
















                             FLU_SHOT+, Version 1.4

                            A Form of Protection from
                            Viral and Trojan Programs


                                       by
                                Ross M. Greenberg
                                       and
                            Software Concepts Design
                                594 Third Avenue
                            New York, New York 10016
                       BBS:(212)-889-6438 1200|2400|N/8/1








































              FLUSHOT+ is a trademark of Software Concepts Design.
                Copyright (C), 1988 by Software Concepts Design.
                              All Rights Reserved.


        Not for Commercial Distribution without written permission by the
        copyright holder. Noncommercial copying of this software and this
        documentation  is encouraged.   Commercial Distribution is easily
        defined:  if  you  distribute  this  software,  or  the  enclosed
        documentation, for more than your cost of such distribution, then
        you're   a  Commercial  Distributor  and  require   our   written
        permission.    Not-for-profit  organizations  and  computer  user
        groups,   and   their   bulletin  board  systems  (if  any)   are
        specifically *not* considered commercial distributors.

        By  your  using this software,  you agree to  the  terms  herein. 
        Specifically,  that  you  do  not  have the right  to  copy  this
        software  except as outlined above,  and that you are  granted  a
        license to use this software only by registering this software as
        mentioned elsewhere in this document.  (Legitimate subscribers to
        the Big Blue Disk magazine may have a separate agreement allowing
        them to use this code without registering, but the other terms of
        this  agreement are still to be agreed to before you can use  the
        program)

        You  also  agree,  and  signify  that  agreement  by  using  this
        software,  that  Software Concepts Design and Ross  M.  Greenberg
        will  not  be  held liable for any reason for any  cost  you  may
        incur,  or  any  potential income you might lose as a  result  of
        using this software.  Finally, this software is provided "AS IS",
        meaning  that  what  you see is what you get.   If you  use  this
        software  and a tree falls on your house,  or your spouse  leaves
        you  for someone younger and more virile,  please do  not  bother
        having your lawyer call -- it isn't the fault of the software, no
        matter what the lawyer tries to convince you!































        Table of Contents

        I.   Introduction
             a.   What is a Trojan.....................................1
             b.   What is a Virus......................................4
             c.   The Challenge to the Worm............................6

        II.  About the FLUSHOT Series
             a.   A Brief History......................................8
             b.   FLU_SHOT+ Features and Enhancements..................9
             c.   Registering FLU_SHOT+................................10
             d.   Site Licensing of FLU_SHOT+..........................10

        III. Using FLU_SHOT+

             a.   The FLUSHOT.DAT file.................................11
                  1.   Protecting files from Write Access..............12
                  2.   Protecting files from Read Access...............12
                  3.   Excluding files.................................12
                  4.   Checksumming files..............................13
                  5.   Registering a TSR program.......................14
                  6.   Protecting the FLUSHOT.DAT file.................14
                  7.   Protection Recommendations......................15
                  8.   Allowing "dangerous" programs to run............15

             b.   Running FLU_SHOT+....................................16
                  1.   Checking CMOS - How often?......................16
                  2.   Checksumming the in-memory table................16
                  3.   Intercepting Direct Disk Writes Through INT13...17
                  4.   What about INT26................................17
                  5.   Turning off the header message..................17
                  6.   Allowing trusted TSR's to work..................17
                  7.   Disabling FLU_SHOT+.............................17
                  8.   Disabling FLU_SHOT+ Toggle Display..............18
                  9.   Forcing FLU_SHOT+ to only use the BIOS..........18
                 10.   Putting FLU_SHOT+ to sleep when run.............18

        IV.  Interpreting a FLU_SHOT+ Trigger..........................19

        V.   How Good is FLUSHOT+, Really?.............................24

        VI.  Reward Offered............................................26























                                  Introduction

        What is a Trojan?
        =================

        Back  in the good old days (before there were  computers),  there
        was  this  bunch  of  soldiers who had no  chance  of  beating  a
        superior  force or of even making it into their  fortress.   They
        had this nifty idea:   present the other side with a gift.   Once
        the gift had been accepted, soldiers hiding within the gift would
        sneak out and overtake the enemy from within.

