Beijing Paradise BBS Backup

home *** CD-ROM | disk | FTP | other *** search

/ Beijing Paradise BBS Backup / PARADISE.ISO / software / BBSDOORW / HACK1292.ZIP / HACK92FA.RPT < prev next >

Wrap

Text File | 1992-12-05 | 102.7 KB | 2,132 lines

========================================================================= || From the files of The Hack Squad: || by Lee Jackson, Co-Moderator, || FidoNet International Echo SHAREWRE The Hack Report || Volume 1, Number 24 for December 1992 || Report Date: December 5, 1992 || ========================================================================= Welcome to the twenty-fourth issue of The Hack Report. This is a series of reports that aim to help all users of files found on BBSs avoid fraudulent programs, and is presented as a free public service by the FidoNet International Shareware Echo and the author of the report, Lee Jackson (FidoNet 1:382/95). It is hard to believe, but this issue marks the end of a full year of The Hack Report. Over this time, many extremely nasty Trojans and ingenious hoaxes have been seen, as well an large allotment of hacks and pirated files. It seems that no file is immune - even The Hack Report has been the victim of a hack. So, here are the final 1992 entries to the hall of shame (with apologies to Fred Roggin), including a Trojan that attacks .GIF files, yet another hack of TheDraw, and updates to the Meier/Morlan list. Thanks to everyone who has helped put this report together, and to those that have sent in comments and suggestions. NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on your BBS, subject to these conditions: 1) the latest version is used, 2) it is posted in its entirety, and 3) it is not altered in any way. NOTE TO OTHER READERS: The Hack Report (file version) may be freely uploaded to any BBS, subject to the above conditions, and only if you do not change the filename. You may convert the archive type as you wish, but please leave the filename in its original HACK????.* format. The Hack Report may also be cross-posted in other networks (with the permission of the other network) as long as it meets the above conditions and you give appropriate credit to the FidoNet International Shareware Echo (and the author <g>). The idea is to make this information available freely. However, please don't cut out the disclaimers and other information if you use it, or confuse the issue by spreading the file under different names. Thanks! DISCLAIMER: The listings of Official Versions are not a guarantee of the files' safety or fitness for use. Someone out there might just be sick-minded enough to upload a Trojan with an "official" file name, so >scan everything you download<!!! The author of this report will not be responsible for any damage to any system caused by the programs listed as Official Versions, or by anything using the name of an Official Version. ************************************************************************* Hacked Programs Here are the latest versions of some programs known to have hacked copies floating around. Archive names are listed when known, along with the person who reported the fraud (thanks from us all!). Program Hack(s) Latest Official Version ------- ------- ----------------------- Aliens Ate !ALIENS K6DEMO My Babysitter Reported by: Christopher Baker (1:374/14) ARJ Archiver ARJ250 ARJ230 | Reported by: Tommy Vielkanowitz (also ARJ239B, a beta test) (1:151/2305) AutoMenu AUTO48 AUTO47 Reported by: Tony Blair (WildNet) via Ken Whiton (1:132/152) Verified by Marshall Magee, Magee Enterprises, Inc. | BNU FOSSIL Driver BNU202 BNU170 | Reported By: Amauty Lambrecht (2:291/712) (not counting betas) CatDisk CDISK510 CDISK632 CDISK530 CDISK661 Reported by: Jeff Kaplow (1:120/234) CompuShow CSHOW801 CSHW850A CSHOW831 CSHOW851 Reported by: Paul Brazil CSHOW91 Reported by: Harold Stein (Wildnet) (Note: Any version ending with a B, such as CSHW841B, is _not_ a shareware version. This is the enhanced version received with the user's registration and is not to be distributed. Consider all B archives to be pirated copies.) | Disk OrGanizer DOG320 DOG317 | Verified by G. Allen Morris, author of DOG GoldED SysOp GED241B6 GED0240 Message Reader GED0241B (patch 0720) Reported By: Andrew Owens (3:690/333.11) verified by Odinn Sorensen, Author HS/Link HSLK113 HSLK112 Reported by: Samuel H. Smith, Author (Note - beta copies of HS/Link v1.13 are currently in distribution, and are legitimate. The filenames tend change daily. As of December 3rd, 1992, the latest beta was HSL113D0.) Las Vegas EGA Casino (unknown) Reported by the author, Diana Gruber, in the ILink net, relayed by Richard Steiner (1:282/85) (Note: a version of this program sold through Gemini shareware outlets with the title screen "Special GEMINI game disk" and a version calling itself the "Ledyard$ EGA Casino" have been distributed. No archive names have been supplied yet.) LHA Archiver LHA214 LHA213 Reported by: Patrick Lee (RIME address RUNNINGB) LHA300 Reported by: Mark Church (1:260/284) | List LIST8 LIST77A | LIST18 (Also LIST77A2) Reported by: The Hack Squad (from the Buerg BBS) LIST80 | Reported by: Brad Crochet, FidoNet 4DOS Support Echo Math Master MATHMSTR M-MST301 Reported by: James Frazee (1:343/158) PKLite PKLTE120 PKL115 Reported By: HW Nemrod Kedem PKZip PKZIP120 PKZIP110 PKZ199B Verified by Mark Gresbach, PKWare PKZIP20B PKZIP_V2.EXE Reported by: Mike Burger (WildNet) via Ken Whiton (1:132/152) Reported by: Fred Towner (1:134/73) PKZ201.ARJ Reported by: HW Frank Pizer PKZ201.ZIP PKZ201.EXE Reported by: Jim Westbrook (1:382/29) PKZ202 Reported by: Scott Drake (1:107/900) PKZ2010 Reported By: Stephen Walker (Internet, stephen.walker@nitelog.com) PKZ305 Reported by: Scott Raymond (1:278/624) PKX201.EXE Reported by: Bill Logan (1:300/22) PKZ210F.EXE Reported by: Bert Bredewoud (2:281/703) PKZIPV2 (Claims to be v2.2 of PKZip - reported via PKWare Tech Support) PKUNZIP.COM Reported by: Harold Stein, via Ken Whiton PKZIP203.EXE Reported by: Mark Clark (2:440/107) VER201 Reported by: Harold Stein (CIS 72377,3075) QEdit Advanced XEDIT QEDIT215 Reported by: Sammy Mitchell, Author (thanks to Rand Nowell and Joe Morlan for relaying the report) QEDIT500 Reported by: Onno Tesink (ILink, via Richard Steiner, 1:282/85) Qmodem QM451 QM452TD Reported by: Bill Lambdin, via Arthur Shipkowski (1:260/213.2) Shez SHEZ72A SHEZ82 SHEZ73 Reported By: Bill Lambdin (1:343/45) Telegard TG29EALP Telegard 2.7 Reported by: Karen Maynor (1:3640/5) (Found on the NightOwl CD-ROM disc version 5.0) TG30 Reported by: Doug Sorber, via Martin Pollard (1:120/187) JIGSAWV2 Reported by: Tommy Smith, via Mark Evans (formerly 1:382/87) Telix Telix v3.20 Telix v3.15 Telix v3.25 Reported by: Brian C. Blad (1:114/107) Peter Kirn (WildNet, via Ken Whiton) Telix v4.00 Telix v4.15 Reported by: Barry Bryan (1:370/70) Telix v4.25 Reported by: Daniel Zuck (2:247/30, via Chris Lueders (2:241/5306.1) MegaTelix Verified by Jeff Woods, Exis, Inc. (now deltaComm), in the TELIX echo, who also states that there will be _no_ commercial release titled Telix 4.0. He states the next release of Telix will be under a "modified" form of the name Telix, which has not been decided upon yet. Any version with a number higher than 3.15 and claiming to be shareware can be considered a confirmed hack, unless reported here otherwise. Telix Pro Reported by: Jason Engebretson (1:114/36), in the FidoNet TELIX echo TheDraw TDRAW430 TDRAW451 TDRAW500 Reported by: Ian Davis, Author TDRAW550 Reported by: Steve Klemetti (1:228/19) TDRAW600 Reported by: Hawley Warren (1:120/297) THEDR60 Reported by: Larry Owens (PDREVIEW echo, 1:280/17) TDRAW601 Reported by: Jesper Tragardh (2:200/109) TDRAW800 Reported by: James Carswell (1:153/775) Turbo Antivirus Version 9.00b Version 8.10 Version 9.01a (Archive names unknown) Reported by: Thomas Ruess (2:246/24) | ViruScan SCAN92 SCAN99 Reported by: Don Dunlop (1:153/715) X00 Fossil X00V130 X00V124 X00V130J (also official is X00V149A, a beta test of an OS/2 ver.) *** More Hacks Bill Lambdin (1:343/45), host of the Intelec Virus Info conference, sent a list of versions of McAfee's ViruScan (better known as just SCAN) that have been hacked. Here are the version numbers he sent: SCAN74 SCAN81 SCAN88 SCAN78 SCAN83 SCAN92 SCAN79 SCAN87 SCAN96 More information on ViruScan can be found in The Trojan Wars section. HW Bill Dennison saw a copy of the PKZ201.EXE file mentioned above, but with a twist: when he used the file view feature of the BBS he saw it on, he saw that the file was not a PKZip SFX (self-extracting) file, but was an LHA SFX (using -lh5- compression). This, folks, is a bit of a giveaway. PKWare isn't likely to use any archiver other than ZIP to distribute their next release. Chris Lueders (2:241/5306.1) reports that a file calling itself VPIC50DT is a hack of version 4.5 of the VPic graphics file viewer. Specifically, the 5.0dt file ("dt" indicates a German language edition, per Chris) is a hack of the English version 4.5. At the time of the report, version 5.1 was the latest official release, but a legitimate version 5.0 was released. Just be careful: if your copy of VPic starts up in German, delete it. Zone 2 (especially UK) users might want to watch out for a disk being distributed by Personal Computer World magazine. Shakib Otaqui (2: 440/74) reports that all of the files on the August issue's "free" cover disk are zipped using the PKZip 1.93 alpha test release, and that the version of PKZip distributed with the disk is the hacked version 2.01. The PKZip 2.01 file is 19793 bytes, dated March 15, 1992, and is PKLited with the extra compression (non-expandable) option. Shakib tested the file and confirmed that it is a simple hack with no viral or Trojan code. Finally, here's one I'm not sure how to handle: It's a hack, but it appears to be a hack of a commercial program. HW Frank Pizer has found a hack of a program called BitFax. The hack, calling itself ZIPFAX.ZIP (at 146320 bytes), has been altered so that all occurrences of the word Bit with the word Zip. The archive contains configuration files with the words "Technopoint - Avi Miller" in them. Thanks to Frank for the report from Zone 5: let's hope the rest of us can keep it from spreading beyond there. ========================================================================= Hoax Alert: | Yet another hoax of Microsoft's HIMEM.SYS has turned up, this time under | the name HIMEM600. Shakib Otaqui (2:440/74) says a binary comparison | with the latest official version, v3.07, shows that the only difference | is the date and version number. Not only is this pirated, it is a hoax. | A similar file is being passed around under the filename HIMEM500. Your Hack Squad has seen many posts of a warning about a virus called PROTO-T. The message warns that the virus has the ability to hide in the RAM of VGA cards, hard