Date: 03-02-89 (18:18)              Number: 7706
  To: SAMUEL SMITH                  Refer#: 7704
From: FRED CLARK                      Read: 03-03-89 (18:15)
Subj: "VIRUS"                       Status: RECEIVER ONLY

I know Sam. At this point we are not sure of what is going on with the
two sysops involved. As you indicate, one lost his '\pcb' location
several times, the other his root. However, their comments as to what
program they were running does not necessarily correlate to the problem -
since the damage may have occurred at some other point in time. We are
trying to obtain more information from them on what they have installed
on their systems recently - since at this point it appears to be isolated
to only those two people. Hopefully someone is not spreading some hacked
code which is doing system damage.

Fred

Date: 03-03-89 (06:10)              Number: 7707
  To: SAMUEL SMITH                  Refer#: 7704
From: DAVID TERRY                     Read: NO
Subj: "VIRUS"                       Status: RECEIVER ONLY

Sam,

The trojan appears to be a DSZ module dated 1/17/89. See further
information in the support conference.

«« David W. Terry »»

Date: 03-03-89 (17:50)              Number: 7716
  To: SYSOP                         Refer#: NONE
From: ROBERT BLACHER                  Read: NO
Subj: DSZGOOD.ZIP                   Status: PUBLIC MESSAGE

DSZGOOD.ZIP is really DSZ0223.ZIP, but you already have a file by that
name on the system. In light of the messages in the support conference,
I've sent this along anyway as I *know* it's an untampered-with copy --
our Xenix machine polls Omen daily and got this copy directly from him.
So, I'd suggest you purge the 4-5 copies of DSZ sitting on your dir 9,
rename this one, and hopefully that will be the end of this latest
"virus" scare.

Date: 03-03-89 (05:45)              Number: 56816
  To: MILES LESTER                  Refer#: 56808
From: DAVID TERRY                     Read: 03-03-89 (15:44)
Subj: HELP!                         Status: PUBLIC MESSAGE

Miles,

We've had several people here confirm that they are using DSZ dated
1/17/89 ... and the description seems to be the same so far -- the files
are wiped out AFTER a DSZ file transfer. I would recommend that you
replace your DSZ and see if that cures the problem.

«« David W. Terry »»

Date: 03-03-89 (00:56)              Number: 56820
  To: SYSOP                         Refer#: NONE
From: KEVIN FONG                      Read: 03-03-89 (09:02)
Subj: CONFIRMED DSZ TROJAN          Status: PUBLIC MESSAGE

I have uploaded the trojan DSZ file as DSZTROJ.ARC. Take a look at it.
It will delete any subdirectory it is called from, as well as delete the
root directory (including hidden files such as Paul Mace's BACKUP.M_U).
You must execute it with command line params while connected. Executing
it locally doesn't seem to trigger it. It will not "go off" prior to
3/2/89 at 7am, nor will it "go off" on 3/3/89, so it may be limited to
one day (who knows?).

---------------

One other user just reported losing 18 megs on his system after running
his release of DSZ (a REGISTERED version!).

Kevin.

Date: 03-03-89 (07:53)              Number: 56826
  To: MICHAEL CLEVERLY              Refer#: 56822
From: DAVID TERRY                     Read: NO
Subj: CAUTION ...                   Status: PUBLIC MESSAGE

Michael,

It appears to be a copy of DSZ dated 1/17/89 that might be creating all
of the havoc ... please check your files and see if you too are using
this program.

«« David W. Terry »»

Date: 03-03-89 (10:19)              Number: 56847
  To: ALL                           Refer#: NONE
From: FRED CLARK                      Read: HAS REPLIES
Subj: CAUTION                       Status: PUBLIC MESSAGE

As a follow up to the previous CAUTION message. A pattern appears to be
developing in that sysops who are having the problem of wiped out drive
locations are all experiencing the problem when using the 01/27/89
version of DSZ.COM. If you are using that version of the program, we
suggest you consider removing it from your system and replacing it with
a different version of the program - since it may be that a corrupted or
hacked version of that module is being passed around. Again, we urge
everyone to use caution when installing new PD programs on their system
to insure the reliability of the source location of the file.

Fred

Date: 03-03-89 (10:24)              Number: 56849
  To: FRED CLARK                    Refer#: 56847
From: CARL EVANS                      Read: 03-03-89 (10:51)
Subj: CAUTION                       Status: PUBLIC MESSAGE

1-29-89?
or 1-17-89? All of the previous messages referred to the 1-17 DSZ, but
your message pointed at 1-29. Which one is the trojan or is it both?

Carl

Date: 03-03-89 (10:51)              Number: 56853
  To: CARL EVANS                    Refer#: 56849
From: FRED CLARK                      Read: NO
Subj: CAUTION                       Status: PUBLIC MESSAGE

Carl - I goofed on the other messages. It should be the 01/29/89
version.