        We can only think of the intellectual giants of the day who would
        accept  a  gift  large enough to  house  enemy  soldiers  without
        checking its contents.  Obviously, they had little opportunity to
        watch  old WWII movies to see the same device used over and  over
        again.   They  probably wouldn't have appreciated Hogan's  Heroes
        anyway.   No  color  TV's -- or at least not ones  with  reliable
        reception.

        Consider the types of people who would be thrilled at the concept
        of owning their own rough hewn, large wooden horse!  Perhaps they
        wanted  to  be the first one on their block,  or something  silly
        like that.

        Anyway, you're all aware of the story of The Trojan Horse.

        Bringing ourselves a bit closer to the reality we've all grown to
        know and love,  there's a modern day equivalent:   getting a gift
        from  your  BBS or user group which contains a little  gem  which
        will attack your hard disk, destroying whatever data it contains.

        In order to understand how a potentially useful program can cause
        such damage when corrupted by some misguided soul, it's useful to
        understand  how your disk works,  and how absurdly easy it is  to
        cause  damage  to  the  data  contained  thereon.   So,  a  brief
        technical  discussion of the operation of your disk is in  order. 
        For those who aren't concerned, turn the page or something.

        Data  is preserved on a disk in a variety of  different  physical
        ways  having  to do with how the data is encoding in  the  actual
        recording  of  that data.  The actual *structure* of  that  data,
        however,  is  the same between MS-DOS machines.   Other operating
        systems have a different structure,  but that doesn't concern  us
        now.

        Each  disk has a number of "tracks".  These are sometimes  called
        cylinders from the old type IBMer's.   These are the same  people
        who call hard disks DASDs (Direct Access Storage Devices),  so we
        can safely ignore their techno-speak,  and just call them tracks. 
        Tracks  can be thought of as the individual little grooves on  an
        audio record, sort of.

        Anyway,  each track is subdivided into a number of sectors.  Each
        track  has the same number of sectors.   Tracks are numbered,  as


                                        1








        are  sectors.   Any given area on the disk can be accessed  if  a
        request  is  made to read or write data into or out  of  Track-X,
        Sector  Y.   The  read  or  write command is given  to  the  disk
        controller, which is an interface between the computer itself and
        the hard disk.   The controller figures out what commands to send
        to the hard disk,  the hard disk responds and the data is read or
        written as directed.

        The  first track on the hard disk typically will contain a  small
        program  which  is read from the hard disk and executed when  you
        first  power up your machine.   The power up sequence  is  called
        "booting" your machine,  and therefore the first track is typical
        known as the "boot track".

        In  order  to  read  information  from your  disk  in  a  logical
        sequence,  there has to be some sort of index.   An unusual index
        method was selected for MS-DOS.   Imagine going to the card index
        in  a library,  looking up the title you desire,  and  getting  a
        place  in another index which tells you where on the racks  where
        the book is stored.   Now,  when you read the book,  you discover
        that  only the first chapter of the book is there.   In order  to
        find  the next chapter of the book,  you have to go back to  that
        middle  index,  which tells you where the next chapter is stored. 
        This  process  continues until you get to the end  of  the  book. 

        Sounds  pretty convoluted,  right?   You bet!   However,  this is
        pretty much how MS-DOS does its "cataloguing" of files.

        The  directory structure of MS-DOS allows for you to look  up  an
        item  called the "first cluster".   A cluster represents a set of
        contiguous  ("touching or in contact" according to Random  House)
        tracks  and sectors.   It is the smallest amount  of  information
        which the file structure of MS-DOS knows how to read or write.

