home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware 1 2 the Maxx
/
sw_1.zip
/
sw_1
/
TEXT
/
HACK1092.ZIP
/
HACK1092.RPT
< prev
Wrap
Text File
|
1992-10-07
|
78KB
|
1,557 lines
=========================================================================
||
From the files of The Hack Squad: || by Lee Jackson, Co-Moderator,
|| FidoNet International Echo SHAREWRE
The Hack Report || Volume 1, Number 22
for October 1992 || Report Date: October 7, 1992
||
=========================================================================
Welcome to the twenty-second issue of The Hack Report. This is a series
of reports that aim to help all users of files found on BBSs avoid
fraudulent programs, and is presented as a free public service by the
FidoNet International Shareware Echo and the author of the report, Lee
Jackson (FidoNet 1:382/95).
| First, a personal note: this past month has been particularly bad for
| the staff here at Hack Central Station. For the first time in recorded
| history, the full report came out after its deadline, due to my catching
| a case of the flu that has had me bedridden for almost a solid week. If
| I have left anyone's reports out of this issue, please notify me so I can
| correct the situation in next month's release.
|
| To anyone who tried to download the report on its scheduled date, I
| extend my full apologies. Of course, there are new reports to share this
| month as well, so thanks to everyone who has helped put this report
| together, and to those that have sent in comments and suggestions.
NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
your BBS, subject to these conditions:
1) the latest version is used,
2) it is posted in its entirety, and
3) it is not altered in any way.
NOTE TO OTHER READERS: The Hack Report (file version) may be freely
uploaded to any BBS, subject to the above conditions, and only if you do
not change the filename. You may convert the archive type as you wish,
but please leave the filename in its original HACK????.* format. The
Hack Report may also be cross-posted in other networks (with the
permission of the other network) as long as it meets the above conditions
and you give appropriate credit to the FidoNet International Shareware
Echo (and the author <g>).
The idea is to make this information available freely. However, please
don't cut out the disclaimers and other information if you use it, or
confuse the issue by spreading the file under different names. Thanks!
DISCLAIMER: The listings of Official Versions are not a guarantee of the
files' safety or fitness for use. Someone out there might just be
sick-minded enough to upload a Trojan with an "official" file name, so
>scan everything you download<!!! The author of this report will not be
responsible for any damage to any system caused by the programs listed as
Official Versions, or by anything using the name of an Official Version.
*************************************************************************
Editorial
| I would like to take this opportunity to explain a bit of the theory
| behind The Hack Report. I feel this is necessary, since it seems that
| some folks may not completely understand what a listing in this report
| actually implies.
|
| Shareware authors distribute files by several different means. There are
| networks for file distribution, major nationwide download systems and
| BBSs, and, of course, the old reliable "upload the file to as many BBSs
| as you can" system. All of these methods, to some degree, depend on
| users taking the authors' files and further distributing them to
| non-networked, independent BBSs.
|
| In the course of human events (sorry, Mr. Jefferson), some users may
| decide to download a perfectly legitimate archive, unpack it, add a virus
| or other harmful code (some go as far as replacing the executables
| completely), and uploading the file somewhere else using the original
| archive name.
|
| When this happens, a bad archive is born. The authors of the original
| program usually are not aware that a tampered version of their file has
| entered circulation. However, their legitimate archive now has to
| compete with a fraudulent version.
|
| A situation of this type is what I call an "isolated incident" of a bad
| archive. It is a prime target for inclusion in The Hack Report, since it
| has the potential to do major damage to an unsuspecting user. However,
| this is also where the problems begin.
|
| Recently, there have been occasions where I have listed such an
| incident, and have received a swift and heated response from either the
| author, a user, or both. Authors have assumed that I have accused their
| own work of being infected, defective, or hacked in some way. Users have
| stated that I should go to the source (as they have done), since the
| listed release is in fact legitimate.
|
| >I do not intend to imply that a listing in The Hack Report is an
| >accusation of all files being distributed under the name in question.
| >With the exception of known single-purpose Trojans and Pirated Files,
| >this has never been my intention.
|
| This report is published as a service to users and authors of shareware,
| as well as BBS operators. I do not publish it to attack anyone's
| favorite files, nor to smear the good name of legitimate programs. I do
| it to alert everyone of potentially dangerous files, including "isolated
| incidents."
|
| If an author sees their program listed in the report, I suggest that they
| do everything they can, as soon as possible, to help the public avoid the
| bad archive. If the version listed as bad happens to be the same as the
| current legitimate version, please don't take it as an incrimination of
| the good archive. As I state in the disclaimer section, Someone out
| there might just be sick-minded enough to upload a Trojan with an
| "official" file name, so >scan everything you download<!!!
|
| And, at the same time, please don't shoot the messenger.
*************************************************************************
Hacked Programs
Here are the latest versions of some programs known to have hacked copies
floating around. Archive names are listed when known, along with the
person who reported the fraud (thanks from us all!).
Program Hack(s) Latest Official Version
------- ------- -----------------------
Aliens Ate !ALIENS K6DEMO
My Babysitter
Reported by: Christopher Baker (1:374/14)
ARJ Archiver ARJ250 ARJ230
Reported by: Tommy Vielkanowitz (also ARJ239A, a beta test)
(1:151/2305)
AutoMenu AUTO48 AUTO47
Reported by: Tony Blair (WildNet)
via Ken Whiton (1:132/152)
Verified by Marshall Magee, Magee Enterprises, Inc.
CatDisk CDISK510 CDISK632
CDISK530
CDISK661
Reported by: Jeff Kaplow (1:120/234)
| CompuShow CSHOW801 CSHW850A
CSHOW831
CSHOW851
Reported by: Paul Brazil
CSHOW91
Reported by: Harold Stein (Wildnet)
(Note: Any version ending with a B, such as CSHW841B, is _not_
a shareware version. This is the enhanced version received
with the user's registration and is not to be distributed.
Consider all B archives to be pirated copies.)
HS/Link HSLK113 HSLK112
Reported by: Samuel H. Smith, Author
Las Vegas EGA Casino (unknown)
Reported by the author, Diana Gruber, in the ILink net,
relayed by Richard Steiner (1:282/85)
(Note: a version of this program sold through Gemini
shareware outlets with the title screen "Special GEMINI
game disk" and a version calling itself the "Ledyard$
EGA Casino" have been distributed. No archive names
have been supplied yet.)
LHA Archiver LHA214 LHA213
Reported by: Patrick Lee (RIME address RUNNINGB)
LHA300
Reported by: Mark Church (1:260/284)
List LIST8 LIST76B
LIST18
Reported by: The Hack Squad (from the Buerg BBS)
Math Master MATHMSTR M-MST301
Reported by: James Frazee (1:343/158)
PKZip PKZIP120 PKZIP110
| PKZ199B
| Verified by Mark Gresbach, PKWare
PKZIP20B
PKZIP_V2.EXE
Reported by: Mike Burger (WildNet)
via Ken Whiton (1:132/152)
Reported by: Fred Towner (1:134/73)
PKZ201.ARJ
Reported by: Frank Pizer (5:71/0)
PKZ201.ZIP
PKZ201.EXE
Reported by: Jim Westbrook (1:382/29)
| PKZ202
| Reported by: Scott Drake (1:107/900)
| PKZ305
| Reported by: Scott Raymond (1:278/624)
PKX201.EXE
Reported by: Bill Logan (1:300/22)
PKZ210F.EXE
Reported by: Bert Bredewoud (2:281/703)
PKZIPV2
(Claims to be v2.2 of PKZip - reported via PKWare Tech Support)
PKUNZIP.COM
Reported by: Harold Stein, via Ken Whiton
PKZIP203.EXE
Reported by: Mark Clark (2:440/107)
QEdit Advanced XEDIT QEDIT215
Reported by: Sammy Mitchell, Author
(thanks to Rand Nowell and Joe Morlan for relaying the report)
QEDIT500
Reported by: Onno Tesink (ILink, via Richard Steiner, 1:282/85)
Qmodem QM451 QM452TD
Reported by: Bill Lambdin, via Arthur Shipkowski (1:260/213.2)
Shez SHEZ72A SHEZ80
SHEZ73
Reported By: Bill Lambdin (1:343/45)
Telegard TG29EALP Telegard 2.7
Reported by: Karen Maynor (1:3640/5)
(Found on the NightOwl CD-ROM disc version 5.0)
TG30
Reported by: Doug Sorber, via Martin Pollard (1:120/187)
JIGSAWV2
Reported by: Tommy Smith, via Mark Evans (formerly 1:382/87)
Telix Telix v3.20 Telix v3.15
Telix v3.25
Reported by: Brian C. Blad (1:114/107)
Peter Kirn (WildNet, via Ken Whiton)
Telix v4.00
Telix v4.15
Reported by: Barry Bryan (1:370/70)
Telix v4.25
Reported by: Daniel Zuck (2:247/30, via Chris
Lueders (2:241/5306.1)
MegaTelix
Verified by Jeff Woods, Exis, Inc. (now deltaComm), in the TELIX
echo, who also states that there will be _no_ commercial
release titled Telix 4.0. He states the next release of Telix
will be under a "modified" form of the name Telix, which has not
been decided upon yet. Any version with a number higher than
3.15 and claiming to be shareware can be considered a confirmed
hack, unless reported here otherwise.
