=========================================================================
                                    ||
  From the files of The Hack Squad: ||  by Lee Jackson, Co-Moderator,
                                    ||  FidoNet International Echo SHAREWRE
          The Hack Report           ||  Volume 1, Number 21
         for September 1992         ||  Report Date: September 5, 1992
                                    ||
  =========================================================================


  Welcome to the twenty-first issue of The Hack Report.  This is a series
  of reports that aim to help all users of files found on BBSs avoid
  fraudulent programs, and is presented as a free public service by the
  FidoNet International Shareware Echo and the author of the report, Lee
  Jackson (FidoNet 1:382/95).

  This issue introduces a few minor formatting changes to The Hack Report,
  notably in the introduction section.  The information on how to contact
  The Hack Squad and The HackWatchers has been moved to a separate message
  and a separate file for the archive.  Of course, there are new reports to
  share this month as well, so thanks to everyone who has helped put this
  report together, and to those that have sent in comments and suggestions.

  NOTE TO SYSOPS: The Hack Report may be freely posted as a bulletin on
  your BBS, subject to these conditions:

             1) the latest version is used,
             2) it is posted in its entirety, and
             3) it is not altered in any way.

  NOTE TO OTHER READERS: The Hack Report (file version) may be freely
  uploaded to any BBS, subject to the above conditions, and only if you do
  not change the filename.  You may convert the archive type as you wish,
  but please leave the filename in its original HACK????.* format.  The
  Hack Report may also be cross-posted in other networks (with the
  permission of the other network) as long as it meets the above conditions
  and you give appropriate credit to the FidoNet International Shareware
  Echo (and the author <g>).

  The idea is to make this information available freely.  However, please
  don't cut out the disclaimers and other information if you use it, or
  confuse the issue by spreading the file under different names.  Thanks!

  DISCLAIMER: The listings of Official Versions are not a guarantee of the
  files' safety or fitness for use.  Someone out there might just be
  sick-minded enough to upload a Trojan with an "official" file name, so
  >scan everything you download<!!!  The author of this report will not be
  responsible for any damage to any system caused by the programs listed as
  Official Versions, or by anything using the name of an Official Version.

  ************************************************************************
  ************************************************************************

                              Hacked Programs

  Here are the latest versions of some programs known to have hacked copies
  floating around.  Archive names are listed when known, along with the
  person who reported the fraud (thanks from us all!).

   Program              Hack(s)            Latest Official Version
   -------              -------            -----------------------
   Aliens Ate           !ALIENS                    K6DEMO
    My Babysitter
      Reported by:  Christopher Baker (1:374/14)

   ARJ Archiver         ARJ250                     ARJ230
      Reported by:  Tommy Vielkanowitz    (also ARJ239A, a beta test)
                     (1:151/2305)

   AutoMenu             AUTO48                     AUTO47
      Reported by:  Tony Blair (WildNet)
                via Ken Whiton (1:132/152)
      Verified by Marshall Magee, Magee Enterprises, Inc.

   CatDisk              CDISK510                   CDISK631
                        CDISK530
                        CDISK661
      Reported by:  Jeff Kaplow (1:120/234)

   CompuShow            CSHOW801                   CSHW846A
                        CSHOW831
                        CSHOW851
      Reported by:  Paul Brazil
                        CSHOW91
      Reported by:  Harold Stein (Wildnet)
      (Note:  Any version ending with a B, such as CSHW841B, is _not_
       a shareware version.  This is the enhanced version received
       with the user's registration and is not to be distributed.
       Consider all B archives to be pirated copies.)

   HS/Link              HSLK113                    HSLK112
      Reported by:  Samuel H. Smith, Author

   Las Vegas EGA Casino (unknown)
      Reported by the author, Diana Gruber, in the ILink net,
      relayed by Richard Steiner (1:282/85)
      (Note:  a version of this program sold through Gemini
       shareware outlets with the title screen "Special GEMINI
       game disk" and a version calling itself the "Ledyard$
       EGA Casino" have been distributed.  No archive names
       have been supplied yet.)

   LHA Archiver         LHA214                     LHA213
      Reported by: Patrick Lee (RIME address RUNNINGB)
                        LHA300
      Reported by: Mark Church (1:260/284)

   List                 LIST8                      LIST76B
                        LIST18
      Reported by: The Hack Squad (from the Buerg BBS)

   Math Master          MATHMSTR                   M-MST301
      Reported by: James Frazee (1:343/158)

   PKZip                PKZIP120                   PKZIP110
                        PKZIP20B
                        PKZIP_V2.EXE
      Reported by: Mike Burger (WildNet)
               via Ken Whiton (1:132/152)
      Reported by: Fred Towner (1:134/73)
                        PKZ201.ARJ
      Reported by: Frank Pizer (5:71/0)
                        PKZ201.ZIP
                        PKZ201.EXE
      Reported by: Jim Westbrook (1:382/29)
                        PKX201.EXE
      Reported by: Bill Logan (1:300/22)
                        PKZ210F.EXE
      Reported by: Bert Bredewoud (2:281/703)
                        PKZIPV2
      (Claims to be v2.2 of PKZip - reported via PKWare Tech Support)
                        PKUNZIP.COM
      Reported by: Harold Stein, via Ken Whiton
                        PKZIP203.EXE
      Reported by: Mark Clark (2:440/107)


   QEdit Advanced       XEDIT                      QEDIT215
      Reported by: Sammy Mitchell, Author
      (thanks to Rand Nowell and Joe Morlan for relaying the report)
                        QEDIT500
      Reported by: Onno Tesink (ILink, via Richard Steiner, 1:282/85)

   Qmodem               QM451                      QM452TD
      Reported by: Bill Lambdin, via Arthur Shipkowski (1:260/213.2)

==========================================================================

                              Hacked Programs

   Program              Hack(s)            Latest Official Version
   -------              -------            -----------------------
   Shez                 SHEZ72A                    SHEZ80
                        SHEZ73
      Reported By: Bill Lambdin (1:343/45)

   Telegard             TG29EALP                   Telegard 2.7
      Reported by: Karen Maynor (1:3640/5)
      (Found on the NightOwl CD-ROM disc version 5.0)
                        JIGSAWV2
      Reported by: Tommy Smith, via Mark Evans (formerly 1:382/87)

   Telix                Telix v3.20                Telix v3.15
                        Telix v3.25
      Reported by: Brian C. Blad (1:114/107)
                   Peter Kirn (WildNet, via Ken Whiton)
                        Telix v4.00
                        Telix v4.15
      Reported by: Barry Bryan (1:370/70)
                        Telix v4.25
      Reported by: Daniel Zuck (2:247/30,
               via Chris Lueders (2:241/5306.1)
                        MegaTelix
      Verified by Jeff Woods, Exis, Inc., in the TELIX echo,
      who also states that there will be _no_ release titled
      Telix 4.0.  He states the next release of Telix will be
      under a completely new name, which has not been decided
      upon yet.  Any version with a number higher than 3.15
      can be considered a confirmed hack, unless reported
      here otherwise.
                        Telix Pro
      Reported by: Jason Engebretson (address unknown),
                   in the FidoNet TELIX echo

   TheDraw              TDRAW430                   TDRAW451
                        TDRAW500
      Reported by: Ian Davis, Author
                        TDRAW550
      Reported by: Steve Klemetti (1:228/19)
                        TDRAW600
      Reported by: Hawley Warren (1:120/297)
                        THEDR60
      Reported by: Larry Owens (PDREVIEW echo, 1:280/17)
                        TDRAW800
      Reported by: James Carswell (1:153/775)

   Turbo Antivirus      Version 9.00b              Version 8.10
                        Version 9.01a
                        (Archive names unknown)
      Reported by: Thomas Ruess (2:246/24)

   ViruScan             SCAN92                     SCAN95B
      Reported by: Don Dunlop (1:153/715)

   X00 Fossil           X00V130                    X00V124
                        X00V130J                   (also official is
                                                    X00V149A, a beta
                                                    test of an OS/2 ver.)

  *** More Hacks

  Bill Lambdin (1:343/45), host of the Intelec Virus Info conference, sent
  a list of versions of McAfee's ViruScan (better known as just SCAN) that
  have been hacked.  Here are the version numbers he sent:

                        SCAN74    SCAN81     SCAN88
                        SCAN78    SCAN83     SCAN92
                        SCAN79    SCAN87     SCAN96

  More information on ViruScan can be found in The Trojan Wars section.


  HackWatcher Bill Dennison saw a copy of the PKZ201.EXE file mentioned
  above, but with a twist:  when he used the file view feature of the BBS
  he saw it on, he saw that the file was not a PKZip SFX (self-extracting)
  file, but was an LHA SFX (using -lh5- compression).  This, folks, is a
  bit of a giveaway.  PKWare isn't likely to use any archiver other than
  ZIP to distribute their next release.


  Chris Lueders (2:241/5306.1) reports that a file calling itself VPIC50DT
  is a hack of version 4.5 of the VPic graphics file viewer.  Specifically,
  the 5.0dt file ("dt" indicates a German language edition, per Chris) is a
  hack of the English version 4.5.  At the time of the report, version 4.9
  was the latest official release, but now a legitimate version 5.0 is out.
  Be careful, then: if your copy of VPIC50 starts up in German, delete it.