disks, and "possibly, in modem buffers." It goes on to warn that the virus was placed in two files: one called "TEMPLE," and in a hack of PKZip, version "3.x". Joe Morlan (1:125/28) has stated that this message is a hoax. I have seen other information that leads me to agree with Joe's statement. In the meantime, I have sent a copy of PKZ305 (from your Hack Squad's | "TOXIC" diskette) to Bill Logan for testing. In the meantime, Bill | Lambdin (1:343/45) has disassembled the file and stepped through it with | a debugger Here are his results: | | "I received PKzip 305 supposedly infected with the Proto-T virus. | | "I disassembled the file, and stepped through the code with a debugger. | | "i found suspicious code, and lots of interrupt 3s (debug break points), | but there was no replication routine in it whatsoever." | | He concludes... | | "Let me say it this way. If there is a Proto-T Virus, it deffinately | wasn't in PKzip3.05 that I received." | | Sounds good to me. I am under the impression that Mr. Logan's results | will confirm Bill Lambdin's findings. Here are Bill Logan's test results on Xtratank. If you recall, Mr. Logan, an agent of McAfee Associates, agreed to test out this file to see once and for all if it really works, or if it is a hoax. Bill tested the program on two IBM compatible computers and one AT&T XT clone. The PC Clones were 286s, one with a 40meg IDE hard drive, the other with a 40meg MFM hard drive. The AT&T had a 10meg hard drive. To weed out possible clashes with DOS versions, the test was repeated on each computer using 4 different DOS flavors: MS-DOS 3.30, IBM DOS 3.30, MS-DOS 4.01, and MS-DOS 5.0. The hard drives were formatted and Xtratank was installed on each. The PC Clones now reported that their drive capacity was now doubled. The AT&T XT did not, since it was not a true IBM compatible. Bill then attempted to copy 80 megabytes of raw, non-compressed files from floppy disks onto the hard drives. All of the hard drives ran out of disk space after only 40 megs of files had been copied. The testing did not reveal any viral or Trojan code. To quote Bill, "It is our opinion that this program is simply nothing but a hoax." (However, see the ???Questionable Files??? section for more on this.) In addition to Bill's testing, Gary Weinfurther (1:120/301) sent a summary of his disassembly of the programs in the archive. He found that the XTRATANK.EXE and the XTRATANK.COM files contained the exact same code, with one padded with "garbage" that made it look larger. The code is designed to intercept the DOS 21h interrupt, function 36h, which is for determining free space on a drive. Xtratank then doubles the result. None of the warning messages in the docs are present in the files, and no check is performed to see if it could be correctly installed. Gary says that since it is a simple interrupt-intercept TSR, "it can be successfully installed every time." He suggests (humorously) that installing it twice would theoretically result in a report that your hard drive space had quadrupled. This should settle the debate once and for all - XTRATANK IS A HOAX AND DOES NOT ACTUALLY WORK. All of Bill's and Gary's results completely verify the Fitzgerald Test results, so if you _still_ don't believe it, run the test for yourself. *** The Fitzgerald Test Here is the now-famous Fitzgerald Test, devised by Tim Fitzgerald of 1:3800/18.0 and validated by Bill Logan's test results. Try this if you think you have managed to get XTRATANK to work on your system. Follow these simple steps: 1. Run CHKDSK and write down the free space it reports as free. 2. Do a DIR command and write down what XTRATANK reports. 3. Copy any text file to a new text file. 4. Repeat steps 1 and 2, and compare. You will see that XTRATANK reports that twice as much disk space is taken up by the new text file. Other previously reported hoaxes: Filename Claimed use/Actual activity/Reporter(s) ------------ --------------------------------------------------------- 2496 This, and all files that claim to run a 2400 bps modem at 9600 or 14400 bps, are hoaxes. If you follow their instructions, you will have a 0 bps modem. Reported by several people. AMIGA Claims to allow IBM/Clones to read Amiga Workbench Disks: displays a picture of an Amiga Workbench disk on your screen, then spins your A: drive and locks your system. From Suriya Matsuda, Jacob Kanafoski (1:3613/4), Derek Vanmunster (1:229/418), and Jeff Hancock (1:3600/7). BIMOD126 Claims to be version 1.26 of BiModem - actually v1.24 renamed and re-archived. HIMEM500 Looks like v5.00 of the HIMEM.SYS driver from MS-DOS and Windows, but is actually v3.07 with the numbers changed. Pirated as well (HIMEM.SYS is not shareware). From Joe Morlan (1:125/28) and Mike Bray (RIME address COFFEE). MAXRES Claims to "check your graphics interface and show you resolutions of your interface card." Elaborate hoax that lists the author as Samuel H. Smith (of HS/Link fame). Mr. Smith has confirmed that he did not write this program. Possible Trojan, but no Trojan activity has been reported. SPEEDUP Claims to increase system clock speed - instead doubles the length of each second and resets the system clock to use 30 of the new seconds each minute. From Kim Miller (1:103/700). TG27E Hoax "upgrade" of the Telegard BBS package. Completely overwrites an existing configuration, but does no real damage, with the exception of creating a "horrendous color combination that looks like a bad acid trip." From Scott Raymond (1:278/624), Telegard Alpha Tester. WOLFXXX Claims to patch your copy of Wolfenstein-3D to version 1.3. No such version exists. Also has a fake address that you are asked to send money to. From Jay Wilbur of Id Software (1:124/6300). ========================================================================= The Trojan Wars There are quite a few new Trojans that popped up last month, some of them quite nasty. Read on for the gruesome details. | Michael Toth (1:115/220) forwards a report from John Kristoff, a member | of FidoNet Net115, about a Trojan called BATMAN. The file contains a | single executable, called BATMAN.EXE, and the archive is only 7k in size. | The description left by the user said, "Don't be fooled by it's (sic) | size, after the pretty long installation it will be like 10 times | bigger." It is described as a "Very Nice Ega Batman Card Game." | | John looked inside the .exe for text strings, and here is what he found, | edited for television: | | SPIDER-OPT Version | Hard Disk Optimizer | System/Disk Information: | Instaling | : will take approximately | minutes. | Instaling Game | -3YOU STUPID #$% #$%^$# #$%#$%! HOW STUPID CAN YOU BE | SPIDER.HAH2<<< YOU HAVE BEEN HIT BY | S.W.A.T. | YOU LOSER! >>> | Done INSTALING! U | | From the looks of this, it isn't such a nice game after all. | Lincoln Decoursey (1:260/220) reported in the FidoNet VIRUS echo a | problem he had with a file called PDESK. He says that he found it on a | CD-ROM, and that a virus scanner reported that the executables in the | file had suspicious code within. As a test, he ran one of the .exe | files, and all of the .exe file on his hard drive were deleted. The | files were recoverable using undelete, so it would appear that this was a | simple Trojan. | Charles Strusz (RBBS Net 970/201) reports that Southern Illinois has seen | a Trojan constructed from an archive of VPIC. Charles says that the file | contains a VPIC.COM file in addition to the VPIC.EXE file. The Trojan is | apparently either within or triggered by the .com file, since DOS will, | when given a filename with no extension, load a .com file with that | filename before loading a similarly named .exe file. | | When the Trojan runs, it seeks out all .GIF files on the drive it is run | from, overwrites the first few bytes (essentially ruining the .GIF), and | then deletes itself, leaving the original archive. | Bill Lambdin (1:343/45) forwarded a message posted in the Intelec | PC-Security conference by Bill Ziegler about an instance of a file called | CRPBATL.*. The copy of the file circulating in the Tulsa, Oklahoma area | is an apparent dropper of a virus using the Mutation Engine for | encryption. | | The virus is dropped in a unique way: initial scanning with popular | anti-viral utilities will not detect the infection. However, when the | main executable (CRPBTL.EXE) is run, it overwrites itself and almost | doubles in size, at which point the MtE can be detected. When the file | is run a second time, the virus tries to infect COMMAND.COM and | (possibly) some Novell Netware files as well. Infection can be cleaned | with most AV utilties at this point. | | Mr. Ziegler was not able to make the file infect his test system, and | those in the Tulsa area which were infected were easily cleaned. | However, this is a particularly nasty way of spreading a potentially | destructive bit of code, and should be avoided. | Bill also forwards a message by Jay Blethen from the U'ni Net Virus | Conference (via Michael Burkhart) about COPY2-HD, which claims to be a | "FAT table cache to speed disk access." Jay says that this file is | actually a Trojan which disables reboot calls, scrambles the FAT, and | then formats the disk. Jay says that the "screen message is pretty mean, | too...." | Eric J. Essman (CompuServe, 74656,557) posted an article in the Internet | comp.virus newsgroup about a dropper included in an archive of LARRY5.