Telix Pro
| Reported by: Jason Engebretson (1:114/36), in the FidoNet TELIX echo
TheDraw TDRAW430 TDRAW451
TDRAW500
Reported by: Ian Davis, Author
TDRAW550
Reported by: Steve Klemetti (1:228/19)
TDRAW600
Reported by: Hawley Warren (1:120/297)
THEDR60
Reported by: Larry Owens (PDREVIEW echo, 1:280/17)
TDRAW800
Reported by: James Carswell (1:153/775)
Turbo Antivirus Version 9.00b Version 8.10
Version 9.01a
(Archive names unknown)
Reported by: Thomas Ruess (2:246/24)
ViruScan SCAN92 SCAN95B
Reported by: Don Dunlop (1:153/715)
X00 Fossil X00V130 X00V124
X00V130J (also official is
X00V149A, a beta
test of an OS/2 ver.)
*** More Hacks
Bill Lambdin (1:343/45), host of the Intelec Virus Info conference, sent
a list of versions of McAfee's ViruScan (better known as just SCAN) that
have been hacked. Here are the version numbers he sent:
SCAN74 SCAN81 SCAN88
SCAN78 SCAN83 SCAN92
SCAN79 SCAN87 SCAN96
More information on ViruScan can be found in The Trojan Wars section.
HackWatcher Bill Dennison saw a copy of the PKZ201.EXE file mentioned
above, but with a twist: when he used the file view feature of the BBS
he saw it on, he saw that the file was not a PKZip SFX (self-extracting)
file, but was an LHA SFX (using -lh5- compression). This, folks, is a
bit of a giveaway. PKWare isn't likely to use any archiver other than
ZIP to distribute their next release.
Chris Lueders (2:241/5306.1) reports that a file calling itself VPIC50DT
is a hack of version 4.5 of the VPic graphics file viewer. Specifically,
the 5.0dt file ("dt" indicates a German language edition, per Chris) is a
hack of the English version 4.5. At the time of the report, version 5.1
was the latest official release, but a legitimate version 5.0 was
released. Just be careful: if your copy of VPic starts up in German,
delete it.
Zone 2 (especially UK) users might want to watch out for a disk being
distributed by Personal Computer World magazine. Shakib Otaqui (2:
440/74) reports that all of the files on the August issue's "free" cover
disk are zipped using the PKZip 1.93 alpha test release, and that the
version of PKZip distributed with the disk is the hacked version 2.01.
The PKZip 2.01 file is 19793 bytes, dated March 15, 1992, and is PKLited
with the extra compression (non-expandable) option. Shakib tested the
file and confirmed that it is a simple hack with no viral or Trojan code.
Finally, here's one I'm not sure how to handle: It's a hack, but it
appears to be a hack of a commercial program. HackWatcher Frank Pizer
has found a hack of a program called BitFax. The hack, calling itself
ZIPFAX.ZIP (at 146320 bytes), has been altered so that all occurrences of
the word Bit with the word Zip. The archive contains configuration files
with the words "Technopoint - Avi Miller" in them. Thanks to Frank for
the report from Zone 5: let's hope the rest of us can keep it from
spreading beyond there.
=========================================================================
Hoax Alert:
Finally, the news we've all been waiting for: Bill Logan's test results
on Xtratank. If you recall, Mr. Logan, an agent of McAfee Associates,
agreed to test out this file to see once and for all if it really works,
or if it is a hoax.
Bill tested the program on two IBM compatible computers and one AT&T XT
clone. The PC Clones were 286s, one with a 40meg IDE hard drive, the
other with a 40meg MFM hard drive. The AT&T had a 10meg hard drive.
To weed out possible clashes with DOS versions, the test was repeated on
each computer using 4 different DOS flavors: MS-DOS 3.30, IBM DOS 3.30,
MS-DOS 4.01, and MS-DOS 5.0.
The hard drives were formatted and Xtratank was installed on each. The
PC Clones now reported that their drive capacity was now doubled. The
AT&T XT did not, since it was not a true IBM compatible. Bill then
attempted to copy 80 megabytes of raw, non-compressed files from floppy
disks onto the hard drives. All of the hard drives ran out of disk space
after only 40 megs of files had been copied.
The testing did not reveal any viral or Trojan code. To quote Bill, "It
is our opinion that this program is simply nothing but a hoax."
(However, see the ???Questionable Files??? section for more on this.)
In addition to Bill's testing, Gary Weinfurther (1:120/301) sent a
summary of his disassembly of the programs in the archive. He found that
the XTRATANK.EXE and the XTRATANK.COM files contained the exact same
code, with one padded with "garbage" that made it look larger. The code
is designed to intercept the DOS 21h interrupt, function 36h, which is
for determining free space on a drive. Xtratank then doubles the result.
None of the warning messages in the docs are present in the files, and no
check is performed to see if it could be correctly installed. Gary says
that since it is a simple interrupt-intercept TSR, "it can be
successfully installed every time." He suggests (humorously) that
installing it twice would theoretically result in a report that your hard
drive space had quadrupled.
This should settle the debate once and for all - XTRATANK IS A HOAX AND
DOES NOT ACTUALLY WORK. All of Bill's and Gary's results completely
verify the Fitzgerald Test results, so if you _still_ don't believe it,
run the test for yourself.
*** The Fitzgerald Test
Here is the now-famous Fitzgerald Test, devised by Tim Fitzgerald of
1:3800/18.0 and validated by Bill Logan's test results. Try this if you
think you have managed to get XTRATANK to work on your system. Follow
these simple steps:
1. Run CHKDSK and write down the free space it reports as free.
2. Do a DIR command and write down what XTRATANK reports.
3. Copy any text file to a new text file.
4. Repeat steps 1 and 2, and compare.
You will see that XTRATANK reports that twice as much disk space is taken
up by the new text file.
Scott Raymond (1:278/624), who runs an Alpha Test site for the Telegard
BBS package, reports a hoax version of Telegard called TG27E. It claims
to be an upgrade of Telegard 2.7, but Scott says, "it is nothing more
than Telegard 2.7 Standard." The archive contains four LHA SFX files
that are meant to be extracted over an existing Telegard installation.
In short, it completely overwrites your current setup with a different
one. Scott says the main TELEGARD.EXE file is exactly the same as the
official release - no evidence of hacking was found.
According to Scott, true upgrades to Telegard will "NEVER destroy an
existing configuration and replace it with a different one - especially
one with a horrendous color combination that looks like a bad acid trip."
Other previously reported hoaxes:
Filename Claimed use/Actual activity/Reporter(s)
------------ ---------------------------------------------------------
2496 This, and all files that claim to run a 2400 bps
modem at 9600 or 14400 bps, are hoaxes. If you
follow their instructions, you will have a 0 bps
modem. Reported by several people.
