=========================================================================
||  From the files of The Hack Squad:
||  Compiled by W.H. (Bill) Lambdin
||  Volume 3, Issue 1                              The Hack Report
||  Report Date: January 29, 1994                  for Jan/Feb, 1994
||
=========================================================================

Welcome to the first 1994 issue of The Hack Report. This is a series of
reports that aim to help all users of files found on BBSs avoid fraudulent
programs, and is presented as a free public service by the Hack Watchers
and other people that report these suspect files, and compiled by Bill
Lambdin.

I was expecting some diskettes with material from Lee, but they haven't
arrived as yet. However, the Hack Report will be monthly after this late
issue.

With my new status as Hack Central, I am going to make a few changes to
the Hack Report. I believe all of these changes are necessary, and for the
better for all that read the Hack Report. I do not expect to make any
radical changes.

1. I intend to minimize the number of files in the Hack Report archive,
   because some people read the Hack Report in conferences and distribute
   this version as the Hack Report.

2. I will be using CHKFILE (written by Wolfgang Stiller) to generate CRC
   values for the Hack Report. HACK????.CRC will contain the CRC values
   for the Hack Report, and newest versions of A-V software.

3. I am considering changing the HACK????.COL to the .IDX format. This
   will make it easier for me to update.

NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on your
BBS, subject to these conditions: 1) the latest version is used, 2) it is
posted in its entirety, and 3) it is not altered in any way.

NOTE TO OTHER READERS: The Hack Report (file version) may be freely
uploaded to any BBS, subject to the above conditions, and only if you do
not change the filename. You may convert the archive type as you wish, but
please leave the filename in its original HACK????.* format.
The Hack Report may also be cross-posted in other networks (with the
permission of the other network) as long as it meets the above conditions
and you give appropriate credit to the FidoNet International Shareware and
Warnings Echos (and the author). The idea is to make this information
available freely. However, please don't cut out the disclaimers and other
information if you use it, or confuse the issue by spreading the file
under different names. Thanks!

DISCLAIMER: The listings of Official Versions are not a guarantee of the
files' safety or fitness for use. Someone out there might just be
sick-minded enough to upload a Trojan with an "official" file name, so
>scan everything you download

NULL" (instead of "NUL"). Seems to be at least a Trojan,
| although I don't see any evidence of a virus...
|
| Definitely a trojan! Oddly coded, too. I can't decide if it's
| in some HLL with a bizarre compiler, or hand-coded by someone
| with a very strange mind. First thing it does is alter the
| PATH to point to only a few directories (DOS and SYSTEM on
| C: and D:, I think), and then look in the current dir and
| along the path for a FORMAT.COM or FORMAT.EXE or FORMAT.BAT.
| Oh, first it's created a T_M_P.!!! file (or some similar
| name) containing "y". Having found a FORMAT command,
| it invokes it with arguments to do a quikformat of C:.
| That's as far as I've traced it; after that it does something
| that causes about 50 "Bad command or filename" messages.
|
| DC

=========================================================================
                              Way To Go!
=========================================================================

| This type of activity should be encouraged, and the users need to know
| of companies that react to problems in a positive manner instead of
| trying to cover it up.
|
| If you see a company reacting in a positive manner to viruses, or other
| problems, send a message to me, and I will be happy to add it to this
| section.
|
| Leading Edge sold 500 computers infected with the Michelangelo virus in
| 1993. After they were aware of the problem, they reported this problem
| publicly and sent Anti-Virus Software to their customers to detect and
| remove the virus.
|
| Winfred Hu accidentally released Telemate 4.11 with two infected VESA
| drivers. These drivers were infected with the Butterfly virus. Winfred
| distributed a note about the problem to several Net Mail conferences,
| then removed the two infected files and released an updated version of
| Telemate.
|
| Power Up Software accidentally sold the "So Much Share Ware Vol II"
| CD-ROM with a file infected with the Power Pump virus. After they were
| aware of the problem, they distributed a note, and stopped producing
| copies of So Much Share Ware Vol II. Power Up Software is not
| responsible for this virus slipping through because McAfee's Scan (the
| scanner Power Up Software used) could not detect the Power Pump virus
| at that time.
|
| The company that produces the Night Owl CDs released the Night Owl 10
| CD with several infected files. After they were aware of the problem,
| they sent letters to all of their customers offering to send an update
| of the CD, Night Owl 10.1. They removed the files, and re-mastered the
| CD. I wish more companies would react positively when they encounter
| problems like this.

=========================================================================
                     Pirated Commercial Software
=========================================================================

Program                   Archive    Reported By
                          Name(s)
=======                   =========  ===========
2400 A.D. (game)          2400AD     Kevin Brott (Internet,
                                     dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
3-D Pool                  3DPOOL     Michael Gibbs (via HW Bill Lambdin)
4DOS v4.02 (reg.)         4DOS402R   HW Scott Raymond
                          4DOSREG
Airball (game)            AIRBALL    Michael Gorse (1:101/346)
Alone in the Dark         ALONEDEM   Mark Mistretta (1:102/1314)
  (full game-not a demo)
ArcMaster (registered)    AM91REG    HW Scott Raymond
                          AM92REG
Arctic Fox (game, by      AFOX       from the Meier/Morlan List,
  Electronic Arts)                   conf. by HW Emanuel Levy and
                                     Brendt Hess (1:105/362)
ARJ Archiver              ARJ239RG   HW Scott Raymond
  (registered)            AJ241ECR
Arkanoid II: Revenge      ARKNOID    James Crawford (1:202/1809)
  of DoH (game)
Atomix (game)             ATOMIX_    HW Matt Kracht
A-Train by Maxis          ATRAIN1    Chris Blackwell of Maxis
                          through    (zoinks@netcom.com)
                          ATRAIN6,
                          also
                          A-TRAIN1
                          through
                          A-TRAIN6
BannerMania               BANMANIA   Harold Stein (1:107/236)
Battle Chess              CHESS      Ron Mahan (1:123/61)
|                         BTLCHESS   Michael Wagoner (1:105/331)
BeetleJuice (game)        BEETLE     Mark Harris (1:121/99)
                          BETLEJUC   Jason Robertson (1:250/802.2)
                          BJUICE     Alan Hess (1:261/1000)
                          BJ         Bill Blakely (RIME Shareware echo)
                          BTLJWC     the Hack Squad (1:124/4007)
Big Bird (game?)          BIGBIRD    Cindy McVey, via Harold Stein
Budokan: the Martial      BUDOKAN    Michael Gibbs (Intelec, via
  Spirit (game)                      HW Bill Lambdin)
Caveman Ninja             CAVEMAN    Dave Lartique (1:3800/22),
                                     ver. by HW Emanuel Levy
Check-It PC               CHECKIT    HW Bert Bredewoud
  Diagnostic Software     CHKIT20    HW Bill Lambdin
Cisco Heat (game)         CISCO      Jason Robertson
Commander Keen Pt. 5      _1KEEN5    Scott Wunsch (1:140/23.1701)
                          KEEN5E     Carson Hanrahan (CompuServe,
                                     71554,2652)
{COMMO} v5.4              COMO54X    Allan Bowhill (1:343/555)
CompuShow GIF Viewer      CSHW860B   HW Scott Raymond
Copy II PC                COPYPC70   Ryan Park (1:283/420)
Cyber Chess               C-CHESS    Shane Paul, RIME, via
                                     HW Richard Steiner
Darkside (game)           DARKSIDE   Ralph Busch (1:153/9)
Disk Copy Fast 4.0        DCF4UNT    HW Scott Raymond
  (registered)            DCF41AR
DiskDupe Pro v4.03        DD403PRO   Jan Koopmans (2:512/163)
Energizer Bunny Screen    ENERGIZR   Kurt Jacobson, PC Dynamics,
  Saver for Windows                  Inc., via HW Bill Dennison
F-Prot Professional       FP206SF    Mikko Hypponen
                                     (mikko.hypponen@compart.fi)
Family Feud (game)        FAM-FEUD   Harold Stein
FAST! Disk Cache          FAST_1V4   Ryan Park (1:283/420), via
  v4.03.08                           HW Bill Lambdin
FaxTalk (Thought          FAXTALK    Lyle Taylor (1:293/644),
  Communications)                    via Steve Fuqua
FaxPlus (Thought          FAXPLUS    Lyle Taylor (1:293/644),
  Communications)                    via Steve Fuqua
FaxPower                  FAXPWR     Carson Hanrahan (CompuServe,
                                     71544,2652)
Freddy Pharkas,           FREDDY-1   HW Bob Seaborn
  Frontier Pharmacist     FREDDY-2
                          FREDDY-3
                          FREDDY-4
                          FREDDY-5
                          FREDDY-6
GEcho Mail Tosser         GE_1000K   HW Scott Raymond
                          GE_100CK
GifLite 2.0 (regist.)     GL2-ECR    HW Scott Raymond
Gods (game)               GODS       Ron Woods (1:134/144)
Golden Axe (game)         GOLDAXE    Harold Stein
GSZ Protocol Driver       GSZ0503R   HW Scott Raymond
  (registered)            GSZ0529R
Home Lawyer               HOMELAWY   Kim Miller (1:103/700)
                          HMLAWYER   Harvey Woien (1:102/752)
Hoyle's Classic Games     HOYLECL1   HW Bob Seaborn
                          HOYLECL2
                          HOYLECL3
                          HOYLECL4
HS/Link Protocol          HS121R     Don Becker (Internet,
  v1.21 (registered)                 grendel@jaflrn.linet.org)
                          HS121REG   HW Scott Raymond
HyperWare Speedkit        SPKT460R   HW Scott Raymond
  v4.60 (registered)
Ian Bothams Cricket       IBCTDT     Vince Sorensen (1:140/121)
Intelcom Modem Test       TESTCOM    from the Meier/Morlan List,
  Utility (dist. with                confirmed by Onno Tesink
  Intel modems)                      (RIME, via HW Richard Steiner)
                          INTELCOM   HW Jason Robertson
Intermail Mailer          IM221U     HW Scott Raymond
  (registered)            IM22FIX
Jetsons (game)            JETSONS    Kevin Brott (Internet,
                                     dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
Jill of the Jungle        JILL2      Harold Stein
  (non-shareware files)   JILL3
                          $JILL2     HW Bert Bredewoud
                          $JILL3
Killing Cloud (game)      CLOUD      Mike Wenthold
Kings of the Beach        VBALL      Jason Robertson
  (game)
Landmark System           SPEED330   Larry Dingethal (1:273/242)
  Speed Test              SPEED600   Joe Morlan (1:125/28)
Life & Death (game)       L&D1       Harold Stein
                          L&D2
List Enhanced             LIST8      Richard Dale (1:280/333)
                          LISTE18D   HW Scott Raymond
MegaMan (game)            MEGAMAN    HW Emanuel Levy
Microsoft Flight          FS         Michael Gibbs (Intelec, via
  Simulator                          HW Bill Lambdin)
                          FS50TDT1   HW Bob Seaborn
                          FS50TDT2
Microsoft Mouse Driver    MOUSE901   Alex Morelli (CompuServe,
                                     75050,2130)
Microsoft Ramdrive        RAMDRIVE   Barry Martin (Intelec, via
                                     HW Bill Lambdin)
MS-DOS 6.0                MSDOS6-1   Harold Stein
                          MSDOS6-2
                          MSDOS6-3
Oh No, More Lemmings      ONMLEMM    Larry Dingethal (1:273/231)
  (complete-not demo)
Over the Net              OTNINC1    Tim Sitzler (1:206/2708)
  (volleyball game)
PGA Tour Golf             GOLF       HW Bill Lambdin
PKLite (registered)       PKL15REG   HW Scott Raymond
PKZip v2.04c              PK204REG   HW Scott Raymond
  (Registered)
PKZip v2.04c              PKZCFG     Mark Mistretta (1:102/1314)
  Configuration Editor
PKZip v2.04e              PK204ERG   HW Scott Raymond
  (Registered)
PKZip v2.04g              PKZ204R    HW Bill Dennison
  (Registered)            PKZ204GR   HW Jason Robertson
Populous (game)           POPULOUS   Harold Stein
The Price is Right        PRICE      Harold Stein
  (game)
Prince of Persia          PRINCE     Kenneth Darling (2:231/98.67)
                                     Eric Alexander (1:3613/10)
                                     HW Emanuel Levy
                          PRINCE2A   Todd Crawford (1:3616/40),
                          PRINCE2B   via HW Jeff White
                          PRINCE2C
PrintShop                 PSHOP      Michael Gibbs, Intelec, via
                                     HW Bill Lambdin
Psion Chess               3D-CHESS   Matt Farrenkopf (1:105/376)
Pyro! PC                  DOSPYRO    Jay Kendall (1:141/338), via
  (Fifth Generation)                 HW Scott Raymond
Q387 (registered)         Q387UTG    Michael Toth (1:115/439.7)
QModem Pro                QMPRO-1    Mark Mistretta
                          QMPRO-2
QuickLink II Fax v2.0.2   QLINK1     Carson Hanrahan (CompuServe,
                          QLINK2     71554,2652)
Rack 'Em (game)           RACKEM     Ruth Lee (1:106/5352)
Rawcopy PC                RAWCOPY    HW Chris Wise
Sequencer Plus Pro        SPPRO      Tom Dunavold (Intelec, via
                                     Larry Dingethal)
Shadow Warriors (game)    SHADOWG    Mark Mistretta
Sharky's 3D Pool          POOL       Jason Robertson (1:250/801)
Shez (Registered)         SHEZ84R    Eric Vanebrick (2:291/712)
                          SHEZ85R    HW Scott Raymond
                          SHEZ87R
                          SHEZ88R
                          SHEZ89R
                          SHEZ91R
SideKick 2.0              SK3        Harold Stein
SimCity (by Maxis)*       SIMCITY1   Peter Kirn, WildNet Shareware
                          SIMCITY2   conf., via HW Ken Whiton
                          SIMCITY3
                          SIM_CITY   Kevin Brott (Internet,
                                     dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW   Scott Wunsch
Smartdrive Disk Cache     SMARTDRV   Barry Martin (Intelec, via
                                     HW Bill Lambdin)
                          SMTDRV40   Michael Toth (1:115/220)
Spidey (game)             SPIDEY     Brian Henry (ILink, via
                                     HW Richard Steiner)
                          SPIDRMAN   Alan Hess (address unknown)
Squish 2.1                SQUISH     Jason Robertson (1:250/802.2)
  (Sundog Software)       SQUISH21   Several (ver. by Joe Morlan)
Star Control Vol. 4       STARCON    Carson M. Hanrahan (CompuServe
                                     71554,2652)
Streets on a Disk         STREETS    Harvey Woien
SuperZModem               SZMO200    HW Jason Robertson
  (registered)
Teledisk (files           TDISK214   Mark Mistretta
  dated after Apr. 1991)  TELE214R   Staale Fagerland (Internet,
                                     staale.fagerland@euronetis.no)
Telemate                  TM411REG   HW Scott Raymond
TheDraw v4.61 (reg.)      TDRW461R   HW Scott Raymond
Vegas Casino 2 (game)     VEGAS2     The Hack Squad
VOpt Disk Defragmenter    VOPT30     The Hack Squad
VPic v6.0 (registered)    VPIC60CR   HW Scott Raymond
Wheel of Fortune          WHEEL      Harold Stein
Where in the USA is       CARMEN     Carson Hanrahan
  Carmen Sandiego?        CARMENUS   Cindy McVey, via Harold Stein
Where in Time is          CARMENT    Cindy McVey, via Harold Stein
  Carmen Sandiego?
WinWay Resume for         WINRES     Erez Carmel (CompuServe,
  Windows                            70523,2574)
World Class Rugby         WCRFNTDT   Vince Sorensen
ZipMaster (registered)    ZM31REG    HW Scott Raymond

* - Peter Kirn's report on SimCity indicated that Maxis has in fact
    released a demo of SimCity onto ZiffNet which limits play to 5
    minutes. This is not the same file as he reported, however - the ones
    he found are indeed pirate copies.

=========================================================================
                    ?????Questionable Programs?????

This section of The Hack Report is for the "misfits" - in other words,
files that are hacks, hoaxes, Trojans, or pirated, but either do not quite
fit into one of the main sections of the report or require more
explanation than the format of the appropriate section allows. The extra
material presented here is usually included for a good reason, so please
take the time to read at least the new entries quite carefully. Also, if
you have any input on any of the listed files, do not hesitate to send it
in to your Hack Squad.

Quite a few folks questioned a release of Vern Buerg's LIST calling itself
v7.8a. This one actually came down one of the file distribution networks,
if memory serves. However, in response to these inquiries, your Hack Squad
called up The Motherboard BBS, Mr. Buerg's home system. On that system was
posted the following bulletin:

   ================================
   === July 15: LIST78A.ZIP is bogus
   ===============================
   ================================

   A beta test version of LIST 7.8a was uploaded to other systems by
   mistake. It is not an official version, and it has bugs, e.g. the
   mouse doesn't work. A new version will be released next week. Those
   waiting for registered copies will be sent theirs first, then it will
   be posted on VOR and CIS. The manual was dramatically updated and is
   now 54 pages with full color cover. We'll have some on the shelves at
   the store next week.
So, this definitely qualifies as a "misfit" - it isn't a hack, hoax, or
Trojan - it's an accident.

Robert Jung's ARJ archiver has had a new release in non-beta form. The
legitimate file can be identified by an ARJ-SECURED envelope. However,
making equally big news (unfortunately) were several sightings of pirated
versions of the registered v2.41 file. These were most often seen as a ZIP
file (?) with the following internal files:

 Length  Method    Size  Ratio    Date    Time    CRC-32  Name
 ------  ------    ----  -----    ----    ----  --------  ----
   1436  DeflatX    614   58%  06-09-93  16:05  23af995c  README
 223594  DeflatX 222850    1%  06-04-93  09:19  fe351d41  ARJ241.EXE
 127882  Stored  127882    0%  06-04-93  09:27  54fdf489  ARJUTIL.ARJ
  55301  DeflatX  54641    2%  06-04-93  09:18  6d4e75fe  UNARJ241.EXE
 244816  Stored  244816    0%  06-10-93  09:23  0abdb4be  ARJHLP24.ARJ
 ------          ------   ---                             -------
 653029          650803    1%                                   5

The giveaway here is the ARJUTIL.ARJ file - this contains programs that
are only available to registered users. This causes a problem as far as
listing this in the .col/.idx files is concerned: the person who
distributed the pirated version used the same filename as the real thing.
The only way you're going to be able to tell the pirated version from the
legitimate one will be to look inside your copy of the archive. If you see
either the ARJUTIL.ARJ file inside, or the files ARJR.EXE or DEARJ.EXE,
then you have the pirated copy. Please delete it. (Note - version 2.41 has
been superseded - please see the Hacked Files section of this report for
the latest version as of this writing.)

Dotti Rosier (1:114/107) found a message on a local BBS system that might
be worth reading. The text read as follows:

   WARNING: Nobody download PHACS1.EXE and NETWORK1.EXE..They have the
   Yankee Doodle virus that is only detectable by SCANV99.... please
   clean these two exe files IMMEDIATELY and in case you have run them
   already, there might be some other files that are infected. CLEAN99
   will clean them just fine.
   Sorry for the inconvenience but I recently found out that my HD was
   infected and therefore, every file that I compile is infected. Thank
   you for your patience.

I can only assume that these were self-extracting archives - no
descriptions of the files were available.

Steve Winter (1:153/7070) reported on a file called SUB1_V21. This claimed
to be a program called SUB, a directory list utility. Steve checked out
the file prior to running the install program and found no anomalies.
However, once installed, he says he began to get conflicting directory
reads, disk full errors, and problems booting. Somehow, his boot record
had been damaged. According to his testing, the file passes scans with
F-Prot v2.08a and does not alert McAfee's VShield v104. He says the
archive contains two files - INSTALL.EXE and SUB.SPZ, which contains the
executable. INSTALL creates a subdirectory and extracts files from the
SUB.SPZ file. Steve says he is attempting to get another copy for testing.
Until that time, I can't say for sure if he was the victim of a system
glitch, buggy software, or a true Trojan. If anyone out there has this
file, please contact your local HackWatcher or myself so that we can
arrange for testing.

Mark Harris (1:121/26.1) found a pair of archives called DEATH_1 and
DEATH_2 on a local system. The files were described as a new Apogee game
called Deathbringer. The archives contained no documentation, and all
program files were dated 1990 or 1991. When run, the game displayed the
name "Deathbringer," but gave no company or copyright information. Scans
by McAfee's ViruScan and Frisk's F-Prot proved negative. Mark has provided
additional information that adds to the suspicion that this is a pirated
file.
The program begins with the following screen:

   Empire, in association with ODE and The Mystery Machine, presents

                       -=*=- DEATHBRINGER -=*=-

   Select Vidoe Mode:
      1) VGA 16 color
      2) EGA 16 color
      3) Tandy 4 color
      4) CGA 4 color
      5) Tandy 16 color

   Roland, Adlib and Tandy music supported
   (Playing now, if found, M to toggle on/off)
   J to select Joystick, K for keyboard
   = to speed up, - to slow down game (fast PCs)

   THOSE WHO LABOURED:
   John Wood...................Atari ST, Commodore Amiga, Design
   Kevin Ayre.....................................IBM PC, Design
   Colin Swinbourne.....................................Graphics
   Richard Yapp...................................Levels, Design
   Sound Images............................................Music

   Deathbringer, Karn and all Deathbringer Characters and the
   distinctive likenesses thereof are Trademarks of Abaddon Duke of
   Hell Group Inc.

Mark goes on to say:

   There was no documentation in the archive (which I will continue to
   hold on to, in case you need it for any reason) giving any playing
   instructions, no shareware notice or registration request, nothing
   whatsoever to indicate the origin of this program except for the
   above. That's what prompted me to write in the first place; it looks
   to me (especially considering the quality of the graphics,) like this
   is a commercial program with as much of the copyright and identifying
   screens hacked out of it as possible. As an Apogee Tech Support
   Specialist, I can personally verify that this is not a product of
   Apogee.

Mark's opinion is that this is a hack of a commercial game: I tend to
agree. Jim Wells (1:2613/261) forwarded the file contents, along with some
other information still being looked into: he feels that this is a
"hacked" version of the official release, whether shareware or commercial.
Rick McBride (1:363/178) says it is indeed commercial, as he saw it on a
CD-ROM about a year ago.
However, he does not remember the publisher's name (possibly Psygnosis, he
says) - only that it is an arcade-style D&D game. This is still being
researched. In the meantime, I would appreciate any information that a
user of the possible commercial version could forward - please help your
Hack Squad verify this one.

Chuck Cypert (1:124/2113) reported in the FidoNet VIRUS_INFO echo that the
SysOp of the CompUSA BBS in Carrollton, TX had a problem with a file
called UNIXHAC. The SysOp reports that this file formatted his hard drive.
No further details were available, as the SysOp had already deleted the
file. If someone has a copy of this, again, please contact one of The
HackWatchers or myself.

Harvey Woien (1:102/752) forwarded a report from a user of The Motherboard
(Vern Buerg's BBS), Ted R. Marcus, about a version of the Microsoft Mouse
Driver claiming to be version 9.0. It also appears that this file came
down a file distribution network under the filename MSMAUS90, possibly
originating in Germany. Your Hack Squad has found a copy of the same
archive Ted reported on, and confirms some of his observations on the file
(MOUSE900), quoted here:

   1. Microsoft Diagnostics and InfoPlus report this "9.00" driver as
      version 8.00. The latest "official" version of which I am aware is
      8.20a.

   2. The "new" driver is significantly smaller than version 8.20a.

   3. The "new" driver supports the undocumented /U switch (which loads
      much of the driver into the HMA). Version 8.0 and 8.1 supported
      this feature, but Microsoft removed it from version 8.2 (shipped
      with DOS 6.0). The support for the /U switch suggests that the
      driver is, in fact, version 8.0.

   4. Examining the MOUSE.COM driver file reveals one instance where the
      version number (repeated in the initialization message for each
      language the driver supports) is "9.40". That indicates either
      uncharacteristic sloppiness on the part of Microsoft -- or, more
      likely, sloppiness on the part of a hacker.
More information on MOUSE900 comes from Jeffery Bradley (1:3635/35). He
informed the folks here at Hack Central Station that there is indeed a
legitimate v9.0 of the Microsoft Mouse Driver. However, after talking with
Microsoft, he did confirm that this should not be distributed via BBS
systems: it is commercial only, as previously reported.

Yet another file that doesn't fit into any of the report categories: a
report from Wen-Chung Wu (1:102/342) concerns the archive PKLT120R, which
claims to be version 1.20 of PKLite. This is actually PKLite Professional
v1.12, a commercial product, which has been hacked to show version 1.20
instead of 1.12. To make matters worse, the PKLITE.EXE file was compressed
"by PKLITE itself more than three times and once by LZEXE." So, what we
have here is a hack of a pirated commercial file - jeez, this job gets
confusing at times. ;-)

Here's an update on the report from Bud Webster (1:264/165.7) on the
Apogee game being distributed under the filename BLOCK5.ZIP. As reported
by Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and Dan
Stratton (via HW Ken Whiton), this program was part of an Apogee disk
called the "Super Game Pack," and it is a game called "Block Five." Joe
Siegler (1:124/9006), the online support representative for Apogee
Software Productions, confirms this, and states that the majority of the
games on this disk, including this one, have been officially discontinued.
The official company stand is that this game should not be distributed via
BBS systems, as it is no longer supported in any way by Apogee Software
Productions. Thanks to everyone who helped on this one.

HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
called BIBLEPR (no description available) that appears a bit suspicious.
The file contents are:

 Length   Time    CRC-32  Attr  Name
 ------   ----  --------  ----  ----
  34176  11:26  d267f5de  --w-  BIBLEPR.COM
 158493  00:04  4298ac2d  --w-  DATAPR-0.DAT
 158493  00:04  d87adf4b  --w-  DATAPR-1.DAT
 158493  00:08  1213c6b3  --w-  DATAPR-2.DAT
 159764  00:08  38d7cc06  --w-  DATAPR-3.DAT
   1572  24:05  3a60c80e  --w-  BIBLEPR.DOC
 ------                         -------
 670991                               6

When BIBLEPR.COM executes, Bill says it displays the following message:

   Greets from DOA!
   Don't say I didn't warn you!
   You are also busted!
   Expect a visit from the SPA!
   Omni, I will avenge you!

Bill's disassembly shows the file contains two INT 26 calls, which are DOS
Absolute Disk Write instructions. He said that if it contains a virus, he
was unable to get it to replicate. A copy of the archive has been sent to
Glenn Jordan at Datawatch Software for testing.

Here's an interesting point, brought to my attention by HW Richard Steiner
and John Weiss of the RIME Shareware Conference. In previous issues, I
have listed two files, QM60IST1 and QM60IST2 (reported by Francois Thunus,
2:270/25), as pirated copies of QModem v6.0. However, Richard and John
quite correctly point out that there was no release of QModem v6.0 - the
program changed to QModem Pro after v5. This file, or a variant, has also
been spotted by Jerry Van Laer of 2:292/805.7, under the names QM60D1-2
and QM60D2-2. In this case, an internal "brag" screen stated the program
was QmodemPro 1.0. From what Francois reported, I believe that what he saw
was indeed Qmodem Pro, now a commercial-only program. However, it was
"released" under the above filenames. So, is it a Hack? Pirated File? Or
what? Doesn't matter - it shouldn't be distributed. Thanks, Richard and
John, for making me fully engage my brain for a change.

HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
(615)966-3574) in the ILink VIRUS FILE conference about the archive
ASCDEMO.
Marshall says that McAfee's ViruScan doesn't detect any infection until
after you run it and it has infected other files. No further information
was supplied, other than the internal filenames (ASCDEMO.DOC and
ASCDEMO.EXE). I need further data on this before I can list it in the
Trojan Wars section, so please advise if you have any.

HW Emanuel Levy has looked at the file IM, reported by Michael Santos in
the Intelec Net Chat conference and listed in the 1992 Full Archive
edition of The Hack Report. Michael's report was a "hearsay" report from
one of his friends, and stated that the IM screen saver file caused a
viral infection. Emanuel says the file is an "outer space screen saver,"
currently under the filename IM17. Scott Wunsch (1:140/23.1701) says the
program name is "Inner Mission," and he currently has version 1.6. In both
cases, the files were clean. So, it looks like either Michael's friend's
system became infected from a different source than the IM file, or that
an isolated incident of an infected IM is involved. No way to tell at this
writing.

Long time readers of this report will remember a question concerning the
status of a screen saver called TUNNEL. Ove Lorentzon (2:203/403.6) and
Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
Steiner) both stated that the program was an internal IBM test program and
was not intended for outside distribution. Your Hack Squad has received
word from the author of the program, Dan Butterfield (Internet,
danielb@vnet.ibm.com), that as far as he is aware, the program has never
been released to the general public. According to Dan, "it is still owned
by IBM, and as such has been given the IBM security classification 'IBM
Internal Use Only' which means what it says: the program is not for
distribution to non-IBM employees." Dan also says that several other
"Internal Use Only" programs have been "leaked" to the outside world,
which implies that these files should not be posted for download.
One such program was originally called Dazzle (NOT to be confused with the
other popular DAZZLE screensaver), but has entered BBS distribution under
the filename O-MY-GOD (also seen as OMG, per Michael Burkhart (RIME
address CENTER, via HW Richard Steiner)). However, note that the
O-MY-GOD/OMG file was hacked, according to Dan, so that all of the
"Internal Use Only" references were removed.

Another is a program that is usually included inside other archives: the
program name is PLAYANI. Dan says this has been distributed "along with
various animations," and also falls under the same Internal
classification. A prime example of this is an archive called BALLS (not
what you think). This is an animation of multiple chrome spheres rotating
around each other above a red and white checkerboard platform. In this
case, both the player (PLAYANI) _and_ the animation are the property of
IBM and are not intended for BBS distribution.

Again, to quote Dan, "None of these programs are for external
distribution; all are owned by IBM and are only for use inside IBM by IBM
employees." Thanks to Dan for all of his help.

Donn Bly has cleared up the question on the status of the Sydex program
TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
Donn was kind enough to mail a copy of a letter sent to him by Sydex
explaining that Teledisk is no longer shareware. Here is an excerpt from
the letter:

   "Effective April 1991, TeleDisk is no longer a shareware product.
   After long consideration, we decided to discontinue our offering of
   the shareware edition of TeleDisk, and license it only as a
   commercial product.

   "Commercial licenses of TeleDisk are available from Sydex at $150 a
   copy. All shareware distributors and BBS sysops who take time to
   check their sources are requested to remove TeleDisk from shareware
   distribution."

The letter is signed by Miriam St. Clair for Sydex.
To summarize, Sydex is no longer accepting shareware registrations for
TeleDisk, and asks that it not be made available for download from BBS
systems. Thanks to Donn for his help in this matter.

HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
Barnes of Mustang Software, Inc., about a "patch" program aimed at OffLine
Xpress (OLX) v1.0. The patch is supposed to allow OLX to read and reply to
Blue Wave packets, along with a lot of other seemingly unbelievable feats.
Gwen Barnes did not seem to know of the patch, but published the following
advice in the WildNet SLMROLX conference to anyone considering trying it:

   1. Make a complete backup of your system.
   2. Make sure you've got all the latest SCAN stuff from McAfee.
   3. Try it, keeping in mind that it more than likely does nothing at
      all, or is a trojan that will hose your system.
   4. Get ready to re-format and restore from backups if this is in fact
      the case.

No filename was given for this patch. If anyone runs across a copy of it,
please contact one of The HackWatchers or myself so that we can forward a
copy to MSI for testing.

HW Bill Lambdin reports that someone has taken all of McAfee Associates'
antiviral programs and combined them into one gigantic (over 700k)
archive. He did not say whether the files had been tampered with, but he
did send a copy to McAfee for them to dissect. The file was posted under
the filename MCAFEE99. I would not suggest downloading this file: as a
matter of fact, this reporter prefers to call McAfee's BBS directly when a
new version of any of their utilities comes out. I highly recommend this
method, since it ensures that you will receive an official copy.

HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG echo
about possible Trojans going around as PKZIP 2.21 and/or 2.22. Stu also
says that there is a warning about these in circulation. If you have a
copy of this warning, please send a copy to Hack Central Station
(1:124/4007).
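The test this section gives for the pirated ARJ v2.41 ZIP (look inside the archive for the registered-only members ARJUTIL.ARJ, ARJR.EXE or DEARJ.EXE, and compare against the CRC-32 values in the published listing) can be done by a script rather than by eye. The following is an added example, not code from the Hack Report or from ARJ; the archive it inspects is a constructed in-memory sample with placeholder contents, so its CRCs are not those of any real file, and the names PIRATE_MEMBER_NAMES, PIRATE_LISTING_CRC, inspect_archive and build_sample are the example's own.

```python
"""Check a ZIP archive against the pirated-ARJ-2.41 fingerprint given in
the Hack Report: registered-only member names, plus the CRC-32 values from
the report's listing of the pirated ZIP (added example, not report code)."""
import io
import zipfile

# Members the report says appear only in the pirated archive.
PIRATE_MEMBER_NAMES = {"ARJUTIL.ARJ", "ARJR.EXE", "DEARJ.EXE"}

# CRC-32 values copied from the report's listing of the pirated ZIP.
# A ZIP stores the CRC-32 of each member's uncompressed data in the member
# header, which is what ZipInfo.CRC returns, so the values can be compared
# directly regardless of the compression method used.
PIRATE_LISTING_CRC = {
    "README": 0x23AF995C,
    "ARJ241.EXE": 0xFE351D41,
    "ARJUTIL.ARJ": 0x54FDF489,
    "UNARJ241.EXE": 0x6D4E75FE,
    "ARJHLP24.ARJ": 0x0ABDB4BE,
}


def inspect_archive(data: bytes) -> dict:
    """Return which suspect member names are present and which members
    carry exactly a CRC-32 from the report's listing.

    'pirated' is True on a name hit (the report's own rule) or when any
    member's CRC equals the listing's CRC for ARJUTIL.ARJ, which catches a
    copy in which that member was merely renamed.  'crc_matches' lists
    members whose data matches any line of the listing, i.e. the very
    same distribution even after re-packing with another compressor.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    names = {zi.filename.upper() for zi in members}
    suspect_names = sorted(names & PIRATE_MEMBER_NAMES)
    listing_crcs = set(PIRATE_LISTING_CRC.values())
    crc_matches = sorted(
        zi.filename.upper() for zi in members if zi.CRC in listing_crcs
    )
    arjutil_by_crc = any(
        zi.CRC == PIRATE_LISTING_CRC["ARJUTIL.ARJ"] for zi in members
    )
    return {
        "pirated": bool(suspect_names) or arjutil_by_crc,
        "suspect_names": suspect_names,
        "crc_matches": crc_matches,
    }


def build_sample(members: dict) -> bytes:
    """Constructed in-memory ZIP for demonstration; the payloads are
    placeholder bytes, not ARJ program files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one carrying the registered-only member, one not.
    pirated = build_sample({"README": b"readme", "ARJ241.EXE": b"arj",
                            "ARJUTIL.ARJ": b"registered-only tools"})
    clean = build_sample({"README": b"readme", "ARJ241.EXE": b"arj"})
    print("pirated sample:", inspect_archive(pirated))
    print("clean sample:  ", inspect_archive(clean))
```

To check a downloaded copy, pass the file's bytes to inspect_archive; a name hit is enough to delete it, per the report, while an empty crc_matches on a name hit only means it is a different packaging of the same leak, not that it is legitimate.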
=========================================================================
                         Information, Please

This is the section of The Hack Report where your Hack Squad asks for
_your_ help. Several reports come in every week, and there aren't enough
hours in the day (or fingers for the keyboards) to verify them all. Only
with help from all of you can The Hack Report stay on top of all of the
weirdness going on out there in BBSLand. So, if you have any leads on any
of the files shown below, please send it in: operators are standing by.

Chuck Hammock (1:392/20) reported in the FidoNet DIRTY_DOZEN echo that one
of his users uploaded a file called PASTUT24. The user warned Chuck that
this file was infected with the Kamikazee virus. I was unable to get
further information on this, so Chuck, if you are reading this (or if
anyone else can confirm this), please send me some NetMail on your
results.

Russell Wagner reported a problem with a copy of VMIX222. This shareware
multitasker is currently at v2.87. Russell claims to have found a possible
isolated incident of a Trojan version of the program. He wound up
scrambling the FAT on his C: drive when he ran the program, and was able
to reproduce the damage in subsequent tests. He only ran the program on
one system, however, so it is not clear as to whether he has found a true
Trojan claiming to be the real VMiX, a corrupted copy of the file, or
whether he has some sort of hardware incompatibility. If anyone else has
run into a problem with v2.22 of this program, please advise.

Robert Rothenburg (Internet robert.rothenburg@asb.com) received a file
called JAMMER that he says is very suspicious. The archive had a file with
the name JAMMER.EXE and a description that said something to the effect
of, "run this first and your calls won't be traced." He looked through the
executable and found the name "Nmodem Jammer 2.8", along with "some other
claims about adjusting the modem configuration" and "some nasty insults to
a couple of people."
Virus scanners showed nothing, so he looked at the interrupts. He says it "looks like it installs a TSR of sorts and does some disk writes." He concludes that the file possibly "installs a virus or just damages certain files, though I suspect it will go after the comm program, as a message says when it ends to 'run your communications program now!'". I am attempting to get a copy of this from Robert for further testing - please be on the lookout for a copy, and notify your local HackWatcher or myself if you see it.

Jim Tinlin (1:206/2604) brought into question a file called CRAPS, which looks like a shareware Craps game for Windows. However, a line inside the internal README.TXT file reads as follows: "As a licensed owner, please do not distribute this copy to others". To further confuse matters, the game displays an opening screen that states it is indeed shareware and should be distributed. The file contents are as follows:

CRAPS    EXE    264007  05-13-93   9:05aC
CRAPS    HLP     40043  04-12-93   7:16aC
README   TXT      5322  04-12-93   7:02aR
        5 file(s)     309372 bytes

This is another one that makes us scratch our heads here at Hack Central Station. Any information would be appreciated.

HW Bob Seaborn forwarded a message from Kevin Haverstock (via Tom Scott, 1:140/47) about a file called TCM_V511. This was described as "The Configuration Manager," a system configuration utility. Kevin's report said that once you finish running the setup, your computer reboots and you get a prompt that "scrolls your screen and locks up your system." He was unable to access his hard drive after booting from a system disk - a reformat was required. I am familiar with a legitimate shareware program called The Configuration Manager, but not under version number 5.11, nor under the above filename. I can't be sure if Kevin's problems were the result of a hardware error, user error, or an isolated incident of a tampered archive. If anyone has any information on what could have caused this, please enlighten me.
Harold Stein (1:107/236) found a file called STETRIS, claiming to be a Super Tetris game. He says that there was a shareware version of this that was released about a year ago, but it has since been renamed due to a conflict with a commercial game of the same name. He is not sure whether he found the old shareware file or a pirated copy of the commercial file. The archive (in .zip format, presumably using v2.04g) was 55,318 bytes long, and the archive date had been "touched" by the BBS it was uploaded to, forcing it to March 23, 1993. (Editorial: this renders filedates rather useless, IMHO. -lj)

Based on further information from Jeff Hancock (1:3600/7), it seems now that Harold may have either an older shareware version, an incomplete archive, or a different program altogether. Jeff's copy of the shareware version was only 47480 bytes (compressed with ARJ). He has seen the commercial game, and says it is "MUCH larger". With this information, I consider the matter closed. Thanks to Jeff for his help.

Peter Hempel (1:229/15) posted a message in the FidoNet Echo VIRUS about the file BREAKIT!, which was described as follows:

BREAKIT!.ZIP   6714  03-29-93  (CRS) A Gw-Basic Code And Cipher Program Allowing You To Enter Ascii Characters, To Save Them, And To Encode And Decode.

Peter claims that this program erased his root directory, but says he was able to recover everything by booting from a write-protected system disk and using the Norton Utilities UNERASE command.
The archive contents are as follows:

Name         Original Method   Packed   CR% Date     Time     CRC
============ ======== ======== ======== === ======== ======== ========
BREAKIT!.BAS     4453 Implode      2604  58  1-24-93 11:25:24 42CA0CE4
CODEFILE.FIL     1240 Implode       550  44  3-28-92 10:52:44 B6ADEB20
PRINTME.BAT        31 Stored         31 100  1-24-93 11:54:12 965CF8AE
VIEW.COM          958 Implode       876  91  3-19-92 19:11:46 47C5E5EF
README.BAT         30 Stored         30 100  1-24-93 11:52:32 95294A43
BRK.BAT            40 Stored         40 100  1-24-93 11:53:32 FC9F3B2E
BREAKIT!.DOC     2679 Implode      1440  54  1-24-93 11:56:06 EC302AFA
============ ======== ======== ======== === ======== ======== ========
           7     9431 ZIP          5571  59  1-24-93 11:56:06

He did not say which file did the damage. I do not know if this is a Trojan or an infected file - in either case, it may well be an isolated incident. Test results would be greatly appreciated.

Lowell Shatraw (1:315/6) states that there may be two pirated commercial fax programs floating around under the filenames FAX and PC_FAX. The archives he reported on were in ARJ format and were 447,693 and 101,089 bytes long, respectively. The file dates were Dec. 4, 1992, and May 26, 1992 - no way to tell if the BBS "touched" the filedates. Lowell is also not sure which commercial products these may be. If you happen to run across one or both of these, please look inside them - if they are commercial, please let me know (after you delete your copies, of course!).

A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13) states that he had a user upload a file called TAG-NFO, which turned out to be a Trojan. No details about the Trojan were given, so any confirmation of this would be appreciated.

HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus Conference about two files. The archives, called PHOTON and NUKE, are possibly droppers, containing a file called NUKE.COM which "will trash your HD."
Pat Finnerty (1:3627/107) sent a reply to the last report of this, stating that he has a copy of a PC Magazine utility called NUKE.COM, which is used to remove subdirectories which contain "nested subs, hidden, read-only (you name it)." He says that the command NUKE C:\ will effectively delete everything on a hard drive, with no chance of repair. This is merely the way the program is designed. I do not know if this is what happened in Mario's case, or if Mario actually found a copy (read: isolated incident) which was infected. Bill has asked Mario for further information, and I would like to echo his call for help. If you know of this, please lend a hand.

Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named Rich Bongiovanni. Rich reports that there is a file floating around called DEMON WARS (archive name DMNWAR52) that is "infected with a virus." If true, this may be an isolated incident. I would appreciate confirmation on this.

Greg Walters (1:270/612) reports a possible isolated incident of a problem with #1KEEN7. When he ran the installation, he began seeing on his monitor "what looked like an X-rated GIF." The file apparently scanned clean. Any information on similar sightings would be appreciated.

A report from Todd Clayton (1:259/210) concerns a program called ROBO.EXE, which he says claims to apparently "make RoboBoard run 300% faster." He says he has heard that the program fools around with your File Allocation Table. I have not heard any other reports of this, so I would appreciate some confirmation from someone else who has seen similar reports.

Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a possible hack of FEBBS called F192HACK. I have not seen this file, nor has the author of FEBBS, Patrik Sjoberg (2:205/208).
He forwards the file sizes in the archive, reported here:

Name         Length   Mod Date  Time     CRC
============ ======== ========= ======== ========
FEBBS.EXE      220841 09 Mar 92 21:17:00 96D2E08D
014734.TXT       1403 26 Aug 92 01:59:18 3B9F717F
============ ======== ========= ======== ========
*total 2       222244 26 Aug 92 01:59:24

Kelvin says the .TXT file is just an advert for a BBS, so it is "not relevant!". As I said, the author of FEBBS has never seen this file, so I've asked Kelvin to forward a copy of it to him.

Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley, the author of Maximus, says he did not write any programs that have these names, but he does not know whether or not they are legitimate third party utilities. I have requested further information from Andrew on this topic, and would appreciate anyone else's information, if they have any.

Yet another short warning comes from David Bell (1:280/315), posted in the FidoNet SHAREWRE echo, about a file called PCPLSTD2. All he says is that it is a Trojan, and that he got his information from another "billboard" and is merely passing it on. Again, please help if you know what is going on here.

A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263) grabbed my attention the moment I saw it: in capital letters, it said, "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!". He goes on to say that two BBSs have been destroyed by the file. However, that's about all that was reported. I really need more to go on before I can classify this as a Trojan and not just a false alarm (i.e., archive name, what it does, etc.). Please advise.

Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support Echo (FidoNet) about a version of ARJ called 2.33. It was unclear whether or not Mr. Mills had seen the file. Mr. Jung has stated that this is not a legitimate release number.
It is possible that the references Greg saw about 2.33 were typos, but you never know. Please help your Hack Squad out on this one - if you see it, report it.

=========================================================================
The Meier/Morlan List

Here is the current status of the files contained in the Meier/Morlan List. This is the last month for requests for information on this part of The Hack Report, as I have placed a deadline of September 30th on the files in this list. They've been reported for quite some while now, and the verifications have slowed to a trickle. If the files listed below can't be verified in time for the October issue, I will need to write them off as false alarms.

=== Previous comments on the files in the list: ===

Shane Paul of Softdisk Publishing (RIME, via HW Richard Steiner) comments on the SLORDAX game: "If the SLORDAX game is by Gamer's Edge and copyrighted by Softdisk then it is a pirated copy." I can't be sure that this is the case, so the file stays on the list until someone can verify this.

Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat Simulator by Mindscape, Inc. He says that he hasn't seen anything from them in quite a while, and doesn't know if the company is still in business.

Here are the remaining unresolved reports from HW Emanuel Levy:

"387DX - sounds like a Math Co-Processor emulator - might be legit.

"Barkeep sounds like it may be a version of Tapper. If you send beer mugs down the screen to patrons and then have to pick up the returning mugs and they leave tips, then it is Tapper. Or it may be an OLD game published in Compute Mag. If it is the one from Compute, only those who have the Compute issue with the game in it are allowed to have a copy.

"Harrier is either Harrier Jump Jet or Space Harrier from Sega, which came out for the Commodore 64 in 89, so I would assume it came out for IBM around then too.

"Gremlins - There was a Gremlins Text Adventure and a Video Game for the computer.
The video game was put out by Atari."

Thanks, Emanuel.

For those who have missed it before, here is what is left of the list of files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system. Joe says Wes keeps a bulletin of all rejected files uploaded to him and the reasons they were rejected. Joe also says he cannot confirm or deny the status of any of the files on the list.

There are some that I am not familiar with or cannot confirm. These are listed below, along with the description from Wes Meier's list. Due to the unconfirmed nature of the files below, the filenames are not included in the HACK????.COL and HACK????.IDX files that are a part of the archive of The Hack Report. I would appreciate any help that anyone can offer in verifying the status of these files. Until I receive verification on them, I will not count them as either hacks or pirated files. Remember - innocent until proven guilty. My thanks go to Joe and Wes for their help.

Filename  Reason for Rejection
========  =============================================
BARKEEP   Too old, no docs and copyrighted with no copy permission.
HARRIER   Copyrighted. No permission to copy granted.
SLORGAME  Copyrighted. No docs. No permission to copy granted.
NOVELL    Copyrighted material with no permission to BBS distribute.
DRUMS     I have no idea if these are legit or not. No docs.
GREMLINS  No documentation or permission to copy given.
CLOUDKM   A hacked commercial program.
MENACE    Copyrighted. No docs. No permission to copy granted.
SNOOPY    Copyrighted. No docs. No permission to copy granted.
SLORDAX   Copyrighted. No docs. No permission to copy granted.
ESCAPE    Copyrighted. No docs. No permission to copy granted.
BANNER    Copyrighted. No docs. No permission to copy granted.
387DX     Copyrighted. No docs or permission to copy granted.
WINDRV    Copyrighted. No permission to copy granted.
=========================================================================
Help!!!

Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to The Hack Squad for testing/verification please re-identify themselves via NetMail? Somehow, your message went to the great Bit Bucket in the sky. Thanks in advance!

=========================================================================
Clarifications and Thanks

Folks, the LHA mystery has finally been resolved, thanks to Scott Fell (1:124/6119), Steve Quarrella (1:124/9005), and Kenjirou Okubo, the support person for LHA. Your Hack Squad finally received the Internet address for Kenjirou Okubo (kenjirou@mathdent.im.uec.ac.jp), and managed to verify Scott Fell's own contact, relayed via Steve.

If you recall, Onno Tesink (2:283/318) found a file called LHA255B. This claims to be version 2.55b of the LHA archiver, with a file date in the executable of 12/08/92. Onno's report was the one that started the search. Kenjirou knew of this version and verified its legitimacy. He also provided some other very helpful information, which is best relayed by quoting his message to me:

"For DOS, currently lha256a1 is under testing in a closed circle for networking environment. After LHA213, dos5 appeared in Japan and Yoshi started his LHA25x series. The two versions you mentioned seem to fall under this series. The latest version which might be distributed by me is LHA254 for people who want to test the -lh6- algorithm."

He went on to provide the following information on how to verify your copy of LHA:

"Any version ending with LHA25xb is a beta test version, and LHA25xa is for a limited circulation. To test whether these files are legitimate releases either from Yoshi or me, please use the -t option to check the two dimensional CRC self-validation check. We believe our test will check the validation with 10E-38 % of error probability."

From my own testing, here is the best way to run the verification:

1.
Extract LHA.EXE from the suspect archive and place it in an empty subdirectory that is not on your path (example: c:\foo\lha.exe).

2. Change directories to the one which contains a known good copy of LHA.EXE.

3. Execute the command LHA t drive:\path\LHA.EXE. Using the above example, your command line would look like this:

   C:\LHADIR>LHA t C:\FOO\LHA.EXE

This will execute the known good copy of LHA, which will test the suspect copy and report whether or not the file "appears" to be the original. Even though the older LHA is doing the testing, it will be able to verify the newer copy.

Please note that Scott Fell's information was that the author does not want these copies distributed. However, it seems that the folks working on LHA are aware that some betas have "escaped" into circulation. In other words, use any betas _entirely_ at your own risk.

Scott and Steve have my undying gratitude for helping to lay this to rest, most notably by locating Kenjirou's Internet address and following through on it. Thanks from all of us!

*************************************************************************
Conclusion

If you see one of the listed files on a board near you, it would be a very friendly gesture to let the SysOp know. Remember, in the case of pirated files, they can get in just as much trouble as the fiend who uploads pirated files, so help them out if you can.

***HACK SQUAD POLICY***

The intent of this report is to help SysOps and Users to identify fraudulent files. To this extent, I give credit to the reporter of a confirmed hack. On this same note, I do _not_ intend to "go after" any BBS SysOps who have these programs posted for d/l. The Shareware World operates best when everyone works together, so it would be counter-productive to "rat" on anyone who has such a file on their board. Like I said, my intent is to help, not harm. SysOps are strongly encouraged to read this report and remove all files listed as "confirmed" from their boards.
I cannot and will not take any "enforcement action" on this, but you never know who else may be calling your board. Pirated commercial software posted for d/l can get you into _deeply_ serious trouble with certain authorities.

Updates of programs listed in this report need verification. It is unfortunate that anyone who downloads a file must be paranoid about its legitimacy. Call me a crusader, but I'd really like to see the day that this is no longer true. Until then, if you _know_ of a new official version of a program listed here, please help me verify it. By the same token, hacks need to be verified, too. I won't be held responsible for falsely accusing the real thing of being a fraud. So, innocent until proven guilty, but unofficial until verified.

Upcoming official releases will not be included or announced in this report. It is this Moderator's personal opinion that the hype surrounding a pending release leads to hacks and Trojans, which is exactly the opposite of what I'm trying to accomplish here.

If you know of any other programs that are hacks, bogus, jokes, hoaxes, etc., please let me know. Thanks for helping to keep shareware clean!

Bill Lambdin
Moderator: Intelec (PC-Security/Share Ware)
           Compulink (PC-Security)
           Wild Net (Virus)
           WME Net (PC-Security)
Internet:  Hreport@aol.com
           vfreak@aol.com
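The LHA self-test described under Clarifications and Thanks (LHA t on a suspect copy) and the archive listings printed in the reports (original length and CRC per member, as in the BREAKIT! and F192HACK tables) are two halves of the same check, and it is worth seeing why both are needed. The Python script below is an added example, not part of The Hack Report and not code from LHA, PKZIP or CHKFILE; it builds a constructed ZIP archive and a constructed "published listing" in memory, so nothing in it is a real BBS file. It shows that an archive's own CRC test catches a copy damaged in transfer, while a rebuilt archive with a substituted member passes that test cleanly and is only caught by comparing each member's length and CRC-32 against a listing obtained from a trusted source.

```python
"""Two checks for a downloaded archive, as an added example (constructed data only):
the archive's own CRC self-test (the ZIP analogue of 'LHA t') and a comparison of
every member's length and CRC-32 against a listing published by a trusted source."""
import io
import zipfile
import zlib

# Constructed sample members; nothing here is a real BBS upload.
SAMPLE_MEMBERS = {
    "README.TXT": b"Sample archive for integrity checking. Nothing here is real.\r\n",
    "VIEW.COM": bytes(range(0x20, 0x7F)) * 4,
    "BRK.BAT": b"@echo off\r\necho This is a constructed placeholder batch file.\r\n",
}


def build_archive(members):
    """Pack the members into an uncompressed (STORED) ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_listing(members):
    """The (original length, CRC-32) table a trusted party would publish for a release."""
    return {name: (len(data), zlib.crc32(data)) for name, data in members.items()}


def self_test(archive_bytes):
    """ZIP analogue of 'LHA t': name of the first member whose stored CRC does not
    match its contents, or None when the archive is internally consistent."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return zf.testzip()


def compare_with_listing(archive_bytes, listing):
    """List every way the archive differs from the published listing."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        seen = {info.filename: (info.file_size, info.CRC) for info in zf.infolist()}
    for name, (length, crc) in listing.items():
        if name not in seen:
            problems.append(f"{name}: missing from archive")
        elif seen[name] != (length, crc):
            got_len, got_crc = seen[name]
            problems.append(f"{name}: {got_len} bytes/CRC {got_crc:08X}, "
                            f"listed {length} bytes/CRC {crc:08X}")
    for name in seen:
        if name not in listing:
            problems.append(f"{name}: not in published listing")
    return problems


def corrupt_member(archive_bytes, name, members):
    """Flip one byte inside a STORED member's data: the kind of damage a bad
    transfer causes, which the self-test is designed to catch."""
    offset = archive_bytes.find(members[name])
    if offset < 0:
        raise ValueError(f"{name} data not found in archive")
    damaged = bytearray(archive_bytes)
    damaged[offset] ^= 0x01
    return bytes(damaged)


def substitute_member(members, name, new_data):
    """Rebuild the archive with one member replaced. The result is internally
    consistent, so the self-test passes; only the listing comparison notices."""
    changed = dict(members)
    changed[name] = new_data
    return build_archive(changed)


if __name__ == "__main__":
    good = build_archive(SAMPLE_MEMBERS)
    listing = make_listing(SAMPLE_MEMBERS)
    print("good archive self-test:", self_test(good))
    print("good archive vs listing:", compare_with_listing(good, listing))
    damaged = corrupt_member(good, "VIEW.COM", SAMPLE_MEMBERS)
    print("damaged copy self-test:", self_test(damaged))
    swapped = substitute_member(SAMPLE_MEMBERS, "BRK.BAT", b"@echo off\r\necho swapped\r\n")
    print("swapped copy self-test:", self_test(swapped))
    print("swapped copy vs listing:", compare_with_listing(swapped, listing))
```

The practical point for anyone checking a download: a clean self-test (LHA t, PKUNZIP -t, or testzip here) only proves that the archive was not damaged after it was built. Whoever built it could have put anything inside, so the listing you compare against has to come from the author or from a source such as the HACK????.CRC file, not from the same BBS that supplied the archive.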