  Zone 2 (especially UK) users might want to watch out for a disk being
  distributed by Personal Computer World magazine.  Shakib Otaqui (2:
  440/74) reports that all of the files on the August issue's "free" cover
  disk are zipped using the PKZip 1.93 alpha test release, and that the
  version of PKZip distributed with the disk is the hacked version 2.01.
  The PKZip 2.01 file is 19793 bytes, dated March 15, 1992, and is PKLited
  with the extra compression (non-expandable) option.  Shakib tested the
  file and confirmed that it is a simple hack with no viral or Trojan code.


  Finally, here's one I'm not sure how to handle: It's a hack, but it
  appears to be a hack of a commercial program.  HackWatcher Frank Pizer
  has found a hack of a program called BitFax.  The hack, calling itself
  ZIPFAX.ZIP (at 146320 bytes), has been altered so that all occurrences of
  the word Bit with the word Zip.  The archive contains configuration files
  with the words "Technopoint - Avi Miller" in them.  Thanks to Frank for
  the report from Zone 5: let's hope the rest of us can keep it from
  spreading beyond there.

  =========================================================================

                                Hoax Alert:

  Finally, the news we've all been waiting for:  Bill Logan's test results
  on Xtratank.  If you recall, Mr. Logan, an agent of McAfee Associates,
  agreed to test out this file to see once and for all if it really works,
  or if it is a hoax.

  Bill tested the program on two IBM compatible computers and one AT&T XT
  clone.  The PC Clones were 286s, one with a 40meg IDE hard drive, the
  other with a 40meg MFM hard drive.  The AT&T had a 10meg hard drive.

  To weed out possible clashes with DOS versions, the test was repeated on
  each computer using 4 different DOS flavors:  MS-DOS 3.30, IBM DOS 3.30,
  MS-DOS 4.01, and MS-DOS 5.0.

  The hard drives were formatted and Xtratank was installed on each.  The
  PC Clones now reported that their drive capacity was now doubled.  The
  AT&T XT did not, since it was not a true IBM compatible.  Bill then
  attempted to copy 80 megabytes of raw, non-compressed files from floppy
  disks onto the hard drives.  All of the hard drives ran out of disk space
  after only 40 megs of files had been copied.

  The testing did not reveal any viral or Trojan code.  To quote Bill, "It
  is our opinion that this program is simply nothing but a hoax."
  (However, see the ???Questionable Files??? section for more on this.)


  In addition to Bill's testing, Gary Weinfurther (1:120/301) sent a
  summary of his disassembly of the programs in the archive.  He found that
  the XTRATANK.EXE and the XTRATANK.COM files contained the exact same
  code, with one padded with "garbage" that made it look larger.  The code
  is designed to intercept the DOS 21h interrupt, function 36h, which is
  for determining free space on a drive.  Xtratank then doubles the result.

  None of the warning messages in the docs are present in the files, and no
  check is performed to see if it could be correctly installed.  Gary says
  that since it is a simple interrupt-intercept TSR, "it can be
  successfully installed every time."  He suggests (humorously) that
  installing it twice would theoretically result in a report that your hard
  drive space had quadrupled.


  This should settle the debate once and for all - XTRATANK IS A HOAX AND
  DOES NOT ACTUALLY WORK.  All of Bill's and Gary's results completely
  verify the Fitzgerald Test results, so if you _still_ don't believe it,
  run the test for yourself.

  *** The Fitzgerald Test

  Here is the now-famous Fitzgerald Test, devised by Tim Fitzgerald of
  1:3800/18.0 and validated by Bill Logan's test results.  Try this if you
  think you have managed to get XTRATANK to work on your system.  Follow
  these simple steps:

      1. Run CHKDSK and write down the free space it reports as free.
      2. Do a DIR command and write down what XTRATANK reports.
      3. Copy any text file to a new text file.
      4. Repeat steps 1 and 2, and compare.

  You will see that XTRATANK reports that twice as much disk space is taken
  up by the new text file.


  Scott Raymond (1:278/624), who runs an Alpha Test site for the Telegard
  BBS package, reports a hoax version of Telegard called TG27E.  It claims
  to be an upgrade of Telegard 2.7, but Scott says, "it is nothing more
  than Telegard 2.7 Standard."  The archive contains four LHA SFX files
  that are meant to be extracted over an existing Telegard installation.
  In short, it completely overwrites your current setup with a different
  one.  Scott says the main TELEGARD.EXE file is exactly the same as the
  official release - no evidence of hacking was found.

  According to Scott, true upgrades to Telegard will "NEVER destroy an
  existing configuration and replace it with a different one - especially
  one with a horrendous color combination that looks like a bad acid trip."

  =========================================================================

  Other previously reported hoaxes:

  Filename       Claimed use/Actual activity/Reporter(s)
  ------------   ---------------------------------------------------------
  2496           This, and all files that claim to run a 2400 bps
                 modem at 9600 or 14400 bps, are hoaxes.  If you
                 follow their instructions, you will have a 0 bps
                 modem.  Reported by several people.

  AMIGA          Claims to allow IBM/Clones to read Amiga Workbench
                 Disks: displays a picture of an Amiga Workbench disk
                 on your screen, then spins your A: drive and locks
                 your system.  From Suriya Matsuda, Jacob Kanafoski
                 (1:3613/4), Derek Vanmunster (1:229/418), and Jeff
                 Hancock (1:3600/7).

  BIMOD126       Claims to be version 1.26 of BiModem - actually v1.24
                 renamed and re-archived.

  HIMEM500       Looks like v5.00 of the HIMEM.SYS driver from MS-DOS and
                 Windows, but is actually v3.07 with the numbers changed.
                 Pirated as well (HIMEM.SYS is not shareware).  From
                 Joe Morlan (1:125/28) and Mike Bray (RIME address COFFEE).

  MAXRES         Claims to "check your graphics interface and show you
                 resolutions of your interface card."  Elaborate hoax
                 that lists the author as Samuel H. Smith (of HS/Link
                 fame).  Mr. Smith has confirmed that he did not write
                 this program.  Possible Trojan, but no Trojan activity
                 has been reported.

  SPEEDUP        Claims to increase system clock speed - instead doubles
                 the length of each second and resets the system clock to
                 use 30 of the new seconds each minute.  From Kim Miller
                 (1:103/700).

  WOLFXXX        Claims to patch your copy of Wolfenstein-3D to version
                 1.3.  No such version exists.  Also has a fake address
                 that you are asked to send money to.  From Jay Wilbur of
                 Id Software (1:124/6300).

  =========================================================================

                              The Trojan Wars

  This past month was not a good month by any stretch of the imagination.
  More Trojans came out than we've ever seen before here at Hack Central
  Station.  I strongly recommend that you take time and read this section
  very carefully this month - the hard drive you save may be your own.


  HackWatcher Richard Steiner forwarded a message from Eric Hamel (RIME
  address SOFTC, Shareware Conference) about the file MSTLST10.  A user of
  a board local to Eric found the file, described as "like Sidekick, only
  better," and downloaded it.  An INSTALL.BAT file in the archive had
  references to copying the command interpreter.  Eric ran the install
  program, and wound up with an overwritten command interpreter - the file
  MASTLAST.COM had been copied to his root directory and had been renamed
  to the same name as what was pointed to in his COMSPEC setting.


  Another forwarding from Richard involves a report from Steve Bogacz of
  the Rice Lake PCUG (via George Goza, ILink (Channel 1 BBS)).  Steve found
  a file called FLIP-IT that contains a variant of the Wisconsin virus.  No
  file description was given.  Here comes the sermon again - SCAN
  EVERYTHING YOU DOWNLOAD.  Before you run it, preferably.


  Malte Eppert (2:240/500.6) forwarded a message into the FidoNet
  DIRTY_DOZEN echo from Dick Hazeleger about EARLYWA, an "AV warning
  program."  He ran the main program, DAILY.COM, after scanning it with
  McAfee's SCAN95 and getting a clean result.  The program crashed when it
  tried to invoke the DOS DEBUG program, which Dick doesn't have on his
  system.  After this, he checked the file using Fridrik Skulasson's F-Prot
  virus scanner in "Heuristic" mode, and received the message, "...the
  first 71 bytes of this program contain a primitive virus."  Malte goes on
  to say that "the program was 'spread' by Romulus Software Crete
  (Greece)."


