a file called TCM_V511.  This was described as "The
| Configuration Manager," a system configuration utility.  Kevin's report
| said that once you finish running the setup, your computer reboots and
| you get a prompt that "scrolls your screen and locks up your system."  He
| was unable to access his hard drive after booting from a system disk - a
| reformat was required.
|
| I am familiar with a legitimate shareware program called The
| Configuration Manager, but not under version number 5.11, nor under the
| above filename.  I can't be sure if Kevin's problems were the result of a
| hardware error, user error, or an isolated incident of a tampered
| archive.  If anyone has any information on what could have caused this,
| please enlighten me.


| Mark Harris (1:121/26.1) found a pair of archives called DEATH_1 and
| DEATH_2 on a local system.  The files were described as a new Apogee game
| called Deathbringer.  The archives contained no documentation, and all
| program files were dated 1990 or 1991.  When run, the game displayed the
| name "Deathbringer," but gave no company or copyright information.  Scans
| by McAfee's ViruScan and Frisk's F-Prot proved negative.
|
| As an Apogee Tech Support Specialist, I can verify that this is not a
| product of Apogee.  Mark's opinion is that this is a hack of a commercial
| game, but there was not enough information to positively confirm this.
| Any input would be appreciated.


  Harold Stein (1:107/236) found a file called STETRIS, claiming to be a
  Super Tetris game.  He says that there was a shareware version of this
  that was released about a year ago, but has since been renamed due to a
  conflict with a commercial game of the same name.  He is not sure whether
  or not he found the old shareware file or a pirated copy of the
  commercial file.  The archive (in .zip format, presumably using v2.04g)
  was 55,318 bytes long, and the archive date had been "touched" by the BBS
  it was uploaded to, forcing it to March 23, 1993 (Editorial: this renders
  filedates rather useless, IMHO. -lj)  Does anyone know which version
  Harold has seen?  If so, please advise.


  Peter Hempel (1:229/15) posted a message in the FidoNet Echo VIRUS about
  the file BREAKIT!, which was described as follows:

  BREAKIT!.ZIP  6714  03-29-93  (CRS) A Gw-Basic Code And Cipher Program
                                Allowing You To Enter Ascii Characters, To
                                Save Them, And To Encode And Decode.

  Peter claims that this program erased his root directory, but says he was
  able to recover everything by booting from a write-protected system disk
  and using the Norton Utilities UNERASE command.  The archive contents are
  as follows:

   Name         Original Method     Packed CR%   Date     Time   CRC
   ============ ======== ======== ======== === ======== ======== ========
   BREAKIT!.BAS     4453 Implode      2604  58  1-24-93 11:25:24 42CA0CE4
   CODEFILE.FIL     1240 Implode       550  44  3-28-92 10:52:44 B6ADEB20
   PRINTME.BAT        31 Stored         31 100  1-24-93 11:54:12 965CF8AE
   VIEW.COM          958 Implode       876  91  3-19-92 19:11:46 47C5E5EF
   README.BAT         30 Stored         30 100  1-24-93 11:52:32 95294A43
   BRK.BAT            40 Stored         40 100  1-24-93 11:53:32 FC9F3B2E
   BREAKIT!.DOC     2679 Implode      1440  54  1-24-93 11:56:06 EC302AFA
   ============ ======== ======== ======== === ======== ======== ========
          7         9431 ZIP          5571  59  1-24-93 11:56:06

  He did not say which file did the damage.  I do not know if this is a
  Trojan or an infected file - in either case, it may well be an isolated
  incident.  Test results would be greatly appreciated.


  Lowell Shatraw (1:315/6) states that there may be two pirated commercial
  fax programs floating around under the filenames FAX and PC_FAX.  The
  archives he reported on were in ARJ format and were 447,693 and 101,089
  bytes long, respectively.  The file dates were Dec. 4, 1992, and May 26,
  1992 - no way to tell if the BBS "touched" the filedates.  Lowell is also
  not sure which commercial products these may be.  If you happen to run
  across one or both of these, please look inside them - if they are
  commercial, please let me know (after you delete your copies, of course!
  <g>).


  A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13)
  states that he had a user upload a file called TAG-NFO, which turned out
  to be a Trojan.  No details about the Trojan were given, so any
  confirmation of this would be appreciated.


  HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
  Conference about two files.  The archives, called PHOTON and NUKE, are
  possibly droppers, containing a file called NUKE.COM which "will trash
  your HD."

  Pat Finnerty (1:3627/107) sent a reply to the last report of this,
  stating that he has a copy of a PC Magazine utility called NUKE.COM,
  which is used to remove subdirectories which contain "nested subs,
  hidden, read-only (you name it)."  He says that the command NUKE C:\ will
  effectively delete everything on a hard drive, with no chance of repair.
  This is merely the way the program is designed.