* | (Leisure Suit Larry). The file, which apparently spread from the | Northeastern United States, is a .com and .exe infector that infects | files over 3k in size when they are opened for any reason. Other | symptoms include file allocation errors reported by CHKDSK, a disabled | left CTRL key, and a message that says: | | VSUM VIRUS - your PC is now infected | (c) 1992 P/S, Inc. | | The virus has polymorphic capabilities. No information was given on what | programs will detect and/or clean this, so you might avoid any "Leisure | Suit Larry" files you see. Even if they were clean, they'd be pirated. | Drew Roberts (1:216/510) forwarded a report from one of his users, Steve | Luzovich, into the VIRUS_INFO echo about the file HOYLE2.EXE. The file | is supposed to be a collection of Solitaire games. However, Steve said | his virus scanner reported that two of the internal files, SIERRA.COM and | EXISTS.COM, were infected with a strain of the TP44 virus. To make | matters worse, Bill Lambdin (1:343/45) and Janne Granberg (2:227/12) | report that the original game is a commercial release by Sierra. Janne | also relays that TP44 is "version 44 of the Yankee Doodle virus...." | Probably an isolated incident, but be on the lookout nonetheless. | An unusual report for this publication: Kelvin Lawson reports the | existance of a file that registers FEBBS, called FEBBSREG. I usually | don't relay reports on "crack" programs, but this one may contain a file | that might be dangerous. First, here is the archive information: | | Name Length Mod Date Time CRC | ============ ======== ========= ======== ======== | FEBBSREG.EXE 4253 08 Jan 92 14:37:40 35BDF8FD | SETPATH.EXE 2368 12 Jan 92 14:10:58 DAC8EECE | 004733.TXT 1406 10 Sep 92 00:57:16 AD32C519 | ============ ======== ========= ======== ======== | *total 3 8027 10 Sep 92 00:57:36 | | The FEBBSREG.EXE file generates a serial number for FEBBS. However, the | problem, according to Kelvin, is with the SETPATH.EXE file. He says it | is a "little program which knackers (sic) your RA (RemoteAccess) BBS by | putting a little ANSI ad for (the hacker's) BBS on the login which has to | be patched out in the FAT." I have no idea if this is widespread, nor do | I have confirmation of its damaging potential. However, it would be a | wise move to avoid _any_ file that claims to register another program | without having to pay for the original. Support shareware, and pay the | author for his or her work. | Bill Lambdin (1:343/45) forwards a message by Stephen Sauls in the Smart | Net Virus conference about a fake update patch program for PCBoard. | Stephen forwarded the message from Joe Crosby, who received it from David | W. Terry of the Salt Air BBS. (Long way around, but at least it got | here.) | | The file in question is not named, but it claims to patch a "stack | overflow" problem with PCBoard. David says no such problem exists, and | that the patch actually performs a low-level format on the first 300 | sectors of your hard drive. | | David concludes that PCBoard users should never make use of patches | unless they are obtained directly from Clark Development Company and/or | downloaded directly from the Salt Air BBS, at (801) 261-8976. Good | advice. | Now, a report that I accidentally left out of last month's issue: Janne | Granberg (2:227/12), Co-Sysop of the Black Crypt BBS, reports that a | Trojan version of their BBS intro file (archive name BCINTRO) is in | distribution. The file contains two executables, README.EXE and | INTRONOW.EXE, both of which are Trojans. The first file is actually the | ADIDAS Trojan, and the second file is the ELEPHANT-2 Trojan. Both can be | detected by Fridrik Skulasson's F-Prot Scanner. (I'm not sure if you | have to use the /TROJAN switch on the command line; it might be the | default in later versions.) | Kyle Pinkley (1:3803/3.2) forwarded a message he found on a local BBS | that appears to be from PKWare, warning of hacked versions of PKZip. In | the message, a Trojan version of the PUTAV program (part of the PKZip | package) calling itself PUTAV193 is reported. I had not heard of this | before, so I am forwarding it here for your consideration. Jef Fraas (CompuServe, 71044,256) has found a hacked archive of the October issue of The Hack Report. He said that there were four files in the archive, one of which was called "README.BAT." When he ran the file, it tried to format his hard drive. Jef sent me a copy of the file for examination. The hacker merely inserted a few commands at the top of the HACK1092.COL file and renamed it README.BAT. Not a very professional hack job, and also a very good argument for visually examining any unknown batch file before you run it. Let me emphasize one important point: >>>>THE OFFICIAL ARCHIVE OF THE HACK REPORT WILL _NEVER_ >>>>CONTAIN ANY FORM OF EXECUTABLE FILE. ONLY TEXT FILES >>>>WILL BE INCLUDED IN THE ARCHIVE. If you find an archive that has an executable file inside, delete it: it's been tampered with. Official copies of the archive are available from sites listed at the end of this report. Thanks to Jef for all his help. Michael Toth (1:115/220) forwarded a message from Doug Bora (1:115/858) about a file someone uploaded to his system called MEM.*. This file contained the RedX virus. The file was described as "a program that upgrades your memory," and was 2048 bytes long. | Doug supplied the file information on the archive, which is reprinted | here for those interested. | | Searching ZIP: MEM.ZIP | | Length Method Size Ratio Date Time CRC-32 Attr Name | ------ ------ ----- ----- ---- ---- ------ ---- ---- | 1818 Stored 1818 0% 01-04-80 00:55 238335e0 --w MEM.COM | ------ ------ --- ------- | 1818 1818 0% 1 Your Hack Squad has seen a listing for two files called AIRCOP.* and PUNK.*. These files were advertised as viruses. The first one, AIRCOP, is supposed to destroy and overwrite files on drive A:, and to attempt to corrupt files on any drive. The second one, PUNK, was advertised as the "smallest virus in the world." It claims to corrupt every .com file it can find. The above files were advertised as being available "for research purposes only," but there is no way to tell if they ever made it into public distribution. Keep an eye open, and scan everything, just in case. Tom Lane (1:382/91) forwarded a message from a caller named David Basile of Daleville, Alabama, about two Trojan files. The first was called HOUSEPAN.*, which appears to be a compiled batch file. It contains a .DAT file which says that "your hard drive has just been infected with a virus and only the PainKiller has the cure." The Trojan then tries to delete files using a program called "House," which is a renamed version of a program called RM that simply removes files. The second file David reports is called RAZOR1.*, which claims to be a game with "great graphics and sound." When it runs, David says it claims it will need "time to expand and a lot of hard drive space." However, it seems to need the same amount of time regardless of the machine it runs on - it estimated 7.5 minutes on both his 486 and his Tandy 1000TL. The program winds up writing to your COMMAND.COM file during this time. If you have a backup copy of COMMAND.COM, David states you can just copy it over the infected file and everything will go back to normal. (Make sure you boot from a clean, write-protected floppy before you do this, though.) Joachim Theile (CompuServe ID 100042,1552), reports a potential problem with a copy of a file called PHANTOM2.*. This program, a copy of The Phantom of the Keyboard II, v1.1, seems to be an "isolated incident" of an infected file. The executable in the archive, PHANTOM2.EXE, was reported to be infected with the Hafen [Hafn] virus by McAfee's ViruScan (no version of SCAN provided). If my memory serves, the program is legitimate. Joachim's copy seems to have been infected by a third party. Jerry Murphy (1:157/2) located a copy of a file called PCS204.* which has been infected with the MIMIC2 [Mim] virus. McAfee's ViruScan v97 detected the infection in the internal files PCS.EXE and PCSLOG.EXE. He has sent a copy to McAfee, who have confirmed that the [Mim] virus is real (it was added to the SCAN program before shipping, but wasn't included in the VIRLIST.TXT in the SCAN archive). | Jerry informs me that PCS is a program called PC-Sentry, and was the | shareware version of the program. This appears to be another "isolated | incident" for everyone to be aware of. Russell Wagner (1:202/307) reports in the FidoNet DIRTY_DOZEN echo that a file called X_COMM.* contains a Trojan. The file claims to increase the speed of your modem. A batch file in the archive, if run, will apparently delete all .exe, .com, .sys, and .bat files in your root, DOS, and WINDOWS directories. A previous report forwarded by Troy Dowding about REGLITE brought in some further information, forwarded by Bill Dennison (1:273/216). One message forwarded from Bill Baer of the ILink Shareware conference (via Larry Dingethal) says that the file contained only an executable file, with no docs. Another message from John Cline gives further info on the virus that infected the REGLITE file, called "Particle Man." It increases the size of a .com file by 690 bytes (no info on .exe files), and is not detectable by SCAN v95. John says you can make SCAN detect it, using the following procedure: First make an ascii consisting of the following line: "b94201313583c702e2f9" Particle Man Type the line exactly, including the quotes, and save the textfile with filename VIR.TXT to the same subdirectory that contains SCAN, next run with the following command line: scan c: /ext vir.txt You can replace "c:" with any drive letter you want to check. The above scan string will detect the virus after it has started to replicate, but before it starts overwriting files in all your directories. HW Richard Steiner forwarded a message from Eric Hamel (RIME address SOFTC, Shareware Conference) about the file MSTLST10. A user of a board local to Eric found the file, described as "like Sidekick, only better," and downloaded it. An INSTALL.BAT file in the archive had references to copying the command interpreter. Eric ran the install program, and wound up with an overwritten command interpreter - the file MASTLAST.COM had been copied to his root directory and had been renamed to the same name as what was pointed to in his COMSPEC setting. Another forwarding from Richard involves a report from Steve Bogacz of the Rice Lake PCUG (via George Goza, ILink (Channel 1 BBS)). Steve found a file called FLIP-IT that contains a variant of the Wisconsin virus. No file description was given. Here comes the sermon again - SCAN EVERYTHING YOU DOWNLOAD. Before you run it, preferably. Malte Eppert (2:240/500.6) forwarded a message into the FidoNet DIRTY_DOZEN echo from Dick Hazeleger about EARLYWA, an "AV warning program." He ran the main program, DAILY.COM, after scanning it with McAfee's SCAN95 and getting a clean result. The program crashed when it tried to invoke the DOS DEBUG program, which Dick doesn't have on his system. After this, he checked the file using Fridrik Skulasson's F-Prot virus scanner in "Heuristic" mode, and received the message, "...the first 71 bytes of this program contain a primitive virus." (See the clarifications section for further information.) Matthew Peddelsden (2:440/302) has received a report of a virus in a copy of the GSZ ZModem protocol driver archive by Chuck Forsberg. He says that "running any file in the archive will infect the file COMMAND.COM, and subsequent program (sic) that is run is infected so that it is corrupted and when run simply displays rubbish on the screen and beeps madly out of the speaker." Matthew received an archive listing from the person whose system was infected by this. Here's the info: Length Method Size Ratio Date Time CRC-32 Attr Name ------ ------ ----- ----- ---- ---- ------ ---- ---- 76 Shrunk 72 6% 13-12-91 13:32 0a33cf32 --w DS.BAT 340 Implode 287 16% 13-12-91 13:35 631a91b6 --w FIX.BAT 110 Shrunk 98 11% 13-12-91 13:27 6836df0d --w RZ.BAT 36 Shrunk 31 14% 13-12-91 13:22 d8d5d2f9 --w SZ.BAT 151 Shrunk 140 8% 13-12-91 13:27 b5400e97 --w ZDOWN.BAT 123 Shrunk 115 7% 13-12-91 13:27 5cffa510 --w ZMODEMAD.BAT 116 Shrunk 106 9% 13-12-91 13:28 c38f9bfe --w