💾 Archived View for spam.works › mirrors › textfiles › hacking › hack9401.rpt captured on 2023-11-14 at 09:52:15.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-

  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  Compiled by W.H. (Bill) Lambdin
                                    ||  Volume 3, Issue 1
          The Hack Report           ||  Report Date: January 29. 1994
         for Jan/Feb, 1994          ||
                                    ||
  =========================================================================

  Welcome to the first 1994 issue of The Hack Report.  This is a series
  of reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  Hack Watchers and other people that report these suspect files, and
  Compiled by Bill Lambdin.

  I was expecting some diskettes with material from Lee, but they haven't
  arrived as yet. However; the Hack Report will be monthly after this late
  issue.

  With my new status as Hack Central. I am going to make a few changes to
  the Hack Report. I believe all of these changes are necessary, and for
  the better for all that read the Hack Report. I do not expect to make any
  radical changes.

        1. I intend to minimize the number of files in the Hack Report
           archive. Because some people read the Hack Report in conferences
           and distribute this version as the Hack Report.

        2. I will be using CHKFILE (written by Wolfgang Stiller) to
           generate CRC Values for the Hack Report. HACK????.CRC will
           contain the CRC values for the Hack Report, and newest versions
           of A-V software.

        3. I am considering changing the HACK????.COL to the .IDX format.
           This will make it easier for me to update.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  and Warnings Echos (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

  On this same note, programs and files listed in this report should not be
  automatically considered dangerous.  It is simply impossible for the
  author of this report to receive and test copies of every listed file, so
  many of the reports listed herein are based on information sent to the
  author by individuals in the BBS community.  For this reason, neither the
  author of this report nor anyone officially associated with it shall be
  held liable for any losses and/or damages resulting from a listing in
  this report.

  Finally, the releases listed as the latest Official Versions may not be
  entirely accurate.  However, they do reflect the latest version known to
  the author of The Hack Report at the time of writing.  That's the nature
  of the beast we call shareware:  authors have every right (and in this
  writer's opinion, are well advised) to release a new version without
  advance notice of any kind.  If you see a version newer than one listed
  here, please contact one of The HackWatchers or myself so that we can
  keep these listings up to date.

  *************************************************************************

                              Hacked Programs

  Here are the latest known versions of some programs known to have hacked
  copies floating around.  Archive names are listed when known, along with
  the person who reported the fraud (thanks from us all!).

   Program              Hack(s)                    Latest Official Version
   =======              =======                    =======================
   ARJ Archiver         ARJ250                     ARJ241A
      Reported By:  Tommy Vielkanowitz(1:151/2305)
                        ARJ239E
      Reported By:  The Hack Squad
                        ARJ239G
      Reported By:  The Hack Squad
                        ARJ240A
      Reported By:  Ryan Shaw (1:152/38)
                        ARJ300
      Reported By:  Mike Stowe (ITCNet, via HW Robert Hinshaw)

   Blue Wave Offline    BWAVE213                   BWAVE212
    Message Reader
      Reported By:  Don Becker (grendel@jaflrn.linet.org)

   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                      Author of BNU

   DMS Amiga Disk       DMS version 1.12           DMS version 1.11
    Masher
      Reported By: Ben Filips, via Jay Ruyle (1:377/31)

|  F-Prot Virus Scanner FP-205B                    FP-210C
      Reported By: HW Bill Lambdin

   LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
      Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
                        LHA151
      Reported By: Lawrence Chen (1:134/3002)

   LHA Archiver (PC)    LHA214                     LHA213 (non-beta)*
      Reported by: Patrick Lee (RIME address RUNNINGB)
                        LHA214B
                        ICE214
                        LHA215
      Reported by: Kenjirou Okubo, LHA Support Rep.
         (Internet address: kenjirou@mathdent.im.uec.ac.jp)
                        LHA300
      Reported by: Mark Church (1:260/284)

   MakeNL               MKNL251                    MKNL250
      Reported by: Dan Guenthner (SAF-Net 44:900/200,
                   via HW Robert Hinshaw

   Math Master          MATHMSTR                   M-MST400
      Reported by: James Frazee (1:343/158)

   MusicPlay            MPLAY31                    MPLAY25B
      Reported By: Lee Madajczyk (1:280/5)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

   PKZip                PKZ301                     PKZ204G
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)

|  Shez                 SHEZ72A                    SHEZ92 (also
|                       SHEZ73                      SHEZ92P patch)
      Reported By: HW Bill Lambdin

   Telemate             TM40C                      TM412-1 through 4
      Reported By: Philip Dynes, RIME Telemate conference,
                   via HW Richard Steiner
                        TM401
      Reported By: HW Richard Steiner
                        TM410-1
      Reported By: Bat Lang (1:382/91)

   Telix                Telix v3.20                TLX321-1
                         (Prior to Dec. 1992)      TLX321-2
                        Telix v3.25                TLX321-3
      Reported By: Brian C. Blad (1:114/107)       TLX321-4
                   Peter Kirn (WildNet, via HW Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1)
                        MegaTelix
      Verified By: Jeff Woods, deltaComm, Inc.
                        Telix Pro
      Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

   TheDraw              TDRAW430                   TDRAW461
                        TDRAW5
      Reported by: Ian Douglas (5:7102/119)
                        TDRAW500
      Reported by: Ian Davis, Author
                        TDRAW550
      Reported by: Steve Klemetti (1:228/19)
                        TDRAW600
      Reported by: Hawley Warren (1:120/297)
                        THEDR60
      Reported by: Larry Owens (PDREVIEW echo, 1:280/17)
                        TDRAW601
      Reported by: Jesper Tragardh (2:200/109)
                        TDRAW800
      Reported by: James Carswell (1:153/775)


   Wolfenstein-3D       WOLF2-1                    #1WOLF14
                        WOLF2-2
      Reported By: Wen-Chung Wu (1:102/342)
                        WFSF2-IA
      Reported By: Jared Huber (1:203/762)


  * -   See the section "Clarifications and Thanks" for details on
        other valid version numbers for LHA.


  =========================================================================

                                Hoax Alert:

| Eric Bader HW sent JAMMER.ZIP to me in .UUE for, for examination. This
| file reportedly modifies modems so that your calls can not be traced.
|
| I have ran the files on my test machine. I did not experience a trojan or
| a virus. However; just because no trojan activated, and no virus replicated
| does not mean these files are clean. I would like to examine these files in
| depth, but I am quickly running out of time.
|
| Here are the contents of the archive.
|
| PKUNZIP (R)   FAST!   Extract Utility   Version 1.93  ALPHA  10-15-91
| Copr. 1989-1991 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
| PKUNZIP Reg. U.S. Pat. and Tm. Off.
|
| Searching ZIP: JAMMER.ZIP
|
| Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
| ------  ------   ----- -----   ----    ----   -------- ----  ----
|    105  A-Norm     102   3%  10-07-93  21:04  9b549658 --w-  FILE_ID.DIZ
|   4464  A-Norm    2404  47%  02-28-90  16:21  b69dd7d3 --w-  JAMMER.EXE
|   1803  A-Norm     782  57%  10-07-93  21:04  72986750 --w-  HIGHLAND.ER
|   3013  A-Norm    2891   5%  08-01-93  10:25  54cf3b68 --w-  CRAZY.COM
| ------          ------  ---                                  -------
|   9385            6179  35%                                        4

