----------------------------------------------------------------
|                      THE GUARDIAN LIST                       |
|                                                              |
|       -- An Uploaded Trojan/Virus Program Alert List.        |
|       This list is distributed thru FidoNet and LCRNET.      |
----------------------------------------------------------------
|  Issue #1: Sept 25, 1989                                     |
|  Revision Stage 'B'                                          |
|  Compiled by Sysops of FidoNet and LCRNET and other sources  |
|  Edited by Tom Sirianni of FidoNet 105/301                   |
----------------------------------------------------------------

Introductory Note:

This Trojan Alert List is dedicated to the efforts of the End User and the Sysop, who have had very little support. Now, through The Guardian List, those Users/Sysops stand a chance in the fight against worms, trojans, and viruses, and the results are reported to you, the User. It is because of the efforts of many Sysops who have spent countless hours to keep a BBS online, and because of the End Users who love PD and ShareWare programs, that this list is presented and aggressively maintained.

Although there are other lists available, the Guardian is the only list that is constantly maintained and distributed through FidoNet's SDS network, assuring its distribution internationally in a matter of days.

Much of what goes into The Guardian List comes from the DIRTY_DOZEN echo conference. Within this conference are Sysops and Users from around the world who help determine what are and are not trojans/viruses. There are also groups in Colleges and Universities around the country participating in the List's development and maintenance.

What's in the future? As SDNet/Works! (The Shareware Distribution Network) takes effect, you will see fewer attacks on Sysops, as files are distributed through a controlled source, direct from the Authors. Until this concept is fully mobilized, The Guardian List will be here to help you, the Users and the Sysops, including those Sysops not in FidoNet or LCRNET.
Tom Sirianni
SCP Business BBS
FidoNet 105/301
LCRNET 1010/0

Neither SCP Business BBS, nor its Sysop or Editor, assumes any responsibility for the validity or completeness of this list. Many sources contribute to the list, and it is very possible that one of the reported files works perfectly and is in the Public Domain. All the same, it is quite possible that a mistake will slip in somewhere. Since this is the case, please keep in mind while reading this list that, however unlikely, it is possible that I am (or my sources are) incorrect in any accusation.

Note: ** Some TROJANS are designed to work only on [Hard] Drives **

HELP FROM USERS REQUESTED:

Users upload bad software to hundreds of boards every day, and often the software is not yet in this list, or the file may have been corrupted due to a bad ARCHIVE. However, if you run a trojan horse program that is not listed here, please don't send it to SCP Business BBS. Instead, give me a call (SCP Business BBS phone 1-503-648-6687; 9600-v42/2400/1200/300 baud supported) and leave me a message about the program (with a complete filename and any other information you may have) so that I can get the destructive program into the next issue. It is important to verify that the program is a TROJAN and not an OPERATOR error. If anyone is unsure whether or not a file is a Trojan, and it's not listed in the GL, I recommend using a utility like BOMBSQAD.COM or CHK4BOMB.EXE to prevent any mishaps. For VIRUSES, use VirusScan or FluShot+. After your call, I may want you to upload it just to verify it myself if you are unable to.

A WORD FROM TOM SIRIANNI:

TYPE OF TROJAN -- THE VIRUS...

A Virus is a trojan which attaches itself to certain files and at a predetermined time attacks your FAT, DIR, and/or BOOT areas, cross-linking files and looking for ways to attach itself to diskettes and other disks containing files such as IBMDOS, IBMBIO, COMMAND.COM, etc.
This type of virus spreads its dirty work to other systems much like the flu or a cold, relying on the user to spread the VIRUS. Protection (to a limited degree) from these virus strains is available with the ShareWare programs SENTRY, SCAN (VirusScan), and FSP (FluShot Plus), which are all available on the SCP Business BBS, 105/301 FidoNet, 1-503-648-6687 (PC-Pursuit ORPOR), or through SDS nodes within FidoNet (note that SDS and SDN are two separate entities). The best program, called SCAN, better known as VirusScan, can check any physical or logical drive or diskette for any file infected by a Virus. It will tell what type of Virus it is and where it is located.

WHAT TO DO IF YOU THINK YOU ARE INFECTED WITH A TROJAN/VIRUS

There are three ways to tell if you are infected:

1) First, have a GOOD DOS diskette with COMMAND.COM on it, PLUS put a WRITE-PROTECT TAB on your DOS disk. Then, from your system, do a DIR on the good DOS diskette. If you get a WRITE-ERROR, you are infected -- DIR does not do any writing of any kind, whereas the VIRUS does.

2) Another way is to check and compare the time-date stamp of COMMAND.COM. The Virus writes to COMMAND.COM, thereby changing the time-date stamp.

3) Use SCAN to tell if you are infected, and it will tell you what type.

The psychologically unbalanced individuals writing and uploading these programs will change their viral methods, so beware. Many new viral detection programs are in the works, both commercially and in the public domain, to keep up with the viral programs. We have Virus/Trojan information texts available to confirmed SYSOPS on SCP Business BBS. The Virus text files are ZIPed and can be File-Requested thru FidoNet BBS's as VIRUS-1.ARC & VIRUS-2.ARC.

Simple precautions: The thing to do is to check the contents of your downloads via the verbose command of the type of archiving program used, making sure ANSI.SYS is disabled first.
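Detection method 2 above compares the time-date stamp of COMMAND.COM, and the prevention advice later in this list (make periodic file listings and compare them to prior ones) is the same idea applied to the whole system. The following Python script is an added example, not part of the Guardian List or of any tool it names: it records the size, time-date stamp and a SHA-256 hash of a set of watched system files, and reports anything that changed. The watched names come from this text; the baseline file name and directory layout are assumptions, and the demo builds a constructed stand-in COMMAND.COM rather than touching a real one.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Added example, not part of the Guardian List. The watched names are the DOS
# system files named in the text above; baseline.json is an assumed name.
WATCHED = ["COMMAND.COM", "IBMBIO.COM", "IBMDOS.COM"]


def snapshot(root):
    """Record size, time-date stamp and SHA-256 of each watched file under root."""
    result = {}
    for name in WATCHED:
        path = Path(root) / name
        if not path.is_file():
            continue                      # absent files are reported by compare()
        st = path.stat()
        result[name] = {
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return result


def compare(baseline, current):
    """Return human-readable findings; an empty list means nothing changed."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append(f"{name}: missing (was {old['size']} bytes)")
            continue
        if new["size"] != old["size"]:
            delta = new["size"] - old["size"]
            findings.append(f"{name}: size {old['size']} -> {new['size']} ({delta:+d} bytes)")
        if new["mtime"] != old["mtime"]:
            findings.append(f"{name}: time-date stamp changed")
        if new["sha256"] != old["sha256"]:
            findings.append(f"{name}: contents changed (hash mismatch)")
    for name in current:
        if name not in baseline:
            findings.append(f"{name}: present now but not in baseline")
    return findings


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo(root=None):
    """Baseline a constructed COMMAND.COM, then grow it by 1538 bytes (the
    size change the KC-PAL.COM entry in the list reports) and re-check."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    root.mkdir(parents=True, exist_ok=True)
    cmd = root / "COMMAND.COM"
    cmd.write_bytes(b"\x90" * 4096)           # constructed stand-in, not real DOS
    save_baseline(snapshot(root), root / "baseline.json")
    with cmd.open("ab") as f:                  # simulate an infector appending code
        f.write(b"\xcc" * 1538)
    later = time.time() + 100
    os.utime(cmd, (later, later))              # and touching the time-date stamp
    return compare(load_baseline(root / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keep the baseline on a write-protected diskette, as the text recommends for the DOS disk itself; a baseline stored on the drive being checked can be rewritten by the same program that alters COMMAND.COM. The hash catches an infector that preserves size and time-date stamp, which the stamp comparison alone would miss.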
DO NOT DOWNLOAD any files without any available or known documentation unless you are assured it is safe by the SYSOP. Also, do not accept any ARCHIVE or diskette containing a file named COMMAND.COM. Use VirusScan!!!

Remember -- these new TROJANS are no laughing matter. Without causing mass hysteria, use your best judgment, and check your procedures first!

Final note: There is a commercial program called C-4 by InterPath Corp. which will (to date) detect and contain ALL known PC-VIRUSES. So for the ultimate 100 percent protection, get C-4.

    C-4 by InterPath Corp.
    4423 Cheeney St.
    Santa Clara, Calif. 95054
    1-408-988-3832
    was $40.00

----------------------

A word on TROJANS -

In the course of time trojans/viruses have gained MEDIA attention. Unfortunately, RUMORS have always played a major factor in their notoriety. The truth is, those reported are minimal compared to the vast number of programs out there in the BBS community. Some are designed to defame people or companies. As an example, Dorn Stickel has been noted as the supposed Author of several TROJANS. But in real life, he is not that person. So, until verified, do not assume it is real and, at the same time, do not ignore its existence either. Be cautious with all types of file transfers and all types of media used.

ANSI TEXT FILES/DOC FILES:

Did you know a TROJAN can be used in DOC and TEXT files? If your system is configured for ANSI.SYS in your CONFIG.SYS file, your keyboard could be redirected or the keys reconfigured. For example, you could hit the F1 key and the trojan could do a High Level Format; or hit ALT-X and it will say "del *.* and yes". It can answer the prompts, and before you say, "What the '(&^(~*%' is going on?", your system is deleted. And it can also hide those commands. USE A BROWSER OR LISTER PROGRAM WHEN LOOKING AT ANY TEXT/DOC FILE; even an editor, PC Tools Edit, or a word processor will work. This way, no redirection can take place.
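The keyboard redirection described above is done with ANSI.SYS key-reassignment sequences, which look like ESC [ key-code ; "string" p and are the only escape sequences that change what a key types. The Python script below is an added example, not part of the Guardian List or of the STRIPZIP utility it mentions: it scans a TEXT/DOC file before display, reports every escape sequence it contains, decodes the key-reassignment ones (which key, what it would type), and strips all of them so the file can be shown safely. The same scan applies to any text you are about to display, including a verbose archive listing. SAMPLE_DOC and the key table are constructed for the example; the sequence syntax is ANSI.SYS's own.

```python
# Added example, not part of the Guardian List or of the STRIPZIP utility it
# names: scans a TEXT/DOC file for ANSI.SYS escape sequences before display,
# flags the keyboard-redefinition kind (ESC [ ... p) described above and
# strips every sequence so the file can be shown safely. SAMPLE_DOC and the
# key table are constructed; the sequence syntax is ANSI.SYS's own.
ESC = "\x1b"
# ANSI.SYS addresses extended keys as 0;<scan code>; F1 and ALT-X are named above.
EXTENDED_KEYS = {59: "F1", 60: "F2", 61: "F3", 62: "F4", 63: "F5", 64: "F6",
                 65: "F7", 66: "F8", 67: "F9", 68: "F10", 45: "ALT-X", 46: "ALT-C"}


def find_csi_sequences(text):
    """Yield (start, end, params, final) for each ESC [ <params> <letter>.
    Quoted strings are honoured so a letter inside "..." does not end it early."""
    i, n = 0, len(text)
    while i < n:
        if text[i] == ESC and i + 1 < n and text[i + 1] == "[":
            j, quote = i + 2, None
            while j < n:
                c = text[j]
                if quote:
                    quote = None if c == quote else quote
                elif c in "\"'":
                    quote = c
                elif c.isalpha():
                    break
                j += 1
            if j < n:                       # found the final byte
                yield i, j + 1, text[i + 2:j], text[j]
                i = j + 1
                continue
        i += 1


def split_params(params):
    """Split on ';' outside quotes."""
    parts, cur, quote = [], "", None
    for c in params:
        if quote:
            quote = None if c == quote else quote
        elif c in "\"'":
            quote = c
        elif c == ";":
            parts.append(cur)
            cur = ""
            continue
        cur += c
    parts.append(cur)
    return parts


def decode_key_reassignment(params):
    """Parameters of an ESC [ ... p sequence -> (key name, typed payload)."""
    parts = split_params(params)
    if not parts or not parts[0].isdigit():
        return "?", params
    if parts[0] == "0" and len(parts) > 1 and parts[1].isdigit():
        code, rest = int(parts[1]), parts[2:]
        key = EXTENDED_KEYS.get(code, f"extended key {code}")
    else:
        code, rest = int(parts[0]), parts[1:]
        key = chr(code) if 32 <= code < 127 else f"ASCII {code}"
    payload = ""
    for p in rest:
        if len(p) >= 2 and p[0] in "\"'" and p[-1] == p[0]:
            payload += p[1:-1]
        elif p.isdigit():                   # bare numbers are ASCII codes; 13 = Enter
            payload += f"<{int(p)}>"
    return key, payload


def scan_text(text):
    """Report every escape sequence; key reassignments are the dangerous ones."""
    findings = []
    for start, end, params, final in find_csi_sequences(text):
        entry = {"offset": start, "raw": text[start:end]}
        if final == "p":
            entry["kind"] = "key-reassignment"
            entry["key"], entry["payload"] = decode_key_reassignment(params)
        else:
            entry["kind"], entry["final"] = "display-control", final
        findings.append(entry)
    return findings


def strip_ansi(text):
    """The text with every ESC [ sequence removed, as a lister would show it."""
    out, last = [], 0
    for start, end, _, _ in find_csi_sequences(text):
        out.append(text[last:start])
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: colour codes plus one sequence rebinding F1 to type
# "dir" and Enter. A real trojan carries a destructive command here.
SAMPLE_DOC = ("README for MYUTIL v1.0\r\n"
              "\x1b[1;33mThanks for downloading!\x1b[0m\r\n"
              '\x1b[0;59;"dir";13p'
              "Press F1 for help.\r\n")

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DOC):
        print(finding)
    print(strip_ansi(SAMPLE_DOC), end="")
```

Note that the stripped text reads as a perfectly ordinary README, which is exactly why the text above says to view such files with a lister rather than TYPE: the reassignment only takes effect when the raw bytes reach a console with ANSI.SYS loaded. Treat any key-reassignment finding as a reason not to display the file on such a console at all.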
ANSI IN ARC FILES:

It has been noted that it is possible to put ANSI redirection codes within several types of ARCers used to archive files in the BBS community. To be safe, do not do a VERBOSE listing of an ARC unless you make sure ANSI.SYS is disabled in your system's CONFIG.SYS. Also, there are several utilities available through SDS nodes in FidoNet, such as STRIPZIP, which will take those ANSI codes out of the ARCed file. Current versions of LHARC, PAK, and PKZIP now default to ANSI display turned OFF, so this helps.

Final Note: Before we go into the listing as of the current date of this issue, it seems that the Jerusalem Virus is the most notorious or the most prominent. When infected, the way to get rid of the Virus is to run VirusScan to determine which file it is, then delete that file and replace it with a known GOOD file.

------------------------------------------------------------------

TITLE DEFINITIONS:

TROJAN    These programs PURPOSEFULLY damage a user's system upon their invocation. They usually aim to disable [Hard] disks, although they can destroy other equipment, too.

VIRUS     These programs are the ultimate TROJAN, designed to infect as well as destroy the User's system and the other systems that it infects. Its sole purpose is to replicate itself while destroying the system. This term will be used in conjunction with those files that are infected as well as those files that start the virus.

CAREFUL   Programs labeled in this manner may or may not be trojans; the question is how they are used. Use caution when running these programs!

*         The asterisk will be used to show that the file may or may not be "BAD" or unresolved.

NOTE: If a file extension is not supplied, that means that the file circulates under many different extensions. For instance, users commonly upload with extensions of .ARC, .PAK, .LZH, .SDN, .ZOO, .ZIP, or as .EXE or .COM files.
-----------------------------------------------------------------
|                    TROJAN HORSE PROGRAMS:                     |
-----------------------------------------------------------------

NAME             CATEGORY   NOTES
---------------  ---------  -----------------------------------------
(Notes are given indented beneath each name and category.)

3X3SHR           *TROJAN
    Time Bomb type trojan; wipes the [Hard] Drive clean. File size is 78,848.

ANTI-PCB         *TROJAN
    The story behind this trojan horse is sickening. Apparently one RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system was better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to the RBBS SysOp under ANTI-PCB.COM. Of course the RBBS-PC SysOp ran it, and that led to quite a few accusations and a big mess in general. Let's grow up! Every SysOp has the right to run the type of BBS they please, and the fact that a SysOp actually wrote a trojan intended for another sysop simply blows my mind.

ARC2ZIP.EXE      VIRUS
    This Lehigh Virus strain attacks COMMAND.COM and is used in converting ARCed files to ZIPed files. This file also copies itself into the ZIPed file while remaining a TSR within COMMAND.COM. It is also always looking for COMMAND.COM on a FLOPPY diskette, so it has two ways to infect.

ARC513.EXE       *TROJAN
    This hacked version of ARC appears normal, so beware! It will write over track 0 of your [hard] disk upon usage, destroying the disk.

ARC514.COM       *TROJAN
    This is very similar to ARC version 5.13 in that it will overwrite track 0 (FAT Table) of your [Hard] disk. Also, I have yet to see an .EXE version of this program.

ARC533.EXE       VIRUS
    This is a new Virus program designed to emulate SEA's ARC program. It infects COMMAND.COM. Lehigh Virus Type.

BACKTALK         *TROJAN
    This program used to be a good PD utility, but someone changed it into a trojan. Now this program will write to/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy.
B30012A.ARC      *TROJAN
    Was supposed to be a Quick BBS utility to handle 300 baud Users. But what it really does is delete many of the general directories used by a Quick BBS system.

CDIR.COM         *TROJAN
    This program is supposed to give you a color directory of files on your disk, but it in fact will scramble your disk's File Allocation Table (FAT).

D-XREF60.COM     TROJAN
    A Pascal Utility used for Cross-Referencing, written by the infamous Dorn Stickel. It eats the FAT and BOOT sector after a time period has been met and if the [Hard] Drive is more than half full.

DANCERS.BAS      *TROJAN
    This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another perfectly good copy of DANCERS.BAS on BBS's around the country; apparently the idiot trojan author altered a legitimate program to do the dirty work.

DISKSCAN.EXE     TROJAN
    This was a PC-MAGAZINE program to scan a [hard] disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE. A good original copy is available on SCP Business BBS.

DMASTER          *TROJAN
    This is yet another FAT scrambler.

DOSKNOWS.EXE     *TROJAN
    I'm still tracking this one down -- apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility. All I know for sure is that the REAL DOSKNOWS.EXE is 5376 bytes long. If you see something called DOSKNOWS that isn't close to that size, sound the alarm.

DOS-HELP         TROJAN
    This trojan, when made memory-resident, is supposed to display a DOS command that the User needs help with. Works fine on a Diskette system, but on a [Hard] DRIVE system, it tries to format the [Hard] Disk with every access of DOS-HELP.

DPROTECT         *TROJAN
    Apparently someone tampered with the original, legitimate version of DPROTECT and turned it into a FAT eater. A good version is available on SCP Business BBS.
DRAIN2           *TROJAN
    There really is a DRAIN program, but this revised program goes out and does a Low Level Format while it is playing the funny program.

DROID.EXE        *TROJAN
    This trojan appears under the guise of a game. You are supposedly an architect who controls futuristic droids in search of relics. In fact, PC-Board sysops (if they run this program from C:\PCBOARD) will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX. The .EXE file is 54,272 bytes.

DRPTR.ARC        TROJAN
    File found on two boards in the 343 Net. After running the unsuspected file, the only things left in the Sysop's root directory were the subdirectories and two of the three DOS System files, along with a 0-byte file named WIPEOUT.YUK. The Sysop's COMMAND.COM was located in a different directory; the file date and CRC had not changed.

DSZ (Patch)      *CAREFUL
    The author of this protocol program, Chuck Forsberg, warns that anyone using an Unregistered version of DSZ that was HACKED with a downloaded PATCH to make it work fully might get a SCRAMBLED FAT. Seems someone created the HACK PATCH and then uploaded it to BBS's. *BEWARE* of the PATCH! It is not the DSZ program that does the dirty work, but the invalid PATCH.

EGABTR           *TROJAN
    BEWARE! Description says something like "improve your EGA display," but when run, it deletes everything in sight and prints, "Arf! Arf! Got you!"

EMMCACHE         *CAREFUL
    This program is not exactly a trojan, but it (v. 1.0) may have the capability of destroying [Hard] disks by: A) Scrambling every file modified after running the program. B) Destroying boot sectors. This program has damaged at least two [Hard] disks; yet there is a base of happily registered users. Therefore, extreme caution is advised if you decide to use this program.

FILER.EXE        *TROJAN
    One SysOp complained a while ago that this program wiped out his 20 Megabyte [Hard] disk. I'm not so sure that he was correct and/or telling the truth any more.
    I have personally tested an excellent file manager also named FILER.EXE, and it worked perfectly. Also, many other SysOps have written to tell me that they have, like me, used a FILER.EXE with no problems. If you get a program named FILER.EXE, it is probably alright, but better to test it first using some security measures.

FILES.GBS        CAREFUL
    When an OPUS BBS system is installed improperly, this file could spell disaster for the Sysop. It can let a user of any level into the system. Protect yourself. Best to have a sub-directory in each upload area called c:\upload\files.gbs (this is an example only). This would force Opus to rename a file upload of files.gbs and prevent its usage.

FINANCE4.ARC     *CAREFUL
    This program is not a verified trojan; there is simply a file going around BBS's warning that it may be a trojan. In any case, exercise extreme care with it.

FLU4TXT.COM      TROJAN
    Man, just when I thought we had it licked! This Trojan was inserted into FluShot4.ARC and uploaded to many BBS's. FluShot is a protector of your COMMAND.COM. The author of FluShot posted this Trojan warning, and I am posting it here in the GL. If you need a good copy, you can get it from here -- SCP Business BBS -- or on COMPUSERVE.

FOX2.ARC         TROJAN
    The show program was put into the FOX (SHOW.COM) archive to display porno on VGA. While doing so it corrupts the FAT of the HD. Even NU cannot recover it. A FAT recovery program like MIRROR has not yet been tested for it.
        Name        Size    Date
        Show.com    14562   06/02/85

FUTURE.BAS       *TROJAN
    This "program" starts out with a very nice color picture (of what, I don't know) and then proceeds to tell you that you should be using your computer for better things than games and graphics. After making that point, it trashes your A: drive, and B:, C:, D: drives until it has erased all drives. It does not go after the FAT alone; it also erases all of your data.
    As far as I know, however, it erases only one sub-directory tree level deep, thus [Hard] disk users should only be seriously affected if they are in the "root" directory. I'm not sure about this one either, though.

GATEWAY2         *TROJAN
    Someone tampered with version 2.0 of the CTTY monitor GATEWAY. What it does is ruin the FAT. If you need a good copy, you can file-request it or pick one up from 105/301 -- SCP Business BBS.

GRABBER          TROJAN
    This program is supposed to be a SCREEN CAPTURE program that copies the screen to a .COM to be run later from the DOS command line. As a TSR, it will also attempt to do a DISK WRITE to the [Hard] drive when you do not want it to. It will wipe whole Directories when doing a normal DOS command. One sysop who ran it lost all of his ROOT directory, including his SYSTEM files. The file status is:
        Name          Size    Date        Time
        GRABBER.COM   2583    05/28/87    22:10

GRASPRT.EXE      VIRUS
    This file was in a porno file called SEXSHOE.LZH originating from PC-EXEC BBS. The Sysop took it off, but it had been downloaded by a few people. This is one of the Jerusalem-B Virus strains. The status is:
        Name          Size    Date        Time
        GRASPRT.EXE   73376   06/03/86    09:49

G-MAN            TROJAN
    Another FAT killer.

HEART.EXE        VIRUS
    Infected with the Israeli Virus. Displays the HEART logo on a CGA monitor while infecting the HD. File is found at some SHAREWARE houses; watch for it.
        Name          Size    Date
        HEART.EXE     13744   ?????

JIV40.LZH        VIRUS
    Hacked program of JIV -- the current real program is v3.3, NOT v4.0. It is also infected by a Virus which attaches to any .COM file it can find.

KC-PAL.COM       TROJAN
    Infects COMMAND.COM and then attaches to any .COM file afterward, using COMMAND.COM during its use of Internal commands (COPY, DIR, TYPE, etc.). The COMMAND.COM files are enlarged in size by 1538 bytes, and in the Time column of the directory listing the seconds are reset from :00 to :62.

LM               TROJAN
    Deletes COMMAND.COM and other files from the ROOT directory of the [Hard] Drive when the program runs.
MAP              TROJAN
    This is another trojan horse written by the infamous Dorn Stickel. Designed to display what TSR's are in memory, it works on FAT and BOOT sectors. Also seems to work only when the [Hard] Drive is 50 percent full or more.

MATHKIDS.ARC     *TROJAN
    This is a fairly benign trojan that will not reformat your [Hard] disks or do any system-level damage. Instead, it is designed to crack a BBS system. It will attempt to copy the USER file on a BBS to a file innocently called FIXIT.ARC, which the originator can later call in and download. Believed to be designed for PCBoard BBS's.

MOUSEKEY.COM     VIRUS
    Mouse device program infected with the CASCADE type virus.

NORTSHOT.ZIP     TROJAN
    A supposed VIRUS checker. While NORTSTOP.ZIP lists the DIR during its check, it displays that the disk is Virus Free, but during Dec. 24th and Dec. 31st it will ERASE files in several DIRs based on their extension. NORTSHOT.ZIP and NORTSTOP.ZIP are the same file.
        Name          Size    Date
        NORTSTOP.EXE  38907   ?????

NOTROJ.COM       *TROJAN
    This "program" is the most sophisticated trojan horse that I've seen to date. All outward appearances indicate that the program is a useful utility used to FIGHT other trojan horses. Actually, it is a time bomb that erases any [Hard] disk FAT it can find and, at the same time, it warns: "another program is attempting a format, can't abort!" After erasing the FAT(s), NOTROJ then proceeds to start a low level format. One extra thing to note: NOTROJ only damages FULL [Hard] drives; if a [Hard] disk is under 50 percent full, this program won't touch it! If you are interested in reading a thorough report on NOTROJ.COM, James H. Coombes has written an excellent text file on the matter named NOTROJ.TXT. If you have trouble finding it, you can get it from SCP Business BBS.

PACKDIR          *TROJAN
    This utility is supposed to "pack" (sort and optimize) the files on a [hard] disk, but apparently it scrambles FATs.

PCW271xx.ARC     *TROJAN
    A modified version of the popular PC-WRITE word processor (v.
    2.71) has now scrambled at least 10 FAT tables that I know of. If you want to download version 2.71 of PC-WRITE, be very careful! The bogus version can be identified by its size; it uses 98,274 bytes whereas the good version uses 98,644. For reference, version 2.7 of PC-WRITE occupies 98,242 bytes.

PKX35B35.ARC }   *TROJAN
PKB35B35.ARC }   *VIRUS
    This was supposed to be an update to the PKARC file compress utility. When it is run, it *EATS your FATS* and is said to infect other files so it can spread. Possible VIRUS.

PKPAK/PKUNPAK v3.61   *CAREFUL
    There is a TAMPERED version of 3.61 that interferes with the PC's interrupts.

PKFIX361.EXE     *TROJAN
    Supposed patch to v3.61. What it really does when it is extracted from the .EXE file is DIRECT access to the DRIVE CONTROLLER to perform a Low-Level format, thereby bypassing checking programs.

PK362.EXE        *CAREFUL
    This is a NON-RELEASED version and is suspected as being a *TROJAN*. Not verified.

PK363.EXE        *CAREFUL
    This is a NON-RELEASED version and is suspected as being a *TROJAN*. Not verified.

PKZ100.EXE       TROJAN
    Supposed to be a new release of PKZIP, but what it really does is fill up your [Hard] drive with many directories until the system no longer functions. The current version is PKZIP v.092.

PKZ120.EXE       TROJAN
    Modifies the AREAS.BBS of BBS's that use such a file. Replaces addresses in that file with dummy addresses, then deletes itself to avoid any way to decipher how it works.
        Name          Size             Date
        PKZ120.EXE    172,000 approx.  09/13/89

QUIKRBBS.COM     *TROJAN
    This Trojan horse advertises that it will install a program to protect your RBBS, but it does not. It goes and eats away at the FAT instead.

QUIKREF          *TROJAN
    This ARChive contains ARC513.COM. It is supposed to load RBBS-PC's message file into memory two times faster than normal. What it really does is copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT.

RCKVIDEO         *TROJAN
    This is another trojan that does what it's supposed to do, and then wipes out [Hard] disks.
    After showing some simple animation of a rock star ("Madonna," I think), the program will go to work erasing every file it can lay its hands on. After about a minute of this, it will create three ASCII files that say, "You are stupid to download a video about rock stars," or something of the like.

SECRET.BAS       *TROJAN
    BEWARE!! This may be posted with a note saying it doesn't seem to work, and would someone please try it; when you do, it formats your disks.

SIDEWAYS.COM     *TROJAN
    Be careful with this trojan; there is a perfectly legitimate version of SIDEWAYS.EXE circulating. Both the trojan and the good SIDEWAYS advertise that they can print sideways, but SIDEWAYS.COM will trash a [hard] disk's boot sector instead. The trojan .COM file is about 3 KB, whereas the legitimate .EXE file is about 30 KB.

STAR.EXE         *TROJAN
    Beware RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later!

STRIPES.EXE      *TROJAN
    Similar to STAR.EXE, this one draws an American flag (nice touch), while it's busy copying your RBBS-PC.DEF to another file (STRIPES.BQS) so the joker can log in later, download STRIPES.BQS, and steal all your passwords. Nice, huh?

SUG.COM          TROJAN
    This one is supposed to go out and unprotect copy-protected program disks by Softguard Systems, Inc. After it trashes your disk, it comes back and displays: "This destruction constitutes a prima facie evidence of your violation. If you attempt to challenge Softguard Systems Inc..., you will be vigorously counter-sued for copyright infringement and theft of services." AND it bypasses any attempt by CHK4BOMB to search for any hidden messages that tell you, "YOU BEEN HAD..." or "GOTCHA>>> Ar..Ar..Ar..." It encrypts the Gotcha message so no Trojan checker can scan for it.

TIRED            *TROJAN
    Another scramble-the-FAT trojan by Dorn W. Stickel.

TOPDOS           *TROJAN
    This is a simple high level [hard] disk formatter.
TSRMAP           *TROJAN
    This program does what it's supposed to do: give a map outlining the location (in RAM) of all TSR programs, but it also erases the boot sector of drive "C:".

ULTIMATE.EXE     TROJAN
    Another FAT eater. File status:
        Name          Size
        ULTIMATE.EXE  3090
        ULTIMATE.ARC  2432

UNIX             VIRUS
    The UNIX operating system by Berkeley, version 4.3, is an INTERNET virus. A Patch is available on SCP Business BBS. This is the MAIL PACKET VIRUS.

VDIR.COM         *TROJAN
    This is a disk killer that Jerry Pournelle wrote about in BYTE Magazine. I have never seen it, although a responsible friend of mine has.

VGA2CGA.ARC      VIRUS
    CGA converter, infected with the AIDS/Hahaha virus; has been found on many USA West Coast BBS's.

VU.EXE           *VIRUS
    Infected with the 1704-B Virus. Has not been confirmed, and it is unknown what the file is supposed to do.

WOW              *VIRUS
    Also known as the 1701 Virus. This is a new strain of the Lehigh Virus, as it not only looks for COMMAND.COM, but any .COM file. As it does so, the infected file is enlarged by 1,701 bytes in SIZE. The infection takes place as you run the .COM. WOW is a TSR. What happens when you run WOW is that it displays an advertisement: "The Wizards of Warez" in association with the copycats the Pirates Unlimited OUTRUN WOW 1989. The virus is also known as WOWTITLE.

-----------------------------------------------------------------
|                If you run a trojan horse.....                 |
-----------------------------------------------------------------

While reading this, bear in mind that there is no better remedy for a drive that has run a trojan horse and been damaged than a recent backup.

The first thing to do after running what you think to be a trojan horse is to diagnose the damage. Was your [hard] drive formatted? Did the trojan scramble your FAT table? Did every file get erased? Did your boot sector on the [hard] drive get erased/formatted? Odds are that the trojan incurred one of these four disasters. After the initial diagnosis, you are ready to remedy the problem.
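The diagnosis above asks whether the trojan scrambled your FAT table. As an added example that is not part of the Guardian List nor of FATBACK, MACE+ or any other tool it names, the following Python script reads the BIOS Parameter Block of a FAT12 volume image, pulls out the two FAT copies DOS keeps, cross-checks them (a scrambler that hits one copy shows up as a mismatch, one that hits both shows up in the damaged reserved entries), and shows how a saved copy of the FAT puts a scrambled one back, which is the point of backing the FAT up regularly. The volume image is constructed in memory (boot sector and FAT region only, no data area), and scramble_fat simulates a trojan by XORing one FAT copy.

```python
import struct

# Added example, not part of the Guardian List, FATBACK or MACE+: reads the
# BIOS Parameter Block of a FAT12 volume image, extracts its FAT copies,
# cross-checks them, and restores them from a saved copy. The volume image is
# constructed in memory; only the boot sector and the FAT region are built.

BPB_FORMAT = "<HBHBHHBH"      # fields at offset 11 of the boot sector


def parse_bpb(image):
    """Decode the BIOS Parameter Block fields this check needs."""
    (bps, spc, reserved, nfats, root_entries,
     total, media, spf) = struct.unpack_from(BPB_FORMAT, image, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "num_fats": nfats,
            "root_entries": root_entries, "total_sectors": total,
            "media": media, "sectors_per_fat": spf}


def extract_fats(image):
    """Return each FAT copy as a separate bytes object."""
    bpb = parse_bpb(image)
    size = bpb["sectors_per_fat"] * bpb["bytes_per_sector"]
    start = bpb["reserved_sectors"] * bpb["bytes_per_sector"]
    return [bytes(image[start + i * size:start + (i + 1) * size])
            for i in range(bpb["num_fats"])]


def get_fat12_entry(fat, n):
    """FAT12 packs 12-bit entries; entry n lives at byte offset n + n//2."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def set_fat12_entry(fat, n, value):
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = word & 0xFF, (word >> 8) & 0xFF


def check_fats(image):
    """Return findings; an empty list means the FAT region looks intact."""
    findings = []
    bpb = parse_bpb(image)
    if bytes(image[510:512]) != b"\x55\xAA":
        findings.append("boot sector signature 55AA missing")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096) or bpb["num_fats"] == 0:
        findings.append("BPB values implausible; boot sector may be overwritten")
        return findings
    fats = extract_fats(image)
    for i, fat in enumerate(fats, 1):       # entry 0 = media byte, entry 1 = FFF
        if fat[0] != bpb["media"] or fat[1:3] != b"\xFF\xFF":
            findings.append(f"FAT{i}: reserved entries damaged (got {fat[:3].hex()})")
    for i in range(1, len(fats)):
        diff = sum(a != b for a, b in zip(fats[0], fats[i]))
        if diff:
            findings.append(f"FAT1 and FAT{i + 1} differ in {diff} bytes")
    if len(fats) < 2:
        findings.append("only one FAT copy present; nothing to cross-check")
    return findings


def restore_fats(image, backup_fat):
    """Write a saved FAT copy over every FAT copy in the image."""
    bpb = parse_bpb(image)
    size = len(backup_fat)
    start = bpb["reserved_sectors"] * bpb["bytes_per_sector"]
    out = bytearray(image)
    for i in range(bpb["num_fats"]):
        out[start + i * size:start + (i + 1) * size] = backup_fat
    return bytes(out)


def build_fat12_image(media=0xF0, bps=512, reserved=1, nfats=2, spf=9):
    """Constructed 1.44 MB-style FAT12 volume: boot sector + FAT copies, no data area."""
    boot = bytearray(bps)
    boot[0:3] = b"\xEB\x3C\x90"
    struct.pack_into(BPB_FORMAT, boot, 11, bps, 1, reserved, nfats, 224, 2880, media, spf)
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(spf * bps)
    fat[0:3] = bytes([media, 0xFF, 0xFF])       # media byte + two reserved entries
    set_fat12_entry(fat, 2, 3)                    # one file: cluster 2 -> 3 -> end
    set_fat12_entry(fat, 3, 0xFFF)
    return bytes(boot) + bytes(fat) * nfats


def scramble_fat(image, which):
    """Simulate a FAT-scrambling trojan by XORing one FAT copy with 0x5A."""
    bpb = parse_bpb(image)
    size = bpb["sectors_per_fat"] * bpb["bytes_per_sector"]
    start = bpb["reserved_sectors"] * bpb["bytes_per_sector"] + which * size
    out = bytearray(image)
    for k in range(start, start + size):
        out[k] ^= 0x5A
    return bytes(out)


if __name__ == "__main__":
    good = build_fat12_image()
    backup = extract_fats(good)[0]           # what a FAT backup saves to floppy
    print("clean:", check_fats(good))
    damaged = scramble_fat(good, 0)
    print("after trojan:", check_fats(damaged))
    print("restored:", check_fats(restore_fats(damaged, backup)))
```

Run against a raw image of a real floppy or DOS partition, the same checks apply to its first sectors; a restore is only as good as the most recent backup, since any cluster chain changed after the FAT was saved is lost. FAT16 keeps the same BPB layout but 16-bit entries, and FAT32 moves the fields, so both are outside this example.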
1) If the trojan low-level formatted your [hard] disk: Hope that you have a recent backup; that's the only sure remedy for this disease.

2) If the trojan high-level formatted your [hard] disk: There is only one way out of this mess, and that is to use the MACE+ utilities by Paul Mace. MACE+ has two devices in it to recover formatted disks, and believe me, they work! I will talk more about the MACE+ utilities later.

3) If the trojan scrambled your FAT table: Once again, there is nothing to do. However, there is a program called FATBACK.COM (available on my board, named FATBACK.ZIP) that will back up your FAT table to floppy in under a minute. Using FATBACK, it is easy and not time-consuming to back up your FAT regularly.

4) If the trojan erased file(s), and the FAT table is undamaged: There are many packages to undelete deleted files. Norton Utilities, PC-Tools, MACE+, and many others will do the job. I recommend the first three; they are commercially available at most computer software stores or mail-order stores. Mace Utilities can also be purchased from SOFTEX on CompuServe. When you are undeleting, be sure to undelete files in the order of last time written to disk.

5) If the boot sector on your [hard] disk gets erased/formatted: There are four things to do if this happens, and the worst that can happen is that you will go without a [hard] disk for a while. To be on the safest side, back up everything before even proceeding to step "A," although I cannot see why it would be necessary.

   A) Try doing a "SYS C:" (or "SYS A:") from your original DOS disk, and copy COMMAND.COM back onto the [hard] drive after that. Try booting, and if that doesn't work, try step B.

   B) If you have the MACE+ utilities, go to the "other utilities" section and "restore boot sector." This should do the job if you have been using MACE+ correctly. If using PCTOOLS Deluxe, use the MIRROR REBUILD utility function.
   C) If you are still stuck, BACK UP EVERYTHING and proceed to do a low-level format. Instructions on how to perform a low-level format should come with your [hard] disk controller card. Be sure to map out bad sectors using either SCAV.COM by Chris Dunford or by manually entering the locations of bad sectors into the low-level format program. After the low level format on your hard disk, run FDISK.COM (it comes with DOS) and create a DOS partition. Refer to your DOS manual for help in using FDISK. Then put your original DOS diskette in drive A: and do a FORMAT :/S/V. The drive letter can stand for "C" or "B" depending on whether you are reformatting a [Hard] disk or not. Finally you are ready to attempt a reboot.

   D) If you are still stuck, either employ some professional computer repair person to fix your drive, or live with a non-bootable [hard] drive.

A few words of caution on prevention:

1) Get the protection programs from a RELIABLE source. Always ask about any unknown program -- virus protection or otherwise -- before downloading or running it. Know your source! Get it from SDNet/Works! FidoNet nodes if they come through SDN.

2) Don't let down your guard! Most virus protection programs intercept specific types of activities (disk writes, for example) or specific viruses (such as Apple's VirusRX targeting the Scores virus). So USE A VIRAL CHECKER when running new BBS programs. Use ** VirusScan! **

3) Make periodic file listings and compare them regularly to prior listings. Look for unusual changes or unfamiliar files like Hidden or System files. INVESTIGATE ANYTHING OUT OF THE ORDINARY! Is your system slowing down or failing all the time?

4) BACKUP - BACKUP - BACKUP! Keep current backups. I know, I know. Everyone tells you, even your mom (smile). At least make regular copies of your most important databases and files, and most important, KEEP your OLD COPIES around a little longer just to be on the safe side.
I have a set devoted strictly to a MASTER BACKUP in case my system's current backup is bad. Then all is not lost, as I have a MASTER to put me back up.

5) Don't run programs that you got off a BBS on your BOSS's machine! Use your own PC first. This could save you the embarrassment of facing his ugly mug (smile) and losing your job. Many companies now have policies regarding this.

6) Never run or access a diskette that might contain the SYSTEM files. These may be contaminated and could infect your system. Know your source! The same goes for COMMAND.COM.

7) USE WRITE PROTECT TABS! A virus can't infect something it can't write to. Use them; they are the cheapest method of prevention.

* REMEMBER: The Best Defense is a Good * BACKUP *

---------------------------------------------------------------
|                       Update History:                       |
---------------------------------------------------------------

Version 1.0a
    The first list of The Guardian, compiled from the Dirty Dozen List and from the DIRTY_DOZEN echo conference. The Guardian List will be distributed thru FidoNet and LCRNET. It, unlike the Dirty Dozen List, is comprised of only Trojans and Viruses and is sent out more often than The Dirty Dozen List. Added PK100.EXE, B30012A.ARC.

Version 1.0b
    Added plug for SDNet/Works!, and a plug for the VirusScan utility. Added GRASPRT.EXE, KC-PAL.COM.

Version 1.0c
    Added FOX2.ARC (Show.com), HEART.EXE, JIV40.LZH, JIV.COM, MOUSEKEY.COM, NORTSTOP.ZIP/NORTSHOT.ZIP, PKZ120.EXE, VGA2CGA.ARC, VU.EXE. Also reworded text file by Sally Nueman.

-----------------------------------------------------------------
|                           Glossary:                           |
-----------------------------------------------------------------

I have intended this glossary for the beginning to intermediate user; all experienced BBS users will be bored to death with this.

?Q?          -- (? standing for any character). File extension for SQueezed files. Squeezed files are unusable until unsqueezed by a utility such as NUSQ.COM or USQ.COM.
The advantage of a SQueezed file is that it is smaller than a regular UnSQueezed file, thus saving disk space and download time. ARChives are more efficient than Squeezed files; that's why there are so many more ARChives on BBS's these days. Examples of the extensions of SQueezed files: .EQE, .CQM, .LQR, .TQT, .DQC, etc.

ABBRV -- Abbreviation for the word "abbreviation".

ARC -- File extension for an ARChive file: many files combined together to save space and download time. They require ARC.EXE, PKXARC.COM, ARCE.COM, or ARCLS.EXE to separate the files into runnable and readable (in the case of text) form.

BAS -- Abbrv for "BASIC," as in the programming language.

BBS -- Abbrv for "Bulletin Board System".

BBS's -- Abbrv for "Bulletin Board Systems".

BOARD -- Also "Bulletin Board System".

BOGUSWARE -- Software that is damaging to one or more parties.

BOOT or REBOOT -- To boot a computer is to restart it from scratch, erasing all TSR programs. One reboots by either powering off and then back on, or pressing ctrl-alt-del at the same time.

BYTES -- Bytes measure the length of a file, with one byte equaling one character in a file.

CACHE [disk] -- Area of memory set aside to hold recent data. All programs then read recent data from that memory rather than from disk.

CLUSTER -- A physical block on all [hard] disks composed of sectors that hold data.

COM -- File extension for a file that is executable from DOS level.

DD -- Abbrv for "dirty dozen".

DOC -- Abbrv for "documentation".

EMS -- Enhanced Memory Specification. An EMS card holds 2 MB extra memory.

EXE -- File extension for a file that is executable from DOS level.

FIDONET -- A network designed and created by Tom Jennings and his software. A TRADEMARK.

HACKED -- A program that has been changed in some way by another person or program.

HIGH-LEVEL FORMAT -- This type of format is what most computer users view as a regular DOS-format.
That is, formatting a disk using FORMAT.COM (included with DOS) is a high-level format.

IBM -- Abbrv for International Business Machines.

IBM OR COMP -- IBM computer or a 99% or greater IBM Compatible computer.

KB OR K -- Abbrv for "KiloBytes." One Kb equals 1024 bytes.

LBR -- Extension on Library files. Library files are really many combined files like ARChives, but they require different utilities to extract the individual files. Some examples of such utilities are LUU.EXE, LUE.EXE, LAR.EXE, AND ZIP.EXE. See "ARC".

LOW-LEVEL FORMAT -- This type of format is only executed on a [Hard] disk; therefore, most [Hard] disk low-level format programs come only with a [Hard] disk controller card. There are a few PD low-level formatting packages, though. Most manufacturers low-level format their [Hard] drives at the factory. Low-level formatting is the first step in the three-part formatting process; the second step is to use FDISK, and the third is to execute a high-level format.

MB -- Abbrv for "Megabytes," or "millions of bytes."

MISC -- Abbrv for "miscellaneous".

OPTIMIZE -- To make all files on a disk "contiguous," or physically linked together on a [hard] drive.

PAK -- An alternate ARCer used in the BBS community.

PATCH -- A file that is patched (combined) into another file to change the original file in some way.

PD -- Abbrv for "Public Domain".

PIRATED -- An altered program that normally is sold but hacked to resemble a PD program.

RAM -- Abbrv for "Random Access Memory" (memory used by software).

RBBS -- Abbrv for RBBS-PC, a type of BBS (Remote Bulletin Board System).

ROM -- Abbrv for "Read Only Memory" (memory used by hardware to boot).

SDN -- File extension used by SDNet/Works! to identify SDNet/Works!-published ShareWare files. These files are direct from the Author and are Virus/Trojan free if obtained from a participating SDNetWorks! BBS.

SDS -- System Distribution System.
A FidoNet subsystem that is used to distribute BBS software, utilities, and newsletters.

SYSOP -- Abbrv for SYStem OPerator of a BBS.

TROJAN -- Program used to destroy or hamper a computer in some manner.

TSR -- Abbrv for "Terminate and Stay Resident"; Synonym = "Memory Resident".

TXT -- Abbrv for "text".

USU -- Abbrv for "usually".

UNP -- Abbrv for "unprotect".

UNPROTECT -- An "unprotect file" is a patch file that results in the breaking of copy protection (no doubt for backup purposes).

UTIL -- Abbrv for "utility".

VIRUS/WORM -- The Ultimate Trojan! Designed to infect the computer system and to replicate itself to survive.

ZIP -- An alternate ARCer used by the BBS community.

ZOO -- All files compressed with ZOO.EXE bear this file extension. ZOO-compressed files are NOT compatible with ARC.EXE.

<< End of file >>
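Prevention tip 3 above says to keep periodic file listings and compare them to prior ones, watching for changed files and unfamiliar Hidden or System files. The following is an added example of that check, not code from The Guardian List: it records size and a SHA-256 digest per file (a digest catches the size-preserving edits a plain DIR listing misses), flags Hidden/System attributes where the platform reports them and dotfiles elsewhere, and diffs two listings. The sample directory and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Listing of every file under root: relative path -> size, SHA-256, hidden flag."""
    root = Path(root)
    listing = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        # Windows reports DOS Hidden/System attributes; elsewhere treat dotfiles as hidden.
        attrs = getattr(st, "st_file_attributes", 0)
        hidden = bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM)) \
            or any(part.startswith(".") for part in p.relative_to(root).parts)
        listing[p.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "hidden": hidden,
        }
    return listing

def compare(old, new):
    """Differences between two listings: what appeared, vanished, changed, or is hidden."""
    report = {"added": [], "removed": [], "changed": [], "hidden": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name]["sha256"] != new[name]["sha256"]:
            report["changed"].append(name)   # same size, different content still shows here
        if name in new and new[name]["hidden"]:
            report["hidden"].append(name)
    return report

def demo():
    """Constructed scenario: baseline a directory, then make the kinds of changes tip 3 warns about."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "COMMAND.COM").write_bytes(b"original command interpreter")
        (root / "README.TXT").write_bytes(b"hello")
        before = snapshot(root)
        (root / "COMMAND.COM").write_bytes(b"original command interpretex")  # same length, new bytes
        (root / ".IO.SYS").write_bytes(b"unexpected hidden file")            # unfamiliar hidden file
        (root / "README.TXT").unlink()
        return compare(before, snapshot(root))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {', '.join(names) or '-'}")
```

Save the output of `snapshot()` (for example as JSON) after each session and feed the previous one to `compare()`; anything under "changed" or "hidden" that you did not do yourself is the "out of the ordinary" the tip says to investigate.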