AMIGA Claims to allow IBM/Clones to read Amiga Workbench
Disks: displays a picture of an Amiga Workbench disk
on your screen, then spins your A: drive and locks
your system. From Suriya Matsuda, Jacob Kanafoski
(1:3613/4), Derek Vanmunster (1:229/418), and Jeff
Hancock (1:3600/7).
BIMOD126 Claims to be version 1.26 of BiModem - actually v1.24
renamed and re-archived.
HIMEM500 Looks like v5.00 of the HIMEM.SYS driver from MS-DOS and
Windows, but is actually v3.07 with the numbers changed.
Pirated as well (HIMEM.SYS is not shareware). From
Joe Morlan (1:125/28) and Mike Bray (RIME address COFFEE).
MAXRES Claims to "check your graphics interface and show you
resolutions of your interface card." Elaborate hoax
that lists the author as Samuel H. Smith (of HS/Link
fame). Mr. Smith has confirmed that he did not write
this program. Possible Trojan, but no Trojan activity
has been reported.
SPEEDUP Claims to increase system clock speed - instead doubles
the length of each second and resets the system clock to
use 30 of the new seconds each minute. From Kim Miller
(1:103/700).
WOLFXXX Claims to patch your copy of Wolfenstein-3D to version
1.3. No such version exists. Also has a fake address
that you are asked to send money to. From Jay Wilbur of
Id Software (1:124/6300).
=========================================================================
The Trojan Wars
| This past month saw the birth of more droppers than actual Trojans, but
| there's no relief to be had in that news - both are equally dangerous. As
| always, I strongly recommend that you take time and read this section
| very carefully - the hard drive you save may be your own.
| HackWatcher Nemrod Kedem reports that a Trojan version of a RemoteAccess
| BBS utility, RANEW_16, was sighted in his area over the past couple of
| months. He did not give specifics, other than it had caused damage to RA
| BBS systems and that the executable file was about 12K larger than the
| legitimate version of the file. This is another one of those "isolated
| incidents," that Nemrod says was taken care of before it got out of his
| country. Look out, though, just in case a copy slipped through.
| Last month's report forwarded by Troy Dowding about REGLITE brought in
| some further information, forwarded by Bill Dennison (1:273/216). One
| message forwarded from Bill Baer of the ILink Shareware conference (via
| Larry Dingethal) says that the file contained only an executable file,
| with no docs. Another message from John Cline gives further info on the
| virus that infected the REGLITE file, called "Particle Man." It
| increases the size of a .com file by 690 bytes (no info on .exe files),
| and is not detectable by SCAN v95.
|
| John says you can make SCAN detect it, using the following procedure:
|
| First make an ascii consisting of the following line:
|
| "b94201313583c702e2f9" Particle Man
|
| Type the line exactly, including the quotes, and save the textfile with
| filename VIR.TXT to the same subdirectory that contains SCAN, next run
| with the following command line:
|
| scan c: /ext vir.txt
|
| You can replace "c:" with any drive letter you want to check.
|
| The above scan string will detect the virus after it has started to
| replicate, but before it starts overwriting files in all your
| directories.
| In another update from last month, concerning the report from Rajeev Seth
| (1:250/328) about TGCHAT21, Todd Clayton (1:259/210) says he can confirm
| the file's destructive abilities. Todd says the program tried to format
| the first 300 tracks of his hard drive. Fortunately, he avoided damage.
| You can, too, by avoiding this file.
| HackWatcher Ken Whiton forwards a message from a SysOp named Richie
| Molinelli (via Harold Stein) about a supposed RBBS patch called PROTOFIX.
| The version of this archive that Richie found claimed to correct a "flaw"
| in RBBS. However, one of Richie's users claims this file destroyed his
| FAT and wiped out some files.
| Gary Madison (2:259/22) and Howard Wood (address unknown) have found a
| copy of a game called Corewars that seems to be infected with the Dark
| Avenger [DAME] virus. The archive, CORWP22, contains a file (CORE.EXE)
| that McAfee's SCAN v95 reports as having the DAME virus. This may be an
| isolated incident, so don't delete your copy until you scan it
| thoroughly.
| Brian Sterrett (2:255/34) reports in the FidoNet VIRUS echo that an
| archive called SPARKS that was uploaded to him contained a virus called
| ICE-9. The virus is a .com file infector, which adds 639 bytes to the
| file. The archive in question may be a single incident, so again, scan
| before you delete. If your copy is clean, keep and distribute in good
| health.
HackWatcher Richard Steiner forwarded a message from Eric Hamel (RIME
address SOFTC, Shareware Conference) about the file MSTLST10. A user of
a board local to Eric found the file, described as "like Sidekick, only
better," and downloaded it. An INSTALL.BAT file in the archive had
references to copying the command interpreter. Eric ran the install
program, and wound up with an overwritten command interpreter - the file
MASTLAST.COM had been copied to his root directory and had been renamed
to the same name as what was pointed to in his COMSPEC setting.
Another forwarding from Richard involves a report from Steve Bogacz of
the Rice Lake PCUG (via George Goza, ILink (Channel 1 BBS)). Steve found
a file called FLIP-IT that contains a variant of the Wisconsin virus. No
file description was given. Here comes the sermon again - SCAN
EVERYTHING YOU DOWNLOAD. Before you run it, preferably.
| Malte Eppert (2:240/500.6) forwarded a message into the FidoNet
| DIRTY_DOZEN echo from Dick Hazeleger about EARLYWA, an "AV warning
| program." He ran the main program, DAILY.COM, after scanning it with
| McAfee's SCAN95 and getting a clean result. The program crashed when it
| tried to invoke the DOS DEBUG program, which Dick doesn't have on his
| system. After this, he checked the file using Fridrik Skulasson's F-Prot
| virus scanner in "Heuristic" mode, and received the message, "...the
| first 71 bytes of this program contain a primitive virus." (See the
| clarifications section for further information.)
Matthew Peddelsden (2:440/302) has received a report of a virus in a copy
of the GSZ ZModem protocol driver archive by Chuck Forsberg. He says
that "running any file in the archive will infect the file COMMAND.COM,
and subsequent program (sic) that is run is infected so that it is
corrupted and when run simply displays rubbish on the screen and beeps
madly out of the speaker." Matthew received an archive listing from the
person whose system was infected by this. Here's the info:
Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- ------ ---- ----
76 Shrunk 72 6% 13-12-91 13:32 0a33cf32 --w DS.BAT
340 Implode 287 16% 13-12-91 13:35 631a91b6 --w FIX.BAT
110 Shrunk 98 11% 13-12-91 13:27 6836df0d --w RZ.BAT
36 Shrunk 31 14% 13-12-91 13:22 d8d5d2f9 --w SZ.BAT
151 Shrunk 140 8% 13-12-91 13:27 b5400e97 --w ZDOWN.BAT
123 Shrunk 115 7% 13-12-91 13:27 5cffa510 --w ZMODEMAD.BAT
116 Shrunk 106 9% 13-12-91 13:28 c38f9bfe --w ZMODEMD.BAT
134 Shrunk 123 9% 13-12-91 13:28 89aeacd7 --w ZMODEMDR.BAT
140 Shrunk 123 13% 13-12-91 13:28 eeba3b6f --w ZMODEMU.BAT
59 Stored 59 0% 13-12-91 13:28 3eedc27b --w ZUP.BAT
898 Implode 683 24% 24-11-90 04:20 07d84f0d --w DSZ.10
71424 Implode 42742 41% 27-04-92 15:00 ccda0966 --w GSZ.EXE
33936 Implode 21315 38% 26-04-92 08:44 cd04b5ea --w GCOLORS.EXE
130736 Implode 45830 65% 27-04-92 15:38 ead89b23 --w GSZ.DOC
3067 Implode 1230 60% 27-04-92 15:03 da90ea8b --w MAILER
------ ------ --- -------
241346 112954 54% 15
His source says the virus is in both GSZ.EXE and GCOLORS.EXE. McAfee's
SCAN95B doesn't detect it, but they have been informed. The virus
contains the string, "APACHE WARRIER," along with a few others.
