=========================================================================
From the files of The Hack Squad:       by Lee Jackson, Co-Moderator,
                                        FidoNet International Echo SHAREWRE
The Hack Report
Volume 2, Number 4 for April, 1993
Report Date: April 4, 1993
=========================================================================

Welcome to the fourth 1993 issue of The Hack Report. This is a series of
reports that aim to help all users of files found on BBSs avoid
fraudulent programs, and is presented as a free public service by the
FidoNet International Shareware Echo and the author of the report, Lee
Jackson (FidoNet 1:382/95).

This month's issue was delayed a bit, due to some severe weather in the
area of Hack Central Station. However, and I hope you'll agree with me,
the wait was worth it: more ARJ hacks have appeared, seemingly in
anticipation of a new release of the popular archiver, and the Power Pump
is sighted once again. Also, in what seems to be a never-ending attack
against a well-known program, someone has released yet another tampered
archive of TheDraw. Thanks to everyone who has helped put this report
together, and to those that have sent in comments and suggestions.

NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
your BBS, subject to these conditions: 1) the latest version is used,
2) it is posted in its entirety, and 3) it is not altered in any way.

NOTE TO OTHER READERS: The Hack Report (file version) may be freely
uploaded to any BBS, subject to the above conditions, and only if you do
not change the filename. You may convert the archive type as you wish,
but please leave the filename in its original HACK????.* format.

The Hack Report may also be cross-posted in other networks (with the
permission of the other network) as long as it meets the above conditions
and you give appropriate credit to the FidoNet International Shareware
Echo (and the author). The idea is to make this information available
freely. However, please don't cut out the disclaimers and other
information if you use it, or confuse the issue by spreading the file
under different names. Thanks!

DISCLAIMER: The listings of Official Versions are not a guarantee of the
files' safety or fitness for use. Someone out there might just be
sick-minded enough to upload a Trojan with an "official" file name, so
scan everything you download.

| Jack Cross (1:3805/13) forwarded a copy of a DEBUG script posted in the
| FidoNet BATPOWER echo. The script, which has created a great deal of
| discussion in that echo, created an archive (LZH) of the program
| TinyCache (filename TNYCACHE), a small disk cache program.
|
| A couple of folks who ran the program state that this is not a
| legitimate file. In fact, it appears (from their reported symptoms) to
| be a Trojan. Destroyed FATs and reformatted hard drives have been
| reported after this program is run.
|
| I ran the script through DEBUG and un-archived the TNYCACHE.COM file.
| Afterwards, I checked it for viruses and looked at it with Vern Buerg's
| LIST Enhanced. At first glance, the file doesn't even look like a real
| program: it appears to be a corrupted file of some sort, and bears no
| resemblance to any .COM file I have ever seen. If it is in fact a
| corrupted file, then the damage it could cause if run would be
| unpredictable at best. My guess is that the file might not be an
| intentional dirty trick, but that the person who distributed it may
| have some cross-linked clusters on their hard drive.
|
| As I have said before to folks who contact Hack Central Station, I'm a
| reporter, not an AV expert: my analysis is not as reliable as one
| coming from a real expert. I have been offline for several days due to
| circumstances beyond my control, so I might have missed a report from
| Jack on this. If not, I will forward a copy for testing.

HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
(615)966-3574) in the ILink VIRUS FILE conference about the archive
ASCDEMO. Marshall says that McAfee's ViruScan doesn't detect any
infection until after you run it and it has infected other files. No
further information was supplied, other than the internal filenames
(ASCDEMO.DOC and ASCDEMO.EXE). I need further data on this before I can
list it in the Trojan Wars section, so please advise if you have any.

Emanuel Levy (1:266/63) reports on the file IM, which was reported by
Michael Santos in the Intelec Net Chat conference and listed in the 1992
Full Archive edition of The Hack Report. Michael's report was a
"hearsay" report from one of his friends, and stated that the IM screen
saver file caused a viral infection. Emanuel says the file is an "outer
space screen saver," currently under the filename IM17. Scott Wunsch
(1:140/23.1701) says the program name is "Inner Mission," and he
currently has version 1.6. In both cases, the files were clean. So, it
looks like either Michael's friend's system became infected from a
different source than the IM file, or an isolated incident of an
infected IM is involved. No way to tell at this writing.

