
Date: 03-02-89 (18:18)              Number: 7706
  To: SAMUEL SMITH                  Refer#: 7704
From: FRED CLARK                      Read: 03-03-89 (18:15)
Subj: "VIRUS"                       Status: RECEIVER ONLY

I know Sam.  At this point we are not sure of what is going on with the
two sysops involved.  As you indicate, one lost his '\pcb' location
several times, the other his root.
 
However, their comments as to what program they were running do not
necessarily correlate to the problem - since the damage may have occurred
at some other point in time.
 
We are trying to obtain more information from them on what they have
installed on their systems recently - since at this point it appears to
be isolated to only those two people.
 
Hopefully someone is not spreading some hacked code which is doing
system damage.
 
Fred

Date: 03-03-89 (06:10)              Number: 7707
  To: SAMUEL SMITH                  Refer#: 7704
From: DAVID TERRY                     Read: NO
Subj: "VIRUS"                       Status: RECEIVER ONLY

Sam,
 
The trojan appears to be a DSZ module dated 1/17/89.  See further
information in the support conference.
 
                                           David W. Terry 

Date: 03-03-89 (17:50)              Number: 7716
  To: SYSOP                         Refer#: NONE
From: ROBERT BLACHER                  Read: NO
Subj: DSZGOOD.ZIP                   Status: PUBLIC MESSAGE

DSZGOOD.ZIP is really DSZ0223.ZIP, but you already have a file by that
name on the system.  In light of the messages in the support conference,
I've sent this along anyway as I *know* it's an untampered-with copy --
our Xenix machine polls Omen daily and got this copy directly from him.
 
So, I'd suggest you purge the 4-5 copies of DSZ sitting on your dir 9,
rename this one, and hopefully that will be the end of this latest
"virus" scare.

Date: 03-03-89 (05:45)              Number: 56816
  To: MILES LESTER                  Refer#: 56808
From: DAVID TERRY                     Read: 03-03-89 (15:44)
Subj: HELP!                         Status: PUBLIC MESSAGE

Miles,
 
We've had several people here confirm that they are using DSZ dated
1/17/89 ... and the description seems to be the same so far -- the files
are wiped out AFTER a DSZ file transfer.  I would recommend that you
replace your DSZ and see if that cures the problem.
 
                                           David W. Terry 

Date: 03-03-89 (00:56)              Number: 56820
  To: SYSOP                         Refer#: NONE
From: KEVIN FONG                      Read: 03-03-89 (09:02)
Subj: CONFIRMED DSZ TROJAN          Status: PUBLIC MESSAGE

I have uploaded the trojan DSZ file as DSZTROJ.ARC.  Take a look at it. 
It will delete any subdirectory it is called from, as well as delete the
root directory (including hidden files such as Paul Mace's BACKUP.M_U).
You must execute it with command line params while connected.  Executing
it locally doesn't seem to trigger it.
 
It will not "go off" prior to 3/2/89 at 7am, nor will it "go off" on
3/3/89, so it may be limited to one day (who knows?).
 
---------------
 
One other user just reported losing 18 megs on his system after running
his release of DSZ (a REGISTERED version!).  
 
Kevin.

Date: 03-03-89 (07:53)              Number: 56826
  To: MICHAEL CLEVERLY              Refer#: 56822
From: DAVID TERRY                     Read: NO
Subj: CAUTION ...                   Status: PUBLIC MESSAGE

Michael,
 
It appears to be a copy of DSZ dated 1/17/89 that might be creating all
of the havoc ... please check your files and see if you too are using
this program.
 
                                           David W. Terry 

Date: 03-03-89 (10:19)              Number: 56847
  To: ALL                           Refer#: NONE
From: FRED CLARK                      Read: HAS REPLIES
Subj: CAUTION                       Status: PUBLIC MESSAGE

As a follow up to the previous CAUTION message.  A pattern appears to be
developing in that sysops who are having the problem of wiped out drive
locations are all experiencing the problem when using the 01/27/89
version of DSZ.COM.
 
If you are using that version of the program, we suggest you consider
removing it from your system and replacing it with a different version
of the program - since it may be that a corrupted or hacked version of
that module is being passed around.
 
Again, we urge everyone to use caution when installing new PD programs on
their system to insure the reliability of the source location of the
file.
 
Fred

Date: 03-03-89 (10:24)              Number: 56849
  To: FRED CLARK                    Refer#: 56847
From: CARL EVANS                      Read: 03-03-89 (10:51)
Subj: CAUTION                       Status: PUBLIC MESSAGE

1-29-89? or 1-17-89? All of the previous messages referred to the 1-17
DSZ, but your message pointed at 1-29. Which one is the trojan or is it
both?
 
Carl

Date: 03-03-89 (10:51)              Number: 56853
  To: CARL EVANS                    Refer#: 56849
From: FRED CLARK                      Read: NO
Subj: CAUTION                       Status: PUBLIC MESSAGE

Carl - I goofed on the other messages.  It should be the 01/29/89
version.
 