It seems very unlikely that this infected copy originated from the
author: it is almost certainly a situation where someone else down the
line unpacked the archive, infected the files, re-archived them, and
uploaded the bad archive to a BBS. If you have _any_ qualms about the
copy of GSZ that you find, you can always go to the source and download a
copy from Chuck Forsberg's BBS.
Scott Scoville (1:282/3006) reports DOS501, described as a beta version
of MS-DOS with some new features for Windows 3.1. A friend of Scott's
loaded the file on a spare computer and found that it contains a variant
of the DISKILLER virus.
Cal Gardner previously reported a file called 800II224, claiming to be
version 2.24 of the 800 II disk formatting program. He did some testing,
disabling his hard drive from the CMOS and booting from a floppy. When
he ran the program, it deleted all files on both drive A and drive B.
His information is that the latest version is v1.80. The author, Alberto
Pasquale, is in Italy according to Isaac Salpeter (1:3612/210), so he is
a bit difficult for me to contact. However, the behavior of the file Cal
found leads me to believe he has located a Trojan copy.
John Wagner (1:209/760), the author of IMPROCES, reports that his program
has been the victim of a Trojan version. The Trojan is in a file called
IMPROC50.*, which is actually v3.1 of IMPROCES that has been "infected
with about 10 viruses" according to a report received by John. John also
reports that his source said the file "waxed" a hard drive when it was
run. For the record, the latest version of IMPROCES is 4.0, so avoid any
higher numbers.
Bryan Nylin (1:343/116) reports a Trojan version of SCAN95 that has the
SCAN.EXE file in the archive replaced with a SCAN.COM file. Bryan says
this wipes out your boot sector and media descriptor byte, then
overwrites the FAT and data areas with a continuous stream of the string
"NOT!NOT!NOT!NOT!NOT!NOT!" (and so on). Sounds like this was written by
a bored programmer who watched Wayne's World once too often.
Note that this seems to be an isolated sighting: McAfee did in fact
release a valid SCAN95. They also released v94b, a beta test, but
skipped over that version number due to a report of a Trojan version
found in Mexico. The latest official version is SCAN95B.
Bill Lambdin (1:343/35) forwards a message from Phil Helms of the
CircuitNET Virus Conference. The file in question, ATTRUE.*, is listed
as "a DOS utility to change file attributes." Instead, one of the
internal files (README.COM) deletes all .EXE and .COM files in your DOS
directory and tries to do the same to your .SYS and .BAT files in your
root directory. Phil says it looks like another compiled .BAT file.
Please note that Phil did _not_ run the actual program file in the
archive (i.e., ATTR.COM). This program may be legitimate, and simply was
archived along with a Trojan README.COM file. The safest way to avoid a
problem like this is to look inside any README.COM file with a file
viewer (such as PC Tools VIEW or Buerg's LIST) before you run it. Most
of these will have readable text strings that look like documentation
inside them. If yours doesn't, be careful with it.
Enoch Ceshkovsky (RIME Shareware Conference, address NSTTZ) found a file
called ENVIRED.* that claims to be a DOS Environment Editor. However,
the copy that Enoch found was infected with a strain of the Family virus.
I'm not sure if the file is a legitimate program, since I'm not familiar
with it. Either way, this is a single sighting: the virus in it can be
detected by SCAN v93 or higher.
Michael Mac Nessa (1:2250/2) reported in the AMIGA_PDREVIEW echo on an
attack by a file called DW171.LHA. This was described as "the best
directory utility" ever seen by the uploader. The file claims to be a
program called DirWork, version 1.71.
The program checked clean for viruses, so Michael ran it and got a grey
screen and nothing else. After 30 seconds of this, he rebooted. On
bootup, his dh0: drive started to access rapidly, and he was then asked
by his system for dh1:, a drive he didn't even have.
Fortunately, his boot drive setup uses a different setup (not booting
from dh0), so his boot drive survived the attack. However, his File:
hard drive was wiped out.
I apologize if I have massacred Amiga terminology, so please correct me
via NetMail if I'm wrong on any of the drive names. For the record,
however, this Trojan has been verified by the author of DirWork, Chris
Hames (via Robert Poole, 1:142/886). The latest version is 1.62.
Michael Nelson (1:125/20) received a file called FAST!.*, an apparent
pirate of the commercial disk cache program FAST!. However, upon further
inspection, this really looks like a Trojan. The archive contains the
following files:
NAME SIZE DATE TIME
------------------------------------
README ANS 320 01/01/80 02:25
INSTALL COM 1459 03/26/92 19:08
FAST DAT 20927 03/26/92 19:14
FAST TXT 588 03/26/92 19:00
The text file says the installation is slow, since it has to check every
program on your hard drive. A look inside the .COM file reveals the line
"REN fast.dat fast.com c: /q /u". The FAST.DAT file contains lines that
lead one to believe that this is an MS-DOS FORMAT.COM file, with added
commands that will try and format all of your drives. Both the
INSTALL.COM and the FAST.DAT file have gone through a batch file compiler
somehow, with the INSTALL.COM having a registration notice for the batch
file compiler.
Although Michael didn't run the program (smart move), he does suspect a
serious Trojan here. So do I.
Harold Stein (CompuServe address 72377,3075) forwards a report from a
SysOp in his area, Danny Swerdloff, about a file called JOKE.*. The file
is described variously as either "the best fake FBI database joke
available," or "a very believeable hard disk crash simulator." The
archive contains only two files: JOKE.BAT and JOKE.DOC. The doc file
reassures the user that the batch file is completely harmless. However,
the batch file contains the following lines:
c:
cd\dos
del keyboard.sys
format C:
This is a rather amateurish Trojan, and can be easily thwarted by giving
your hard drive a volume label. However, a better precaution is to
examine any strange batch file you are given before you run it, since
virus scanners do not look into batch files. That way, if you see the
word FORMAT in one, you can delete it before it hits.
An update on #1BLAST, reported in the last full issue of The Hack Report.
Rick Rosinski (1:239/1004) reports in the PDREVIEW echo that the SysOp
who was hit by it (Pete Kehrer) experienced some rather bad results from
it. In short, it overwrites your COMMAND.COM file and replaces it with
the characters "///", and writes similar garbage over your config.sys and
autoexec.bat files. It also creates several other files, all ASCII, with
characters like "////asdfasdf" in them. (In case you're wondering, look
at the four keys on the left side of the home row of your keyboard - the
letters are "asdf" on a standard Qwerty keyboard.)
This file at first looks like a real Apogee game - it even has Apogee's
catalogue in it. It is easy to repair the damage, but it's a shame that
someone would want to do this to another person's system.
Bill Lambdin (1:343/45) forwards a message from Reidar Lilleboth (ILink
OS/2 Conference) about TEDP090.ZOO. This appears to be an isolated
incident of a copy of the file being infected with the Maltese Amoeba
virus. TEDP090 is a small OS/2 text editor. If you see this file,
please scan it before running to make sure you have a clean copy.
HackWatcher Mikael Winterkvist (2:205/422) found a file named BREV.*,
described as "SysOps Sex Habits." However, this is a "device bomb,"
which contains the names of DOS devices in the archive. Similar to a
file reported in the full report, this is aimed at your CLOCK$ device.
When unarchived, the CLOCK$ is opened, and about 50K worth of the letter
A are written to your system clock. Irritating, and to be avoided.
Paul Drapeau (1:322/594) reported in the FidoNet VIRUS_INFO echo a new
virus called Power Pump. Normally, viruses by themselves are not
reported in The Hack Report/Update, but this is an unusual situation.
According to Paul's research, all droppers of this virus have a file in
their archives called POWER.EXE, with instructions to the user not to run
this file. He does not understand the connection, but the virus will not
run without the POWER.EXE file.
