Text File | 1987-09-06 | 18KB | 277 lines
A word on TROJANS: I have been hearing more and more reports of these
"worm" programs, from all directions. While I don't doubt their
existence, do not get hysterical. Remember, a Trojan rumor is much
easier to START than it is to STOP. Some people have accused legitimate
*joke* programs, like DRAIN (which pretends to be gurgling excess water
out of your A drive) of being "killers." If a program locks up your
system, it isn't necessarily Trojan; it might not like co-residing with
Superkey, or your graphics card. Ask around a little before you
announce something as Trojan. I would appreciate a bagged specimen of
any real Trojan program that you might have the (un)luck to find.
----------------------------------------------------------------------------
| TROJAN HORSE PROGRAMS: |
----------------------------------------------------------------------------
Name            Category  Notes
--------------  --------  -------------------------------------------------
ANTI-PCB        *TROJAN*  The story behind this trojan horse is sickening.
                          Apparently one RBBS-PC sysop and one PC-BOARD
                          sysop started feuding about which BBS system
                          is better, and in the end the PC-BOARD sysop
                          wrote a trojan and uploaded it to the RBBS
                          SysOp under ANTI-PCB.COM. Of course the RBBS-PC
                          SysOp ran it, and that led to quite a few
                          accusations and a big mess in general. Let's grow
                          up! Every SysOp has the right to run the type of
                          BBS that they please, and the fact that a SysOp
                          actually wrote a trojan intended for another
                          simply blows my mind.
ARC513.EXE      *TROJAN*  This hacked version of arc appears normal, so
                          beware! It will write over track 0 of your
                          [hard] disk upon usage, destroying the disk.
ARC514.COM      *TROJAN*  This is totally similar to arc version 5.13 in that
                          it will overwrite track 0 (FAT Table) of your hard
                          disk. Also, I have yet to see an .EXE version
                          of this program..
BACKTALK        *TROJAN*  This program used to be a good PD utility,
                          but someone changed it to be trojan.
                          Now this program will write/destroy sectors
                          on your [hard] disk drive. Use this with caution
                          if you acquire it, because it's more than likely
                          that you got a bad copy.
CDIR.COM        *TROJAN*  This program is supposed to give you a color
                          directory of files on disk, but it in fact
                          will scramble your disk's FAT table.
DANCERS.BAS     *TROJAN*  This trojan shows some animated dancers in color,
                          and then proceeds to wipe out your [hard] disk's
                          FAT table. There is another perfectly good copy
                          of DANCERS.BAS on BBS's around the country;
                          apparently the idiot author in question altered
                          a legitimate program to do his dirty work.
DISKSCAN.EXE    *TROJAN*  This was a PC-MAGAZINE program to scan a (hard) disk
                          for bad sectors, but then a joker edited it to
                          WRITE bad sectors. Also look for this under other
                          names such as SCANBAD.EXE and BADDISK.EXE...
DMASTER         *TROJAN*  This is yet another FAT scrambler..
DOSKNOWS.EXE    *TROJAN*  I'm still tracking this one down -- apparently
                          someone wrote a FAT killer and renamed it
                          DOSKNOWS.EXE, so it would be confused with the
                          real, harmless DOSKNOWS system-status utility.
                          All I know for sure is that the REAL DOSKNOWS.EXE
                          is 5376 bytes long. If you see something called
                          DOSKNOWS that isn't close to that size, sound the
                          alarm. More info on this one is welcomed -- a
                          bagged specimen especially.
DPROTECT        *TROJAN*  Apparently someone tampered with the original,
                          legitimate version of DPROTECT and turned
                          it into a FAT table eater.
DROID.EXE       *TROJAN*  This trojan appears under the guise of a game.
                          You are supposedly an architect that controls
                          futuristic droids in search of relics. In fact,
                          PC-Board sysops, if they run this program from
                          C:\PCBOARD, will find that it copies
                          C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX.
                          In case you were wondering, the file size of the
                          .EXE file is 54,272 bytes.
EGABTR          *TROJAN*  BEWARE! Description says something like
                          "improve your EGA display," but when run it
                          deletes everything in sight and prints "Arf! Arf!
                          Got you!"
EMMCACHE        *CAREFUL* This program is not exactly a trojan, but it
V. 1.0                    may have the capability of destroying hard disks
                          by:
                             A) Scrambling every file modified after running
                                the program,
                             B) Destroying boot sectors.
                          This program has damaged at least two hard disks,
                          yet there is a base of happily registered users.
                          Therefore, I advise extreme caution if you decide
                          to use this program.
FILER.EXE       *TROJAN*  One SysOp complained a while ago that this program
                          wiped out his 20 Megabyte HD. I'm not so
                          sure that he was correct and/or telling the
                          truth any more. I have personally tested an
                          excellent file manager also named FILER.EXE, and
                          it worked perfectly. Also, many other SysOps
                          have written to tell me that they have, like me,
                          used a FILER.EXE with no problems. If you get a
                          program named FILER.EXE, it is probably all right,
                          but better to test it first using some security
                          measures.
FINANCE4.ARC    *TROJAN*  This program is not a verified trojan;
                          there is simply a file going around BBS's
                          warning that it may be trojan. In any case,
                          exercise extreme care with it.
FUTURE.BAS      *TROJAN*  This "program" starts out with a very nice color
                          picture (of what I don't know) and then proceeds
                          to tell you that you should be using your computer
                          for better things than games and graphics.
                          After making that point it trashes your A: drive,
                          B:, C:, D:, and so on until it has erased all
                          drives. It does not go after the FAT alone,
                          but it also erases all of your data. As far as I
                          know, however, it erases only one sub-directory
                          tree level deep, thus hard disk users should only
                          be seriously affected if they are in the "root"
                          directory. I'm not sure about this one either,
                          though.
MAP             *TROJAN*  This is another trojan horse written by the infamous
NOTROJ.COM      *TROJAN*  This "program" is the most sophisticated trojan
                          horse that I've seen to date. All outward
                          appearances indicate that the program is a useful
                          utility used to FIGHT other trojan horses.
                          Actually, it is a time bomb that erases any hard
                          disk FAT table that IT can find, and at the same
                          time it warns: "another program is attempting a
                          format, can't abort!" After erasing the FAT(s),
                          NOTROJ then proceeds to start a low level format.
                          One extra thing to note: NOTROJ only damages FULL
                          hard drives; if a hard disk is under 50% filled,
                          this program won't touch it!
                          If you are interested in reading a thorough report
                          on NOTROJ.COM, James H. Coombes has written an
                          excellent text file on the matter named NOTROJ.TXT.
                          If you have trouble finding it, you can get it from
                          my board.
TIRED           *TROJAN*  Another scramble-the-FAT trojan by Dorn W.
                          Stickle.
TSRMAP          *TROJAN*  This program does what it's supposed to do:
                          give a map outlining the location (in RAM) of
                          all TSR programs, but it also erases the boot
                          sector of drive "C:".
PACKDIR         *TROJAN*  This utility is supposed to "pack" (sort and
                          optimize) the files on a [hard] disk, but
                          apparently it scrambles FAT tables.
PCW271xx.ARC    *TROJAN*  A modified version of the popular PC-WRITE word
                          processor (v. 2.71) has now scrambled at least 10
                          FAT tables that I know of. If you want to
                          download version 2.71 of PC-WRITE be very
                          careful! The bogus version can be identified by
                          its size; it uses 98,274 bytes whereas the good
                          version uses 98,644. For reference, version 2.7
                          of PC-WRITE occupies 98,242 bytes.
QUIKRBBS.COM    *TROJAN*  This Trojan horse advertises that it will
                          load RBBS-PC's message file into memory
                          2 times faster than normal. What it really
                          does is copy RBBS-PC.DEF into an ASCII file
                          named HISCORES.DAT...
QUIKREF         *TROJAN*  This ARChive contains ARC513.COM.
RCKVIDEO        *TROJAN*  This is another trojan that does what it's supposed
                          to do, then wipes out hard disks. After showing
                          some simple animation of a rock star ("Madonna," I
                          think), the program will go to work on erasing
                          every file it can lay its hands on. After
                          about a minute of this, it will create 3 ASCII
                          files that say "You are stupid to download a video
                          about rock stars," or something of the like.
SECRET.BAS      *TROJAN*  BEWARE!! This may be posted with a note saying
                          it doesn't seem to work, and would someone please
                          try it; when you do, it formats your disks.
SIDEWAYS.COM    *TROJAN*  Be careful with this trojan; there is a perfectly
                          legitimate version of SIDEWAYS.EXE circulating. Both
                          the trojan and the good SIDEWAYS advertise that they
                          can print sideways, but SIDEWAYS.COM will trash a
                          [hard] disk's boot sector instead. The trojan
                          .COM file is about 3 KB, whereas the legitimate
                          .EXE file is about 30 KB large.
STAR.EXE        *TROJAN*  Beware RBBS-PC SysOps! This file puts some
                          stars on the screen while copying RBBS-PC.DEF
                          to another name that can be downloaded later!
STRIPES.EXE     *TROJAN*  Similar to STAR.EXE, this one draws an American
                          flag (nice touch), while it's busy copying
                          your RBBS-PC.DEF to another file (STRIPES.BQS) so
                          Bozo can log in later, download STRIPES.BQS, and
                          steal all your passwords. Nice, huh!
TOPDOS          *TROJAN*  This is a simple high level [hard] disk formatter.
VDIR.COM        *TROJAN*  This is a disk killer that Jerry Pournelle wrote
                          about in BYTE Magazine. I have never seen it,
                          although a responsible friend of mine has.
----------------------------------------------------------------------------
| If you run a trojan horse.. |
----------------------------------------------------------------------------
While reading this, bear in mind that there is no better remedy for a drive
that has run a trojan horse than a recent backup..
The first thing to do after running what you think to be a trojan horse is
diagnose the damage. Was your [hard] drive formatted? Did the trojan
scramble your FAT table? Did every file get erased? Did your boot
sector on the [hard] drive get erased/formatted? Odds are that the
trojan caused one of these four disasters.. After the initial
diagnosis, you are ready to remedy the problem.
1) If the trojan low-level formatted your [hard] disk:
   Hope that you have a recent backup; that's the only remedy for
   this disease.
2) If the trojan high-level formatted your [hard] disk:
   There is only one way out of this mess, and that is to use the
   MACE+ utilities by Paul Mace. MACE+ has two devices in it to
   recover formatted disks, and believe me, they work! I will talk
   more about the MACE+ utilities later.
3) If the trojan scrambled your FAT table:
   Once again, there is nothing to do. However, there is a program
   called FATBACK.COM (available on my board) that will back up your
   FAT table in under a minute to floppy. Using FATBACK, it is easy
   and not time-consuming to back up your FAT regularly.
4) If the trojan erased file(s), and the FAT table is undamaged:
   There are many packages to undelete deleted files. Norton
   Utilities, PC-tools, MACE+, and UNDEL.COM will all do the job.
   I recommend the first three, but they are more expensive than
   the Public Domain program UNDEL.COM. When you are undeleting,
   be sure to undelete files in the order of last time written to
   disk. I know that PC-tools automatically lists undeletable
   files in the correct order, but the other three may not.
5) If the boot sector on your [hard] disk gets erased/formatted:
   There are four things to do if this happens, and the worst that
   can happen is that you will go without a [hard] disk for a while.
   To be on the safest side, back up everything before even proceeding
   to step "A," although I cannot see why it would be necessary.
   A) Try doing a "SYS C:" (or "SYS A:") from your original DOS disk,
      and copy COMMAND.COM back onto the [hard] drive after that.
      Try booting and if that doesn't work try step B.
   B) If you have the MACE+ utilities go to the "other utilities"
      section and "restore boot sector." This should do the job
      if you have been using MACE+ correctly.
   C) If you are still stuck, BACK EVERYTHING UP and proceed to do a
      low level format. Instructions on how to perform a low-level
      format should come with your [hard] disk controller card.
      Be sure to map out bad sectors using either SCAV.COM by Chris
      Dunford or by manually entering the locations of bad sectors
      into the low level format program. After the low level format,
      if you have a hard disk, run FDISK.COM (it comes with DOS)
      and create a DOS partition. Refer to your DOS manual for help
      in using FDISK. Then put your original DOS diskette in drive A:
      and do a FORMAT <drive letter>:/S/V. Drive letter can stand for
      "C" or "B" depending on whether you are reformatting a hard disk
      or not. Finally you are ready to attempt a reboot.
   D) If you are still stuck, either employ some professional computer
      repairmen to fix your drive, or live with a non-bootable [hard]
      drive..
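The idea behind a FAT backup like the one recommended in item 3, as an added example (not FATBACK.COM's code and not part of the original file): it reads the boot sector's BIOS Parameter Block of a FAT12/FAT16 disk image to locate the FAT, saves boot sector plus FAT, reports which areas later differ from the backup, and writes them back. All function names and the 360 KB floppy image are constructed for illustration.

```python
import struct

def parse_bpb(sector0: bytes) -> dict:
    """Pull the fields that locate the FATs out of a DOS boot sector (BPB)."""
    bps, _spc, reserved, nfats = struct.unpack_from("<HBHB", sector0, 11)
    (spf,) = struct.unpack_from("<H", sector0, 22)
    if bps not in (512, 1024, 2048, 4096) or not (reserved and nfats and spf):
        raise ValueError("boot sector is damaged or not FAT12/FAT16")
    return {"bps": bps, "fat_start": reserved * bps, "fat_len": spf * bps, "nfats": nfats}

def fat_copies(image: bytes, g: dict) -> list:
    """Return every on-disk copy of the FAT as a bytes object."""
    s, n = g["fat_start"], g["fat_len"]
    return [image[s + i * n: s + (i + 1) * n] for i in range(g["nfats"])]

def backup(image: bytes) -> bytes:
    """Backup blob = boot sector followed by the first FAT copy."""
    g = parse_bpb(image)
    return image[:g["bps"]] + fat_copies(image, g)[0]

def changed_areas(image: bytes, saved: bytes) -> list:
    """List areas that differ from the backup. Geometry is read from the
    backup, because the live boot sector may be the thing that was erased."""
    g = parse_bpb(saved)
    out = [] if image[:g["bps"]] == saved[:g["bps"]] else ["boot sector"]
    for i, fat in enumerate(fat_copies(image, g), 1):
        if fat != saved[g["bps"]:]:
            out.append(f"FAT copy {i}")
    return out

def restore(image: bytes, saved: bytes) -> bytes:
    """Write the saved boot sector and FAT back over every FAT copy."""
    g = parse_bpb(saved)
    img, fat = bytearray(image), saved[g["bps"]:]
    img[:g["bps"]] = saved[:g["bps"]]
    for i in range(g["nfats"]):
        s = g["fat_start"] + i * g["fat_len"]
        img[s:s + g["fat_len"]] = fat
    return bytes(img)

def make_image() -> bytes:
    """Constructed 360 KB FAT12 floppy image: 512-byte sectors, 2 FATs x 2 sectors."""
    boot = bytearray(512)
    boot[0:3], boot[510:512] = b"\xEB\x3C\x90", b"\x55\xAA"
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    fat = bytearray(1024)
    fat[0:6] = b"\xFD\xFF\xFF\x03\xF0\xFF"   # media bytes + one 2-cluster file chain
    return bytes(boot + fat + fat + bytes(720 * 512 - 512 - 2048))
```

A FAT changes whenever files are written, so a reported difference indicates damage only if the backup was taken after the last write; restoring a stale FAT loses track of files written since.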
By now you may be saying to yourself:
"How can I get a hold of a 'MACE+' utilities package so that I can guard
against trojans? Why, MACE+ can recover a formatted drive, undelete
files, restore boot sectors, optimize a disk, and provide a disk cache!"
Anyone can obtain these marvelous utilities in one of two ways: one is to
call up the Paul Mace Software Company (tm) and order them at a retail
price of $79.95. The other is to place an order for them at the WEST LOS
ANGELES PC-STORE, which supports next day UPS shipping! The BBS phone #
for the PC-STORE is at the end of this document.