Long time readers of this report will remember a question concerning the
status of a screen saver called TUNNEL. Ove Lorentzon (2:203/403.6) and
Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
Steiner) both stated that the program was an internal IBM test program
and was not intended for outside distribution. Your Hack Squad has
received word from the author of the program, Dan Butterfield (Internet,
danielb@vnet.ibm.com), that as far as he is aware, the program has never
been released to the general public. According to Dan, "it is still
owned by IBM, and as such has been given the IBM security classification
'IBM Internal Use Only' which means what it says: the program is not for
distribution to non-IBM employees."

Dan also says that several other "Internal Use Only" programs have been
"leaked" to the outside world, which implies that these files should not
be posted for download. One such program was originally called Dazzle
(NOT to be confused with the other popular DAZZLE screensaver), but has
entered BBS distribution under the filename O-MY-GOD. Another is a
program that is usually included inside other archives: the program name
is PLAYANI. Dan says this has been distributed "along with various
animations," and also falls under the same Internal classification. A
prime example of this is an archive called BALLS (not what you think).
This is an animation of multiple chrome spheres rotating around each
other above a red and white checkerboard platform. In this case, both
the player (PLAYANI) _and_ the animation are the property of IBM and are
not intended for BBS distribution. Again, to quote Dan, "None of these
programs are for external distribution; all are owned by IBM and are
only for use inside IBM by IBM employees." Thanks to Dan for all of his
help.

Donn Bly has cleared up the question on the status of the Sydex program
TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
Donn was kind enough to mail a copy of a letter sent to him by Sydex
explaining that TeleDisk is no longer shareware. Here is an excerpt from
the letter:

    "Effective April 1991, TeleDisk is no longer a shareware product.
    After long consideration, we decided to discontinue our offering
    of the shareware edition of TeleDisk, and license it only as a
    commercial product.

    "Commercial licenses of TeleDisk are available from Sydex at $150
    a copy. All shareware distributors and BBS sysops who take time to
    check their sources are requested to remove TeleDisk from
    shareware distribution."

The letter is signed by Miriam St. Clair for Sydex. To summarize, Sydex
is no longer accepting shareware registrations for TeleDisk, and asks
that it not be made available for download from BBS systems.

Thanks to Donn for his help in this matter.

HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
Barnes of Mustang Software, Inc., about a "patch" program aimed at
OffLine Xpress (OLX) v1.0. The patch is supposed to allow OLX to read and
reply to Blue Wave packets, along with a lot of other seemingly
unbelievable feats. Gwen Barnes did not seem to know of the patch, but
published the following advice in the WildNet SLMROLX conference to
anyone considering trying it:

  1. Make a complete backup of your system.
  2. Make sure you've got all the latest SCAN stuff from McAfee.
  3. Try it, keeping in mind that it more than likely does nothing at
     all, or is a trojan that will hose your system.
  4. Get ready to re-format and restore from backups if this is in fact
     the case.

No filename was given for this patch. If anyone runs across a copy of
it, please contact one of The HackWatchers or myself so that we can
forward a copy to MSI for testing.

HW Bill Lambdin reports that someone has taken all of McAfee Associates'
antiviral programs and combined them into one gigantic (over 700k)
archive. He did not say whether the files had been tampered with, but he
did send a copy to McAfee for them to dissect. The file was posted under
the filename MCAFEE99. I would not suggest downloading this file: as a
matter of fact, this reporter prefers to call McAfee's BBS directly when
a new version of any of their utilities comes out. I highly recommend
this method, since it ensures that you will receive an official copy.

HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG echo
about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu also
says that there is a warning about these in circulation. If you have a
copy of this warning, please send a copy to Hack Central Station
(1:382/95).