A few specifics on Power Pump: it doesn't actually attach its code to
files, but uses the "corresponding file" technique. It looks for .EXE
extension files, then creates a file with the same root name but with
a .COM extension. Since DOS executes .COM files before .EXE files, the
viral file (1199 bytes long) is run first, where it executes the viral
code and passes execution on to the corresponding .EXE file. The virus
also looks for empty directories: if it finds one, it creates a hidden
file called COM (with no file extension) that contains the viral code.
To date, Paul says the virus has been found in two archives (one of
SCAN89.ZIP and one of VSUMX204.ZIP). These may have been localized
occurrences, but be on the lookout for any file with a POWER.EXE file in
the archive.
Dan Christman (1:520/519) reported that there is a version of TheDraw
that contains "several viruses." He says to watch for a file within the
archive called THEDRAW.PCK. This file is only created after the program
is initially executed and is not part of the official archive. Dan gave
no filename for this dropper, but be on the lookout for any archive that
already has a THEDRAW.PCK file in it.
On this subject, Matt Weese (1:170/610) found an archive with the
THEDRAW.PCK file inside. However, his copy (archive version 5.00) was
not infected - merely hacked.
Just for the record (once again), the latest official release of TheDraw
is v4.51.
Please be aware that the PKZip v2.0B hack reported in the hack section of
this report could be a Trojan. According to the report filed in the
VIRUS_INFO echo by Fred Towner, the archive (an ARJ archive, no less(!))
had these files in it:
PKZIP20B.EXE
UNKNOWN.NFO
MUSTREAD.COM (archived with PKLITE)
WATCHME!.EXE (archived with PKLITE)
Fred was wise enough not to try and run any of these programs, so
Trojan activity has not been confirmed.
Other previously reported Trojans/Droppers:
Filename Claimed use/Actual activity/Reporter(s)
--------- -----------------------------------------------------------
240TOMNP Small file that trashes disks (no elaboration on symptoms).
From Eric Pullen (USTGNET).
ARJ240 Supposed "latest version" of the popular Archiver by Robert
Jung (ARJ). This is a dropper of the FISH virus, reportedly
with a "secure envelope." Latest official version of ARJ is
2.30, with an official wide beta release under filename
ARJ239A. Reported by Hazel Clarke (1:134/68) via Ken Miller
(1:134/111).
BACKFIND Activity unknown, but has many obscene text strings in the
executable that seem to indicate that it will trash your hard
drive. From Dan Stark (1:247/101).
BILLNTED No claim reported - begins its "bogus journey" with the message
"Decompressing database, please wait......", then prints more
messages and formats the first 50 tracks of your hard drive.
From David Elkins (2:254/78).
COMPILER Claimed freeware version of Stacker - phone numbers in the text
files are fake (one is a phone sex number). Erases your
COMMAND.COM file. From several reporters.
CSHOW900 Fake version of the CompuShow .GIF viewer - the .EXE file in
the archive tries to truncate your COMMAND.COM file. From Tim
Spofford (1:105/99).
CUBULOUS No claim reported for this file - apparently contains a dropper
of the REX virus (detected by SCAN v91 and higher). Reported
by Bill Arlofski in the CNET Spitfire Support Conference,
forward by several through Mark Wurlitzer (1:294/9).
CVIR Advertised as a virus scanner - executable has the strings,
"/Checking drive for VIRII/TROJANs. Please wait.EHAHA God
your a ****ing moron. YOU HAVE BEEN HIT BY A TROJAN! HAHA".
(String edited for family viewing.) From Dan Stark
(1:247/101).
EPW27 Purported new version of EPW, a file that protects executables
with an encrypted password. Instead, this Trojan contains
droppers of the ITTI-A, ITTI-B, and Rock Steady viruses.
Latest official version is v1.2. From Patrick Pfadenhauer
(via Mark Evans, formerly 1:382/87).
FONTS Advertised as additional fonts for TheDraw - the FONTS.COM
file in the archive is a compiled batch file that changes to
your C: drive root directory and deletes all files within the
root. A legitimate FONTS archive exists as well. From Glen
Appleton (1:260/371) via Arthur Shipkowski (1:260/213.2).
FREEHST ANSI bomb - remaps your keyboard, making some keys invoke the
FORMAT command. Described as how to get a free HST modem
(steal one, it advises). Avoid by using an ANSI driver that
disables keyboard remapping. From Tom Ward, SysOp of the BCS
TI99 BBS (617-331-4181), via Herb Oxley (1:101/435).
GREYSCAL Claims to be a monitor adjustment utility - actually a dropper
- infects files on your hard drive with the FISH virus through
the README.EXE file in the archive. Not detectable by any
scanner. From Bill Logan (1:300/22).
MOBYZ Does "a number on your hard drive" - no further details given,
but apparently confirmed by McAfee. From Michael Masters,
SysOp of the Conceptual CAD Design BBS (Tempe, AZ) via Mark
Evans (formerly 1:382/87).
MONOP3-0 Supposed to be Monopoly for Windows. Contains FORMAT.COM from
DOS 4.01 and STACKEY v2.1 (renamed as MONOP1.COM and
MONOPOLY.COM and invoked by a batch file called README!!.BAT).
Will try and format your hard drive - a volume label on your HD
will thwart this one. From Derek Vanmunster (1:229/418).
NPV2 The "Non-Programmer's Virus" - a claimed aid to testing
anti-viral programs. Contains an infected copy of Vern Buerg's
LIST.COM. From Michael Kerr (1:309/7).
Obnoxious "Tetris" clones for the Macintosh - actually droppers of the
Tetris MBDFA virus. Via Paul Ferguson (1:109/229) in the VIRUS_INFO
Tetris- echo.
cycle
Ten Tile
Puzzle
OCEAN From the BBS description: "Wonderful Game, Reward for the
PLANTS person who conquers it 1 time, Good luck, how does 30,000
RAINBOW bucks sound to you if you break the pattern, try this game, it
is wonderful, waht a challenge, bet you can't break the
pattern. $50, 000 if you do it twice." Actually a compiled
batch file that tries to erase all files on your C: drive.
From Richard Dale (1:280/333).
PSI3 Passing itself as the LHA Archiver, version 3.00. It destroys
your partition table, boot sector, and parts of FAT 1 and FAT
2. From Nemrod Kedem (2:403/138).
QUICKEYS Claims to increase keyboard speed - turns out to be the actual
executable file of the BURGER virus. The virus file is called
QUICKEYS.COM and is 542 bytes long. This is not to be confused
with the PC Magazine Utility of the same name. Reported by Jay
Siegel (1:153/151).
RAMBO Contains files with the names of DOS devices that are affected
when the archive is viewed or unpacked. Reported by Michael
Toth (1:115/439.7).
SCAN87 Suspected of Trojan activity, but not confirmed. The latest
SCAN88 official release is SCAN95B. Reported by several.
SCAN94
SCAN96
SHIELD20 Claims to protect you from Trojans, but are possible Trojans
SHIELD21 themselves. From Jim Lambert (CircuitNet) via HackWatcher Ken
Whiton and via Michael Toth (1:115/439.7).
TG27FAST Trojan "speed-up" for Telegard 2.7 - damages disks to the
extent that they require reformatting. From Eric Pullen
(USTGNET) via Robert Hinshaw (1:291/16) and Eric Kimminau
(1:120/335).
TGSEC16 Trojan version of Telegard Security Package - both executables
in the archive will infect your system with the Dark Avenger
virus, and the text files show you how to ease access to your
system by hackers instead of prevent access. By Scott Raymond,
author of the real package (latest official version is
TGSEC17.*).
TIME Several files reported under this name - one dropper, one
Trojan. Be wary of any file with this name.
TMFIX Claims to fix a problem with the dialing directory used by the
communication program Telemate. Formats your hard drive (or at
least part of it) instead. Reported by Brian Hess (WildNet),
via HackWatcher Ken Whiton.
VGA835 Claimed VGA game - wipes out your hard drive. From Gary Meade,
SysOp of the Tiger Run BBS in Sioux Falls, SD, via HackWatcher
Ken Whiton.
VIRTUAL Supposed to be a virtual reality game. One file in the archive
has the string, "This bombing was compliments of A.C.K. and
its affiliates." Trashes hard drives. Possible isolated
incident. From Dan Stark (1:247/101). See also ??Questionable
Files?? section.
