bruce@dolqci.UUCP (Bruce Limber) (08/05/87)
[The following is quoted without permission from Fidonet News # 4.26]

From rlgvax!sundc!seismo!husc6!mit-eddie!ll-xn!ames!amdcad!sun!hoptoad!pozar Mon Jul 20 12:11:05 EDT 1987
From: pozar@hoptoad.uucp (Tim Pozar)

THE DIRTY DOZEN -- An Uploaded Program Alert List
Issue #7
Compiled by Eric Newhouse

Recently, many unlawfully copied or modified programs have appeared on various IBM PC bulletin boards across the country. THE DIRTY DOZEN is a list of known examples. There are four major categories of bad software: commercial pirate jobs, unauthorized copies of otherwise legitimate freeware programs, malicious "TROJAN" programs which damage your system, and miscellaneous illegal software. Please look in the definitions section of this document for a more detailed explanation of these terms.

SysOps: Please be careful with the files you post in your download libraries! A professional-quality uploaded game or disk utility should arouse your suspicions, especially if it doesn't include the author's name, address, and distribution policy. Such programs are probably NOT public domain!

The BBS community is already under legislative threat at the State and Federal level. We cannot fight this trend effectively while our directories sit stocked with cracked Sega games, wargames dialers, and malicious "trojan horses!" Let's demonstrate a little social responsibility by cleaning up our download libraries. If you as a SysOp have any of these files on your system, please delete them and post "blocking" dummy file entries like this one:

    ZAXXON.COM DELETED!! NOT PUBLIC DOMAIN!!

If everyone works together to fight this new brand of software, the growing numbers of pirates and trojan horse writers may well be put 'out of business!'

The idea behind THE DIRTY DOZEN is to bring this important issue to the attention of more SysOps and users - to act as an information "clearing-house" for the latest known examples of "bogusware," so that an educated public can fight effectively for safe downloadable files. The Dirty Dozen is a big project, and it needs your help to succeed! Please call in any updates of bad software that you know of, but DO NOT modify this article yourself. If everyone who discovers a pirated program starts modifying the DD, there would be hundreds of issues in circulation. Also, I think it's quite unfair, especially considering that I've spent over a hundred hours of my time on this list, for just anyone to put their name at the top of the list and say that they write, or helped write, the DD. For example, someone named Gerhard Barth added two files, both of which were already listed in the DD, and proceeded to write "Updated by Gerhard Barth, please send all further updates to Gerhard Barth," etc. If everyone does this, how will anyone know which file is the latest and TRUE Dirty Dozen? If you have an update, please see the end of this article for information on how to reach me with new information.

A word on TROJANS: I have been hearing more and more reports of these "worm" programs, from all directions. While I don't doubt their existence, do not get hysterical. Remember, a Trojan rumor is much easier to START than it is to STOP. Some people have accused legitimate *joke* programs, like DRAIN (which pretends to be gurgling excess water out of your A drive) of being "killers." If a program locks up your system, it isn't necessarily Trojan; it might not like co-residing with Superkey, or your graphics card. Ask around a little before you announce something as Trojan. I would appreciate a bagged specimen of any real Trojan program that you might have the (un)luck to find.
A word on Pirated programs: Recently many pirated programs such as AUTODEX have been going under many different names. Although I will try to keep all these names current in the DD, the best way to check for piracy in a file is to run that file yourself -- checking for (C)opyright notices of commercial manufacturers, similarities in looks and operations of commercial programs, and of course whether the name is in this list.

Finally, I want to thank all BBS SysOps and users that notified me of updates, additions, and/or corrections to DIRTYDOZ.006. It's great to see so much support! In this issue more people than ever called in with updates. Everyone else who reads this list, along with myself, really appreciates the effort!

NOTE: If I do not supply a file extension, that means that the file circulates under many different extensions. For instance, users commonly upload with any of the extensions .EXE, .COM, .EQE, .CQM, .LBR, .LQR, and .ARC.

TROJAN HORSE PROGRAMS:

Name            Category    Notes

ANTI-PCB        *TROJAN*
    The story behind this trojan horse is sickening. Apparently one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system is better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to the RBBS SysOp under ANTI-PCB.COM. Of course the RBBS-PC SysOp ran it, and that led to quite a few accusations and a big mess in general. Let's grow up! Every SysOp has the right to run the type of BBS that they please, and the fact that a SysOp actually wrote a trojan intended for another simply blows my mind.

ARC513.EXE      *TROJAN*
    This hacked version of ARC appears normal, so beware! It will write over track 0 of your [hard] disk upon usage, destroying the disk.

ARC514.COM      *TROJAN*
    This is totally similar to ARC version 5.13 in that it will overwrite track 0 (FAT table) of your hard disk. Also, I have yet to see an .EXE version of this program.

BACKTALK        *TROJAN*
    This program used to be a good PD utility, but someone changed it to be trojan. Now this program will write/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy.

CDIR.COM        *TROJAN*
    This program is supposed to give you a color directory of files on disk, but it in fact will scramble your disk's FAT table.

DANCERS.BAS     *TROJAN*
    This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another perfectly good copy of DANCERS.BAS on BBS's around the country; apparently the idiot author in question altered a legitimate program to do his dirty work.

DISKSCAN.EXE    *TROJAN*
    This was a PC-MAGAZINE program to scan a (hard) disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE.

DMASTER         *TROJAN*
    This is yet another FAT scrambler.

DOSKNOWS.EXE    *TROJAN*
    I'm still tracking this one down -- apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility. All I know for sure is that the REAL DOSKNOWS.EXE is 5376 bytes long. If you see something called DOSKNOWS that isn't close to that size, sound the alarm. More info on this one is welcomed -- a bagged specimen especially.

DPROTECT        *TROJAN*
    Apparently someone tampered with the original, legitimate version of DPROTECT and turned it into a FAT table eater.

DROID.EXE       *TROJAN*
    This trojan appears under the guise of a game. You are supposedly an architect that controls futuristic droids in search of relics. In fact, PC-Board sysops, if they run this program from C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX. In case you were wondering, the file size of the .EXE file is 54,272 bytes.

EGABTR          *TROJAN*
    BEWARE! Description says something like "improve your EGA display," but when run it deletes everything in sight and prints "Arf! Arf! Got you!"

EMMCACHE        *CAREFUL*
    This program is not exactly a trojan, but it may have the capability of destroying hard disks by: A) Scrambling every file modified after running the program, B) Destroying boot sectors. This program has damaged at least two hard disks, yet there is a base of happily registered users. Therefore, I advise extreme caution if you decide to use this program.

FILER.EXE       *TROJAN*
    One SysOp complained a while ago that this program wiped out his 20 Megabyte HD. I'm not so sure that he was correct and/or telling the truth any more. I have personally tested an excellent file manager also named FILER.EXE, and it worked perfectly. Also, many other SysOps have written to tell me that they have, like me, used a FILER.EXE with no problems. If you get a program named FILER.EXE, it is probably alright, but better to test it first using some security measures.

FINANCE4.ARC    *CAREFUL*
    This program is not a verified trojan; there is simply a file going around BBS's warning that it may be trojan. In any case, exercise extreme care with it.

FUTURE.BAS      *TROJAN*
    This "program" starts out with a very nice color picture (of what I don't know) and then proceeds to tell you that you should be using your computer for better things than games and graphics. After making that point it trashes your A: drive, B:, C:, D:, and so on until it has erased all drives. It does not go after the FAT alone, but it also erases all of your data. As far as I know, however, it erases only one sub-directory tree level deep, thus hard disk users should only be seriously affected if they are in the "root" directory. I'm not sure about this one either, though.

NOTROJ.COM      *TROJAN*
    This "program" is the most sophisticated trojan horse that I've seen to date. All outward appearances indicate that the program is a useful utility used to FIGHT other trojan horses. Actually, it is a time bomb that erases any hard disk FAT table that IT can find, and at the same time it warns: "another program is attempting a format, can't abort!" After erasing the FAT(s), NOTROJ then proceeds to start a low level format. One extra thing to note: NOTROJ only damages FULL hard drives; if a hard disk is under 50% filled, this program won't touch it! If you are interested in reading a thorough report on NOTROJ.COM, James H. Coombes has written an excellent text file on the matter named NOTROJ.TXT. If you have trouble finding it, you can get it from my board.

TIRED           *TROJAN*
    Another scramble-the-FAT trojan by Dorn W. Stickle.

TSRMAP          *TROJAN*
    This program does what it's supposed to do: give a map outlining the location (in RAM) of all TSR programs, but it also erases the boot sector of drive "C:".

PACKDIR         *TROJAN*
    This utility is supposed to "pack" (sort and optimize) the files on a [hard] disk, but apparently it scrambles FAT tables.

PCW271xx.ARC    *TROJAN*
    A modified version of the popular PC-WRITE word processor (v. 2.71) has now scrambled at least 10 FAT tables that I know of. If you want to download version 2.71 of PC-WRITE be very careful! The bogus version can be identified by its size; it uses 98,274 bytes whereas the good version uses 98,644. For reference, version 2.7 of PC-WRITE occupies 98,242 bytes.

QUIKREF         *TROJAN*
    This ARChive claims that it will load RBBS-PC's message file into memory 2 times faster than normal. What it really does is copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT.

RCKVIDEO        *TROJAN*
    This is another trojan that does what it's supposed to do, then wipes out hard disks. After showing some simple animation of a rock star ("Madonna," I think), the program will go to work on erasing every file it can lay its hands on. After about a minute of this, it will create 3 ASCII files that say "You are stupid to download a video about rock stars," or something of the like.

SECRET.BAS      *TROJAN*
    BEWARE!! This may be posted with a note saying it doesn't seem to work, and would someone please try it; when you do, it formats your disks.

SIDEWAYS.COM    *TROJAN*
    Be careful with this trojan; there is a perfectly legitimate version of SIDEWAYS.EXE circulating. Both the trojan and the good SIDEWAYS advertise that they can print sideways, but SIDEWAYS.COM will trash a [hard] disk's boot sector instead. The trojan .COM file is about 3 KB, whereas the legitimate .EXE file is about 30 KB large.

STAR.EXE        *TROJAN*
    Beware RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later!

STRIPES.EXE     *TROJAN*
    Similar to STAR.EXE, this one draws an American flag (nice touch), while it's busy copying your RBBS-PC.DEF to another file (STRIPES.BQS) so Bozo can log in later, download STRIPES.BQS, and steal all your passwords. Nice, huh!

TOPDOS          *TROJAN*
    This is a simple high level [hard] disk formatter.

VDIR.COM        *TROJAN*
    This is a disk killer that Jerry Pournelle wrote about in BYTE Magazine. I have never seen it, although a responsible friend of mine has.

-------------------------------------------------------------------------

This is the end of the "bad files list." The rest of this document contains instructions on what to do if YOU run a trojan horse, an update history, a glossary, and information on how and where to contact me with updates.

If you run a trojan horse...

While reading this, bear in mind that there is no better remedy for a drive that has run a trojan horse than a recent backup.

The first thing to do after running what you think to be a trojan horse is diagnose the damage. Was your [hard] drive formatted? Did the trojan scramble your FAT table? Did every file get erased? Did your boot sector on the [hard] drive get erased/formatted? Odds are that the trojan incurred one of these four disasters. After the initial diagnosis, you are ready to remedy the problem.
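Several entries in the list above identify a tampered file by its size (the real DOSKNOWS.EXE at 5376 bytes, PC-WRITE 2.71 at 98,644 bytes versus the bogus 98,274, the 3 KB SIDEWAYS.COM versus the 30 KB SIDEWAYS.EXE), and the NOTE at the top says the same name may arrive under several extensions. As an added example, not part of the original list and not taken from any BBS package, here is a small Python checker a SysOp could run against a new upload's name and size before posting it. The names and byte counts are the ones quoted in the list; the verdict labels, helper names and the sample upload directory at the bottom are constructed for this example.

```python
"""Check an upload's name and size against the Dirty Dozen's own hints.

Added example: not part of the original list and not any BBS software.
Every name and byte count below is quoted from the list; verdict labels,
helper names and the sample uploads at the bottom are constructed here.
"""
import fnmatch

# Files the list flags as trojan by full name (the entry gives the extension).
KNOWN_BAD_FILES = {"ARC513.EXE", "ARC514.COM", "SIDEWAYS.COM", "DROID.EXE"}

# Entries the list gives without an extension: they circulate as .EXE, .COM,
# .ARC, squeezed .EQE/.CQM and so on, so these are matched on the base name.
KNOWN_BAD_NAMES = {
    "ANTI-PCB", "BACKTALK", "CDIR", "DISKSCAN", "SCANBAD", "BADDISK", "DMASTER",
    "DPROTECT", "EGABTR", "FUTURE", "NOTROJ", "TIRED", "TSRMAP", "PACKDIR",
    "QUIKREF", "RCKVIDEO", "SECRET", "STAR", "STRIPES", "TOPDOS", "VDIR",
}

# Name alone is only grounds for caution: marked *CAREFUL* in the list, or the
# list itself notes that a legitimate program of the same name circulates.
CAREFUL_NAMES = {"EMMCACHE", "FINANCE4", "FILER", "DANCERS"}

# (pattern, known-good sizes, known-bad sizes, tolerance in bytes).
# Exact figures get tolerance 0; SIDEWAYS.EXE was only quoted as "about 30 KB".
SIZE_RULES = [
    ("DOSKNOWS.EXE", {5376}, set(), 0),
    ("PCW271*.ARC", {98644}, {98274}, 0),
    ("SIDEWAYS.EXE", {30 * 1024}, set(), 6 * 1024),
]


def _near(size, targets, tol):
    """True if size is within tol bytes of any target size."""
    return any(abs(size - t) <= tol for t in targets)


def check_upload(filename, size):
    """Classify one upload: KNOWN-BAD, SIZE-MISMATCH, CAREFUL, LOOKS-OK or UNLISTED."""
    name = filename.upper()
    base = name.rsplit(".", 1)[0]
    if name in KNOWN_BAD_FILES or base in KNOWN_BAD_NAMES:
        return "KNOWN-BAD"
    for pattern, good, bad, tol in SIZE_RULES:
        if fnmatch.fnmatchcase(name, pattern):
            if _near(size, bad, tol):
                return "KNOWN-BAD"
            return "LOOKS-OK" if _near(size, good, tol) else "SIZE-MISMATCH"
    if base in CAREFUL_NAMES:
        return "CAREFUL"
    return "UNLISTED"


def blocking_entry(filename):
    """The dummy entry the list asks SysOps to post in place of a deleted file."""
    return f"{filename.upper()} DELETED!! NOT PUBLIC DOMAIN!!"


def scan_uploads(uploads):
    """Return {filename: verdict} for a list of (filename, size) pairs."""
    return {name: check_upload(name, size) for name, size in uploads}


# Constructed sample upload directory; sizes are invented except where they
# deliberately equal a figure quoted in the list.
SAMPLE_UPLOADS = [
    ("EGABTR.ARC", 12_000),
    ("DOSKNOWS.EXE", 9_100),
    ("PCW271AB.ARC", 98_274),
    ("SIDEWAYS.EXE", 30_500),
    ("FILER.EXE", 41_000),
    ("MYNOTES.TXT", 800),
]

if __name__ == "__main__":
    for name, verdict in scan_uploads(SAMPLE_UPLOADS).items():
        print(f"{name:14} {verdict}")
        if verdict == "KNOWN-BAD":
            print("   ->", blocking_entry(name))
```

A size match only says the file is not one of the known bad copies; a squeezed or re-archived upload will not match any figure, which is why unknown sizes come back as SIZE-MISMATCH rather than LOOKS-OK, and why the list still recommends running a suspect file under some security measures first.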
1) If the trojan low-level formatted your [hard] disk: Hope that you have a recent backup; that's the only remedy for this disease.

2) If the trojan high-level formatted your [hard] disk: There is only one way out of this mess, and that is to use the MACE+ utilities by Paul Mace. MACE+ has two devices in it to recover formatted disks, and believe me, they work! I will talk more about the MACE+ utilities later.

3) If the trojan scrambled your FAT table: Once again, there is nothing to do. However, there is a program called FATBACK.COM (available on my board named as FATBCK11.ARC) that will back up your FAT table in under a minute to floppy. Using FATBACK, it is easy and not time-consuming to back up your FAT regularly.

4) If the trojan erased file(s), and the FAT table is undamaged: There are many packages to undelete deleted files. Norton Utilities, PC-tools, MACE+, and UNDEL.COM will all do the job. I recommend the first three, but they are more expensive than the Public Domain program UNDEL.COM. When you are undeleting, be sure to undelete files in the order of last time written to disk. I know that PC-tools automatically lists undeletable files in the correct order, but the other three may not.

5) If the boot sector on your [hard] disk gets erased/formatted: There are four things to do if this happens, and the worst that can happen is that you will go without a [hard] disk for a while. To be on the safest side, back up everything before even proceeding to step "A," although I can not see why it would be necessary.

   A) Try doing a "SYS C:" (or "SYS A:") from your original DOS disk, and copy COMMAND.COM back onto the [hard] drive after that. Try booting and if that doesn't work try step B.

   B) If you have the MACE+ utilities go to the "other utilities" section and "restore boot sector." This should do the job if you have been using MACE+ correctly.

   C) If you are still stuck, BACK EVERYTHING UP and proceed to do a low level format. Instructions on how to perform a low-level format should come with your [hard] disk controller card. Be sure to map out bad sectors using either SCAV.COM by Chris Dunford or by manually entering the locations of bad sectors into the low level format program. After the low level format, if you have a hard disk, run FDISK.COM (it comes with DOS) and create a DOS partition. Refer to your DOS manual for help in using FDISK. Then put your original DOS diskette in drive A: and do a FORMAT <drive letter>:/S/V. Drive letter can stand for "C" or "B" depending on whether you are reformatting a hard disk or not. Finally you are ready to attempt a reboot.

   D) If you are still stuck, either employ some professional computer repairmen to fix your drive, or live with a non-bootable [hard] drive.

By now you may be saying to yourself: "How can I get hold of a 'MACE+' utilities package so that I can guard against trojans?" Why, MACE+ can recover a formatted drive, undelete files, restore boot sectors, optimize a disk, and provide a disk cache! Anyone can obtain these marvelous utilities in one of two ways: one is to call up the Paul Mace Software Company (tm) and order them at a retail of $79.95. The other is to place an order for them at the WEST LOS ANGELES PC-STORE, which supports next day UPS shipping! The BBS phone # for the PC-STORE is at the end of this document.

Finally: If you have any additions or corrections for this list, send them to Eric Newhouse at any of the following places (in order of most frequented) [These are Fidonet nodes.]

    * The Crest RBBS (213-471-2518) (1200/2400) (80 MB)
    * The West LA PC-STORE (213-559-6954) (300/1200/2400)

-- 
Bruce Limber (seismo!dolqci!bruce) (202) 535-0640
If we are not careful, we are liable to wind up where we are headed. (Chinese proverb)
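Step 3 of the recovery instructions above says the only real defence against a scrambled FAT is a regular FAT backup of the kind FATBACK writes to floppy, and the diagnosis step asks you to tell a scrambled FAT from other damage. As an added example, not the FATBACK program and not part of the original post, here is Python that reads the BIOS Parameter Block of a FAT12 volume image, saves every FAT copy, checks that the copies still agree with each other and with the media descriptor, and writes the saved copies back. The volume is a constructed in-memory image (no real disk is touched), the BPB offsets are the standard ones, and all function names are mine.

```python
"""Back up, verify and restore the FAT copies of a FAT12 volume image.

Added example: not the FATBACK utility and not part of the original post.
The image built below is constructed sample data; BPB field offsets follow the
standard FAT12/16 boot sector layout.
"""
import struct

SECTOR = 512
BPB_FORMAT = "<HBHBHHBH"  # fields at offset 11 of the boot sector (13 bytes)


def parse_bpb(image):
    """Read the BPB fields needed to locate the FAT region(s)."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature missing")
    bps, spc, reserved, nfats, root, total, media, spf = struct.unpack_from(
        BPB_FORMAT, image, 11)
    return dict(bytes_per_sector=bps, sectors_per_cluster=spc, reserved=reserved,
                num_fats=nfats, root_entries=root, total_sectors=total,
                media=media, sectors_per_fat=spf)


def fat_regions(bpb):
    """(offset, length) of each FAT copy; copies sit back to back after the reserved sectors."""
    start = bpb["reserved"] * bpb["bytes_per_sector"]
    size = bpb["sectors_per_fat"] * bpb["bytes_per_sector"]
    return [(start + i * size, size) for i in range(bpb["num_fats"])]


def backup_fats(image):
    """Return every FAT copy concatenated (what a FAT backup would save to floppy)."""
    return b"".join(image[o:o + n] for o, n in fat_regions(parse_bpb(image)))


def verify_fats(image):
    """True if FAT[0] starts with the media descriptor and all copies agree."""
    bpb = parse_bpb(image)
    copies = [image[o:o + n] for o, n in fat_regions(bpb)]
    return copies[0][0] == bpb["media"] and all(c == copies[0] for c in copies[1:])


def restore_fats(image, backup):
    """Write saved FAT copies back over the FAT region and return the new image."""
    buf = bytearray(image)
    pos = 0
    for o, n in fat_regions(parse_bpb(image)):
        buf[o:o + n] = backup[pos:pos + n]
        pos += n
    return bytes(buf)


def fat12_entry(fat, n):
    """Decode the 12-bit FAT entry for cluster n (entries are packed 3 bytes per 2)."""
    o = n * 3 // 2
    v = fat[o] | (fat[o + 1] << 8)
    return v >> 4 if n & 1 else v & 0xFFF


def build_image():
    """Constructed sample: 12 sectors, 2 FATs, one file chained through clusters 2 -> 3."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[3:11] = b"DIRTYDOZ"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total, media, sectors/FAT
    struct.pack_into(BPB_FORMAT, boot, 11, SECTOR, 1, 1, 2, 16, 12, 0xF0, 1)
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xf0\xff\xff"   # media descriptor plus the reserved entry 1
    fat[3:6] = b"\x03\xf0\xff"   # cluster 2 -> 3, cluster 3 -> 0xFFF (end of chain)
    root_dir = bytes(SECTOR)      # 16 entries * 32 bytes
    data = bytes(SECTOR * 8)
    return bytes(boot) + bytes(fat) * 2 + root_dir + data


def scramble_fat(image):
    """Test helper: overwrite the first FAT copy with junk, as a FAT-scrambling trojan leaves it."""
    o, n = fat_regions(parse_bpb(image))[0]
    buf = bytearray(image)
    buf[o:o + n] = b"\xa5" * n
    return bytes(buf)


if __name__ == "__main__":
    disk = build_image()
    saved = backup_fats(disk)
    print("fresh volume ok:", verify_fats(disk))
    damaged = scramble_fat(disk)
    print("after scramble ok:", verify_fats(damaged))
    repaired = restore_fats(damaged, saved)
    print("after restore ok:", verify_fats(repaired), "chain 2 ->",
          fat12_entry(repaired[SECTOR:2 * SECTOR], 2))
```

Comparing the two FAT copies is the quick diagnosis the recovery intro asks for: a high-level format or a file-erasing trojan leaves both copies consistent, whereas a FAT scrambler usually leaves them disagreeing or the media byte wrong. The restore only puts the FAT back; it cannot recover data sectors a trojan overwrote, which is why the list still puts a recent full backup first.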