        Based on the first cluster number as stored in the directory, the
        first  portion  of  a file can be  read.   When  the  information
        contained  therein is exhausted,  MS-DOS goes to  that  secondary
        index  for a pointer to the next cluster.   That index is  called
        the  File Allocation Table,  commonly abbreviated to "FAT".   The
        FAT contains an entry for each cluster on the disk.  An FAT entry
        can  have a few values:  ones which indicate that the cluster  is
        unused,  another which indicates that the associated cluster  has
        been  damaged  somehow  and that it should be marked  as  a  "bad
        cluster",  and  a  pointer to the next cluster for a given  file. 
        This  allows for what is called a linked list:   once  you  start
        looking up clusters associated with a given file,  each FAT entry
        tells  you  what the next cluster is.   At the end of the  linked
        list  is  a special indicator which indicates that there  are  no
        more clusters associated with the file.

        There are actually two copies of the FAT stored on your disk, but
        no  one  really  knows  what the second copy  was  intended  for. 
        Often, if the first copy of the FAT is corrupted for some reason,
        a  clever  programmer could recover information from  the  second
        copy to restore to the primary FAT.  These clever programmers can


                                        2








        be called "hackers",  and should not be confused with the thieves
        who break into computer systems and steal things,  or the "worms"
        [Joanne Dow gets credit for *that* phrase!] who would get joy out
        of causing you heartache!

        But  that  heartache is exactly what can happen if the  directory
        (which  contains the pointer to the first cluster a  file  uses),
        the  FAT  (which contains that linked list to other areas on  the
        disk  which  the  file uses),  or other areas  of  the  disk  get
        corrupted.

        And  that's what the little worms who create Trojan programs  do: 
        they  cause  what  at  first appears to be a  useful  program  to
        eventually corrupt the important parts of your disk.  This can be
        as simple as changing a few bytes of data,  or can include wiping
        entire tracks clean.

        Not  all  programs  which write to your hard disk are  bad  ones,
        obviously.    Your  word  processor,  spreadsheet,  database  and
        utility programs have to write to the hard disk.  Some of the DOS
        programs  (such as FORMAT),  if used improperly,  can also  erase
        portions of your hard disk causing you massive amounts of  grief. 
        You'd  be  surprised what damage the simple "DEL" command can  do
        with just a simple typo.

        But, what defines a Trojan program is its delivery mechanism: the
        fact  that you're running something you didn't  expect.   Typical
        Trojan programs cause damage to your data,  and were designed  to
        do  so by the worms who writhe in delight at causing this damage. 
        May they rot in hell -- a mind is a terrible thing to waste!

        Considering  the personality required to cause such  damage,  you
        can  rest  assured  that they have few friends,  and  even  their
        mother doesn't like to be in the same room with them.   They  sit
        back  and chortle about the damage they do with a few other lowly
        worms.   This  is their entire social universe.  You should  pity
        them.  I know that I do.




















                                        3








                                  Introduction

        What is a Virus?
        ================

        Trojan  programs are but a delivery mechanism,  as stated  above. 
        They  can  be implemented in a clever manner,  so that they  only
        trigger  the  malicious part on a certain date,  when  your  disk
        contains certain information or whatever.  However they're coded,
        though,  they  typically  affect the disk only in  a  destructive
        manner once triggered.

        A new breed of programs has the capability of not only  reserving
        malicious  damage  for a given event's occurrence,  but  of  also
        replicating itself as well.

        This  is what people refer to when they mention the  term  "Virus
        Program".

        Typically, a virus will spread itself by replicating a portion of
        itself  onto another program.   Later,  when that  normally  safe
        program  is run it will,  in part,  execute a set of instructions
        which  will infect other programs and then  potentially,  trigger
        the Trojan portion of the program contained within the virus.

        The danger of the virus program is twofold.  First, it contains a
        Trojan  which will cause damage to your hard  disk.   The  second
        danger is the reason why everyone is busy building bomb shelters. 
        This danger is that the virus program will infect other  programs
        and  they  in  turn  will infect other  programs  and  so  forth. 
        Since it can also infect programs on your floppy disks, you could
        unknowingly  infect  other  machines!   Pretty  dangerous  stuff,
        alright!

        Kenneth  van  Wyck,  one  of the computer folks  over  at  Lehigh
        University,  first brought a particular virus to the attention of
        the  computer  community.   This virus infects a  program,  which
        every MS-DOS computer must have, called COMMAND.COM.  This is the
        Command  Line  Interpreter  and is  the  interface  between  your
        keyboard  and the MS-DOS operating system itself.   Whatever  you
        type at the C> prompt will be interpreted by it.