  =========================================================================

                              The Trojan Wars

| Owen Hawkins reported this trojan in the Intelec Net Administration
| conference.
|
| ************ TROJAN ALERT ****************************
|
| Two users reported that a program named MKDEMO wiped out all of their
| files in the root directory.  Program purports to be a demo of a new game.
| Subsequent viewing of the EXE with a hex editor confirms same in that
| filenames such as command.com, config.sys, etc were found as well as
| "Gotcha" messages.
|
| The following is the CRC values using PKUNZIP 2.04
|
| Searching ZIP: MKDEMO.ZIP -
|
|  Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
|  ------  ------   ----- -----   ----    ----   -------- ----  ----
|    7264  DeflatN    4169  43%  01-15-94  16:00  6aa2408f --w-  MKDEMO.EXE
| 2629981  DeflatN 1041388  61%  01-12-94  17:02  3e785170 --w-  MKDEMO.DAT
|  ------          ------  ---                                  -------
| 2637245         1045557  61%                                        2
|
| If you are using FWKCS:
|
| Copy the two lines directly below to a file named XCSLIST.DEL
| 3E785170  28215DxMKDEMO.DAT   MKDEMO.ZIP
| 6AA2408F    1C60xMKDEMO.EXE   MKDEMO.ZIP
|
| then run the command:  FWKCS /t20u XCSLIST.DEL

| Trojan Report - analysis by  Glenn Jordan - Virex for the PC Development Team
|
| The following file was uploaded to Richard Lee's Psychotronic BBS by a
| user claiming to be "Thomas Farrington" of Pittsboro, NC.
|
|        speedpc.zip     20772  11-22-93  16:13
|
| It contains these files:
|
| Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
| ------  ------   ----- -----   ----    ----   -------- ----  ----
|  21032  DeflatX  20089   5%  11-22-93  11:11  d83ed878 --w-  SPEEDPC.EXE
|   1261  DeflatX    467  63%  11-23-93  04:04  bc4e556c --w-  README.DOC
| ------          ------  ---                                  -------
|  22293           20556   8%                                        2
|
| SPEEDPC.EXE decrypts the following message:
|
|                     "One moment please..."
|
| Then it tries to use the bios to format (INT 13h/07h) disks 2-5 (C:-F:),
| starting at head 0, track 0, sector 0 (?), 3 passes per disk.  This is
| buggy for a couple of reasons, including author's apparant unfamiliarity
| with how to use the stack.
|
| Afterwards the program decrypts and displays:
|
|                       "all done...   - HaHaHaHaHaHaHaHaHaHaHaHaHaHaHa-"
|
|           "You dumb ass! don't you know a TROJAN when you see one?"
|
| "Guess Not!!!!  I never did like you"
|                                          "The Revenger"
| "This trojan was created with..."
| "The Trojan Horse Construction Kit, v1.00"
| "Copyright (c) 1992, Viral Inclined Programming Experts Ring."
|
|
|
| The README.DOC file contains:
|
|                              SpeedPC ver 2.3
|                          ***********************
|                         *      by Mad Coder     *
|                         *                       *
|                         *                       *
|                         *                       *
|                         *************************
|
|                    Ever feel you CPU is running a bit, too slow? That you
|           aren't getting the full amount out of your PC? Well don't cause
|           SpeedPC is here! This Disk optimizer/debugger will analyze your
|           hard disk and Optimize it to it's full potential. It has been
|           known to speed up a PC's performance by over 36%!!!!!!! It is
|           shareware, and I ask for no money in return.
|
|                     To Install : Just Run the .EXE file and wait. It will
|           look at your configuration and give you the best performance,
|           that your PC can handle.
|
|
|                   Any questions, I can be reached on the
|
|                         Ant Farm BBS = 421-324-4345
|
|                   Give me a call.
|                                               Mad Coder

| Brian O'Sullivan uploaded SNES2IBM.EXE to the Metaverse Anti-Virus BBS.
|
| I ran the file on my test machine, and din't see evidence of a virus or a
| trojan. After I found suspicious code in the file, I forwarded the file to
| David Chess for a second opinion, and his report is below.
|--------------------------------------------------------------------------
| When I ran this on a test machine, it trashed the hard disk.  In the
| single subdirectory that was (temporarily) left (due to disk caching,
| I think), there was a file called "NULL" that contained the prompts
| for the FORMAT command, so it seems likely that it did at some point
| "FORMAT C: >NULL" (instead of "NUL").   Seems to be at least a Trojan,
| although I don't see any evidence of a virus...
|
| Definitely a trojan!  Oddly coded, too.  I can't decide if it's
| in some HLL with a bizarre compiler, or hand-coded by someone
| with a very strange mind.  First thing it does is alter the
| PATH to point to only a few directories (DOS and SYSTEM on
| C: and D:, I think), and then look in the current dir and
| along the path for a FORMAT.COM or FORMAT.EXE or FORMAT.BAT.
| Oh, first it's created a T_M_P.!!! file (or some similar
| name) containing "y<enter>".  Having found a FORMAT command,
| it invokes it with arguments to do a quikformat of C:.
| That's as far as I've traced it; after that it does something
| that causes about 50 "Bad command or filename" messages.
|
| DC

  =========================================================================
                                  Way To Go!
  =========================================================================
| This type of activity should be encouraged, and the users need to know 
| of companies that react to problems in a positive matter instead of 
| trying to cover it up. 
|
| If you see a company reacting in a positive manner to viruses, or other 
| problems, send a message to me, and I will happy to add it to this 
| section

| Leading Edge sold 500 computers infected with the Michelangelo virus in
| 1993. After they were aware of the problem, they reported this problem 
| publicly and sent Anti-Virus Software to their customers to detect and 
| remove the virus.

| Winfred Hu accidentaly released telemate 4.11 with two infected VESA 
| drivers. These drivers were infected with the Butterfly virus. Winfred 
| distributed a note about the problem to several Net Mail conferences, 
| then removed the two infected files and released an updated version of
| Telemate.

| Power Up Software accidentaly sold the "So Much Share Ware Vol II" CD-ROM
| With a file infected with the Power Pump Virus. After they were aware of 
| the problem, they distributed a note, and stopped producing copies of So 
| Much Share Ware VOL II. Power Up Software is not responsible for this
| virus slipping through because McAfee's Scan (The scanner Power Up 
| Software used) could not detect the Power Pump virus at that time.

| The  company that produces the Night Owl CDs released Night Owl 10 CD 
| with several infected files. After they were aware of the problem, they 
| sent letters to all of their customers offering to send an update of the 
| CD. Night Owl 10.1. They removed the files, and re-mastered the CD. I 
| wish more companies would react positively when they  encounter problems
| like this.

