The Hack Report Vol 02 No 05
=========================================================================
                                    ||
From the files of The Hack Squad:   ||  by Lee Jackson, Moderator, FidoNet
                                    ||  Int'l Echos SHAREWRE & WARNINGS
          The Hack Report           ||  Volume 2, Number 5
         File Test Results          ||  Result Report Date: April 27, 1993
                                    ||
=========================================================================
*************************************************************************
*                                                                       *
*  The following test was performed by and the results are courtesy     *
*  of Jeff White and Bill Logan of the Pueblo Group in Tucson,          *
*  Arizona. Their assistance is greatly appreciated.                    *
*                                                                       *
*************************************************************************
File: PHYLOX.ARJ
Description: Fun VGA game from Britain. Has you battling insects & monsters
in subterranean caves. Needs 640k, 286+.
Brief: This popular Shareware game has been hacked. It is now a trojan
that will wipe out your C: drive. The hack author's changes are easy to
spot: the time/date stamps on the files that were added/altered are
all from February 1993, whereas the files that came with the original
archive are dated up to November 1992. Two added programs, SETUP.EXE
and INSTALL.EXE, are exact matches of each other (by date/time, size,
CRC) and are the programs responsible for wiping the hard drive.
Another added program, PHYLOX.EXE, is reported as suspicious by
F-Prot 2.07 (heuristics mode), possibly containing a memory-resident
infector. INSTALL.DAT contains a vulgar message. The hack's author also
did something strange: he included the original PHYLOX game with his hack
distribution. This file, called PHYLOX.DAT, is actually the original,
authenticated ARJ file of the unaltered Phylox game!
Contents: (listed in wide form because of the number of files)
-------------------------------------------------
Directory of D:\PHYLOX
[.] [..] AR.SP ARM1.PIC ARM2.PIC
ARM3.PIC ARM4.PIC ARM5.PIC ASCENE.PIC AUDIO.INS
BACKSCR.TXT CAVPIC.PIC COMING.EXE COMP.BPR COMP.SAV
COMP.SPR CONFIG.PIC D.LEV EC.PAL EG.SPR
EG2.SPR EOL.SPR EOL1.SPR EOL2.SPR EX1.BPR
EX1.SAV EX1.SPR FLAME.SPR FONT.SP FOOT.BPR
FOOT.SAV FOOT.SPR GAMEOV.SP GETRED.SP GREN.BPR
GREN.SAV GREN.SPR GUN.BPR GUN.SAV GUN.SP
GUN.SPR GUNC.SP HAT.SP HEART.BPR HEART.SAV
HEART.SPR HI.SP HI.TBL HOOK.BPR HOOK.SAV
HOOK.SPR INC-VIOL.EXE INS.SP INSTALL.DAT INTRO.SPR
JET.SP LAUGH1.BPR LAUGH1.SAV LAUGH1.SPR LEGAL.TXT
MENU.PIC MISCC.SP OBJ.SP PAL.SCR PCAV.EXE
PHYLOX.EXE PHYLOX.CFG PHYLOX.DAT PING.BPR PING.SAV
PING.SPR PMAIN.EXE PMAIN.PAL PRUN.EXE PSP.PLB
PT1.SP PT2.SP PT3.SP PY.EXE RAZEI.SP
RETB.SP RETROXA.SP RETROXC.SP RETROXU.SP RETS.SP
RIC.BPR RIC.SAV RIC.SPR RICO.SP RUN1.BLA
RUN1.BLK RUN1.ELE RUN1.INF RUN1.INS RUN1.IR
RUN1.LEV RUN1.MAP RUN1.MOV RUN1.PAL RUN1.PAT
RUNPIC.PIC SC.PAL SCORE.BPR SCORE.SAV SCORE.SPR
SCORE1.SP SCREAM.BPR SCREAM.SAV SCREAM.SPR SHOUT.BPR
SHOUT.SAV SHOUT.SPR SMART.SP SOLD.BPR SOLD.SAV
SOLD.SPR SPLAT.BPR SPLAT.SAV SPLAT.SPR STORE.BLA
STORE.BLK STORE.ELE STORE.INF STORE.INS STORE.IR
STORE.LEV STORE.MAP STORE.MOV STORE.PAL STORE.PAT
STORE.TMP STORY.PIC TDN.SP TUP.SP WINCH.BPR
WINCH.SAV WINCH.SPR MAIN.DOC PHYLOX.PAL INSTALL.EXE
RUNME.BAT SETUP.EXE
142 file(s) 1615125 bytes
Altered/added files:
--------------------
INSTALL DAT 1527 02-20-93 11:44p
* (Vulgar message) *
PHYLOX EXE 898 02-17-93 12:08a
* (Suspicious program [F-Prot]) *
PHYLOX CFG 788 02-08-93 8:01p
* (Phylox's configuration file - harmless) *
INSTALL EXE 7360 02-14-93 8:36p
SETUP EXE 7360 02-14-93 8:36p
* (Trojan files - wipe out drive C: - same file [CRC check]) *
RUNME BAT 22 02-16-93 1:36a
* (Runs PHYLOX.EXE then PY.EXE - executes suspicious file) *
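
The two checks the Brief relies on (file stamps later than the original release, and differently named files that match by size and CRC), as an added Python example that is not part of the original report. The helper names and all file contents are assumptions made for the illustration; the reference date is the archive date ARJ reports for PHYLOX.DAT.

```python
import zlib
from collections import defaultdict
from datetime import datetime
from pathlib import Path

def snapshot(root):
    """(name, mtime, size, crc32) for each file directly under root."""
    rows = []
    for p in sorted(Path(root).iterdir()):
        if p.is_file():
            data = p.read_bytes()
            mtime = datetime.fromtimestamp(p.stat().st_mtime)
            rows.append((p.name, mtime, len(data), zlib.crc32(data)))
    return rows

def newer_than(rows, cutoff):
    """Names stamped after the reference release date (added or altered)."""
    return sorted(name for name, mtime, _, _ in rows if mtime > cutoff)

def identical_groups(rows):
    """Sets of differently named files that share both size and CRC-32."""
    groups = defaultdict(list)
    for name, _, size, crc in rows:
        groups[(size, crc)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

def row(name, mtime, data):
    return (name, mtime, len(data), zlib.crc32(data))

# Reference date: the "Archive date" ARJ reports for the authentic PHYLOX.DAT.
RELEASE = datetime(1992, 11, 27, 10, 45, 52)

# Constructed sample. Names, sizes and stamps of the six 1993 files follow the
# report's "Altered/added files" table; every byte of content is made up, and
# the three 1992 rows (sizes, stamps, content) are made up as well.
SAMPLE = [
    row("INSTALL.DAT", datetime(1993, 2, 20, 23, 44), b"m" * 1527),
    row("PHYLOX.EXE", datetime(1993, 2, 17, 0, 8), b"x" * 898),
    row("PHYLOX.CFG", datetime(1993, 2, 8, 20, 1), b"c" * 788),
    row("INSTALL.EXE", datetime(1993, 2, 14, 20, 36), b"t" * 7360),
    row("SETUP.EXE", datetime(1993, 2, 14, 20, 36), b"t" * 7360),
    row("RUNME.BAT", datetime(1993, 2, 16, 1, 36), b"r" * 22),
    row("PMAIN.EXE", datetime(1992, 11, 20, 9, 0), b"p" * 7360),  # same size, other CRC
    row("PY.EXE", datetime(1992, 11, 20, 9, 0), b"y" * 4096),
    row("LEGAL.TXT", datetime(1992, 10, 5, 14, 30), b"l" * 512),
]

if __name__ == "__main__":
    print("stamped after release:", newer_than(SAMPLE, RELEASE))
    print("identical by size+CRC:", identical_groups(SAMPLE))
```

File stamps are set by whoever built the archive, so late stamps are a useful tell but their absence proves nothing.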
Virus Activity:
---------------
Virus scanning report - 27. April 1993 11:22
F-PROT 2.07 created 3. February 1993
Virus signatures created 30. January 1993
Method: Heuristics
Targets: Boot/File
Files: Standard executables
Scanning boot sector D:
Analysing D:\PHYLOX\PHYLOX.EXE - Very suspicious file
This program seems to contain a memory-resident virus, which infects
other programs when they are executed.
Results of virus scanning:
Files: 140 (1.5 MB) Scanned: 9 (415 KB)
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0
Notes:
------
The file PHYLOX.DAT included with the archive is actually an ARJ file
that has been renamed to a DAT file. It is an authenticated ARJ which
contains the original, unaltered Phylox game. Authentication follows:
Processing archive: D:\PHYLOX\PHYLOX.DAT
Archive date : 1992-11-27 10:45:52
ARJ archive created by Precision Software Publishing. Tel:0223 208288 R#0493