  I do not know if this is what happened in Mario's case, or if Mario
  actually found a copy (read: isolated incident) which was infected. Bill
  has asked Mario for further information, and I would like to echo his
  call for help.  If you know of this, please lend a hand.


  Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
  echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
  Rich Bongiovanni.  Rich reports that there is a file floating around
  called DEMON WARS (archive name DMNWAR52) that is "infected with a
  virus."  If true, this may be an isolated incident.  I would appreciate
  confirmation on this.


  Greg Walters (1:270/612) reports a possible isolated incident of a
  problem with #1KEEN7.  When he ran the installation, he began seeing on
  his monitor "what looked like an X-rated GIF."  The file apparently
  scanned clean.  Any information on similar sightings would be
  appreciated.


  A report from Todd Clayton (1:259/210) concerns a program called
  ROBO.EXE, which he says claims to apparently "make RoboBoard run 300%
  faster."  He says he has heard that the program fools around with your
  File Allocation Table.  I have not heard any other reports of this, so I
  would appreciate some confirmation from someone else who has seen similar
  reports.


  Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
  possible hack of FEBBS called F192HACK.  I have not seen this file, nor
  has the author of FEBBS, Patrik Sjoberg (2:205/208).  He forwards the
  file sizes in the archive, reported here:

        Name          Length      Mod Date  Time     CRC
        ============  ========    ========= ======== ========
        FEBBS.EXE       220841    09 Mar 92 21:17:00 96D2E08D
        014734.TXT        1403    26 Aug 92 01:59:18 3B9F717F
        ============  ========    ========= ======== ========
        *total     2    222244    26 Aug 92 01:59:24

  Kelvin says the .TXT file is just an advert for a BBS, so it is "not
  relevant!".  As I said, the author of FEBBS has never seen this file, so
  I've asked Kelvin to forward a copy of it to him.


  Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
  Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley,
  the author of Maximus, says he did not write any programs that have these
  names, but he does not know whether they are or are not legitimate third
  party utilities.  I have requested further information from Andrew on
  this topic, and would appreciate anyone else's information, if they have
  any.


  Yet another short warning comes from David Bell (1:280/315), posted in
  the FidoNet SHAREWRE echo, about a file called PCPLSTD2.  All he says is
  that it is a Trojan, and that he got his information from another
  "billboard" and is merely passing it on.  Again, please help if you know
  what is going on here.


  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.


  Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
  Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
  whether or not Mr.  Mills had seen the file.  Mr.  Jung has repeated that
  the latest version of ARJ is v2.30 (however, there is a legitimate public
  "pre-release" version numbered 2.39f).  It is possible that the
  references Greg saw about 2.33 were typos, but you never know.  Please
  help your Hack Squad out on this one - if you see it, report it.

  =========================================================================

                           The Meier/Morlan List

  Here is the current status of the files contained in the Meier/Morlan
  List.


  Shane Paul of Softdisk Publishing (RIME, via HW Richard Steiner),
  comments on the SLORDAX game:

    "If the SLORDAX game if by Gamer's Edge and copyrighted by Softdisk
     then it is a pirated copy."

  I can't be sure that this is the case, so the file stays on the list
  until someone can verify this.


            === Previous comments on the files in the list: ===

  Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
  Simulator by Mindscape, Inc.  He says that he hasn't seen anything from
  them in quite a while, and doesn't know if the company is still in
  business.


  Here are the remaining unresolved reports from HW Emanuel Levy:

  "387DX  - sounds like a Math Co-Processor emulator - might be legit

  "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
  down the screen to patrons and then have to pick up the returning mugs
  and they leave tips, then it is Tapper. Or it may be an OLD game
  published in Compute Mag. If it is the one from Compute only those who
  have the Compute issue with the game in it are allowed to have a copy.

  "Harrier is either Harrier Jiump Jet or Space Harrier from Sega wich came
  out for the Commodore 64 in 89 so I would assume it came out for IBM
  around then too.

  "Gremlins- There was an Gremlins Text Adventure and a Video Came for the
  computer. The video game was put out by Atari

  Thanks, Emanuel.


  For those who have missed it before, here is what is left of the list of
  files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
  of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system.  Joe
  says Wes keeps a bulletin of all rejected files uploaded to him and the
  reasons they were rejected.  Joe also says he cannot confirm or deny the
  status of any of the files on the list.

  There are some that I am not familiar with or cannot confirm.  These are
  listed below, along with the description from Wes Meier's list.