ZMODEMD.BAT 134 Shrunk 123 9% 13-12-91 13:28 89aeacd7 --w ZMODEMDR.BAT 140 Shrunk 123 13% 13-12-91 13:28 eeba3b6f --w ZMODEMU.BAT 59 Stored 59 0% 13-12-91 13:28 3eedc27b --w ZUP.BAT 898 Implode 683 24% 24-11-90 04:20 07d84f0d --w DSZ.10 71424 Implode 42742 41% 27-04-92 15:00 ccda0966 --w GSZ.EXE 33936 Implode 21315 38% 26-04-92 08:44 cd04b5ea --w GCOLORS.EXE 130736 Implode 45830 65% 27-04-92 15:38 ead89b23 --w GSZ.DOC 3067 Implode 1230 60% 27-04-92 15:03 da90ea8b --w MAILER ------ ------ --- ------- 241346 112954 54% 15 His source says the virus is in both GSZ.EXE and GCOLORS.EXE. McAfee's SCAN95B doesn't detect it, but they have been informed. The virus contains the string, "APACHE WARRIER," along with a few others. It seems very unlikely that this infected copy originated from the author: it is almost certainly a situation where someone else down the line unpacked the archive, infected the files, re-archived them, and uploaded the bad archive to a BBS. If you have _any_ qualms about the copy of GSZ that you find, you can always go to the source and download a copy from Chuck Forsberg's BBS. Cal Gardner previously reported a file called 800II224, claiming to be version 2.24 of the 800 II disk formatting program. He did some testing, disabling his hard drive from the CMOS and booting from a floppy. When he ran the program, it deleted all files on both drive A and drive B. His information is that the latest version is v1.80. The author, Alberto Pasquale, is in Italy according to Isaac Salpeter (1:3612/210), so he is a bit difficult for me to contact. However, the behavior of the file Cal found leads me to believe he has located a Trojan copy. John Wagner (1:209/760), the author of IMPROCES, reports that his program has been the victim of a Trojan version. The Trojan is in a file called IMPROC50.*, which is actually v3.1 of IMPROCES that has been "infected with about 10 viruses" according to a report received by John. John also reports that his source said the file "waxed" a hard drive when it was run. For the record, the latest version of IMPROCES is 4.0, so avoid any higher numbers. Bryan Nylin (1:343/116) reports a Trojan version of SCAN95 that has the SCAN.EXE file in the archive replaced with a SCAN.COM file. Bryan says this wipes out your boot sector and media descriptor byte, then overwrites the FAT and data areas with a continuous stream of the string "NOT!NOT!NOT!NOT!NOT!NOT!" (and so on). Sounds like this was written by a bored programmer who watched Wayne's World once too often. Note that this seems to be an isolated sighting: McAfee did in fact release a valid SCAN95. They also released v94b, a beta test, but skipped over that version number due to a report of a Trojan version | found in Mexico. The latest official version is v99. Bill Lambdin (1:343/35) forwards a message from Phil Helms of the CircuitNET Virus Conference. The file in question, ATTRUE.*, is listed as "a DOS utility to change file attributes." Instead, one of the internal files (README.COM) deletes all .EXE and .COM files in your DOS directory and tries to do the same to your .SYS and .BAT files in your root directory. Phil says it looks like another compiled .BAT file. Please note that Phil did _not_ run the actual program file in the archive (i.e., ATTR.COM). This program may be legitimate, and simply was archived along with a Trojan README.COM file. The safest way to avoid a problem like this is to look inside any README.COM file with a file viewer (such as PC Tools VIEW or Buerg's LIST) before you run it. Most of these will have readable text strings that look like documentation inside them. If yours doesn't, be careful with it. Enoch Ceshkovsky (RIME Shareware Conference, address NSTTZ) found a file called ENVIRED.* that claims to be a DOS Environment Editor. However, the copy that Enoch found was infected with a strain of the Family virus. I'm not sure if the file is a legitimate program, since I'm not familiar with it. Either way, this is a single sighting: the virus in it can be detected by SCAN v93 or higher. Michael Mac Nessa (1:2250/2) reported in the AMIGA_PDREVIEW echo on an attack by a file called DW171.LHA. This was described as "the best directory utility" ever seen by the uploader. The file claims to be a program called DirWork, version 1.71. The program checked clean for viruses, so Michael ran it and got a grey screen and nothing else. After 30 seconds of this, he rebooted. On bootup, his dh0: drive started to access rapidly, and he was then asked by his system for dh1:, a drive he didn't even have. Fortunately, his boot drive setup uses a different setup (not booting from dh0), so his boot drive survived the attack. However, his File: hard drive was wiped out. I apologize if I have massacred Amiga terminology, so please correct me via NetMail if I'm wrong on any of the drive names. For the record, however, this Trojan has been verified by the author of DirWork, Chris Hames (via Robert Poole, 1:142/886). The latest version is 1.62. Michael Nelson (1:125/20) received a file called FAST!.*, an apparent pirate of the commercial disk cache program FAST!. However, upon further inspection, this really looks like a Trojan. The archive contains the following files: NAME SIZE DATE TIME ------------------------------------ README ANS 320 01/01/80 02:25 INSTALL COM 1459 03/26/92 19:08 FAST DAT 20927 03/26/92 19:14 FAST TXT 588 03/26/92 19:00 The text file says the installation is slow, since it has to check every program on your hard drive. A look inside the .COM file reveals the line "REN fast.dat fast.com c: /q /u". The FAST.DAT file contains lines that lead one to believe that this is an MS-DOS FORMAT.COM file, with added commands that will try and format all of your drives. Both the INSTALL.COM and the FAST.DAT file have gone through a batch file compiler somehow, with the INSTALL.COM having a registration notice for the batch file compiler. Although Michael didn't run the program (smart move), he does suspect a serious Trojan here. So do I. Harold Stein (CompuServe address 72377,3075) forwards a report from a SysOp in his area, Danny Swerdloff, about a file called JOKE.*. The file is described variously as either "the best fake FBI database joke available," or "a very believeable hard disk crash simulator." The archive contains only two files: JOKE.BAT and JOKE.DOC. The doc file reassures the user that the batch file is completely harmless. However, the batch file contains the following lines: c: cd\dos del keyboard.sys format C: This is a rather amateurish Trojan, and can be easily thwarted by giving your hard drive a volume label. However, a better precaution is to examine any strange batch file you are given before you run it, since virus scanners do not look into batch files. That way, if you see the word FORMAT in one, you can delete it before it hits. An update on #1BLAST, reported in the October issue of The Hack Report. Rick Rosinski (1:239/1004) reports in the PDREVIEW echo that the SysOp who was hit by it (Pete Kehrer) experienced some rather bad results from it. In short, it overwrites your COMMAND.COM file and replaces it with the characters "///", and writes similar garbage over your config.sys and autoexec.bat files. It also creates several other files, all ASCII, with characters like "////asdfasdf" in them. (In case you're wondering, look at the four keys on the left side of the home row of your keyboard - the letters are "asdf" on a standard Qwerty keyboard.) This file at first looks like a real Apogee game - it even has Apogee's catalogue in it. It is easy to repair the damage, but it's a shame that someone would want to do this to another person's system. Bill Lambdin (1:343/45) forwards a message from Reidar Lilleboth (ILink OS/2 Conference) about TEDP090.ZOO. This appears to be an isolated incident of a copy of the file being infected with the Maltese Amoeba virus. TEDP090 is a small OS/2 text editor. If you see this file, please scan it before running to make sure you have a clean copy. HW Mikael Winterkvist (2:205/422) found a file named BREV.*, described as "SysOps Sex Habits." However, this is a "device bomb," which contains the names of DOS devices in the archive. Similar to a file reported in the full report, this is aimed at your CLOCK$ device. When unarchived, the CLOCK$ is opened, and about 50K worth of the letter A are written to your system clock. | Mikael now reports a new variant of this (filename not yet known) that | contains the files COM1.EXE and COM2.EXE. One version of this wound up | connecting the target system to a board in Australia (an expensive call | from Sweden), and another version called up a board in the United States. Paul Drapeau (1:322/594) reported in the FidoNet VIRUS_INFO echo a new virus called Power Pump. Normally, viruses by themselves are not reported in The Hack Report/Update, but this is an unusual situation. According to Paul's research, all droppers of this virus have a file in their archives called POWER.EXE, with instructions to the user not to run this file. He does not understand the connection, but the virus will not run without the POWER.EXE file. A few specifics on Power Pump: it doesn't actually attach its code to files, but uses the "corresponding file" technique. It looks for .EXE extension files, then creates a file with the same root name but with a .COM extension. Since DOS executes .COM files before .EXE files, the viral file (1199 bytes long) is run first, where it executes the viral code and passes execution on to the corresponding .EXE file. The virus also looks for empty directories: if it finds one, it creates a hidden file called COM (with no file extension) that contains the viral code. To date, Paul says the virus has been found in two archives (one of SCAN89.ZIP and one of VSUMX204.ZIP). These may have been localized occurrences, but be on the lookout for any file with a POWER.EXE file in the archive. Dan Christman (1:520/519) reported that there is a version of TheDraw that contains "several viruses." He says to watch for a file within the archive called THEDRAW.PCK. This file is only created after the program is initially executed and is not part of the official archive. Dan gave no filename for this dropper, but be on the lookout for any archive that already has a THEDRAW.PCK file in it. | On this subject, Matt Weese (1:170/610) found an archive with the | THEDRAW.PCK file inside. However, his copy (archive version 5.00) was | not infected - merely hacked. Another sighting of the THEDRAW.PCK file | comes from Jesper Tragardh (2:200/109), who reported the TDRAW601 hack | listed in the Hacked Files section. Just for the record (once again), the latest official release of TheDraw is v4.51. Please be aware that the PKZip v2.0B hack reported in the hack section of this report could be a Trojan. According to the report filed