  Matthew Peddelsden (2:440/302) has received a report of a virus in a copy
  of the GSZ ZModem protocol driver archive by Chuck Forsberg.  He says
  that "running any file in the archive will infect the file COMMAND.COM,
  and subsequent program (sic) that is run is infected so that it is
  corrupted and when run simply displays rubbish on the screen and beeps
  madly out of the speaker."  Matthew received an archive listing from the
  person whose system was infected by this.  Here's the info:

   Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name
   ------  ------   ----- -----   ----    ----   ------  ----  ----
       76  Shrunk      72   6%  13-12-91  13:32  0a33cf32 --w  DS.BAT
      340  Implode    287  16%  13-12-91  13:35  631a91b6 --w  FIX.BAT
      110  Shrunk      98  11%  13-12-91  13:27  6836df0d --w  RZ.BAT
       36  Shrunk      31  14%  13-12-91  13:22  d8d5d2f9 --w  SZ.BAT
      151  Shrunk     140   8%  13-12-91  13:27  b5400e97 --w  ZDOWN.BAT
      123  Shrunk     115   7%  13-12-91  13:27  5cffa510 --w  ZMODEMAD.BAT
      116  Shrunk     106   9%  13-12-91  13:28  c38f9bfe --w  ZMODEMD.BAT
      134  Shrunk     123   9%  13-12-91  13:28  89aeacd7 --w  ZMODEMDR.BAT
      140  Shrunk     123  13%  13-12-91  13:28  eeba3b6f --w  ZMODEMU.BAT
       59  Stored      59   0%  13-12-91  13:28  3eedc27b --w  ZUP.BAT
      898  Implode    683  24%  24-11-90  04:20  07d84f0d --w  DSZ.10
    71424  Implode  42742  41%  27-04-92  15:00  ccda0966 --w  GSZ.EXE
    33936  Implode  21315  38%  26-04-92  08:44  cd04b5ea --w  GCOLORS.EXE
   130736  Implode  45830  65%  27-04-92  15:38  ead89b23 --w  GSZ.DOC
     3067  Implode   1230  60%  27-04-92  15:03  da90ea8b --w  MAILER
   ------          ------  ---                                 -------
   241346          112954  54%                                      15

  His source says the virus is in both GSZ.EXE and GCOLORS.EXE.  McAfee's
  SCAN95B doesn't detect it, but they have been informed.  The virus
  contains the string, "APACHE WARRIER," along with a few others.

  It seems very unlikely that this infected copy originated from the
  author:  it is almost certainly a situation where someone else down the
  line unpacked the archive, infected the files, re-archived them, and
  uploaded the bad archive to a BBS.  If you have _any_ qualms about the
  copy of GSZ that you find, you can always go to the source and download a
  copy from Chuck Forsberg's BBS.

  Scott Scoville (1:282/3006) reports DOS501, described as a beta version
  of MS-DOS with some new features for Windows 3.1.  A friend of Scott's
  loaded the file on a spare computer and found that it contains a variant
  of the DISKILLER virus.

  Cal Gardner previously reported a file called 800II224, claiming to be
  version 2.24 of the 800 II disk formatting program.  He did some testing,
  disabling his hard drive from the CMOS and booting from a floppy.  When
  he ran the program, it deleted all files on both drive A and drive B.
  His information is that the latest version is v1.80.  The author, Alberto
  Pasquale, is in Italy according to Isaac Salpeter (1:3612/210), so he is
  a bit difficult for me to contact.  However, the behavior of the file Cal
  found leads me to believe he has located a Trojan copy.


  John Wagner (1:209/760), the author of IMPROCES, reports that his program
  has been the victim of a Trojan version.  The Trojan is in a file called
  IMPROC50.*, which is actually v3.1 of IMPROCES that has been "infected
  with about 10 viruses" according to a report received by John.  John also
  reports that his source said the file "waxed" a hard drive when it was
  run.  For the record, the latest version of IMPROCES is 4.0, so avoid any
  higher numbers.


  Bryan Nylin (1:343/116) reports a Trojan version of SCAN95 that has the
  SCAN.EXE file in the archive replaced with a SCAN.COM file.  Bryan says
  this wipes out your boot sector and media descriptor byte, then
  overwrites the FAT and data areas with a continuous stream of the string
  "NOT!NOT!NOT!NOT!NOT!NOT!" (and so on).  Sounds like this was written by
  a bored programmer who watched Wayne's World once too often.

  Note that this seems to be an isolated sighting:  McAfee did in fact
  release a valid SCAN95.  They also released v94b, a beta test, but
  skipped over that version number due to a report of a Trojan version
  found in Mexico.  The latest official version is SCAN95B.


  Bill Lambdin (1:343/35) forwards a message from Phil Helms of the
  CircuitNET Virus Conference.  The file in question, ATTRUE.*, is listed
  as "a DOS utility to change file attributes."  Instead, one of the
  internal files (README.COM) deletes all .EXE and .COM files in your DOS
  directory and tries to do the same to your .SYS and .BAT files in your
  root directory.  Phil says it looks like another compiled .BAT file.

  Please note that Phil did _not_ run the actual program file in the
  archive (i.e., ATTR.COM).  This program may be legitimate, and simply was
  archived along with a Trojan README.COM file.  The safest way to avoid a
  problem like this is to look inside any README.COM file with a file
  viewer (such as PC Tools VIEW or Buerg's LIST) before you run it.  Most
  of these will have readable text strings that look like documentation
  inside them.  If yours doesn't, be careful with it.


  Enoch Ceshkovsky (RIME Shareware Conference, address NSTTZ) found a file
  called ENVIRED.* that claims to be a DOS Environment Editor.  However,
  the copy that Enoch found was infected with a strain of the Family virus.
  I'm not sure if the file is a legitimate program, since I'm not familiar
  with it.  Either way, this is a single sighting:  the virus in it can be
  detected by SCAN v93 or higher.


  Michael Mac Nessa (1:2250/2) reported in the AMIGA_PDREVIEW echo on an
  attack by a file called DW171.LHA.  This was described as "the best
  directory utility" ever seen by the uploader.  The file claims to be a
  program called DirWork, version 1.71.

  The program checked clean for viruses, so Michael ran it and got a grey
  screen and nothing else.  After 30 seconds of this, he rebooted.  On
  bootup, his dh0: drive started to access rapidly, and he was then asked
  by his system for dh1:, a drive he didn't even have.

  Fortunately, his boot drive setup uses a different setup (not booting
  from dh0), so his boot drive survived the attack.  However, his File:
  hard drive was wiped out.

  I apologize if I have massacred Amiga terminology, so please correct me
  via NetMail if I'm wrong on any of the drive names.  For the record,
  however, this Trojan has been verified by the author of DirWork, Chris
  Hames (via Robert Poole, 1:142/886).  The latest version is 1.62.


  Michael Nelson (1:125/20) received a file called FAST!.*, an apparent
  pirate of the commercial disk cache program FAST!.  However, upon further
  inspection, this really looks like a Trojan.  The archive contains the
  following files:

            NAME             SIZE     DATE  TIME
            ------------------------------------
            README   ANS      320 01/01/80 02:25
            INSTALL  COM     1459 03/26/92 19:08
            FAST     DAT    20927 03/26/92 19:14
            FAST     TXT      588 03/26/92 19:00

  The text file says the installation is slow, since it has to check every
  program on your hard drive.  A look inside the .COM file reveals the line
  "REN fast.dat fast.com c: /q /u".  The FAST.DAT file contains lines that
  lead one to believe that this is an MS-DOS FORMAT.COM file, with added
  commands that will try and format all of your drives.  Both the
  INSTALL.COM and the FAST.DAT file have gone through a batch file compiler
  somehow, with the INSTALL.COM having a registration notice for the batch
  file compiler.

  Although Michael didn't run the program (smart move), he does suspect a
  serious Trojan here.  So do I.

  Harold Stein (CompuServe address 72377,3075) forwards a report from a
  SysOp in his area, Danny Swerdloff, about a file called JOKE.*.  The file
  is described variously as either "the best fake FBI database joke
  available," or "a very believeable hard disk crash simulator."  The
  archive contains only two files:  JOKE.BAT and JOKE.DOC.  The doc file
  reassures the user that the batch file is completely harmless.  However,
  the batch file contains the following lines:

            c:
            cd\dos
            del keyboard.sys
            format C:

  This is a rather amateurish Trojan, and can be easily thwarted by giving
  your hard drive a volume label.  However, a better precaution is to
  examine any strange batch file you are given before you run it, since
  virus scanners do not look into batch files.  That way, if you see the
  word FORMAT in one, you can delete it before it hits.


  An update on #1BLAST, reported in the last full issue of The Hack Report.
  Rick Rosinski (1:239/1004) reports in the PDREVIEW echo that the SysOp
  who was hit by it (Pete Kehrer) experienced some rather bad results from
  it.  In short, it overwrites your COMMAND.COM file and replaces it with
  the characters "///", and writes similar garbage over your config.sys and
  autoexec.bat files.  It also creates several other files, all ASCII, with
  characters like "////asdfasdf" in them.  (In case you're wondering, look
  at the four keys on the left side of the home row of your keyboard - the
  letters are "asdf" on a standard Qwerty keyboard.)

  This file at first looks like a real Apogee game - it even has Apogee's
  catalogue in it.  It is easy to repair the damage, but it's a shame that
  someone would want to do this to another person's system.


  Bill Lambdin (1:343/45) forwards a message from Reidar Lilleboth (ILink
  OS/2 Conference) about TEDP090.ZOO.  This appears to be an isolated
  incident of a copy of the file being infected with the Maltese Amoeba
  virus.  TEDP090 is a small OS/2 text editor.  If you see this file,
  please scan it before running to make sure you have a clean copy.


  HackWatcher Mikael Winterkvist (2:205/422) found a file named BREV.*,
  described as "SysOps Sex Habits."  However, this is a "device bomb,"
  which contains the names of DOS devices in the archive.  Similar to a
  file reported in the full report, this is aimed at your CLOCK$ device.
  When unarchived, the CLOCK$ is opened, and about 50K worth of the letter
  A are written to your system clock.  Irritating, and to be avoided.