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  =======                 ===============     ===========
  2400 A.D. (game)        2400AD              Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)

  3-D Pool                3DPOOL              Michael Gibbs (via HW Bill
                                               Lambdin)

  4DOS v4.02 (reg.)       4DOS402R            HW Scott Raymond
                          4DOSREG

  Airball (game)          AIRBALL             Michael Gorse (1:101/346)

  Alone in the Dark       ALONEDEM            Mark Mistretta (1:102/1314)
   (full game-not a demo)

  ArcMaster (registered)  AM91REG             HW Scott Raymond
                          AM92REG

  Arctic Fox (game, by    AFOX                from the Meier/Morlan List,
   Electronic Arts)                            conf. by HW Emanuel Levy
                                               and Brendt Hess (1:105/362)

  ARJ Archiver            ARJ239RG            HW Scott Raymond
   (registered)           AJ241ECR

  Arkanoid II: Revenge    ARKNOID             James Crawford (1:202/1809)
   of DoH (game)

  Atomix (game)           ATOMIX_             HW Matt Kracht

  A-Train by Maxis        ATRAIN1  through    Chris Blackwell of Maxis
                          ATRAIN6, also        (zoinks@netcom.com)
                          A-TRAIN1 through
                          A-TRAIN6

  BannerMania             BANMANIA            Harold Stein (1:107/236)

  Battle Chess            CHESS               Ron Mahan (1:123/61)
|                         BTLCHESS            Michael Wagoner (1:105/331)

  BeetleJuice (game)      BEETLE              Mark Harris (1:121/99)
                          BETLEJUC            Jason Robertson (1:250/802.2)
                          BJUICE              Alan Hess (1:261/1000)
                          BJ                  Bill Blakely
                                               (RIME Shareware echo)
                          BTLJWC              the Hack Squad
                                               (1:124/4007)

  Big Bird (game?)        BIGBIRD             Cindy McVey, via Harold Stein

  Budokan: the Martial    BUDOKAN             Michael Gibbs (Intelec, via
   Spirit (game)                               HW Bill Lambdin)

  Caveman Ninja           CAVEMAN             Dave Lartique (1:3800/22),
                                               ver. by HW Emanuel Levy

  Check-It PC             CHECKIT             HW Bert Bredewoud
   Diagnostic Software    CHKIT20             HW Bill Lambdin

  Cisco Heat (game)       CISCO               Jason Robertson

  Commander Keen Pt. 5    _1KEEN5             Scott Wunsch (1:140/23.1701)
                          KEEN5E              Carson Hanrahan (CompuServe,
                                               71554,2652)

  {COMMO} v5.4            COMO54X             Allan Bowhill (1:343/555)

  CompuShow GIF Viewer    CSHW860B            HW Scott Raymond

  Copy II PC              COPYPC70            Ryan Park (1:283/420)

  Cyber Chess             C-CHESS             Shane Paul, RIME, via HW
                                               Richard Steiner

  Darkside (game)         DARKSIDE            Ralph Busch (1:153/9)

  Disk Copy Fast 4.0      DCF4UNT             HW Scott Raymond
   (registered)           DCF41AR

  DiskDupe Pro v4.03      DD403PRO            Jan Koopmans (2:512/163)

  Energizer Bunny Screen  ENERGIZR            Kurt Jacobson, PC Dynamics,
   Saver for Windows                           Inc., via HW Bill Dennison

  F-Prot Professional     FP206SF             Mikko Hypponen
                                               (mikko.hypponen@compart.fi)

  Family Feud (game)      FAM-FEUD            Harold Stein

  FAST! Disk Cache        FAST_1V4            Ryan Park (1:283/420), via
   v4.03.08                                    HW Bill Lambdin

  FaxTalk (Thought        FAXTALK             Lyle Taylor (1:293/644),
   Communications)                             via Steve Fuqua

  FaxPlus (Thought        FAXPLUS             Lyle Taylor (1:293/644),
   Communications)                             via Steve Fuqua

  FaxPower                FAXPWR              Carson Hanrahan (CompuServe,
                                               71544,2652)

  Freddy Pharkas,         FREDDY-1            HW Bob Seaborn
   Frontier Pharmacist    FREDDY-2
                          FREDDY-3
                          FREDDY-4
                          FREDDY-5
                          FREDDY-6

  GEcho Mail Tosser       GE_1000K            HW Scott Raymond
                          GE_100CK

  GifLite 2.0 (regist.)   GL2-ECR             HW Scott Raymond

  Gods (game)             GODS                Ron Woods (1:134/144)

  Golden Axe (game)       GOLDAXE             Harold Stein

  GSZ Protocol Driver     GSZ0503R            HW Scott Raymond
   (registered)           GSZ0529R

  Home Lawyer             HOMELAWY            Kim Miller (1:103/700)
                          HMLAWYER            Harvey Woien (1:102/752)

  Hoyle's Classic Games   HOYLECL1            HW Bob Seaborn
                          HOYLECL2
                          HOYLECL3
                          HOYLECL4

  HS/Link Protocol        HS121R              Don Becker (Internet,
   v1.21 (registered)                          grendel@jaflrn.linet.org)
                          HS121REG            HW Scott Raymond

  HyperWare Speedkit      SPKT460R            HW Scott Raymond
   v4.60 (registered)

  Ian Bothams Cricket     IBCTDT              Vince Sorensen (1:140/121)

  Intelcom Modem Test     TESTCOM             from the Meier/Morlan List,
   Utility (dist. with                         confirmed by Onno Tesink
   Intel modems)                               (RIME, via HW Richard
                                               Steiner)
                          INTELCOM            HW Jason Robertson

  Intermail Mailer        IM221U              HW Scott Raymond
   (registered)           IM22FIX

  Jetsons (game)          JETSONS             Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)

  Jill of the Jungle      JILL2               Harold Stein
   (non-shareware files)  JILL3
                          $JILL2              HW Bert Bredewoud
                          $JILL3

  Killing Cloud (game)    CLOUD               Mike Wenthold

  Kings of the Beach      VBALL               Jason Robertson
   (game)

  Landmark System         SPEED330            Larry Dingethal (1:273/242)
   Speed Test             SPEED600            Joe Morlan (1:125/28)

  Life & Death (game)     L&D1                Harold Stein
                          L&D2

  List Enhanced           LIST8               Richard Dale (1:280/333)
                          LISTE18D            HW Scott Raymond

  MegaMan (game)          MEGAMAN             HW Emanuel Levy

  Microsoft Flight        FS                  Michael Gibbs (Intelec, via
   Simulator                                   HW Bill Lambdin)
                          FS50TDT1            HW Bob Seaborn
                          FS50TDT2

  Microsoft Mouse Driver  MOUSE901            Alex Morelli (CompuServe,
                                                75050,2130)

  Microsoft Ramdrive      RAMDRIVE            Barry Martin (Intelec, via
                                                HW Bill Lambdin)


  MS-DOS 6.0              MSDOS6-1            Harold Stein
                          MSDOS6-2
                          MSDOS6-3


  Oh No, More Lemmings    ONMLEMM             Larry Dingethal (1:273/231)
   (complete-not demo)

  Over the Net            OTNINC1             Tim Sitzler (1:206/2708)
   (volleyball game)

  PGA Tour Golf           GOLF                HW Bill Lambdin

  PKLite (registered)     PKL15REG            HW Scott Raymond

  PKZip v2.04c            PK204REG            HW Scott Raymond
   (Registered)

  PKZip v2.04c            PKZCFG              Mark Mistretta (1:102/1314)
   Configuration Editor

  PKZip v2.04e            PK204ERG            HW Scott Raymond
   (Registered)

  PKZip v2.04g            PKZ204R             HW Bill Dennison
   (Registered)           PKZ204GR            HW Jason Robertson

  Populous (game)         POPULOUS            Harold Stein

  The Price is Right      PRICE               Harold Stein
   (game)

  Prince of Persia        PRINCE              Kenneth Darling (2:231/98.67)
                                              Eric Alexander (1:3613/10)
                                              HW Emanuel Levy
                          PRINCE2A            Todd Crawford (1:3616/40),
                          PRINCE2B            via HW Jeff White
                          PRINCE2C

  PrintShop               PSHOP               Michael Gibbs, Intelec, via
                                               HW Bill Lambdin

  Psion Chess             3D-CHESS            Matt Farrenkopf (1:105/376)