VPIC47 One circulating version of this seems to contain the Dark
Avenger virus, "split" so that no scanner can pick it up.
Get the latest version of VPic, VPIC50, to avoid this. From
Tim Tim Sawchuck and Jeff Simmons in the WildNet VIRUSES_MN
conference.
WHALE Not a VGA graphic of a whale as described, but the actual WHALE
virus. From Dan Stark (1:247/101).
WLFCHEAT Claims to be a "cheat" file for the Apogee/Id game
Wolfenstein-3D. Actually wipes out your hard drive's boot
sector and trashes the File Allocation Tables. Not to be
confused with WLF1CHT, a legitimate "cheat" file written by
Michael P. Hoffman. Reported by R. Wallace Hale, SysOp of the
Driftnet BBS (PC Virus Research Foundation), via Clayton Manson
(1:3612/140).
ZAPPER15 PSI3, mentioned above, recommends an "antivirus" program
called ZAPPER15.* to remove a virus called "PSQR". ZAPPER15
is another Trojan which overwrites your hard disk's boot sector
with random garbage data from memory. It contains no viral
code. Also from Nemrod Kedem (2:403/138)
=========================================================================
Pirated Commercial Software
Program Archive Name(s) Reported By
------- --------------- -----------
4X4 off-road racing 4X4 Jon Jasiunas (WildNet, via
(Epyx) HackWatcher Ken Whiton)
| 4D Boxing (game) 4DBOX-1 Jason Sabshon (Internet,
4DBOX-2 emperor@delphi.com)
Above Disk v3.00A EXP-MEM Dale Woloshin (1:163/211.3)
and Wolfgang Fritz
Alf and the Alley Cats ALF Bill Dennison (1:273/216)
Amiga ARexx Manual AREXXMAN HTom Trites (1:282/62),
(Verified by William Hawes, author) via Derek Oldfather
| ASQ v2.0 (Qualitas) ASQ20 HackWatcher Nemrod Kedem
| (Note - unlike previous releases of ASQ,
| ASQ v2.0 is not shareware.)
Backgammon Royale BGROYALE Shakib Otaqui (2:440/74)
BGROYDOX
Bargames BARGAMES Scott Lewis (1:107/607)
(game from Accolade)
Battle Chess BCHESS Bill Roark (RIME, via
HackWatcher Richard Steiner)
Battle Chess for BCWIN1 Harold Stein
Windows BCWIN2 (CompuServe)
BeetleJuice (game) BJUICE Alan Hess (1:261/1000)
BJ Bill Blakely
(RIME Shareware echo)
BTLJWC the Hack Squad
(1:382/95)
| BitCom BITCOM Jason Sabshon (Internet,
| emperor@delphi.com)
| BitFax BITFAX Jason Sabshon (Internet,
| emperor@delphi.com)
BitFax 1.22B Unknown Antonio Rezende (RIME)
Blockout BLOCKOUT Bill Lambdin (1:343/45)
(California Dreams)
| Catacomb 3-D CAT3D Jason Culler (1:261/1000)
| Chessmaster 2000 CHSMSTR David Silver (2:2405/12)
Commander Keen #2KEEN Steve Hodsdon (1:132/199)
(parts 2 and 3) #3KEEN Harold Stein
(via Ken Whiton, 1:132/152)
(part 5) #5KEEN John Van Eekelen (2:500/228)
Crystal Caves pt. 2 CRYSTL-2 John Van Eekelen
(Apogee)
Desert Storm (Windows) DSTORM Bill Roark (RIME, via
HackWatcher Richard Steiner)
DiskDupe Professional DDPRO339 John Van Eekelen
Disk Manager 5.0 DM50 Philip Perlman (1:278/709)
Double Disk DDISK214 Ronald McGill (1:167/149)
DoubleDos v5.5 DDOS55 Ove Lorentzon (2:203/403.6)
| DSZ (registered) DSZ0503R HackWatcher Nemrod Kedem
Duke Nukem parts 2 & 3 DUKEZIP2.EXE Steve Hodsdon (1:132/199),
#2DUKE Craig Demarsh (1:260/213),
DUKEZIP3.EXE and Hal Thompson (1:353/220)
DUKETRIL Harold Stein (WildNet)
(also under various other names - only the first game in the trilogy
is shareware: #2 & #3 are for registered users only and are pirated.)
| Duke Nukem (registered) DNUKEM Jason Sabshon (Internet,
emperor@delphi.com)
Dune (game) DUNEFLT1 Michael Toth (1:115/439.7)
DUNEFLT2
DUNEFLT3
Eagle's Nest (game) EAGLE Mike Headley (1:362/112)
Frank R Pizer (5:71/0)
EMM386 EMM386 Jeff Hancock (1:3600/7)
George Staikos
via Mark Evans (1:382/87)
EMM441 John Van Eekelen
| Fatal Challenge FATAL Mark Visser (1:221/76)
Fastback Plus v2.0 FBPL200 Bogie Bugsalewicz (1:115/738)
Flashlink MNP Emulator FLASHLNK Several
| FLINK Jason Sabshon (Internet,
| emperor@delphi.com)
Gauntlet (game) GAUNTLET Cimarron Mittlesteadt
(via Ken Whiton, WildNet)
GIFLite v1.40 GIFLT14R Stephen Kawamoto
(Registered Version) (1:153/7004)
GSZ GSZ0410 Arthur Taber (1:125/28)
(via Stuart Kremsky)
GSZ1214R Harold Stein,
NOTE: GSZ is a shareware program, via Ken Whiton (1:132/152)
but these particular archives were
the registered versions.
Harmony (game) EMOTION John Van Eekelen
HIMEM.SYS (from HIMEM307 John Van Eekelen
Microsoft)
IronMan off-road racing IRONMAN Jon Jasiunas (WildNet, via
HackWatcher Ken Whiton)
Jill of the Jungle JILL2 Harold Stein (CompuServe)
(non-shareware files) $JILL2 HackWatcher Bert Bredewoud
$JILL3
LotusWorks v1.0 LWORKS Brian Luker (1:167/149)
Mac-in-Dos CLINK Arthur Taber (1:125/28)
(not the SEALink protocol)
MAC-DOS Ron Bass (1:128/13.3)
Leslie Meehan, original
reporter (unknown)
MACON-5 Kimberly Avery (1:324/278)
Microsoft Mouse Driver MOUSE810 Bat Lang (1:382/91)
Monopoly MONINC Chris Nelson
| MONOPOLY Jason Sabshon (Internet,
| emperor@delphi.com)
MS-DOS 6.0 Beta DOS6BETA Chris Astorquiza (1:250/316)
| DOS60B-1 Michael Toth (1:115/439.7)
| DOS60B-2
| DOS60B-3
| DOS60B-4
MTE MNP Emulator 4800BAUD George Staikos,Trenton,ON,
via Mark Evans (1:382/87)
MNPEMUL Larry Dinkoff (1:115/622)
MTE215 Bat Lang (1:382/91)
MTE210E
MTE210F
MTE210G
MX5 Wolfgang Fritz
Verified by Steve Lieberman
of MagicSoft, Inc.