  Paul Drapeau (1:322/594) reported in the FidoNet VIRUS_INFO echo a new
  virus called Power Pump.  Normally, viruses by themselves are not
  reported in The Hack Report/Update, but this is an unusual situation.
  According to Paul's research, all droppers of this virus have a file in
  their archives called POWER.EXE, with instructions to the user not to run
  this file.  He does not understand the connection, but the virus will not
  run without the POWER.EXE file.

  A few specifics on Power Pump:  it doesn't actually attach its code to
  files, but uses the "corresponding file" technique.  It looks for .EXE
  extension files, then creates a file with the same root name but with
  a .COM extension.  Since DOS executes .COM files before .EXE files, the
  viral file (1199 bytes long) is run first, where it executes the viral
  code and passes execution on to the corresponding .EXE file.  The virus
  also looks for empty directories:  if it finds one, it creates a hidden
  file called COM (with no file extension) that contains the viral code.

  To date, Paul says the virus has been found in two archives (one of
  SCAN89.ZIP and one of VSUMX204.ZIP).  These may have been localized
  occurrences, but be on the lookout for any file with a POWER.EXE file in
  the archive.

  Dan Christman (1:520/519) reported that there is a version of TheDraw
  that contains "several viruses." He says to watch for a file within the
  archive called THEDRAW.PCK.  This file is only created after the program
  is initially executed and is not part of the official archive.  Dan gave
  no filename for this dropper, but be on the lookout for any archive that
  already has a THEDRAW.PCK file in it.

  Just for the record (once again), the latest official release of TheDraw
  is v4.51.


  Please be aware that the PKZip v2.0B hack reported in the hack
  section of this report could be a Trojan.  According to the report
  filed in the VIRUS_INFO echo by Fred Towner, the archive (an ARJ
  archive, no less(!)) had these files in it:

        PKZIP20B.EXE
        UNKNOWN.NFO
        MUSTREAD.COM (archived with PKLITE)
        WATCHME!.EXE (archived with PKLITE)

  Fred was wise enough not to try and run any of these programs, so
  Trojan activity has not been confirmed.


  Other previously reported Trojans/Droppers:

  Filename        Claimed use/Actual activity/Reporter(s)
  ------------    --------------------------------------------------------
  240TOMNP        Small file that trashes disks (no elaboration on
                  symptoms).  From Eric Pullen (USTGNET).

  ARJ240          Supposed "latest version" of the popular Archiver by
                  Robert Jung (ARJ).  This is a dropper of the FISH virus,
                  reportedly with a "secure envelope." Latest official
                  version of ARJ is 2.30, with an official wide beta
                  release under filename ARJ239A.  Reported by Hazel Clarke
                  (1:134/68) via Ken Miller (1:134/111).

  BACKFIND        Activity unknown, but has many obscene text strings in
                  the executable that seem to indicate that it will trash
                  your hard drive.  From Dan Stark (1:247/101).

  BILLNTED        No claim reported - begins its "bogus journey" with the
                  message "Decompressing database, please wait......", then
                  prints more messages and formats the first 50 tracks of
                  your hard drive.  From David Elkins (2:254/78).

  COMPILER        Claimed freeware version of Stacker - phone numbers in
                  the text files are fake (one is a phone sex number).
                  Erases your COMMAND.COM file.  From several reporters.

  CSHOW900        Fake version of the CompuShow .GIF viewer - the .EXE file
                  in the archive tries to truncate your COMMAND.COM file.
                  From Tim Spofford (1:105/99).

  CUBULOUS        No claim reported for this file - apparently contains
                  a dropper of the REX virus (detected by SCAN v91 and
                  higher).  Reported by Bill Arlofski in the CNET Spitfire
                  Support Conference, forward by several through Mark
                  Wurlitzer (1:294/9).

  CVIR            Advertised as a virus scanner - executable has the
                  strings, "/Checking drive for VIRII/TROJANs.  Please
                  wait.EHAHA  God your a ****ing moron.  YOU HAVE BEEN
                  HIT BY A TROJAN!  HAHA". (String edited for family
                  viewing.)  From Dan Stark (1:247/101).

  EPW27           Purported new version of EPW, a file that protects
                  executables with an encrypted password.  Instead, this
                  Trojan contains droppers of the ITTI-A, ITTI-B, and
                  Rock Steady viruses.  Latest official version is v1.2.
                  From Patrick Pfadenhauer (via Mark Evans, formerly
                  1:382/87).

  FONTS           Advertised as additional fonts for TheDraw - the
                  FONTS.COM file in the archive is a compiled batch file
                  that changes to your C: drive root directory and deletes
                  all files within the root.  A legitimate FONTS archive
                  exists as well.  From Glen Appleton (1:260/371) via
                  Arthur Shipkowski (1:260/213.2).

  FREEHST         ANSI bomb - remaps your keyboard, making some keys invoke
                  the FORMAT command.  Described as how to get a free HST
                  modem (steal one, it advises).  Avoid by using an ANSI
                  driver that disables keyboard remapping.  From Tom Ward,
                  SysOp of the BCS TI99 BBS (617-331-4181), via Herb Oxley
                  (1:101/435).


  Other previously reported Trojans/Droppers:

  Filename        Claimed use/Actual activity/Reporter(s)
  ------------    --------------------------------------------------------
  GREYSCAL        Claims to be a monitor adjustment utility - actually
                  a dropper - infects files on your hard drive with the
                  FISH virus through the README.EXE file in the archive.
                  Not detectable by any scanner.  From Bill Logan
                  (1:300/22).

  MOBYZ           Does "a number on your hard drive" - no further details
                  given, but apparently confirmed by McAfee.  From Michael
                  Masters, SysOp of the Conceptual CAD Design BBS (Tempe,
                  AZ) via Mark Evans (formerly 1:382/87).

  MONOP3-0        Supposed to be Monopoly for Windows.  Contains
                  FORMAT.COM from DOS 4.01 and STACKEY v2.1 (renamed as
                  MONOP1.COM and MONOPOLY.COM and invoked by a batch
                  file called README!!.BAT).  Will try and format your
                  hard drive - a volume label on your HD will thwart
                  this one.  From Derek Vanmunster (1:229/418).

  NPV2            The "Non-Programmer's Virus" - a claimed aid to testing
                  anti-viral programs.  Contains an infected copy of Vern
                  Buerg's LIST.COM.  From Michael Kerr (1:309/7).

  Obnoxious       "Tetris" clones for the Macintosh - actually droppers
    Tetris        of the MBDFA virus.  Via Paul Ferguson (1:109/229)
  Tetriscycle     in the VIRUS_INFO echo.
  Ten Tile Puzzle

  OCEAN.ZIP       From the BBS description: "Wonderful Game, Reward for
  PLANTS.ZIP      the person who conquers it 1 time, Good luck, how does

  RAINBOW.ZIP     30,000 bucks sound to you if you break the pattern, try
                  this game, it is wonderful, waht a challenge, bet you
                  can't break the pattern. $50, 000 if you do it twice."
                  Actually a compiled batch file that tries to erase all
                  files on your C: drive.  From Richard Dale (1:280/333).

  PSI3.ARJ        Passing itself as the LHA Archiver, version 3.00.  It
                  destroys your partition table, boot sector, and parts
                  of FAT 1 and FAT 2.  From Nemrod Kedem (2:403/138).

  QUICKEYS        Claims to increase keyboard speed - turns out to be the
                  actual executable file of the BURGER virus.  The virus
                  file is called QUICKEYS.COM and is 542 bytes long.
                  This is not to be confused with the PC Magazine Utility
                  of the same name.  Reported by Jay Siegel (1:153/151).

  RAMBO           Contains files with the names of DOS devices that are
                  affected when the archive is viewed or unpacked.
                  Reported by Michael Toth (1:115/439.7).

  SCAN87          Suspected of Trojan activity, but not confirmed.  The
  SCAN88          latest official release is SCAN95B.  Reported by
  SCAN94          several.
  SCAN96

  SHIELD20        Claims to protect you from Trojans, but are possible
  SHIELD21        Trojans themselves.  From Jim Lambert (CircuitNet) via
                  HackWatcher Ken Whiton and via Michael Toth
                  (1:115/439.7).

  TG27FAST        Trojan "speed-up" for Telegard 2.7 - damages disks to
                  the extent that they require reformatting.  From Eric
                  Pullen (USTGNET) via Robert Hinshaw (1:291/16) and Eric
                  Kimminau (1:120/335).

  TGSEC16         Trojan version of Telegard Security Package - both
                  executables in the archive will infect your system
                  with the Dark Avenger virus, and the text files show
                  you how to ease access to your system by hackers instead
                  of prevent access.  By Scott Raymond, author of the
                  real package (latest official version is TGSEC17.*).

  TIME            Several files reported under this name - one dropper,
                  one Trojan.  Be wary of any file with this name.

  TMFIX           Claims to fix a problem with the dialing directory used
                  by the communication program Telemate.  Formats your hard
                  drive (or at least part of it) instead.  Reported by
                  Brian Hess (WildNet), via HackWatcher Ken Whiton.