in the VIRUS_INFO echo by Fred Towner, the archive (an ARJ archive, no less(!)) had these files in it: PKZIP20B.EXE UNKNOWN.NFO MUSTREAD.COM (archived with PKLITE) WATCHME!.EXE (archived with PKLITE) Fred was wise enough not to try and run any of these programs, so Trojan activity has not been confirmed. Other previously reported Trojans/Droppers: Filename Claimed use/Actual activity/Reporter(s) --------- ----------------------------------------------------------- 240TOMNP Small file that trashes disks (no elaboration on symptoms). From Eric Pullen (USTGNET). ARJ240 Supposed "latest version" of the popular Archiver by Robert Jung (ARJ). This is a dropper of the FISH virus, reportedly with a "secure envelope." Latest official version of ARJ is 2.30, with an official wide beta release under filename ARJ239A. Reported by Hazel Clarke (1:134/68) via Ken Miller (1:134/111). BACKFIND Activity unknown, but has many obscene text strings in the executable that seem to indicate that it will trash your hard drive. From Dan Stark (1:247/101). BILLNTED No claim reported - begins its "bogus journey" with the message "Decompressing database, please wait......", then prints more messages and formats the first 50 tracks of your hard drive. From David Elkins (2:254/78). COMPILER Claimed freeware version of Stacker - phone numbers in the text files are fake (one is a phone sex number). Erases your COMMAND.COM file. From several reporters. CORWP22 Isolated incident - Corewars game, with an executable (CORE.EXE) infected by the Dark Avenger virus. From Gary Madison (2:259/22) and Howard Wood (address unknown). CSHOW900 Fake version of the CompuShow .GIF viewer - the .EXE file in the archive tries to truncate your COMMAND.COM file. From Tim Spofford (1:105/99). CUBULOUS No claim reported for this file - apparently contains a dropper of the REX virus (detected by SCAN v91 and higher). Reported by Bill Arlofski in the CNET Spitfire Support Conference, forward by several through Mark Wurlitzer (1:294/9). CVIR Advertised as a virus scanner - executable has the strings, "/Checking drive for VIRII/TROJANs. Please wait.EHAHA God your a ****ing moron. YOU HAVE BEEN HIT BY A TROJAN! HAHA". (String edited for family viewing.) From Dan Stark (1:247/101). DOS501 Described as a beta of MS-DOS: may contain a variant of the DISKILLER virus. From Scott Scoville (1:282/3006). EPW27 Purported new version of EPW, a file that protects executables with an encrypted password. Instead, this Trojan contains droppers of the ITTI-A, ITTI-B, and Rock Steady viruses. Latest official version is v1.2. From Patrick Pfadenhauer (via Mark Evans, formerly 1:382/87). FONTS Advertised as additional fonts for TheDraw - the FONTS.COM file in the archive is a compiled batch file that changes to your C: drive root directory and deletes all files within the root. A legitimate FONTS archive exists as well. From Glen Appleton (1:260/371) via Arthur Shipkowski (1:260/213.2). FREEHST ANSI bomb - remaps your keyboard, making some keys invoke the FORMAT command. Described as how to get a free HST modem (steal one, it advises). Avoid by using an ANSI driver that disables keyboard remapping. From Tom Ward, SysOp of the BCS TI99 BBS (617-331-4181), via Herb Oxley (1:101/435). GREYSCAL Claims to be a monitor adjustment utility - actually a dropper - infects files on your hard drive with the FISH virus through the README.EXE file in the archive. Not detectable by any scanner. From Bill Logan (1:300/22). MOBYZ Does "a number on your hard drive" - no further details given, but apparently confirmed by McAfee. From Michael Masters, SysOp of the Conceptual CAD Design BBS (Tempe, AZ) via Mark Evans (formerly 1:382/87). MONOP3-0 Supposed to be Monopoly for Windows. Contains FORMAT.COM from DOS 4.01 and STACKEY v2.1 (renamed as MONOP1.COM and MONOPOLY.COM and invoked by a batch file called README!!.BAT). Will try and format your hard drive - a volume label on your HD will thwart this one. From Derek Vanmunster (1:229/418). NPV2 The "Non-Programmer's Virus" - a claimed aid to testing anti-viral programs. Contains an infected copy of Vern Buerg's LIST.COM. From Michael Kerr (1:309/7). Obnoxious "Tetris" clones for the Macintosh - actually droppers of the Tetris MBDFA virus. Via Paul Ferguson (1:109/229) in the VIRUS_INFO Tetris- echo. cycle Ten Tile Puzzle OCEAN From the BBS description: "Wonderful Game, Reward for the PLANTS person who conquers it 1 time, Good luck, how does 30,000 RAINBOW bucks sound to you if you break the pattern, try this game, it is wonderful, waht a challenge, bet you can't break the pattern. $50, 000 if you do it twice." Actually a compiled batch file that tries to erase all files on your C: drive. From Richard Dale (1:280/333). PROTOFIX Possible isolated incident of a patch file for RBBS that claims to correct a "flaw" in RBBS - may destroy your hard drive's FAT and wipe out files. From Richie Molinelli, via HW Ken Whiton. PSI3 Passing itself as the LHA Archiver, version 3.00. It destroys your partition table, boot sector, and parts of FAT 1 and FAT 2. From Nemrod Kedem (2:403/138). QUICKEYS Claims to increase keyboard speed - turns out to be the actual executable file of the BURGER virus. The virus file is called QUICKEYS.COM and is 542 bytes long. This is not to be confused with the PC Magazine Utility of the same name. Reported by Jay Siegel (1:153/151). RAMBO Contains files with the names of DOS devices that are affected when the archive is viewed or unpacked. Reported by Michael Toth (1:115/220). RANEW_16 Isolated incident - 12k larger than real version, causes damage to RemoteAccess BBS systems. From HW Nemrod Kedem. SCAN87 Suspected of Trojan activity, but not confirmed. The latest SCAN88 official release is SCAN99. Reported by several. SCAN94 SCAN96 SHIELD20 Claims to protect you from Trojans, but are possible Trojans SHIELD21 themselves. From Jim Lambert (CircuitNet) via HW Ken Whiton and via Michael Toth (1:115/220). SPARKS Possible isolated incident - contains the ICE-9 virus. From Brian Sterrett (2:255/34). TG27FAST Trojan "speed-up" for Telegard 2.7 - damages disks to the extent that they require reformatting. From Eric Pullen (USTGNET) via Robert Hinshaw (1:291/16) and Eric Kimminau (1:120/335). TGCHAT21 Fake Telegard Chat utility - tries to format part of your hard drive. From Rajeev Seth (1:250/328) and Todd Clayton (1:259/210) TGSEC16 Trojan version of Telegard Security Package - both executables in the archive will infect your system with the Dark Avenger virus, and the text files show you how to ease access to your system by hackers instead of prevent access. By Scott Raymond, author of the real package (latest official version is TGSEC17.*). TIME Several files reported under this name - one dropper, one Trojan. Be wary of any file with this name. TMFIX Claims to fix a problem with the dialing directory used by the communication program Telemate. Formats your hard drive (or at least part of it) instead. Reported by Brian Hess (WildNet), via HW Ken Whiton. VGA835 Claimed VGA game - wipes out your hard drive. From Gary Meade, SysOp of the Tiger Run BBS in Sioux Falls, SD, via HW Ken Whiton. VIRTUAL Supposed to be a virtual reality game. One file in the archive has the string, "This bombing was compliments of A.C.K. and its affiliates." Trashes hard drives. Possible isolated incident. From Dan Stark (1:247/101). See also ??Questionable Files?? section. VPIC47 One circulating version of this seems to contain the Dark Avenger virus, "split" so that no scanner can pick it up. Get the latest version of VPic, VPIC50, to avoid this. From Tim Tim Sawchuck and Jeff Simmons in the WildNet VIRUSES_MN conference. WHALE Not a VGA graphic of a whale as described, but the actual WHALE virus. From Dan Stark (1:247/101). WLFCHEAT Claims to be a "cheat" file for the Apogee/Id game Wolfenstein-3D. Actually wipes out your hard drive's boot sector and trashes the File Allocation Tables. Not to be confused with WLF1CHT, a legitimate "cheat" file written by Michael P. Hoffman. Reported by R. Wallace Hale, SysOp of the Driftnet BBS (PC Virus Research Foundation), via Clayton Manson (1:3612/140). ZAPPER15 PSI3, mentioned above, recommends an "antivirus" program called ZAPPER15.* to remove a virus called "PSQR". ZAPPER15 is another Trojan which overwrites your hard disk's boot sector with random garbage data from memory. It contains no viral code. Also from Nemrod Kedem (2:403/138) ========================================================================= Pirated Commercial Software Program Archive Name(s) Reported By ------- --------------- ----------- 4D Boxing (game) 4DBOX-1 Jason Sabshon (Internet, 4DBOX-2 jsabshon@mindvox.phantom.com) | 4th and Inches 4TH Jason Sabshon (Internet, | (Accolade game) jsabshon@mindvox.phantom.com) 4X4 off-road racing 4X4 Jon Jasiunas (WildNet, via (Epyx) HW Ken Whiton) Above Disk v3.00A EXP-MEM Dale Woloshin (1:163/211.3) and Wolfgang Fritz Alf and the Alley Cats ALF Bill Dennison (1:273/216) | AMI Diag v4.0 AMIDIAG4 Dan Westlake (Intelec | Shareware Conference, via | Bill Lambdin (1:343/45)) Amiga ARexx Manual AREXXMAN HTom Trites (1:282/62), (Verified by William Hawes, author) via Derek Oldfather Arkanoid II: ARK Jack Cross (1:3805/13) Revenge of DoH ASQ v2.0 (Qualitas) ASQ20 HW Nemrod Kedem (Note - unlike previous releases of ASQ, ASQ v2.0 is not shareware.) Backgammon Royale BGROYALE Shakib Otaqui (2:440/74) BGROYDOX Bargames BARGAMES Scott Lewis (1:107/607) (game from Accolade) Battle Chess BCHESS Bill Roark (RIME, via HW Richard Steiner) Battle Chess for BCWIN1 Harold Stein Windows BCWIN2 (CompuServe, 72377,3057)) BeetleJuice (game) BJUICE Alan Hess (1:261/1000) BJ Bill Blakely (RIME Shareware echo) BTLJWC the Hack Squad (1:382/95) BitCom BITCOM Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) BitFax BITFAX Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) BitFax 1.22B Unknown Antonio Rezende (RIME) | BLAST Comm Package BLAST-1 Harold Stein, via | (US Robotics) BLAST-2 HW Richard Steiner Blockout BLOCKOUT Bill Lambdin (1:343/45) (California Dreams) Catacomb 3-D CAT3D Jason Culler (1:261/1000) | Check It v2.0 CHKIT20 Bill Lambdin (1:343/45) Chessmaster 2000 CHSMSTR David Silver (2:2405/12) Commander Keen #2KEEN Steve Hodsdon (1:132/199) (parts 2 and 3) #3KEEN Harold Stein (via Ken Whiton, 1:132/152) (part 5) #5KEEN John Van Eekelen (2:500/228) Crystal Caves pt. 2 CRYSTL-2 John Van Eekelen (Apogee) Desert Storm (Windows) DSTORM Bill Roark (RIME, via HW Richard Steiner) Die Hard (game) DIEHARD Harold Stein DiskDupe Professional DDPRO339 John Van Eekelen Disk Manager 5.0 DM50 Philip Perlman (1:278/709) Double Disk DDISK214 Ronald McGill (1:167/149) DoubleDos v5.5 DDOS55 Ove Lorentzon (2:203/403.6) DSZ (registered) DSZ0503R HW Nemrod Kedem Duke Nukem parts 2 & 3 DUKEZIP2.EXE Steve Hodsdon (1:132/199), #2DUKE Craig Demarsh (1:260/213), DUKEZIP3.EXE and Hal Thompson (1:353/220) DUKETRIL Harold Stein (WildNet) (also under various other names - only the first game in the trilogy is shareware: #2 & #3 are for registered users only and are pirated.) Duke Nukem (registered) DNUKEM Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) Dune (game) DUNEFLT1 Michael Toth (1:115/220) DUNEFLT2 DUNEFLT3 Eagle's Nest (game) EAGLE Mike Headley (1:362/112) Frank R Pizer (5:71/0) EMM386 EMM386 Jeff Hancock (1:3600/7) George Staikos via Mark Evans (1:382/87) | Thomas Ryan (1:228/28) EMM441 John Van Eekelen EMM445 Dennis Moore (1:123/81) Fatal Challenge FATAL Mark Visser (1:221/76) Fastback Plus v2.0 FBPL200 Bogie Bugsalewicz (1:115/738) Flashlink MNP Emulator FLASHLNK Several FLINK Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) Gauntlet (game) GAUNTLET Cimarron Mittlesteadt (via Ken Whiton, WildNet) GIFLite v1.40 GIFLT14R Stephen Kawamoto (Registered Version) (1:153/7004) GSZ GSZ0410 Arthur Taber (1:125/28) (via Stuart Kremsky) GSZ1214R Harold Stein, via HW Ken Whiton | GSZ611R Scott Raymond (1:278/624) NOTE: GSZ is a shareware program, but these particular archives were the registered versions. Harmony (game) EMOTION John Van Eekelen HIMEM.SYS (from HIMEM307 John Van Eekelen Microsoft) | Home Lawyer HOMELAWY Kim Miller (1:103/700) | Hunt for Red October HUNTRED Ted Sanft (1:282/1012) IronMan off-road racing IRONMAN Jon Jasiunas (WildNet, via HW Ken Whiton) The Jetsons (game) JETSONS Harold Stein Jill of the Jungle JILL2 Harold Stein (non-shareware files) $JILL2 HW Bert Bredewoud $JILL3 Kiloblaster $KILO2 HW Bert Bredewoud (Missions 2 and 3) $KILO3 LotusWorks v1.0 LWORKS Brian Luker (1:167/149) Mac-in-Dos CLINK Arthur Taber (1:125/28) (not the SEALink protocol) MAC-DOS Ron Bass (1:128/13.3) Leslie Meehan, original reporter (unknown) MACON-5 Kimberly Avery (1:324/278) Microsoft Mouse Driver MOUSE810 Bat Lang (1:382/91) | Mah Jongg for Windows MJWIN Bill Lambdin (1:343/45) (registered) Monopoly MONINC Chris Nelson MONOPOLY Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) MS-DOS 6.0 Beta DOS6BETA Chris Astorquiza (1:250/316) DOS60B-1 Michael Toth (1:115/220) DOS60B-2 DOS60B-3 DOS60B-4 MTE MNP Emulator 4800BAUD George Staikos,Trenton,ON, via Mark Evans (1:382/87) MNPEMUL Larry Dinkoff (1:115/622) MTE215 Bat Lang (1:382/91) MTE210E MTE210F MTE210G MX5 Wolfgang Fritz Verified by Steve Lieberman of MagicSoft, Inc. MX6 MTEZ (MagicSoft) MTZ115B1 Kim Miller (1:103/700) Nederlandse Spoorwegen NS9293 John Van Eekelen (Dutch Railroad NS_92_93 System Info Book) Nightmare on Elm FREDDY Chris Nelson (1:238/500) Street (game) Off-Line Express v2.2 OLX22 Jason Sabshon (registered) Optune OPTUNE Bat Lang (1:382/91) OPTUNE11 OPTUNE12 Jeff Dunlop (1:203/16) OPTUNE13 Michael Toth (1:115/220) Paganitzu part 2 #2PAGA Harold Stein (via Ken Whiton, 1:132/152) Paperboy (Game) PAPERBOY Carlos Bazan (1:102/753) PC-Hooker PCHOOKER Larry Dinkoff (1:115/869) (Brown Bag Software) Physician's Desk PDR-1 Bret Dunning (1:123/85) Reference PDR-2 PDR-3 PDR-4 PKLite Professional PKLT_PRO Eric Vaneberck (2:291/712) Version 1.13 Version 1.20 PKL120R HW Bert Bredewoud PKLT120R Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) PMCamera (IBM) PMCAMERA Jan Scoonenberg(2:512/4.1080) via HW Matt Kracht Print Shop PRINTSHP Harold Stein Print Shop Deluxe PSDLX1 Harold Stein PSDLX2 PSDLX3 QEdit 2.15 (registered) QED215R Jason Sabshon (Internet, jsabshon@mindvox.phantom.com) | QEMM v6.02 QEMM602 Jason Sabshon QModem 5.0 QM50 Daniel Hagerty (1:208/216) QMODEM50 Larry Owens (1:280/87) QMODEM1 Jon Jasiunas (WildNet, via QMODEM2 HW Ken Whiton) QMODEM3 QMODEM4 Quicken 4.0 QUICKEN4 Wes Meier, the WCBBS, via Joe Morlan Rambo (game) RAMBO Cimarron Mittlesteadt (via Ken Whiton, WildNet) Rampage (game) RAMPAGE HW Bill Dennison Red Baron game unknown Nolan Taylor (1:157/537) (by Dynamix) Reversi (Win3 file) REVERSI Wes Meier, the WCBBS, via Joe Morlan Robin Hood (game) ROBNHOOD HW Bill Dennison SimCGA SIMCGA40 Joe Morlan (1:125/28) SIMCGA41 NOTE: SimCGA went commercial with release 4.0, according to the publisher (via Joe Morlan). Versions prior to this were copyrighted free programs. SimCity (by Maxis) SIMCITY Mark Visser SHRCTY-1 Richard Steiner, SHRCTY-2 HW Smartdrive Disk Cache SMTDRV40 Michael Toth (1:115/220) Solitare (Win3 file) SOLITARE Wes Meier, the WCBBS, via Joe Morlan Solitare Royale SOLITRYL Dan Brady (1:282/108) SOLIT Bud Webster (1:264/165.7) Sourcer disassembler SOURCER Bill Lambdin (1:343/45) Space Quest (game by SQUEST1 Chris Nelson Sierra On-Line) | Spear of Destiny SODINC1 Mario Degryse (2:291/1600) | SODINC2 verified by Jay Wilbur, | SODINC3 Id Software (1:124/6300) Spidey (game) SPIDEY Brian Henry (ILink, via Richard Steiner, HW Spot (7-Up game) SPOT Steve Hodsdon (1:132/199) COOLSPOT Jason Arthurs (WildNet, via HW Ken Whiton) Squish 2.1 SQUISH21 Several (verified by Joe Morlan) Squish Plus 2.01 SQUISH21 Stephen Kawamoto (Sundog Software) (1:153/7004) StormLord STRMLORD Mark Visser (1:221/76) (game) Supaplex Unknown Kevin Donald (1:123/54) Rick Rosinski (1:239/1004) Dennis Matney (1:230/12) SuperStor SSTOR204 John Van Eekelen (2:500/228) System Control PCSSCC Ken Whiton, HW Commander (from PC Sources Mag) Tetris (the original) #1TETRIS Harold Stein (WildNet) The Bard's Tale pt. 3 BARDS-1 Chris Nelson (1:238/500) (game) BARDS-2 Tidbits TIDBITS Art Taber (game? from Softdisk) via Stuart Kremsky (1:125/28) Times of Lore (game) LORE Chris Nelson Toobin' (game) TOOBIN Joseph Lowe (1:387/1201) Top Gun TOPGUN Cimarron Mittelsteadt (WildNet, via Ken Whiton) Tunnels of Armageddon TUNNELS1 Wolfgang Fritz (1:249/140) TUNNELS2 UTscan UTSCAN Bill Lambdin (1:343/45) (part of the Untouchable package by Fifth Generation Systems) VGA-Copy v4.6 VGACPY46 Bert Bredewoud (2:281/703) (Registered Copy) Virex-PC VIREX Wes Meier, via Joe Morlan VIREX1 Glenn Jordan (1:3641/1.201) VIREX2 Virhunt 2.0 VIRHUNT2 Bill Lambdin (1:343/45) VRHUNT20 Virus_Safe VSCHECK Bill Lambdin (1:343/45) Wolfenstein-3D WOLFSINC Jeff Kaplow (1:120/364) (Non-Shareware modules) ========================================================================= ?????Questionable Programs????? | Glenn Jordan verifies that a file called VIREX30 (reported by someone | whose name I didn't catch - if you're reading this, please correct me!) | is not a legitimate file. He has not seen it, so he is not sure if it is | a hack of the commercial Virex-PC, or a hoax of the shareware VIRx | program. (Glenn works for the company that produces both.) In the | latter case, the latest official release of VIRx is version 2.5. | Jeff Hancock (1:3600/7) forwarded a thread from the C-GAMING echo (net | unknown) about a "demo" version of the Lemmings! game. This demo, in | excess of 500k archived, is said to have more than the three levels that | the real demo has. The real demo is about 250k archived. Warren | Zatwarniski (1:140/44) confirms the "crack," presenting documentation | from the file that mentions the alias of the group that cracked it. | | Do be aware that at least 2 legitimate demos of Lemmings! have been | released, one using the same filename as the crack. To tell the | difference, look for text files in the archive that mention "trainers" or | other such copy-protection bypass schemes. James FitzGibbon (1:250/428) forwarded a message from a local SysOp conference about a potential problem with a file that came down the Utilnet and SOFTDIST file distribution networks. The file, Vern Buerg's LIST v7.7a, came through both nets, but the file sizes were different. Here is an excerpt of James' message: The 2 versions contain the same FILES, but not the same internal sizes. 4 files are different in the 2 versions. NAME SIZE DATE TIME LENGTH METHOD ======================================================= In the one from Softdist these 4 files are: ARCE DOC 4048 04/12/92 04:10 12165 IMPLOD FV DOC 2711 03/10/92 01:40 7323 IMPLOD LIST DOC 28839 10/07/92 07:07 99429 IMPLOD LISTMOD DOC 5829 10/07/92 07:07 19472 IMPLOD In the one from UtilNet these 4 files are: ARCE DOC 3868 04/12/92 04:10 11829 COMP1 FV DOC 2571 03/10/92 01:40 7144 COMP1 LIST DOC 26814 10/07/92 07:07 96308 COMP1 LISTMOD DOC 5590 10/07/92 07:07 18802 COMP1 Note the LENGTH Column is actual size, SIZE is the compressed size. I have contacted James for further information about the file that came through SOFTDIST. It seems that it may have been altered in transit, possibly accidentally. In the meanwhile, I have verified that the version that came through Utilnet matches the version posted on Vern Buerg's official BBS. | HW Ken Whiton received a message from Phillip Mann over the WildNet about | the differences in the documentation sizes. Phillip contacted the folks | at Mr. Buerg's headquarters, who were unaware of any size differences | until they looked at their own copies: apparently, the LIST.DOC file in | the registered archive is 99429 bytes, the shareware version is 96308, | and the version on their own BBS is 91203 bytes. The Buerg | representative couldn't explain the differences, Phillip says, but | Phillip was assured that all three were "OK." In summary, LIST 7.7a is legitimate, but there may be an isolated incident of a truncated archive out there. Please forward any information you may have on this. Michael Toth (1:115/220) reports that he has a copy of the VIRTUAL file listed in The Trojan Wars section of this report. His copy is a Virtual Reality demo, and is not infected or dangerous. He was unable to find the text strings (mentioned above) in his copy. Sounds like the Trojan version might be an isolated incident. Cory Daehn (1:395/12) reports in the FidoNet PDREVIEW echo that there are three versions of our old friend XTRATANK. A recent message circulating in FidoNet about XTRATANK placing a two-part virus (half when installed, half when uninstalled) on your HD is true for the third version of XTRATANK, according to Cory. I have not seen this version, nor have I received any file sizes to compare to the version I sent to Bill Logan. However, I will report these when received. HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG echo about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu also says that there is a warning about these in circulation. If you have a copy of this warning, please send a copy to Hack Central Station (1:382/95). On the game front, some official information about which Apogee releases are shareware. According to Jay Wilbur (1:124/6300) of Id Software, episodes 1 and 4 of Commander Keen, along with the demo version of episode 6 are distributable, as is episode 1 of Wolfenstein 3-D. Other versions of these games are not supposed to be posted for download. Jan Welch (1:382/87) has reported in the FidoNet VIRUS echo a file called W3DEDIT.ZIP, which she claims is a Trojan that will attack your hard drive's boot sector. At first glance, this looks like a renamed WLFCHEAT, but I can't be sure. I've sent NetMail for more information, so be on the lookout and report anything you know about it, if you would. Steve Klemetti (1:228/19) has found an archive of the Apogee game Paganitzu (#1PAGA.ZIP) that may either be a hack or a corrupted archive. The file size is 281K, and the .EXE file within is 8K (vs 11K for the official archive. Steve says the opening screens go by "too fast," then the program puts your hard drive in "a constant seek mode." The file passed viral scanning. Like I said, this could just be a corrupt archive, but you never know. Just be on the lookout for an archive that meets these specs, and avoid it. The real thing is a pretty decent game, though, according to my 6-year old son, so don't avoid _all_ #1PAGA.