        Well,  the  virus  subverts this intended function,  causing  the
        infection  of  neighboring COMMAND.COMs  before  continuing  with
        normal  functionality of the command you typed.   After a certain
        number  of "infections",  the Trojan aspect of the  program  goes
        off, causing you to lose data.

        The  programmer  was  clever.   But  still  a  worm.   And  still
        deserving  of contempt instead of respect.   Think of  what  good
        purposes  the  programmer  could have put his or her  talents  to
        instead  of  creating  this  damage.    And  consider  what  this
        programmer  must  do,  in covering up what  they've  done.   They
        certainly   can't   tell  anyone   what   they've   accomplished. 
        Justifiable homicide comes to mind, but since the worms they must


                                        4








        hang  around are probably as disreputable as they are,  they must
        hold their little creation a secret.

        A pity.   Hopefully, the worm is losing sleep.  Or getting a sore
        neck  looking behind them wondering which of their "friends"  are
        gonna turn them in for the reward I list towards the end of  this
        document.


















































                                        5








                                  Introduction

        The Challenge to the Worm
        =========================

        When  I first released a program to try to thwart their  demented
        little efforts,  I published this letter in the archive (still in
        the FLU_SHOT+ archive of which this is a part of).  What I say in
        it still holds:
        
                 As for the designer of the virus program: most
                 likely  an impotent adolescent,  incapable  of
                 normal social relationships, and attempting to
                 prove  their  own worth to themselves  through
                 these type of terrorist attacks.

                 Never  succeeding  in  that task  (or  in  any
                 other),  since they have no worth,  they  will
                 one  day  take a look at themselves  and  what
                 they've   done   in  their  past,   and   kill
                 themselves in disgust.   This is a Good Thing,
                 since  it  saves the  taxpayers'  money  which
                 normally   would  be  wasted  on  therapy  and
                 treatment of this miscreant.

                 If they *really* want a challenge, they'll try
                 to destroy *my* hard disk on my  BBS,  instead
                 of  the  disk  of  some  innocent  person.   I
                 challenge  them  to  upload a virus  or  other
                 Trojan  horse to my BBS that I  can't  disarm. 
                 It  is  doubtful the challenge will be  taken:
                 the  profile of such a person  prohibits  them
                 from  attacking  those  who  can  fight  back. 
                 Alas,  having a go with this  lowlife would be
                 amusing  for  the  five minutes  it  takes  to
                 disarm whatever they invent.

                 Go   ahead,    you   good-for-nothing   little
                 slimebucket:  make *my* day!


        Alas,  somebody  out there opted to do the cowardly thing and  to
        use  the  FLUSHOT programs as a vehicle for wrecking  still  more
        destruction  on  people  like  you.   The  FLUSHOT3  program  was
        redistributed  along  with  a  companion program to  aid  you  in
        reading  the documentation.   It was renamed FLUSHOT4.   And  the
        reader program was turned into a Trojan itself.

        I guess the programmer involved was too cowardly to take me up on
        my offer and prefers to hurt people not capable of fighting back. 
        I should have known that,  I suppose,  but I don't normally think
        of people who attack innocents.  Normally,  I think of people  to
        respect,  not people to pity, certainly not people who must cause
        such damage in order to "get off".



                                        6








        They  are below contempt,  obviously,  and can do little to help
        themselves out of the mire they live in.

        Still, a worm is a worm.





















































                                        7








                                  About FLUSHOT

        A Brief History
        ===============

        The  original incarnation of FLU_SHOT was a quick hack done in my
        spare  time.   It had a couple of bugs in it which caused  it  to
        trigger  when it shouldn't,  and a few conditions which I had  to
        fix.    A   strangeness  in  how  COMMAND.COM  processed  certain
        conditions  when  I "failed" an operation caused people  to  lose
        more data than they had intended -- certainly not my intent!