  VGA835          Claimed VGA game - wipes out your hard drive.  From Gary
                  Meade, SysOp of the Tiger Run BBS in Sioux Falls, SD, via
                  HackWatcher Ken Whiton.

  VIRTUAL         Supposed to be a virtual reality game.  One file in the
                  archive has the string, "This bombing was   compliments
                  of A.C.K. and its affiliates."  Trashes hard drives.
                  From Dan Stark (1:247/101).

  VPIC47          One circulating version of this seems to contain the
                  Dark Avenger virus, "split" so that no scanner can pick
                  it up.  Get the latest version of VPic, VPIC50, to avoid
                  this.  From Tim Tim Sawchuck and Jeff Simmons in the
                  WildNet VIRUSES_MN conference.

  WHALE           Not a VGA graphic of a whale as described, but the actual
                  WHALE virus.  From Dan Stark (1:247/101).

  WLFCHEAT        Claims to be a "cheat" file for the Apogee/Id game
                  Wolfenstein-3D.  Actually wipes out your hard drive's
                  boot sector and trashes the File Allocation Tables.
                  Not to be confused with WLF1CHT, a legitimate "cheat"
                  file written by Michael P. Hoffman.  Reported by
                  R. Wallace Hale, SysOp of the Driftnet BBS
                  (PC Virus Research Foundation), via Clayton Manson
                  (1:3612/140).

  ZAPPER15        PSI3, mentioned above, recommends an "antivirus"
                  program called ZAPPER15.* to remove a virus called
                  "PSQR".  ZAPPER15 is another Trojan which overwrites
                  your hard disk's boot sector with random garbage data
                  from memory.  It contains no viral code.  Also from
                  Nemrod Kedem (2:403/138)

  =========================================================================

                        Pirated Commercial Software

  Program                 Archive Name(s)     Reported By
  -------                 ---------------     -----------
  4X4 off-road racing     4X4                 Jon Jasiunas (WildNet, via
   (Epyx)                                      HackWatcher Ken Whiton)

  Above Disk v3.00A       EXP-MEM             Dale Woloshin (1:163/211.3)
                                               and Wolfgang Fritz

  Alf and the Alley Cats  ALF                 Bill Dennison (1:273/216)

  Amiga ARexx Manual      AREXXMAN            HTom Trites (1:282/62),
   (Verified by William Hawes, author)         via Derek Oldfather

  Backgammon Royale       BGROYALE            Shakib Otaqui (2:440/74)
                          BGROYDOX

  Bargames                BARGAMES            Scott Lewis (1:107/607)
   (game from Accolade)

  Battle Chess            BCHESS              Bill Roark (RIME, via
                                               HackWatcher Richard Steiner)

  Battle Chess for        BCWIN1              Harold Stein
   Windows                BCWIN2               (CompuServe)

  BeetleJuice (game)      BJUICE              Alan Hess (1:261/1000)
                          BJ                  Bill Blakely
                                               (RIME Shareware echo)
                          BTLJWC              the Hack Squad
                                               (1:382/95)

  BitFax 1.22B            Unknown             Antonio Rezende (RIME)

  Blockout                BLOCKOUT            Bill Lambdin (1:343/45)
   (California Dreams)

  Commander Keen          #2KEEN              Steve Hodsdon (1:132/199)
   (parts 2 and 3)        #3KEEN              Harold Stein
                                               (via Ken Whiton, 1:132/152)
   (part 5)               #5KEEN              John Van Eekelen (2:500/228)

  Crystal Caves pt. 2     CRYSTL-2            John Van Eekelen
   (Apogee)

  Desert Storm (Windows)  DSTORM              Bill Roark (RIME, via
                                               HackWatcher Richard Steiner)

  DiskDupe Professional   DDPRO339            John Van Eekelen

  Disk Manager 5.0        DM50                Philip Perlman (1:278/709)

  Double Disk             DDISK214            Ronald McGill (1:167/149)

  DoubleDos v5.5          DDOS55              Ove Lorentzon (2:203/403.6)

  Duke Nukem parts 2 & 3  DUKEZIP2.EXE        Steve Hodsdon (1:132/199),
                          #2DUKE              Craig Demarsh (1:260/213),
                          DUKEZIP3.EXE        and Hal Thompson (1:353/220)
                          DUKETRIL            Harold Stein (WildNet)
   (also under various other names - only the first game in the trilogy
    is shareware:  #2 & #3 are for registered users only and are pirated.)

  Dune (game)             DUNEFLT1            Michael Toth (1:115/439.7)
                          DUNEFLT2
                          DUNEFLT3

  Eagle's Nest (game)     EAGLE               Mike Headley (1:362/112)
                                              Frank R Pizer (5:71/0)

  EMM386                  EMM386              Jeff Hancock (1:3600/7)
                                              George Staikos
                                               via Mark Evans (1:382/87)
                          EMM441              John Van Eekelen

  Fastback Plus v2.0      FBPL200             Bogie Bugsalewicz (1:115/738)

  Flashlink MNP Emulator  FLASHLNK            Several

  Gauntlet (game)         GAUNTLET            Cimarron Mittlesteadt
                                               (via Ken Whiton, WildNet)

  GIFLite v1.40           GIFLT14R            Stephen Kawamoto
   (Registered Version)                        (1:153/7004)

  GSZ                     GSZ0410             Arthur Taber (1:125/28)
                                               (via Stuart Kremsky)
                          GSZ1214R            Harold Stein,
   NOTE: GSZ is a shareware program,           via Ken Whiton (1:132/152)
   but these particular archives were
   the registered versions.

  Harmony (game)          EMOTION             John Van Eekelen

  HIMEM.SYS (from         HIMEM307            John Van Eekelen
   Microsoft)

  IronMan off-road racing IRONMAN             Jon Jasiunas (WildNet, via
                                               HackWatcher Ken Whiton)

  Jill of the Jungle      JILL2               Harold Stein (CompuServe)
   (non-shareware files)  $JILL2              HackWatcher Bert Bredewoud
                          $JILL3

  KDREAMS                 KDREAMS             John Van Eekelen (2:500/228)
   (game from Softdisk)


  Program                 Archive Name(s)     Reported By
  -------                 ---------------     -----------
  LotusWorks v1.0         LWORKS              Brian Luker (1:167/149)

  Mac-in-Dos              CLINK               Arthur Taber (1:125/28)
                     (not the SEALink protocol)
                          MAC-DOS             Ron Bass (1:128/13.3)
                                              Leslie Meehan, original
                                               reporter (unknown)
                          MACON-5             Kimberly Avery (1:324/278)

  Microsoft Mouse Driver  MOUSE810            Bat Lang (1:382/91)

  Monopoly                MONINC              Chris Nelson
   (by Virgin Games)

  MS-DOS 6.0 Beta         DOS6BETA            Chris Astorquiza (1:250/316)

  MTE MNP Emulator        4800BAUD            George Staikos,Trenton,ON,
                                               via Mark Evans (1:382/87)
                          MNPEMUL             Larry Dinkoff (1:115/622)
                          MTE215              Bat Lang (1:382/91)
                          MTE210E
                          MTE210F
                          MTE210G
                          MX5                 Wolfgang Fritz
                                              Verified by Steve Lieberman
                                               of MagicSoft, Inc.
                          MX6

  MTEZ (MagicSoft)        MTZ115B1            Kim Miller (1:103/700)

  Nederlandse Spoorwegen  NS9293              John Van Eekelen
   (Dutch Railroad        NS_92_93
    System Info Book)

  Nightmare on Elm        FREDDY              Chris Nelson (1:238/500)
    Street (game)

  Optune                  OPTUNE              Bat Lang (1:382/91)
                          OPTUNE11
                          OPTUNE12            Jeff Dunlop (1:203/16)
                          OPTUNE13            Michael Toth (1:115/439.7)

  Paganitzu part 2        #2PAGA              Harold Stein
                                               (via Ken Whiton, 1:132/152)

  Physician's Desk        PDR-1               Bret Dunning (1:123/85)
    Reference             PDR-2
                          PDR-3
                          PDR-4

  PKLite Professional     PKLT_PRO            Eric Vaneberck (2:291/712)
   Version 1.13

  QModem 5.0              QM50                Daniel Hagerty (1:208/216)
                          QMODEM50            Larry Owens (1:280/87)
                          QMODEM1             Jon Jasiunas (WildNet, via
                          QMODEM2              HackWatcher Ken Whiton)
                          QMODEM3
                          QMODEM4

  Rambo (game)            RAMBO               Cimarron Mittlesteadt
                                               (via Ken Whiton, WildNet)

  Rampage (game)          RAMPAGE             HackWatcher Bill Dennison

  Red Baron game          unknown             Nolan Taylor (1:157/537)
    (by Dynamix)

  Robin Hood (game)       ROBNHOOD            HackWatcher Bill Dennison

  SimCGA                  SIMCGA40            Joe Morlan (1:125/28)
                          SIMCGA41
   NOTE: SimCGA went commercial with release 4.0, according to the
   publisher (via Joe Morlan).  Versions prior to this were copyrighted
   free programs.

