Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: SLCLANCY@UCI.BITNET (Steve Clancy)
Newsgroups: comp.virus
Subject: Trojan horse on CompuServe
Message-ID: <0004.y8907031857.AA11952@ge.sei.cmu.edu>
Date: 3 Jul 89 16:18:38 GMT
Sender: Virus Discussion List <VIRUS-L@IBM1.CC.Lehigh.EDU>
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 45
Approved: krvw@sei.cmu.edu

I posted this message on the CompuServe Information Service today, and
thought I would share it with the other members of Virus-L.  The text
of the message follows:
.
"I recently downloaded a file from library #2 of the SCIFI forum.
The file, called STARS3.EXE is a trojan horse.  It has been
mentioned for at least a couple of years in a listing of known
trojan horses and viruses called "The Dirty Dozen."  The
description (from DIRTY DOZEN VER. 8B) is included below:
*
*
STAR.EXE        3072  T   Beware RBBS-PC SysOps!  This file puts
                         some stars on the screen while copying
                         RBBS-PC.DEF to another name that can be
                         downloaded later!
*
After downloading this file, I checked it carefully using a
program called CHK4BOMB.EXE which, among other things, dumps the
program listing to the screen so that any ASCII threats, taunts,
etc. can be seen.  I found the strings "RBBS-PC DEF" and
"RBBS-PC" in this program.
*
Now the security present in current versions of RBBS does not allow
any file with the extension "DEF" to be downloaded by users.  In
addition, running this program DID NOT copy my RBBS-PC.EXE file
to RBBS-PC.DEF as explained above, however, there may be some
timing feature that I am not aware of.
*
In any event, I would highly suggest that you remove this file as
soon as possible!  It is potentially a dangerous file that is
designed (though not very well!) to compromise the security of
anyone who runs the RBBS-PC bulletin board software.
*
Please don't hesitate to contact me if you have any further
questions.
*
Steve Clancy
714-856-7309, 71066,416"
.
.
%   Steve Clancy, Biomedical Library  %  WELLSPRING RBBS            %
%   P.O. Box 19556                    %  714-856-7996 300-9600      %
%   University of California, Irvine  %  714-856-5087 300-1200      %
%   Irvine, CA  92713                 %                             %
%   SLCLANCY@UCI                      %  "Are we having fun yet?"   %