  Pyro! PC                DOSPYRO             Jay Kendall (1:141/338), via
   (Fifth Generation)                          HW Scott Raymond

  Q387 (registered)       Q387UTG             Michael Toth (1:115/439.7)

  QModem Pro              QMPRO-1             Mark Mistretta
                          QMPRO-2

  QuickLink II Fax v2.0.2 QLINK1              Carson Hanrahan (CompuServe,
                          QLINK2               71554,2652)

  Rack 'Em (game)         RACKEM              Ruth Lee (1:106/5352)

  Rawcopy PC              RAWCOPY             HW Chris Wise

  Sequencer Plus Pro      SPPRO               Tom Dunavold (Intelec,
                                               via Larry Dingethal)

  Shadow Warriors (game)  SHADOWG             Mark Mistretta

  Sharky's 3D Pool        POOL                Jason Robertson (1:250/801)

  Shez (Registered)       SHEZ84R             Eric Vanebrick (2:291/712)
                          SHEZ85R             HW Scott Raymond
                          SHEZ87R
                          SHEZ88R
                          SHEZ89R
                          SHEZ91R

  SideKick 2.0            SK3                 Harold Stein

  SimCity (by Maxis)*     SIMCITY1            Peter Kirn, WildNet Shareware
                          SIMCITY2             conf., via HW Ken Whiton
                          SIMCITY3
                          SIM_CITY            Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW            Scott Wunsch

  Smartdrive Disk Cache   SMARTDRV            Barry Martin (Intelec, via
                                                HW Bill Lambdin)
                          SMTDRV40            Michael Toth (1:115/220)

  Spidey (game)           SPIDEY              Brian Henry (ILink,
                                               via HW Richard Steiner)
                          SPIDRMAN            Alan Hess (address unknown)

  Squish 2.1              SQUISH              Jason Robertson (1:250/802.2)
   (Sundog Software)      SQUISH21            Several (ver. by Joe Morlan)

  Star Control Vol. 4     STARCON             Carson M. Hanrahan
                                               (CompuServe 71554,2652)

  Streets on a Disk       STREETS             Harvey Woien

  SuperZModem             SZMO200             HW Jason Robertson
   (registered)

  Teledisk (files         TDISK214            Mark Mistretta
   dated after Apr. 1991)
                          TELE214R            Staale Fagerland (Internet,
                                             staale.fagerland@euronetis.no)

  Telemate                TM411REG            HW Scott Raymond

  TheDraw v4.61 (reg.)    TDRW461R            HW Scott Raymond

  Vegas Casino 2 (game)   VEGAS2              The Hack Squad

  VOpt Disk Defragmenter  VOPT30              The Hack Squad

  VPic v6.0 (registered)  VPIC60CR            HW Scott Raymond

  Wheel of Fortune        WHEEL               Harold Stein

  Where in the USA is     CARMEN              Carson Hanrahan
   Carmen Sandiego?       CARMENUS            Cindy McVey, via Harold Stein

  Where in Time is        CARMENT             Cindy McVey, via Harold Stein
   Carmen Sandiego?

  WinWay Resume for       WINRES              Erez Carmel (CompuServe,
   Windows                                      70523,2574)

  World Class Rugby       WCRFNTDT            Vince Sorensen

  ZipMaster (registered)  ZM31REG             HW Scott Raymond


  * - Peter Kirn's report on SimCity indicated that Maxis has in fact
  released a demo of SimCity onto ZiffNet which limits play to 5 minutes.
  This is not the same file as he reported, however - the ones he found are
  indeed pirate copies.

  =========================================================================

                      ?????Questionable Programs?????

  This section of The Hack Report is for the "misfits" - in other words,
  files that are hacks, hoaxes, Trojans, or pirated, but either do not
  quite fit into one of the main sections of the report or require more
  explanation than the format of the appropriate section allows.  The extra
  material presented here is usually included for a good reason, so please
  take the time to read at least the new entries quite carefully.  Also, if
  you have any input on any of the listed files, do not hesitate to send it
  in to your Hack Squad.


  Quite a few folks questioned a release of Vern Buerg's LIST calling
  itself v7.8a.  This one actually came down one of the file distribution
  networks, if memory serves.  However, in response to these inquiries,
  your Hack Squad called up The Motherboard BBS, Mr. Buerg's home system.
  On that system was posted the following bulletin:

        ================================
    ===  July 15:  LIST78A.ZIP is bogus  ===============================
        ================================

    A beta test version of LIST 7.8a was uploaded to other systems by
    mistake. It is not an official version, and it has bugs, e.g. the
    mouse doesn't work.

    A new version will be released next week. Those waiting for
    registered copies will be sent their's first, then it will be posted
    on VOR and CIS. The manual was dramatically updated and is now 54
    pages with full color cover. We'll have some on the shelves at the
    store next week.

  So, this definitely qualifies as a "misfit" - it isn't a hack, hoax, or
  Trojan - it's an accident.


  Robert Jung's ARJ archiver has had a new release in non-beta form.  The
  legitimate file can be identified by an ARJ-SECURED envelope.  However,
  making equally big news (unfortunately) were several sightings of pirated
  versions of the registered v2.41 file.  These were most often seen as a
  ZIP file (?) with the following internal files:

     Length  Method   Size  Ratio   Date    Time    CRC-32  Name
     ------  ------   ----- -----   ----    ----   -------- ----
       1436  DeflatX    614  58%  06-09-93  16:05  23af995c README
     223594  DeflatX 222850   1%  06-04-93  09:19  fe351d41 ARJ241.EXE
     127882  Stored  127882   0%  06-04-93  09:27  54fdf489 ARJUTIL.ARJ
      55301  DeflatX  54641   2%  06-04-93  09:18  6d4e75fe UNARJ241.EXE
     244816  Stored  244816   0%  06-10-93  09:23  0abdb4be ARJHLP24.ARJ
     ------          ------  ---                            -------
     653029          650803   1%                                  5

  The giveaway here is the ARJUTIL.ARJ file - this contains programs that
  are only available to registered users.

  This causes a problem as far as listing this in the .col/.idx files is
  concerned:  the person who distributed the pirated version used the same
  filename as the real thing.  The only way you're going to be able to tell
  the pirated version from the legitimate one will be to look inside your
  copy of the archive.  If you see either the ARJUTIL.ARJ file inside, or
  the files ARJR.EXE or DEARJ.EXE, then you have the pirated copy.  Please
  delete it.  (Note - version 2.41 has been superseded - please see the
  Hacked Files section of this report for the latest version as of this
  writing.)


  Dotti Rosier (1:114/107) found a message on a local BBS system that might
  be worth reading.  The text read as follows:

       WARNING: Nobody download PHACS1.EXE and NETWORK1.EXE..They have
       the Yankee Doodle virus that is only detectable by SCANV99....
       please clean these two exe files IMMEDIATELY and in case you
       have run them already, there might b some other files that are
       infected. CLEAN99 will clean them just fine. Sorry for the
       inconvenience but I recently found out that my HD was infected
       and therefore, every file that I compile is infected. Thank you
       for your patience.

  I can only assume that these were self extracting archives - no
  descriptions of the files were available.


  Steve Winter (1:153/7070) reported on a file called SUB1_V21.  This
  claimed to be a program called SUB, a directory list utility.  Steve
  checked out the file prior to running the install program and found no
  anomalies.  However, once installed, he says he began to get conflicting
  directory reads, disk full errors, and problems booting.  Somehow, his
  boot record had been damaged.