* files just because of a bad version. BiModem is the subject this time, but the situation doesn't quite fit into any of the other categories of this report. A few users have seen a version called BIMOD125.* floating around, and wondered if it was a hack. Steve Baker (1:114/116.0) called the support BBS and verified your Hack Squad's information: v1.25 is a closed beta. Version 1.24 is the latest public release. This information was also verified by the Hack Squad (in lurk mode over in the BIMODEM echo) through a message posted by Michael Ingram (1:114/151). In short, if you see BIMOD125, delete it - it's a beta that shouldn't be out yet. Yet another one that doesn't seem to fit anywhere is a Windows program called WinSpeed. Bill Eastman (1:382/35) relayed a message from Alan Zisman (1:153/9) in the WINDOWS echo about this file, and Piyadaroon Kalayanamit (1:382/87) quickly cleared the confusion. Apparently, there are _two_ different programs called WinSpeed: one is a commercial package of Windows video drivers, which should not be posted for download on any BBS. The other is a small utility that will report your system speed from within Windows, and is a legitimate shareware file. James Brown (1:266/22.0) has reported in the WINDOWS echo that the shareware WinSpeed has been renamed to WINDSOCK. According to James, the author(s) took the original off of CompuServe, renamed it, and resubmitted it. Hopefully, this will ease the confusion, but there _will_ be copies floating around under the old name. So, be careful with this one. If you get a copy of the video driver file from someone, delete it: it is not shareware. Finally, several people have been wondering whether a shareware version of XTreeGold has been released. According to XTree Support (in the XTREE forum on CompuServe), the last shareware release of XTree was version 2.00E (XTREE20E). This is _not_ XTreeGold: in fact, no shareware release of XTreeGold has ever been made. It is unclear as to whether a copy of XTreeGold has spread beyond the "pirate boards," but this much is clear: if you receive a version later than 2.00E that is described as shareware, delete it. It's pirated. ========================================================================= Information, Please This the section of The Hack Report, where your Hack Squad asks for _your_ help. Several reports come in every week, and there aren't enough hours in the day (or fingers for the keyboards) to verify them all. Only with help from all of you can The Hack Report stay on top of all of the weirdness going on out there in BBSLand. So, if you have any leads on any of the files shown below, please send it in: operators are standing by. | First, an update on a file reported in the second update to the November | full report. Bill Lambdin (1:343/45) reported a "working copy" of | Microsoft's Visual Basic on a local BBS. The two files were over 1meg | each, so they seemed a bit suspicious. However, Margaret Romao | (1:3603/150) reports that the working demo is a file which does | everything that the real program does except create executable files. | She also says that the file has been around for some while now. Mark | Allan (1:259/431) verifies this, having seen it on Microsoft's BBS. | Thanks for the clarifications, folks - that's what this report is all | about! | Now, for this month's "help wanted" notices. The first one is again from | Bill Lambdin, who forwarded a message from Mario Giordani in the ILink | Virus Conference about two files. The archives, called PHOTON and NUKE, | are possibly droppers, containing a file called NUKE.COM which "will | trash your HD." Bill has asked Mario for further information, and I | would like to echo his call for help. If you know of this, please lend a | hand. | Another one forwarded by Bill comes from Michael Santos in the Intelec | Net Chat conference, concerning a screen saver named IM. This is only a | "hearsay" report from one of Michael's friends, who says he downloaded it | and wound up with a virus. There is no way to tell if the infection came | from the file itself or if it was already present on his friend's system. | Once again, if anyone can clear this up, please do so. | One more such warning comes from Mark Stansfield (1:115/404) concerning | the files KILL and PROTECT. He claims that these delete the user's hard | drive when run. I have received no confirmation of these, and would | appreciate some if anyone has any. | Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN | echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named | Rich Bongiovanni. Rich reports that there is a file floating around | called DEMON WARS (archive name DMNWAR52) that is "infected with a | virus." If true, this may be an isolated incident. I would appreciate | confirmation on this. | Brian Keahl (1:133/524) stated in the VIRUS_INFO echo that a program | called PC-Mix (no archive name given) is a commercial program that is | being erroneously distributed as shareware. I had not heard this before, | and would appreciate confirmation. | Greg Walters (1:270/612) reports a possible isolated incident of a | problem with #1KEEN7. When he ran the installation, he began seeing on | his monitor "what looked like an X-rated GIF." The file apparently | scanned clean. Any information on similar sightings would be | appreciated. | A report from Todd Clayton (1:259/210) concerns a program called | ROBO.EXE, which he says claims to apparently "make RoboBoard run 300% | faster." He says he has heard that the program fools around with your | File Allocation Table. I have not heard any other reports of this, so I | would appreciate some confirmation from someone else who has seen similar | reports. | Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a | possible hack of FEBBS called F192HACK. I have not seen this file, nor | has the author of FEBBS, Patrik Sjoberg (2:205/208). He forwards the | file sizes in the archive, reported here: | | Name Length Mod Date Time CRC | ============ ======== ========= ======== ======== | FEBBS.EXE 220841 09 Mar 92 21:17:00 96D2E08D | 014734.TXT 1403 26 Aug 92 01:59:18 3B9F717F | ============ ======== ========= ======== ======== | *total 2 222244 26 Aug 92 01:59:24 | | Kelvin says the .TXT file is just an advert for a BBS, so it is "not | relevant!". As I said, the author of FEBBS has never seen this file, so | I've asked Kelvin to forward a copy of it to him. Mark Draconis (1:120/324) has found a file called TELE214R, claiming to be the latest version of Teledisk. He asked for verification in the FidoNet SHAREWRE echo of its status. On this same line, Kelvin Lawson reports TELE215R. Steve Quarrella (1:311/405) believes that the program has gone commercial, perhaps after version 2.12 or 2.13. Your Hack Squad has no idea, and has not yet had a chance to call Sydex by voice. Please help. An update on the report from James Collins (1:102/1013) on Virus Simulator 2.0 (archive name unknown) - if you remember, he says the documentation looks authentic, but the program "looks like someone has hacked it so that it crashes purposefully." The file performs a self-check at startup, then crashes. George C. Smith (CompuServe 70743,1711) says this sounds like a hack of the Rosenthal Engineering Virus Simulator. George explains that this program performs an integrity check at startup and will abort if it has been modified. He says his information comes from the file's documentation. I found a copy of this file on the IBMSYS forum of CompuServe under the filename VIRSIM.COM. This program does perform an integrity check at startup and will abort if it has been modified. So, it would appear that James has found a copy of Virus Simulator that was tampered with. Fortunately, the program is smart enough to know the difference. | Your Hack Squad has seen several references to a release of Scorched | Earth calling itself v2.0 (SCORCH20). The latest official version I am | aware of is v1.2. If someone can verify the latest release number, | please do so. Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS Optimiser (sic)," going under the filenames MAX-XD and MAXXD20. Scott Dudley, the author of Maximus, says he did not write any programs that have these names, but he does not know whether they are or are not legitimate third party utilities. I have requested further information from Andrew on this topic, and would appreciate anyone else's information, if they have any. Stephen Furness (1:163/273) left a short message in the FidoNet VIRUS echo about a file called RUNME. He says it claims to be a VGA ad for a BBS, but actually trashes your hard drive's boot sector. Now, a file with a name like RUNME makes me raise an eyebrow immediately, but this is still a single sighting. Please forward details if you see this file. Yet another short warning comes from David Bell (1:280/315), posted in the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is that it is a Trojan, and that he got his information from another "billboard" and is merely passing it on. Again, please help if you know what is going on here. Bud Webster (1:264/165.7) reports an Apogee game being distributed under the filename BLOCK5.ZIP. He says that the game displayed a message that said, "This game is not in the public domain or shareware." There was only an .EXE file in the archive, and no documentation. I need to know what the real name of this game is so that I can include it in the pirated files section (if necessary). Now, a sensitive subject. Arthur Shipkowski (1:260/213.2) forwarded a message from Kenny Root (GT-Net Shareware Forum), about a file called SHAMpage (SHMPG310.