MX6
MTEZ (MagicSoft) MTZ115B1 Kim Miller (1:103/700)
Nederlandse Spoorwegen NS9293 John Van Eekelen
(Dutch Railroad NS_92_93
System Info Book)
Nightmare on Elm FREDDY Chris Nelson (1:238/500)
Street (game)
Optune OPTUNE Bat Lang (1:382/91)
OPTUNE11
OPTUNE12 Jeff Dunlop (1:203/16)
OPTUNE13 Michael Toth (1:115/439.7)
Paganitzu part 2 #2PAGA Harold Stein
(via Ken Whiton, 1:132/152)
| PC-Hooker PCHOOKER Larry Dinkoff (1:115/869)
| (Brown Bag Software)
Physician's Desk PDR-1 Bret Dunning (1:123/85)
Reference PDR-2
PDR-3
PDR-4
PKLite Professional PKLT_PRO Eric Vaneberck (2:291/712)
Version 1.13
| Version 1.20 PKLT120R Jason Sabshon (Internet,
| emperor@delphi.com)
| QEdit 2.15 (registered) QED215R Jason Sabshon (Internet,
| emperor@delphi.com)
QModem 5.0 QM50 Daniel Hagerty (1:208/216)
QMODEM50 Larry Owens (1:280/87)
QMODEM1 Jon Jasiunas (WildNet, via
QMODEM2 HackWatcher Ken Whiton)
QMODEM3
QMODEM4
Rambo (game) RAMBO Cimarron Mittlesteadt
(via Ken Whiton, WildNet)
Rampage (game) RAMPAGE HackWatcher Bill Dennison
Red Baron game unknown Nolan Taylor (1:157/537)
(by Dynamix)
Robin Hood (game) ROBNHOOD HackWatcher Bill Dennison
SimCGA SIMCGA40 Joe Morlan (1:125/28)
SIMCGA41
NOTE: SimCGA went commercial with release 4.0, according to the
publisher (via Joe Morlan). Versions prior to this were copyrighted
free programs.
SimCity (by Maxis) SIMCITY Mark Visser
SHRCTY-1 Richard Steiner,
SHRCTY-2 HackWatcher
Smartdrive Disk Cache SMTDRV40 Michael Toth (1:115/439.7)
Solitare Royale SOLITRYL Dan Brady (1:282/108)
SOLIT Bud Webster (1:264/165.7)
Sourcer disassembler SOURCER Bill Lambdin (1:343/45)
Space Quest (game by SQUEST1 Chris Nelson
Sierra On-Line)
Spidey (game) SPIDEY Brian Henry (ILink,
via Richard Steiner,
HackWatcher
Spot (7-Up game) SPOT Steve Hodsdon (1:132/199)
COOLSPOT Jason Arthurs (WildNet,
via HackWatcher Ken Whiton)
Squish 2.1 SQUISH21 Several
(verified by Joe Morlan)
Squish Plus 2.01 SQUISH21 Stephen Kawamoto
(Sundog Software) (1:153/7004)
| StormLord STRMLORD Mark Visser (1:221/76)
(game)
Supaplex Unknown Kevin Donald (1:123/54)
Rick Rosinski (1:239/1004)
Dennis Matney (1:230/12)
SuperStor SSTOR204 John Van Eekelen (2:500/228)
System Control PCSSCC Ken Whiton, HackWatcher
Commander (from
PC Sources Mag)
Tetris (the original) #1TETRIS Harold Stein (WildNet)
The Bard's Tale pt. 3 BARDS-1 Chris Nelson (1:238/500)
(game) BARDS-2
Tidbits TIDBITS Art Taber
(game? from Softdisk) via Stuart Kremsky
(1:125/28)
Times of Lore (game) LORE Chris Nelson
Toobin' (game) TOOBIN Joseph Lowe (1:387/1201)
Top Gun TOPGUN Cimarron Mittelsteadt
(WildNet, via Ken Whiton)
Tunnels of Armageddon TUNNELS1 Wolfgang Fritz (1:249/140)
TUNNELS2
UTscan UTSCAN Bill Lambdin (1:343/45)
(part of the Untouchable package by Fifth Generation Systems)
VGA-Copy v4.6 VGACPY46 Bert Bredewoud (2:281/703)
(Registered Copy)
| Virex-PC VIREX1 Glenn Jordan (1:3641/1.201)
| VIREX2
| Virhunt 2.0 VIRHUNT2 Bill Lambdin (1:343/45)
| VRHUNT20
Wolfenstein-3D WOLFSINC Jeff Kaplow (1:120/364)
(Non-Shareware modules)
=========================================================================
?????Questionable Programs?????
| Michael Toth (1:115/439.7) reports that he has a copy of the VIRTUAL file
| listed in The Trojan Wars section of this report. His copy is a Virtual
| Reality demo, and is not infected or dangerous. He was unable to find
| the text strings (mentioned above) in his copy. Sounds like the Trojan
| version might be an isolated incident.
Cory Daehn (1:395/12) reports in the FidoNet PDREVIEW echo that there are
three versions of our old friend XTRATANK. A recent message circulating
in FidoNet about XTRATANK placing a two-part virus (half when installed,
half when uninstalled) on your HD is true for the third version of
XTRATANK, according to Cory. I have not seen this version, nor have I
received any file sizes to compare to the version I sent to Bill Logan.
However, I will report these when received.
HackWatcher Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
echo about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu
also says that there is a warning about these in circulation. If you
have a copy of this warning, please send a copy to Hack Central Station
(1:382/95).
On the game front, some official information about which Apogee releases
are shareware. According to Jay Wilbur (1:124/6300) of Id Software,
episodes 1 and 4 of Commander Keen, along with the demo version of
episode 6 are distributable, as is episode 1 of Wolfenstein 3-D. Other
versions of these games are not supposed to be posted for download.
Jan Welch (1:382/87) has reported in the FidoNet VIRUS echo a file called
W3DEDIT.ZIP, which she claims is a Trojan that will attack your hard
drive's boot sector. At first glance, this looks like a renamed
WLFCHEAT, but I can't be sure. I've sent NetMail for more information,
so be on the lookout and report anything you know about it, if you would.
Steve Klemetti (1:228/19) has found an archive of the Apogee game
Paganitzu (#1PAGA.ZIP) that may either be a hack or a corrupted archive.
The file size is 281K, and the .EXE file within is 8K (vs 11K for the
official archive. Steve says the opening screens go by "too fast," then
the program puts your hard drive in "a constant seek mode." The file
passed viral scanning. Like I said, this could just be a corrupt
archive, but you never know. Just be on the lookout for an archive that
meets these specs, and avoid it. The real thing is a pretty decent game,
though, according to my 5-year old son, so don't avoid _all_ #1PAGA.*
files just because of a bad version.
BiModem is the subject this time, but the situation doesn't quite fit
into any of the other categories of this report. A few users have seen a
version called BIMOD125.* floating around, and wondered if it was a hack.
Steve Baker (1:114/116.0) called the support BBS and verified your Hack
Squad's information: v1.25 is a closed beta. Version 1.24 is the latest
public release. This information was also verified by the Hack Squad (in
lurk mode over in the BIMODEM echo) through a message posted by Michael
Ingram (1:114/151). In short, if you see BIMOD125, delete it - it's a
beta that shouldn't be out yet.
Yet another one that doesn't seem to fit anywhere is a Windows program
called WinSpeed. Bill Eastman (1:382/35) relayed a message from Alan
Zisman (1:153/9) in the WINDOWS echo about this file, and Piyadaroon
Kalayanamit (1:382/87) quickly cleared the confusion. Apparently, there
are _two_ different programs called WinSpeed: one is a commercial package
of Windows video drivers, which should not be posted for download on any
BBS. The other is a small utility that will report your system speed
from within Windows, and is a legitimate shareware file.
James Brown (1:266/22.0) has reported in the WINDOWS echo that the
shareware WinSpeed has been renamed to WINDSOCK. According to James, the
author(s) took the original off of CompuServe, renamed it, and
resubmitted it. Hopefully, this will ease the confusion, but there
_will_ be copies floating around under the old name. So, be careful with
this one. If you get a copy of the video driver file from someone,
delete it: it is not shareware.
Finally, several people have been wondering whether a shareware version
of XTreeGold has been released. According to XTree Support (in the XTREE
forum on CompuServe), the last shareware release of XTree was version
2.00E (XTREE20E). This is _not_ XTreeGold: in fact, no shareware release
of XTreeGold has ever been made. It is unclear as to whether a copy of
XTreeGold has spread beyond the "pirate boards," but this much is clear:
if you receive a version later than 2.00E that is described as shareware,
delete it. It's pirated.