  According to his testing, the file passes scans with F-Prot v2.08a and
  does not alert McAfee's VShield v104.  He says the archive contains two
  files - INSTALL.EXE and SUB.SPZ, which contains the executable.  INSTALL
  creates a subdirectory and extracts files from the SUB.SPZ file.

  Steve says he is attempting to get another copy for testing.  Until that
  time, I can't say for sure if he was the victim of a system glitch, buggy
  software, or a true Trojan.  If anyone out there has this file, please
  contact your local HackWatcher or myself so that we can arrange for
  testing.


  Mark Harris (1:121/26.1) found a pair of archives called DEATH_1 and
  DEATH_2 on a local system.  The files were described as a new Apogee game
  called Deathbringer.  The archives contained no documentation, and all
  program files were dated 1990 or 1991.  When run, the game displayed the
  name "Deathbringer," but gave no company or copyright information.  Scans
  by McAfee's ViruScan and Frisk's F-Prot proved negative.

  Mark has provided additional information that adds to the suspicion that
  this is a pirated file.  The program begins with the following screen:

         Empire, in association with ODE and The Mystery Machine,
                                 presents
                         -=*=- DEATHBRINGER -=*=-
                            Select Vidoe Mode:

                            1)  VGA   16 color
                            2)  EGA   16 color
                            3) Tandy   4 color
                            4)  CGA    4 color
                            5) Tandy  16 color

       Roland, Adlib and Tandy music supported
       (Playing now, if found, M to toggle on/off)
       J to select Joystick, K for keyboard
       = to speed up, - to slow down game (fast PCs)

       THOSE WHO LABOURED:
       John Wood...................Atari ST, Commodore Amiga, Design
       Kevin Ayre.....................................IBM PC, Design
       Colin Swinbourne.....................................Graphics
       Richard Yapp...................................Levels, Design
       Sound Images............................................Music

       Deathbringer,  Karn  and  all  Deathbringer  Characters  and  the
       distinctive  likenesses thereof are Trademarks of Abaddon Duke of
       Hell Group Inc.


  Mark goes on to say:

       There was no documentation in the archive (which I will
       continue to hold on to, in case you need it for any reason)
       giving any playing instructions, no shareware notice or
       registration request, nothing whatsoever to indicate the origin
       of this program except for the above.  That's what prompted me
       to write in the first place; it looks to me (especially
       considering the quality of the graphics,) like this is a
       commercial program with as much of the copyright and
       identifying screens hacked out of it as possible.

  As an Apogee Tech Support Specialist, I can personally verify that this
  is not a product of Apogee.  Mark's opinion is that this is a hack of a
  commercial game:  I tend to agree.  Jim Wells (1:2613/261) forwarded the
  file contents, along with some other information still being looked into:
  he feels that this is a "hacked" version of the official release, whether
  shareware or commercial.  Rick McBride (1:363/178) says it is indeed
  commercial, as he saw it on a CD-ROM about a year ago.  However, he does
  not remember the publisher's name (possibly Psygnosis, he says) - only
  that it is an arcade-style D&D game.

  This is still being researched.  In the meantime, I would appreciate any
  information that a user of the possible commercial version could forward
  - please help your Hack Squad verify this one.


  Chuck Cypert (1:124/2113) reported in the FidoNet VIRUS_INFO echo that
  the SysOp of the CompUSA BBS in Carrollton, TX had a problem with a file
  called UNIXHAC.  The SysOp reports that this file formatted his hard
  drive.  No further details were available, as the SysOp had already
  deleted the file.  If someone has a copy of this, again, please contact
  one of The HackWatchers or myself.


  Harvey Woien (1:102/752) forwarded a report from a user of The
  Motherboard (Vern Buerg's BBS), Ted R. Marcus, about a version of the
  Microsoft Mouse Driver claiming to be version 9.0.  It also appears that
  this file came down a file distribution network under the filename
  MSMAUS90, possibly originating in Germany.  Your Hack Squad has found a
  copy of the same archive Ted reported on, and confirms some of his
  observations on the file (MOUSE900), quoted here:

  1.  Microsoft Diagnostics and InfoPlus report this "9.00" driver as
      version 8.00.  The latest "official" version of which I am aware is
      8.20a.

  2.  The "new" driver is significantly smaller than version 8.20a.

  3.  The "new" driver supports the undocumented /U switch (which loads
      much of the driver into the HMA).  Version 8.0 and 8.1 supported this
      feature, but Microsoft removed it from version 8.2 (shipped with DOS
      6.0).  The support for the /U switch suggests that the driver is, in
      fact, version 8.0.

  4.  Examining the MOUSE.COM driver file reveals one instance where the
      version number (repeated in the initialization message for each
      language the driver supports) is "9.40".  That indicates either
      uncharacteristic sloppiness on the part of Microsoft -- or, more
      likely, sloppiness on the part of a hacker.

  More information on MOUSE900 comes from Jeffery Bradley (1:3635/35).  He
  informed the folks here at Hack Central Station that there is indeed a
  legitimate v9.0 of the Microsoft Mouse Driver.  However, after talking
  with Microsoft, he did confirm that this should not be distributed via
  BBS systems:  it is commercial only, as previously reported.


  Yet another file that doesn't fit into any of the report categories: a
  report from Wen-Chung Wu (1:102/342) concerns the archive PKLT120R, which
  claims to be version 1.20 of PKLite.  This is actually PKLite
  Professional v1.12, a commercial product, which has been hacked to show
  version 1.20 instead of 1.12.  To make matters worse, the PKLITE.EXE file
  was compressed "by PKLITE itself more than three times and once by
  LZEXE."  So, what we have here is a hack of a pirated commercial file -
  jeez, this job gets confusing at times. ;-)


  Here's an update on the report from Bud Webster (1:264/165.7) on the
  Apogee game being distributed under the filename BLOCK5.ZIP.  As reported
  by Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and Dan
  Stratton (via HW Ken Whiton), this program was part of an Apogee disk
  called the "Super Game Pack," and that it is a game called "Block Five."
  Joe Siegler (1:124/9006), the online support representative for Apogee
  Software Productions, confirms this, and states that the majority of the
  games on this disk, including this one, have been officially
  discontinued.  The official company stand is that this game should not be
  distributed via BBS systems, as it is no longer supported in any way by
  Apogee Software Productions.  Thanks to everyone who helped on this one.


  HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
  called BIBLEPR (no description available) that appears a bit suspicious.
  The file contents are:

                Length  Time    CRC-32  Attr  Name
                ------  ----   -------- ----  ----
                 34176  11:26  d267f5de --w-  BIBLEPR.COM
                158493  00:04  4298ac2d --w-  DATAPR-0.DAT
                158493  00:04  d87adf4b --w-  DATAPR-1.DAT
                158493  00:08  1213c6b3 --w-  DATAPR-2.DAT
                159764  00:08  38d7cc06 --w-  DATAPR-3.DAT
                  1572  24:05  3a60c80e --w-  BIBLEPR.DOC
                ------                        -------
                670991                              6

  When BIBLEPR.COM executes, Bill says it displays the following message:

                        Greets from DOA!

        Don't say I didn't warn you! You are also busted!

        Expect a visit from the SPA!

        Omni, I will avenge you!

  Bill's disassembly shows the file contains two INT 26 calls, which are
  DOS Absolute Disk Write instructions.  He said that if it contains a
  virus, he was unable to get it to replicate.  A copy of the archive has
  been sent to Glenn Jordan at Datawatch Software for testing.