  SimCity (by Maxis)      SIMCITY             Mark Visser
                          SHRCTY-1            Richard Steiner,
                          SHRCTY-2             HackWatcher

  Smartdrive Disk Cache   SMTDRV40            Michael Toth (1:115/439.7)

  Solitare Royale         SOLITRYL            Dan Brady (1:282/108)
                          SOLIT               Bud Webster (1:264/165.7)

  Sourcer disassembler    SOURCER             Bill Lambdin (1:343/45)

  Space Quest (game by    SQUEST1             Chris Nelson
    Sierra On-Line)

  Spidey (game)           SPIDEY              Brian Henry (ILink,
                                               via Richard Steiner,
                                                HackWatcher

  Spot (7-Up game)        SPOT                Steve Hodsdon (1:132/199)
                          COOLSPOT            Jason Arthurs (WildNet,
                                               via HackWatcher Ken Whiton)

  Squish 2.1              SQUISH21            Several
                                               (verified by Joe Morlan)

  Squish Plus 2.01        SQUISH21            Stephen Kawamoto
   (Sundog Software)                           (1:153/7004)

  StormLord               unknown             Mark Visser (1:221/76)
   (game)

  Supaplex                Unknown             Kevin Donald (1:123/54)
                                              Rick Rosinski (1:239/1004)
                                              Dennis Matney (1:230/12)

  SuperStor               SSTOR204            John Van Eekelen (2:500/228)

  System Control          PCSSCC              Ken Whiton, HackWatcher
   Commander (from
   PC Sources Mag)

  Tetris (the original)   #1TETRIS            Harold Stein (WildNet)

  The Bard's Tale pt. 3   BARDS-1             Chris Nelson (1:238/500)
   (game)                 BARDS-2

  Tidbits                 TIDBITS             Art Taber
   (game? from Softdisk)                       via Stuart Kremsky
                                                (1:125/28)

  Times of Lore (game)    LORE                Chris Nelson

  Toobin' (game)          TOOBIN              Joseph Lowe (1:387/1201)

  Top Gun                 TOPGUN              Cimarron Mittelsteadt
                                               (WildNet, via Ken Whiton)

  Tunnels of Armageddon   TUNNELS1            Wolfgang Fritz (1:249/140)
                          TUNNELS2

  UTscan                  UTSCAN              Bill Lambdin (1:343/45)
   (part of the Untouchable package by Fifth Generation Systems)

  VGA-Copy v4.6           VGACPY46            Bert Bredewoud (2:281/703)
   (Registered Copy)

  Wolfenstein-3D          WOLFSINC            Jeff Kaplow (1:120/364)
   (Non-Shareware modules)

  =========================================================================

                      ?????Questionable Programs?????

  Cory Daehn (1:395/12) reports in the FidoNet PDREVIEW echo that there are
  three versions of our old friend XTRATANK.  A recent message circulating
  in FidoNet about XTRATANK placing a two-part virus (half when installed,
  half when uninstalled) on your HD is true for the third version of
  XTRATANK, according to Cory.  I have not seen this version, nor have I
  received any file sizes to compare to the version I sent to Bill Logan.
  However, I will report these when received.


  HackWatcher Matt Kracht forwarded a message from Stu Turk in the DR_DEBUG
  echo about possible Trojans going around as PKZIP 2.21 and/or 2.22.  Stu
  also says that there is a warning about these in circulation.  If you
  have a copy of this warning, please send a copy to Hack Central Station
  (1:382/95).


  On the game front, some official information about which Apogee releases
  are shareware.  According to Jay Wilbur (1:124/6300) of Id Software,
  episodes 1 and 4 of Commander Keen, along with the demo version of
  episode 6 are distributable, as is episode 1 of Wolfenstein 3-D.  Other
  versions of these games are not supposed to be posted for download.


  Rajeev Seth (1:250/328) reports in the FidoNet PDREVIEW echo on TGCHAT21,
  a program claiming to use the Soundblaster or AdLib card as the bell for
  paging the SysOp in Telegard.  He says he tried to run this from a floppy
  disk and wound up trashing the floppy and his hard drive (drive D:).
  This might be due to the fact that it was run from the floppy, but it
  doesn't seem likely that a file like this could be that disk specific
  without being dangerous.  As usual, if someone has further info, please
  forward it.


  Jan Welch (1:382/87) has reported in the FidoNet VIRUS echo a file called
  W3DEDIT.ZIP, which she claims is a Trojan that will attack your hard
  drive's boot sector.  At first glance, this looks like a renamed
  WLFCHEAT, but I can't be sure.  I've sent NetMail for more information,
  so be on the lookout and report anything you know about it, if you would.


  Steve Klemetti (1:228/19) has found an archive of the Apogee game
  Paganitzu (#1PAGA.ZIP) that may either be a hack or a corrupted archive.
  The file size is 281K, and the .EXE file within is 8K (vs 11K for the
  official archive.  Steve says the opening screens go by "too fast," then
  the program puts your hard drive in "a constant seek mode." The file
  passed viral scanning.  Like I said, this could just be a corrupt
  archive, but you never know.  Just be on the lookout for an archive that
  meets these specs, and avoid it.  The real thing is a pretty decent game,
  though, according to my 5-year old son, so don't avoid _all_ #1PAGA.*
  files just because of a bad version.


  BiModem is the subject this time, but the situation doesn't quite fit
  into any of the other categories of this report.  A few users have seen a
  version called BIMOD125.* floating around, and wondered if it was a hack.
  Steve Baker (1:114/116.0) called the support BBS and verified your Hack
  Squad's information: v1.25 is a closed beta.  Version 1.24 is the latest
  public release.  This information was also verified by the Hack Squad (in
  lurk mode over in the BIMODEM echo) through a message posted by Michael
  Ingram (1:114/151).  In short, if you see BIMOD125, delete it - it's a
  beta that shouldn't be out yet.


  Yet another one that doesn't seem to fit anywhere is a Windows program
  called WinSpeed.  Bill Eastman (1:382/35) relayed a message from Alan
  Zisman (1:153/9) in the WINDOWS echo about this file, and Piyadaroon
  Kalayanamit (1:382/87) quickly cleared the confusion.  Apparently, there
  are _two_ different programs called WinSpeed: one is a commercial package
  of Windows video drivers, which should not be posted for download on any
  BBS.  The other is a small utility that will report your system speed
  from within Windows, and is a legitimate shareware file.

  James Brown (1:266/22.0) has reported in the WINDOWS echo that the
  shareware WinSpeed has been renamed to WINDSOCK.  According to James,
  the author(s) took the original off of CompuServe, renamed it, and
  resubmitted it.  Hopefully, this will ease the confusion, but there
  _will_ be copies floating around under the old name.  So, be careful
  with this one.  If you get a copy of the video driver file from
  someone, delete it: it is not shareware.


  Finally, several people have been wondering whether a shareware version
  of XTreeGold has been released.  According to XTree Support (in the XTREE
  forum on CompuServe), the last shareware release of XTree was version
  2.00E (XTREE20E).  This is _not_ XTreeGold: in fact, no shareware release
  of XTreeGold has ever been made.  It is unclear as to whether a copy of
  XTreeGold has spread beyond the "pirate boards," but this much is clear:
  if you receive a version later than 2.00E that is described as shareware,
  delete it.  It's pirated.

  =========================================================================

                            Information, Please

  This the section of The Hack Report, where your Hack Squad asks for
  _your_ help.  Several reports come in every week, and there aren't enough
  hours in the day (or fingers for the keyboards) to verify them all.  Only
  with help from all of you can The Hack Report stay on top of all of the
  weirdness going on out there in BBSLand.  So, if you have any leads on
  any of the files shown below, please send it in: operators are standing
  by.


  There have been some sightings of a version of PKZip called 1.99b.  This
  is a supposed "beta" release.  Your Hack Squad called up the PKWare BBS
  and found no mention of this version.  Also, nothing has been said about
  it on the RIME PKWare Conference.  I have posted an inquiry in the RIME
  conference, which should have an answer soon.  In the meantime, if you
  see this file, please let me know about it.


  A message forwarded by Troy Dowding (WARNINGS echo, address unknown) from
  the Wildcat! support network points out a virus in a file named REGLITE.
  This message, originally from Michelle Mauro, reports that the file is
  infected with the Particle Man virus.  It is not picked up by SCAN v95.
  I have no idea what the file in question claims to do, so I have asked
  for further information from Troy.  In the meantime, if you see this
  file or know anything about it, please let me know.


  James Collins (1:102/1013) has found a program called Virus Simulator 2.0
  (archive name unknown) that is supposed to be used to test virus
  scanners.  He says the documentation looks authentic, but the program
  "looks like someone has hacked it so that it crashes purposefully."  The
  file performs a self-check at startup, then crashes.  I'm not sure if
  this is merely a corrupted copy of the program or one that has been
  tampered with.  Also, I have no information on what the latest (if any)
  official version is.  Please lend a hand here, folks - your Hack Squad
  could use it.