=========================================================================
Information, Please

This is the section of The Hack Report where your Hack Squad asks for
_your_ help. Several reports come in every week, and there aren't enough
hours in the day (or fingers for the keyboards) to verify them all. Only
with help from all of you can The Hack Report stay on top of all of the
weirdness going on out there in BBSLand. So, if you have any leads on
any of the files shown below, please send them in: operators are
standing by.

| Eric Alexander (1:3613/10) reported a file called PRINCE that appears
| to be a cracked commercial game of some sort. One internal file,
| "predit.doc", contained a reference to someone called "The Fang." I am
| not familiar with this game, so if anyone comes across Fang's version
| of PRINCE, please let me know what they've found.

| Dave Lartique (1:3800/22) found a game described as "a shareware game
| from Great Britain" called CAVEMAN. This was described on another BBS
| he saw it on (under the filename CAVE) as an Apogee game, but it is not
| an Apogee release. The game is called Caveman Ninja, and Dave says one
| of the internal files contains the following (somewhat garbled) text:
|
|     "DISTRIBUTED BY ELITE SYSTEM LTD (C) 1991 DATA EAST CORPORATION"
|
| If memory serves, Data East is a producer of commercial games. However,
| I have no knowledge of this game. Can someone verify this? Please
| advise.

| A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13)
| states that he had a user upload a file called TAG-NFO, which turned
| out to be a Trojan. No details about the Trojan were given, so any
| confirmation of this would be appreciated.

Onno Tesink (2:283/318) has sighted a file called LHA255B. This claims
to be version 2.55b of the LHA archiver, with a file date in the
executable of 12/08/92. He compared the file to the latest known
official release, v2.13, and found two additional program options which
were mentioned when the program was invoked with no command line
(generating a help screen). The archive contained nothing but the
executable file. Viral scans were negative.

Many, MANY other folks have seen this file, as well as one called
LHA252. Your Hack Squad has copies of both files. The LHA252 file
contains Japanese documentation, so it is a bit of a tough nut to crack.
I have not heard of any further development going on by the author of
LHA, H. Yoshi, but that wouldn't be a first. He is supposedly contactable
via the NIFTY-SERVE service of CompuServe. However, this service requires
some knowledge of Japanese, and my only foreign language training was a
semester of Czech at the University of Texas. If anyone knows of a new
version of LHA, or has CompuServe access and the ability to converse in
Japanese (and would be willing to assist), please contact your nearest
HackWatcher or me and lend a hand. This is getting very frustrating.

HW Bill Lambdin forwards a message from Mario Giordani in the ILink
Virus Conference about two files. The archives, called PHOTON and NUKE,
are possibly droppers, containing a file called NUKE.COM which "will
trash your HD." Pat Finnerty (1:3627/107) sent a reply to the last
report of this, stating that he has a copy of a PC Magazine utility
called NUKE.COM, which is used to remove subdirectories which contain
"nested subs, hidden, read-only (you name it)." He says that the command
NUKE C:\ will effectively delete everything on a hard drive, with no
chance of repair. This is merely the way the program is designed. I do
not know if this is what happened in Mario's case, or if Mario actually
found a copy (read: isolated incident) which was infected. Bill has
asked Mario for further information, and I would like to echo his call
for help. If you know of this, please lend a hand.

Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
Rich Bongiovanni. Rich reports that there is a file floating around
called DEMON WARS (archive name DMNWAR52) that is "infected with a
virus." If true, this may be an isolated incident. I would appreciate
confirmation on this.

Greg Walters (1:270/612) reports a possible isolated incident of a
problem with #1KEEN7. When he ran the installation, he began seeing on
his monitor "what looked like an X-rated GIF." The file apparently
scanned clean. Any information on similar sightings would be
appreciated.

A report from Todd Clayton (1:259/210) concerns a program called
ROBO.EXE, which he says claims to "make RoboBoard run 300% faster." He
says he has heard that the program fools around with your File
Allocation Table. I have not heard any other reports of this, so I would
appreciate some confirmation from someone else who has seen similar
reports.

Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
possible hack of FEBBS called F192HACK. I have not seen this file, nor
has the author of FEBBS, Patrik Sjoberg (2:205/208). Kelvin forwards the
file sizes in the archive, reported here:

  Name           Length   Mod Date   Time      CRC
  ============  ========  =========  ========  ========
  FEBBS.EXE       220841  09 Mar 92  21:17:00  96D2E08D
  014734.TXT        1403  26 Aug 92  01:59:18  3B9F717F
  ============  ========  =========  ========  ========
  *total 2        222244  26 Aug 92  01:59:24

Kelvin says the .TXT file is just an advert for a BBS, so it is "not
relevant!". As I said, the author of FEBBS has never seen this file, so
I've asked Kelvin to forward a copy of it to him.

Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
| Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley,
the author of Maximus, says he did not write any programs that have these
names, but he does not know whether they are or are not legitimate third
party utilities. I have requested further information from Andrew on
this topic, and would appreciate anyone else's information, if they have
any.

Yet another short warning comes from David Bell (1:280/315), posted in
the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is
that it is a Trojan, and that he got his information from another
"billboard" and is merely passing it on. Again, please help if you know
what is going on here.

A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
grabbed my attention the moment I saw it: in capital letters, it said,
"DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He
goes on to say that two BBSs have been destroyed by the file. However,
that's about all that was reported. I really need more to go on before I
can classify this as a Trojan and not just a false alarm (i.e., archive
name, what it does, etc.). Please advise.

Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ
Support Echo (FidoNet) about a version of ARJ called 2.33. It was
unclear as to whether or not Mr. Mills had seen the file. Mr. Jung has
repeated that the latest version of ARJ is v2.30 (however, there is a
legitimate public "pre-release" version numbered 2.39d). It is possible
that the references Greg saw about 2.33 were typos, but you never know.
Please help your Hack Squad out on this one - if you see it, report it.

=========================================================================
The Meier/Morlan List

Here are this month's updates on the status of the files contained in
the Meier/Morlan List.

| Matthew Revelle (1:2608/27) lent a hand on the file WINGIF14, which he
| found as WGIF14. The documentation from this file includes the
| following:
|
|     "This is a beta release. Please do not distribute
|     publicly but you can go ahead and give it to WinGIF
|     users that might need some of these new features.
|     The real release should be available soon! Please
|     let me know about bugs as well as what you think of
|     the new features."
|
| What we seem to have here is a limited beta that has escaped into
| distribution. However, from documentation excerpts sent to me by
| Michael Pfister (CompuServe address 100042,102), there has since been a
| full, non-beta release of WinGIF v1.4 that is being distributed under
| the same filename (WINGIF14).
|
| This is a confusing situation, to be sure. However, it is simple to
| resolve: just look at your documentation. If your copy is a beta
| release, go find the new one. Thanks to Matthew and Michael for their
| help - WINGIF14 is now off the list.

| Several reports came in on NAVM, all indicating that this was the
| version of Norton AntiVirus released in 1992 in response to the
| Michelangelo virus scare. The reports, from Mark Murphy (1:132/119) and
| Jerry Murphy (1:157/2 (no relation, I think)), struck a note of
| recognition here at Hack Central Station: thanks to both of you. NAVM
| comes off the list as well.

Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
Simulator by Mindscape, Inc. He says that he hasn't seen anything from
them in quite a while, and doesn't know if the company is still in
business.

Here are the remaining unresolved reports from Emanuel Levy (1:266/63):

    "387DX - sounds like a Math Co-Processor emulator - might be legit.

    "Barkeep sounds like it may be a version of Tapper. If you send beer
    mugs down the screen to patrons and then have to pick up the
    returning mugs and they leave tips, then it is Tapper. Or it may be
    an OLD game published in Compute Mag. If it is the one from Compute
    only those who have the Compute issue with the game in it are
    allowed to have a copy.

    "Harrier is either Harrier Jump Jet or Space Harrier from Sega which
    came out for the Commodore 64 in 89 so I would assume it came out
    for IBM around then too.

    "Gremlins - There was a Gremlins Text Adventure and a Video Game for
    the computer. The video game was put out by Atari."

Thanks, Emanuel.

For those who have missed it before, here is what is left of the list of
files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system. Joe
says Wes keeps a bulletin of all rejected files uploaded to him and the
reasons they were rejected. Joe also says he cannot confirm or deny the
status of any of the files on the list. There are some that I am not
familiar with or cannot confirm. These are listed below, along with the
description from Wes Meier's list.

| Due to the unconfirmed nature of the files below, the filenames are not
| included in the HACK????.COL and HACK????.IDX files that are a part of
| the archive of The Hack Report. I would appreciate any help that anyone
| can offer in verifying the status of these files. Until I receive
| verification on them, I will not count them as either hacks or pirated
| files. Remember - innocent until proven guilty.

My thanks go to Joe and Wes for their help.