  Here's an interesting point, brought to my attention by HW Richard
  Steiner and John Weiss of the RIME Shareware Conference.  In previous
  issues, I have listed two files, QM60IST1 and QM60IST2 (reported by
  Francois Thunus, 2:270/25), as pirated copies of QModem v6.0.  However,
  Richard and John quite correctly point out that there was no release of
  QModem v6.0 - the program changed to QModem Pro after v5.

  This file, or a variant, has also been spotted by Jerry Van Laer of
  2:292/805.7, under the name QM60D1-2 and QM60D2-2.  In this case, an
  internal "brag" screen stated the program was QmodemPro 1.0.

  From what Francois reported, I believe that what he saw was indeed Qmodem
  Pro, now a commercial-only program.  However, it was "released" under the
  above filenames.  So, is it a Hack?  Pirated File?  Or what?  Doesn't
  matter - it shouldn't be distributed.  Thanks, Richard and John, for
  making me fully engage my brain for a change. <grin>


  HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
  (615)966-3574) in the ILink VIRUS FILE conference about the archive
  ASCDEMO.  Marshall says that McAfee's ViruScan doesn't detect any
  infection until after you run it and it has infected other files.  No
  further information was supplied, other than the internal filenames
  (ASCDEMO.DOC and ASCDEMO.EXE).  I need further data on this before I can
  list it in the Trojan Wars section, so please advise if you have any.


  HW Emanuel Levy says the file IM, reported by Michael Santos in the
  Intelec Net Chat conference and listed in the 1992 Full Archive edition
  of The Hack Report.  Michael's report was a "hearsay" report from one of
  his friends, and stated that the IM screen saver file caused a viral
  infection.

  Emanuel says the file is an "outer space screen saver," currently under
  the filename IM17.  Scott Wunsch (1:140/23.1701) says the program name is
  "Inner Mission," and he currently has version 1.6.  In both cases, the
  files were clean.

  So, it looks like either Michael's friend's system became infected from a
  different source than the IM file, or that an isolated incident of an
  infected IM is involved.  No way to tell at this writing.


  Long time readers of this report will remember a question concerning the
  status of a screen saver called TUNNEL.  Ove Lorentzon (2:203/403.6) and
  Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
  Steiner) both stated that the program was an internal IBM test program
  and was not intended for outside distribution.

  Your Hack Squad has received word from the author of the program, Dan
  Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
  the program has never been released to the general public.  According to
  Dan, "it is still owned by IBM, and as such has been given the IBM
  security classification 'IBM Internal Use Only' which means what it says:
  the program is not for distribution to non-IBM employees."

  Dan also says that several other "Internal Use Only" programs have been
  "leaked" to the outside world, which implies that these files should not
  be posted for download.  One such program was originally called Dazzle
  (NOT to be confused with the other popular DAZZLE screensaver), but has
  entered BBS distribution under the filename O-MY-GOD (also seen as OMG,
  per Michael Burkhart (RIME address CENTER, via HW Richard Steiner).
  However, note that the O-MY-GOD/OMG file was hacked, according to Dan, so
  that all of the "Internal Use Only" references were removed.

  Another is a program that is usually included inside other archives:  the
  program name is PLAYANI.  Dan says this has been distributed "along with
  various animations," and also falls under the same Internal
  classification.

  A prime example of this is an archive called BALLS (not what you think).
  This is an animation of multiple chrome spheres rotating around each
  other above a red and white checkerboard platform.  In this case, both
  the player (PLAYANI) _and_ the animation are the property of IBM and are
  not intended for BBS distribution.

  Again, to quote Dan, "None of these programs are for external
  distribution; all are owned by IBM and are only for use inside IBM by IBM
  employees."  Thanks to Dan for all of his help.


  Donn Bly has cleared up the question on the status of the Sydex program
  TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
  Donn was kind enough to mail a copy of a letter sent to him by Sydex
  explaining that Teledisk is no longer shareware.  Here is an excerpt from
  the letter:

       "Effective April 1991, TeleDisk is no longer a shareware
       product.  After long consideration, we decided to
       discontinue our offering of the shareware edition of
       TeleDisk, and license it only as a commercial product.

       "Commercial licenses of TeleDisk are available from Sydex at
       $150 a copy.  All shareware distributors and BBS sysops who
       take time to check their sources are requested to remove
       TeleDisk from shareware distribution."

  The letter is signed by Miriam St. Clair for Sydex.  To summarize, Sydex
  is no longer accepting shareware registrations for TeleDisk, and asks
  that it be not be made available for download from BBS systems.

  Thanks to Donn for his help in this matter.


  HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
  Barnes of Mustang Software, Inc., about a "patch" program aimed at
  OffLine Xpress (OLX) v1.0.  The patch is supposed to allow OLX to
  read and reply to Blue Wave packets, along with a lot of other seemingly
  unbelievable feats.  Gwen Barnes did not seem to know of the patch, but
  published the following advice in the WildNet SLMROLX conference to
  anyone considering trying it:

    1. Make a complete backup of your system.
    2. Make sure you've got all the latest SCAN stuff from McAfee
    3. Try it, keeping in mind that it more than likely does nothing
       at all, or is a trojan that will hose your system.
    4. Get ready to re-format and restore from backups if this is in
       fact the case.

  No filename was given for this patch.  If anyone runs across a copy of
  it, please contact one of The HackWatchers or myself so that we can
  forward a copy to MSI for testing.


  HW Bill Lambdin reports that someone has taken all of McAfee Associates'
  antiviral programs and combined them into one gigantic (over 700k)
  archive.  He did not say whether the files had been tampered with, but he
  did send a copy to McAfee for them to dissect.  The file was posted under
  the filename MCAFEE99.  I would not suggest downloading this file:  as a
  matter of fact, this reporter prefers to call McAfee's BBS directly when
  a new version of any of their utilities comes out.  I highly recommend
  this method, since it insures that you will receive an official copy.


  HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:124/4007).

  =========================================================================

                            Information, Please

  This the section of The Hack Report, where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send it in: operators are standing
  by.


  Chuck Hammock (1:392/20) reported in the FidoNet DIRTY_DOZEN echo that
  one of his users uploaded a file called PASTUT24.  The user warned Chuck
  that this file was infected with the Kamikazee virus.  I was unable to
  get further information on this, so Chuck, if you are reading this (or if
  anyone else can confirm this), please send me some NetMail on your
  results.


  Russell Wagner reported a problem with a copy of VMIX222.  This shareware
  multitasker is currently at v2.87.  Russell claims to have found a
  possible isolated incident of a Trojan version of the program.  He wound
  up scrambling the FAT on his C: drive when he ran the program, and was
  able to reproduce the damage in subsequent tests.  He only ran the
  program on one system, however, so it is not clear as to whether he has
  found a true Trojan claiming to be the real VMiX, a corrupted copy of the
  file, or whether he has some sort of hardware incompatibility.  If anyone
  else has run into a problem with v2.22 of this program, please advise.


  Robert Rothenburg (Internet robert.rothenburg@asb.com) received a file
  called JAMMER that he says is very suspicious.  The archive had a file
  with the name JAMMER.EXE and a description that said something to the
  effect of, "run this first and your calls won't be traced."

  He looked through the executable and found the name "Nmodem Jammer 2.8",
  along with "some other claims about adjusting the modem configuration"
  and "some nasty insults to a couple of people."  Virus scanners showed
  nothing, so he looked at the interrupts.  He says it "looks like it
  installs a TSR of sorts and does some disk writes."  He concludes that
  the file possibly "instals a virus or just damages certain files, though
  i suspect it will go after the comm program, as a message says when it
  ends to 'run your communications program now!'".