Fred

Date: 03-03-89 (13:56)              Number: 56860
  To: FRED CLARK                    Refer#: 56835
From: MARK TURNER                     Read: 03-03-89 (14:10)
Subj: 'VIRUS'                       Status: PUBLIC MESSAGE

I'm at work now but will get it this evening and let you know... For the
time being I have gone back to a DSZ dated 9/something/88.

I did do some testing and found if I used the 1/17/89 version straight
out of the package it was OK, if I registered it then the problem
occurred...

Thanks again...

Date: 03-03-89 (15:23)              Number: 56869
  To: MARK TURNER                   Refer#: 56860
From: RAY CRAMER                      Read: NO
Subj: 'VIRUS'                       Status: PUBLIC MESSAGE

Mark,

I lost my files too and seem to be running a version between 1-17 and
2-09. I am too a registered user and I think the 2-09 is when I put my
number into the program.

Ray Cramer == > SysOp of "The DogHouse BBS" (713) 422-3146 Baytown,Tx

Date: 03-03-89 (15:41)              Number: 56871
  To: FRED CLARK                    Refer#: 56758
From: MARK HICKS                      Read: 03-03-89 (15:43)
Subj: CAUTION ...                   Status: PUBLIC MESSAGE

I too just yesterday had all non-read-only files erased in my ROOT dir,
as well as some other *.exe files (like zdoor.exe); however I saw the
message

    fatal error system error ( 53 9365 ) pcboard fatal 0 9365

strange, huh?

Date: 03-03-89 (15:42)              Number: 56872
  To: ALL                           Refer#: NONE
From: FRED CLARK                      Read: HAS REPLIES
Subj: CAUTION - CONTINUED!          Status: PUBLIC MESSAGE

Folks - this wiping out of drives is really getting serious! It seems
that there may be a wide variation of dates involved here - but all seem
to be centered around later versions of DSZ. Due to the fact that some
dates may be different based on the type of download performed to obtain
the file (i.e. an XMODEM, etc.
download would produce a new date, where a DSZ download would preserve
the original date), we caution all of you to try and obtain a 'known'
good working copy of DSZ from any source. We will post the version we
are currently using here (although it is very, very old), in the event
some of you wish to use it instead of one of the later versions.

Fred

Date: 03-03-89 (15:43)              Number: 56873
  To: MARK HICKS                    Refer#: 56871
From: FRED CLARK                      Read: 03-03-89 (15:46)
Subj: CAUTION ...                   Status: PUBLIC MESSAGE

Well - that error message is simply a result of all the files being
wiped out after whatever it is is doing its dirty work. At the point all
of the files are gone, PCBoard will return the error message - since
many of the files needed for it to operate are now missing!

Fred

Date: 03-03-89 (15:54)              Number: 56878
  To: FRED CLARK                    Refer#: 56872
From: MILES LESTER                    Read: 03-03-89 (17:12)
Subj: CAUTION - CONTINUED!          Status: PUBLIC MESSAGE

Fred,

PRODOOR and several other doors required a DSZ dated after 08/88 in
order to do their transfers. Do you think you could locate a good copy
after that date for us?

Miles Lester

Date: 03-03-89 (17:12)              Number: 56882
  To: MILES LESTER                  Refer#: 56877
From: FRED CLARK                      Read: NO
Subj: HELP!                         Status: PUBLIC MESSAGE

Nope - other than to possibly try the version we have posted here.
Again, at this point no one is quite sure what program or version of a
specific program is causing the problem. However, the pattern (as
indicated) is all pointing to a recent version of DSZ.

Fred

Date: 03-03-89 (17:12)              Number: 56883
  To: MILES LESTER                  Refer#: 56878
From: FRED CLARK                      Read: NO
Subj: CAUTION - CONTINUED!          Status: PUBLIC MESSAGE

I don't have one here - but will open up your message so that in case
someone else does - they can upload it.

Fred

Date: 03-03-89 (17:22)              Number: 56884
  To: FRED CLARK                    Refer#: NONE
From: ROBERT BLACHER                  Read: NO
Subj: DSZ VERSIONS                  Status: PUBLIC MESSAGE

Sigh -- if folks would only read the docs.
The current version of DSZ as I write this message is 2/23/89. However,
for the last several versions of DSZ, the following warning has appeared
in the DOC file under CHANGES:

    A problem in the 1/17/89 and 2/2/89 versions corrupts files under
    unusual circumstances. Please delete all instances of the 1/17/89
    and 2-02-89 version.

In short, if folks are using either of those 2 versions, they should
either get a newer one or drop back to an earlier version. DSZ 2/23
seems fine and I'll happily upload a copy I received directly from Chuck
on a later call (I don't have it on this machine).