  Due to the unconfirmed nature of the files below, the filenames are not
  included in the HACK????.COL and HACK????.IDX files that are a part of
  the archive of The Hack Report.  I would appreciate any help that
  anyone can offer in verifying the status of these files.  Until I receive
  verification on them, I will not count them as either hacks or pirated
  files.  Remember - innocent until proven guilty.

  My thanks go to Joe and Wes for their help.

        Filename  Reason for Rejection
        ========  =============================================
        BARKEEP   Too old, no docs and copyrighted with no copy
                  permission.
        HARRIER   Copyrighted.  No permission to copy granted.
        SLORGAME  Copyrighted.  No docs.  No permission to copy
                  granted.
        NOVELL    Copyrighted material with no permission to
                  BBS distribute
        DRUMS     I have no idea if these are legit or not.  No
                  docs.
        GREMLINS  No documantation or permission to copy given.
        CLOUDKM   A hacked commercial program.
        MENACE    Copyrighted.  No docs.  No permission to copy
                  granted.
        AIRBALL   A hacked commercial program.
        SNOOPY    Copyrighted.  No docs.  No permission to
                  copy granted.
        SLORDAX   Copyrighted.  No docs.  No permission to
                  copy granted.
        ESCAPE    Copyrighted.  No docs.  No permission to
                  copy granted.
        BANNER    Copyrighted.  No docs.  No permission to
                  copy granted.
        387DX     Copyrighted.  No docs or permission to
                  copy granted.
        WINDRV    Copyrighted.  No permission to copy granted.

  =========================================================================

                                  Help!!!

  Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
  The Hack Squad for testing/verification please re-identify themselves via
  NetMail?  Somehow, your message went to the great Bit Bucket in the sky.
  Thanks in advance!

  =========================================================================

                         Clarifications and Thanks

  Folks, the LHA mystery has finally been resolved, thanks to Scott Fell
  (1:124/6119), Steve Quarrella (1:124/9005), and Kenjirou Okubo, the
  support person for LHA.  Your Hack Squad finally received the Internet
  address for Kenjirou Okubo (kenjirou@mathdent.im.uec.ac.jp), and managed
  to verify Scott Fell's own contact, relayed via Steve.

  If you recall, Onno Tesink (2:283/318) found a file called LHA255B.  This
  claims to be version 2.55b of the LHA archiver, with a file date in the
  executable of 12/08/92.  Onno's report was the one that started the
  search.

  Kenjirou knew of this version and verified its legitimacy.  He also
  provided some other very helpful information, which is best relayed by
  quoting his message to me:

       "For DOS, currently lha256a1 is under testing in a closed
       circle for networking environment. After LHA213, dos5 appeared
       in Japan and Yoshi started his series LHA25x series. The two
       versions you mentioned seem to fall under this series. The
       latest version which might be distributed by me is LHA254 for
       people who wants to test -lh6- algorithm."

  He went on to provide the following information on how to verify your
  copy of LHA:

       "Any version ending with LHA25xb is a beta test version, and
       LHA25xa is for a limited circulation. To test whether these
       files are legitimate release either from Yoshi or me, please
       use -t option to check two dimensional CRC self-validation
       check. We believe our test will check the validation with
       10E-38 % of error probability."

  From my own testing, here is the best way to run the verification:

    1.  Extract LHA.EXE from the suspect archive and place it in an
        empty subdirectory that is not on your path.  (example:
        c:\foo\lha.exe).

    2.  Change directories to the one which contains a known good copy
        of LHA.EXE.

    3.  Execute the command LHA t drive:\path\LHA.EXE.  Using the above
        example, your command line would look like this:

                C:\LHADIR>LHA t C:\FOO\LHA.EXE

  This will execute the known good copy of lha, which will test the suspect
  copy and report whether or not the file "appears" to be the original or
  not.  Even though the older LHA is doing the testing, it will be able to
  verify the newer copy.

  Please note that Scott Fell's information was that the author does not
  want these copies distributed.  However, it seems that the folks working
  on LHA are aware that some betas have "escaped" into circulation.  In
  other words, use any betas _entirely_ at your own risk.

  Scott and Steve have my undying gratitude for helping to lay this to
  rest, most notably by locating Kenjirou's Internet address and following
  through on it.  Thanks from all of us!

  *************************************************************************

                                Conclusion

| If you see one of the listed files on a board near you, it would be a
| very friendly gesture to let the SysOp know.  Remember, in the case of
| pirated files, they can get in just as much trouble as the fiend who
| uploads pirated files, so help them out if you can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed as "confirmed"
  from their boards.  I can not and will not take any "enforcement action"
  on this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  On the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

                   Lee Jackson, Author, The Hack Report
     Moderator, FidoNet Int'l Echos SHAREWRE and WARNINGS (1:124/4007)