----------------------------------------------------------------
| |
|THE DIRTY DOZEN -- An Uploaded Trojan/Virus Program Alert List|
| This is a FidoNet Version of Dirty Dozen. |
----------------------------------------------------------------
| For MSDOS machines ONLY Issue #10: May 27, 1989|
| |
| Revision Stage 'A' |
| |
| Compiled by Tom Sirianni of FidoNet 105/301 - LCRNET 1010/0 |
| Edited by Sally Neuman of FidoNet 105/301 |
----------------------------------------------------------------
IMPORTANT NOTE:
This Trojan Alert List is dedicated to the efforts of the
originator, Eric Newhouse, as well as Tom Neff, who spent tireless
hours/days compiling, researching, and testing various trojans,
pirates, and viruses, and reporting the results to you, the user.
It is because of these efforts that this list must and will be
aggressively maintained.
Tom Sirianni
SCP Business BBS
FidoNet 105/301
Neither SCP Business BBS nor its author assumes any responsibility for
the validity or completeness of this list. Many sources contribute to
the list, and it is very possible that one of the reported 'dirty'
files works perfectly and is in the Public Domain. I will try to
asterisk (*) any programs that I feel are not positively 'bad'.
But all the same, it is quite possible that a mistake will slip in
somewhere. Since this is the case, please keep in mind while
reading this list that, however unlikely, it is possible that I am
(or my sources are) incorrect in any accusation.
Note: ** Some TROJANS are designed to work only on Hard Drives **
so the same file may work just fine on a diskette system.
HELP FROM USERS REQUESTED:
Users upload bad software to hundreds of boards every day, and
often the software is not yet in this list, or the file may have
been corrupted by a bad ARCHIVE. However, if you run a trojan horse
program that is not listed here, please don't send it to SCP
Business BBS. Instead, give me a call (SCP Business BBS phone
1-503-648-6687, 9600/2400/1200/300 baud supported) and leave me a
message about the program (with the complete filename, its size,
and any other information you may have) so that I can get the
destructive program into the next issue. It is important to verify
that the program is a TROJAN and not an OPERATOR ERROR. If anyone
is unsure whether or not a file is a trojan, and it's not listed in
the DD list, I recommend using a utility like BOMBSQAD.COM or
CHK4BOMB.EXE to prevent any mishaps. For VIRUSES, use FLUSHOT Plus.
After you call, I may ask you to upload the file so that I can
verify it myself if you are unable to.
A WORD FROM TOM SIRIANNI: NEW TYPE OF TROJAN -- THE VIRUS...
A virus is a trojan that attaches itself to certain files and, at a
predetermined time, attacks your FAT, DIR and/or BOOT areas,
CROSS-LINKing files and looking for ways to attach itself to
diskettes and other disks containing files such as IBMDOS, IBMBIO,
COMMAND.COM, etc. This type of virus spreads its dirty work to
other systems much like the flu or a cold, relying on the user to
carry it from machine to machine on diskettes. Protection (to a
limited degree) from these virus strains is available in the
programs SENTRY.ZIP and FSP_151.ZIP (FluShot Plus v1.51), both
available on the SCP Business BBS, 105/301 FidoNet, by REQUEST ONLY
at 1-503-648-6687 (PC-Pursuit/StarLink).
The better program, FLUSHOT, remains memory resident and will check
for and alert you to any unauthorized writes to COMMAND.COM, etc.
*** WARNING ***
Do not use FLUSHOT with DesqView, DoubleDos, AutoCad.
It may hang your system or at least sound a warning
to you. Only testing will tell.
*** What to do with VIRUSES ***
There are three ways to tell if you are infected:
1) First, have a GOOD DOS diskette with COMMAND.COM on it, PLUS
put a WRITE-PROTECT TAB on your DOS disk. Then, from your system,
do a DIR on the good DOS diskette. If you get a WRITE-ERROR, you
are infected -- DIR does not do any writing of any kind, whereas
the VIRUS does, trying to infect the diskette.
2) Another way is to check and compare the time-date stamp and
size of COMMAND.COM. The virus writes to COMMAND.COM, thereby
changing the time-date stamp (unless it is careful enough to put
the old stamp back, which is why the size and a CRC are worth
recording as well).
3) The third way is to use SENTRY and/or FLUSHOT. Both will tell
you if you are infected (FluShot will tell you that you are ABOUT
to be), so you can do a CTRL-ALT-DEL, boot from a good
(write-protected) DOS disk, and examine your hard disk or diskette.
You can use SENTRY/FLUSHOT to check for the strains listed below.
The psychologically unbalanced individuals writing and uploading
these programs will change their viral methods, so beware. Many
new virus-detection programs are in the works, both commercial and
shareware, to keep up with the viruses. Virus/Trojan information
texts are available to confirmed SYSOPS on SCP Business BBS. The
virus text files are ZIPped (ZIP is a type of ARCer used on most
BBS's) and can be File Requested through FidoNet 105/301 as
VIRUS-1.ZIP & VIRUS-2.ZIP.
The thing to do is to check the contents of your downloads via
ARC V or PKXARC/PKZIP -V before extracting. DO NOT DOWNLOAD any
files without available or known documentation unless you are
assured it is safe by the SYSOP. Also, do not accept any ARCHIVE or
diskette containing a file named COMMAND.COM or DOS System files.
Remember -- these new TROJANS are no laughing matter. Without
causing mass hysteria, use your best judgment, and check your
procedures first!
Final note: there is a commercial program called C-4 by InterPath
Corp. which, to date, detects and contains ALL known PC viruses,
whereas FluShot+ (last version tested, 1.3) handles only 29 of the
39 known PC viruses. C-4 is the more complete product, bearing in
mind that no detector can promise 100% protection against viruses
written after it was released; for a SHAREWARE program you cannot
beat FluShot.
C-4 by InterPath Corp., 4423 Cheeney St., Santa Clara, Calif. 95054,
1-408-988-3832.
FluShot Plus v1.51 by Ross M. Greenberg of RAMNET BBS,
1-212-889-6438. ShareWare (was $40.00).
------------
FROM ERIC NEWHOUSE:
A word on TROJANS -
I have been hearing more and more reports of these "worm"
programs, from all directions. While I don't doubt their
existence, do not get hysterical. Remember, a Trojan rumor is much
easier to START than it is to STOP. Some people have accused
legitimate *joke* programs like DRAIN (which pretends to
be gurgling excess water out of your A drive) of being "killers."
If a program locks up your system, it isn't necessarily a Trojan; it
might not like co-residing with Superkey, or your graphics card.
Ask around a little before you announce something as Trojan.
SIDE NOTE:
Unfortunately there is a DRAIN program out now that IS a trojan,
called DRAIN2, so *** BEWARE ***.
MISINFORMED:
Dorn Stickel has been named as the supposed author of several
trojans. Please take note that someone seems to be trying to
discredit the REAL Dorn Stickel, so please do not take your wrath
out on the real person.
Thanks.
ANSI TEXT FILES/DOC FILES and ARC files:
Did you know a TROJAN can be hidden in DOC and TEXT files? If your
system is configured for ANSI.SYS in your CONFIG.SYS file, a text
file can redirect your keyboard or reconfigure the keys: ANSI.SYS
accepts an escape sequence (ESC [ key code ; "string" p) that makes
any key type a string of the attacker's choosing.
For example, you could hit the F1 key and the trojan could do a
High Level Format; or hit ALT-X and it will say "del *.*" and
answer "yes". It can answer the prompts, and before you can say,
"What the '(&^(~*%' is going on?", your system is deleted.
USE A BROWSER OR LISTER PROGRAM WHEN LOOKING AT ANY TEXT/DOC FILE;
even an editor, PC Tools Edit, or a word processor will work. Such
programs normally write to the screen themselves instead of sending
the text through the DOS console device where ANSI.SYS sits, so the
escape sequences never reach ANSI.SYS and no redirection can take
place. (TYPE, COPY ... CON and MORE do go through ANSI.SYS, so
never TYPE an unknown file.) Also note that some ARCers allow ANSI
comments for displaying messages when the archive is listed or
extracted, and these too can redirect your keyboard to DEL files or
directories or do a High Level format. This is caused by having
ANSI.SYS installed. Either disable ANSI.SYS or use an alternate
ANSI driver that will NOT allow key redefinition.
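To make the keyboard-redefinition trick concrete, here is an added example (in Python; it is not code from this list or from any of the listers or ANSI drivers named above) that scans a text or DOC file for the ANSI.SYS key-reassignment sequence, reports which key gets remapped and to what, and strips every escape sequence so the file can be shown safely. The README text, the file names and the two remapped keys in SAMPLE_DOC are constructed for the example; the scan-code table covers only F1-F10 and Alt-X.

```python
from dataclasses import dataclass

# Extended keys are addressed as "0;<scan code>"; F1-F10 (59-68) and Alt-X (45)
# are the ones the alert above mentions. Anything else is reported by its code.
EXTENDED_KEYS = {45: "Alt-X", **{58 + n: f"F{n}" for n in range(1, 11)}}


@dataclass
class KeyRedefinition:
    offset: int        # byte offset of the ESC that opens the sequence
    key: str           # the key being remapped
    replacement: str   # what ANSI.SYS will feed to DOS when that key is pressed


def parse_csi(data: bytes, i: int):
    """Parse one ESC [ ... <final byte> sequence starting at data[i].
    Returns (params, final_byte, end_offset), or None if it is malformed."""
    if not data.startswith(b"\x1b[", i):
        return None
    params, j = [], i + 2
    while j < len(data):
        c = data[j]
        if c in (0x22, 0x27):                      # "..." or '...' string parameter
            k = data.find(bytes([c]), j + 1)
            if k < 0:
                return None
            params.append(data[j + 1:k].decode("cp437"))
            j = k + 1
        elif 0x30 <= c <= 0x39:                    # numeric parameter
            k = j
            while k < len(data) and 0x30 <= data[k] <= 0x39:
                k += 1
            params.append(int(data[j:k]))
            j = k
        elif c == 0x3B:                            # ';' separates parameters
            j += 1
        elif 0x40 <= c <= 0x7E:                    # final byte: 'm' = colours, 'p' = key remap
            return params, chr(c), j + 1
        else:
            return None
    return None


def _render(parts) -> str:
    """Numeric parameters after the key are character codes (13 = Enter)."""
    text = "".join(chr(p) if isinstance(p, int) else p for p in parts)
    return text.replace("\r", "<CR>").replace("\n", "<LF>").replace("\x1b", "<ESC>")


def find_key_redefinitions(data: bytes):
    """Return every 'p' sequence that reassigns a key, with the key and its new text."""
    hits, i = [], data.find(b"\x1b[")
    while i >= 0:
        parsed = parse_csi(data, i)
        if parsed and parsed[1] == "p" and parsed[0]:
            params, _, end = parsed
            if params[0] == 0 and len(params) > 1 and isinstance(params[1], int):
                key, rest = EXTENDED_KEYS.get(params[1], f"scan-{params[1]}"), params[2:]
            else:                                  # plain key given as a code or "x"
                key, rest = _render([params[0]]), params[1:]
            hits.append(KeyRedefinition(i, key, _render(rest)))
            i = data.find(b"\x1b[", end)
        else:
            i = data.find(b"\x1b[", i + 2)
    return hits


def strip_ansi(data: bytes) -> bytes:
    """What a safe lister does: drop every escape sequence before the text hits the screen."""
    out, i = bytearray(), 0
    while i < len(data):
        if data.startswith(b"\x1b[", i):
            parsed = parse_csi(data, i)
            i = parsed[2] if parsed else i + 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


# Constructed sample: a README with harmless colour codes and two key bombs.
SAMPLE_DOC = (b"README for COLORDIR v2.0\r\n"
              b"\x1b[1;33mThanks for downloading!\x1b[0m\r\n"
              b'\x1b[0;59;"ECHO Y | FORMAT C:";13p'        # F1 now types a format command + Enter
              b'\x1b[0;45;"DEL *.*";13;"Y";13p'            # Alt-X deletes and answers the prompt
              b"Press F1 for help.\r\n")

if __name__ == "__main__":
    for h in find_key_redefinitions(SAMPLE_DOC):
        print(f"offset {h.offset}: {h.key} -> {h.replacement!r}")
    print(strip_ansi(SAMPLE_DOC).decode("cp437"))
```

Run it over any downloaded .DOC or .TXT before you TYPE it: a sequence ending in 'p' whose parameters carry a quoted string is a key bomb whatever the file claims to be. Colour codes (final byte 'm') are ignored by the detector but removed by strip_ansi along with everything else.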
DEFINITIONS:
*TROJAN* BEWARE!! These programs PURPOSEFULLY damage a
user's system upon their invocation.
They usually aim to disable hard disks,
although they can destroy other
equipment, too. It is IMPERATIVE that
you let me know about any new examples of
these that you find.
*VIRUS* BEWARE!! These programs are the ultimate TROJAN,
designed to infect as well as destroy the
user's system and every other system they
spread to.
*CAREFUL* Programs labeled in this manner may or
may not be trojans; the question is
unresolved. Use caution when running
these programs!
NOTE: If a file extension is not supplied, that means that the
file circulates under many different extensions. For instance,
users commonly upload with extensions of .EQE, .CQM, .LBR, .LQR,
and .ARC.
-----------------------------------------------------------------
| TROJAN HORSE PROGRAMS: |
-----------------------------------------------------------------
NAME CATEGORY NOTES
-------------- -------- ---------------------------------------
3X3SHR *TROJAN* Time Bomb type trojan wipes the Hard
Drive clean. File size is 78848.
ANTI-PCB *TROJAN* The story behind this trojan horse is
sickening. Apparently one RBBS-PC
sysop and one PC-BOARD sysop started
feuding about which BBS system is
better, and in the end the PC-BOARD
sysop wrote a trojan and uploaded it to
the RBBS-PC SysOp under ANTI-PCB.COM. Of
course the RBBS-PC SysOp ran it, and
that led to quite a few accusations and
a big mess in general. Let's grow up!
Every SysOp has the right to run the
type of BBS that they please, and the
fact that a SysOp actually wrote a
trojan intended for another simply
blows my mind.
ARC2ZIP.EXE *VIRUS* This is a Lehigh virus strain that infects
COMMAND.COM, passed around as a utility for
converting ARCed files to ZIPped files. It
also copies itself into the ZIPped output,
and it stays resident (TSR) through the
infected COMMAND.COM, always looking for a
COMMAND.COM on a FLOPPY diskette. So it has
two ways of spreading.
ARC513.EXE *TROJAN* This hacked version of ARC appears
normal, so beware! It will write over
track 0 of your [hard] disk upon usage,
destroying the disk.
ARC514.COM *TROJAN* This is the same as ARC version 5.13
above in that it will overwrite track 0
(FAT Table) of your hard disk. I have yet
to see an .EXE version of this program.
ARC533.EXE *TROJAN* This is a new virus program designed to
*VIRUS* emulate SEA's ARC program. It infects
COMMAND.COM.
BACKTALK *TROJAN* This program used to be a good PD
utility, but someone changed it into a
trojan. Now this program will write/
destroy sectors on your [hard] disk
drive. Use this with caution if you
acquire it, because it's more than
likely that you got a bad copy.
CDIR.COM *TROJAN* This program is supposed to give you a
color directory of files on your disk,
but it in fact will scramble your
disk's FAT table.
D-XREF60.COM *TROJAN* A Pascal utility used for cross-
referencing, attributed to the infamous
"Dorn Stickel" (see MISINFORMED above).
It eats the FAT and BOOT sector after a
set time period has passed and if the
hard drive is more than half full.
DANCERS.BAS *TROJAN* This trojan shows some animated dancers
in color, and then proceeds to wipe out
your [hard] disk's FAT table. There is
another perfectly good copy of
DANCERS.BAS on BBS's around the
country; apparently the idiot trojan
author in question altered a legitimate
program to do his dirty work.
DISKSCAN.EXE *TROJAN* This was a PC-MAGAZINE program to scan
a [hard] disk for bad sectors, but then
a joker edited it to WRITE bad sectors.
Also look for this under other names
such as SCANBAD.EXE and BADDISK.EXE. A
good original copy is available on SCP
Business BBS.
DMASTER *TROJAN* This is yet another FAT scrambler.
DOSKNOWS.EXE *TROJAN* I'm still tracking this one down --
apparently someone wrote a FAT killer
and renamed it DOSKNOWS.EXE, so it
would be confused with the real,
harmless DOSKNOWS system-status
utility. All I know for sure is that
the REAL DOSKNOWS.EXE is 5376 bytes
long. If you see something called
DOSKNOWS that isn't close to that size,
sound the alarm.
DOS-HELP *TROJAN* This trojan, when made memory-resident,
is supposed to display help for whatever
DOS command the user names. It works fine
on a diskette system, but on a HARD DRIVE
system it tries to format the hard disk
with every access of DOS-HELP.
DPROTECT *TROJAN* Apparently someone tampered with the
original, legitimate version of
DPROTECT and turned it into a
FAT-table eater. A good version is
available on SCP Business BBS.
DRAIN2 *TROJAN* There really is a (harmless) DRAIN joke
program, but this revised version does a
Low Level Format while it is playing the
joke.
DROID.EXE *TROJAN* This trojan appears under the guise of
a game. You are supposedly an
architect that controls futuristic
droids in search of relics. In fact,
PC-Board sysops, if they run this
program from C:\PCBOARD, will find that
it copies C:\PCBOARD\PCBOARD.DAT to
C:\PCBOARD\HELP\HLPX. In case you were
wondering, the file size of the .EXE
file is 54,272 bytes.
DRPTR.ARC *TROJAN* File found on two boards in the 343
Net. After running the unsuspected file,
the only things left in the Sysop's
root directory were the subdirectories
and two of the three DOS System files,
along with a 0-byte file named
WIPEOUT.YUK. The Sysop's COMMAND.COM
was located in a different directory;
the file date and CRC had not changed.
DSZ (Patch) *CAREFUL* The author of this protocol program,
Chuck Forsberg, warns that an unregistered
version of DSZ that was HACKED with a
downloaded PATCH (to make it work fully)
may leave you with a SCRAMBLED FAT TABLE.
Someone created the hack patch and then
uploaded it to BBS's. *BEWARE* of the
PATCH! It is not the DSZ program that does
the dirty work, but the PATCH.
EGABTR *TROJAN* BEWARE! Description says something like
"improve your EGA display," but when
run, it deletes everything in sight and
prints, "Arf! Arf! Got you!"
EMMCACHE *CAREFUL* This program is not exactly a trojan,
but it (v. 1.0) may have the capability
of destroying hard disks by:
A) Scrambling every file modified after
running the program.
B) Destroying boot sectors.
This program has damaged at least two
hard disks, yet there is a base of
happily registered users. Therefore, I
advise extreme caution if you decide
to use this program.
FILER.EXE *TROJAN* One SysOp complained a while ago that
this program wiped out his 20 Megabyte
hard disk. I'm not so sure that he was
correct and/or telling the truth any
more. I have personally tested an
excellent file manager also named
FILER.EXE, and it worked perfectly.
Also, many other SysOps have written to
tell me that they, like me, have used a
FILER.EXE with no problems. If you
get a program named FILER.EXE, it is
probably alright, but better to test it
first using some security measures.
FILES.GBS *TROJAN* When an OPUS BBS system is installed
improperly, this file could spell
disaster for the Sysop. It can let a
user of any level into the system.
Protect yourself. Best to have a
sub-directory in each upload area
called c:\upload\files.gbs (this is an
example only). This would force Opus to
rename a file upload of files.gbs and
prevent its usage.
FINANCE4.ARC *CAREFUL* This program is not a verified trojan;
there is simply a file going around
BBS's warning that it may be a trojan.
In any case, execute extreme care with
it.
FLU4TXT.COM *TROJAN* Man, just when I thought we had it licked!
This trojan was inserted into FLUSHOT4.ARC
and uploaded to many BBS's. FluShot is a
protector of your COMMAND.COM. The author
of FluShot posted this trojan warning, and
I am posting it here in the DD. If you
need a good copy, you can get it from
here--SCP Business BBS--or on COMPUSERVE.
As of 05/14/88, FLUSHOT.ARC (FluShot Plus
v1.1) was the current version, not the
trojaned FLUSHOT4.ARC; see the header of
this issue for the version current today.
FUTURE.BAS *TROJAN* This "program" starts out with a very
nice color picture (of what, I don't
know) and then proceeds to tell you
that you should be using your computer
for better things than games and
graphics. After making that point, it
trashes your A: drive, B:, C:, D:, and
so on until it has erased all drives.
It does not go after the FAT alone; it
also erases all of your data. As far
as I know, however, it erases only one
sub-directory tree level deep, thus
hard disk users should only be
seriously affected if they are in the
"root" directory. I'm not sure about
this one either, though.
GATEWAY2 *TROJAN* Someone tampered with the version 2.0
of the CTTY monitor GATEWAY. What it
does is ruin the FAT. If you need a
good copy, you can file request it or
pick one up from 105/301--SCP Business
BBS--at 1-503-648-6687.
GRABBER *TROJAN* This program is supposed to be a SCREEN
CAPTURE program that copies the screen
to a .COM file to be run later from the
DOS command line. As a TSR it will also
attempt a DISK WRITE to the hard drive
when you do not want it to, and it will
wipe whole directories during a normal
DOS command. One sysop who ran it lost
his entire ROOT DIR, including his
SYSTEM files. The file status is:
Name Size Date Time
GRABBER.COM 2583 05/28/87 22:10
G-MAN *TROJAN* Another FAT killer.
LM *TROJAN* Deletes the COMMAND.COM and other
files from the ROOT directory of the
Hard Drive when the program runs.
MAP *TROJAN* This is another trojan horse attributed
to the infamous "Dorn Stickel" (see
MISINFORMED above). It claims to display
which TSRs are in memory, but it works on
the FAT and BOOT sector instead: a FAT
EATER.
MATHKIDS.ARC *TROJAN* This is a fairly benign trojan that
will not reformat your hard disks or do
any system-level damage. It is instead
designed to crack a BBS system. It
will attempt to copy the USERS file on a
BBS to a file innocently called
FIXIT.ARC, which the originator can
later call in and download. Believed
to be designed for PCBoard BBS's.
NOTROJ.COM *TROJAN* This "program" is the most sophisti-
cated trojan horse that I've seen to
date. All outward appearances indicate
that the program is a useful utility
used to FIGHT other trojan horses.
Actually, it is a time bomb that erases
any hard disk FAT table that IT can
find, and at the same time, it warns:
"another program is attempting a
format, can't abort!" After erasing the
FAT(s), NOTROJ then proceeds to start a
low level format. One extra thing to
note: NOTROJ only damages FULL hard
drives; if a hard disk is under 50%
filled, this program won't touch it!
If you are interested in reading a
thorough report on NOTROJ.COM, James H.
Coombes has written an excellent text
file on the matter named NOTROJ.TXT.
If you have trouble finding it, you
can get it from SCP Business BBS.
PACKDIR *TROJAN* This utility is supposed to "pack"
(sort and optimize) the files on a
[hard] disk, but apparently it
scrambles FAT tables.
PCW271xx.ARC *TROJAN* A modified version of the popular
PC-WRITE word processor (v. 2.71) has
now scrambled at least 10 FAT tables
that I know of. If you want to
download version 2.71 of PC-WRITE, be
very careful! The bogus version can be
identified by its size; it uses 98,274
bytes whereas the good version uses
98,644. For reference, version 2.7 of
PC-WRITE occupies 98,242 bytes.
PKX35B35.ARC } *TROJAN* These were supposed to be an update to
PKB35B35.ARC } *VIRUS* the PKARC file-compression utility, but
when used they *EAT your FATs*, and are
at least RUMORED to infect other files
so they can spread -- a possible VIRUS.
PKPAK/PKUNPAK *TROJAN* There is a TAMPERED version of 3.61
v3.61 *CAREFUL* that, when used, interferes with the
PC's interrupts.
PKFIX361.EXE *TROJAN* Supposed patch to v3.61. What it really
does, once extracted from the .EXE, is
access the DRIVE CONTROLLER directly and
do a Low-Level format, thereby bypassing
checking programs (which only watch the
DOS and BIOS disk calls).
PK362.EXE *CAREFUL* This is a NON-RELEASED version and is
suspected as being a *TROJAN* - not
verified.
PK363.EXE *CAREFUL* This is a NON-RELEASED version and is
suspected as being a *TROJAN* - not
verified.
QUIKRBBS.COM *TROJAN* This trojan horse advertises that it
will install a program to protect your
RBBS, but it does not. It goes and eats
away at the FAT.
QUIKREF *TROJAN* This ARChive contains ARC513.COM. It
claims to load RBBS-PC's message file
into memory twice as fast as normal.
What it really does is copy RBBS-PC.DEF
into an ASCII file named HISCORES.DAT.
RCKVIDEO *TROJAN* This is another trojan that does what
it's supposed to do, and then wipes out
hard disks. After showing some simple
animation of a rock star ("Madonna," I
think), the program will go to work on
erasing every file it can lay its
hands on. After about a minute of
this, it will create three ascii files
that say "You are stupid to download a
video about rock stars," or something
of the like.
SECRET.BAS *TROJAN* BEWARE!! This may be posted with a note
saying it doesn't seem to work, and
would someone please try it; when you
do, it formats your disks.
SIDEWAYS.COM *TROJAN* Be careful with this trojan; there is a
perfectly legitimate version of
SIDEWAYS.EXE circulating. Both the
trojan and the good SIDEWAYS advertise
that they can print sideways, but
SIDEWAYS.COM will trash a [hard] disk's
boot sector instead. The trojan .COM
file is about 3 KB, whereas the
legitimate .EXE file is about 30 KB
large.
STAR.EXE *TROJAN* Beware RBBS-PC SysOps! This file puts
some stars on the screen while copying
RBBS-PC.DEF to another name that can be
downloaded later!
STRIPES.EXE *TROJAN* Similar to STAR.EXE, this one draws an
American flag (nice touch), while it's
busy copying your RBBS-PC.DEF to
another file (STRIPES.BQS) so the joker
can log in later, download STRIPES.BQS,
and steal all your passwords. Nice,
huh!
SUG.COM *TROJAN* This one is supposed to go out and
unprotect copy-protected program disks
from Softguard Systems, Inc. After it
trashes your disk it comes back and
displays:
"This destruction constitutes a prima
facie evidence of your violation. If
you attempt to challenge Softguard
Systems Inc..., you will be vigorously
counter-sued for copyright infringement
and theft of services."
It also defeats CHK4BOMB's search for
hidden messages such as "YOU BEEN HAD..."
or "GOTCHA>>> Ar..Ar..Ar..": the gotcha
message is stored encrypted, so no trojan
checker can scan for it.
TIRED *TROJAN* Another scramble the FAT trojan by Dorn
W. Stickel.
TOPDOS *TROJAN* This is a simple high level [hard] disk
formatter.
TSRMAP *TROJAN* This program does what it's supposed to
do: give a map outlining the location
(in RAM) of all TSR programs, but it
also erases the boot sector of drive
"C:".
ULTIMATE.EXE *TROJAN* Another FAT eater - File status:
Name Size
ULTIMATE.EXE 3090
ULTIMATE.ARC 2432
UNIX *VIRUS* Not an MS-DOS file. Berkeley UNIX version
4.3 is not itself a virus; this entry
refers to the INTERNET worm that spread
between 4.3BSD hosts through the mail
system (sendmail), which is why it was
reported as a MAIL PACKET VIRUS. A patch
is available on SCP Business BBS.
VDIR.COM *TROJAN* This is a disk killer that Jerry
Pournelle wrote about in BYTE Magazine.
I have never seen it, although a
responsible friend of mine has.
WOW *VIRUS* Also known as the 1701 Virus. This
is reported as a new strain of the
Lehigh Virus, but it goes after not only
COMMAND.COM but any .COM file. As it
does so, the infected file grows by
1,701 bytes in SIZE. The infection takes
place when you run an infected .COM; WOW
is a TSR. What it does when you run WOW
is display an advertisement:
""The Wizards of Warez"
in association with
the copycats
the Pirates Unlimited
OUTRUN
WOW 1989 "
The virus is also known as WOWTITLE.
-----------------------------------------------------------------
| If you run a trojan horse..... |
-----------------------------------------------------------------
While reading this, bear in mind that there is no better remedy
for a drive that has run a trojan horse and been damaged than a
recent backup.
The first thing to do after running what you think to be a trojan
horse is to diagnose the damage. Was your [hard] drive formatted?
Did the trojan scramble your FAT table? Did every file get
erased? Did your boot sector on the [hard] drive get erased/
formatted? Odds are that the trojan incurred one of these four
disasters. After the initial diagnosis, you are ready to remedy
the problem.
1) If the trojan low-level formatted your [hard] disk:
Hope that you have a recent backup; that's the only sure
remedy for this disease.
2) If the trojan high-level formatted your [hard] disk:
There is only one way out of this mess, and that is to use
the MACE+ utilities by Paul Mace. MACE+ has two devices in
it to recover formatted disks, and believe me, they work! I
will talk more about the MACE+ utilities later.
3) If the trojan scrambled your FAT table:
Once again, there is nothing to do after the fact unless you
have a saved copy of the FAT. There is a program called
FATBACK.COM (available on my board as FATBACK.ARC) that will
back up your FAT table to floppy in under a minute, so the
saved copy can be written back after a trojan scrambles it.
Using FATBACK, it is easy and not time consuming to back up
your FAT regularly.
4) If the trojan erased file(s), and the FAT table is undamaged:
There are many packages to undelete deleted files: Norton
Utilities, PC-Tools, MACE+, and others that'll do the job. I
recommend the first three; they are commercial and available at
most computer software stores or mail-order stores.
When you are undeleting, be sure to undelete files in the
order of last time written to disk. I know that PC-Tools
automatically lists undeletable files in the correct order,
but the other two may not.
5) If the boot sector on your [hard] disk gets erased/formatted:
There are four things to do if this happens, and the worst
that can happen is that you will go without a [hard] disk for
a while. To be on the safest side, back up everything before
even proceeding to step "A," although I can not see why it
would be necessary.
A) Try doing a "SYS C:" (or "SYS A:") from your original
DOS disk, and copy COMMAND.COM back onto the [hard]
drive after that. Try booting, and if that doesn't
work, try step B.
B) If you have the MACE+ utilities, go to the "other
utilities" section and "restore boot sector." This
should do the job if you have been using MACE+
correctly. If you are using PC Tools Deluxe, use the MIRROR
REBUILD utility function.
C) If you are still stuck, BACK UP EVERYTHING and proceed
to do a low-level format. Instructions on how to
perform a low-level format should come with your [hard]
disk controller card. Be sure to map out bad sectors
using either SCAV.COM by Chris Dunford or by manually
entering the locations of bad sectors into the low-level
format program. After the low level format on your hard
disk, run FDISK.COM (it comes with DOS) and create a DOS
partition. Refer to your DOS manual for help in using
FDISK. Then put your original DOS diskette in drive A:
and do a FORMAT <drive letter>:/S/V. Drive letter can
stand for "C" or "B" depending on whether you are
reformatting a hard disk or not. Finally you are ready
to attempt a reboot.
D) If you are still stuck, either employ some professional
computer repair person to fix your drive, or live with a
non-bootable [hard] drive.
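The FAT backup that step 3 above relies on (FATBACK.COM) and the boot-sector restore of step 5 are simple enough to show end to end. Here is an added example in Python, not code from this list or from FATBACK, MACE+ or PC Tools: it reads the BIOS Parameter Block in the boot sector of a FAT12 floppy image to locate the FAT copies, saves the boot sector and FAT, refuses to back up a FAT whose two copies already disagree, and writes everything back after a simulated FAT-scrambling trojan. The 360 KB image, its geometry and the single file on clusters 2 -> 3 -> 4 are constructed for the example; on a real DOS machine the sectors would be read with INT 25h/26h instead of from an image file.

```python
import struct

SECTOR = 512


def get_fat12(fat: bytes, n: int) -> int:
    """Read FAT12 entry n: entries are 12 bits packed 1.5 bytes apart; odd ones sit in the high nibble."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF


def set_fat12(fat: bytearray, n: int, value: int) -> None:
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | ((value & 0xFFF) << 4) if n & 1 else (word & 0xF000) | (value & 0xFFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def make_sample_floppy() -> bytearray:
    """Constructed 360 KB FAT12 image: 1 reserved sector, 2 FATs of 2 sectors each,
    112 root entries, and one file occupying clusters 2 -> 3 -> 4."""
    image = bytearray(720 * SECTOR)
    # jump, OEM name, then the BPB: bytes/sector, sectors/cluster, reserved sectors,
    # number of FATs, root entries, total sectors, media byte, sectors per FAT
    struct.pack_into("<3s8sHBHBHHBH", image, 0, b"\xeb\x3c\x90", b"MSDOS3.3",
                     SECTOR, 2, 1, 2, 112, 720, 0xFD, 2)
    image[510:512] = b"\x55\xaa"                     # boot sector signature
    fat = bytearray(2 * SECTOR)
    for cluster, value in ((0, 0xFFD), (1, 0xFFF), (2, 3), (3, 4), (4, 0xFFF)):
        set_fat12(fat, cluster, value)
    image[1 * SECTOR:3 * SECTOR] = fat               # FAT #1
    image[3 * SECTOR:5 * SECTOR] = fat               # FAT #2, the mirror DOS keeps
    return image


def parse_bpb(image) -> dict:
    """Pull the disk geometry out of the boot sector; refuse if the boot sector is gone."""
    if bytes(image[510:512]) != b"\x55\xaa":
        raise ValueError("boot sector signature missing: boot sector erased or overwritten")
    bps, spc, reserved, nfats, root, total, media, spf = struct.unpack_from("<HBHBHHBH", image, 11)
    if bps not in (512, 1024, 2048, 4096) or nfats == 0 or spf == 0:
        raise ValueError("BPB is not sane: boot sector damaged")
    return {"bps": bps, "spc": spc, "reserved": reserved, "nfats": nfats,
            "root_entries": root, "total_sectors": total, "media": media, "spf": spf}


def fat_copies(image) -> list:
    """Every FAT copy on the disk, located from the BPB (they follow the reserved sectors)."""
    b = parse_bpb(image)
    size, first = b["spf"] * b["bps"], b["reserved"] * b["bps"]
    return [bytes(image[first + k * size:first + (k + 1) * size]) for k in range(b["nfats"])]


def backup_fat(image) -> dict:
    """FATBACK-style backup: boot sector plus the FAT, but only while the copies still agree."""
    copies = fat_copies(image)
    if any(c != copies[0] for c in copies[1:]):
        raise ValueError("FAT copies disagree: the FAT is already damaged, do not back it up")
    return {"boot": bytes(image[:parse_bpb(image)["bps"]]), "fat": copies[0]}


def restore_fat(image, backup: dict) -> bytearray:
    """Write the saved boot sector back first (so the layout can be trusted), then every FAT copy."""
    out = bytearray(image)
    out[:len(backup["boot"])] = backup["boot"]
    b = parse_bpb(out)
    size, first = b["spf"] * b["bps"], b["reserved"] * b["bps"]
    for k in range(b["nfats"]):
        out[first + k * size:first + (k + 1) * size] = backup["fat"]
    return out


def fat_chain(fat: bytes, start: int, limit: int = 720) -> list:
    """Follow a cluster chain until an end-of-chain mark (>= 0xFF8), a loop, or a bad entry."""
    chain, n = [], start
    while 2 <= n < 0xFF8 and n not in chain and len(chain) < limit and n + n // 2 + 1 < len(fat):
        chain.append(n)
        n = get_fat12(fat, n)
    return chain


def demo() -> dict:
    image = make_sample_floppy()
    backup = backup_fat(image)                       # taken while the disk is healthy
    before = fat_chain(fat_copies(image)[0], 2)
    # Simulate a FAT-scrambling trojan: junk over both FAT copies, zero the boot sector.
    hit = bytearray(image)
    for start in (1 * SECTOR, 3 * SECTOR):
        hit[start:start + 2 * SECTOR] = bytes((i * 37 + 11) & 0xFF for i in range(2 * SECTOR))
    hit[:SECTOR] = bytes(SECTOR)
    try:
        parse_bpb(hit)
        readable = True
    except ValueError:
        readable = False
    restored = restore_fat(hit, backup)
    return {"before": before, "readable_after_hit": readable,
            "after_restore": fat_chain(fat_copies(restored)[0], 2),
            "restored_equals_original": restored == image}


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the backup refuses a FAT whose mirror copies differ, because a copy taken after the damage only preserves the damage; and the boot sector is restored before the FAT, since without the BPB nothing can say where the FAT lives. The backup only restores the allocation map, not data the trojan overwrote, which is why the list keeps saying backup.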
A few words of caution on prevention:
1) Get the protection programs from a RELIABLE source. Always ask
about any unknown program - virus protection or otherwise - before
downloading or running it.
2) Don't let down your guard! Most virus protection programs
intercept specific types of activities (disk writes, for example)
or specific viruses (such as Apple's VirusRX targeting the Scores
virus); a new virus that does neither walks right past them.
3) Make periodic file listings and compare them regularly to
prior listings. Look for unusual changes or unfamiliar files,
such as new Hidden or System files, and for files whose size or
date has changed when you did not change them. INVESTIGATE
ANYTHING OUT OF THE ORDINARY!
4) BACKUP - BACKUP - BACKUP! Keep current backups. I know, I
know. Everyone tells you, even your mom (smile). At least make
regular copies of your most important databases and files and,
most importantly, KEEP your OLD COPIES around a little longer
just to be on the safe side. I have a set devoted strictly to a
MASTER BACKUP in case my system's current backup is bad. Then all
is not lost, as I have a MASTER to put me back up.
5) Don't run programs that you got off a BBS on your BOSS's
machine! Use your own PC first. This could save you the
embarrassment of facing his ugly mug (smile) and losing your
job.
REMEMBER: The Best Defense is Good * BACKUP *
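Points 2 and 3 above, and check 2 in the virus section (comparing COMMAND.COM's time-date stamp), all come down to keeping a file listing and comparing it. Here is an added example in Python that does this, not code from this list or from any product it names: it records size, time stamp and CRC-32 for every file, reports what changed between two listings and how, and checks sizes against the figures this list gives for DOSKNOWS.EXE (the real one is 5376 bytes) and for GRABBER.COM and ULTIMATE.EXE (trojans at 2583 and 3090 bytes). The directory tree, the file contents and the three simulated infections in demo() are constructed for the example.

```python
import os
import tempfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    size: int
    mtime: int   # whole seconds; DOS stamps only resolve to 2 s anyway
    crc: int     # CRC-32 of the contents: a virus can put the old date back, not the old CRC


# Sizes taken from the entries above: the real DOSKNOWS.EXE, and two files that are trojans at these sizes.
KNOWN_GOOD_SIZES = {"DOSKNOWS.EXE": 5376}
KNOWN_BAD_SIZES = {"GRABBER.COM": 2583, "ULTIMATE.EXE": 3090}


def snapshot(root: str) -> dict:
    """Record size, time stamp and CRC-32 of every file under root (names upper-cased, DOS style)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                crc = zlib.crc32(f.read())
            st = os.stat(full)
            snap[os.path.relpath(full, root).upper()] = Entry(st.st_size, int(st.st_mtime), crc)
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two listings; each changed file says how it changed, so a same-size,
    same-stamp CRC change (a careful virus) still stands out."""
    report = {"added": [], "removed": [], "changed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            report["added"].append(name)
        elif name not in after:
            report["removed"].append(name)
        elif before[name] != after[name]:
            b, a = before[name], after[name]
            report["changed"].append({"name": name, "size_delta": a.size - b.size,
                                      "stamp_changed": a.mtime != b.mtime,
                                      "content_changed": a.crc != b.crc})
    return report


def size_alarms(snap: dict) -> list:
    """Match the listing against the sizes the Dirty Dozen gives for known-good and known-bad files."""
    alarms = []
    for name, e in snap.items():
        base = os.path.basename(name)
        if base in KNOWN_BAD_SIZES and e.size == KNOWN_BAD_SIZES[base]:
            alarms.append(f"{name}: {e.size} bytes matches the trojan listed under {base}")
        elif base in KNOWN_GOOD_SIZES and e.size != KNOWN_GOOD_SIZES[base]:
            alarms.append(f"{name}: {e.size} bytes, but the real {base} is {KNOWN_GOOD_SIZES[base]}")
    return alarms


def _write(path, data, mtime):
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate three of the changes
    described in the list and see what the comparison catches."""
    t0 = 600_000_000                      # arbitrary 1989-era time stamp (example value)
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "COMMAND.COM"), b"\xe9\x00\x00" + bytes(997), t0)
    _write(os.path.join(root, "DOSKNOWS.EXE"), b"MZ" + bytes(5374), t0)
    _write(os.path.join(root, "GAME.COM"), b"\xb4\x09" + b"\x90" * 300, t0)
    before = snapshot(root)
    # 1) Lehigh-style hit on COMMAND.COM: same size, different contents, new stamp
    _write(os.path.join(root, "COMMAND.COM"), b"\xe9\x10\x00" + bytes(997), t0 + 60)
    # 2) 1701-style hit on GAME.COM: grows by 1,701 bytes, but the old stamp is put back
    with open(os.path.join(root, "GAME.COM"), "ab") as f:
        f.write(b"\xcc" * 1701)
    os.utime(os.path.join(root, "GAME.COM"), (t0, t0))
    # 3) a new download whose size matches a listed trojan
    _write(os.path.join(root, "GRABBER.COM"), b"\xb8\x00\x00" + bytes(2580), t0 + 120)
    after = snapshot(root)
    return {"diff": diff_snapshots(before, after), "alarms": size_alarms(after)}


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed"):
        for name in result["diff"][kind]:
            print(f"{kind}: {name}")
    for c in result["diff"]["changed"]:
        print(f"changed: {c['name']} size {c['size_delta']:+d}, "
              f"stamp {'changed' if c['stamp_changed'] else 'same'}, "
              f"contents {'changed' if c['content_changed'] else 'same'}")
    for a in result["alarms"]:
        print("ALARM:", a)
```

The 1701-style case is why the stamp alone is not enough: the date comes back unchanged and only the size and CRC give it away. Keep the saved listing on a write-protected floppy; a listing kept on the infected disk can be rewritten along with everything else.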
---------------------------------------------------------------
| Update History: |
---------------------------------------------------------------
Version 1.0 Plans were drawn up for a "bad file" list and a
dozen bad files were entered in the list.
Version 2.0 Saw the addition of a short introduction and three
more files. All work up to here was done by Tom
Neff.
Version 3.0 Here Tom Neff and I started collaborating on the
Dirty Dozen; 22 files were added, and the
introduction was completely rewritten. Version 3.0
had a total of 37 files.
Version 4.0 By this time I totally took over responsibility of
the DD, as Tom Neff lost interest. Another 30 or
so files were added to the list, making the DD 65+
files strong, as well as a few more additions to
the introduction.
Version 5.0 By the time I released version 5.0 to the public,
the Dirty Dozen was being greeted favorably and
with enthusiasm around the country. Updates
started coming in with regularity; the list
prospered (if one can say that about a list!). A
few more paragraphs were added to the introduction,
and about 40 new files were bringing the file total
up to 103!
Version 6.0 The Dirty Dozen is now such a big project that I am
now writing it in stages. Although I am going to
make absolutely no effort to spread these
"intermediate versions," they will always be
downloadable from my board. This way, if anyone so
desires, they may keep an extremely current issue
of the DD, although the changes will only be minor.
You might think of stage "a" of issue #6 as version
6.1, stage "b" as version 6.2, stage "c" as version
6.3, etc.
New in version 6.0 is the following:
A) Many minor revisions.
B) 17 more files, bringing the total to 120!
C) Two new paragraphs in the introduction.
D) Instructions on how to recover from a trojan
horse.
E) A comprehensive glossary.
F) This update history.
G) An acknowledgments section set up for major
contributors of information regarding new
"bogusware".
H) A new bogusware category of "miscellaneous
illegalsoftware."
Version 6.0a MOVBASIC.ARC and SBASICA added to the list of
illegal files, as well as six Trojan horses have
been added to the list.
Version 6.0c NOTROJ.COM added to the trojan horse list.
Version 6.0d DOG102A.COM added to the hacked files list. HACKED
files separated from TROJAN files
Version 6.0e DANCERS.BAS added to the trojans list.
Version 6.0f Four pirated files added, plus NODISK-A and DMASTER
to trojans
Version 6.0g NODISK-A removed from trojan horse list and placed
into pirated programs list. Monopoly warning
issued in misc section. Added a few pirated
programs. plus DPROTECT added as trojan.
Version 6.0h EMMCACHE and TIRED added to trojan list, plus PEII
added.
Version 6.0i Added TOPDOS to Trojan list, and AUTOMAXX to HACKED
list.
Version 6.0j Added QUICKREF to trojans list. Revised
introduction, and added a paragraph to the intro
about modifying the DD.
Version 6.0k Moved paragraph about 'I'm not responsible for this
list' to the front of the file for legal reasons.
Also added the '*' convention for HACKED programs.
Version 6.0l Added FINANCE4 as a possible trojan. Added a few
glossary definitions.
Version 7.0 The major changes in this version took place in the
revision stages above. However, I still changed
quite a bit in version 7.0 compared to 6.0 revision
stage 'L;' for example, I added 17 new pirated
programs, bringing the file total to a whopping
165! Moreover, I rewrote virtually every paragraph
in the dirty dozen in order to 'stylize' (clean up
the writing in) the document. Once again, I would
like to thank all users who called in updates to
the Dirty Dozen; those users are the people that
encourage me to keep producing the dirty dozen!
Version 7.0a Added three pirated programs, and the *CAREFUL*
category for the program EMMCACHE.ARC, version 1.0.
Version 7.0b Changed entry for XTREE, deleted monopoly entry,
and added seven new pirated programs.
Version 7.0c Added two new trojans (PC-WRITE 2.71 and DROID.EXE)
and revised entry for AUTOMAXX.
Version 8.0a December 25, 1987. The Official Dirty Dozen List
format and content were adopted for the Official Net
105 DD List; all available Trojan information was
extracted from the Newhouse Dirty Dozen List.
Added Dos-Help.COM and SUG.COM. Added special
text on VIRUSES.
Version 8.0b Added notes on FLU_SHOT; added DRAIN2 to the Trojan
list.
Version 8.0c Added FLU4TXT.COM, GATEWAY2, DSZ to the list.
Version 8.0d Increased coverage of Virus/Trojan strain
information. Modified introduction.
Version 8.0e Removed Virus Report Information (now contained in
VIRUS000.ARC); added D-XREF60.COM, DRPTR.COM,
MATCHKIDS, and FILES.GBS. Added dedication to Eric
Newhouse and Tom Neff for their tremendous efforts;
added new information to header of report (title,
contact point, etc.). Modified introduction,
edited document to present more professional
appearance.
Version 9.0a Added ULTIMATE.EXE, GRABBER.COM, PKX35B35.ARC,
PKB35B35.ARC to the list.
Also added prevention tactics for Users.
Version 9.0b Added 3X3SHR, G-MAN, PKPAC/PKUNPAC, PKFIX361.EXE,
PK362.EXE, PK363.EXE, UNIX, ARC533.EXE.
Version 10.0a Added ARC2ZIP.EXE, WOW viruses, and LM. Added note
about ANSI in some forms of ARC files.
-----------------------------------------------------------------
| Glossary: |
-----------------------------------------------------------------
I have intended this glossary for the beginning to intermediate
user; all experienced BBS users will be bored to death with this.
?Q? -- (? standing for any character). File
extension for SQueezed files. Squeezed files
are unusable until unsqueezed by a utility
such as NUSQ.COM or USQ.COM. The advantage of
a SQueezed file is that it is smaller than a
regular UnSQueezed file, thus saving disk
space and download time. ARChives are more
efficient than Squeezed files; that's why
there are so many more ARChives on BBS's these
days. Example of the extensions of SQueezed
files: .EQE, .CQM, .LQR, .TQT, .DQC, etc.
ABBRV -- Abbreviation for the word: "abbreviation"
ARC -- File extension for an ARChive file: many files
combined (and compressed) into one to save space
and download time. ARC.EXE, PKXARC.COM, ARCE.COM
or ARCLS.EXE separate the files back out into
runnable (or, in the case of text, readable)
form.
BAS -- Abbrv for "BASIC," as in the programming
language
BBS -- Abbrv for "Bulletin Board System"
BBS's -- Abbrv for "Bulletin Board Systems"
BOARD -- Also "Bulletin Board System"
BOGUSWARE -- Software that is damaging to one or more
parties
BOOT or -- To boot a computer is to restart it from
REBOOT scratch, clearing memory and with it every TSR
program. One reboots either by powering off and
back on (a cold boot) or by pressing Ctrl-Alt-Del
(a warm boot). Ctrl-Alt-Del is handled by the
keyboard interrupt, which a resident program can
intercept; only a power-off boot from a
write-protected system diskette is certain to
clear out a hostile TSR.
BYTES -- Bytes measure the length of a file, with one
byte equaling one character in a file.
CACHE [disk] -- Area of memory set aside to hold recently read
disk data. Programs that read the same data again
get it from that memory rather than from the disk.
CLUSTER -- The smallest unit of disk space DOS allocates to
a file: a fixed number of consecutive sectors,
tracked by one entry in the FAT.
COM -- File extension for a file that is executable
from DOS level. A .COM file is a raw memory
image of at most 64 KB, loaded at offset 100h
with no header.
DD -- Abbrv for "dirty dozen"
DOC -- Abbrv for "documentation"
EMS -- Expanded Memory Specification (the Lotus/
Intel/Microsoft standard). An EMS board adds
memory beyond the 640 KB DOS limit, which
programs reach through a 64 KB page frame;
boards of the day commonly carry 2 MB.
EXE -- File extension for a file that is executable
from DOS level. Unlike a .COM, an .EXE begins
with a header holding load and relocation
information and may be larger than 64 KB.
HACKED -- A program that has been changed in some way by
another person or program
HIGH-LEVEL -- This type of format is what most computer
FORMAT users view as a regular DOS-format. That is,
formatting a disk using FORMAT.COM (included
with DOS) is a high-level format.
IBM -- Abbrv for International Business Machines
IBM OR COMP -- IBM computer or a 99% or greater IBM
Compatible computer
KB -- Abbrv for "KiloBytes," one KB equals 1024
bytes
LBR -- Extension on Library files. Library files are
really many combined files like ARChives, but
they require different utilities to extract
the individual files. Some examples of such
utilities are LUU.EXE, LUE.EXE, LAR.EXE, and
ZIP.EXE. See "ARC".
LOW-LEVEL -- Writing the track and sector marks onto a disk.
FORMAT FORMAT.COM does this itself for diskettes; on a
hard disk it is a separate step, so most low-level
format programs come with the hard disk controller
card, though a few PD packages exist. Most
manufacturers low-level format their hard drives
at the factory. It is the first step of the
three-part process for a hard disk: low-level
format, then FDISK to create the partition, then
a high-level format with FORMAT.COM.
MB -- Abbrv for "Megabytes," or "millions of bytes."
MISC -- Abbrv for "miscellaneous"
OPTIMIZE -- To make all files on a disk "contiguous," or
physically linked together on a [hard] drive.
PATCH -- A file of byte changes applied to another file
(usually a program) to alter it in some way. A
patch rewrites the program it is applied to, so
one from an unknown uploader deserves the same
caution as any other executable.
PD -- Abbrv for "Public Domain"
PIRATED -- See DEFINITIONS section in this issue.
RAM -- Abbrv for "Random Access Memory." (memory
used by software)
RBBS -- Abbrv for RBBS-PC, a type of BBS (Remote
Bulletin Board System)
ROM -- Abbrv for "Read Only Memory" (memory used by
hardware to boot)
SYSOP -- Abbrv for SYStem OPerator of a BBS
*TROJAN* -- See DEFINITIONS section in this issue.
TROJAN HORSE -- See DEFINITIONS section in this issue.
TSR -- Abbrv for "Terminate and Stay Resident";
Synonym = "Memory Resident"
TXT -- Abbrv for "text"
USU -- Abbrv for "usually"
UNP -- Abbrv for "unprotect"
UNPROTECT -- An "unprotect file" is a patch file that
results in the breaking of copy protection (no
doubt for backup purposes).
UTIL -- Abbrv for "utility"
VIRUS/WORM -- The Ultimate Trojan Horse; infection of the PC.
A virus attaches itself to a host (a program
file or a boot sector) and spreads whenever that
host is run or booted; a worm is a complete
program that copies itself to other systems on
its own. Both keep spreading after the original
carrier is gone, which is what sets them apart
from an ordinary trojan. See DEFINITIONS
section in this issue.
ZOO -- All files compressed with ZOO.EXE bear this
file extension. ZOO-compressed files are NOT
compatible with ARC.EXE.
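The ?Q?, ARC, LBR and ZOO entries above describe archive containers by the tool that opens them; the ARC layout itself is simple enough to read directly. The following is an added example, not code from this list or from SEA's ARC: it walks an ARC file's per-entry headers and reports each name, size and date without extracting anything (the "ARC V" view), verifies the CRC-16 of entries stored uncompressed, and flags names that match DOS system files. The sample archive, its file names and its dates are constructed for the example; the DOS system file names are those of PC-DOS and MS-DOS.

```python
"""List the entries of an ARC archive without extracting anything.

Added example; not code from the Dirty Dozen or from SEA's ARC.  Walks the
per-file headers of the ARC format (the "ARC V" view), verifies the CRC-16
of entries stored without compression and flags DOS system file names.
The sample archive at the bottom is constructed in memory.
"""
import struct
from datetime import datetime
from typing import Optional

# ARC compression method (header byte 1).  0 marks the end of the archive.
METHODS = {1: "unpacked (old)", 2: "unpacked", 3: "packed", 4: "squeezed",
           5: "crunched", 6: "crunched", 7: "crunched", 8: "crunched",
           9: "squashed"}

# Names a download has no business carrying: copying one of these onto a
# boot disk replaces part of DOS itself.  (IO.SYS/MSDOS.SYS are the MS-DOS
# names of IBMBIO.COM/IBMDOS.COM.)
DOS_SYSTEM_FILES = {"COMMAND.COM", "IBMBIO.COM", "IBMDOS.COM",
                    "IO.SYS", "MSDOS.SYS"}


def crc16_arc(data: bytes) -> int:
    """CRC-16 as used by ARC: reflected polynomial 0xA001, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def dos_datetime(date: int, time: int) -> datetime:
    """Decode the packed DOS date and time fields (two-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def list_arc(blob: bytes) -> list:
    """Return one dict per entry; raise ValueError on a malformed archive."""
    entries, pos = [], 0
    while True:
        if pos + 2 > len(blob) or blob[pos] != 0x1A:
            raise ValueError(f"no 0x1A header marker at offset {pos}")
        method = blob[pos + 1]
        if method == 0:                 # end-of-archive marker
            return entries
        hdr_len = 25 if method == 1 else 29   # method 1 lacks the original-size field
        hdr = blob[pos:pos + hdr_len]
        if len(hdr) < hdr_len:
            raise ValueError(f"truncated header at offset {pos}")
        name = hdr[2:15].split(b"\0", 1)[0].decode("ascii", "replace")
        csize, date, time, crc = struct.unpack_from("<IHHH", hdr, 15)
        osize = csize if method == 1 else struct.unpack_from("<I", hdr, 25)[0]
        data = blob[pos + hdr_len:pos + hdr_len + csize]
        if len(data) != csize:
            raise ValueError(f"{name}: data runs past the end of the archive")
        entry = {"name": name,
                 "method": METHODS.get(method, f"unknown ({method})"),
                 "compressed": csize, "original": osize,
                 "stamp": dos_datetime(date, time),
                 "crc_ok": None,        # unknown unless the data is stored as-is
                 "system_file": name.upper() in DOS_SYSTEM_FILES}
        if method in (1, 2):            # stored data: CRC checkable without decompressing
            entry["crc_ok"] = crc16_arc(data) == crc
        entries.append(entry)
        pos += hdr_len + csize


def is_well_formed(blob: bytes) -> bool:
    """True when the archive parses through to its end marker."""
    try:
        list_arc(blob)
        return True
    except ValueError:
        return False


def make_stored_entry(name: str, data: bytes, date: int, time: int,
                      crc: Optional[int] = None) -> bytes:
    """Build a method-2 (unpacked) header plus data for the constructed sample."""
    crc = crc16_arc(data) if crc is None else crc
    return struct.pack("<BB13sIHHHI", 0x1A, 2, name.encode("ascii"),
                       len(data), date, time, crc, len(data)) + data


# Constructed sample archive (not a real upload): a harmless text file, a
# COMMAND.COM that should never be in a download, and an entry whose stored
# CRC deliberately does not match its data.  0x12BB / 0x5A00 decodes to
# 1989-05-27 11:16:00.
SAMPLE_ARC = (make_stored_entry("README.TXT", b"Read me first.\r\n", 0x12BB, 0x5A00)
              + make_stored_entry("COMMAND.COM", b"\xEB\x10\x90" * 5, 0x12BB, 0x5A00)
              + make_stored_entry("BAD.DAT", b"tampered", 0x12BB, 0x5A00,
                                  crc=crc16_arc(b"tampered") ^ 0xFFFF)
              + b"\x1A\x00")

if __name__ == "__main__":
    for e in list_arc(SAMPLE_ARC):
        flags = (" <-- DOS system file" if e["system_file"] else "") + \
                (" <-- CRC mismatch" if e["crc_ok"] is False else "")
        print(f"{e['name']:<13}{e['method']:<15}{e['original']:>7}"
              f"  {e['stamp']:%Y-%m-%d %H:%M}{flags}")
```

A listing only tells you what an archive claims to contain; a trojan is just an ordinary program with a plausible name, so a clean listing is a reason to look further, not a reason to run the contents. A CRC mismatch on a stored entry, or data that runs past the end of the archive, does mean the file was tampered with or damaged in transfer and should be discarded.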
<< End of file >>
| |
|THE DIRTY DOZEN -- An Uploaded Trojan/Virus Program Alert List|
| This is a FidoNet Version of Dirty Dozen. |
----------------------------------------------------------------
| For MSDOS machines ONLY Issue #10: May 27, 1989|
| |
| Revision Stage 'A' |
| |
| Compiled by Tom Sirianni of FidoNet 105/301 - LCRNET 1010/0 |
| Edited by Sally Neuman of FidoNet 105/301 |
----------------------------------------------------------------
IMPORTANT NOTE:
This Trojan Alert List is dedicated to the efforts of the
originator, Eric Newhouse, as well as Tom Neff, who spent tireless
hours/days compiling, researching, and testing various trojans,
pirates, and viruses, and reporting the results to you, the user.
It is because of these efforts that this list must and will be
aggressively maintained.
Tom Sirianni
SCP Business BBS
FidoNet 105/301
SCP Business BBS nor its author assumes any responsibility for the
validity or completeness of this list. Many sources contribute to
the list, and it is very possible that one of the reported 'dirty'
files works perfectly and is in the Public Domain. I will try to
asterisk (*) any programs what I feel are not positively 'bad'.
But all the same, it is quite possible that a mistake will slip in
somewhere. Since this is the case, please keep in mind while
reading this list that, however unlikely, it is possible that I am
(or my sources are) incorrect in any accusation.
Note: ** Some TROJANS are designed to work only on Hard Drives **
so it may work just fine a Diskette System.
HELP FROM USERS REQUESTED:
Users upload bad software to hundreds of boards every day, and
often times, the software is not yet in this list, or the file may
have been corrupted due to a bad ARCHIVE. However, if you run a
trojan horse program that is not listed here, please don't send it
to SCP Business BBS. Instead, give me a call (SCP Business BBS
phone 1-503-648-6687 9600/2400/1200/300 baud supported) and leave
me a message about the program (with a complete filename and any
other information you may have) so that I can get the destructive
program in the next issue. It is important to verify that the
program is a TROJAN and not an OPERATOR ERROR. If anyone is
unsure whether or not a file is a trojan, and it's not listed in
the DD list, I recommend using a utility like BOMBSQAD.COM or
CHK4BOMB.EXE to prevent any mishaps. For VIRUSES, use FLUSHOT Plus.
If after calling I may want you up load it just to verify it myself
if you are unable to.
A WORD FROM TOM SIRIANNI: NEW TYPE OF TROJAN -- THE VIRUS...
A Virus is a trojan which attaches itself to certain files and at
predetermined time attacks your FAT, DIR, and/or BOOT areas,
CROSS-LINKing files and looking for ways to attach itself to
diskettes and other disks containing files such as IBMDOS, IBMBIO,
COMMAND.COM, etc. This type of virus spreads its dirty work to
other systems much like the flu or a cold, relying on the user to
spread the VIRUS. Protection (to a limited degree) from these
virus strains is available in the programs SENTRY.ZIP or
FSP_151.ZIP (FluShot Plus v1.51), which are all available on the
SCP Business BBS, 105/301 FidoNet, by REQUEST ONLY at
1-503-648-6687 (PC-Pursuit/StarLink).
The better program, called FLUSHOT, remains memory resident and
will check for and alert you to any unauthorized any writes to
COMMAND.COM, etc.
*** WARNING ***
Do not use FLUSHOT with DesqView, DoubleDos, AutoCad.
It may hang your system or at least sound a warning
to you. Only testing will tell.
*** What to do with VIRUSES ***
There are three ways to tell if you are infected:
1) First, have a GOOD DOS diskette with COMMAND.COM on it, PLUS
put a WRITE-PROTECT TAB on your DOS disk. Then, from your system,
do a DIR on the good DOS diskette. If you get a WRITE-ERROR, you
are infected -- DIR does not do any writing of any kind, whereas
the VIRUS does.
2) Another way is to check and compare the time-date stamp of
COMMAND.COM. The Virus writes to the COMMAND.COM thereby changing
the time-date stamp.
3) The third way to tell is to use SENTRY and/or FLUSHOT.
Both will tell you if you are infected (:- FluShot will tell you
are about to be :-), hence you can do a CTRL-ALT-DEL and allow a
boot-up from a good DOS DISK (write-protected) and examine your
hard disk or diskette.
You can use SENTRY/FLUSHOT to check against these two strains.
The psychologically unbalanced individuals writing and uploading
these programs will change their viral methods, so beware. Many
new viral detection programs are in the works, both commercially
and in the shareware domain, to keep up with the viral programs we
have available, to confirmed SYSOPS, Virus/Trojan information
texts on SCP Business BBS. The Virus text files are ZIPed,ZIP is a
type of ARCER used on most BBS's, and can be File Requested thru
FidoNet 105/301 as VIRUS-1.ZIP & VIRUS-2.ZIP.
The thing to do is to check the contents of your downloads via
ARC V or PKXARC/PKZIP -V. DO NOT DOWNLOAD any files without any
available or known documentation unless you are assured it is safe
by the SYSOP. Also, do not accept any ARCHIVE or diskette
containing a file named COMMAND.COM or DOS System files.
Remember -- these new TROJANS are no laughing matter. Without
causing mass hysteria, use your best judgment, and check your
procedures first!
Final note there is a commercial program called C-4 by InterPath
Corp., which will to date detect and contain ALL known PC VIRUSES
where as FluShot+, last version 1.3, can handle only 29 of 39
known PC Virus. So for the ultimate 100% protection get C-4 but
for a SHAREWARE program you can not beat FluShot.
C-4 by InterPath Corp. FluShot Plus v1.51 by
4423 Cheeney St. Ross M. Greenberg of
Santa Clara, Calif. RAMNET BBS
95054 1-212-889-6438
1-408-988-3832 ShareWare
was $40.00
------------
FROM ERIC NEWHOUSE:
A word on TROJANS -
I have been hearing more and more reports of these "worm"
programs, from all directions. While I don't doubt their
existence, do not get hysterical. Remember, a Trojan rumor is much
easier to START than it is to STOP. Some people have accused
legitimate *joke* programs like DRAIN (which pretends to
be gurgling excess water out of your A drive) of being "killers."
If a program locks up your system, it isn't necessarily Trojan; it
might not like co-residing with Superkey, or your graphics card.
Ask around a little before you announce something as Trojan.
SIDE NOTE:
Unfortunately there is DRAIN program out now that is a TROJAN
called DRAIN2 so *** BEWARE ***.
MISINFORMED:
Dorn Stickel has been noted to be a supposed Author of several
TROJANS. Please take note that there seems to be someone trying to
discredit the REAL Dorn Stickel. So please do not take your wrath
out on the real person.
Thanks.
ANSI TEXT FILES/DOC FILES and ARC files:
Did you know a TROJAN can be used in DOC and TEXT files? If your
system is configured for ANSI.SYS in your CONFIG.SYS file, your
keyboard could be redirected or the keys reconfigured.
For example, you could hit the F1 key and the trojan could do a
High Level Format; or hit ALT-X and it will say "del *.* and yes".
It can answer to the prompts and before you can say, "What the
'(&^(~*%' is going on?", your system is deleted.
USE A BROWSER OR LISTER PROGRAM WHEN LOOKING AT ANY TEXT/DOC FILE;
even an editor or PC Tools Edit or Word Process will work. This
way, no redirection can take place. And a side note some ARCER's
allow ANSI comments for displaying messages and can redirect your
keybord to DEL files, directories, or a High Level format. This is
caused by having ANSI.SYS installed. Either disable it, ANSI.SYS,
or use an alternate ANSI driver that will NOT allow redirection.
DEFINITIONS:
*TROJAN* BEWARE!! These programs PURPOSEFULLY damage a
user's system upon their invocation.
They usually aim to disable hard disks,
although they can destroy other
equipment, too. It is IMPERATIVE that
you let me know about any new examples of
these that you find.
*VIRUS* BEWARE!! These programs are the ultimate TROJAN
designed to infect as well as destroy
the Users system and others that it
infects.
*CAREFUL* Programs labeled in this manner may or
may not be trojans; the question is
unresolved. Use caution when running
these programs!
NOTE: If a file extension is not supplied, that means that the
file circulates under many different extensions. For instance,
users commonly upload with extensions of .EQE, .CQM, .LBR, .LQR,
and .ARC.
-----------------------------------------------------------------
| TROJAN HORSE PROGRAMS: |
-----------------------------------------------------------------
NAME CATEGORY NOTES
-------------- -------- ---------------------------------------
3X3SHR *TROJAN* Time Bomb type trojan wipes the Hard
Drive clean. File size is 78848.
ANTI-PCB *TROJAN* The story behind this trojan horse is
sickening. Apparently one RBBS-PC
sysop and one PC-BOARD sysop started
feuding about which BBS system is
better, and in the end the PC-BOARD
sysop wrote a trojan and uploaded it to
the rbbs SysOp under ANTI-PCB.COM. Of
course the RBBS-PC SysOp ran it, and
that led to quite a few accusations and
a big mess in general. Let's grow up!
Every SysOp has the right to run the
type of BBS that they please, and the
fact that a SysOp actually wrote a
trojan intended for another simply
blows my mind.
ARC2ZIP.EXE *VIRUS* This Leigh Virus strain that attacks
the COMMAND.COM and is used in
converting ARCed files to ZIPed files.
This file also copies itself into the
ZIPed file as well as remaining a TSR
within the COMMAND.COM. Also it is
always looking for the COMMAND.COM on
a FLOPPY diskette. So it has two ways
of infection.
ARC513.EXE *TROJAN* This hacked version of ARC appears
normal, so beware! It will write over
track 0 of your [hard] disk upon usage,
destroying the disk.
ARC514.COM *TROJAN* This is totally similar to ARC version
5.13 in that it will overwrite track 0
(FAT Table) of your hard disk. Also, I
have yet to see an .EXE version of this
program.
ARC533.EXE *TROJAN* This is a new Virus program designed to
*VIRUS* emulate Sea's ARC program. It infects
the COMMAND.COM.
BACKTALK *TROJAN* This program used to be a good PD
utility, but someone changed it to be
trojan. Now this program will write/
destroy sectors on your [hard] disk
drive. Use this with caution if you
acquire it, because it's more than
likely that you got a bad copy.
CDIR.COM *TROJAN* This program is supposed to give you a
color directory of files on your disk,
but it in fact will scramble your
disk's FAT table.
D-XREF60.COM *TROJAN* A Pascal Utility used for Cross-
Referencing, written by the infamous
`Dorn Stickel. It eats the FAT and
BOOT sector after a time period has
been met and if the Hard Drive is more
than half full.
DANCERS.BAS *TROJAN* This trojan shows some animated dancers
in color, and then proceeds to wipe out
your [hard] disk's FAT table. There is
another perfectly good copy of
DANCERS.BAS on BBS's around the
country; apparently the idiot trojan
author in question altered a legitimate
program to do his dirty work.
DISKSCAN.EXE *TROJAN* This was a PC-MAGAZINE program to scan
a [hard] disk for bad sectors, but then
a joker edited it to WRITE bad sectors.
Also look for this under other names
such as SCANBAD.EXE and BADDISK.EXE. A
good original copy is availble on SCP
Business BBS.
DMASTER *TROJAN* This is yet another FAT scrambler.
DOSKNOWS.EXE *TROJAN* I'm still tracking this one down --
apparently someone wrote a FAT killer
and renamed it DOSKNOWS.EXE, so it
would be confused with the real,
harmless DOSKNOWS system-status
utility. All I know for sure is that
the REAL DOSKNOWS.EXE is 5376 bytes
long. If you see something called
DOSKNOWS that isn't close to that size,
sound the alarm.
DOS-HELP *TROJAN* This trojan, when made memory-resident,
is supposed to display a DOS command
for which the User needs help with.
Works fine on a Diskette system but on
a HARD DRIVE system tries to format the
Hard Disk with every access of
DOS-HELP.
DPROTECT *TROJAN* Apparently someone tampered with the
original, legitimate version of
DPROTECT and turned it into a
FAT-table eater. A good version is
available on SCP Business BBS.
DRAIN2 *TROJAN* There really is DRAIN program, but this
revised program goes out does Low Level
Format while it is playing the funny
program.
DROID.EXE *TROJAN* This trojan appears under the guise of
a game. You are supposedly an
architect that controls futuristic
droids in search of relics. In fact,
PC-Board sysops, if they run this
program from C:\PCBOARD, will find that
it copies C:\PCBOARD\PCBOARD.DAT to
C:\PCBOARD\HELP\HLPX. In case you were
wondering, the file size of the .EXE
file is 54,272 bytes.
DRPTR.ARC *TROJAN* File found on two boards in the 343
Net. After running unsuspected file,
the only things left in the Sysop's
root directory were the subdirectories
and two of the three DOS System files,
along with a 0-byte file named
WIPEOUT.YUK. The Sysop's COMMAND.COM
was located in a different directory;
the file date and CRC had not changed.
DSZ (Patch) *CAREFUL* The author of this protocol program,
Chuck Forsberg, warns that anyone using
an Unregistered version of DSZ that was
HACKED with a downloaded PATCH to make
it work fully, might result in a
SCRAMBLED FAT TABLE. Seems someone
created the HACK PATCH and then U/L'd
it to BBS's. *BEWARE* of the PATCH!
It is not the DSZ program that does the
dirty work, but the PATCH.
EGABTR *TROJAN* BEWARE! Description says something like
"improve your EGA display," but when
run, it deletes everything in sight and
prints, "Arf! Arf! Got you!"
EMMCACHE *CAREFUL* This program is not exactly a trojan,
but it (v. 1.0) may have the capability
of destroying hard disks by:
A) Scrambling every file modified after
running the program.
B) Destroying boot sectors.
This program has damaged at least two
hard disks, yet there is a base of
happily registered users. Therefore, I
advise extreme caution if you decide
to use this program.
FILER.EXE *TROJAN* One SysOp complained a while ago that
this program wiped out his 20 Megabyte
hard disk. I'm not so sure that he was
correct and/or telling the truth any
more. I have personally tested an
excellent file manager also named
FILER.EXE, and it worked perfectly.
Also, many other SysOp's have written
to tell me that they have like me used
a FILER.EXE with no problems. If you
get a program named FILER.EXE, it is
probably alright, but better to test it
first using some security measures.
FILES.GBS *TROJAN* When an OPUS BBS system is installed
improperly, this file could spell
disaster for the Sysop. It can let a
user of any level into the system.
Protect yourself. Best to have a
sub-directory in each upload area
called c:\upload\files.gbs (this is an
example only). This would force Opus to
rename a file upload of files.gbs and
prevent its usage.
FINANCE4.ARC *CAREFUL* This program is not a verified trojan;
there is simply a file going around
BBS's warning that it may be a trojan.
In any case, execute extreme care with
it.
FLU4TXT.COM *TROJAN* Man, when I thought we had it licked!
This Trojan was inserted into the
FLUSHOT4.ARC and uploaded to many
BBS's. FluShot is a protector of your
COMMAND.COM. The Author of FluShot
posted this Trojan Warning, and I am
posting it here in the DD. If you need
a good copy, you can get it from here--
SCP Business BBS--or on COMPUSERVE. As
to date, 05/14/88 FLUSHOT.ARC FluShot Plus
v1.1 is the current version, not the
FLUSHOT4.ARC which is Trojaned.
FUTURE.BAS *TROJAN* This "program" starts out with a very
nice color picture (of what, I don't
know) and then proceeds to tell you
that you should be using your computer
for better things than games and
graphics. After making that point, it
trashes your A: drive, B:, C:, D:, and
so on until it has erased all drives.
It does not go after the FAT alone; it
also erases all of your data. As far
as I know, however, it erases only one
sub-directory tree level deep, thus
hard disk users should only be
seriously affected if they are in the
"root" directory. I'm not sure about
this one either, though.
GATEWAY2 *TROJAN* Someone tampered with the version 2.0
of the CTTY monitor GATEWAY. What it
does is ruin the FAT. If you need a
good copy, you can file request it or
pick one up from 105/301--SCP Business
BBS--at 1-503-648-6687.
GRABBER *TROJAN* This program is supposed to be SCREEN
CAPTURE program that copies the screen
to a .COM to be later ran from DOS
command line - and as a TSR it will
also attempt to do a DISK WRITE to hard
drive when you do not want it to. It
will wipe whole Directories when doing
a normal DOS command. One sysop who
ran it lost all of his ROOT DIR
including his SYSTEM files. The file
status is :
Name Size Date Time
GRABBER.COM 2583 05/28/87 22:10
G-MAN *TROJAN* Another FAT killer.
LM *TROJAN* Deletes the COMMAND.COM and other
files from the ROOT directory of the
Hard Drive when the program runs.
MAP *TROJAN* This is another trojan horse written by
the infamous "Dorn Stickel." Designed
to display what TSR's are in memory and
works on FAT and BOOT sector. FAT EATER
MATHKIDS.ARC *TROJAN* This is a fairly benign trojan that
will not reformat your hard disks or do
any system-level damage. It is instead
designed to crack a BBS system. It
will attemp to copy the USERS file on a
BBS to a file innocently called
FIXIT.ARC, which the originator can
later call in and download. Believed
to be designed for PCBoard BBS's.
NOTROJ.COM *TROJAN* This "program" is the most sophisti-
cated trojan horse that I've seen to
date. All outward appearances indicate
that the program is a useful utility
used to FIGHT other trojan horses.
Actually, it is a time bomb that erases
any hard disk FAT table that IT can
find, and at the same time, it warns:
"another program is attempting a
format, can't abort! After erasing the
FAT(s), NOTROJ then proceeds to start a
low level format. One extra thing to
note: NOTROJ only damages FULL hard
drives; if a hard disk is under 50%
filled, this program won't touch it!
If you are interested in reading a
thorough report on NOTROJ.COM, James H.
Coombes has written an excellent text
file on the matter named NOTROJ.TXT.
If you have trouble finding it, you
can get it from SCP Business BBS.
PACKDIR *TROJAN* This utility is supposed to "pack"
(sort and optimize) the files on a
[hard] disk, but apparently it
scrambles FAT tables.
PCW271xx.ARC *TROJAN* A modified version of the popular
PC-WRITE word processor (v. 2.71) has
now scrambled at least 10 FAT tables
that I know of. If you want to
download version 2.71 of PC-WRITE, be
very careful! The bogus version can be
identified by its size; it uses 98,274
bytes whereas the good version uses
98,644. For reference, version 2.7 of
PC-WRITE occupies 98,242 bytes.
PKX35B35.ARC } *TROJAN* This was supposed to be an update to
PKB35B35.ARC } *VIRUS* PKARC file compress utility - which
when used *EATS your FATS* and is or
at least RUMORED to infect other files
so it can spread - possible VIRUS?
PKPAK/PKUNPAK *TROJAN* There is a TAMPERED version of 3.61
v3.61 *CAREFUL* that when used interfers with PC's
interupts.
PKFIX361.EXE *TROJAN* Supposed patch to v3.61 - what really
does is when extracted from the .EXE
does a DIRECT access to DRIVE
CONTROLLER and does Low-Level format.
Thereby bypassing checking programs.
PK362.EXE *CAREFUL* This is a NON-RELEASED version and is
suspected as being a *TROJAN* - not
verified.
PK363.EXE *CAREFUL* This is a NON-RELEASED version and is
suspected as being a *TROJAN* - not
verified.
QUIKRBBS.COM *TROJAN* This Trojan horse advertises that it
will install program to protect your
RBBS but it does not. It goes and eats
away at the FAT.
QUIKREF *TROJAN* This ARChive contains ARC513.COM.
Loads RBBS-PC's message file into
memory two times faster than normal.
What it really does is copy RBBS-PC.DEF
into an ASCII file named HISCORES.DAT.
RCKVIDEO *TROJAN* This is another trojan that does what
it's supposed to do, and then wipes out
hard disks. After showing some simple
animation of a rock star ("Madonna," I
think), the program will go to work on
erasing every file it can lay it's
hands on. After about a minute of
this, it will create three ascii files
that say "You are stupid to download a
video about rock stars," or something
of the like.
SECRET.BAS *TROJAN* BEWARE!! This may be posted with a note
saying it doesn't seem to work, and
would someone please try it; when you
do, it formats your disks.
SIDEWAYS.COM *TROJAN* Be careful with this trojan; there is a
perfectly legitimate version of
SIDEWAYS.EXE circulating. Both the
trojan and the good SIDEWAYS advertise
that they can print sideways, but
SIDEWAYS.COM will trash a [hard] disk's
boot sector instead. The trojan .COM
file is about 3 KB, whereas the
legitimate .EXE file is about 30 KB
large.
STAR.EXE *TROJAN* Beware RBBS-PC SysOps! This file puts
some stars on the screen while copying
RBBS-PC.DEF to another name that can be
downloaded later!
STRIPES.EXE *TROJAN* Similar to STAR.EXE, this one draws an
American flag (nice touch), while it's
busy copying your RBBS-PC.DEF to
another file (STRIPES.BQS) so the joker
can log in later, download STRIPES.BQS,
and steal all your passwords. Nice,
huh!
SUG.COM *TROJAN* This one is supposed to go out and
unprotect copy protected programs disks
by Softguard Systems, Inc. After it
trashes your disk it comes back and
displays:
"This destruction constitutes a prima
facie evidence of your violation. If
you attempt to challenge Softguard
Systems Inc..., you will be vigorously
counter-sued for copyright infringement
and theft of services."
AND it by-passes any attempt by
CHK4BOMB to search for the any hidden
messages that tell you, "YOU BEEN
HAD... or GOTCHA>>> Ar..Ar..Ar..; it
encrypts the Gotcha message so no
Trojan checker can scan for it.
TIRED *TROJAN* Another scramble the FAT trojan by Dorn
W. Stickel.
TOPDOS *TROJAN* This is a simple high level [hard] disk
formatter.
TSRMAP *TROJAN* This program does what it's supposed to
do: give a map outlining the location
(in RAM) of all TSR programs, but it
also erases the boot sector of drive
"C:".
ULTIMATE.EXE *TROJAN* Another FAT eater - File status:
Name Size
ULTIMATE.EXE 3090
ULTIMATE.ARC 2432
UNIX *VIRUS* The UNIX operating system by Berkley
verson 4.3, is an INTERNET virus, a
Patch is available on SCP Business
BBS. This is MAIL PACKET VIRUS.
VDIR.COM *TROJAN* This is a disk killer that Jerry
Pournelle wrote about in BYTE Magazine.
I have never seen it, although a
responsible friend of mine has.
WOW *VIRUS* Also known as the 1701 Virus. This
is a new strain of the Leigh Virus
as it not only looks for the
COMMAND.COM but any .COM file. As it
does it, the infected file is enlarged
1,701 bytes in SIZE. The infection
takes as you run the .COM, WOW is a
TSR. What it does when you run WOW is
display an advertisement:
""The Wizards of Warez"
in assocoation with
the copycats
the Pirates Unlimited
OUTRUN
WOW 1989 "
The virus is also known as WOWTITLE.
-----------------------------------------------------------------
| If you run a trojan horse..... |
-----------------------------------------------------------------
While reading this, bear in mind that there is no better remedy
for a drive that has run a trojan horse and been damaged than a
recent backup.
The first thing to do after running what you think to be a trojan
horse is to diagnose the damage. Was your [hard] drive formatted?
Did the trojan scramble your FAT table? Did every file get
erased? Did your boot sector on the [hard] drive get erased/
formatted? Odds are that the trojan incurred one of these four
disasters. After the initial diagnosis, you are ready to remedy
the problem.
1) If the trojan low-level formatted your [hard] disk:
Hope that you have a recent backup; that's the only sure
remedy for this disease.
2) If the trojan high-level formatted your [hard] disk:
There is only one way out of this mess, and that is to use
the MACE+ utilities by Paul Mace. MACE+ has two devices in
it to recover formatted disks, and believe me, they work! I
will talk more about the MACE+ utilities later.
3) If the trojan scrambled your FAT table:
Once again, there is nothing to do. However, there is a
program called FATBACK.COM (available on my board named as
FATBACK.ARC) that will back up your FAT table in under a
minute to floppy. Using FATBACK, it is easy and non time
consuming to back up your FAT regularly.
4) If the trojan erased file(s), and the FAT table is undamaged:
There are many packages to undelete deleted files. Norton
Utilities, PC-Tools, MACE+, and there are others that'll do
the job. I recommend the first three, they are commercial
availble at most coputer software stores or mailorder stores.
When you are undeleting, be sure to undelete files in the
order of last time written to disk. I know that PC-Tools
automatically lists undeletable files in the correct order,
but the other two may not.
5) If the boot sector on your [hard] disk gets erased/formatted:
There are four things to do if this happens, and the worst
that can happen is that you will go without a [hard] disk for
a while. To be on the safest side, back up everything before
even proceeding to step "A," although I can not see why it
would be necessary.
A) Try doing a "SYS C:" (or "SYS A:") from your original
DOS disk, and copy COMMAND.COM back onto the [hard]
drive after that. Try booting, and if that doesn't
work, try step B.
B) If you have the MACE+ utilities, go to the "other
utilities" section and "restore boot sector." This
should do the job if you have been using MACE+
correctly. If using PCTOOLS Delux us the MIRROR
REBUILD utility function.
C) If you are still stuck, BACK UP EVERYTHING and proceed
to do a low-level format. Instructions on how to
perform a low-level format should come with your [hard]
disk controller card. Be sure to map out bad sectors
using either SCAV.COM by Chris Dunford or by manually
entering the locations of bad sectors into the low-level
format program. After the low level format on your hard
disk, run FDISK.COM (it comes with DOS) and create a DOS
partition. Refer to your DOS manual for help in using
FDISK. Then put your original DOS diskette in drive A:
and do a FORMAT <drive letter>:/S/V. Drive letter can
stand for "C" or "B" depending on whether you are
reformatting a hard disk or not. Finally you are ready
to attempt a reboot.
D) If you are still stuck, either employ some professional
computer repair person to fix your drive, or live with a
non-bootable [hard] drive.
A few words of caution on prevention:
1) Get the protection programs from a RELIABLE source. Always ask
about any unknown program - virus protection or otherwise - before
downloading or running it.
2) Don't let down your guard! Most virus protection programs
intercept specific types of activities (disk writes, for example)
or specific viruses (such as Apple's VirusRX targeting the Scores
virus).
3) Make periodic file listings and compare them regularly to
prior listings. Look for unusual changes or unfamiliar files
like Hidden or System files. INVESTIGATE ANYTHING OUT OF THE
ORDINARY!
4) BACKUP - BACKUP - BACKUP! Keep current backups. I know, I
know. Everyone tells you, even your mom (smile). At least make
regular copies of your most important databases and files and,
most importantly, KEEP your OLD COPIES around a little longer
just to be on the safe side. I have a set devoted strictly to a
MASTER BACKUP in case my system's current backup is bad. Then all
is not lost, as I have a MASTER to put me back up.
5) Don't run programs that you got off a BBS on your BOSS's
machine! Use your own PC first. This could save you the
embarrassment of facing his ugly mug (smile) and losing your
job.
REMEMBER: The Best Defense is Good * BACKUP *
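Tip 3 above (periodic file listings compared against prior listings) is
the oldest form of file integrity checking, and it is still the
cheapest way to catch a trojan that drops, hides or patches files.
The following script is an added example written for this edition; it
is not part of the Dirty Dozen nor a tool from any of the packages
named in it. It records size, timestamp, a SHA-256 digest and the
Hidden/System attribute for every file under a directory, then diffs
two snapshots and flags the things the tip says to investigate: new
hidden or system files and new or altered executables. The directory
contents in demo() are constructed for illustration; the Hidden/System
bits are only reported by os.stat() on Windows, so on other systems a
leading dot stands in for "hidden".

```python
"""Baseline-and-compare file listing (added example, not from the DD)."""
import hashlib
import stat
import tempfile
from pathlib import Path

# DOS/Windows attribute bits (Hidden = 2, System = 4). The stat module
# names them; the fallback values are the documented constants.
HIDDEN_BITS = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)
               | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 4))
# Extensions DOS will execute directly; a new or changed one deserves a look.
EXECUTABLE_EXT = (".com", ".exe", ".sys", ".bat")


def file_record(path):
    """One listing entry: what a careful user would write down per file."""
    st = path.stat()
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        # Hidden/System attribute where the OS reports it, else dot-file rule
        "hidden": bool(attrs & HIDDEN_BITS) or path.name.startswith("."),
    }


def snapshot(root):
    """Walk root recursively and return {relative path: record}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots; 'investigate' is the short list worth a closer look."""
    old, new = set(baseline), set(current)
    added = sorted(new - old)
    removed = sorted(old - new)
    changed = sorted(p for p in old & new
                     if baseline[p]["sha256"] != current[p]["sha256"])
    investigate = sorted(
        p for p in added + changed
        if current[p]["hidden"] or p.lower().endswith(EXECUTABLE_EXT))
    return {"added": added, "removed": removed,
            "changed": changed, "investigate": investigate}


def demo():
    """Constructed scenario: take a baseline, then simulate typical trojan effects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "README.TXT").write_text("dirty dozen notes\n")
        (root / "GAME.EXE").write_bytes(b"MZ original game")
        (root / "DATA.DBF").write_bytes(b"records")
        baseline = snapshot(root)
        # Simulated side effects (constructed): an executable is patched,
        # a hidden system file appears, and a data file disappears.
        (root / "GAME.EXE").write_bytes(b"MZ original game + extra bytes")
        (root / ".HIDDEN.SYS").write_bytes(b"dropped")
        (root / "DATA.DBF").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:12s} {paths}")
```

In real use you would write snapshot() to a file on a write-protected
diskette after a known-good install and compare against it after every
download session; keeping the baseline off the machine matters, since a
listing stored on the same disk can be altered by the same program that
altered the files.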
---------------------------------------------------------------
| Update History: |
---------------------------------------------------------------
Version 1.0 Plans were drawn up for a "bad file" list and a
dozen bad files were entered in the list.
Version 2.0 Saw the addition of a short introduction and three
more files. All work up to here was done by Tom
Neff.
Version 3.0 Here Tom Neff and I started collaborating on the
Dirty Dozen; 22 files were added, and the
introduction was completely rewritten. Version 3.0
had a total of 37 files.
Version 4.0 By this time I totally took over responsibility of
the DD, as Tom Neff lost interest. Another 30 or
so files were added to the list, making the DD 65+
files strong, as well as a few more additions to
the introduction.
Version 5.0 By the time I released version 5.0 to the public,
the Dirty Dozen was being greeted favorably and
with enthusiasm around the country. Updates
started coming in with regularity; the list
prospered (if one can say that about a list!). A
few more paragraphs were added to the introduction,
and about 40 new files were bringing the file total
up to 103!
Version 6.0 The Dirty Dozen is now such a big project that I am
now writing it in stages. Although I am going to
make absolutely no effort to spread these
"intermediate versions," they will always be
downloadable from my board. This way, if anyone so
desires, they may keep an extremely current issue
of the DD, although the changes will only be minor.
You might think of stage "a" of issue #6 as version
6.1, stage "b" as version 6.2, stage "c" as version
6.3, etc.
New in version 6.0 is the following:
A) Many minor revisions.
B) 17 more files, bringing the total to 120!
C) Two new paragraphs in the introduction.
D) Instructions on how to recover from a trojan
horse.
E) A comprehensive glossary.
F) This update history.
G) An acknowledgments section set up for major
contributors of information regarding new
"bogusware".
H) A new bogusware category of "miscellaneous
illegal software."
Version 6.0a MOVBASIC.ARC and SBASICA added to the list of
illegal files; six Trojan horses have also been
added to the list.
Version 6.0c NOTROJ.COM added to the trojan horse list.
Version 6.0d DOG102A.COM added to the hacked files list. HACKED
files separated from TROJAN files.
Version 6.0e DANCERS.BAS added to the trojans list.
Version 6.0f Four pirated files added, plus NODISK-A and DMASTER
added to trojans.
Version 6.0g NODISK-A removed from trojan horse list and placed
into pirated programs list. Monopoly warning
issued in misc section. Added a few pirated
programs, plus DPROTECT added as a trojan.
Version 6.0h EMMCACHE and TIRED added to trojan list, plus PEII
added.
Version 6.0i Added TOPDOS to Trojan list, and AUTOMAXX to HACKED
list.
Version 6.0j Added QUICKREF to trojans list. Revised
introduction, and added a paragraph to the intro
about modifying the DD.
Version 6.0k Moved paragraph about 'I'm not responsible for this
list' to the front of the file for legal reasons.
Also added the '*' convention for HACKED programs.
Version 6.0l Added FINANCE4 as a possible trojan. Added a few
glossary definitions.
Version 7.0 The major changes in this version took place in the
revision stages above. However, I still changed
quite a bit in version 7.0 compared to 6.0 revision
stage 'L;' for example, I added 17 new pirated
programs, bringing the file total to a whopping
165! Moreover, I rewrote virtually every paragraph
in the dirty dozen in order to 'stylize' (clean up
the writing in) the document. Once again, I would
like to thank all users who called in updates to
the Dirty Dozen; those users are the people that
encourage me to keep producing the dirty dozen!
Version 7.0a Added three pirated programs, and the *CAREFUL*
category for the program EMMCACHE.ARC, version 1.0.
Version 7.0b Changed entry for XTREE, deleted monopoly entry,
and added seven new pirated programs.
Version 7.0c Added two new trojans (PC-WRITE 2.71 and DROID.EXE)
and revised entry for AUTOMAXX.
Version 8.0a December 25, 1987. The Official Dirty Dozen List
format and content was adopted for the Official Net
105 DD List; all available Trojan information was
extracted from the Newhouse Dirty Dozen List.
Added Dos-Help.COM and SUG.COM. Added special text
on VIRUSES.
Version 8.0b Added notes on FLU_SHOT; added DRAIN2 to the Trojan
list.
Version 8.0c Added FLU4TXT.COM, GATEWAY2, DSZ to the list.
Version 8.0d Increased coverage of Virus/Trojan strain
information. Modified introduction.
Version 8.0e Removed Virus Report Information (now contained in
VIRUS000.ARC); added D-XREF60.COM, DRPTR.COM,
MATCHKIDS, and FILES.GBS. Added dedication to Eric
Newhouse and Tom Neff for their tremendous efforts;
added new information to header of report (title,
contact point, etc.). Modified introduction,
edited document to present more professional
appearance.
Version 9.0a Added ULTIMATE.EXE, GRABBER.COM, PKX35B35.ARC,
PKB35B35.ARC to the list.
Also added prevention tactics for Users.
Version 9.0b Added 3X3SHR, G-MAN, PKPAC/PKUNPAC, PKFIX361.EXE,
PK362.EXE, PK363.EXE, UNIX, ARC533.EXE.
Version 10.0a Added ARC2ZIP.EXE, WOW viruses, and LM. Added note
about ANSI in some forms of ARC files.
-----------------------------------------------------------------
| Glossary: |
-----------------------------------------------------------------
I have intended this glossary for the beginning to intermediate
user; all experienced BBS users will be bored to death with this.
?Q? -- (? standing for any character). File
extension for SQueezed files. Squeezed files
are unusable until unsqueezed by a utility
such as NUSQ.COM or USQ.COM. The advantage of
a SQueezed file is that it is smaller than a
regular UnSQueezed file, thus saving disk
space and download time. ARChives are more
efficient than Squeezed files; that's why
there are so many more ARChives on BBS's these
days. Example of the extensions of SQueezed
files: .EQE, .CQM, .LQR, .TQT, .DQC, etc.
ABBRV -- Abbreviation for the word: "abbreviation"
ARC -- File extension for an ARChive file -- many
files combined together to save space and
download time that require ARC.EXE,
PKXARC.COM, ARCE.COM, or ARCLS.EXE to separate
the files into runnable and readable (in the
case of text) form.
BAS -- Abbrv for "BASIC," as in the programming
language
BBS -- Abbrv for "Bulletin Board System"
BBS's -- Abbrv for "Bulletin Board Systems"
BOARD -- Also "Bulletin Board System"
BOGUSWARE -- Software that is damaging to one or more
parties
BOOT or -- To boot a computer is to restart it from
REBOOT scratch, erasing all TSR programs. One
reboots by either powering off and then back
on, or pressing ctrl-alt-del at the same time.
BYTES -- Bytes measure the length of a file, with one
byte equaling one character in a file.
CACHE [disk] -- Area of memory set aside to hold recent data.
All programs then read recent data from that
memory rather than from disk.
CLUSTER -- A physical block on all [hard] disks, composed
of sectors, that holds data.
COM -- File extension for a file that is executable
from DOS level
DD -- Abbrv for "dirty dozen"
DOC -- Abbrv for "documentation"
EMS -- Enhanced Memory Specification. An EMS card
holds 2 MB extra memory.
EXE -- File extension for a file that is executable
from DOS level
HACKED -- A program that has been changed in some way by
another person or program
HIGH-LEVEL -- This type of format is what most computer
FORMAT users view as a regular DOS-format. That is,
formatting a disk using FORMAT.COM (included
with DOS) is a high-level format.
IBM -- Abbrv for International Business Machines
IBM OR COMP -- IBM computer or a 99% or greater IBM
Compatible computer
KB -- Abbrv for "KiloBytes," one Kb equals 1024
bytes
LBR -- Extension on Library files. Library files are
really many combined files like ARChives, but
they require different utilities to extract
the individual files. Some examples of such
utilities are LUU.EXE, LUE.EXE, LAR.EXE, and
ZIP.EXE. See "ARC".
LOW-LEVEL -- This type of format is only executed on a hard
FORMAT disk; therefore, most hard disk low-level
format programs come only with a hard disk
controller card. There are a few PD low-level
formatting packages, though. Most
manufacturers low-level format their hard
drives at the factory. Low-level formatting
is the first step in the three-part formatting
process; the second step is to use FDISK, and
the third is to execute a high-level format.
MB -- Abbrv for "Megabytes," or "millions of bytes."
MISC -- Abbrv for "miscellaneous"
OPTIMIZE -- To make all files on a disk "contiguous," or
physically linked together on a [hard] drive.
PATCH -- A file that is patched (combined) into another
file to change the original file in some way
PD -- Abbrv for "Public Domain"
PIRATED -- See DEFINITIONS section in this issue.
RAM -- Abbrv for "Random Access Memory." (memory
used by software)
RBBS -- Abbrv for RBBS-PC, a type of BBS (Remote
Bulletin Board System)
ROM -- Abbrv for "Read Only Memory" (memory used by
hardware to boot)
SYSOP -- Abbrv for SYStem OPerator of a BBS
*TROJAN* -- See DEFINITIONS section in this issue.
TROJAN HORSE -- See DEFINITIONS section in this issue.
TSR -- Abbrv for "Terminate and Stay Resident";
Synonym = "Memory Resident"
TXT -- Abbrv for "text"
USU -- Abbrv for "usually"
UNP -- Abbrv for "unprotect"
UNPROTECT -- An "unprotect file" is a patch file that
results in the breaking of copy protection (no
doubt for backup purposes).
UTIL -- Abbrv for "utility"
VIRUS/WORM -- The Ultimate Trojan Horse; Infection of the PC
ZOO -- All files compressed with ZOO.EXE bear this
file extension. ZOO-compressed files are NOT
compatible with ARC.EXE.
<< End of file >>