        FLU_SHOT  was  modified and became FLUSHOT2.   It  included  some
        additional  protections,  protecting some other important  system
        files,  and  protecting  against direct disk writes which can  be
        used to circumvent FLUSHOT's protection mechanisms.

        Additionally,  FLUSHOT2  forced an exit of the program  currently
        running  instead of a fail condition when you indicated  that  an
        operation should not be carried out.

        FLUSHOT2  was also now distributed in the popular archive  format
        (have  you remembered to send your shareware check into Phil Katz
        for his efforts?  You really should.  It ain't that much money!).

        Next  came  FLUSHOT3.  A  bug was fixed which could  have  caused
        certain  weird things when you denied direct disk I/O to  certain
        portions of DOS 3.x.

        The enhancements to FLUSHOT3 included the ability to enter a  'G'
        when  FLUSHOT  was  triggered.   This allowed FLUSHOT  to  become
        inactive  until an exit was called by the foreground  task.   So,
        when you used some trustworthy program which did direct disk I/O,
        you wouldn't be pestered with constant triggering after you enter
        the 'G'.   Primarily this was a quick hack to allow programs such
        as the FORMAT program to run without FLUSHOT being triggered each
        time it tried to do any work it was supposed to.

        Additionally,  a  CMOS RAM check was installed.  If a  foreground
        program attempted to change CMOS memory, you'd be advised.

        What  the  heck  is CMOS  memory,  you  might  be  asking.   Good
        question.   In  AT class and better machines,  certain  important
        parameters  (such as the type of hard disk you're using,  or  how
        much  memory  there is in your machine) are stored up in  special
        non-volatile memory, called CMOS.

        If  this gets changed,  you might have a problem when you reboot.
        FLUSHOT3  sends  at  least one little  slimebucket  back  to  the
        drawing board,  because it will restore the CMOS and prevent this
        hassle from occurring.






                                        8








                                  About FLUSHOT

        FLU_SHOT+ Features and Enhancements
        ===================================

        This  release of FLU_SHOT has a  new  name:  FLU_SHOT+.   Because
        FLUSHOT4  was  a Trojan,  I opted to change the  name.   Besides,
        FLU_SHOT+ is the result of some real effort on my  part,  instead
        of being a part-time quick hack.  I hope the effort shows.

        FLUSHOT  is  now table driven.   That table is in a file which  I
        call  FLUSHOT.DAT.   It  exists in the root directory on your  C:
        drive.   However,  I'll  advise  you later on how to  change  its
        location  so  that a worm can't create a Trojan  to  modify  that
        file.

        This  file  now allows you to write and/or  read  protect  entire
        classes of programs.   This means that you can write protect from
        damage all of your *.COM, *.EXE, *.BAT, and *.SYS files.  You can
        read  protect all of your *.BAT files so that a nasty program can
        not  even  determine what name you used for  FLU_SHOT+  when  you
        invoked it!

        Additionally,  you  can now automatically check programs when you
        first invoke FLU_SHOT+ to determine if they've changed since  you
        last looked at them.   Called checksumming, it allows you to know
        immediately  if  one of the protected programs has  been  changed
        when  you're not looking.   Additionally,  this checksumming  can
        even take place each time you load the program for execution.

        Also, FLU_SHOT+ will advise you when any program "goes TSR".  TSR
        stands  for "Terminate and Stay Resident",  allowing pop-ups  and
        other  useful  programs  to be created.   A worm could  create  a
        program  which  leaves  a bit of  slime  behind.   Programs  like
        Borland's SideKick program, a wonderful program and certainly not
        a  Trojan or virus,  is probably the best known TSR.    FLU_SHOT+
        will  advise  you  if any program attempts to go  TSR  which  you
        haven't already registered in your FLUSHOT.DAT file.

        Finally,  FLU_SHOT+  will also now pop-up a little window in  the
        middle of your screen when it gets triggered.   It also will more
        fully explain why it was triggered.  The pop-up window means that
        your  screen  won't get screwed up beyond  recognition  -- unless
        you're  in  graphics mode when it  pops  up.   Sorry,  'dems  the
        breaks!












