=========================================================================
From the files of The Hack Squad:
by Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE

The Hack Report
Volume 2, Number 2 for February, 1993
Report Date: February 7, 1993
=========================================================================

Welcome to the second 1993 issue of The Hack Report. This is a series of
reports that aim to help all users of files found on BBSs avoid
fraudulent programs, and is presented as a free public service by the
FidoNet International Shareware Echo and the author of the report, Lee
Jackson (FidoNet 1:382/95).

This month, your Hack Squad receives input on a long-standing question
from an unexpected source: IBM. Also, the Trojan writers seem to have put
in some serious overtime. Thanks to everyone who has helped put this
report together, and to those that have sent in comments and suggestions.

NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
your BBS, subject to these conditions:

   1) the latest version is used,
   2) it is posted in its entirety, and
   3) it is not altered in any way.

NOTE TO OTHER READERS: The Hack Report (file version) may be freely
uploaded to any BBS, subject to the above conditions, and only if you do
not change the filename. You may convert the archive type as you wish,
but please leave the filename in its original HACK????.* format. The
Hack Report may also be cross-posted in other networks (with the
permission of the other network) as long as it meets the above conditions
and you give appropriate credit to the FidoNet International Shareware
Echo (and the author).

The idea is to make this information available freely. However, please
don't cut out the disclaimers and other information if you use it, or
confuse the issue by spreading the file under different names. Thanks!

DISCLAIMER: The listings of Official Versions are not a guarantee of the
files' safety or fitness for use.
Someone out there might just be sick-minded enough to upload a Trojan
with an "official" file name, so scan everything you download

  Telix Pro
       Reported By: Jason Engebretson (1:114/36), in the FidoNet TELIX
       echo

| Wolfenstein-3D      WOLF2-1      #1WOLF14
|                     WOLF2-2
|      Reported By: Wen-Chung Wu (1:102/342)

| * - According to the author of F-Prot, Fridrik Skulasson, version 2.06A
|     is the latest version released to BBS distribution by him. However,
|     he has written "personalized" versions, numbered 2.06B, 2.06C, and
|     2.06D, for individual clients. These versions were not intended for
|     general release, but may have entered distribution.

=========================================================================

Hoax Alert:

| In response to my question about version 2.0 of Scorched Earth, Brian
| Dhatt (1:3648/2.5) responded that he has seen a file called SCORCHV2
| which was described as being v2.0 of this program. However, when he
| downloaded it and ran it, it turned out that he had apparently received
| the program and doc files for v1.2. The program even identified itself
| as v1.2, leading Brian and myself to believe that someone simply renamed
| the archive and uploaded it in an attempt to help out their file ratio.
| A simple hoax, but awfully irritating if you happen to be on the
| receiving end (and you only have a 2400bps modem).

Other previously reported hoaxes:

Filename      Claimed use/Actual activity/Reporter(s)
============  ==========================================================
PKZ305        Hacked "new version" of PKZip. However, a message in wide
              circulation claimed this was infected with a virus called
              PROTO-T. This message is the actual hoax: there may be one
              or more PROTO-T viruses around now, but none do what was
              claimed in the hoax message. This hack, PKZ305, was not
              infected with any virus, nor did it contain Trojan code,
              per testing by Bill Logan (1:300/22), Jeff White
              (1:300/23), and Bill Lambdin (1:343/45).
RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
              from Continental Software. Actually does nothing but read
              your USERS.BBS file and report the number of users. The
              program is _not_ from Continental Software, according to
              Andrew Milner. Reported by Kai Sundren (2:201/150), via HW
              Mikael Winterkvist.

=========================================================================

The Trojan Wars

Readers of The Hack Updates, published as a series of messages in several
networks and echos, will remember that I managed to place a rather large
foot into my mouth by publishing a typo concerning the first release of
the new PKZip. I had inadvertently listed it as v2.03c, while the real
release was in fact v2.04c.

Before you decide to send NetMail to correct what you have just read,
please be aware that your Hack Squad is aware that the current latest
version of PKZip/PKUnzip is v2.04E, being circulated under the filename
PKZ204E.EXE.

Why is this being explained in this section of The Hack Report? Well, it
would seem that during the time period between the release of 2.04c and
2.04e, someone else managed to stick their foot in their own mouth by
releasing a possible Trojan that claimed to "fix" some of the bugs in
version 2.04c. For all the dirty details, read on.

| In the time period mentioned above, three files appeared that claimed to
| correct problems with the -$ (store disk volume) option of PKZip v2.04c.
| Your Hack Squad found one copy of this file, PKZIPFIX, Chad Wagner
| found another, named PKZFX24C, and Scott Jibben (1:282/115) found both
| PKZFX24C and PKZFX24D.
|
| I sent my copy to Jeff White and Bill Logan, veterans of several previous
| tests for The Hack Report. Here is their report:
|
| ====== Begin Report ======
|
| Results of test on: PKZIPFIX.ZIP
|
| File description: Fix for volume bug in PKZIP v2.04c
|
| Synopsis:
|
| When the latest release of PKZ from PKWare came out, there was a bug
| with the volume label being added to the archive.
| This program was designed (?) to fix that bug.
|
| It does indeed fix the bug, but remains a hacked copy of a copyrighted
| piece of software and therefore is suspicious.
|
| First of all, the author managed to crack PKWare's Commercial PKLite
| compression, which shouldn't be able to be expanded. When the author
| hacked PKZ204C, he re-PKLited the fix, but with the standard version of
| PKLite, which allows it to be expanded.
|
| Also, there is questionable code contained in this "fix". Most notably,
| the words "Erasing contents of drive, completed" appear towards the end
| of the program. Every command line switch I could think of that might
| prompt this response did not bring these words up. It is possible it
| is waiting for some time or criteria to activate, or it could be
| associated with an option I am not familiar with. PKZ 193 and 204c are
| non-expandable, and therefore couldn't be checked for this text, but
| PKZ 110 was checked and it did NOT contain this text.
|
| Integrity Master was used to ensure that nothing on the drive was
| changed that shouldn't have been. McAfee's ViruScan was used to ensure
| that PKZIPFIX was not a dropper for an existing virus.
| ======================================================================
| File information:
|
| File Name: pkzipfix.zip
|      Size: 40,912
|      Date: 12-28-1992
| File Authentication:
|      Check Method 1 - 082F
|      Check Method 2 - 059C
| ======================================================================
| File contents:
|
| Length  Method   Size   Ratio  Date      Time   CRC-32    Attr  Name
| ======  ======   =====  =====  ====      ====   ========  ====  ====
|  41935  DeflatX  40796    3%   12-28-92  02:04  7dc49363  --w-  PKZIP.EXE
| ======           ======  ===                                    =======
|  41935           40796    3%                                          1
| ======================================================================
| PKZIP.EXE check:
|
| CHK4LITE (tm) Check for files compressed by PKLITE Version 1.15
| 7-30-92 Copyright 1990-1992 by PKWARE Inc. All Rights Reserved.
|
| PKZIP.EXE  Compressed with PKLITE (tm) Ver. 1.15
| ======================================================================
| Validation check on PKZIP.EXE **after** unPKLITEing
|
| File Name: pkzip.exe
|      Size: 55,370
|      Date: 12-28-1992
| File Authentication:
|      Check Method 1 - E8B1
|      Check Method 2 - 1224
| ======================================================================
| ViruScan of PKZIP.EXE **after** unPKLITEing
|
| Scanning memory for critical viruses.
|
| Scanning Volume: DRIVE I
| Scanning C:PKZIP.EXE
|
| No viruses found.
| ======================================================================
| Use:
|
| The PKZIP released in PKZ204C.EXE would not properly add a volume label
| when the -$ option was specified.
|
| The version of PKZIP.EXE released in PKZIPFIX.ZIP does indeed fix this
| bug. Example follows.
|
| Attempt to use the -$ option with PKZIP 2.04c:
|
| PKZIP (R) FAST! Create/Update Utility Version 2.04c 12-28-92
| Copr. 1989-1992 PKWARE Inc. All Rights Reserved. Shareware Version
| PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
|
| * XMS version 3.00 detected.
| * Using Normal Compression.
|
| Creating ZIP: PKZTEST2.ZIP
|   Adding: PKZIP.EXE Deflating % (30%), done.
|
| = = =
|
| Attempt to use the -$ option with PKZIP.EXE from PKZIPFIX.ZIP
|
| PKZIP (R) FAST! Create/Update Utility Version 2.04c 12-28-92
| Copr. 1989-1992 PKWARE Inc. All Rights Reserved. Shareware Version
| PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
|
| * XMS version 3.00 detected.
| * Using Normal Compression.
|
| Creating ZIP: PKTEST1.ZIP
|   Adding: PKZIP.EXE Deflating % (30%), done.
|   Adding: DRIVE I Storing ( 0%), done.
| ======================================================================
| Integrity Master v1.41a was reinitialized for drive C: before testing.
| Comparing drive C:'s data (after multiple executions of PKZIP.EXE) to
| the backup information showed no changes or virus activity. McAfee's
| ViruScan confirmed no known virus activity.
| ======================================================================
| Suspicious code:
|
| PKZIP.EXE contains several questionable pieces of code. Although we
| were unable to get PKZIP.EXE to do anything damaging, it is possible
| that, under the right circumstances, PKZIP.EXE could prove to be a
| trojan.
|
| The suspicious code is as follows:
|
| Address: 0000d0e0-0000d110
| Code: x:/ x: *.* / Erasing contents of drive, completed.
|
| The above could be a reference to a temporary drive (although I used a
| temporary drive using the -B command line switch and got no such
| response) or in conjunction with a switch (unbeknownst to myself) that
| might possibly delete files as they are archived. It should be noted
| that PKZIP.EXE as included in PKZ110.EXE contains none of this code.
| Later releases of PKZIP.EXE cannot be checked since they are compressed
| with PKLite and are non-expandable.
| ====== End Report ======
|
| As always, our thanks go out to Bill and Jeff for their invaluable help.

| HW Nemrod Kedem forwards a report from Dviry Segal (2:401/4.1) about a
| program called OPTIBBS. This claims to optimize your RemoteAccess BBS
| system, but in fact is yet another program that is aimed at the RA
| USERS.BBS file. Dviry says it creates a file (on his tests, the filename
| created was PKZ193A.ZIP) which contains the names, phone numbers,
| security levels, and passwords stored in the USERS.BBS list.

| William Gordon (1:369/104) reports BEV105, a file that claims to be a
| "Beverly Hills 90210 Adventure Game." This file contains 8 files, but
| two seem to be the real culprits: DORINFO.DIR and INSTALL.COM. The
| installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
| This program asks for some sort of wildcard according to William, then
| proceeds to delete everything on your drive that matches that wildcard.
| However, it doesn't stop there: it continues on and deletes all .bat,
| .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files. William also
| says the file "comes with the following virii: Bootkill and Genesis." A
| copy of this file has been sent to Bill Logan and Jeff White for
| analysis.

| Andreas Reinicke (2:284/402) posted a warning in the FidoNet VIRUS echo
| about an archive called GRAFIX. This file contains a program called
| WAIT.COM, which Andreas says is a modified version of the program
| DELDIR.COM. He states this program managed to erase one of his users'
| hard drive info.

| Bill Lambdin forwards a report posted in the Virtual Net Anti-Virus
| conference by a user identified as "Khamsin #1 @9168*1". This message
| was also seen by HW Ken Whiton and HW Bill Dennison, forwarded by Ken
| Green of the CentraLink BBS. This report concerned a file called
| DBSOUND, which claims to be an updated version of the Drum Blaster .MOD
| file player. The reporter states this incident of the program deletes
| the current directory and all directories beneath it. Especially
| dangerous if you happen to invoke it from your root directory, I'd say.

| Larry Dingethal (1:273/231) found a message on a local BBS from a user
| named Richard Meyers. This message concerned a file called CHROME,
| described as "the Chrome Lady .fli" animation file. Here's the file
| info:
|
|    GO.BAT           137  09-18-92  04:58p
|    PLAY.EXE       19832  07-10-89  10:08a
|    AAPLAY.EXE     81904  08-15-89  10:03a
|    INVOKE.FLI    675108  12-06-90  07:42p
|    FGDS.COM         812  04-27-92  01:56a
|
| The GO.BAT file apparently has a bug, since it tries to invoke a file
| named FDGS.COM (instead of the FGDS.COM in the archive). This results in
| a "Bad command or file name" error, which is just as well - Richard says
| that a look inside the FGDS.COM file with PC Tools' "VIEW FILE" option
| shows the following text, beginning at address 0096 (and edited for
| television):
|
|    "Skism Rythem Stack Virus-808.
|     Smart kids into sick methods.
|     Don't alter this code into your own strain, f*****. hr/sss
|     NYCity, this is the fifth of many, many more...you sissys."
|
| Richard said that McAfee's ViruScan did not detect an infection, and that
| the latest issue of VSUM by Patricia Hoffman did not list such a virus.

| Todd Clayton (1:259/210) reports a Trojan dubbed the "Malhavoc Trojan."
| The file involved, called AANSI100, claims to be an Auto-ANSI detector
| for Telegard v2.5q+. When invoked, the program displays a verse of a
| song by a Toronto band called Malhavoc (hence the name), and then does an
| absolute disk write on drives C: through F:. Finally, it displays the
| message, "Ha! You've been hit!".
|
| George Goode (1:229/15) has also seen a file called AANSI100, which may
| or may not be the same Trojan. He says the documentation says the
| program adds ANSI auto detection to a Telegard 2.7 BBS, and should be
| inserted in your mailer batch file.
|
| This version has similar symptoms, notably what George calls "some cruddy
| poetry." He says the only real symptom, though, is seen when FrontDoor
| v2.01 is loaded by your AUTOEXEC.BAT file. He says your system will go
| into a continuous reboot cycle, which can be stopped only by breaking out
| of your batch file before FrontDoor loads. When he replaced the FrontDoor
| overlay file with a fresh copy of the original, the problem stopped.
|
| From this information, it is hard to tell if one or two Trojans are
| involved here. In either case, you might want to avoid anything called
| AANSI100.

| Gary Marden (2:258/27) reports a file, QOUTES (yes, that's how it is
| spelled), that claims to be a Christmas quotation generator. The file,
| which Gary says is a "crude trojan written in one of the Borland compiled
| languages," contains quite a few text messages, beginning with "unpacking
| christmas qoutes" (sic) and ending with "Ho, Ho, Ho! Merry Christmas!
| Hope you get a new HD in your stocking!".
| A C> prompt displays, and when
| you press a key, you get a message that says, "See you next Noel, Fool!",
| as well as a cold boot.
|
| By the time you see this, the damage has been done. The program
| overwrites the first 128 cylinders of your first physical HD, trashing
| the MBR/boot sector, partition tables, FAT, and root directory. FDISK
| will skip these 128 cylinders if you try to repartition the drive, as
| will FORMAT. A low level format is required for complete recovery. Gary
| surmises that if an IDE drive is hit by this, it may need to be sent back
| to the manufacturer for a low level format.
|
| Here is the archive information:
|
| Archive date : 1992-12-21 18:23:30
| Pathname/Comment
| Rev Host OS    Original Compressed Ratio DateTime modified CRC-32
| ------------ -------- ---------- ----- ----------------- --------
| QOUTES.EXE
|   4 MS-DOS         4512       4512 1.000 92-12-21 18:01:08 26AADA9D
| QOUTES.DAT
|   4 MS-DOS        14492      14492 1.000 92-12-21 18:22:28 21FAA40B
| READ.ME
|   4 MS-DOS          534        534 1.000 92-12-21 18:17:08 702CCA29
| ------------ -------- ---------- -----
|      3 files      19538      19538 1.000
|
| This is definitely a file to avoid.

| Bill Lambdin (1:343/45) forwards a report from James Powell in the
| Intelec PC-Security conference about an archive named BATMAN. It
| contains a single file called BATMAN.EXE, about 30k, which will search
| your DOS PATH and "delete the executable file that loads WildCat BBSs."

| Another report from Bill Lambdin comes from a user on 1:343/45, Reinhardt
| Mueller, concerning a dropper/Trojan called AVENGER. When the file is
| uploaded with a description, it usually claims to be an "amazing game
| that supports all kinds of sound cards, and has everything you can
| imagine in a game."
|
| Reinhardt states that most upload checker/scanners will miss the embedded
| viruses, since they are contained in two internal passworded .ZIP format
| archives named AVENGER2.DAT and AVENGER3.DAT.
| He says that these can be
| unzipped using the following command line after you open the main
| archive:
|
|    pkunzip -sGotcha! AVENGER?.DAT
|
| This will unzip two files, RUNTIME1.COM and RUNTIME2.COM. The first file
| contains the N1 virus, while the second contains the Anthrax virus.

| Mark Histed (1:268/332) has located a file called XYPHR2 that, at first
| look, appears to have an instance of our old friend, the Power Pump
| virus. Mark posted the filenames and data in the FidoNet VIRUS_INFO
| echo:
|
| Searching ZIP: XYPHR2.ZIP
|
|  Length  Method    Size  Ratio  Date      Time   CRC-32    Name
|  ======  ======   =====  =====  ====      ====   ========  ====
|   28126  Implode   8757   69%   02-24-92  14:06  f664a51f  LEVEL1.DAT
|   31795  Implode  11429   65%   02-24-92  14:08  806c0efc  LEVEL2.DAT
|   45036  Implode  15204   67%   02-24-92  01:03  d6d9547a  MAIN.DAT
|    6990  Implode   2454   65%   02-24-92  14:07  f774d292  REG.DAT
|   13109  Implode   1714   87%   02-24-92  14:06  e2c7a0b9  TITLE.DAT
|   22534  Stored   22534    0%   02-24-92  23:22  b367e528  XYPHR2.EXE
|    1181  Implode    471   61%   02-24-92  17:53  f81be401  AUTOEXEC.CMT
|   17354  Implode  14682   16%   02-24-92  21:04  02eac55c  POWER.EXE
|    1199  Implode   1109    8%   02-24-92  21:00  f61885bd  XYPHR2.COM
|     848  Implode    443   48%   02-24-92  21:41  43d9bfd0  REGISTER.DOC
|    6027  Implode   3125   49%   02-24-92  21:22  3d42937f  XYPHR2.DOC
|  ======          ======   ===                              =======
|  174199           81922   53%                                   11
|
| Mark says that XYPHR2.COM is a compiled batch file that spawns the
| POWER.EXE file. He says that this results in a "NUL POINTER ASSIGNMENT"
| error message, and passing of control back to command.com.
|
| Bill Lambdin received a copy of this file and confirmed that it does
| contain the Power Pump virus. For first time readers, Power Pump is a
| "companion" infector, in that it seeks out .EXE files and creates hidden
| .COM files with the same base filename. If you try to run an affected
| program by just typing the filename (no extension), the .COM file will
| run before the .EXE, due to the way DOS processes the command line.
| Fortunately, Bill reports that the virus is a very poor replicator - he
| only managed to produce 2 infections out of 14 tries.

| Art Mason (1:229/15) reports that a file called QSCAN20, posing as a
| small virus scanner, is actually a Trojan that "identifies itself as
| being a stealth bomber and proceeds to destroy your FAT." He posts the
| following file information:
|
|    Q.chk         281 bytes
|    qscan.com     777 bytes
|    qscan.txt    3287 bytes
|    qx.cld        118 bytes
|    Dates on the files are 10-22-92
|
| All of the text messages displayed by the program are visible by viewing
| the QSCAN.COM file.

| Zack Jones (1:387/641) reports a file called GAGS which was seen in the
| San Antonio area. The file, described as "Some Christmas practical
| jokes," was analyzed by Bill Dirks (1:385/17) and confirmed as a Trojan.
| The program grabs control of several interrupt vectors, including the
| critical error handler. The only way to stop it once it starts is to hit
| the reset button or power down.
|
| When invoked, it displays a countdown from 8 to 0, which corresponds to
| drives H through A, in that order. For each found drive, it overwrites
| the first 255 sectors with random data from a block of memory. To add
| insult to injury, if drives B and A are empty, you are prompted to insert
| disks (so that they can be trashed as well).
|
| After this, the Trojan displays the message, including something like,
| "the disk was trashed but it's only a joke and they are only kidding."
| It then prompts you to reboot, which is rather hard to do unless you have
| a bootable "panic disk" floppy on hand - you certainly won't be able to
| boot from your HD.
|
| Bill says that if your HD is smaller than 60 megs, you're better off
| trying to recover your disk from scratch. Between 60-120 megs, you have
| a better chance of recovery via disk utilities: over 120 megs, you
| should be able to accomplish a complete recovery if you're careful and
| you know what you're doing.
|
| Bill posted the following scan string that can be used to detect this
| Trojan - if your scanner can use external strings, be sure to read the
| instructions carefully before trying to add this:
|
|    9A46027205B003B9FF00BA0000CD26
|
| If your scanner requires a name for the string, Bill suggests using
| "AlamoXmasTrojan."

| John Miezitis (Internet, John.Miezitis@cc.utas.edu.au) reported in the
| Internet comp.virus newsgroup that a file named YPCBR101, found on
| Simtel-20 and the oak mirror on archie.au, contained the 1800 variant of
| the Dark Avenger virus in the executable file YAPCBR.EXE. F-Prot v2.06a
| was able to remove the infection.
|
| I since received information from John that the original program, which
| he says will be re-released as a clean archive, is a "cheap alternative
| to hardware bridges." He says it works with two ethernet cards (any card
| supported by the crynwr packet drivers) and a 286 or better machine to
| "turn it into a bridge."
|
| John did not know what the archive name of the re-release will be. So,
| if you need this file, go ahead and grab a copy, but check it out with an
| anti-viral utility first to make sure your copy is clean.

| Peter Janssens (2:512/1) reports yet another pair of Trojans aimed at
| RemoteAccess BBS systems. These do no physical damage, but they are
| dangerous enough in what they do.
|
| The Trojans, named RAMANAGE and RA111TO2, claim to be different from each
| other: the first claims to be a USERS.BBS file manager, while the second
| claims to upgrade RemoteAccess v1.11 to v2.0 (which doesn't exist, FYI).
| Both have the same effect, though - they pack your USERS.BBS file into an
| archive, named either MIX1.ARJ or WISE.ARJ, and move the archive into a
| download directory.
|
| Peter Hoek (2:281/506.15) reports that he has found a similar situation -
| his USERS.BBS file was placed in his GAMES directory under the name
| RUNNING.ARJ.
| He did not say what program (or if any program) created
| this archive.
|
| This could cause a serious security problem for RA SysOps, as you can
| guess. If you run a RemoteAccess system, it would be a good idea to
| check your download directories for files that you don't recognize, then
| take a good look at them. Even if you've never seen one of these Trojans
| before - just in case.

| Clayton Mattatall (1:247/400) reports in the FidoNet VIRUS_INFO echo that
| a file named SBBSFIX is a Trojan that attempts to format drive C:. He
| says it contains two files, SBBSFIX.EXE and COM_P.OVL, and was written in
| C++. It also asks for a $10 fee. At first glance, I wouldn't send it.

| This Trojan report comes from an article in MacWeek magazine, Volume 7,
| Number 2, issued January 11, 1993. The article, posted in the FidoNet
| VIRUS_INFO echo by Robert Cummings, states that a program called CPro
| 1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
| shareware compression utility), will reformat any floppy in drive 1 and
| tries to reformat the user's start-up hard drive when launched.
|
| The file can be identified by a 312K sound resource file called "log
| jingle," which is digitized sound from the Ren and Stimpy cartoons.

| Mike Wenthold (1:271/47) found a program under the filename GS2000 which
| contained the VCL 3 [Con] Virus. I am attempting to get further details
| on what this file is, but until then, here is the archive data that Mike
| sent:
|
|  Length    Method    Size      CF    Date       Time    CRC       Filename
|  ========  ========  ========  ====  =========  ======  ========  ============
|      1984                1304   34%  22-Dec-91  01:40p  3527B16B  GS2000.COM
|       543                 363   33%  22-Dec-91  01:58p  DB83A2C0  GSUNP.DOC
|  ========  ========  ========  ====  =========  ======  ========  ============
|      2527                1667   34%                               2 files.
|
| The compression method (on this ZIP archive) was not included in his
| data.
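
Added example, not part of the original report: an upload checker in Python that applies the scan string Bill Dirks posted for GAGS and also covers the AVENGER case above, where the viruses sat inside password-protected ZIP archives named .DAT. The function names, the depth and size limits and the sample upload are assumptions constructed for illustration; the sample contains only inert bytes.

```python
import io
import zipfile

# External scan strings in the form the report gives them: name -> hex digits.
SCAN_STRINGS = {"AlamoXmasTrojan": "9A46027205B003B9FF00BA0000CD26"}
MAX_DEPTH = 4                   # assumed limit on archives inside archives
MAX_MEMBER = 16 * 1024 * 1024   # assumed cap on bytes unpacked per member


def match_strings(data, strings=SCAN_STRINGS):
    """Return the names of the scan strings that occur anywhere in data."""
    return [name for name, hexstr in strings.items()
            if bytes.fromhex(hexstr) in data]


def check_upload(name, data, depth=0):
    """Inspect one file and everything packed inside it.

    Returns (path, finding) tuples. An empty list means nothing was
    flagged, not that the file is safe.
    """
    findings = [(name, "scan string " + hit) for hit in match_strings(data)]
    # Decide by content, not extension: AVENGER2.DAT was a ZIP archive.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "nested too deeply, not inspected")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [(name, "damaged archive, not inspected")]
    with archive:
        for info in archive.infolist():
            path = name + "/" + info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted
                # member. The checker cannot see inside, so it says so.
                findings.append((path, "password-protected, not inspected"))
            elif info.file_size > MAX_MEMBER:
                findings.append((path, "too large, not inspected"))
            else:
                try:
                    member = archive.read(info)
                except Exception as exc:  # e.g. legacy method, bad CRC
                    findings.append((path, "unreadable: %s" % exc))
                    continue
                findings.extend(check_upload(path, member, depth + 1))
    return findings


def make_zip(members, method=zipfile.ZIP_DEFLATED):
    """Build a ZIP archive in memory from a {filename: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, payload in members.items():
            info = zipfile.ZipInfo(filename, date_time=(1993, 2, 7, 0, 0, 0))
            info.compress_type = method
            zf.writestr(info, payload)
    return buf.getvalue()


def build_constructed_upload():
    """Constructed sample: inert bytes arranged like the uploads described."""
    marker = bytes.fromhex(SCAN_STRINGS["AlamoXmasTrojan"])
    tagged = make_zip({"SAMPLE.BIN": b"constructed " * 4 + marker + b" end"})
    # zipfile cannot write encrypted members, so set the "encrypted" flag
    # by hand: offset 6 in the local header, offset 8 in the central one.
    locked = bytearray(make_zip({"RUNTIME1.COM": b"placeholder"},
                                zipfile.ZIP_STORED))
    locked[6] |= 0x1
    locked[locked.find(b"PK\x01\x02") + 8] |= 0x1
    return make_zip({"GAME.EXE": b"constructed, not a real program",
                     "AVENGER2.DAT": bytes(locked),
                     "LEVEL1.DAT": tagged})


if __name__ == "__main__":
    for path, finding in check_upload("UPLOAD.ZIP", build_constructed_upload()):
        print(path, "->", finding)
```

A member the checker cannot open is reported rather than skipped, which is the gap the AVENGER report describes in upload scanners of the time.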
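
Added example, not part of the original report: the DOS lookup order behind the Power Pump companion files described above, generalised to an ordered list of search directories (current directory first, then each PATH entry), so that it also reports a .COM that pre-empts an .EXE from an earlier directory. Function, directory and file names are assumptions constructed for illustration, and a reported pair still needs a human look, since two unrelated programs can share a name.

```python
import os

DOS_EXTENSION_ORDER = (".COM", ".EXE", ".BAT")  # tried in this order per directory
HIDDEN = 0x2  # FILE_ATTRIBUTE_HIDDEN; os.stat() reports it on Windows only


def programs_in(directory):
    """Map upper-cased base name -> {extension: path} for one directory."""
    table = {}
    for entry in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(entry.upper())
        path = os.path.join(directory, entry)
        if ext in DOS_EXTENSION_ORDER and os.path.isfile(path):
            table.setdefault(stem, {})[ext] = path
    return table


def resolve(command, search_dirs):
    """Return the file DOS would run for a name typed without extension."""
    for directory in search_dirs:
        found = programs_in(directory).get(command.upper(), {})
        for ext in DOS_EXTENSION_ORDER:
            if ext in found:
                return found[ext]
    return None


def find_companions(search_dirs):
    """List (exe_path, com_path, hidden) where a .COM pre-empts an .EXE."""
    report = []
    for directory in search_dirs:
        for stem, found in sorted(programs_in(directory).items()):
            if ".EXE" not in found:
                continue
            winner = resolve(stem, search_dirs)
            if winner != found[".EXE"] and winner.upper().endswith(".COM"):
                attrs = getattr(os.stat(winner), "st_file_attributes", 0)
                report.append((found[".EXE"], winner, bool(attrs & HIDDEN)))
    return report


def build_constructed_tree(root):
    """Constructed sample: empty files laid out as a companion infector would."""
    games = os.path.join(root, "GAMES")
    utils = os.path.join(root, "UTILS")
    layout = ((games, "DEMO.EXE"), (games, "DEMO.COM"),   # same directory
              (games, "LIST.COM"), (utils, "LIST.EXE"),   # earlier directory wins
              (utils, "EDIT.EXE"))                        # not shadowed
    for directory, filename in layout:
        os.makedirs(directory, exist_ok=True)
        open(os.path.join(directory, filename), "wb").close()
    return [games, utils]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        for exe, com, hidden in find_companions(build_constructed_tree(root)):
            print(exe, "is pre-empted by", com, "(hidden)" if hidden else "")
```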

Frans Hagelaars (2:512/2) posted a message in several echos last month
concerning a Trojan version of the Blue Wave Offline Mail Reader that had
been circulating in his area. According to the warning, the "hacked"
version attacks your hard drive boot sector and partition table, and will
then "play tricks" with RemoteAccess userlists and phone numbers.

The filename of this version was not given in the report, nor was it made
clear whether the BBS door or the Reader was involved. If you have any
questions about the security of your copy, remember that you can always
obtain a safe copy from the BBS of the author, George Hatchew, at FidoNet
address 1:2240/176, phone number 1-313-743-8464, or from any of the
official distribution sites (which I believe are listed in the
documentation for the program).

Filename   Claimed use/Actual activity/Reporter(s)
=========  ==============================================================
ANSISCR    VGA BBS ad - contains a self-extracting archive of the Yankee
           Doodle and AntiChrist viruses. Can trash hard drives as well
           through Trojan behaviour. Reported by Bill Dirks (1:385/17),
           and under the filename RUNME by Stephen Furness (1:163/273).
LOGIM613   Possible isolated incident - one internal file, MOUSE.COM,
           reports as being infected with the VCL virus when checked with
           McAfee's ViruScan v95. Reported by Mike Wenthold (1:271/47).
MUVBACK    Claimed keyboard utility - actual ANSI bomb that remaps the D
           key of your keyboard to invoke DEBUG and create a couple of
           Trojans from script files. Reported by Bill Dirks.
RAFIX      "Fixes little bugs" in RemoteAccess - program contains the
           string "COMMAND /C FORMAT C:" internally. Reported by Sylvain
           Simard (1:242/158).
REAPER     ANSI bomb - remaps the keyboard to force file deletion and hard
           disk formatting - also generates insults. Reported by Victor
           Padron (1:3609/14), via Rich Veraa (1:135/907).
REDFOX     Batch file which deletes all DOS and system files. Reported by
           Mike Wenthold.
ROLEX      Possible isolated incident of an infection by the Keypress
           [Key] virus. Reported by David Gibbs, via Michael Toth
           (1:115/220).
SPEED      Claims to "check your PC speed" - actually deletes all files on
           drive C:, including directories. Reported by HW Nemrod Kedem.

=========================================================================

Pirated Commercial Software

  Program                  Archive Name(s)  Reported By
  =======                  ===============  ===========
| 3-D Pool                 3DPOOL           Michael Gibbs (via Bill
|                                           Lambdin)
| Atomix (game)            ATOMIX_          HW Matt Kracht
  Battle Chess             CHESS            Ron Mahan (1:123/61)
| Check-It PC              CHECKIT          HW Bert Bredewoud
|  Diagnostic Software     CHKIT20          Bill Lambdin (1:343/45)
  Commander Keen           _1KEEN5          Scott Wunsch (1:140/23.1701)
   (part 5)
  Darkside (game)          DARKSIDE         Ralph Busch (1:153/9)
| Energizer Bunny Screen   ENERGIZR         Kurt Jacobson, PC Dynamics,
|  Saver for Windows                        Inc., via HW Bill Dennison
  F-Prot Professional      FP206SF          Mikko Hypponen
                                            (mikko.hypponen@compart.fi)
| Killing Cloud (game)     CLOUD            Mike Wenthold
| MegaMan (game)           MEGAMAN          Emanuel Levy (1:266/63)
  Over the Net             OTNINC1          Tim Sitzler (1:206/2708)
   (volleyball game)
| PKZip v2.04c             PK204REG         Scott Raymond (1:278/624)
|  (Registered)
| PKZip v2.04c             PKZCFG           Mark Mistretta (1:102/1314)
|  Configuration Editor
| PKZip v2.04e             PK204ERG         Scott Raymond
|  (Registered)
| PrintShop                PSHOP            Michael Gibbs, Intelec, via
|                                           Bill Lambdin (1:343/45)
  Psion Chess              3D-CHESS         Matt Farrenkopf (1:105/376)
| QModem v6.0              QM60IST1         Francois Thunus (2:270/25)
|                          QM60IST2
| QModem Pro               QMPRO-1          Mark Mistretta
|                          QMPRO-2
  Rack 'Em (game)          RACKEM           Ruth Lee (1:106/5352)
| Shadow Warriors (game)   SHADOWG          Mark Mistretta
| Sharky's 3D Pool         POOL             Jason Robertson (1:250/801)
| Shez (Registered)        SHEZ85R          Scott Raymond
  SimCity (by Maxis)       SIMCTYSW         Scott Wunsch
| Streets on a Disk        STREETS          Harvey Woien (1:102/752)
| Teledisk (files          TDISK214         Mark Mistretta
|  dated after Apr. 1991)
| Vegas Casino 2 (game)    VEGAS2           The Hack Squad
| WinWay Resume for
|  Windows                 WINRES           Erez Carmel (CompuServe,
|                                           70523,2574)

=========================================================================

?????Questionable Programs?????

First, a quick note - this section, along with the Information, Please
section, are the only ones that have any information carried over from
the 1992 report. This is because many of the listings in these sections
were not completely resolved when the last 1992 issue was published. As
usual, if anyone has any additional information on anything listed in
these sections, _please_ help!

| Long time readers of this report will remember a question concerning the
| status of a screen saver called TUNNEL. Ove Lorentzon (2:203/403.6) and
| Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
| Steiner) both stated that the program was an internal IBM test program
| and was not intended for outside distribution.
|
| Your Hack Squad has received word from the author of the program, Dan
| Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
| the program has never been released to the general public. According to
| Dan, "it is still owned by IBM, and as such has been given the IBM
| security classification 'IBM Internal Use Only' which means what it says:
| the program is not for distribution to non-IBM employees."
|
| Dan also says that several other "Internal Use Only" programs have been
| "leaked" to the outside world, which implies that these files should not
| be posted for download. One such program was originally called Dazzle
| (NOT to be confused with the other popular DAZZLE screensaver), but has
| entered BBS distribution under the filename O-MY-GOD. Another is a
| program that is usually included inside other archives: the program name
| is PLAYANI. Dan says this has been distributed "along with various
| animations," and also falls under the same Internal classification.
|
| A prime example of this is an archive called BALLS (not what you think).
| This is an animation of multiple chrome spheres rotating around each
| other above a red and white checkerboard platform. In this case, both
| the player (PLAYANI) _and_ the animation are the property of IBM and are
| not intended for BBS distribution.
|
| Again, to quote Dan, "None of these programs are for external
| distribution; all are owned by IBM and are only for use inside IBM by IBM
| employees." Thanks to Dan for all of his help.

| Donn Bly has cleared up the question on the status of the Sydex program
| TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
| Donn was kind enough to mail a copy of a letter sent to him by Sydex
| explaining that Teledisk is no longer shareware. Here is an excerpt from
| the letter:
|
|    "Effective April 1991, TeleDisk is no longer a shareware
|    product. After long consideration, we decided to
|    discontinue our offering of the shareware edition of
|    TeleDisk, and license it only as a commercial product.
|
|    "Commercial licenses of TeleDisk are available from Sydex at
|    $150 a copy. All shareware distributors and BBS sysops who
|    take time to check their sources are requested to remove
|    TeleDisk from shareware distribution."
|
| The letter is signed by Miriam St. Clair for Sydex. To summarize, Sydex
| is no longer accepting shareware registrations for TeleDisk, and asks
| that it not be made available for download from BBS systems.
|
| Thanks to Donn for his help in this matter.

HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
Barnes of Mustang Software, Inc., about a "patch" program aimed at
OffLine Xpress (OLX) v1.0. The patch is supposed to allow OLX to read and
reply to Blue Wave packets, along with a lot of other seemingly
unbelievable feats.

Gwen Barnes did not seem to know of the patch, but published the
following advice in the WildNet SLMROLX conference to anyone considering
trying it:

   1. Make a complete backup of your system.
   2. Make sure you've got all the latest SCAN stuff from McAfee
   3. Try it, keeping in mind that it more than likely does nothing
      at all, or is a trojan that will hose your system.
   4. Get ready to re-format and restore from backups if this is in
      fact the case.

No filename was given for this patch. If anyone runs across a copy of it,
please contact one of The HackWatchers or myself so that we can forward a
copy to MSI for testing.

Bill Lambdin (1:343/45) reports that someone has taken all of McAfee
Associates' antiviral programs and combined them into one gigantic (over
700k) archive. He did not say whether the files had been tampered with,
but he did send a copy to McAfee for them to dissect. The file was posted
under the filename MCAFEE99.

I would not suggest downloading this file: as a matter of fact, this
reporter prefers to call McAfee's BBS directly when a new version of any
of their utilities comes out. I highly recommend this method, since it
ensures that you will receive an official copy.

HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG echo
about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu also
says that there is a warning about these in circulation. If you have a
copy of this warning, please send a copy to Hack Central Station
(1:382/95).

=========================================================================

Information, Please

This is the section of The Hack Report where your Hack Squad asks for
_your_ help. Several reports come in every week, and there aren't enough
hours in the day (or fingers for the keyboards) to verify them all. Only
with help from all of you can The Hack Report stay on top of all of the
weirdness going on out there in BBSLand. So, if you have any leads on any
of the files shown below, please send them in: operators are standing by.

Onno Tesink (2:283/318) has sighted a file called LHA255B.
This claims to be version 2.55b of the LHA archiver, with a file date in
the executable of 12/08/92. He compared the file to the latest known
official release, v2.13, and found two additional program options which
were mentioned when the program was invoked with no command line
(generating a help screen). The archive contained nothing but the
executable file. Viral scans were negative. I have not heard of any
further development going on by the author of LHA, H. Yoshi, but that
wouldn't be a first. If anyone knows of a new version of LHA, please
contact your nearest HackWatcher and lend a hand.

Travis Griggs (1:3807/4.25) forwarded a report from a local board called
The Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen.
The message referred to a file called BOUNCE, which she said was infected
with the Russian Mirror virus. The file, according to Travis, claimed to
be a game. I would appreciate further confirmation of this sighting.

An update on a warning from Mark Stansfield (1:115/404), concerning the
files KILL and PROTECT. He claims that these delete the user's hard drive
when run. Dan Onstott (1:100/470) reported in the FidoNet SHAREWRE echo
that he has a small utility called PROTECT.COM (205 bytes, dated
12-10-86), which is a write-protect utility for your hard drive. He says
he has never had a problem with it. So, Mark's report may be an isolated
incident. If anyone else sees the files Mark mentioned, please advise.

Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
Conference about two files. The archives, called PHOTON and NUKE, are
possibly droppers, containing a file called NUKE.COM which "will trash
your HD." Pat Finnerty (1:3627/107) sent a reply to the last report of
this, stating that he has a copy of a PC Magazine utility called
NUKE.COM, which is used to remove subdirectories which contain "nested
subs, hidden, read-only (you name it)."
He says that the command NUKE C:\ will effectively delete everything on a
hard drive, with no chance of repair. This is merely the way the program
is designed. I do not know if this is what happened in Mario's case, or
if Mario actually found a copy (read: isolated incident) which was
infected. Bill has asked Mario for further information, and I would like
to echo his call for help. If you know of this, please lend a hand.

Another one forwarded by Bill comes from Michael Santos in the Intelec
Net Chat conference, concerning a screen saver named IM. This is only a
"hearsay" report from one of Michael's friends, who says he downloaded it
and wound up with a virus. There is no way to tell if the infection came
from the file itself or if it was already present on his friend's system.
Once again, if anyone can clear this up, please do so.

Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
Rich Bongiovanni. Rich reports that there is a file floating around
called DEMON WARS (archive name DMNWAR52) that is "infected with a
virus." If true, this may be an isolated incident. I would appreciate
confirmation on this.

Greg Walters (1:270/612) reports a possible isolated incident of a
problem with #1KEEN7. When he ran the installation, he began seeing on
his monitor "what looked like an X-rated GIF." The file apparently
scanned clean. Any information on similar sightings would be appreciated.

A report from Todd Clayton (1:259/210) concerns a program called
ROBO.EXE, which he says apparently claims to "make RoboBoard run 300%
faster." He says he has heard that the program fools around with your
File Allocation Table. I have not heard any other reports of this, so I
would appreciate some confirmation from someone else who has seen similar
reports.

Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
possible hack of FEBBS called F192HACK.
I have not seen this file, nor has the author of FEBBS, Patrik Sjoberg
(2:205/208). He forwards the file sizes in the archive, reported here:

     Name          Length    Mod Date   Time      CRC
     ============  ========  =========  ========  ========
     FEBBS.EXE       220841  09 Mar 92  21:17:00  96D2E08D
     014734.TXT        1403  26 Aug 92  01:59:18  3B9F717F
     ============  ========  =========  ========  ========
     *total     2    222244  26 Aug 92  01:59:24

Kelvin says the .TXT file is just an advert for a BBS, so it is "not
relevant!". As I said, the author of FEBBS has never seen this file, so
I've asked Kelvin to forward a copy of it to him.

Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
Optimiser (sic)," going under the filenames MAX-XD and MAXXD20. Scott
Dudley, the author of Maximus, says he did not write any programs that
have these names, but he does not know whether they are or are not
legitimate third party utilities. I have requested further information
from Andrew on this topic, and would appreciate anyone else's
information, if they have any.

Yet another short warning comes from David Bell (1:280/315), posted in
the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is
that it is a Trojan, and that he got his information from another
"billboard" and is merely passing it on. Again, please help if you know
what is going on here.

Bud Webster (1:264/165.7) reports an Apogee game being distributed under
the filename BLOCK5.ZIP. He says that the game displayed a message that
said, "This game is not in the public domain or shareware." There was
only an .EXE file in the archive, and no documentation. I need to know
what the real name of this game is so that I can include it in the
pirated files section (if necessary).

A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
grabbed my attention the moment I saw it: in capital letters, it said,
"DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He
goes on to say that two BBSs have been destroyed by the file.
However, that's about all that was reported. I really need more to go on
before I can classify this as a Trojan and not just a false alarm (i.e.,
archive name, what it does, etc.). Please advise.

Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
Echo (FidoNet) about a version of ARJ called 2.33. It was unclear as to
whether or not Mr. Mills had seen the file. Mr. Jung has repeated that
the latest version of ARJ is v2.30 (however, there is a legitimate public
beta version numbered 2.39b). It is possible that the references Greg saw
about 2.33 were typos, but you never know. Please help your Hack Squad
out on this one - if you see it, report it.

=========================================================================

                         The Meier/Morlan List

| Here are this month's updates on the status of the files contained in the
| Meier/Morlan List.

| Emanuel Levy (1:266/63) forwards some of his observations on these files.
| Here is the text of his report:
|
| "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
| down the screen to patrons and then have to pick up the returning mugs
| and they leave tips, then it is Tapper. Or it may be an OLD game
| published in Compute Mag. If it is the one from Compute only those who
| have the Compute issue with the game in it are allowed to have a copy.
|
| "Harrier is either Harrier Jump Jet or Space Harrier from Sega which came
| out for the Commodore 64 in 89 so I would assume it came out for IBM
| around then too.
|
| "Gremlins- There was a Gremlins Text Adventure and a Video Game for the
| computer. The video game was put out by Atari
|
| "Megaman is sold in Stores and is out for Nintendo. It is a pirated
| program.
|
| "Antix may be Artic Antix one of the Spy vs Spy games
|
| "Win_Trek information follows
|
| "I got it at a convention from a dealer at a Star Trek Convention. The guy
| got it off of The Network BBS. It is located in Baltimore Maryland.
| The number there is (420)247-3797
|
| Files in archive are
|    WINTREK1.DLL   242112   4-07-92   6:53p
|    WINTREK2.DLL   519163   4-07-92   6:53p
|    WINTREK .EXE   144144   4-07-92   7:03p
|    WINTREK .HLP     7109   3-29-92   2:55p
|    README  .WRI     4224   4-07-92   7:12p
|
| "I hope I have been able to help."
|
| I'd say you have - thanks! The confirmed pirated file, Megaman, is now
| listed in the Pirated Files section. On the other hand, WinTrek will be
| removed, as Emanuel confirms that it is shareware.

| Andrew McCullough (1:2614/409) has a copy of a game called ANTIX,
| mentioned above. According to Andrew, "as far as I can tell it is
| legit." He says it is a "'dinky' little program where you try to eat
| away 75% of the screen without being hit by the 'bad guys'." If anyone
| can confirm either report on this, please do so.

| Finally, Bill Lambdin forwards a message from Michael Gibbs (RIME address
| EXHIBITA, from the Intelec Shareware conference), about 3DPOOL. Michael
| says this contains no docs, except for an ANSI file touting some pirate
| group. This is usually clear evidence of a pirated commercial program,
| so this file moves to the Pirated Files section.

For those who have missed it before, here is what is left of the list of
files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system. Joe
says Wes keeps a bulletin of all rejected files uploaded to him and the
reasons they were rejected. Joe also says he cannot confirm or deny the
status of any of the files on the list.

There are some that I am not familiar with or cannot confirm. These are
listed below, along with the description from Wes Meier's list. Due to
the unconfirmed nature of the files below, the filenames are not included
in the columnar lists.

I would appreciate any help that anyone can offer in verifying the status
of these files. Until I receive some verification on them, I will not
count them as either hacks or pirated files.
Remember - innocent until proven guilty. My thanks go to Joe and Wes for
their help.

Filename  Reason for Rejection
========  =============================================
BARKEEP   Too old, no docs and copyrighted with no copy permission.
HARRIER   Copyrighted. No permission to copy granted.
SLORGAME  Copyrighted. No docs. No permission to copy granted.
NOVELL    Copyrighted material with no permission to BBS distribute
DRUMS     I have no idea if these are legit or not. No docs.
SPACEGOO  STARGOSE in disguise. Copyrighted.
GREMLINS  No documentation or permission to copy given.
NAVM      Copyrighted. No permission to copy granted.
TESTCOM   Copyrighted. No permission to copy granted.
CLOUDKM   A hacked commercial program.
ANTIX     Couldn't make this work. No docs.
MENACE    Copyrighted. No docs. No permission to copy granted.
AIRBALL   A hacked commercial program.
SNOOPY    Copyrighted. No docs. No permission to copy granted.
SLORDAX   Copyrighted. No docs. No permission to copy granted.
ESCAPE    Copyrighted. No docs. No permission to copy granted.
AFOX      A cracked commercial program.
BANNER    Copyrighted. No docs. No permission to copy granted.
FIXDOS50  Copyrighted. No permission to copy granted.
WINGIF14  The author's documentation specifically requests this file
          to not be distributed.
INTELCOM  Copyrighted. No docs. No permission to copy granted.
387DX     Copyrighted. No docs or permission to copy granted.
WINDRV    Copyrighted. No permission to copy granted.

=========================================================================

                                Help!!!

| Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
| The Hack Squad for testing/verification please re-identify themselves via
| NetMail? Somehow, your message went to the great Bit Bucket in the sky.
| Thanks in advance!

=========================================================================

                             Clarification

| I need to apologize once again - this time, to Brent Lynch (1:103/132),
| concerning the file SF2BETA.
| In my attempt to consolidate all of the
| information on several files of this name, I apparently misquoted Brent.
| In an attempt to rectify the situation, here is the entire text of the
| report from Brent, as forwarded by Harold Stein (1:107/236).
|
|    This message was from BRENT LYNCH to ALL,
|    originally in conference Games
|    and was forwarded to you by HAROLD STEIN.
|
|    =========================
|
|    Be careful of the game Sf2beta! Although there are no
|    trojans or viruses in it, it looks VERY suspicious and is prob.
|    pirated. If you really are curious I did play it before
|    deleting it as soon as I surmised it wasn't an authorized
|    copy.
|
|    First of all the Game is in Vietnamese (The setup program
|    isn't though strangely enough). The graphics are VERY good
|    in fact other than being a little smaller (not much though)
|    almost identical to the arcade version. The music is also
|    excellent and a good reproduction of the arcade version. The
|    animation is great at 61 frames per second on a 486! No
|    digitized voice and you can only play as Guile or Ryu. It's
|    really a pity that Capcom hasn't made a Legal version for the
|    USA as this version shows that a great game of SF2 is
|    possible.
|
|    Be careful and DON'T SPREAD THIS FILE AROUND as the folks at
|    Capcom have worked very hard to make a great game. I REPEAT
|    DO NOT SPREAD it around.
|
|    =========================
|
| I apologize for any confusion that may have developed from this
| situation.

*************************************************************************

                               Conclusion

If you see one of these on a board near you, it would be a very friendly
gesture to let the SysOp know. Remember, they can get in just as much
trouble as the fiend who uploads pirated files, so help them out if you
can.

                       ***HACK SQUAD POLICY***

The intent of this report is to help SysOps and Users to identify
fraudulent files. To this extent, I give credit to the reporter of a
confirmed hack.
On this same note, I do _not_ intend to "go after" any BBS SysOps who
have these programs posted for d/l. The Shareware World operates best
when everyone works together, so it would be counter-productive to "rat"
on anyone who has such a file on their board. Like I said, my intent is
to help, not harm. SysOps are strongly encouraged to read this report and
remove all files listed within from their boards. I can not and will not
take any "enforcement action" on this, but you never know who else may be
calling your board. Pirated commercial software posted for d/l can get
you into _deeply_ serious trouble with certain authorities.

Updates of programs listed in this report need verification. It is
unfortunate that anyone who downloads a file must be paranoid about its
legitimacy. Call me a crusader, but I'd really like to see the day that
this is no longer true. Until then, if you _know_ of a new official
version of a program listed here, please help me verify it.

By the same token, hacks need to be verified, too. I won't be held
responsible for falsely accusing the real thing of being a fraud. So,
innocent until proven guilty, but unofficial until verified.

Upcoming official releases will not be included or announced in this
report. It is this Co-Moderator's personal opinion that the hype
surrounding a pending release leads to hacks and Trojans, which is
exactly the opposite of what I'm trying to accomplish here.

If you know of any other programs that are hacks, bogus, jokes, hoaxes,
etc., please let me know. Thanks for helping to keep shareware clean!

Lee Jackson, Co-Moderator,
FidoNet International Echo SHAREWRE (1:382/95)