echo: virus_info
to: ROD FEWSTER
from: DANNY SOSEBEE
date: 1997-01-18 11:41:00
subject: On-Topic?

rf> If the program is doing the dirty on your data then it's either a virus
rf> or a Trojan, and you're more than welcome to expose it here.
Thanks for the reply, Rod.  While the program has done ME no harm as yet, 
it's probably because I caught it BEFORE I installed it and spotted the 
warning signs.  Here are what details I can give you (and everybody else):
One of my users sent me a file called LORDHOME.ZIP, which he said was some 
sort of IGM (In-Game Module) used with Seth Able's successful Legend Of the 
Red Dragon online game.  This user knows I am always searching for new IGM's 
for my BBS, so he sent me this thing.
Being the curious type, I unzipped the archive and took a look inside.  What 
I found made me extremely suspicious, as you will see, so I zipped it back up 
and have not attempted to install or run it.
First, the technical details as reported by PKUNZIP -V LORDHOME.ZIP:
 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
     80  DeflatX     80   0%  12-25-96  07:51  d3602239 --w-  READ.ME
  37858  DeflatX  37733   1%  04-17-96  13:54  12f6df9f --w-  IGMSCR1.SCO
  45292  DeflatX  45243   1%  09-10-96  12:28  97a8d9f8 --w-  IGMSCR2.SCO
     49  Stored      49   0%  12-24-96  23:17  d3bad93e --w-  LORD.ICO
  29378  DeflatX  29086   1%  02-01-93  02:04  00832770 --w-  LORDGMAN.SCO
   5844  DeflatX   3560  40%  12-24-96  23:18  dcc75ed4 --w-  IGMLORD.EXE
 ------          ------  ---                                  -------
 118501          115751   3%                                        6
As for the files themselves, here is what I found when I went 'poking 
around':
The file READ.ME contains the following text:
Run IGMLORD.EXE to install IGM.
It Will Prompt For Path, and Other Options.
The files IGMSCR1.SCO and IGMSCR2.SCO appear to contain executable code or
encrypted data of some kind.
The file LORDGMAN.SCO also appears to contain executable code, and has the 
following text imbedded close to the top of the file:
PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
The file IGMLORD.EXE contained text segments near the end which appear to be 
DOS commands involved with renaming files contained in the archive and 
changing attributes on some files.
The file LORD.ICO contains what appears to be a plain-text batch file 
utilizing directory changes along with the DOS DELTREE command to apparently 
wipe out your primary HD.  I didn't want to get too detailed here in case 
some unfriendly person is reading this echo.
This whole series of files looks VERY suspicious to me, although I'm hardly an 
expert on the subject.  I shudder to think what might have happened to me had 
I actually tried out this program.  The user who sent it to me apparently had 
no idea of the potential danger, but did admit that the BBS he got it from 
went down suddenly and is still down.  After looking at that file, I suspect 
I know why...
Is there anyone who I can send this thing to for a detailed examination?  I 
didn't want to get too detailed just in case some unfriendly person tried to 
copy it.  I still have the file, and am willing to send it to a valid virus 
and/or trojan researcher if necessary.  I can be reached via Netmail at 
FidoNet 1:3616/20 or via BBS E-Mail at (770) 869-3410.
                                                                Danny
--- PB2.01+FE1.45+DB1.54
---------------
* Origin: Phoenix StarFighter BBS (1:3616/20)

SOURCE: echomail via exec-pc
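
Added example (not part of the original message or of the archive it describes): the look-inside-without-running check from the post, written as Python that reads each ZIP member in memory and flags the same warning signs. The command list, the function names and the sample archive are constructed assumptions; the sample bytes are inert stand-ins, not the real files.

```python
import io
import re
import zipfile

# DELTREE is named in the post; ATTRIB and REN/RENAME stand in for the
# "changing attributes" and "renaming files" it mentions (assumed list).
DOS_COMMANDS = re.compile(rb"\b(DELTREE|ATTRIB|REN(?:AME)?)\b", re.I)
EXECUTABLE_EXTS = {".EXE", ".COM"}


def triage(zip_bytes):
    """Return {member name: [findings]} without writing or running anything."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)  # decompressed in memory only
            ext = "." + info.filename.rsplit(".", 1)[-1].upper()
            findings = []
            if data[:2] in (b"MZ", b"ZM") and ext not in EXECUTABLE_EXTS:
                findings.append("DOS executable header under " + ext)
            if b"PKLITE" in data[:512]:
                findings.append("PKLITE marker")
            printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
            is_text = bool(data) and printable / len(data) > 0.95
            hits = sorted({m.group(1).upper().decode()
                           for m in DOS_COMMANDS.finditer(data)})
            if hits:
                kind = "plain-text" if is_text else "embedded"
                findings.append(kind + " DOS commands: " + ", ".join(hits))
            report[info.filename] = findings
    return report


def build_sample():
    """Constructed, inert stand-in for the archive layout in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("READ.ME", "Run IGMLORD.EXE to install IGM.\r\n")
        zf.writestr("LORD.ICO", "@ECHO OFF\r\nREM constructed\r\nDELTREE placeholder\r\n")
        zf.writestr("LORDGMAN.SCO", b"MZ" + b"\x00" * 28 + b"PKLITE (constructed)")
        zf.writestr("IGMLORD.EXE", b"MZ" + b"\x90" * 30 + b"\x00ATTRIB\x00REN\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage(build_sample()).items():
        print(name, "->", findings or "nothing flagged")
```

A match is a prompt for closer examination, not a verdict: the check only surfaces extension/content mismatches and command strings of the kind the post reports.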