                                        9








                                  About FLUSHOT

        Registering FLU_SHOT+
        =====================

        FLU_SHOT+ is not a free program.  You're encouraged to use it, to
        distribute it to your friends and co-workers.   If you end up not
        using  it for some reason,  let me know why and I'll see if I can
        do something about it in the next release.

        But, the right to use FLU_SHOT+ is contingent upon you paying for
        the  right to use it.   I ask for ten dollars as  a  registration
        fee, plus a four dollar shipping and handling fee.  This entitles
        you to get the next update shipped to when available.  And allows
        you  to  pay me,  in part,  for my labor in creating  the  entire
        FLU_SHOT series.  I don't expect to get my normal consulting rate
        or  to  get a return equal to that of other programs  which  I've
        developed and sell through more traditional channels.  That's not
        my  intent,  or I would have made FLU_SHOT+ a commercial  program
        and you'd be paying lots more money for it.

        Some  people  are uncomfortable with the  shareware  concept,  or
        believe  that  there  ain't  no such thing  as  Trojan  or  Virus
        programs,  and that a person who profits from the distribution of
        a program such as FLU_SHOT must be in it for the money.

        I've  created  an  alternative for these  folks.   I'll  call  it
        "charityware"  [first  called that,  to my  knowledge,  by  Roedy
        Green].   You  can also register FLU_SHOT+ by sending me a  check
        for $10 made out to your favorite charity.   Be sure to include a
        stamped  and addressed envelope.   I'll forward the  monies  onto
        them and register you fully.

        Of  course,  if you wish,  you can send me a check for more  than
        $10.  I'll cash it gladly (I'm no fool!).

        [Subscribers  of  the  Big  Blue Disk  are  still  encouraged  to
        register  this program,  although a special arrangement with  Big
        Blue  allows  them to distribute this program  without  requiring
        that  subscribers of the program register it.   However,  if  you
        don't register it diorectly with us, you won't be entitled to any
        technical  support  from us,  nor will you be advised  of  future
        releases.  For  more  information,  contact  Big  Blue  directly. 
        They're  pretty  reasonable folks and can provide you  with  very
        good technical support.]

        Site Licensing of FLU_SHOT+
        ===========================

        So, you run the computer department of a big corporation, you got
        a  copy of FLU_SHOT+,  decided it was wonderful and that it   did
        everything  you  wanted and sent in your  ten  bucks.   Then  you
        distributed it to your 1000 users.




                                       10









        Not what is intended by the shareware scheme.   *Each* site using
        FLU_SHOT+  should  be registered.   That's ten bucks a  site,  me
        bucko!    Again,   make  the  check  out  to  charity  if  you're
        uncomfortable with the idea of a programmer actually deriving  an
        income from their work.

        However,  if you've really got 1000 computers, you should give me
        a  call.   As  much as I'd like to get $10 for  each  site,  that
        wouldn't be fair to you.  So, quantity discounts are available.

        Shipping and Handling
        =====================
        Each  order  for  FLU_SHOT+ must also include a $4  shipping  and
        handling charge.  Sorry, but the economics don't allow me not to.










































                                       11








                                 Using FLU_SHOT+

        The FLUSHOT.DAT file
        ====================

        FLU_SHOT+  is  table  driven by the contents of  the  FLUSHOT.DAT
        file.  This file normally exists in the root directory of your C:
        drive (C:\FLUSHOT.DAT).

        A  little  later in this document you'll see how to disguise  the
        data file name, making life tougher for the worms out there.  But
        for the purposes of this document,  we'll assume that the file is
        called C:\FLUSHOT.DAT.

        The FLU_SHOT+ program will read this data file exactly  once.  It
        reads the data from the data file into memory and overwrites  the
        name of the data file in so doing.   A little extra protection in
        hiding the name of the file.