*). Kenny claims he downloaded this from a Door Distribution Network board, unzipped and ran it, and wound up with thousands of directories and the 1260 virus. This is the only report I have of this, and it is unconfirmed. I posted a question about this in a local echo in Austin, and found no one who had experienced the same symptoms. I also consulted George Vandervort (1:382/8), a beta tester for SHAMpage, and learned that the file that went out over the Door Distribution Network was perfectly legitimate and not harmful in any way. Rich Waugh, the author of SHAMpage, posted a message in the SHAREWRE echo about this: according to him, he hatches the latest releases from his system into the DDSDOORS file distribution net. All copies of SHAMpage hatched from his system contain a "DrawBridge" ZIP comment. For reference, the latest version (as of September 8, 1992) is v3.24. Mr. Waugh further states (and I agree) that he has "a lot of faith in the various file distribution networks," and he finds it hard to believe that the file picked up any sort of infection in the net itself. In summary, SHAMpage 3.10 is a legitimate file, but a tampered archive of it may be floating around. How it was tampered with is anyone's guess. If anyone sees an altered archive of this file, please forward the information so that I can post specifics on it. A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263) grabbed my attention the moment I saw it: in capital letters, it said, "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He goes on to say that two BBSs have been destroyed by the file. However, that's about all that was reported. I really need more to go on before I can classify this as a Trojan and not just a false alarm (i.e., archive name, what it does, etc.). Please advise. Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support Echo (FidoNet) about a version of ARJ called 2.33. It was unclear as to whether or not Mr. Mills had seen the file. Mr. Jung has repeated that the latest version of ARJ is v2.30 (however, there is a legitimate public beta version numbered 2.39b). It is possible that the references Greg saw about 2.33 were typos, but you never know. Please help your Hack Squad out on this one - if you see it, report it. I still have no further confirmation of MTG2400, reported by Zach Adam of 1:2200/103. The description says this program will run a 2400bps modem like a 4800bps modem, which sounds a bit like the MTE program listed in the Pirated Commercial Software section. Any information would be appreciated. As the last item in this report, your Hack Squad could use some info on the TUNNEL screen saver. Ove Lorentzon (2:203/403.6) reports that this is an internal IBM test program for VGA monitors. HW Richard Steiner forwarded a message from Bill Roark (RIME address BOREALIS, Shareware Conference) that had some quoted text strings from the executable. One says, "IBM INTERNAL USE ONLY." This file is extremely widespread, however, so I need to hear from someone who knows what IBM's position on this is. Has IBM changed its mind and made it legal to distribute this via BBS? If you know for certain, please advise. ========================================================================= The Meier/Morlan List | A couple of updates: first, Jeff Hancock (1:3600/7) states that KAEON is | "freeware, a scrolling horizontal space shootemup, requires VGA and | supports Adlib/SB. Size 423k, about 301 arjed." Jeff says that if there | is another Kaeon out there, he hasn't heard of it. HW Matt Kracht | confirms this, saying that the game was written by a guy named "Tran," | and is freeware. So, with this, Kaeon comes off the list. | Also from the Meier/Morlan list, HW Nemrod Kedem reports that TDWIN31, | TF386, and TLINK4 were made available by Borland International on their | public download BBS. Nemrod is a Borland support site in Israel, and he | has all of these on his board with the "permission of the Israeli | representative of Borland International." With this, these files also | come off the list. | Kevan McWhorter (1:3637/1) and Jerry Murphy (1:157/2) report that the | file SYSID602 is a legitimately distributable file. It is a utility that | generates several screens of information about the machine it is run on, | similar to Norton's SI program. Again, two confirmations, and the file | comes off the list. Thanks to Kevan and Jerry for their help! For those of you who missed it last time, here is the list of files that were forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system. Joe says Wes keeps a bulletin of all rejected files uploaded to him and the reasons they were rejected. Joe also says he cannot confirm or deny the status of any of the files on the list. I have included some of the files I can verify from this list in the Pirated Commercial Files section of this report. However, there are some that I am not familiar with or cannot confirm. These are listed below, along with the description from Wes Meier's list. Due to the unconfirmed nature of the files below, the filenames are not included in the HACK1192.COL file. I would appreciate any help that anyone can offer in verifying the status of these files. Until I receive some verification on them, I will not count them as either hacks or pirated files. Remember - innocent until proven guilty. My thanks go to Joe and Wes for their help. Filename Reason for Rejection ======== ============================================= BARKEEP Too old, no docs and copyrighted with no copy permission. HARRIER Copyrighted. No permission to copy granted. SLORGAME Copyrighted. No docs. No permission to copy granted. NOVELL Copyrighted material with no permission to BBS distribute DRUMS I have no idea if these are legit or not. No docs. SPACEGOO STARGOSE in disguise. Copyrighted. GREMLINS No documantation or permission to copy given. NAVM Copyrighted. No permission to copy granted. TESTCOM Copyrighted. No permission to copy granted. CLOUDKM A hacked commercial program. ANTIX Couldn't make this work. No docs. MEGAMAN Copyrighted. No docs. No permission to copy granted. MENACE Copyrighted. No docs. No permission to copy granted. AIRBALL A hacked commercial program. WIN_TREK No documentation. No permission to copy. SNOOPY Copyrighted. No docs. No permission to copy granted. SLORDAX Copyrighted. No docs. No permission to copy granted. ESCAPE Copyrighted. No docs. No permission to copy granted. AFOX A cracked commercial program. BANNER Copyrighted. No docs. No permission to copy granted. FIXDOS50 Copyrighted. No permission to copy granted. WINGIF14 The author's documentation specifically requests this file to not be distributed. INTELCOM Copyrighted. No docs. No permission to copy granted. 3DPOOL Copyrighted. No docs. No permission to copy granted. 387DX Copyrighted. No docs or permission to copy granted. WINDRV Copyrighted. No permission to copy granted. ========================================================================= Clarifications/Acknowledgements | When I put the last full report together, I apparently missed a couple of | "latest version" listings. First, I neglected to update the latest | version of Vern Buerg's LIST.COM, now at v7.7a. (A later release, | LIST77A2, may be in circulation, and is also legitimate.) | | Also, I missed an item concerning McAfee's ViruScan. The latest version | of this file is now 99. | | Thanks to those who wrote in and caught these - quite embarassing, but I | needed it. | Also, in the last report, I listed a crack of Id Software's Spear of | Destiny under the filename !SOD!. However, I have since been informed | by Jay Wilbur of Id Software that there is a legitimate demo of Spear of | Destiny going around under this filename. Jay says that the legitimate | file quite clearly identifies itself as a demo when run. However, Jay | does confirm that there is a crack of the full commercial game out there | somewhere - I just used the wrong filename. My apologies. | In the second November update, there was some confusion about the latest | version of Con>Format by Sydex. Jeff White (1:300/23) has verified that | the latest official release is v1.08a. My thanks go out to him. | Thanks also to Bill Logan of The Pueblo Group for his assistance in the | research of the GSZ611R file (listed in the Pirated files section). He | has verified that this is simply a registered version of the GSZ | protocol, and not a dropper or Trojan as had been feared. | Finally, in the last issue, I managed to misspell the name of one of the | reporters. To Warren Zatwarniski, I also extend my apologies. ========================================================================= Notes FidoNet Node 1:382/87, The ECS BBS, referenced several times in this report, is no longer an active node. Reports from that node and its SysOp, Mark Evans, will not be removed from this report. Mark may now be contacted at 1:382/91.1. Malte Eppert (2:240/500.6) wishes it to be known that the report he forwarded from Dick Hazeleger about EARLYWA was just that, a forwarding, and not an agreement with or confirmation of the forwarded report. The report he forwarded does not express or include his opinions. ************************************************************************* Conclusion If you see one of these on a board near you, it would be a very friendly gesture to let the SysOp know. Remember, they can get in just as much trouble as the fiend who uploads pirated files, so help them out if you can. ***HACK SQUAD POLICY*** The intent of this report is to help SysOps and Users to identify fraudulent files. To this extent, I give credit to the reporter of a confirmed hack. On this same note, I do _not_ intend to "go after" any BBS SysOps who have these programs posted for d/l. The Shareware World operates best when everyone works together, so it would be counter-productive to "rat" on anyone who has such a file on their board. Like I said, my intent is to help, not harm. SysOps are strongly encouraged to read this report and remove all files listed within from their boards. I can not and will not take any "enforcement action" on this, but you never know who else may be calling your board. Pirated commercial software posted for d/l can get you into _deeply_ serious trouble with certain authorities. Updates of programs listed in this report need verification. It is unfortunate that anyone who downloads a file must be paranoid about its legitimacy. Call me a crusader, but I'd really like to see the day that this is no longer true. Until then, if you _know_ of a new official version of a program listed here, please help me verify it. On the same token, hacks need to be verified, too. I won't be held responsible for falsely accusing the real thing of being a fraud. So, innocent until proven guilty, but unofficial until verified. Upcoming official releases will not be included or announced in this report. It is this Co-Moderator's personal opinion that the hype surrounding a pending release leads to hacks and Trojans, which is exactly the opposite of what I'm trying to accomplish here. If you know of any other programs that are hacks, bogus, jokes, hoaxes, etc., please let me know. Thanks for helping to keep shareware clean! Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)