  Filename  Reason for Rejection
  ========  =============================================
  BARKEEP   Too old, no docs and copyrighted with no copy permission.
  HARRIER   Copyrighted. No permission to copy granted.
  SLORGAME  Copyrighted. No docs. No permission to copy granted.
  NOVELL    Copyrighted material with no permission to BBS distribute.
  DRUMS     I have no idea if these are legit or not. No docs.
  GREMLINS  No documentation or permission to copy given.
  CLOUDKM   A hacked commercial program.
  MENACE    Copyrighted. No docs. No permission to copy granted.
  AIRBALL   A hacked commercial program.
  SNOOPY    Copyrighted. No docs. No permission to copy granted.
  SLORDAX   Copyrighted. No docs. No permission to copy granted.
  ESCAPE    Copyrighted. No docs. No permission to copy granted.
  BANNER    Copyrighted. No docs. No permission to copy granted.
  387DX     Copyrighted. No docs or permission to copy granted.
  WINDRV    Copyrighted. No permission to copy granted.

=========================================================================
Clarifications and Thanks

| I have received a message from Amit K. Mathur (Internet address
| mathur@SERVER.uwindsor.ca), the author of the KILL program reported by
| Mark Stansfield (1:115/404). If you will remember, Mark claimed that
| this will delete the user's hard drive when run.
|
| According to Amit, this is possible if the program was accidentally
| told to delete the hard drive, since the program is a recursive
| directory deletion tool (with "tons of options" and plenty of
| progress/warning messages, according to Amit). If you run it from your
| root directory with the proper commands, you could very well wind up
| with a clean hard drive.
|
| So, this reporter's advice is to go ahead and use it without fear, but
| use it with care. Thanks for the help, Amit!

| Finally, and coming from an angle I never expected, Rick Moen
| (CompuServe address 76711,243) points out quite rightly that your Hack
| Squad has been a bit biased toward the American version of the English
| language. Specifically, he said that my "Maximus BBS Optimiser (sic)"
| comment was not correct, especially since the report came from
| Australia. Seems that the folks from Oz and most of the rest of the
| world tend to use an S instead of a Z to spell the word OPTIMIZER.
|
| For those who aren't familiar with it, "sic" is used at times by a
| writer to point out that the spelling of the previous word might be
| incorrect, but it's a direct copy of the original author's spelling.
| So, thanks to Rick's sharp eyes, I have removed the "(sic)" comment
| from that portion of the report. (FYI, Rick, I _do_ use the correct
| spelling for words like "catalogue" and "theatre".)

=========================================================================
Help!!!

Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2)
to The Hack Squad for testing/verification please re-identify themselves
via NetMail? Somehow, your message went to the great Bit Bucket in the
sky. Thanks in advance!

*************************************************************************
Conclusion

If you see one of these on a board near you, it would be a very friendly
gesture to let the SysOp know. Remember, they can get in just as much
trouble as the fiend who uploads pirated files, so help them out if you
can.

***HACK SQUAD POLICY***

The intent of this report is to help SysOps and Users to identify
fraudulent files. To this extent, I give credit to the reporter of a
confirmed hack. On this same note, I do _not_ intend to "go after" any
BBS SysOps who have these programs posted for d/l. The Shareware World
operates best when everyone works together, so it would be
counter-productive to "rat" on anyone who has such a file on their
board. Like I said, my intent is to help, not harm.

SysOps are strongly encouraged to read this report and remove all files
listed within from their boards. I cannot and will not take any
"enforcement action" on this, but you never know who else may be calling
your board. Pirated commercial software posted for d/l can get you into
_deeply_ serious trouble with certain authorities.

Updates of programs listed in this report need verification. It is
unfortunate that anyone who downloads a file must be paranoid about its
legitimacy. Call me a crusader, but I'd really like to see the day that
this is no longer true. Until then, if you _know_ of a new official
version of a program listed here, please help me verify it. On the same
token, hacks need to be verified, too. I won't be held responsible for
falsely accusing the real thing of being a fraud. So, innocent until
proven guilty, but unofficial until verified.

Upcoming official releases will not be included or announced in this
report. It is this Co-Moderator's personal opinion that the hype
surrounding a pending release leads to hacks and Trojans, which is
exactly the opposite of what I'm trying to accomplish here.

If you know of any other programs that are hacks, bogus, jokes, hoaxes,
etc., please let me know. Thanks for helping to keep shareware clean!

Lee Jackson, Author, The Hack Report
Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)
Moderator, FidoNet Echo WARNINGS (1:382/95)