Fred

Date: 03-03-89 (13:56)              Number: 56860
  To: FRED CLARK                    Refer#: 56835
From: MARK TURNER                     Read: 03-03-89 (14:10)
Subj: 'VIRUS'                       Status: PUBLIC MESSAGE

I'm at work now but will get it this evening and let you know...  For
the time being I have gone back to a DSZ dated 9/something/88 
 
I did do some testing and found if I used the 1/17/89 version straight
out of the package it was OK, if I registered it then the problem
occurred...  Thanks again...
 

Date: 03-03-89 (15:23)              Number: 56869
  To: MARK TURNER                   Refer#: 56860
From: RAY CRAMER                      Read: NO
Subj: 'VIRUS'                       Status: PUBLIC MESSAGE

Mark,
  I lost my files too and seem to be running a version between 1-17 and
2-09. I am too a registered user and I think the 2-09 is when I put my
number into the program.
 
Ray Cramer == > SysOp of "The DogHouse BBS"  (713) 422-3146  Baytown,Tx

Date: 03-03-89 (15:41)              Number: 56871
  To: FRED CLARK                    Refer#: 56758
From: MARK HICKS                      Read: 03-03-89 (15:43)
Subj: CAUTION ...                   Status: PUBLIC MESSAGE

I too just yesterday had all non-read-only files erased in my ROOT dir,
as well as some other *.exe files (like zdoor.exe); however I saw the
message fatal error 
system error ( 53 9365 )
  pcboard fatal 0 9365
strange, huh?

Date: 03-03-89 (15:42)              Number: 56872
  To: ALL                           Refer#: NONE
From: FRED CLARK                      Read: HAS REPLIES
Subj: CAUTION - CONTINUED!          Status: PUBLIC MESSAGE

Folks - this wiping out of drives is really getting serious!  It seems
that there may be a wide variation of dates involved here - but all seem
to be centered around later versions of DSZ.
 
Due to the fact that some dates may be different based on the type of
download performed to obtain the file (i.e. an XMODEM, etc. download
would produce a new date, where a DSZ download would preserve the
original date), we caution all of you to try and obtain a 'known' good
working copy of DSZ from any source.
 
We will post the version we are currently using here (although it is
very, very old), in the event some of you wish to use it instead of one
of the later versions.
 
Fred

Date: 03-03-89 (15:43)              Number: 56873
  To: MARK HICKS                    Refer#: 56871
From: FRED CLARK                      Read: 03-03-89 (15:46)
Subj: CAUTION ...                   Status: PUBLIC MESSAGE

Well - that error message is simply a result of all the files being
wiped out after whatever it is is doing its dirty work.  At the point
all of the files are gone, PCBoard will return the error message - since
many of the files needed for it to operate are now missing!
 
Fred

Date: 03-03-89 (15:54)              Number: 56878
  To: FRED CLARK                    Refer#: 56872
From: MILES LESTER                    Read: 03-03-89 (17:12)
Subj: CAUTION - CONTINUED!          Status: PUBLIC MESSAGE

Fred,
PRODOOR and several other doors required a DSZ dated after 08/88 in
order to do their transfers. Do you think you could locate a good copy
after that date for us?
  
Miles Lester

Date: 03-03-89 (17:12)              Number: 56882
  To: MILES LESTER                  Refer#: 56877
From: FRED CLARK                      Read: NO
Subj: HELP!                         Status: PUBLIC MESSAGE

Nope - other than to possibly try the version we have posted here.
 
Again, at this point no one is quite sure what program or version of a
specific program is causing the problem.  However, the pattern (as
indicated) is all pointing to a recent version of DSZ.
 
Fred

Date: 03-03-89 (17:12)              Number: 56883
  To: MILES LESTER                  Refer#: 56878
From: FRED CLARK                      Read: NO
Subj: CAUTION - CONTINUED!          Status: PUBLIC MESSAGE

I don't have one here - but will open up your message so that in case
someone else does - they can upload it.
 
Fred

Date: 03-03-89 (17:22)              Number: 56884
  To: FRED CLARK                    Refer#: NONE
From: ROBERT BLACHER                  Read: NO
Subj: DSZ VERSIONS                  Status: PUBLIC MESSAGE

Sigh -- if folks would only read the docs.
 
The current version of DSZ as I write this message is 2/23/89.  However,
for the last several versions of DSZ, the following warning has appeared
in the DOC file under CHANGES:
 
A problem in the 1/17/89 and 2/2/89 versions corrupts files under
unusual circumstances.  Please delete all instances of the 1/17/89 and
2-02-89 version.
 
In short, if folks are using either of those 2 versions, they should
either get a newer one or drop back to an earlier version. DSZ 2/23
seems fine and I'll happily upload a copy I received directly from Chuck
on a later call (I don't have it on this machine).


