littauer@amdahl.amdahl.com (Tom Littauer) (12/15/87)
I've just tried the program aquarium and while it paints a nice picture, it
tries to write to disk on termination. I don't have the time right now
to see what it's trying to do. It *MIGHT* be innocent and legitimate,
but I'm a little suspicious... use at your own risk.
--
UUCP: littauer@amdahl.amdahl.com
or: {sun,decwrl,hplabs,pyramid,ihnp4,ames,uunet,cbosgd}!amdahl!littauer
DDD: (408) 737-5056
USPS: Amdahl Corp. M/S 330, 1250 E. Arques Av, Sunnyvale, CA 94086

I'll tell you when I'm giving you the party line. The rest of the time
it's my very own ravings (accept no substitutes).
wtm@neoucom.UUCP (Bill Mayhew) (12/15/87)
<<<Aquarium tries to write to disk upon exit>>

Are you sure? I'll bet that it is reloading the overlay portion of
COMMAND.COM when it exits. If you run a big program that uses all
available memory, COMMAND.COM unloads itself. Note that even though
you always are allocated the entire free memory pool when you run a
program, COMMAND.COM only reloads when the memory it is residing in
was actually used.

Here's a way to test. Boot from a floppy. Run aquarium from a
different floppy that does not have COMMAND.COM on it. When
aquarium exits, see if the system prompts "INSERT DISK WITH
COMMAND.COM".

Naturally, one possibility is that the aquarium *is* a trojan.
The only way to be sure is to whip out DEBUG and pick it apart.

--Bill
lowey@sask.UUCP (Kevin Lowey) (12/16/87)
In article <19637@amdahl.amdahl.com>, Tom Littauer writes:
> I've just tried the program aquarium and while it paints a nice picture,
> tries to write to disk on termination. I don't have the time right now
> to see what it's trying to do. It *MIGHT* be innocent and legitimate,

It is innocent. The program is not trying to WRITE to the disk, it is
instead trying to reload COMMAND.COM from the disk after the program
terminates. This is normal for large programs which ask for all the
memory available.

To test it, boot from a floppy diskette that is write protected and run
the program from there. You don't get a "write protect error" when the
program finishes so it is not writing to the disk. Now rename COMMAND.COM
something else and run the program again. You will get the
"INVALID COMMAND.COM -- SYSTEM HALTED" error message.

 ______________________________________________________________________________
| Kevin Lowey                    |The above is the personal opinion of Kevin |
| University of Saskatchewan     |Lowey. It does not reflect the position of |
| Computing Services             |the University of Saskatchewan in any way. |
| SaskTel: (306) 966-4826        |                                           |
| Bitnet:LOWEY@SASK. (preferred) |I am in no way affiliated with any of the  |
| UUCP: ihnp4!sask!lowey.uucp    |above mentioned companies other than U of S|
|________________________________|___________________________________________|
cc743810@sjuvax.UUCP (Chuck Conway) (12/16/87)
In article <19637@amdahl.amdahl.com> littauer@amdahl.amdahl.com (Tom Littauer) writes:
+ I've just tried the program aquarium and while it paints a nice picture, it
+ tries to write to disk on termination. I don't have the time right now
+ to see what it's trying to do. It *MIGHT* be innocent and legitimate,
+ but I'm a little suspicious... use at your own risk.
+ --
+ UUCP: littauer@amdahl.amdahl.com
+ or: {sun,decwrl,hplabs,pyramid,ihnp4,ames,uunet,cbosgd}!amdahl!littauer
+ DDD: (408) 737-5056
+ USPS: Amdahl Corp. M/S 330, 1250 E. Arques Av, Sunnyvale, CA 94086
+
+ I'll tell you when I'm giving you the party line. The rest of the time
+ it's my very own ravings (accept no substitutes).
ARGH! I should have posted a "use at your own risk" clause, but from
personal experience (eg I've run it a zillion times on my 30 meg XT)
I can say that I've seen nothing out of the ordinary with the program's
function, nor the functioning of the PC in general. HOWEVER - I have
not run CHK4BOMB or anything on it, so I feel compelled to state to
the world that I will not be responsible for any/all damages that
may or may not happen to your computer system and its peripherals
as a direct or indirect result of using this public domain program.
So there. If you have questions, run it on a 2 floppy machine,
and get the address of the program author.
Chuck Conway
(....try and do something nice for people........sheesh)
--
Chuck Conway, Mopar Pilot ...!allegra\
cc743810@sjuvax.UUCP -or- ...!rutgers!cbmvax!bpa!sjuvax!cc743810
...!princeton/
"If it won't do 150 mph, take it back." -Corvette Engineering Group
farren@gethen.UUCP (Michael J. Farren) (12/16/87)
In article <19637@amdahl.amdahl.com> littauer@amdahl.amdahl.com (Tom Littauer) writes:
>I've just tried the program aquarium and while it paints a nice picture, it
>tries to write to disk on termination. I don't have the time right now
>to see what it's trying to do. It *MIGHT* be innocent and legitimate,
>but I'm a little suspicious... use at your own risk.

Hmmmmmmm... A while ago, I got AQUARIUM and a couple of other demo-type
things. A little while after I ran 'em, I found that several files on the
disk had been corrupted, weirdly. Take this as a REAL warning - I'm going
to check AQUARIUM out carefully, now.
--
Michael J. Farren             | "INVESTIGATE your point of view, don't just
{ucbvax, uunet, hoptoad}!     | dogmatize it! Reflect on it and re-evaluate
unisoft!gethen!farren         | it. You may want to change your mind someday."
gethen!farren@lll-winken.arpa | Tom Reingold, from alt.flame
littauer@amdahl.amdahl.com (Tom Littauer) (12/16/87)
In article <1078@sjuvax.UUCP> cc743810@sjuvax.UUCP (Chuck Conway) writes:
>In article <19637@amdahl.amdahl.com> I wrote:
>+ I've just tried the program aquarium and ... it
>+ tries to write to disk on termination.
>
>ARGH! I should have posted a "use at your own risk" clause, but from
>personal experience (eg I've run it a zillion times on my 30 meg XT)
>
>Chuck Conway
>(....try and do something nice for people........sheesh)

Further investigation points to an interaction with WPHD, a hard disk
protection program. I haven't tried with a pure 2-floppy system and
won't (since I don't have one :-).

Relax, Chuck. It seems to be a nice program, thanks for posting it.
When I saw the write error (just before running off to a meeting)
I figured better safe than sorry so posted a warning.

My apologies to anyone unduly alarmed.

Tom
--
UUCP: littauer@amdahl.amdahl.com
or: {sun,decwrl,hplabs,pyramid,ihnp4,ames,uunet,cbosgd}!amdahl!littauer
DDD: (408) 737-5056
USPS: Amdahl Corp. M/S 330, 1250 E. Arques Av, Sunnyvale, CA 94086

I'll tell you when I'm giving you the party line. The rest of the time
it's my very own ravings (accept no substitutes).
rde@eagle.ukc.ac.uk (R.D.Eager) (12/17/87)
I tested the aquarium program with something that analysed disk access.
All it seemed to do was reload COMMAND.COM.
--
Bob Eager
rde@ukc.UUCP
...!mcvax!ukc!rde
Phone: +44 227 764000 ext 7589
tgr@picuxa.UUCP (Dr. Emilio Lizardo) (12/17/87)
In article <850@neoucom.UUCP>, wtm@neoucom.UUCP (Bill Mayhew) writes:
->
-> <<<Aquarium tries to write to disk upon exit>>
->
-> Are you sure? I'll bet that it is reloading the overlay portion of
-> COMMAND.COM when it exits. If you run a big program that uses all
-> available memory, COMMAND.COM unloads itself. Note that even though
-> you always are allocated the entire free memory pool when you run a
-> program, COMMAND.COM only reloads when the memory it is residing in
-> was actually used.
->
-> Here's a way to test. Boot from a floppy. Run aquarium from a
-> different floppy that does not have COMMAND.COM on it. When
-> aquarium exits, see if the system prompts "INSERT DISK WITH
-> COMMAND.COM".
->
-> Naturally, one possibility is that the aquarium *is* a trojan.
-> The only way to be sure is to whip out DEBUG and pick it apart.
I ran aquarium from a write-protected floppy, and it did not give me any
access errors. Can this be considered an adequate test?
--
Tom Gillespie ( ...ihnp4!picuxa!tgr) | (attmail!tgillespie) (201) 952-1178
AT&T/EDS Product Integration Center 299 Jefferson Rd. Parsippany NJ 07054
"Don't take life so serious ... it ain't nohow permanent." -- Walt Kelly
jgray@toad.pilchuck.Data-IO.COM (Jerry Late Nite Gray) (12/18/87)
In article <451@gethen.UUCP>, farren@gethen.UUCP (Michael J. Farren) writes:
> In article <19637@amdahl.amdahl.com> littauer@amdahl.amdahl.com (Tom Littauer) writes:
> >I've just tried the program aquarium and while it paints a nice picture, it
> >tries to write to disk on termination. I don't have the time right now
> >to see what it's trying to do. It *MIGHT* be innocent and legitimate,
> >but I'm a little suspicious... use at your own risk.
>
> Hmmmmmmm... A while ago, I got AQUARIUM and a couple of other demo-type
> things. A little while after I ran 'em, I found that several files on the
> disk had been corrupted, weirdly. Take this as a REAL warning - I'm going
> to check AQUARIUM out carefully, now.
>

After using an anti-trojan program called "Bombsqad" which intercepts disk
access interrupts, it seems that the trailing disk accesses after aquarium
termination are actually disk reads instead of writes. Reloading of
COMMAND.COM as a previous poster suggested is probably most likely.

This isn't positive proof however. DOS can be bypassed. Anybody care to
take this further?

---------------
Jerrold L. Gray
UUCP:{ihnp4|caip|tektronix|ucbvax}!uw-beaver!tikal!pilchuck!jgray
USNAIL: 10525 Willows Road N.E. /C-46
        Redmond, Wa. 98052
        (206) 881 - 6444 x470
Telex: 15-2167
nwc@cunixc.columbia.edu (Nick Christopher) (12/18/87)
People have mentioned various trojan detectors, bombsquad was mentioned,
could one be posted?
--
"I am the Lorvax. I speak for the machines."
______________________________________________________________________________
nwc%cunixc@columbia, columbia!cunixc!nwc
BITNET: nwcus@cuvma
USENET: topaz!columbia!cunixc!nwc
robinson@dalcsug.UUCP (John Robinson) (12/20/87)
In article <418@picuxa.UUCP>, tgr@picuxa.UUCP (Dr. Emilio Lizardo) writes:
> In article <850@neoucom.UUCP>, wtm@neoucom.UUCP (Bill Mayhew) writes:
> ->
> -> <<<Aquarium tries to write to disk upon exit>>
> ->
> ->
>
> I ran aquarium from a write-protected floppy, and it did not give me any
> access errors. Can this be considered an adequate test?

That should be an adequate test.

-John Robinson
robinson@dalcsug!dalcs
wimp@sphinx.uchicago.edu (Jeff Haferman) (12/20/87)
I'm not much of a PC hacker, but I've uudecoded the aquarium program, and
have aquarium.arc. I know that I once knew what to do with '.arc' files,
but seem to have forgotten. Could someone or two e-mail me the steps I
should take from here to get the thing going?

Thanks.
--
Jeff Haferman
Usenet: ...!ihnp4!gargoyle!sphinx!wimp
Bitnet: wimp%sphinx@UChicago
wtm@neoucom.UUCP (Bill Mayhew) (12/20/87)
Well, aquarium finally arrived at neoucom. The version that arrived here
seems to be safe. Examination with DEBUG.COM revealed that aquarium appears
to be completely written in Microsoft's compiled basic. No suspicious INT's
were found. All in all, not a bad little diversion.

Happy holidays,
Bill
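
The kind of check for suspicious INTs described in the post above, together with the earlier caveat that DOS can be bypassed, as an added example that is not part of any poster's message: a Python sketch that scans a program image for `INT` opcodes and flags interrupt/function pairs that can write to disk. The sample byte strings, the names and the look-back window are assumptions made for this illustration.

```python
# Added example: flag INT instructions in a DOS program image that can write
# to disk. Naive byte scan, no disassembly: data bytes can match by accident,
# and packed or self-modifying code will not show up at all.
WINDOW = 12  # how far back to look for the AH value (assumed heuristic)

# interrupt -> {AH function: meaning}; None means every call is a write
WRITE_CALLS = {
    0x13: {0x03: "BIOS write sectors", 0x05: "BIOS format track"},
    0x21: {0x3C: "DOS create file", 0x40: "DOS write to handle",
           0x41: "DOS delete file"},
    0x26: None,  # DOS absolute disk write
}

def find_ints(image):
    """Return (offset, int_no, ah) for each CD nn pair; ah may be None."""
    hits = []
    for off in range(len(image) - 1):
        if image[off] != 0xCD:
            continue
        ah = None
        for back in range(off - 2, max(off - 2 - WINDOW, -1), -1):
            if image[back] == 0xB4:                     # MOV AH, imm8
                ah = image[back + 1]
                break
            if image[back] == 0xB8 and back + 2 < off:  # MOV AX, imm16
                ah = image[back + 2]
                break
        hits.append((off, image[off + 1], ah))
    return hits

def suspicious(image):
    """Keep only the hits whose interrupt/function pair can write to disk."""
    out = []
    for off, int_no, ah in find_ints(image):
        funcs = WRITE_CALLS.get(int_no, {})
        if funcs is None:
            out.append((off, "INT %02Xh absolute disk write" % int_no))
        elif ah in funcs:
            out.append((off, "INT %02Xh AH=%02Xh %s" % (int_no, ah, funcs[ah])))
    return out

# Constructed samples, not bytes from AQUARIUM.
# MOV AH,09 / MOV DX,0110 / INT 21 / MOV AX,4C00 / INT 21 (print, then exit)
BENIGN = bytes.fromhex("b409ba1001cd21b8004ccd21")
# MOV AX,0301 / MOV CX,0001 / MOV DX,0080 / INT 13 / MOV AL,02 / INT 26
WRITER = bytes.fromhex("b80103b90100ba8000cd13b002cd26")

if __name__ == "__main__":
    for name, img in (("BENIGN", BENIGN), ("WRITER", WRITER)):
        print(name, suspicious(img) or "no disk-write interrupts found")
```

A clean result from a scan like this only means no plain `INT` write calls sit in the file as stored; it says nothing about code that builds its calls at run time.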
maxwell@ablnc.ATT.COM (Robert Maxwell) (12/22/87)
If I boot my PC from the floppy, and then run aquarium from another
floppy, on termination I get the "insert disk with command.com" message.
--
-----------------------------------------------------------------------------
Bob Maxwell AT&T DP&CT           | All standard (and most non_standard)
Maitland, FL ihnp4!ablnc!maxwell | disclaimers apply.
-----------------------------------------------------------------------------
jjboritz@watcgl.waterloo.edu (Jim Boritz) (12/23/87)
In article <2395@ihlpe.ATT.COM> psfales@ihlpe.ATT.COM (Pete Fales) writes:
>
>I have a program downloaded from a BBS (WPDH.COM) which allows me to put
>a software write protect on the hard disk. Any attempts to write result
>in the infamous "Abort, Ignore, or Retry" message. Very handy for testing
>out suspicious software.
>--
>Peter Fales UUCP: ...ihnp4!ihlpe!psfales

Could the above poster, or someone else please post this program. It sounds
like it would be very useful to most of us. Especially the paranoid ones. :-)
sutedjok@polyslo.UUCP (Sukanto Tedjokusuma) (12/25/87)
In article <2786@watcgl.waterloo.edu> jjboritz@watcgl.waterloo.edu (Jim Boritz) writes:
]In article <2395@ihlpe.ATT.COM> psfales@ihlpe.ATT.COM (Pete Fales) writes:
]>
]>I have a program downloaded from a BBS (WPDH.COM) which allows me to put
]>a software write protect on the hard disk. Any attempts to write result
]>in the infamous "Abort, Ignore, or Retry" message. Very handy for testing
]>out suspicious software.
]>--
]>Peter Fales UUCP: ...ihnp4!ihlpe!psfales
]
]Could the above poster, or someone else please post this program. It sounds
]like it would be very useful to most of us. Especially the paranoid ones. :-)

Yes, I also vote for posting this program.
Thanks.
sean@ms.uky.edu (Sean Casey) (12/26/87)
In article <249@dalcsug.UUCP> robinson@dalcsug.UUCP (John Robinson) writes:
>In article <418@picuxa.UUCP>, tgr@picuxa.UUCP (Dr. Emilio Lizardo) writes:
>> In article <850@neoucom.UUCP>, wtm@neoucom.UUCP (Bill Mayhew) writes:
>> -> <<<Aquarium tries to write to disk upon exit>>
>>
>> I ran aquarium from a write-protected floppy, and it did not give me any
>That should be an adequate test.

No way! If I were writing a disk bomber, I'd definitely have it immune to
any disk access errors. If someone stuck in a write protected floppy and
got an error from a program that isn't supposed to be writing to disk,
they'd immediately get suspicious. Then there's always the possibility
that some dope would think that because the program didn't bomb it was
only reading the floppy.

The aquarium program is probably not a bomb, but don't assume it isn't
simply because there are no errors when you write protect a floppy.

Sean
--
-- Sean Casey               sean@ms.uky.edu, sean@UKMA.BITNET
-- (the Empire guy)         {rutgers,uunet,cbosgd}!ukma!sean
-- University of Kentucky in Lexington Kentucky, USA
-- "Inconceivable!"