=========================================================================
Information, Please
This the section of The Hack Report, where your Hack Squad asks for
_your_ help. Several reports come in every week, and there aren't enough
hours in the day (or fingers for the keyboards) to verify them all. Only
with help from all of you can The Hack Report stay on top of all of the
weirdness going on out there in BBSLand. So, if you have any leads on
any of the files shown below, please send it in: operators are standing
by.
| Stephen Furness (1:163/273) left a short message in the FidoNet VIRUS
| echo about a file called RUNME. He says it claims to be a VGA ad for a
| BBS, but actually trashes your hard drive's boot sector. Now, a file
| with a name like RUNME makes me raise an eyebrow immediately, but this is
| still a single sighting. Please forward details if you see this file.
| Yet another short warning comes from David Bell (1:280/315), posted in
| the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is
| that it is a Trojan, and that he got his information from another
| "billboard" and is merely passing it on. Again, please help if you know
| what is going on here.
| Steve Baker (1:114/116) reports the existence of a copy of the
| Thunderbyte virus scanner, version 4.3 (filename TBSCAN43), that may not
| be legitimate. Your Hack Squad is only aware of versions up to 4.2, and
| has not heard of a later release. If you can verify the latest official
| release, please contact either me or one of The HackWatchers.
James Collins (1:102/1013) has found a program called Virus Simulator 2.0
(archive name unknown) that is supposed to be used to test virus
scanners. He says the documentation looks authentic, but the program
"looks like someone has hacked it so that it crashes purposefully." The
file performs a self-check at startup, then crashes. I'm not sure if
this is merely a corrupted copy of the program or one that has been
tampered with. Also, I have no information on what the latest (if any)
official version is. Please lend a hand here, folks - your Hack Squad
could use it.
Kim Miller (1:103/700) found a file called HOMELAWY.*, which is titled
"Home Legal Form Helper." The program is copyrighted by OverDrive
Systems, Inc. in 1989, and is shown as Licensed to MECA Ventures, Inc.
Several people in the FidoNet SHAREWRE echo have reported this as a
possible pirated file. I am not familiar with either company mentioned
above, but Kyle Pinkley (1:3803/3.2) reports that they are the producers
of the commercial package Managing Your Money. I haven't been able to
completely verify any of this, so please forward any info you may have.
Bud Webster (1:264/165.7) reports an Apogee game being distributed under
the filename BLOCK5.ZIP. He says that the game displayed a message that
said, "This game is not in the public domain or shareware." There was
only an .EXE file in the archive, and no documentation. I need to know
what the real name of this game is so that I can include it in the
pirated files section (if necessary).
Now, a sensitive subject. Arthur Shipkowski (1:260/213.2) forwarded a
message from Kenny Root (GT-Net Shareware Forum), about a file called
SHAMpage (SHMPG310.*). Kenny claims he downloaded this from a Door
Distribution Network board, unzipped and ran it, and wound up with
thousands of directories and the 1260 virus. This is the only report I
have of this, and it is unconfirmed.
I posted a question about this in a local echo in Austin, and found no
one who had experienced the same symptoms. I also consulted George
Vandervort (1:382/8), a beta tester for SHAMpage, and learned that the
file that went out over the Door Distribution Network was perfectly
legitimate and not harmful in any way.
| Rich Waugh, the author of SHAMpage, posted a message in the SHAREWRE echo
| about this: according to him, he hatches the latest releases from his
| system into the DDSDOORS file distribution net. All copies of SHAMpage
| hatched from his system contain a "DrawBridge" ZIP comment. For
| reference, the latest version (as of September 8, 1992) is v3.24.
| Mr. Waugh further states (and I agree) that he has "a lot of faith in the
| various file distribution networks," and he finds it hard to believe that
| the file picked up any sort of infection in the net itself.
| In summary, SHAMpage 3.10 is a legitimate file, but a tampered archive of
| it may be floating around. How it was tampered with is anyone's guess.
| If anyone sees an altered archive of this file, please forward the
| information so that I can post specifics on it.
A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
grabbed my attention the moment I saw it: in capital letters, it said,
"DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He
goes on to say that two BBSs have been destroyed by the file. However,
that's about all that was reported. I really need more to go on before I
can classify this as a Trojan and not just a false alarm (i.e., archive
name, what it does, etc.). Please advise.
Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
Echo (FidoNet) about a version of ARJ called 2.33. It was unclear as to
whether or not Mr. Mills had seen the file. Mr. Jung has repeated that
the latest version of ARJ is v2.30 (however, there is a legitimate public
beta version numbered 2.39b). It is possible that the references Greg
saw about 2.33 were typos, but you never know. Please help your Hack
Squad out on this one - if you see it, report it.
I still have no further confirmation of MTG2400, reported by Zach Adam of
1:2200/103. The description says this program will run a 2400bps modem
like a 4800bps modem, which sounds a bit like the MTE program listed in
the Pirated Commercial Software section. Any information would be
appreciated.
As the last item in this report, your Hack Squad could use some info on
the TUNNEL screen saver. Ove Lorentzon (2:203/403.6) reports that this
is an internal IBM test program for VGA monitors. HackWatcher Richard
Steiner forwarded a message from Bill Roark (RIME address BOREALIS,
Shareware Conference) that had some quoted text strings from the
executable. One says, "IBM INTERNAL USE ONLY."
This file is extremely widespread, however, so I need to hear from
someone who knows what IBM's position on this is. Has IBM changed its
mind and made it legal to distribute this via BBS? If you know for
certain, please advise.
=========================================================================
Clarifications
| Malte Eppert (2:240/500.6) wishes it to be known that the report he
| forwarded from Dick Hazeleger about EARLYWA was just that, a forwarding,
| and not an agreement with or confirmation of the forwarded report. The
| report he forwarded does not express or include his opinions. I
| apologize to Malte for misinterpreting his message, and I regret any
| confusion this may have caused.
| Once again, I had hoped to be able to post some information sent to me by
| Joe Morlan (1:125/28) from a list compiled by Wes Meier, SysOp of the
| WCBBS (1-510-937-0156) and author of the AUNTIE BBS program. However,
| your intrepid Hack Squad once again had some well-publicized difficulties
| last month, so there just wasn't enough time to validate everything in
| the huge list he sent. This will not be a "vaporware" situation, however
| - look in the next issue of The Hack Report for the proof of the pudding.
I apologize for the delay.
=========================================================================
Notes
FidoNet Node 1:382/87, The ECS BBS, referenced several times in this
report, is no longer an active node. Reports from that node and its
SysOp, Mark Evans, will not be removed from this report.
*************************************************************************
Conclusion
If you see one of these on a board near you, it would be a very friendly
gesture to let the SysOp know. Remember, they can get in just as much
trouble as the fiend who uploads pirated files, so help them out if you
can.
***HACK SQUAD POLICY***
The intent of this report is to help SysOps and Users to identify
fraudulent files. To this extent, I give credit to the reporter of a
confirmed hack. On this same note, I do _not_ intend to "go after" any
BBS SysOps who have these programs posted for d/l. The Shareware World
operates best when everyone works together, so it would be
counter-productive to "rat" on anyone who has such a file on their board.
Like I said, my intent is to help, not harm. SysOps are strongly
encouraged to read this report and remove all files listed within from
their boards. I can not and will not take any "enforcement action" on
this, but you never know who else may be calling your board. Pirated
commercial software posted for d/l can get you into _deeply_ serious
trouble with certain authorities.
Updates of programs listed in this report need verification. It is
unfortunate that anyone who downloads a file must be paranoid about its
legitimacy. Call me a crusader, but I'd really like to see the day that
this is no longer true. Until then, if you _know_ of a new official
version of a program listed here, please help me verify it.
On the same token, hacks need to be verified, too. I won't be held
responsible for falsely accusing the real thing of being a fraud. So,
innocent until proven guilty, but unofficial until verified.
Upcoming official releases will not be included or announced in this
report. It is this Co-Moderator's personal opinion that the hype
surrounding a pending release leads to hacks and Trojans, which is
exactly the opposite of what I'm trying to accomplish here.
If you know of any other programs that are hacks, bogus, jokes, hoaxes,
etc., please let me know. Thanks for helping to keep shareware clean!
Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)
