                  From the files of the Hack Squad:
                          The Hack Report
                   -----------------------------
                    Report Date: March 13, 1992

  Welcome to the ninth issue of The Hack Report.  This is a series
  of reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by
  the FidoNet International Shareware Echo and the author of the report.

| As usual, there is important new information in this week's
| edition.  Another virus scanner gets hacked, two problem game
| files appear, and your intrepid Hack Squad chief actually gets his
| hands on a previously reported hoax program.  Thanks to everyone
| who has helped put this report together.  If you have any
| comments, please NetMail me at 1:382/87.

| NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin
| on your BBS, subject to these conditions:

|            1) the latest version is used,
|            2) it is posted in its entirety, and
|            3) it is not altered in any way.

| NOTE TO OTHER READERS: The Hack Report (file version) may be freely
| uploaded to any BBS, subject to the above conditions, and only if
| you do not change the filename.  You may convert the archive type
| as you wish, but please leave the filename in its original HKRP???.*
| format.

| The idea is to make this information available freely.  However,
| please don't cut out the disclaimers and other information if you
| use it, or confuse the issue by spreading the file under different
| names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee
  of the files' safety or fitness for use.  Someone out there might
  just be sick-minded enough to upload a Trojan with an "official"
  file name, so >scan everything you download<!!!  The author of
  this report will not be responsible for any damage to any system
  caused by the programs listed as Official Versions, or by anything
  using the name of an Official Version.

  Now that the Draconian stuff is out of the way, let's get to the
  report!

  *****************************************************************

  Here are the latest versions of some programs known to have hacked
  copies floating around.  Archive names are listed when known, along
  with the person who reported the fraud (thanks from us all!).

   Program              Hack(s)            Latest Official Version
   -------              -------            -----------------------
   CatDisk              CDISK510                   CDISK615
                        CDISK530

   CompuShow            CSHOW801                   CSHW841A
                        CSHOW831
                        CSHOW851
      Reported By:  Paul Brazil
      (Note:  Any version ending with a B, such as CSHW841B, is _not_
       a shareware version.  This is the enhanced version received
       with the user's registration and is not to be distributed.
       Consider all B archives to be pirated copies.)

   PKZip                PKZIP120                   PKZIP110
                        PKZIP20B
      Reported by: Fred Towner (1:134/73)
      (Note:  Version 1.93a is official, but is a wide alpha test
       release.  According to Joe Pantuso of PKWare Tech Support,
       version 2.0 is not out yet, either:  ignore all magazine ads
       to the contrary.)

   QEdit Advanced       XEDIT                      QEDIT215
      Reported by:  Sammy Mitchell, Author
      (thanks to Rand Nowell and Joe Morlan for relaying the report)

   Telegard Security    TGSEC16                    TGSEC17
         Package
      Reported by: Scott Raymond (1:278/624)

   Telix                Telix v3.20                Telix v3.15
                        Telix v3.25
      Reported by: Brian C. Blad (1:114/107)
                       *Telix v4.00
                        Telix v4.15
      Reported by: Barry Bryan (1:370/70)
                        Telix v4.25
                        MegaTelix
      (* - hack reported seen, but not confirmed; anyway,
       4.0 is NOT official yet.)

   TheDraw              TDRAW430                   TDRAW401
                        TDRAW500
      Reported By:  Ian Davis, Author

   Turbo Antivirus      Version 9.00b              Version 8.10
                        Version 9.01a
                        (Archive names unknown)
      Reported by: Thomas Ruess (2:246/24)

   X00 Fossil           X00V130                    X00V124
                        X00V130J


  ================================================================

                            Hoax Alert:

| Believe it or not, we have a bit of new information on the XTRATANK
| program.  Tim Fitzgerald of 1:3800/18.0 reports that the doc file
| in the archive lists a company name and address.  Here it is:

|               Tri-Star Software, Inc.
|               1626 No. Wilcox Ave. Suite #198
|               Los Angeles, CA 90028

| Also, a version number (1.14) is listed.  Tim says that the first
| paragraph of the documentation says that the program is "NOT A HOAX."
| If someone in the Los Angeles area would please look into this,
| you would have the eternal gratitude of the Hack Squad and of users
| everywhere.  However, until some verification of the above company
| is received, the status of XTRATANK will remain the same based on
| the overwhelming amount of reports.  Consider it a hoax that doesn't
| work.


  A version of BiModem calling itself BIMOD126 has been spotted by
  your intrepid Co-Moderator.  It is really a renamed archive of
  the files from v1.24, with some .LZH SFXs inside to make it look
  real.  This is more of a trick than a hack.  Look for version
  1.24 (BIMOD124) for the real thing.


  Also on the COMM frontier, a text file describing how to upgrade a
  2400 modem to a 9600 has been circulating.  Another similar file
  about converting from 2400 to 14400 has been seen.  If you like
  your modem, please ignore the file: it has been confirmed to be a
  sick joke (one author's alias, "Death Bringer", should be a sure
  tip-off).  Look for and avoid files with names like 2496.ZIP, etc.


  Suriya Matsuda and Jacob Kanafoski have reported the existence of
  a shareware Amiga Emulator which appears to be a joke.  It is
  supposed to allow IBM/Clones to read Amiga Workbench Disks, but it
  seems to do nothing.  Derek Vanmunster of 1:229/418 has seen this
  in his area:  the filename is AMIGA.*.  The file contains an ad for
  a BBS with the names Pig Killer, The Master, and Sicko.  The last
  one in that list is quite appropriate.  Anyway, he says the program
  is harmless except for the fact that it locks up when run.

| Thanks to Jeff Hancock of 1:3600/7, your intrepid Hack Squad now
| possesses a copy of this file.  I looked at it with a file viewer,
| and it has a lot of text in it that looks like it could be "Amiga-
| related."  However, its behavior is confirmed.  It displays a picture
| of an Amiga Workbench disk on your screen, then spins your A: drive
| and locks your system.  Nothing destructive, but nothing useful,
| either.


  Paul Reimche, at 1:206/2404 reported on 2-19-92 the existence of a
  program called CREDITFX.* .  This is, according to Paul, a program
  that promises to repair your credit.  To do this, you are asked to
  buy the full program for $39.00.  Paul said he called to check on
  his order and the number was disconnected.  Sounds like a good file
  to avoid.


                          The Trojan Wars

| A followup on last week's lesson:  apparently, a "dropper" is a
| file that actually does something it says it will do, but also
| "drops" a virus into your system.  A true Trojan Horse does nothing
| but make life miserable for you, your system, and your intrepid
| Hack Squad.  We try to stomp them all, just the same.


| This week's battle begins with a report from Derek Vanmunster at
| 1:229/418.  The archive is MONOP3-0.*, and claims to be Monopoly
| for Windows.  Derek says that this is a Trojan that attempts to
| format your C: drive when you execute a batch file in the archive.
| The file size is 68792 bytes, and the internal files are as follows
| (as quoted from Derek's report):

| INSTALL.BAT    MDUIHEG1.LBM \
| MDUICG1.PCX    MDUIHEG2.LBM   \  These are graphics files from a
| MDUICG2.PCX    MDUITAG1.LBM   /  commercial version of Monopoly.
| MDUIEG2.LBM    MDUITAG2.LBM /

| MONOP1.COM   - This is a renamed version of STACKEY v2.01, a program
|                that feeds keystrokes into the keyboard buffer.
| MONOPOLY.COM - This is a renamed version of FORMAT.COM from DOS 4.01
| README!!.BAT - This is the batch file that sets the Trojan in motion.
|                It contains the following line:
|                MONOP1 "MONOPOLY C:" CR W25 "YES" CR

| Derek goes on to say that when README!!.BAT is run, the combination
| of FORMAT and STACKEY tries to format your hard drive without your
| knowledge.  However, this will fail if you aren't running DOS version
| 4.01.  Also, if your hard drive has a volume label, you will be
| prompted to type in the label (don't do it - your disk will be
| formatted if you do what it asks!).  So, do yourself a favor:  avoid
| this file, and put a volume label on your HD (just in case).
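
  The README!!.BAT line above can be checked for mechanically.  The
  following Python sketch is an added example, not part of Derek's
  report or of The Hack Report; its function names are hypothetical,
  and the reading of the tokens (quoted text is typed, CR is Enter,
  anything else such as W25 types nothing) is an assumption drawn
  from the one line quoted.

```python
import re

# Constructed sample input: the batch line and file names quoted in the report.
SAMPLE_BAT = 'MONOP1 "MONOPOLY C:" CR W25 "YES" CR\n'
SAMPLE_ARCHIVE = ["INSTALL.BAT", "MONOP1.COM", "MONOPOLY.COM", "README!!.BAT"]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted string or a bare word
DRIVE = re.compile(r'\b[A-Za-z]:')       # a drive letter such as C:
AFFIRM = {"Y", "YES"}                    # canned confirmations


def typed_lines(args):
    """Rebuild the lines a keystroke stuffer would type from its arguments.

    Assumed token meanings: "text" is typed, CR presses Enter, and any
    other bare token (for example W25) types nothing.
    """
    lines, current = [], ""
    for m in TOKEN.finditer(args):
        if m.group(1) is not None:
            current += m.group(1)
        elif m.group(2).upper() == "CR":
            lines.append(current)
            current = ""
    if current:
        lines.append(current)
    return lines


def scan_batch(bat_text, archive_names):
    """Flag batch lines that script a command with a drive argument and
    then pre-answer its confirmation prompt."""
    runnable = (".COM", ".EXE", ".BAT")
    stems = {n.upper().rsplit(".", 1)[0] for n in archive_names
             if n.upper().endswith(runnable)}
    findings = []
    for lineno, raw in enumerate(bat_text.splitlines(), 1):
        cmd, _, args = raw.strip().lstrip("@").partition(" ")
        if not cmd or cmd.upper() in {"REM", "ECHO"} or '"' not in args:
            continue
        typed = typed_lines(args)
        words = typed[0].split() if typed else []
        if not words:
            continue
        names_drive = bool(DRIVE.search(" ".join(words[1:])))
        answers_yes = any(t.strip().upper() in AFFIRM for t in typed[1:])
        if names_drive and answers_yes:
            target = words[0].upper().split(".")[0]
            findings.append({
                "line": lineno,
                "stuffer": cmd.upper(),
                "target": target,
                # True when the scripted program ships in the same archive,
                # as the renamed FORMAT.COM does here.
                "in_archive": target in stems,
                "typed": typed,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_BAT, SAMPLE_ARCHIVE):
        print(finding)
```

  A finding with "in_archive" set means the scripted program is
  shipped in the archive under its own name, so it should be
  identified by content rather than by filename before anything runs.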


  Bill Logan at 1:300/22 has spotted a dropper called GREYSCAL.ZIP
  that claims to adjust your monitor.  Instead, it adjusts files on
  your hard drive by infecting them with the FISH virus.  This is
  accomplished through one of the three files in the archive: the
  dropper is the README.EXE file.  Bill says this file will scan as
  NEGATIVE when scanned by ANY SCANNER.  Nasty.  The other two files
  just write foul language over and over on your screen.


  There are now two files passing themselves off as the latest
  version of McAfee's SCAN.  The versions in question are SCAN96.*
  and SCAN87.*.  SCAN96 was reported by Sara Gordon (address
  unknown) in the VIRUS_INFO echo.  No details were given on what it
  does.  It has since been seen on at least one other occasion.

  The report on SCAN87 was also filed in the VIRUS_INFO echo by Rob
  Slade of 1:153/733 on 2-15-92.  The archive name is SCAN87.*, and
  the program identifies itself as SCAN8.5A87 when run.  According
  to Rob, the program finds no virii in memory or on disk, and then
  proceeds to write a file called REPORT.SCN.  At this point, if no
  hard disk is present, the program crashes with "Runtime error 105
  at 0000:2725".  If a hard disk is found, the program will erase
  and "zero out" all files on the disk, leaving the directory
  structure intact.

  Your intrepid Hack Squad has verified that the latest versions of
  McAfee's SCAN, CLEAN, and VSHIELD are numbered 86B.  This verification
  is straight from McAfee's own BBS.  Accept no substitutions.


  Our next Trojan was reported in the VIRUS_INFO echo by Nemrod
  Kedem at 2:403/138.  It is going by the archive name PSI3.ARJ, and
  is passing itself off as the LHA Archiver, version 3.00.  It destroys
  your partition table, boot sector, and parts of FAT 1 and FAT 2.

  To make matters worse, Nemrod says that PSI3 recommends an "antivirus"
  program called ZAPPER15.* to remove a virus called "PSQR".  As it turns
  out, ZAPPER15 is another Trojan!  This Trojan overwrites your hard disk's
  boot sector with random garbage data from memory.  It contains no viral
  code.

  These are a couple of nasty ones: avoid at _all costs_!!!


  While we're talking about archivers, please be aware that the
  PKZip v2.0B hack reported in the hack section of this report could
  be a Trojan.  According to the report filed in the VIRUS_INFO echo
  by Fred Towner, the archive (an ARJ archive, no less(!)) had these
  files in it:

        PKZIP20B.EXE
        UNKNOWN.NFO
        MUSTREAD.COM (archived with PKLITE)
        WATCHME!.EXE (archived with PKLITE)

  Fred was wise enough not to try and run any of these programs, so
  Trojan activity has not been confirmed.


  Richard Dale, reporting from 1:280/333, has found a file with the
  following description on a board in his area:
  ------------------------------------------------------------------
  OCEAN.ZIP   4141  01-05-92  Wonderful Game, Reward for the person who
                              conquers it 1 time, Good luck, how does
  (also seen as PLANTS.ZIP    30,000 bucks sound to you if you break the
   or RAINBOW.ZIP)            pattern, try this game, it is wonderful, waht
                              a challenge, bet you can't break the pattern.
  u/led by "Tyler Nagel"      $50, 000 if you do it twice.
  ------------------------------------------------------------------
  This is actually compiled batch code which will try and erase all
  files on your C: drive.  Consider it armed and dangerous.


  Finally, the first Macintosh Trojan to be listed in The Hack
  Report.  Three game archives, called Obnoxious Tetris,
  Tetriscycle, and Ten Tile Puzzle were infected with a virus called
  MBDFA and intentionally uploaded to Mac archive sites.  This
  report was extracted from the VIRUS-L digest by Paul Ferguson
  (1:109/229) in the VIRUS_INFO echo.  The report comes from an
  article in the Cornell Daily Sun on 2-25-92, quoted in Internet by
  Tom Coradeschi.  Whew!  Hope I got all the credits in there.
  Anyway, the police have two suspects under arrest for this.  If
  guilty, get a rope.


                    Pirated Commercial Software

  Program                 Archive Name(s)       Reported By
  -------                 ---------------       -----------
  Above Disk v3.00A       EXP-MEM.*             Dale Woloshin (1:163/211.3)
                                                and Wolfgang Fritz

  Commander Keen part 2   #2KEEN.*              Steve Hodson (1:132/119.12)

  Double Disk             DDISK214.*            Ronald McGill (1:167/149)

  Duke Nukem parts 2 & 3  DUKEZIP2.EXE          Steve Hodson (1:132/119.12),
                          #2DUKE.*              Craig Demarsh (1:260/213),
                          DUKEZIP3.EXE          and Hal Thompson (1:353/220)

  Eagle's Nest (game)     Unknown               Mike Headley (1:362/112)
                          (not in wide distribution)

  Flashlink MNP Emulator  FLASHLNK.*            Several

| Mac-in-Dos              CLINK.*               Stuart Kremsky (1:125/28)
                          (apparently not related to the
                           SEALink protocol)

  Microsoft Mouse Driver  MOUSE810.*            Bat Lang (1:382/87)

  MTE MNP Emulator        MTE215.*              Bat Lang (1:382/87)
                          MX5.*                 Wolfgang Fritz
                          MX6.*

  Optune                  OPTUNE.*              Bat Lang (1:382/87)
                          OPTUNE11.*

  SimCGA                  SIMCGA40.*            Joe Morlan (1:125/28)
                          SIMCGA41.*

  SIMCITY                 SIMCITY.*             Mark Visser

  Solitaire Royale        SOLITRYL.*            Dan Brady (1:282/108)
                          SOLIT.*               Bud Webster (1:264/165.7)

  Spot (7-Up game)        SPOT.*                Steve Hodson (1:132/119.12)

  Squish 2.1              SQUISH21.*            Several
                                                (verified by Joe Morlan)

  Tunnels of Armageddon   TUNNELS1.*            Wolfgang Fritz (1:249/140)
                          TUNNELS2.*

  ================================================================

                  ?????Questionable Programs?????

| Alan Hess of 1:261/1000 has reported that a game called BeetleJuice
| is making the rounds of the BBSs in the Baltimore area.  The file
| name is BJUICE.ZIP, and Alan says this is a pirated commercial
| program.  If anyone has seen the commercial version, please advise:
| your intrepid Hack Squad is not much into games, and does not know
| whether this is commercial.  However, a game based on a movie does
| sound suspiciously commercial. :)

  ================================================================

                           Clarification

  I need to clear up something that was reported as pirated
  commercial software in a recent edition of The Hack Report.

  I spoke with Steve Moraff of Moraffware today concerning the
  possibility of a pirated/hacked version of Moraff's STONES game.
  I relayed to him that one person found a release of this game that
  had an ad for a store on the start-up screen.  I also asked
  whether or not the game was ever released as shareware.

  Mr. Moraff explained to me that the ad (for a store called Teg
  Micro) was not the indication of a hack: in fact, it was coded in
  by Moraffware.  Apparently, they release versions with
  advertisements in them at the request of dealers and other
  individuals.  So, it is possible, he said, to find separate
  legitimate releases of STONES with different start-up screens.

  Mr. Moraff also said that STONES was released as shareware.  He
  said that the shareware versions of his products give information
  on how to register, while commercial/registered versions do not.

  What does this mean?  It means that if you see a file called !MORAFST.*
  on your local BBS, rest easy: it is legitimate shareware.  Of course,
  scan it before you run it.  ;)

  My thanks go out to Mr. Moraff for his assistance in this matter.

  ****************************************************************

                             Conclusion

  If you see one of these on a board near you, it would be a very
  friendly gesture to let the sysop know.  Remember, they can get
  in just as much trouble as the fiend who uploads pirated files,
  so help them out if you can.


                      ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this end, I give credit to the reporter
  of a confirmed hack.  On this same note, I do _not_ intend to "go
  after" any BBS SysOps who have these programs posted for d/l.  The
  Shareware World operates best when everyone works together, so it
  would be counter-productive to "rat" on anyone who has such a file
  on their board.  Like I said, my intent is to help, not harm.
  SysOps are strongly encouraged to read this report and remove all
  files listed within from their boards.  I can not and will not
  take any "enforcement action" on this, but you never know who else
  may be calling your board.  Pirated commercial software posted for
  d/l can get you into _deeply_ serious trouble with certain
  authorities.

  Updates of programs listed in this report need verification.  It
  is unfortunate that anyone who downloads a file must be paranoid
  about its legitimacy.  Call me a crusader, but I'd really like to
  see the day that this is no longer true.  Until then, if you
  _know_ of a new official version of a program listed here, please
  help me verify it.

  By the same token, hacks need to be verified, too.  I won't be
  held responsible for falsely accusing the real thing of being a
  fraud.  So, innocent until proven guilty, but unofficial until
  verified.

  Upcoming official releases will not be included or announced in
  this report.  It is this Co-Moderator's personal opinion that the
  hype surrounding a pending release leads to hacks and Trojans,
  which is exactly the opposite of what I'm trying to accomplish
  here.

  If you know of any other programs that are hacks, bogus, jokes,
  hoaxes, etc., please let me know.  Thanks for helping to keep
  shareware clean!

Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE (1:382/87)