  Kim Miller (1:103/700) found a file called HOMELAWY.*, which is titled
  "Home Legal Form Helper."  The program is copyrighted by OverDrive
  Systems, Inc. in 1989, and is shown as Licensed to MECA Ventures, Inc.
  Several people in the FidoNet SHAREWRE echo have reported this as a
  possible pirated file.  I am not familiar with either company mentioned
  above, but Kyle Pinkley (1:3803/3.2) reports that they are the producers
  of the commercial package Managing Your Money.  I haven't been able to
  completely verify any of this, so please forward any info you may have.


  Bud Webster (1:264/165.7) reports an Apogee game being distributed under
  the filename BLOCK5.ZIP.  He says that the game displayed a message that
  said, "This game is not in the public domain or shareware."  There was
  only an .EXE file in the archive, and no documentation.  I need to know
  what the real name of this game is so that I can include it in the pirated
  files section (if necessary).


  Now, a sensitive subject.  Arthur Shipkowski (1:260/213.2) forwarded a
  message from Kenny Root (GT-Net Shareware Forum), about a file called
  SHAMpage (SHMPG310.*).  Kenny claims he downloaded this from a Door
  Distribution Network board, unzipped and ran it, and wound up with
  thousands of directories and the 1260 virus.  This is the only report I
  have of this, and it is unconfirmed.

  I posted a question about this in a local echo in Austin, and found no
  one who had experienced the same symptoms.  I also consulted George
  Vandervort (1:382/8), a beta tester for SHAMpage, and learned that the
  file that went out over the Door Distribution Network was perfectly
  legitimate and not harmful in any way.

  George speculates, and I agree, that if this situation is true, then it
  was possibly caused by someone infecting it in transit by adding a Zip
  comment (please contact George for details).  George also says that if
  any copy does not have a "DrawBridge Zip Comment and Auto CRC check when
  unzipped," it was probably tampered with by some other system.  For the
  record, the latest version according to George is SHAMpage v3.14.

  In summary, SHAMpage 3.10 is a legitimate file, but a tampered archive of
  it may be floating around.  If anyone sees an altered archive of this
  file, please forward the information so that I can post specifics on it.


  A message in the FidoNet ASIAN_LINK echo from Choon Hwee (1:3603/263)
  grabbed my attention the moment I saw it: in capital letters, it said,
  "DO NOT RUN this file called MODTEXT.EXE, cause it is a TROJAN!!!".  He
  goes on to say that two BBSs have been destroyed by the file.  However,
  that's about all that was reported.  I really need more to go on before I
  can classify this as a Trojan and not just a false alarm (i.e., archive
  name, what it does, etc.).  Please advise.


  Greg Mills (1:16/390) posted a question to Robert Jung in the ARJ Support
  Echo (FidoNet) about a version of ARJ called 2.33.  It was unclear as to
  whether or not Mr.  Mills had seen the file.  Mr.  Jung has repeated that
  the latest version of ARJ is v2.30 (however, there is a legitimate public
  beta version numbered 2.39b).  It is possible that the references Greg
  saw about 2.33 were typos, but you never know.  Please help your Hack
  Squad out on this one - if you see it, report it.


  I still have no further confirmation of MTG2400, reported by Zach Adam of
  1:2200/103.  The description says this program will run a 2400bps modem
  like a 4800bps modem, which sounds a bit like the MTE program listed in
  the Pirated Commercial Software section.  Any information would be
  appreciated.


  Larry Dinkoff (1:115/622) found a program called PCHOOKER, claiming to be
  a shareware serial file transfer utility.  He says that he bought this as
  a commercial program about 4 years ago.  I am unfamiliar with this
  program, so any info would be welcome.


  As the last item in this report, your Hack Squad could use some info on
  the TUNNEL screen saver.  Ove Lorentzon (2:203/403.6) reports that this
  is an internal IBM test program for VGA monitors.  HackWatcher Richard
  Steiner forwarded a message from Bill Roark (RIME address BOREALIS,
  Shareware Conference) that had some quoted text strings from the
  executable.  One says, "IBM INTERNAL USE ONLY."

  This file is extremely widespread, however, so I need to hear from
  someone who knows what IBM's position on this is.  Has IBM changed its
  mind and made it legal to distribute this via BBS?  If you know for
  certain, please advise.

  =========================================================================

                               Clarifications

  George Staikos (via Mark Evans, formerly 1:382/87) previously reported a
  file called ADDMEM21 that is supposed to create additional low DOS memory
  by using your VGA memory.  All it did was blank out his SVGA monitor.
  However, this seems to have been caught in a case of hardware
  incompatibility.  Russ Johnson (1:103/132) states that this program is
  now up to version 2.5, and is a utility for increasing the amount of
  conventional memory by "remapping into the video area of the UMB."  The
  symptom reported, a blanked-out screen, would not be an uncommon problem
  with any program that does this.  Russ goes on to say that "the 2.1
  version is good shareware."


  I had hoped to be able to post some information sent to me by Joe Morlan
  (1:125/28) from a list compiled by Wes Meier, SysOp of the WCBBS
  (1-510-937-0156) and author of the AUNTIE BBS program.  However, your
  intrepid Hack Squad fell victim to some extremely persistant illnesses
  over the last month, so there just wasn't enough time to validate
  everything in the huge list he sent.  This will not be a "vaporware"
  situation, however - look in the next issue of The Hack Report for the
  proof of the pudding.  I apologize for the delay.

  =========================================================================

                                    Notes

  FidoNet Node 1:382/87, The ECS BBS, referenced several times in this
  report, is no longer an active node.  Reports from that node and its
  SysOp, Mark Evans, will not be removed from this report.

  *************************************************************************

                                Conclusion

  If you see one of these on a board near you, it would be a very friendly
  gesture to let the SysOp know.  Remember, they can get in just as much
  trouble as the fiend who uploads pirated files, so help them out if you
  can.

                          ***HACK SQUAD POLICY***

  The intent of this report is to help SysOps and Users to identify
  fraudulent files.  To this extent, I give credit to the reporter of a
  confirmed hack.  On this same note, I do _not_ intend to "go after" any
  BBS SysOps who have these programs posted for d/l.  The Shareware World
  operates best when everyone works together, so it would be
  counter-productive to "rat" on anyone who has such a file on their board.
  Like I said, my intent is to help, not harm.  SysOps are strongly
  encouraged to read this report and remove all files listed within from
  their boards.  I can not and will not take any "enforcement action" on
  this, but you never know who else may be calling your board.  Pirated
  commercial software posted for d/l can get you into _deeply_ serious
  trouble with certain authorities.

  Updates of programs listed in this report need verification.  It is
  unfortunate that anyone who downloads a file must be paranoid about its
  legitimacy.  Call me a crusader, but I'd really like to see the day that
  this is no longer true.  Until then, if you _know_ of a new official
  version of a program listed here, please help me verify it.

  On the same token, hacks need to be verified, too.  I won't be held
  responsible for falsely accusing the real thing of being a fraud.  So,
  innocent until proven guilty, but unofficial until verified.

  Upcoming official releases will not be included or announced in this
  report.  It is this Co-Moderator's personal opinion that the hype
  surrounding a pending release leads to hacks and Trojans, which is
  exactly the opposite of what I'm trying to accomplish here.

  If you know of any other programs that are hacks, bogus, jokes, hoaxes,
  etc., please let me know.  Thanks for helping to keep shareware clean!

       ========== HOW DO I GET A COPY OF THE HACK REPORT? ==========

The Hack Report is a monthly publication of the FidoNet International Echo
SHAREWRE and the author, Lee Jackson (1:382/95).  If you would like a
complete (non-split) copy of the report, please read on to learn how to get
one.

In addition to being posted in the FidoNet International Echos SHAREWRE and
PDREVIEW, the WildNet Shareware Conference, the ILink Shareware_Support
conference, and the RIME Shareware Conference, all issues of The Hack
Report are distributed as an archive.  You may obtain a copy of the latest
archive from the following sources:

   * FidoNet BBSs *

   Location and address               Phone Numbers       Filenames
   ====================               ==============      ============
   Zone 1, USA:
     Far Point Station   1:382/77     (512) 259-4896      HACK0992.LZH
     FLOTOM Enterprises  1:382/91     (512) 282-3941      HACK0992.LZH
   Zone 1, Canada:
     The Data Dump       1:140/12     (306) 956-3383      HACK0992.ARJ
      (BBS d/l on first call:
       F'Req by NodeListed systems
       only)
     Misty Mountain BBS  1:241/7      (613) 687-2497      HACK0992.LZH
   Zone 5:
     Chaos Manor         5:7102/713   27-21-557-6775      HACK0992.LZH
      (F'Req only - no BBS calls)

   (In Zone 1, current issues of The Hack Report are available on the
    first Saturday of each month for F'Req from all Zone 1 sources
    using the magic name HACK.  Back issues are not made available, due
    to the cumulative nature of the report.  Files are requestable from
    5am-2am Central Time, first time d/ls allowed.  The report is also
    available via TICK from all sources:  contact the SysOps of each
    system to have your system set up in their TIC.CFG files.)

   * CompuServe *

   Location                         Area's GO code      Filename
   ====================             ==============      ============
   IBM BBS Forum                    GO IBMBBS           HK0992.ZIP

   * SDNet/Works! *

   The Hack Report is distributed as two files, HACK0992.SDA (text
   description) and HACK0992.SDN (the full archive), via the SDNet/Works!
   file distribution system.  The files are available in the SDN_TEXT area
   of your local SDNet/Works! distribution BBS.