  I am attempting to get a copy of this from Robert for further testing -
  please be on the lookout for a copy, and notify your local HackWatcher or
  myself if you see it.


  Jim Tinlin (1:206/2604) brought into question a file called CRAPS, which
  looks like a shareware Craps game for Windows.  However, a line inside
  the internal README.TXT file reads as follows:

      "As a licensed owner, please do not distribute this copy to others"

  To further confuse matters, the game displays an opening screen that
  states it is indeed shareware and should be distributed.  The file
  contents are as follows:

        CRAPS    EXE    264007 05-13-93   9:05aC
        CRAPS    HLP     40043 04-12-93   7:16aC
        README   TXT      5322 04-12-93   7:02aR
                5 file(s)     309372 bytes

  This is another one that makes us scratch our heads here at Hack Central
  Station.  Any information would be appreciated.


  HW Bob Seaborn forwarded a message from Kevin Haverstock (via Tom Scott,
  1:140/47) about a file called TCM_V511.  This was described as "The
  Configuration Manager," a system configuration utility.  Kevin's report
  said that once you finish running the setup, your computer reboots and
  you get a prompt that "scrolls your screen and locks up your system."  He
  was unable to access his hard drive after booting from a system disk - a
  reformat was required.

  I am familiar with a legitimate shareware program called The
  Configuration Manager, but not under version number 5.11, nor under the
  above filename.  I can't be sure if Kevin's problems were the result of a
  hardware error, user error, or an isolated incident of a tampered
  archive.  If anyone has any information on what could have caused this,
  please enlighten me.


  Harold Stein (1:107/236) found a file called STETRIS, claiming to be a
  Super Tetris game.  He says that there was a shareware version of this
  that was released about a year ago, but has since been renamed due to a
  conflict with a commercial game of the same name.  He is not sure whether
  or not he found the old shareware file or a pirated copy of the
  commercial file.  The archive (in .zip format, presumably using v2.04g)
  was 55,318 bytes long, and the archive date had been "touched" by the BBS
  it was uploaded to, forcing it to March 23, 1993 (Editorial: this renders
  filedates rather useless, IMHO. -lj)

  Based on further information from Jeff Hancock (1:3600/7), it seems now
  that Harold may have either an older shareware version, an incomplete
  archive, or a different program altogether.  Jeff's copy of the shareware
  version was only 47480 bytes (compressed with ARJ).  He has seen the
  commercial game, and says it is "MUCH larger".  With this information, I
  consider the matter closed.  Thanks to Jeff for his help.


  Peter Hempel (1:229/15) posted a message in the FidoNet Echo VIRUS about
  the file BREAKIT!, which was described as follows:

  BREAKIT!.ZIP  6714  03-29-93  (CRS) A Gw-Basic Code And Cipher Program
                                Allowing You To Enter Ascii Characters, To
                                Save Them, And To Encode And Decode.

  Peter claims that this program erased his root directory, but says he was
  able to recover everything by booting from a write-protected system disk
  and using the Norton Utilities UNERASE command.  The archive contents are
  as follows:

   Name         Original Method     Packed CR%   Date     Time   CRC
   ============ ======== ======== ======== === ======== ======== ========
   BREAKIT!.BAS     4453 Implode      2604  58  1-24-93 11:25:24 42CA0CE4
   CODEFILE.FIL     1240 Implode       550  44  3-28-92 10:52:44 B6ADEB20
   PRINTME.BAT        31 Stored         31 100  1-24-93 11:54:12 965CF8AE
   VIEW.COM          958 Implode       876  91  3-19-92 19:11:46 47C5E5EF
   README.BAT         30 Stored         30 100  1-24-93 11:52:32 95294A43
   BRK.BAT            40 Stored         40 100  1-24-93 11:53:32 FC9F3B2E
   BREAKIT!.DOC     2679 Implode      1440  54  1-24-93 11:56:06 EC302AFA
   ============ ======== ======== ======== === ======== ======== ========
          7         9431 ZIP          5571  59  1-24-93 11:56:06

  He did not say which file did the damage.  I do not know if this is a
  Trojan or an infected file - in either case, it may well be an isolated
  incident.  Test results would be greatly appreciated.


  Lowell Shatraw (1:315/6) states that there may be two pirated commercial
  fax programs floating around under the filenames FAX and PC_FAX.  The
  archives he reported on were in ARJ format and were 447,693 and 101,089
  bytes long, respectively.  The file dates were Dec. 4, 1992, and May 26,
  1992 - no way to tell if the BBS "touched" the filedates.  Lowell is also
  not sure which commercial products these may be.  If you happen to run
  across one or both of these, please look inside them - if they are
  commercial, please let me know (after you delete your copies, of course!
  <g>).


  A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13)
  states that he had a user upload a file called TAG-NFO, which turned out
  to be a Trojan.  No details about the Trojan were given, so any
  confirmation of this would be appreciated.


  HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
  Conference about two files.  The archives, called PHOTON and NUKE, are
  possibly droppers, containing a file called NUKE.COM which "will trash
  your HD."

  Pat Finnerty (1:3627/107) sent a reply to the last report of this,
  stating that he has a copy of a PC Magazine utility called NUKE.COM,
  which is used to remove subdirectories which contain "nested subs,
  hidden, read-only (you name it)."  He says that the command NUKE C:\ will
  effectively delete everything on a hard drive, with no chance of repair.
  This is merely the way the program is designed.

  I do not know if this is what happened in Mario's case, or if Mario
  actually found a copy (read: isolated incident) which was infected. Bill
  has asked Mario for further information, and I would like to echo his
  call for help.  If you know of this, please lend a hand.


  Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
  echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
  Rich Bongiovanni.  Rich reports that there is a file floating around
  called DEMON WARS (archive name DMNWAR52) that is "infected with a
  virus."  If true, this may be an isolated incident.  I would appreciate
  confirmation on this.


  Greg Walters (1:270/612) reports a possible isolated incident of a
  problem with #1KEEN7.  When he ran the installation, he began seeing on
  his monitor "what looked like an X-rated GIF."  The file apparently
  scanned clean.  Any information on similar sightings would be
  appreciated.


  A report from Todd Clayton (1:259/210) concerns a program called
  ROBO.EXE, which he says claims to apparently "make RoboBoard run 300%
  faster."  He says he has heard that the program fools around with your
  File Allocation Table.  I have not heard any other reports of this, so I
  would appreciate some confirmation from someone else who has seen similar
  reports.


  Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
  possible hack of FEBBS called F192HACK.  I have not seen this file, nor
  has the author of FEBBS, Patrik Sjoberg (2:205/208).  He forwards the
  file sizes in the archive, reported here:

        Name          Length      Mod Date  Time     CRC
        ============  ========    ========= ======== ========
        FEBBS.EXE       220841    09 Mar 92 21:17:00 96D2E08D
        014734.TXT        1403    26 Aug 92 01:59:18 3B9F717F
        ============  ========    ========= ======== ========
        *total     2    222244    26 Aug 92 01:59:24

  Kelvin says the .TXT file is just an advert for a BBS, so it is "not
  relevant!".  As I said, the author of FEBBS has never seen this file, so
  I've asked Kelvin to forward a copy of it to him.


  Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
  Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley,
  the author of Maximus, says he did not write any programs that have these
  names, but he does not know whether they are or are not legitimate third
  party utilities.  I have requested further information from Andrew on
  this topic, and would appreciate anyone else's information, if they have
  any.


  Yet another short warning comes from David Bell (1:280/315), posted in
  the FidoNet SHAREWRE echo, about a file called PCPLSTD2.  All he says is
  that it is a Trojan, and that he got his information from another
  "billboard" and is merely passing it on.  Again, please help if you know
  what is going on here.


  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.


  Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
  Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
  whether or not Mr.  Mills had seen the file.  Mr. Jung has stated that
  this is not a legitimate release number.  It is possible that the
  references Greg saw about 2.33 were typos, but you never know.  Please
  help your Hack Squad out on this one - if you see it, report it.

  =========================================================================

                           The Meier/Morlan List

  Here is the current status of the files contained in the Meier/Morlan
  List.  This is the last month for requests for information on this part
  of The Hack Report, as I have placed a deadline of September 30th on the
  files in this list.  They've been reported for quite some while now, and
  the verifications have slowed to a trickle.  If the files listed below
  can't be verified in time for the October issue, I will need to write
  them off as false alarms.


            === Previous comments on the files in the list: ===


  Shane Paul of Softdisk Publishing (RIME, via HW Richard Steiner),
  comments on the SLORDAX game:

    "If the SLORDAX game if by Gamer's Edge and copyrighted by Softdisk
     then it is a pirated copy."

  I can't be sure that this is the case, so the file stays on the list
  until someone can verify this.


  Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
  Simulator by Mindscape, Inc.  He says that he hasn't seen anything from
  them in quite a while, and doesn't know if the company is still in
  business.


  Here are the remaining unresolved reports from HW Emanuel Levy:

  "387DX  - sounds like a Math Co-Processor emulator - might be legit

  "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
  down the screen to patrons and then have to pick up the returning mugs
  and they leave tips, then it is Tapper. Or it may be an OLD game
  published in Compute Mag. If it is the one from Compute only those who
  have the Compute issue with the game in it are allowed to have a copy.

  "Harrier is either Harrier Jiump Jet or Space Harrier from Sega wich came
  out for the Commodore 64 in 89 so I would assume it came out for IBM
  around then too.

  "Gremlins- There was an Gremlins Text Adventure and a Video Came for the
  computer. The video game was put out by Atari

  Thanks, Emanuel.


  For those who have missed it before, here is what is left of the list of
  files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
  of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system.  Joe
  says Wes keeps a bulletin of all rejected files uploaded to him and the
  reasons they were rejected.  Joe also says he cannot confirm or deny the
  status of any of the files on the list.

  There are some that I am not familiar with or cannot confirm.  These are
  listed below, along with the description from Wes Meier's list.

  Due to the unconfirmed nature of the files below, the filenames are not
  included in the HACK????.COL and HACK????.IDX files that are a part of
  the archive of The Hack Report.  I would appreciate any help that
  anyone can offer in verifying the status of these files.  Until I receive
  verification on them, I will not count them as either hacks or pirated
  files.  Remember - innocent until proven guilty.

  My thanks go to Joe and Wes for their help.

        Filename  Reason for Rejection
        ========  =============================================
        BARKEEP   Too old, no docs and copyrighted with no copy
                  permission.
        HARRIER   Copyrighted.  No permission to copy granted.
        SLORGAME  Copyrighted.  No docs.  No permission to copy
                  granted.
        NOVELL    Copyrighted material with no permission to
                  BBS distribute
        DRUMS     I have no idea if these are legit or not.  No
                  docs.
        GREMLINS  No documantation or permission to copy given.
        CLOUDKM   A hacked commercial program.
        MENACE    Copyrighted.  No docs.  No permission to copy
                  granted.
        SNOOPY    Copyrighted.  No docs.  No permission to
                  copy granted.
        SLORDAX   Copyrighted.  No docs.  No permission to
                  copy granted.
        ESCAPE    Copyrighted.  No docs.  No permission to
                  copy granted.
        BANNER    Copyrighted.  No docs.  No permission to
                  copy granted.
        387DX     Copyrighted.  No docs or permission to
                  copy granted.
        WINDRV    Copyrighted.  No permission to copy granted.

  =========================================================================

                                  Help!!!

  Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
  The Hack Squad for testing/verification please re-identify themselves via
  NetMail?  Somehow, your message went to the great Bit Bucket in the sky.
  Thanks in advance!

  =========================================================================

                         Clarifications and Thanks

  Folks, the LHA mystery has finally been resolved, thanks to Scott Fell
  (1:124/6119), Steve Quarrella (1:124/9005), and Kenjirou Okubo, the
  support person for LHA.  Your Hack Squad finally received the Internet
  address for Kenjirou Okubo (kenjirou@mathdent.im.uec.ac.jp), and managed
  to verify Scott Fell's own contact, relayed via Steve.

  If you recall, Onno Tesink (2:283/318) found a file called LHA255B.  This
  claims to be version 2.55b of the LHA archiver, with a file date in the
  executable of 12/08/92.  Onno's report was the one that started the
  search.

  Kenjirou knew of this version and verified its legitimacy.  He also
  provided some other very helpful information, which is best relayed by
  quoting his message to me:

       "For DOS, currently lha256a1 is under testing in a closed
       circle for networking environment. After LHA213, dos5 appeared
       in Japan and Yoshi started his series LHA25x series. The two
       versions you mentioned seem to fall under this series. The
       latest version which might be distributed by me is LHA254 for
       people who wants to test -lh6- algorithm."

  He went on to provide the following information on how to verify your
  copy of LHA:

       "Any version ending with LHA25xb is a beta test version, and
       LHA25xa is for a limited circulation. To test whether these
       files are legitimate release either from Yoshi or me, please
       use -t option to check two dimensional CRC self-validation
       check. We believe our test will check the validation with
       10E-38 % of error probability."

  From my own testing, here is the best way to run the verification:

    1.  Extract LHA.EXE from the suspect archive and place it in an
        empty subdirectory that is not on your path.  (example:
        c:\foo\lha.exe).

    2.  Change directories to the one which contains a known good copy
        of LHA.EXE.

    3.  Execute the command LHA t drive:\path\LHA.EXE.  Using the above
        example, your command line would look like this:

                C:\LHADIR>LHA t C:\FOO\LHA.EXE

  This will execute the known good copy of lha, which will test the suspect
  copy and report whether or not the file "appears" to be the original or
  not.  Even though the older LHA is doing the testing, it will be able to
  verify the newer copy.

  Please note that Scott Fell's information was that the author does not
  want these copies distributed.  However, it seems that the folks working
  on LHA are aware that some betas have "escaped" into circulation.  In
  other words, use any betas _entirely_ at your own risk.

  Scott and Steve have my undying gratitude for helping to lay this to
  rest, most notably by locating Kenjirou's Internet address and following
  through on it.  Thanks from all of us!

  *************************************************************************

                                Conclusion

  If you see one of the listed files on a board near you, it would be a
  very friendly gesture to let the SysOp know.  Remember, in the case of
  pirated files, they can get in just as much trouble as the fiend who
  uploads pirated files, so help them out if you can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed as "confirmed"
  from their boards.  I can not and will not take any "enforcement action"
  on this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  On the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

                            Bill Lambdin
  Moderator: Intelec (PC-Security/Share Ware) Compulink (PC-Security)
  Wild Net (Virus) WME Net (PC-Security)

  Internet: Hreport@aol.com
            vfreak@aol.com