bruce@dolqci.UUCP (Bruce Limber) (08/05/87)
[The following is quoted without permission from Fidonet News # 4.26]
From rlgvax!sundc!seismo!husc6!mit-eddie!ll-xn!ames!amdcad!sun!hoptoad!pozar Mon Jul 20 12:11:05 EDT 1987
From: pozar@hoptoad.uucp (Tim Pozar)
THE DIRTY DOZEN -- An Uploaded Program Alert List
Issue #7 Compiled by Eric Newhouse
Recently, many unlawfully copied or modified programs have
appeared on various IBM PC bulletin boards across the country.
THE DIRTY DOZEN is a list of known examples.
There are four major categories of bad software: commercial
pirate jobs, unauthorized copies of otherwise legitimate freeware
programs, malicious "TROJAN" programs which damage your system,
and miscellaneous illegal software. Please look in the
definitions section of this document for a more detailed
explanation of these terms.
SysOps: Please be careful with the files you post in your
download libraries! A professional-quality uploaded game or
disk utility should arouse your suspicions, especially if it
doesn't include the author's name, address, and distribution
policy. Such programs are probably NOT public domain! The BBS
community is already under legislative threat at the State and
Federal level. We cannot fight this trend effectively while our
directories sit stocked with cracked Sega games, wargames
dialers, and malicious "trojan horses!" Let's demonstrate a
little social responsibility by cleaning up our download
libraries.
If you as a SysOp have any of these files on your system, please
delete them and post "blocking" dummy file entries like this one:
ZAXXON.COM DELETED!! NOT PUBLIC DOMAIN!!
If everyone works together to fight this new brand of software,
the growing numbers of piraters and trojan horse writers may well
be put 'out of business!'
The idea behind THE DIRTY DOZEN is to bring this important issue
to the attention of more SysOps and users - to act as an
information "clearing-house" for the latest known examples of
"bogusware," so that an educated public can fight effectively for
safe downloadable files.
The Dirty Dozen is a big project, and it needs your help to
succeed! Please call in any updates of bad software that you
know of, but DO NOT modify this article yourself. If everyone
who discovers a pirated program starts modifying the DD, there
would be hundreds of issues in circulation.
Also, I think it's quite unfair, especially considering that
I've spent over a hundred hours of my time on this list, for just
anyone to put their name at the top of the list and say that they
write, or helped write, the DD. For example, someone named
Gerhard Barth added two files, both of which were already listed
in the DD, and proceeded to write "Updated by Gerhard Barth,
please send all further updates to Gerhard Barth," etc. If
everyone does this, how will anyone know which file is the latest
and TRUE Dirty Dozen? If you have an update, please see the end
of this article for information on how to reach me with new
information.
A word on TROJANS: I have been hearing more and more reports of
these "worm" programs, from all directions. While I don't doubt
their existence, do not get hysterical. Remember, a Trojan rumor
is much easier to START than it is to STOP. Some people have
accused legitimate *joke* programs, like DRAIN (which pretends to
be gurgling excess water out of your A drive) of being "killers."
If a program locks up your system, it isn't necessarily Trojan;
it might not like co-residing with Superkey, or your graphics
card. Ask around a little before you announce something as
Trojan. I would appreciate a bagged specimen of any real Trojan
program that you might have the (un)luck to find.
A word on Pirated programs: Recently many pirated programs such
as AUTODEX have been going under many different names. Although
I will try to keep all these names current in the DD, the best
way to check for piracy in a file is to run that file yourself --
checking for (C)opyright notices of commercial manufacturers,
similarities in looks and operations of commercial programs, and
of course whether the name is in this list.
Finally I want to thank all BBS SysOps and users that notified
me of updates, additions, and/or corrections to DIRTYDOZ.006.
It's great to see so much support! In this issue more people
than ever called in with updates. Everyone else who reads this
list, along with myself, really appreciates the effort!
NOTE: If I do not supply a file extension, that means that the
file circulates under many different extensions. For instance,
users commonly upload with extensions of either: .EXE, .COM,
.EQE, .CQM, .LBR, .LQR, and .ARC.
TROJAN HORSE PROGRAMS:

Name            Category    Notes

ANTI-PCB        *TROJAN*
    The story behind this trojan horse is sickening. Apparently one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system is better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to the rbbs SysOp under ANTI-PCB.COM. Of course the RBBS-PC SysOp ran it, and that led to quite a few accusations and a big mess in general. Let's grow up! Every SysOp has the right to run the type of BBS that they please, and the fact that a SysOp actually wrote a trojan intended for another simply blows my mind.

ARC513.EXE      *TROJAN*
    This hacked version of arc appears normal, so beware! It will write over track 0 of your [hard] disk upon usage, destroying the disk.

ARC514.COM      *TROJAN*
    This is totally similar to arc version 5.13 in that it will overwrite track 0 (FAT Table) of your hard disk. Also, I have yet to see an .EXE version of this program.

BACKTALK        *TROJAN*
    This program used to be a good PD utility, but someone changed it to be trojan. Now this program will write/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy.

CDIR.COM        *TROJAN*
    This program is supposed to give you a color directory of files on disk, but it in fact will scramble your disk's FAT table.

DANCERS.BAS     *TROJAN*
    This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another perfectly good copy of DANCERS.BAS on BBS's around the country; apparently the idiot author in question altered a legitimate program to do his dirty work.

DISKSCAN.EXE    *TROJAN*
    This was a PC-MAGAZINE program to scan a (hard) disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE...

DMASTER         *TROJAN*
    This is yet another FAT scrambler.

DOSKNOWS.EXE    *TROJAN*
    I'm still tracking this one down -- apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility. All I know for sure is that the REAL DOSKNOWS.EXE is 5376 bytes long. If you see something called DOSKNOWS that isn't close to that size, sound the alarm. More info on this one is welcomed -- a bagged specimen especially.

DPROTECT        *TROJAN*
    Apparently someone tampered with the original, legitimate version of DPROTECT and turned it into a FAT table eater.

DROID.EXE       *TROJAN*
    This trojan appears under the guise of a game. You are supposedly an architect that controls futuristic droids in search of relics. In fact, PC-Board sysops, if they run this program from C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX. In case you were wondering, the file size of the .EXE file is 54,272 bytes.

EGABTR          *TROJAN*
    BEWARE! Description says something like "improve your EGA display," but when run it deletes everything in sight and prints "Arf! Arf! Got you!"

EMMCACHE        *CAREFUL*
    This program is not exactly a trojan, but it may have the capability of destroying hard disks by:
        A) Scrambling every file modified after running the program,
        B) Destroying boot sectors.
    This program has damaged at least two hard disks, yet there is a base of happily registered users. Therefore, I advise extreme caution if you decide to use this program.

FILER.EXE       *TROJAN*
    One SysOp complained a while ago that this program wiped out his 20 Megabyte HD. I'm not so sure that he was correct and/or telling the truth any more. I have personally tested an excellent file manager also named FILER.EXE, and it worked perfectly. Also, many other SysOps have written to tell me that they have, like me, used a FILER.EXE with no problems. If you get a program named FILER.EXE, it is probably all right, but better to test it first using some security measures.

FINANCE4.ARC    *CAREFUL*
    This program is not a verified trojan; there is simply a file going around BBS's warning that it may be trojan. In any case, execute extreme care with it.

FUTURE.BAS      *TROJAN*
    This "program" starts out with a very nice color picture (of what I don't know) and then proceeds to tell you that you should be using your computer for better things than games and graphics. After making that point it trashes your A: drive, B:, C:, D:, and so on until it has erased all drives. It does not go after the FAT alone, but it also erases all of your data. As far as I know, however, it erases only one sub-directory tree level deep, thus hard disk users should only be seriously affected if they are in the "root" directory. I'm not sure about this one either, though.

NOTROJ.COM      *TROJAN*
    This "program" is the most sophisticated trojan horse that I've seen to date. All outward appearances indicate that the program is a useful utility used to FIGHT other trojan horses. Actually, it is a time bomb that erases any hard disk FAT table that IT can find, and at the same time it warns: "another program is attempting a format, can't abort!" After erasing the FAT(s), NOTROJ then proceeds to start a low level format. One extra thing to note: NOTROJ only damages FULL hard drives; if a hard disk is under 50% filled, this program won't touch it! If you are interested in reading a thorough report on NOTROJ.COM, James H. Coombes has written an excellent text file on the matter named NOTROJ.TXT. If you have trouble finding it, you can get it from my board.

TIRED           *TROJAN*
    Another scramble the FAT trojan by Dorn W. Stickle.

TSRMAP          *TROJAN*
    This program does what it's supposed to do: give a map outlining the location (in RAM) of all TSR programs, but it also erases the boot sector of drive "C:".

PACKDIR         *TROJAN*
    This utility is supposed to "pack" (sort and optimize) the files on a [hard] disk, but apparently it scrambles FAT tables.

PCW271xx.ARC    *TROJAN*
    A modified version of the popular PC-WRITE word processor (v. 2.71) has now scrambled at least 10 FAT tables that I know of. If you want to download version 2.71 of PC-WRITE be very careful! The bogus version can be identified by its size; it uses 98,274 bytes whereas the good version uses 98,644. For reference, version 2.7 of PC-WRITE occupies 98,242 bytes.

QUIKREF         *TROJAN*
    This ARChive claims that it will load RBBS-PC's message file into memory 2 times faster than normal. What it really does is copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT...

RCKVIDEO        *TROJAN*
    This is another trojan that does what it's supposed to do, then wipes out hard disks. After showing some simple animation of a rock star ("Madonna," I think), the program will go to work on erasing every file it can lay its hands on. After about a minute of this, it will create 3 ascii files that say "You are stupid to download a video about rock stars," or something of the like.

SECRET.BAS      *TROJAN*
    BEWARE!! This may be posted with a note saying it doesn't seem to work, and would someone please try it; when you do, it formats your disks.

SIDEWAYS.COM    *TROJAN*
    Be careful with this trojan; there is a perfectly legitimate version of SIDEWAYS.EXE circulating. Both the trojan and the good SIDEWAYS advertise that they can print sideways, but SIDEWAYS.COM will trash a [hard] disk's boot sector instead. The trojan .COM file is about 3 KB, whereas the legitimate .EXE file is about 30 KB large.

STAR.EXE        *TROJAN*
    Beware RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later!

STRIPES.EXE     *TROJAN*
    Similar to STAR.EXE, this one draws an American flag (nice touch), while it's busy copying your RBBS-PC.DEF to another file (STRIPES.BQS) so Bozo can log in later, download STRIPES.BQS, and steal all your passwords. Nice, huh!

TOPDOS          *TROJAN*
    This is a simple high level [hard] disk formatter.

VDIR.COM        *TROJAN*
    This is a disk killer that Jerry Pournelle wrote about in BYTE Magazine. I have never seen it, although a responsible friend of mine has.
-------------------------------------------------------------------------
This is the end of the "bad files list." The rest of this
document contains instructions on what to do if YOU run a trojan
horse, an update history, a glossary, and information on how and
where to contact me with updates.
If you run a trojan horse..
While reading this, bear in mind that there is no better remedy
for a drive that has run a trojan horse than a recent backup..
The first thing to do after running what you think to be a
trojan horse is diagnose the damage. Was your [hard] drive
formatted? Did the trojan scramble your FAT table? Did every
file get erased? Did your boot sector on the [hard] drive get
erased/formatted? Odds are that the trojan incurred one of these
four disasters.. After the initial diagnosis, you are ready to
remedy the problem.
1) If the trojan low-level formatted your [hard] disk: Hope that
you have a recent backup; that's the only remedy for this
disease.
2) If the trojan high-level formatted your [hard] disk: There is
only one way out of this mess, and that is to use the MACE+
utilities by Paul Mace. MACE+ has two devices in it to
recover formatted disks, and believe me, they work! I will
talk more about the MACE+ utilities later.
3) If the trojan scrambled your FAT table: Once again, there is
nothing to do. However, there is a program called
FATBACK.COM (available on my board named as FATBCK11.ARC)
that will back up your FAT table in under a minute to floppy.
Using FATBACK, it is easy and non time consuming to back up
your FAT regularly.
4) If the trojan erased file(s), and the FAT table is undamaged:
There are many packages to undelete deleted files. Norton
Utilities, PC-tools, MACE+, and UNDEL.COM will all do the
job. I recommend the first three, but they are more
expensive than the Public Domain program UNDEL.COM. When you
are undeleting, be sure to undelete files in the order of
last time written to disk. I know that PC-tools
automatically lists undeletable files in the correct order,
but the other three may not.
5) If the boot sector on your [hard] disk gets erased/formatted:
There are four things to do if this happens, and the worst
that can happen is that you will go without a [hard] disk for
a while. To be on the safest side, back up everything before
even proceeding to step "A," although I can not see why it
would be necessary.
A) Try doing a "SYS C:" (or "SYS A:") from your original DOS
disk, and copy COMMAND.COM back onto the [hard] drive
after that. Try booting and if that doesn't work try step
B.
B) If you have the MACE+ utilities go to the "other
utilities" section and "restore boot sector." This should
do the job if you have been using MACE+ correctly.
C) If you are still stuck, BACK EVERYTHING UP and proceed to
do a low level format. Instructions on how to perform a
low-level format should come with your [hard] disk
controller card. Be sure to map out bad sectors using
either SCAV.COM by Chris Dunford or by manually entering
the locations of bad sectors into the low level format
program. After the low level format, if you have a hard
disk, run FDISK.COM (it comes with DOS) and create a DOS
partition. Refer to your DOS manual for help in using
FDISK. Then put your original DOS diskette in drive A:
and do a FORMAT <drive letter>:/S/V. Drive letter can
stand for "C" or "B" depending on whether you are
reformatting a hard disk or not. Finally you are ready to
attempt a reboot.
D) If you are still stuck, either employ some professional
computer repairmen to fix your drive, or live with a
non-bootable [hard] drive..
By now you may be saying to yourself:
"How can I get a hold of a 'MACE+' utilities package so that I
can guard against trojans? Why, MACE+ can recover a formatted
drive, undelete files, restore boot sectors, optimize a disk, and
provide a disk cache!"
Anyone can obtain these marvelous utilities in one of two ways:
one is to call up the Paul Mace Software Company (tm) and order
them at a retail of $79.95. The other is to place an order for
them at the WEST LOS ANGELES PC-STORE, which supports next day
UPS shipping! The BBS phone # for the PC-STORE is at the end of
this document.
Finally:
If you have any additions or corrections for this list, send them
to Eric Newhouse at any of the following places: (in order of
most frequented)
[These are Fidonet nodes.]
* The Crest RBBS (213-471-2518) (1200/2400) (80 MB)
* The West LA PC-STORE (213-559-6954)(300/1200/2400)
--
Bruce Limber (seismo!dolqci!bruce) (202) 535-0640
If we are not careful, we are liable to wind up where we are headed.
(Chinese proverb)
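The list above gives a SysOp two cheap checks: a file's name (under any of the "squeezed" extensions it may circulate with) and, for a few entries, its exact byte size. The script below is an added example, not part of the Dirty Dozen post or of any tool it mentions; the size figures, the trojan names and the dummy "DELETED!!" entry come from the post, while the extension map, the function names and the sample library are constructed assumptions.

```python
import os

# Squeezed extensions the post says uploads circulate under, mapped to
# the extension the file unpacks to (assumed mapping; .ARC is left as-is).
SQUEEZED = {".EQE": ".EXE", ".CQM": ".COM", ".LQR": ".LBR"}

# Exact sizes quoted in the list, in bytes.
GOOD_SIZE = {"DOSKNOWS.EXE": {5376}, "PCW271XX.ARC": {98644}}
BAD_SIZE = {"PCW271XX.ARC": {98274}, "DROID.EXE": {54272}}

# Stems the list flags as trojans (a subset; the post notes the same
# program circulates under many extensions, so only the stem is matched).
LISTED = {"ANTI-PCB", "ARC513", "ARC514", "BACKTALK", "CDIR", "DANCERS",
          "DISKSCAN", "SCANBAD", "BADDISK", "EGABTR", "NOTROJ", "STAR",
          "STRIPES", "TSRMAP", "TOPDOS", "VDIR", "DROID", "QUIKREF"}

def canonical(name):
    """Upper-case the name, unsqueeze its extension, fold PCW271xx variants."""
    stem, ext = os.path.splitext(name.upper())
    ext = SQUEEZED.get(ext, ext)
    if stem.startswith("PCW271") and ext == ".ARC":
        stem = "PCW271XX"
    return stem + ext

def classify(name, size):
    """Return (verdict, reason) for one download-library entry."""
    cname = canonical(name)
    stem = cname.rsplit(".", 1)[0]
    if size in BAD_SIZE.get(cname, ()):
        return "BAD", f"size {size} matches the trojan build of {cname}"
    if cname in GOOD_SIZE:
        if size in GOOD_SIZE[cname]:
            return "OK", f"size {size} matches the known-good {cname}"
        return "SUSPECT", f"{cname} should be {sorted(GOOD_SIZE[cname])} bytes, not {size}"
    if stem in LISTED:
        return "SUSPECT", f"{stem} is on the Dirty Dozen trojan list"
    return "UNKNOWN", "no rule for this name"

def blocking_entry(name):
    """Dummy entry a SysOp posts in place of a deleted file, as the post suggests."""
    return f"{name.upper()} DELETED!! NOT PUBLIC DOMAIN!!"

def audit(library):
    """Run classify() over (name, size) pairs; return every entry a rule fired on."""
    return [(n, v, r) for n, s in library for v, r in [classify(n, s)] if v != "UNKNOWN"]

# Constructed sample library listing (not a real directory).
SAMPLE = [("DOSKNOWS.EQE", 5376), ("dosknows.exe", 21000),
          ("PCW271AB.ARC", 98274), ("droid.exe", 54272),
          ("STRIPES.EXE", 12000), ("FILER.EXE", 30000)]

if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE):
        print(f"{verdict:8} {name:14} {reason}")
```

A size match is only as good as the figure it is compared against, so the table should be refreshed from each new Dirty Dozen issue rather than edited locally.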
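Step 3 of the recovery section recommends backing up the FAT regularly so a scrambled table can simply be written back. The code below is an added example of that idea and is not FATBACK, MACE+ or any program from the post: it locates the FAT copies of a FAT12/FAT16 volume image from the BIOS Parameter Block, saves the primary copy, checks the copies against each other, and writes a saved copy back. The minimal volume image is constructed in memory; the function names are assumptions.

```python
import struct

def bpb(image):
    """Read the BPB fields needed to locate the FATs (standard FAT12/16 layout)."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", image, 11)
    spf = struct.unpack_from("<H", image, 22)[0]
    return {"bytes_per_sector": bps, "reserved": reserved,
            "num_fats": nfats, "sectors_per_fat": spf}

def fat_slices(image):
    """Byte ranges of every FAT copy; they follow the reserved sectors."""
    p = bpb(image)
    size = p["sectors_per_fat"] * p["bytes_per_sector"]
    start = p["reserved"] * p["bytes_per_sector"]
    return [slice(start + i * size, start + (i + 1) * size) for i in range(p["num_fats"])]

def backup_fat(image):
    """Return the primary FAT as bytes (what you would keep on a floppy)."""
    return bytes(image[fat_slices(image)[0]])

def fats_agree(image):
    """True if all FAT copies are identical. A trojan that hits only one copy
    is caught here; one that scrambles every copy is only caught by comparing
    against a saved backup."""
    copies = [bytes(image[s]) for s in fat_slices(image)]
    return all(c == copies[0] for c in copies)

def restore_fat(image, backup):
    """Write the saved FAT over every copy; returns a new image, input untouched."""
    out = bytearray(image)
    for s in fat_slices(image):
        if s.stop - s.start != len(backup):
            raise ValueError("backup size does not match this volume's FAT size")
        out[s] = backup
    return out

def make_image():
    """Constructed 1.44 MB-style FAT12 boot sector: 1 reserved sector, 2 FATs
    of 1 sector each, followed by the two FAT copies (4 sectors total)."""
    img = bytearray(512 * 4)
    struct.pack_into("<3s8sHBHBHHBHHHII", img, 0, b"\xEB\x3C\x90", b"MSDOS5.0",
                     512, 1, 1, 2, 224, 2880, 0xF0, 1, 18, 2, 0, 0)
    fat = b"\xF0\xFF\xFF" + b"\x00" * 509        # media byte + empty chains
    img[512:1024] = fat
    img[1024:1536] = fat
    return img

if __name__ == "__main__":
    vol = make_image()
    saved = backup_fat(vol)
    vol[512:520] = b"\xAA" * 8                    # simulate a scrambled FAT 1
    print("copies agree:", fats_agree(vol))       # False
    print("restored:", fats_agree(restore_fat(vol, saved)))
```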