   * EXEC-PC *

   The Hack Report is also available in the Mahoney IBM Compatible Files
   Collection (Text - No Docs) on EXEC-PC under the filename HACK0992.ZIP.
   Call (414)789-4210 (8N1) by modem to join.

*************************************************************************
For verification purposes, here is the 32-bit CRC for the September issue
of The Hack Report, as calculated by Barry Geller's CRC-32 program (v2.0,
copyright 1989 by Barry Geller):

    Calculating CRC-32 for HACK0992.RPT  3628460347 Dec. D845E93B Hex
*************************************************************************

***I actively encourage the distribution of the archive in its original,
   unmodified state (except for archive type conversion) to other BBS
   systems.  If you upload it to a board that isn't hooked into this echo,
   please leave a message for the SysOp to let them know what you've
   sent.  Ask them (politely) to read it and respond (if they have
   comments) through you or by calling one of the systems listed in the
   report and posting their comments.

My thanks go out to all who have made this report a reality (with the
exception of the hackers who made the report a necessity, of course).  The
report is not "my" report: rather, it's a report _from_ me _to_ you, based
on your posts in FidoNet and other networks.  Thanks for your support, and
for helping to keep shareware clean!

Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)

HOW TO CONTACT THE HACK SQUAD,

  If you have a report or comment, I can be reached through any of the
  following systems and/or networks:

      FidoNet:
         FidoNet Backbone Echos: SHAREWRE, PDREVIEW, DIRTY_DOZEN
         NetMail Address   1:382/95 (Private Node - Hub Route all NetMail)
      RIME Address
         Route messages to MAH (Modem Addictus Hospital (512)443-8941)
          in the Shareware conference
      CompuServe:
         IBM BBS Forum (GO IBMBBS)
         Mail Address   76040,2743
      Internet:
         ljackson@mdf.fidonet.org
         Hack Report notices to hackreport@mdf.fidonet.org
         (NOTE - the Internet addresses are working again!  Sorry for
          any inconvenience.)

  THE HACKWATCHERS:

  If you are unable to contact me directly, you should try and contact one
  of The HackWatchers.  This is a small group of people who cover other
  parts of the world with their eyes wide open for hacks and other frauds.
  They may be reached as follows:

     HackWatcher           Network/Conference/Other Info
     ===============       =============================
     Bert Bredewoud        SDS/SDN/Win*Net
                           FidoNet NetMail Address 2:281/703

     Bill Dennison         Smartnet
                           FidoNet NetMail Address 1:273/216

     Nemrod Kedem          FidoNet Zone 2 - Israel
                           McAfee Associates Agent
                           VIRNET - all conferences
                           FidoNet NetMail Address 2:403/138

     Matt Kracht           FidoNet Echos DR_DEBUG, GAMING, PDNECHO, TECH
                           FidoNet NetMail Address 1:272/38

     Steve Lager           GlobalNet Address 51:5190/0, 51:5190/1
                           K12_Net and WIN_NET File Dist. Network
                           FidoNet NetMail Address 1:229/710

     Frank R Pizer         FidoNet Zone 5 - South Africa
                           FidoNet NetMail Address 5:7102/713

     Richard Steiner       RIME (RelayNet) Shareware Conference
                           FidoNet NetMail Address 1:282/85

     Ken Whiton            WildNet! Shareware Conference
                           FidoNet NetMail Address 1:132/152

     Mikael Winterkvist    VirNet/ACNet/HamNet
                           FidoNet NetMail Address 2:205/422 & 2:205/423

     Chris Wise            Prognet DBase Conference Moderator
                           Devnet, Tnet:  all conferences
                           FidoNet NetMail Addresses 1:275/99, 1:275/52

  This is a partial list of The HackWatchers.  New selections have been
  made, but I have not heard back from all of them yet.
Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE (1:382/95)

;;  HACK0992.COL - An ASCII columnar report of all filenames
;;  reported in The Hack Report for September, 1992.
;;
;;  By Lee Jackson, Co-Moderator, FidoNet International Echo SHAREWRE
;;  (1:382/95)
;;
;;  Please note that there are some files listed in the report
;;  that do not have filenames.  These are not listed in this file,
;;  for obvious reasons.  Also, no file extensions are listed, since
;;  they tend to change more often than the weather. :-)
;;
;;  All lines beginning with two semicolons (;;) are comments and should
;;  be ignored, as should all blank lines.  If anyone comes up with a
;;  program that reads this file, I'd appreciate seeing it before you
;;  distribute it to the general public, for reasons that are about to
;;  be made clearer.
;;
;;  UNDER NO CIRCUMSTANCES SHOULD THE FILES LISTED HERE BE AUTOMATICALLY
;;  DELETED FROM YOUR SYSTEM!  ANY PROGRAM THAT CHECKS THIS LIST AGAINST
;;  ANY FILE LISTING SHOULD INSTEAD FLAG ANY MATCHES FOR REVIEW.  ABOVE
;;  ALL, !!!READ THE HACK REPORT BEFORE DELETING ANY FILES!!!
;;  THE AUTHOR OF THE HACK REPORT AND THIS LIST WILL NOT BE HELD
;;  RESPONSIBLE FOR ANY DAMAGE AND/OR LOSS OF DATA RESULTING FROM THE
;;  USE (OR MISUSE) OF THIS LIST.
;;
;;

!ALIENS
#1BLAST
#1TETRIS
#2DUKE
#2KEEN
#2PAGA
#3KEEN
#5KEEN
$JILL2
$JILL3
240TOMNP
2496
4800BAUD
4X4
800II224
ALF
AMIGA
AREXXMAN
ARJ240
ARJ250
ATTRUE
AUTO48
BACKFIND
BARDS-1
BARDS-2
BARGAMES
BCHESS
BCWIN1
BCWIN2
BGROYALE
BGROYDOX
BILLNTED
BIMOD125
BIMOD126
BJ
BJUICE
BLOCK5
BLOCKOUT
BREV
BTLJWC
CDISK510
CDISK530
CDISK661
CLINK
COMPILER
COOLSPOT
CRYSTL-2
CSHOW801
CSHOW831
CSHOW851
CSHOW900
CSHOW91
CSHW841B
CUBULOUS
CVIR
DDISK214
DDOS55
DDPRO339
DM50
DOS501
DOS6BETA
DSTORM
DUKETRIL
DUKEZIP2
DUKEZIP3
DUNEFLT1
DUNEFLT2
DUNEFLT3
DW171
EAGLE
EARLYWA
EMM386
EMM441
EMOTION
ENVIRED
EPW27
EXP-MEM
FAST!
FBPL200
FLASHLNK
FLIP-IT
FONTS
FREDDY
FREEHST
GAUNTLET
GIFLT14R
GREYSCAL
GSZ
GSZ0410
GSZ1214R
HIMEM307
HIMEM500
HOMELAWY
HSLK113
IMPROC50
IRONMAN
JIGSAWV2
JILL2
JOKE
KDREAMS
LHA214
LHA300
LIST18
LIST8
LORE
LWORKS
MAC-DOS
MACON-5
MATHMSTR
MAXRES
MNPEMUL
MOBYZ
MODTEXT
MONINC
MONOP3-0
MOUSE810
MSTLST10
MTE210E
MTE210F
MTE210G
MTE215
MTG2400
MTZ115B1
MX5
MX6
NPV2
NS9293
NS_92_93
OCEAN
OPTUNE
OPTUNE11
OPTUNE12
OPTUNE13
PCHOOKER
PCSSCC
PDR-1
PDR-2
PDR-3
PDR-4
PKLT_PRO
PKUNZIP
PKX201
PKZ201
PKZ210F
PKZIP120
PKZIP203
PKZIP20B
PKZIP_V2
PKZIPV2
PLANTS
PSI3
QEDIT500
QM451
QM50
QMODEM1
QMODEM2
QMODEM3
QMODEM4
QMODEM50
QUICKEYS
RAINBOW
RAMBO
RAMPAGE
REGLITE
ROBNHOOD
SCAN74
SCAN78
SCAN79
SCAN81
SCAN83
SCAN87
SCAN88
SCAN92
SCAN94
SCAN95
SCAN96
SHEZ72A
SHEZ73
SHIELD20
SHIELD21
SHRCTY-1
SHRCTY-2
SIMCGA40
SIMCGA41
SIMCITY
SMTDRV40
SOLIT
SOLITRYL
SOURCER
SPEEDUP
SPIDEY
SPOT
SQUEST1
SQUISH21
SSTOR204
TDRAW430
TDRAW500
TDRAW550
TDRAW600
TDRAW800
TEDP090
TG27E
TG27FAST
TG29EALP
TGCHAT21
TGSEC16
THEDR60
TIDBITS
TIME
TMFIX
TOOBIN
TOPGUN
TUNNEL
TUNNELS1
TUNNELS2
UTSCAN
VGA835
VGACPY46
VIRTUAL
VPIC47
VPIC50DT
W3DEDIT
WHALE
WLFCHEAT
WOLFSINC
WOLFXXX
X00V130
X00V130J
XEDIT
XTRATANK
ZAPPER15
ZIPFAX