[comp.sys.ibm.pc] FLUSHOT3.ARC protect against Trojans program

w8sdz@eddie.MIT.EDU (Keith Petersen) (02/22/88)

[Because of its importance this is being posted to both comp.sys.ibm.pc
and comp.binaries.ibm.pc.  Followups directed to comp.sys.ibm.pc]

Below is a uuencoded copy of FLUSHOT3.ARC.  This is an update to
FLUSHOT2, announced previously, a program to protect your COMMAND.COM,
FAT, boot sector, NOVRAM, etc., against Trojan horses.

The following is a list of its contents.  If you get this file from
other sources be sure to check the CRCs to make sure they match this
listing. (more comments on this below).

Name          Length    Stowage    SF   Size now  Date       Time    CRC
============  ========  ========  ====  ========  =========  ======  ====
DISCLAIM.TXT       640  Crunched   27%       469  10 Feb 88   0:00a  4B65
FLUSHOT2.INF      2176  Crunched   38%      1361  10 Feb 88   0:00a  C709
FLUSHOT3.COM      2363  Crunched   20%      1912  10 Feb 88   0:00a  6C75
FLUSHOT3.INF      2432  Crunched   34%      1627  10 Feb 88   0:00a  2DA1
FLU_SHOT.DOC      4045  Crunched   43%      2322  10 Feb 88   0:00a  4C6A
REGISTER.TXT      2816  Crunched   57%      1220  10 Feb 88   0:00a  15D8
        ====  ========            ====  ========
Total      6     14472             39%      8911  

--from file FLUWARN2.TXT--

                FURTHER INFORMATION ON "FLUSHOT" FILES!

The program FLU-SHOT.arc has had "some" copies "BUGGED". Instead of
protecting you from the so called "COMMAND VIRUS"...they actually
erase Command interpreters and files!

I spoke to the author today. A new version of Flushot has been
released called FLUSHOT3.ARC. USE ONLY THIS VERSION ! Other versions
"M A Y" have been tampered with and be Trojan. To get a working copy
of the "GOOD" FLUSHOT PROGRAM call 212-889-6438 and download
FLUSHOT3.ARC.

If you have a copy of any other release...please check it out                

                          C A R E F U L L Y !

FLUSHOT3 is an excellent program....and has been installed on my
Board with no problems. I was NOT so lucky with the original version I
received. It had been tampered with and....erased over 15 files and
Command.com interpreters from my system and the systems of 5 other
users. Some had to completely re-format!

There "may" be other so-called "cures" that ( in actuality ) are
Trojan. ALWAYS test these programs before installation and BE SURE
they are OK!

WARNING: ON tampered versions of FLU-SHOT, most Bomb programs detect
no problems with the program...I know because I ran three of them
before installing to my system. After my disaster...I looked at the
program using various utility files. I can still detect nothing out of
the ordinary. However, looking at command.com (after the installation)
you will note "garbage" at the end of your current command.com file.
If you see this "DO NOT RE-BOOT YOUR SYSTEM! TAKE YOUR ORIGINAL DOS
BOOT DISK and COPY COMMAND.COM OVER THE OLD VERSION ON YOUR HARD-DISK!
I did not do this and....... you know the rest.

                           Leonard Lee..Sysop
                             VoiceQuest RBBS
                             (601) 638-3390

---end included text--

Good advice.  The file FLUSHOT3.ARC on SIMTEL20 came direct from Ross
Greenberg, the author of FLUSHOT.  I downloaded it myself from his BBS.

--Keith Petersen
Arpa: W8SDZ@SIMTEL20.ARPA
Uucp: {decwrl,harvard,lll-crg,ucbvax,uunet,uw-beaver}!simtel20.arpa!w8sdz

-- 
Keith Petersen
Arpa: W8SDZ@SIMTEL20.ARPA
Uucp: {bellcore,decwrl,harvard,lll-crg,ucbvax,uw-beaver}!simtel20.arpa!w8sdz
GEnie: W8SDZ
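
Added example (not part of the original post and not FLUSHOT's or ARC's own code): one way to carry out the CRC check recommended above, assuming the CRC column is ARC's standard 16-bit CRC (reflected polynomial 0xA001, initial value 0, catalogued as CRC-16/ARC). The listing rows are copied from the post; the function names and the file contents in the demo are constructed for illustration.

```python
import re

# Rows copied from the ARC listing in the post (the Total line is left out).
LISTING = """\
DISCLAIM.TXT       640  Crunched   27%       469  10 Feb 88   0:00a  4B65
FLUSHOT2.INF      2176  Crunched   38%      1361  10 Feb 88   0:00a  C709
FLUSHOT3.COM      2363  Crunched   20%      1912  10 Feb 88   0:00a  6C75
FLUSHOT3.INF      2432  Crunched   34%      1627  10 Feb 88   0:00a  2DA1
FLU_SHOT.DOC      4045  Crunched   43%      2322  10 Feb 88   0:00a  4C6A
REGISTER.TXT      2816  Crunched   57%      1220  10 Feb 88   0:00a  15D8
"""

# Columns: name, length, stowage, SF, size now, date (3 tokens), time, CRC
ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\d+%\s+\d+\s+\d+ \w+ \d+\s+\S+\s+([0-9A-Fa-f]{4})$")

def crc16_arc(data):
    """CRC-16/ARC: reflected polynomial 0xA001, initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_listing(text):
    """Return {NAME: (original_length, crc)} for every file row in the listing."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries[m.group(1).upper()] = (int(m.group(2)), int(m.group(3), 16))
    return entries

def verify(files, listing):
    """Compare extracted files ({NAME: bytes}) with the listing; return {NAME: verdict}."""
    report = {}
    for name, (length, crc) in listing.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != length:
            report[name] = "length mismatch"
        elif crc16_arc(data) != crc:
            report[name] = "crc mismatch"
        else:
            report[name] = "ok"
    for name in sorted(set(files) - set(listing)):
        report[name] = "unlisted"   # extra file the trusted listing never mentioned
    return report

if __name__ == "__main__":
    # Constructed stand-in data: the real archive members are not reproduced here.
    good = b"constructed sample, not a real FLUSHOT file\r\n"
    trusted = {"SAMPLE.TXT": (len(good), crc16_arc(good))}
    print(verify({"SAMPLE.TXT": good}, trusted))                    # ok
    print(verify({"SAMPLE.TXT": good + b"\x00garbage"}, trusted))   # length mismatch
    print(verify({}, parse_listing(LISTING)))                       # all missing
```

A 16-bit CRC catches transmission damage and appended "garbage" of the kind described in the warning, but a deliberate tamperer can produce a file whose CRC matches, so the check is only as trustworthy as the source of the listing.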

ttang@puff.cs.wisc.edu (Theodore Tang) (02/23/88)

After reading about all these dangers coming along with virus and trojan
horse programs, I've got a question:

Couldn't one just rename their COMMAND.COM to something like PROTECT.COM
and hack at the IBMDOS.COM or IBMBIOS.COM so they can find the boot program
and others can't?

I mean, how are these viruses doing this?  Do they search for COMMAND.COM
explicitly and if so, wouldn't renaming them help?


Theodore Tang
University of Wisconsin at Madison

USENET:       ttang@puff.wisc.edu.UUCP
FIDONET:      1:121/3 (Opus's Internat'l Archives BBS)
BBS:          Opus's Internat'l Archives BBS
	      (608)251-4755 9600 USR HST MNP 5

"No, no, it wasn't me!" -anonymous

wee@pyuxf.UUCP (W Evans) (02/24/88)

The summary says it.  Did this program uudecode and unarchive successfully for 
others?

Bill Evans
. . . bellcore!pyuxf!wee

conway@hplb29a.HPL.HP.COM (Daniel F. Conway) (02/25/88)

> / hplb29a:comp.sys.ibm.pc / w8sdz@eddie.MIT.EDU (Keith Petersen) /  4:44 pm  Feb 21, 1988 /

The following is a perfect example of why I only use bulletin board programs
that I have *source* for.  Could someone (preferably the author) please post
the source for FLUSHOT?

Dan Conway
Hewlett-Packard
Palo Alto CA
hplabs!dan_conway

[Some text deleted for brevity]

> 
> 
> Below is a uuencoded copy of FLUSHOT3.ARC.  This is an update to
> FLUSHOT2, announced previously, a program to protect your COMMAND.COM,
> FAT, boot sector, NOVRAM, etc., against Trojan horses.
> 
> 
>                 FURTHER INFORMATION ON "FLUSHOT" FILES!
> 
> The program FLU-SHOT.arc has had "some" copies "BUGGED". Instead of
> protecting you from the so called "COMMAND VIRUS"...they actually
> erase Command interpreters and files!
> 
> I was NOT so lucky with the original version I
> received. It had been tampered with and....erased over 15 files and
> Command.com interpreters from my system and the systems of 5 other
> users. Some had to completely re-format!
> 
> There "may" be other so-called "cures" that ( in actuality ) are
> Trojan. ALWAYS test these programs before installation and BE SURE
> they are OK!
> 
> WARNING: ON tampered versions of FLU-SHOT, most Bomb programs detect
> no problems with the program...I know because I ran three of them
> before installing to my system. After my disaster...I looked at the
> program using various utility files. I can still detect nothing out of
> the ordinary. However, looking at command.com (after the installation)
> you will note "garbage" at the end of your current command.com file.
> If you see this "DO NOT RE-BOOT YOUR SYSTEM! TAKE YOUR ORIGINAL DOS
> BOOT DISK and COPY COMMAND.COM OVER THE OLD VERSION ON YOUR HARD-DISK!
> I did not do this and....... you know the rest.
> 
> Good advice.  The file FLUSHOT3.ARC on SIMTEL20 came direct from Ross
> Greenberg, the author of FLUSHOT.  I downloaded it myself from his BBS.
> 
> Keith Petersen
> Arpa: W8SDZ@SIMTEL20.ARPA
> Uucp: {bellcore,decwrl,harvard,lll-crg,ucbvax,uw-beaver}!simtel20.arpa!w8sdz
> GEnie: W8SDZ
> ----------

jv@mhres.mh.nl (Johan Vromans) (02/26/88)

In article <8221@eddie.MIT.EDU> w8sdz@eddie.MIT.EDU (Keith Petersen) writes:
>Below is a uuencoded copy of FLUSHOT3.ARC.  This is an update to
> ...
etc.

I am not going to trust *ANY* anti-virus program unless it is distributed
in clearly documented source.