  ----------------------------------------------------------------
  |                       THE GUARDIAN LIST                      |
  |                                                              |
  |       -- An Uploaded Trojan/Virus Program Alert List.        |
  |          This list is distributed thru FidoNet and           |
  |          LCRNET.                                             |
  ----------------------------------------------------------------
  |                                 Issue #1:      Sept 25, 1989 |
  |                                                              |
  |                                 Revision Stage 'B'           |
  |                                                              |
  |Compiled by Sysops of FidoNet and LCRNET and other sources    |
  |Edited by Tom Sirianni of FidoNet 105/301                     |
  ----------------------------------------------------------------

Introductory Note:

This Trojan Alert List is dedicated to the efforts of the End
User and the Sysop, who have had very little support. Now, thru The
Guardian, those Users/Sysops stand a chance in the fight against
worms, trojans, and viruses, and in reporting the results to you,
the User. It is because of the efforts of the many Sysops who spent
fruitless hours keeping a BBS online, and of the End User who loves
PD and ShareWare programs, that this list is presented to you and
is aggressively maintained.

Although there are other lists available, The Guardian is always
up to date and is distributed thru FidoNet's SDS network, assuring
its distribution Internationally in a matter of days, and I feel
it will be of most benefit as such. Much of what goes into The
Guardian List comes from the DIRTY_DOZEN echo conference. Within
this conference are Sysops and Users from around the world who
help determine what is and is not a trojan/virus. Also, there are
groups in Universities that are now participating.

What's in the future? As the SDNet/Works! (The Shareware
Distribution Network) takes effect, you will see fewer attacks on
the Sysop as files are distributed thru a controlled source -
direct from the Authors. Until this concept is fully utilized,
The Guardian List will be here to help you, the User, the Sysop,
and those Sysops not in FidoNet or LCRNET.

                                   Tom Sirianni
                                   SCP Business BBS
                                   FidoNet 105/301
                                   LCRNET 1010/0

Neither SCP Business BBS nor its Editor assumes any responsibility
for the validity or completeness of this list.  Many sources
contribute to the list, and it is very possible that one of the
reported files works perfectly and is in the Public Domain.

But all the same, it is quite possible that a mistake will slip in
somewhere.  Since this is the case, please keep in mind while
reading this list that, however unlikely, it is possible that I am
(or my sources are) incorrect in any accusation.

Note: ** Some TROJANS are designed to work only on [Hard] Drives **
         so it may work just fine on a Diskette System.


HELP FROM USERS REQUESTED:

Users upload bad software to hundreds of boards every day, and
often times, the software is not yet in this list, or the file may
have been corrupted due to a bad ARCHIVE.  However, if you run a
trojan horse program that is not listed here, please don't send it
to SCP Business BBS.  Instead, give me a call (SCP Business BBS
phone 1-503-648-6687 9600-v32/2400/1200/300 baud supported) and
leave me a message about the program (with a complete filename
and any other information you may have) so that I can get the
destructive program in the next issue. It is important to verify
that the program is a TROJAN and not an OPERATOR error.  If anyone
is unsure whether or not a file is a Trojan, and it's not listed in
the DD list, I recommend using a utility like BOMBSQAD.COM or
CHK4BOMB.EXE to prevent any mishaps.  For VIRUSES, use VirusScan
or FluShot+. After you call, I may want you to upload it so that I
can verify it myself if you are unable to.


A WORD FROM TOM SIRIANNI:  NEW TYPE OF TROJAN -- THE VIRUS...

A Virus is a trojan which attaches itself to certain files and at
a predetermined time attacks your FAT, DIR, and/or BOOT areas,
CROSS-LINKing files and looking for ways to attach itself to
diskettes and other disks containing files such as IBMDOS, IBMBIO,
COMMAND.COM, etc.  This type of virus spreads its dirty work to
other systems much like the flu or a cold, relying on the user to
spread the VIRUS.  Protection (to a limited degree) from these
virus strains is available from the ShareWare programs SENTRY.ZIP,
SCANV37.ZIP (VirusScan), and FSP17.ZIP (FluShot Plus v1.7),
which are all available on the SCP Business BBS, 105/301 FidoNet,
1-503-648-6687 (PC-Pursuit ORPOR), or from SDS nodes within FidoNet
(note that SDS and SDN are two separate entities).

The best program, called SCAN, better known as VirusScan, can
check any physical or logical drive or diskette for any file
infected by a Virus. It will tell what type of Virus and where it
is located.


WHAT TO DO IF YOU THINK YOU ARE INFECTED WITH A TROJAN/VIRUS

There are three ways to tell if you are infected:

1)   First, have a GOOD DOS diskette with COMMAND.COM on it, PLUS
put a WRITE-PROTECT TAB on your DOS disk.  Then, from your system,
do a DIR on the good DOS diskette.  If you get a WRITE-ERROR, you
are infected -- DIR does not do any writing of any kind, whereas
the VIRUS does.

2)   Another way is to check and compare the time-date stamp of
COMMAND.COM.  The Virus writes to the COMMAND.COM thereby changing
the time-date stamp.

3)   Use SCAN to tell if you are infected and it will tell you
what type.
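
The time-date stamp and size comparison from check 2, as an added
example that is not part of the original list. It decodes the raw
32-byte FAT directory entry for COMMAND.COM and compares it with a
recorded known-good entry. The +1538 byte growth and the :62 seconds
value are the ones reported for KC-PAL.COM in this list; the baseline
size and date are constructed sample values.

```python
import struct
from typing import NamedTuple

# Layout of a FAT directory entry: name, ext, attribute, reserved,
# time, date, starting cluster, file size (little-endian, 32 bytes).
ENTRY_FORMAT = "<8s3sB10sHHHI"


class DirEntry(NamedTuple):
    name: str
    size: int
    date: tuple   # (year, month, day)
    time: tuple   # (hour, minute, second)


def parse_dir_entry(raw: bytes) -> DirEntry:
    """Decode one 32-byte FAT directory entry."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    base, ext, _attr, _rsvd, t, d, _cluster, size = struct.unpack(
        ENTRY_FORMAT, raw)
    name = base.decode("ascii").rstrip()
    if ext.strip():
        name += "." + ext.decode("ascii").rstrip()
    return DirEntry(
        name=name,
        size=size,
        # Date: 7 bits year-1980, 4 bits month, 5 bits day.
        date=(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F),
        # Time: 5 bits hour, 6 bits minute, 5 bits seconds/2.
        time=(t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2),
    )


def make_entry(name, ext, size, date, time) -> bytes:
    """Build a directory entry for the constructed samples below."""
    year, month, day = date
    hour, minute, second = time
    d = ((year - 1980) << 9) | (month << 5) | day
    t = (hour << 11) | (minute << 5) | (second // 2)
    return struct.pack(ENTRY_FORMAT, name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), 0x20, b"\0" * 10,
                       t, d, 2, size)


def compare(baseline: DirEntry, current: DirEntry) -> list:
    """Return the differences that suggest COMMAND.COM was written to."""
    findings = []
    delta = current.size - baseline.size
    if delta:
        findings.append(f"size changed by {delta:+d} bytes")
    if (current.date, current.time) != (baseline.date, baseline.time):
        findings.append("time-date stamp changed")
    # The seconds field stores seconds/2, so valid values stop at :58.
    if current.time[2] > 58:
        findings.append(f"impossible seconds value :{current.time[2]:02d}")
    return findings


# Constructed samples: a recorded known-good entry and a suspect one.
KNOWN_GOOD = make_entry("COMMAND", "COM", 25307, (1987, 3, 17), (12, 0, 0))
SUSPECT = make_entry("COMMAND", "COM", 25307 + 1538,
                     (1987, 3, 17), (12, 0, 62))

if __name__ == "__main__":
    good = parse_dir_entry(KNOWN_GOOD)
    now = parse_dir_entry(SUSPECT)
    for finding in compare(good, now) or ["no change from baseline"]:
        print(f"{now.name}: {finding}")
```

Record the known-good entry from a write-protected original DOS
diskette, so the baseline itself cannot be altered.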

     
The psychologically unbalanced individuals writing and uploading
these programs will change their viral methods, so beware.  Many
new viral detection programs are in the works, both commercially
and in the public domain, to keep up with the viral programs.  We
have available, to confirmed SYSOPS, Virus/Trojan information
texts on SCP Business BBS. The Virus text files are ZIPed and can
be File Requested thru FidoNet BBS's as VIRUS-1.ARC & VIRUS-2.ARC.


Simple precautions:

The thing to do is to check the contents of your downloads via
the verbose command of the type of arcer used; make sure ANSI.SYS
is disabled first.  DO NOT DOWNLOAD any files without any
available or known documentation unless you are assured it is safe
by the SYSOP.  Also, do not accept any ARCHIVE or diskette
containing a file named COMMAND.COM. Use VirusScan!!!
 
Remember -- these new TROJANS are no laughing matter.  Without
causing mass hysteria, use your best judgment, and check your
procedures first!

Final note: there is a commercial program called C-4 by InterPath
Corp., which to date will detect and contain ALL known
PC-VIRUSES. So for the ultimate 100% protection get C-4.

                       C-4 by InterPath Corp.
                       4423 Cheeney St.
                       Santa Clara, Calif.
                                       95054
                       1-408-988-3832
                                 was $40.00

                       ----------------------


A word on TROJANS -

In the course of time trojans/viruses have gained MEDIA attention;
unfortunately, RUMORS have always played a major part in their
notoriety. The truth is that those reported are minimal compared
to the vast number of programs out there in the BBS community.
Some are designed to defame people or companies. As an example,
Dorn Stickel has been noted to be a supposed Author of several
TROJANS, but in real life he is not that person. So until a report
is verified, do not assume it is real; at the same time, do not
ignore its existence either. Be cautious with all types of file
transfers in all types of media used.


ANSI TEXT FILES/DOC FILES:

Did you know a TROJAN can be used in DOC and TEXT files?  If your
system is configured for ANSI.SYS in your CONFIG.SYS file, your
keyboard could be redirected or the keys reconfigured.

For example, you could hit the F1 key and the trojan could do a
High Level Format; or hit ALT-X and it will say "del *.* and yes". 
It can answer to the prompts and before you say, "What the
'(&^(~*%' is going on?", your system is deleted. And it can also
hide those commands.

USE A BROWSER OR LISTER PROGRAM WHEN LOOKING AT ANY TEXT/DOC FILE;
even an editor or PC Tools Edit or a Word Processor will work.
This way, no redirection can take place.


ANSI IN ARC FILES:

It has been noted that it is possible to put ANSI redirection
codes within several types of ARCERS used to arc files in the BBS
community. To be safe, do not do a VERBOSE listing of an ARC unless
you make sure ANSI.SYS is disabled in the CONFIG.SYS of your
system. Also, there are several utilities available thru SDS nodes
in FidoNet, such as STRIPZIP, which will take those ANSI codes out
of the ARCed file. A note: current versions of LHARC, PAK, and
PKZIP now default to ANSI display turned OFF, so this helps.
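
A check for the ANSI.SYS key redirection described in the two
sections above, as an added example that is not part of the original
list and is not the code of STRIPZIP or any other tool named here.
It finds keyboard reassignment sequences (ESC [ ... p) in a text
file or archive comment, reports which key each one redefines, and
strips them while leaving ordinary color codes alone. The sample
text is constructed, and it assumes replacement strings are written
in double quotes.

```python
import re

# One ANSI.SYS parameter: a decimal number or a double-quoted string.
PARAM = rb'(?:\d+|"[^"\r\n]*")'
# Keyboard reassignment: ESC [ param ; param ; ... p
KEY_REMAP = re.compile(rb'\x1b\[(' + PARAM + rb'(?:;' + PARAM + rb')*)p')


def _params(body: bytes) -> list:
    """Split a parameter list into ints and byte strings."""
    return [tok[1:-1] if tok.startswith(b'"') else int(tok)
            for tok in re.findall(PARAM, body)]


def _key_name(vals: list) -> tuple:
    """Return (name of the redefined key, replacement parameters)."""
    first = vals[0]
    if (isinstance(first, int) and first == 0 and len(vals) > 1
            and isinstance(vals[1], int)):
        code = vals[1]            # extended key, written as 0;<code>
        name = f"F{code - 58}" if 59 <= code <= 68 else f"extended 0;{code}"
        return name, vals[2:]
    if isinstance(first, int):
        return chr(first), vals[1:]
    return first.decode("cp437"), vals[1:]


def _render(vals: list) -> str:
    """Show what the key would type, with control codes made visible."""
    out = []
    for v in vals:
        if isinstance(v, bytes):
            out.append(v.decode("cp437"))
        elif v == 13:
            out.append("<CR>")
        elif 32 <= v < 127:
            out.append(chr(v))
        else:
            out.append(f"<{v}>")
    return "".join(out)


def find_key_remaps(data: bytes) -> list:
    """List every key reassignment sequence found in the data."""
    findings = []
    for m in KEY_REMAP.finditer(data):
        key, rest = _key_name(_params(m.group(1)))
        findings.append({"offset": m.start(), "key": key,
                         "sends": _render(rest)})
    return findings


def strip_key_remaps(data: bytes) -> bytes:
    """Remove the reassignment sequences, keep everything else."""
    return KEY_REMAP.sub(b"", data)


# Constructed sample: a harmless F1 remap hidden in a colored text file.
SAMPLE = (
    b"DEMO utility documentation\r\n"
    b'\x1b[0;59;"echo F1 was remapped";13p'
    b"\x1b[1;33mThanks for downloading!\x1b[0m\r\n"
    b'\x1b["a";"b"p'
)

if __name__ == "__main__":
    for f in find_key_remaps(SAMPLE):
        print(f"offset {f['offset']}: key {f['key']} "
              f"now sends {f['sends']!r}")
```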

Final Note:

Before we go into the listing: as of the date of this issue, the
Jerusalem Virus seems to be the most notorious or most prominent.
When infected, the way to get rid of the Virus is to run VirusScan
to determine which file it is in, then delete that file and
replace it with a GOOD file.

------------------------------------------------------------------


TITLE DEFINITIONS:

 TROJAN                  These programs PURPOSEFULLY damage a
                         user's system upon their invocation. 
                         They usually aim to disable [Hard] disks,
                         although they can destroy other
                         equipment, too.

 VIRUS                   These programs are the ultimate TROJAN
                         designed to infect as well as destroy
                         the Users system and others that it
                         infects. Its sole purpose is to
                         replicate itself while destroying the
                         system. This term will be used in
                         conjunction with those files that are
                         infected as well as those files that
                         start the virus.

 CAREFUL                 Programs labeled in this manner may or
                         may not be trojans; the question is
                         how they are used. Use caution when
                         running these programs!

 *                       The asterisks will be used to show that
                         the file may or may not be "BAD" or
                         unresolved.


NOTE:  If a file extension is not supplied, that means that the
file circulates under many different extensions.  For instance,
users commonly upload with extensions of .ARC, .PAK, .LZH, .SDN,
.ZOO, .ZIP or as .EXE or .COM file.

 -----------------------------------------------------------------
 |                   TROJAN HORSE PROGRAMS:                      |
 -----------------------------------------------------------------

NAME             CATEGORY  NOTES
--------------   --------  ---------------------------------------
3X3SHR           *TROJAN   Time Bomb type trojan wipes the [Hard]
                           Drive clean. File size is 78848.

ANTI-PCB         *TROJAN   The story behind this trojan horse is
                           sickening.  Apparently one RBBS-PC
                           sysop and one PC-BOARD sysop started
                           feuding about which BBS system is 
                           better, and in the end the PC-BOARD
                           sysop wrote a trojan and uploaded it to
                           the rbbs SysOp under ANTI-PCB.COM.  Of
                           course the RBBS-PC SysOp ran it, and
                           that led to quite a few accusations and
                           a big mess in general.  Let's grow up! 
                           Every SysOp has the right to run the
                           type of BBS that they please, and the
                           fact that a SysOp actually wrote a
                           trojan intended for another simply
                           blows my mind.

ARC2ZIP.EXE        VIRUS   This is a Leigh Virus strain that attacks
                           the COMMAND.COM and is used in 
                           converting ARCed files to ZIPed files.
                           This file also copies itself into the
                           ZIPed file as well as remaining a TSR
                           within the COMMAND.COM. Also it is 
                           always looking for the COMMAND.COM on
                           a FLOPPY diskette. So it has two ways
                           of infection.

ARC513.EXE       *TROJAN   This hacked version of ARC appears
                           normal, so beware!  It will write over
                           track 0 of your [hard] disk upon usage,
                           destroying the disk.

ARC514.COM       *TROJAN   This is totally similar to ARC version
                           5.13 in that it will overwrite track 0
                           (FAT Table) of your [Hard] disk.  Also, I
                           have yet to see an .EXE version of this
                           program.

ARC533.EXE         VIRUS   This is a new Virus program designed to
                           emulate Sea's ARC program. It infects
                           the COMMAND.COM. Leigh Virus Type.

BACKTALK         *TROJAN   This program used to be a good PD
                           utility, but someone changed it to be a
                           trojan.  Now this program will write/
                           destroy sectors on your [hard] disk
                           drive.  Use this with caution if you
                           acquire it, because it's more than
                           likely that you got a bad copy.

B30012A.ARC      *TROJAN   Was supposed to be a Quick BBS utility
                           to handle 300 baud Users. But what it
                           really does is delete many of the
                           general directories used by a Quick
                           BBS system.

CDIR.COM         *TROJAN   This program is supposed to give you a
                           color directory of files on your disk,
                           but it in fact will scramble your
                           disk's FAT table.

D-XREF60.COM      TROJAN   A Pascal Utility used for Cross-
                           Referencing, written by the infamous
                           "Dorn Stickel."  It eats the FAT and
                           BOOT sector after a time period has
                           been met and if the [Hard] Drive is more
                           than half full.

DANCERS.BAS      *TROJAN   This trojan shows some animated dancers
                           in color, and then proceeds to wipe out
                           your [hard] disk's FAT table.  There is
                           another perfectly good copy of
                           DANCERS.BAS on BBS's around the
                           country; apparently the idiot trojan
                           author in question altered a legitimate
                           program to do his dirty work.

DISKSCAN.EXE      TROJAN   This was a PC-MAGAZINE program to scan
                           a [hard] disk for bad sectors, but then
                           a joker edited it to WRITE bad sectors. 
                           Also look for this under other names
                           such as SCANBAD.EXE and BADDISK.EXE.  A
                           good original copy is available on SCP
                           Business BBS.

DMASTER          *TROJAN   This is yet another FAT scrambler.

DOSKNOWS.EXE     *TROJAN   I'm still tracking this one down --
                           apparently someone wrote a FAT killer
                           and renamed it DOSKNOWS.EXE, so it
                           would be confused with the real,
                           harmless DOSKNOWS system-status
                           utility.  All I know for sure is that
                           the REAL DOSKNOWS.EXE is 5376 bytes
                           long.  If you see something called
                           DOSKNOWS that isn't close to that size,
                           sound the alarm.

DOS-HELP          TROJAN   This trojan, when made memory-resident,
                           is supposed to display a DOS command
                           with which the User needs help.
                           Works fine on a Diskette system but on
                           a [Hard] DRIVE system tries to format the
                           [Hard] Disk with every access of
                           DOS-HELP.

DPROTECT         *TROJAN   Apparently someone tampered with the
                           original, legitimate version of
                           DPROTECT and turned  it into a
                           FAT-table eater. A good version is
                           available on SCP Business BBS.

DRAIN2           *TROJAN   There really is a DRAIN program, but
                           this revised program goes out and does
                           a Low Level Format while it is playing
                           the funny program.

DROID.EXE        *TROJAN   This trojan appears under the guise of
                           a game.  You are supposedly an 
                           architect that controls futuristic
                           droids in search of relics.  In fact, 
                           PC-Board sysops, if they run this
                           program from C:\PCBOARD, will find that
                           it copies C:\PCBOARD\PCBOARD.DAT to
                           C:\PCBOARD\HELP\HLPX.  In case you were
                           wondering, the file size of the .EXE
                           file is 54,272 bytes.

DRPTR.ARC         TROJAN   File found on two boards in the 343
                           Net.  After running the unsuspected file,
                           the only things left in the Sysop's
                           root directory were the subdirectories
                           and two of the three DOS System files,
                           along with a 0-byte file named
                           WIPEOUT.YUK.  The Sysop's COMMAND.COM
                           was located in a different directory;
                           the file date and CRC had not changed.

DSZ (Patch)     *CAREFUL   The author of this protocol program,
                           Chuck Forsberg, warns that anyone using
                           an Unregistered version of DSZ that was
                           HACKED with a downloaded PATCH to make
                           it work fully, might result in a
                           SCRAMBLED FAT TABLE. Seems someone
                           created the HACK PATCH and then U/L'd
                           it to BBS's.  *BEWARE* of the PATCH! 
                           It is not the DSZ program that does the
                           dirty work, but the PATCH.

EGABTR           *TROJAN   BEWARE! Description says something like
                           "improve your EGA display," but when
                           run, it deletes everything in sight and
                           prints, "Arf! Arf! Got you!"

EMMCACHE        *CAREFUL   This program is not exactly a trojan,
                           but it (v. 1.0) may have the capability
                           of destroying [Hard] disks by:
                           A) Scrambling every file modified after
                           running the program.
                           B) Destroying boot sectors.
                           This program has damaged at least two
                           [Hard] disks, yet there is a base of
                           happily registered users.  Therefore, I
                           advise extreme caution if you decide 
                           to use this program.

FILER.EXE        *TROJAN   One SysOp complained a while ago that
                           this program wiped out his 20 Megabyte
                           [Hard] disk.  I'm not so sure that he was
                           correct and/or telling the truth any
                           more.  I have personally tested an
                           excellent file manager also named
                           FILER.EXE, and it worked perfectly. 
                           Also, many other SysOp's have written
                           to tell me that they have, like me, used
                           a FILER.EXE with no problems.  If you
                           get a program named FILER.EXE, it is
                           probably alright, but better to test it
                           first using some security measures.

FILES.GBS        CAREFUL   When an OPUS BBS system is installed
                           improperly, this file could spell
                           disaster for the Sysop.  It can let a
                           user of any level into the system.
                           Protect yourself.  Best to have a
                           sub-directory in each upload area
                           called c:\upload\files.gbs (this is an
                           example only). This would force Opus to
                           rename a file upload of files.gbs and
                           prevent its usage.

FINANCE4.ARC    *CAREFUL   This program is not a verified trojan;
                           there is simply a file going around
                           BBS's warning that it may be a trojan. 
                           In any case, exercise extreme care with
                           it.

FLU4TXT.COM       TROJAN   Man, when I thought we had it licked!
                           This Trojan was inserted into the
                           FluShot4.ARC and uploaded to many
                           BBS's.  FluShot is a protector of your
                           COMMAND.COM. The Author of FluShot
                           posted this Trojan Warning, and I am
                           posting it here in the DD.  If you need
                           a good copy, you can get it from here--
                           SCP Business BBS--or on COMPUSERVE.  As
                           to date, 07/05/89 FSP_16.ZIP FluShot Plus
                           v1.6 is the current version, not the
                           FluShot4.ARC which is Trojaned.

FUTURE.BAS       *TROJAN   This "program" starts out with a very
                           nice color picture (of what, I don't
                           know) and then proceeds to tell you
                           that you should be using your computer
                           for better things than games and
                           graphics.  After making that point, it
                           trashes your A: drive, B:, C:, D:, and
                           so on until it has erased all drives. 
                           It does not go after the FAT alone; it
                           also erases all of your data.  As far
                           as I know, however, it erases only one
                           sub-directory tree level deep, thus
                           [Hard] disk users should only be
                           seriously affected if they are in the
                           "root" directory.  I'm not sure about
                           this one either, though.

GATEWAY2         *TROJAN   Someone tampered with the version 2.0
                           of the CTTY monitor GATEWAY.  What it
                           does is ruin the FAT.  If you need a
                           good copy, you can file request it or
                           pick one up from 105/301--SCP Business
                           BBS--at 1-503-648-6687.

GRABBER           TROJAN   This program is supposed to be a SCREEN
                           CAPTURE program that copies the screen
                           to a .COM to be run later from the DOS
                           command line - and as a TSR it will
                           also attempt to do a DISK WRITE to [Hard]
                           drive when you do not want it to.  It
                           will wipe whole Directories when doing
                           a normal DOS command.  One sysop who
                           ran it lost all of his ROOT DIR
                           including his SYSTEM files. The file
                           status is :
                           Name         Size  Date      Time
                           GRABBER.COM  2583  05/28/87  22:10

GRASPRT.EXE        VIRUS   This file was in a porno file called
                           SEXSHOE.LZH - originated off the
                           PC-ECEX BBS; the sysop took it off, but
                           it was D/L'd by a few Users. This
                           infection is of the Jerusalem-B Virus
                           strain.
                           The status is:
                           Name         Size   Date      Time
                           GRASPRT.EXE  73376  06/03/86  09:49

G-MAN            *TROJAN   Another FAT killer.

KC-PAL.COM        TROJAN   Infects the COMMAND.COM then attaches
                           to any .COM file afterwards using the
                           COMMAND.COM during its use of Internal
                           commands (COPY, DIR, TYPE, etc.). The
                           COMMAND.COM file is enlarged in size
                           by 1538 bytes and in the Time column
                           of the directory listing the seconds
                           are reset from :00 to :62.

LM               *TROJAN   Deletes the COMMAND.COM and other
                           files from the ROOT directory of the 
                           [Hard] Drive when the program runs.

MAP               TROJAN   This is another trojan horse written by
                           the infamous "Dorn Stickel." Designed
                           to display what TSR's are in memory and
                           works on FAT and BOOT sector. Also
                           seems to work only when the [Hard] Drive
                           is 50% or more full.

MATHKIDS.ARC     *TROJAN   This is a fairly benign trojan that
                           will not reformat your [Hard] disks or do
                           any system-level damage.  It is instead
                           designed to crack a BBS system.  It
                           will attempt to copy the USERS file on a
                           BBS to a file innocently called
                           FIXIT.ARC, which the originator can
                           later call in and download.  Believed
                           to be designed for PCBoard BBS's.

NOTROJ.COM       *TROJAN   This "program" is the most sophisti-
                           cated trojan horse that I've seen to
                           date.  All outward appearances indicate
                           that the program is a useful utility
                           used to FIGHT other trojan horses. 
                           Actually, it is a time bomb that erases
                           any [Hard] disk FAT table that IT can
                           find, and at the same time, it warns:
                           "another program is attempting a
                           format, can't abort!"  After erasing the
                           FAT(s), NOTROJ then proceeds to start a
                           low level format. One extra thing to
                           note: NOTROJ only damages FULL [Hard]
                           drives; if a [Hard] disk is under 50%
                           filled, this program won't touch it! 
                           If you are interested in reading a
                           thorough report on NOTROJ.COM, James H.
                           Coombes has written an excellent text
                           file on the matter named NOTROJ.TXT. 
                           If you have trouble finding it, you
                           can get it from SCP Business BBS.

PACKDIR          *TROJAN   This utility is supposed to "pack"
                           (sort and optimize) the files on a
                           [hard] disk, but apparently it
                           scrambles FAT tables.

PCW271xx.ARC     *TROJAN   A modified version of the popular
                           PC-WRITE word processor (v. 2.71) has
                           now scrambled at least 10 FAT tables
                           that I know of.  If you want to
                           download version 2.71 of PC-WRITE, be 
                           very careful!  The bogus version can be
                           identified by its size; it uses 98,274
                           bytes whereas the good version uses
                           98,644.  For reference, version 2.7 of
                           PC-WRITE occupies 98,242 bytes.

PKX35B35.ARC }   *TROJAN   This was supposed to be an update to
PKB35B35.ARC }    *VIRUS   PKARC file compress utility - which
                           when used *EATS your FATS* and is, or
                           at least is RUMORED, to infect other files
                           so it can spread - possible VIRUS?

PKPAK/PKUNPAK   *CAREFUL   There is a TAMPERED version of 3.61
  v3.61                    that when used interferes with the PC's
                           interrupts.

PKFIX361.EXE     *TROJAN   Supposed patch to v3.61 - what it really
                           does, when extracted from the .EXE, is
                           a DIRECT access to the DRIVE CONTROLLER
                           and a Low-Level format, thereby
                           bypassing checking programs.

PK362.EXE      *CAREFUL    This is a NON-RELEASED version and is
                           suspected as being a *TROJAN* - not
                           verified.

PK363.EXE      *CAREFUL    This is a NON-RELEASED version and is
                           suspected as being a *TROJAN* - not
                           verified.

PKZ100.EXE       TROJAN    Supposed to be a new release of PKZIP
                           but what it really does is fill up
                           your [Hard] drive with as many
                           directories as it can, until the system
                           no longer functions. The current version
                           is PKZIP v.092 not the v1.0.

QUIKRBBS.COM    *TROJAN    This Trojan horse advertises that it
                           will install a program to protect your
                           RBBS but it does not.  It goes and eats
                           away at the FAT.

QUIKREF         *TROJAN    This ARChive contains ARC513.COM.
                           Loads RBBS-PC's message file into
                           memory two times faster than normal. 
                           What it really does is copy RBBS-PC.DEF
                           into an ASCII file named HISCORES.DAT.

RCKVIDEO        *TROJAN    This is another trojan that does what
                           it's supposed to do, and then wipes out
                           [Hard] disks.  After showing some simple
                           animation of a rock star ("Madonna," I
                           think), the program will go to work on
                           erasing every file it can lay its
                           hands on.  After about a minute of
                           this, it will create three ascii files
                           that say "You are stupid to download a
                           video about rock stars," or something
                           of the like.

SECRET.BAS      *TROJAN    BEWARE!! This may be posted with a note
                           saying it doesn't seem to work, and
                           would someone please try it; when you
                           do, it formats your disks. 

SIDEWAYS.COM    *TROJAN    Be careful with this trojan; there is a
                           perfectly legitimate version of
                           SIDEWAYS.EXE circulating.  Both the
                           trojan and the good SIDEWAYS advertise 
                           that they can print sideways, but
                           SIDEWAYS.COM will trash a [hard] disk's
                           boot sector instead.  The trojan .COM
                           file is about 3 KB, whereas the
                           legitimate .EXE file is about 30 KB
                           large.

STAR.EXE        *TROJAN    Beware RBBS-PC SysOps!  This file puts
                           some stars on the screen while copying
                           RBBS-PC.DEF to another name that can be
                           downloaded later!

STRIPES.EXE     *TROJAN    Similar to STAR.EXE, this one draws an
                           American flag (nice touch), while it's
                           busy copying your RBBS-PC.DEF to
                           another file (STRIPES.BQS) so the joker
                           can log in later, download STRIPES.BQS, 
                           and steal all your passwords.  Nice,
                           huh!

SUG.COM          TROJAN    This one is supposed to go out and
                           unprotect copy-protected program disks
                           by Softguard Systems, Inc.  After it
                           trashes your disk it comes back and
                           displays:
                           "This destruction constitutes a prima
                           facie evidence of your violation.  If
                           you attempt to challenge Softguard
                           Systems Inc..., you will be vigorously
                           counter-sued for copyright infringement
                           and theft of services."
                           AND it by-passes any attempt by
                           CHK4BOMB to search for any hidden
                           messages that tell you, "YOU BEEN
                           HAD..." or "GOTCHA>>> Ar..Ar..Ar..";
                           it encrypts the Gotcha message so no
                           Trojan checker can scan for it.

TIRED           *TROJAN    Another scramble-the-FAT trojan by Dorn
                           W. Stickel.

TOPDOS          *TROJAN    This is a simple high level [hard] disk
                           formatter.

TSRMAP          *TROJAN    This program does what it's supposed to
                           do:  give a map outlining the location
                           (in RAM) of all TSR programs, but it
                           also erases the boot sector of drive
                           "C:".

ULTIMATE.EXE     TROJAN    Another FAT eater - File status:
                           Name         Size
                           ULTIMATE.EXE 3090
                           ULTIMATE.ARC 2432

UNIX              VIRUS    The UNIX operating system by Berkeley,
                           version 4.3, is an INTERNET virus; a
                           Patch is available on SCP Business
                           BBS. This is a MAIL PACKET VIRUS.

VDIR.COM        *TROJAN    This is a disk killer that Jerry
                           Pournelle wrote about in BYTE Magazine. 
                           I have never seen it, although a
                           responsible friend of mine has.

WOW              *VIRUS    Also known as the 1701 Virus. This
                           is a new strain of the Lehigh Virus
                           as it not only looks for the
                           COMMAND.COM but any .COM file. As it
                           does so, the infected file is enlarged
                           by 1,701 bytes in SIZE. The infection
                           takes hold as you run the .COM; WOW is
                           a TSR. What it does when you run WOW
                           is display an advertisement:
                           ""The Wizards of Warez"
                             in assocoation with
                                the copycats
                            the Pirates Unlimited
                                    OUTRUN
                           WOW                     1989 "
                           The virus is also known as WOWTITLE.


 -----------------------------------------------------------------
 |                If you run a trojan horse.....                 |
 -----------------------------------------------------------------

While reading this, bear in mind that there is no better remedy
for a drive that has run a trojan horse and been damaged than a
recent backup.

The first thing to do after running what you think to be a trojan
horse is to diagnose the damage.  Was your [hard] drive formatted? 
Did the trojan scramble your FAT table?  Did every file get
erased?  Did your boot sector on the [hard] drive get erased/
formatted?  Odds are that the trojan incurred one of these four
disasters.  After the initial diagnosis, you are ready to remedy
the problem.

1)   If the trojan low-level formatted your [hard] disk:
     Hope that you have a recent backup; that's the only sure
     remedy for this disease.

2)   If the trojan high-level formatted your [hard] disk:  
     There is only one way out of this mess, and that is to use
     the MACE+ utilities by Paul Mace.  MACE+ has two devices in
     it to recover formatted disks, and believe me, they work!  I
     will talk more about the MACE+ utilities later.

3)   If the trojan scrambled your FAT table:
     Once again, there is nothing to do.  However, there is a
     program called FATBACK.COM (available on my board named as
     FATBACK.ZIP) that will back up your FAT table in under a
     minute to floppy.  Using FATBACK, it is easy and non time
     consuming to back up your FAT regularly.

4)   If the trojan erased file(s), and the FAT table is undamaged: 
     There are many packages to undelete deleted files.  Norton
     Utilities, PC-Tools, MACE+, and there are others that'll do
     the job.  I recommend the first three; they are commercially
     available at most computer software stores or mail-order
     stores. When you are undeleting, be sure to undelete files in
     the order of last time written to disk.

5)   If the boot sector on your [hard] disk gets erased/formatted:
     There are four things to do if this happens, and the worst
     that can happen is that you will go without a [hard] disk for
     a while.  To be on the safest side, back up everything before
     even proceeding to step "A," although I can not see why it
     would be necessary.

     A)   Try doing a "SYS C:" (or "SYS A:") from your original
          DOS disk, and copy COMMAND.COM back onto the [hard]
          drive after that.  Try booting, and if that doesn't
          work, try step B.

     B)   If you have the MACE+ utilities, go to the "other
          utilities" section and "restore boot sector."  This
          should do the job if you have been using MACE+
          correctly. If using PCTOOLS Deluxe, use the MIRROR
          REBUILD utility function.

     C)   If you are still stuck, BACK UP EVERYTHING and proceed
          to do a low-level format.  Instructions on how to
          perform a low-level format should come with your [hard]
          disk controller card.  Be sure to map out bad sectors
          using either SCAV.COM by Chris Dunford or by manually
          entering the locations of bad sectors into the low-level
          format program.  After the low level format on your hard 
          disk, run FDISK.COM (it comes with DOS) and create a DOS
          partition.  Refer to your DOS manual for help in using
          FDISK.  Then put your original DOS diskette in drive A:
          and do a FORMAT <drive letter>:/S/V.  Drive letter can
          stand for "C" or "B" depending on whether you are
          reformatting a [Hard] disk or not.  Finally you are ready
          to attempt a reboot.

     D)   If you are still stuck, either employ some professional
          computer repair person to fix your drive, or live with a
          non-bootable [hard] drive.


A few words of caution on prevention:

1) Get the protection programs from a RELIABLE source.  Always ask
about any unknown program - virus protection or otherwise - before
downloading or running it. Know your source! Get it from SDN
FidoNet nodes if they come thru SDN.

2) Don't let down your guard!  Most virus protection programs
intercept specific types of activities (disk writes, for example)
or specific viruses (such as Apple's VirusRX targeting the Scores
virus). So USE A VIRAL CHECKER when running new BBS programs. Use
**  VirusScan! **

3) Make periodic file listings and compare them regularly to
prior listings.  Look for unusual changes or unfamiliar files
like Hidden or System files.  INVESTIGATE ANYTHING OUT OF THE
ORDINARY! Is your system slowing down or failing all the time?

4) BACKUP - BACKUP - BACKUP!  Keep current backups.  I know, I
know.  Everyone tells you, even your mom (smile).  At least make
regular copies of your most important databases and files and
most importantly KEEP your OLD COPIES around a little longer
just to be on the safe side.  I have a set devoted to strictly a
MASTER BACKUP in case my system's current backup is bad.  Then all
is not lost as I have a MASTER to put me back up.

5) Don't run programs that you got off a BBS on your BOSS's
machine! Use your own PC first. This could save you the
embarrassment of facing his ugly mug (smile) and losing your
job. Many companies now have policies regarding this.

6) Never run or access a diskette that might contain the SYSTEM
files. These may be contaminated and could infect your system.
Know your source! Same goes for the COMMAND.COM.

7) USE WRITE PROTECT TABS! A virus can't infect something it
can't write to. Use them; they are the cheapest method of
prevention.
 
  REMEMBER: The Best Defense is Good * BACKUP *
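
Prevention step 3 above, as an added example that is not part of the original list: a Python sketch that records a file listing, saves it, and compares a later listing against it, flagging new, hidden, missing and changed files, and any .COM file that grew by the 1,701 bytes the WOW entry describes. The function names, finding labels and the scratch directory contents are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

WOW_GROWTH = 1701             # .COM growth the list reports for the WOW / 1701 virus
HIDDEN_OR_SYSTEM = 0x2 | 0x4  # Windows FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def take_listing(root):
    """Map each file under root to its size, SHA-256 and hidden/system flag."""
    listing = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = Path(dirpath, name)
            data = full.read_bytes()
            # st_file_attributes exists only on Windows; elsewhere treat dotfiles as hidden
            attrs = getattr(full.stat(), "st_file_attributes", 0)
            hidden = bool(attrs & HIDDEN_OR_SYSTEM) or name.startswith(".")
            listing[full.relative_to(root).as_posix()] = {
                "size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "hidden": hidden}
    return listing

def save_listing(listing, path):
    Path(path).write_text(json.dumps(listing, indent=1, sort_keys=True))

def load_listing(path):
    return json.loads(Path(path).read_text())

def compare_listings(old, new):
    """Return sorted (finding, path, size_delta) tuples worth investigating."""
    findings = []
    for path, cur in new.items():
        prev = old.get(path)
        if prev is None:
            findings.append(("NEW-HIDDEN" if cur["hidden"] else "NEW", path, cur["size"]))
        elif cur["sha256"] != prev["sha256"]:
            delta = cur["size"] - prev["size"]
            is_com = path.lower().endswith(".com")
            kind = "COM-GREW-1701" if is_com and delta == WOW_GROWTH else "CHANGED"
            findings.append((kind, path, delta))
    findings += [("MISSING", p, -old[p]["size"]) for p in old if p not in new]
    return sorted(findings)

def demo():
    """Constructed sample: baseline a scratch directory, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for name, size in (("COMMAND.COM", 25307), ("EDIT.COM", 4000), ("README.TXT", 120)):
            Path(root, name).write_bytes(b"\x90" * size)
        baseline = Path(store, "listing.json")   # kept outside the watched directory
        save_listing(take_listing(root), baseline)
        edit = Path(root, "EDIT.COM")
        edit.write_bytes(edit.read_bytes() + b"\x00" * WOW_GROWTH)  # simulated growth
        Path(root, ".HISCORES.DAT").write_bytes(b"constructed")     # unfamiliar hidden file
        Path(root, "README.TXT").unlink()
        return compare_listings(load_listing(baseline), take_listing(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keep the saved listing on write-protected media, in line with step 7, so a program that alters files cannot also alter the baseline they are compared against.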


 -----------------------------------------------------------------
 |                       Update History:                         |
 -----------------------------------------------------------------

Version 1.0a   The first list of The Guardian compiled from the
               Dirty Dozen List and from the DIRTY_DOZEN echo
               conference. The Guardian List will be distributed
               thru FidoNet and LCRNET. It, unlike the Dirty
               Dozen List, is comprised of only Trojans and
               Viruses and is sent out more often than The Dirty
               Dozen List. Added PK100.EXE, B30012A.ARC.

Version 1.0b  Added plug for SDNet/Works!, and a plug for
              VirusScan utility. Added GRASPRT.EXE, KC-PAL.COM

 -----------------------------------------------------------------
 |                           Glossary:                           |
 -----------------------------------------------------------------


I have intended this glossary for the beginning to intermediate   
user; all experienced BBS users will be bored to death with this. 

?Q?            --   (? standing for any character).  File
                    extension for SQueezed files.  Squeezed files
                    are unusable until unsqueezed by a utility
                    such as NUSQ.COM or USQ.COM.  The advantage of
                    a SQueezed file is that it is smaller than a
                    regular UnSQueezed file, thus saving disk
                    space and download time.  ARChives are more
                    efficient than Squeezed files; that's why
                    there are so many more ARChives on BBS's these
                    days.  Example of the extensions of SQueezed
                    files:  .EQE, .CQM, .LQR, .TQT, .DQC, etc.
ABBRV          --   Abbreviation for the word: "abbreviation".
ARC            --   File extension for an ARChive file -- many
                    files combined together to save space and
                    download time that require ARC.EXE,
                    PKXARC.COM, ARCE.COM, or ARCLS.EXE to separate
                    the files in to runnable and readable (in the
                    case of text) form.
BAS            --   Abbrv for "BASIC," as in the programming
                    language.
BBS            --   Abbrv for "Bulletin Board System".
BBS's          --   Abbrv for "Bulletin Board Systems".
BOARD          --   Also "Bulletin Board System".
BOGUSWARE      --   Software that is damaging to one or more
                    parties.
BOOT or        --   To boot a computer is to restart it from
 REBOOT             scratch, erasing all TSR programs.  One
                    reboots by either powering off and then back
                    on, or pressing ctrl-alt-del at the same time.
BYTES          --   Bytes measure the length of a file, with one
                    byte equaling one character in a file.
CACHE [disk]   --   Area of memory set aside to hold recent data.
                    All programs then read recent data from that
                    memory rather than from disk.
CLUSTER        --   A physical block on all [hard] disks, composed
                    of sectors, that holds data.
COM            --   File extension for a file that is executable
                    from DOS level.
DD             --   Abbrv for "dirty dozen".
DOC            --   Abbrv for "documentation".
EMS            --   Enhanced Memory Specification. An EMS card
                    holds 2 MB extra memory.
EXE            --   File extension for a file that is executable
                    from DOS level.
FIDONET        --   A network designed and created by Tom
                    Jennings and his software. A TRADEMARK.
HACKED         --   A program that has been changed in some way by
                    another person or program.
HIGH-LEVEL     --   This type of format is what most computer
 FORMAT             users view as a regular DOS-format.  That is,
                    formatting a disk using FORMAT.COM (included
                    with DOS) is a high-level format.
IBM            --   Abbrv for International Business Machines
IBM OR COMP    --   IBM computer or a 99% or greater IBM
                    Compatible computer.
KB OR K        --   Abbrv for "KiloBytes," one Kb equals 1024
                    bytes.
LBR            --   Extension on Library files.  Library files are
                    really many combined files like ARChives, but
                    they require different utilities to extract
                    the individual files. Some examples of such
                    utilities are LUU.EXE, LUE.EXE, LAR.EXE, AND
                    ZIP.EXE.  See "ARC".
LOW-LEVEL      --   This type of format is only executed on a [Hard]
 FORMAT             disk; therefore, most [Hard] disk low-level
                    format programs come only with a [Hard] disk
                    controller card.  There are a few PD low-level
                    formatting packages, though.  Most
                    manufacturers low level format their [Hard]
                    drives at the factory.  Low level formatting
                    is the first step in the three-part formatting
                    process; the second step is to use FDISK, and
                    the third is to execute a high-level format.
MB             --   Abbrv for "Megabytes," or "millions of bytes."
MISC           --   Abbrv for "miscellaneous".
OPTIMIZE       --   To make all files on a disk "contiguous," or
                    physically linked together on a [hard] drive.
PAK            --   An alternate ARCer used in the BBS community.
PATCH          --   A file that is patched (combined) into another
                    file to change the original file in some way.
PD             --   Abbrv for "Public Domain".
PIRATED        --   An altered program that normally is sold but
                    hacked to resemble a PD program.
RAM            --   Abbrv for "Random Access Memory."  (memory
                    used by software).
RBBS           --   Abbrv for RBBS-PC, a type of BBS (Remote
                    Bulletin Board System).
ROM            --   Abbrv for "Read Only Memory" (memory used by
                    hardware to boot).
SDN            --   File extension used by SDNet/Works! to
                    identify SDNet/Works! published ShareWare
                    files. These files are direct from the Author
                    and should be Virus/Trojan free if obtained
                    from a participating SDNet/Works! BBS.
SDS            --   System Distribution System. A FidoNet
                    subsystem that is used to distribute BBS
                    software and utilities and newsletters.
SYSOP          --   Abbrv for SYStem OPerator of a BBS.
TROJAN         --   Program used to destroy or hamper a computer
                    in some manner.
TSR            --   Abbrv for "Terminate and Stay Resident";
                    Synonym = "Memory Resident".
TXT            --   Abbrv for "text".
USU            --   Abbrv for "usually".
UNP            --   Abbrv for "unprotect".
UNPROTECT      --   An "unprotect file" is a patch file that
                    results in the breaking of copy protection (no
                    doubt for backup purposes).
UTIL           --   Abbrv for "utility".
VIRUS/WORM     --   The Ultimate Trojan! Designed to infect the
                    computer system and to replicate itself to
                    survive.
ZIP            --   An alternate ARCer used by the BBS community.
ZOO            --   All files compressed with ZOO.EXE bear this
                    file extension.  ZOO-compressed files are NOT
                    compatible with ARC.EXE.


                        << End of file >>