        This data file contains a number of lines of text.   Each line of
        text is of the form:

        <Command>=<filename><options>

        Command can be any one of the following characters:

             P    -    Write Protect the file named
             R    -    Read Protect the file named
             E    -    Exclude the file named from matching P or R lines
             T    -    The named file is a legitimate TSR
             C    -    Perform checksum operations on the file named

        The   filename  can  be an ambiguous file if  you  wish  for  all
        commands except the 'T' and 'C' commands.  This means that:

             C:\level1\*.COM

        will  specify  all  COM  files on your C:  drive  in  the  level1
        directory (or its sub-directories). Specifying:

             C:\level1\*\*.EXE

        would specify all EXE files in subdirectories under the C:\level1
        directory, but would not include that directory itself.

        You can also use the '?' operator to specify ambiguous characters
        as in:

             ?:\usr\bin\?.COM

        would  be  used  to specify files on any drive  in  the  \usr\bin
        directory  on  that  drive.   The files would have to  be  single
        letter filenames with the extension of 'COM'.

        Ambiguous file names are not allowed for the 'T' and 'C' options.


                                       12








                                 Using FLU_SHOT+

        Protecting files from Write Access
        ==================================

        Use  the  'P='  option to protect files from  write  access.   To
        disallow  writes to any of your COM,  EXE,  SYS,  and BAT  files,
        specify lines of the form:

             P=*.COM
             P=*.EXE
             P=*.SYS
             P=*.BAT

        which protects these files on any disk, in any directory.

        Protecting files from Read Access
        =================================

        Similarly,  you  can  use the 'R' command to protect  files  from
        being  read  by  a program (including the  ability  to  'TYPE'  a
        file!).   To prevent read access to all of your BAT files,  use a
        line such as:

             R=*.BAT

        Combinations of R and P lines are allowed,  so the combination of
        the  above lines would prevent read or write access to all  batch
        files.

        Excluding files
        ===============

        Programmers  in particular should find usage for the 'E' command. 
        This  allows  you to exclude matching filenames from other  match
        operations.    Assume  you're  doing  development  work  in   the
        C:\develop directory.

        You  could exclude FLU_SHOT+ from being triggered by including  a
        line such as:

             E=C:\develop\*.*

        Of course,  you might have development work on many disks under a
        directory  of that name.   If you do,  you might include  a  line
        which looks like:

             E=?:\develop\*.*
                  or
             E=*\develop*







                                       13









        Checksumming files
        ==================

        This  line is a little more complicated than others and  involves
        some setup work.  It's worth it though!

        A  checksum  is a method used to reduce a files validity  into  a
        single  number.   Adding up the values of the bytes which make up
        the file would be a simple checksum method.   Doing more  complex
        mathematics  allows for more and more checking information to  be
        included in a test.

        If you use a lie on the form:

             C=C:\COMMAND.COM[12345]

        then when FLU_SHOT+ first loads it will check the validity of the
        file against the number in the square brackets.   If the checksum
        calculated does not match the number presented, you'll be advised
        with  a  triggering  of  FLUSHOT,   which  presents  the  correct
        checksum.

        When  you first set up your FLUSHOT.DAT file,  use a dummy number
        such  as  '12345'  for each of the files you  wish  to  checksum. 
        Then,  when you run FLUSHOT, you should copy down the "erroneous"
        checksum presented.   Then, edit the FLUSHOT.DAT file and replace
        the  dummy number with the actual checksum value you  had  copied
        down.  Voila!  If  even  one byte in the is  changed,  you'll  be
        advised the next time you run FLU_SHOT+.

        But wait! There's more! Not available in stores!

        Sorry.  I got carried away.

        Seriously, there is more.  When a "checksummed" file is loaded by
        MS-DOS,  it will,  by default,  be checksummed again.  So, if you
        had a line such as:

             C=C:\usr\bin\WS.COM[12345]

        the venerable old WordStar program (still *my* editor of choice!)
        would be checksummed each time you went to edit a file.

        Of  course,  you might not want the overhead of that checksumming
        to  take place each time you load a program.   Therefore,  a  few
        switches  have been added.   The switches are  place  immediately
        after the ']' in the checksum line:

             C=C:\usr\bin\WS.COM[12345]<switch>

        These switches are:

             ,n   -    will  only checksum the file only 'n' times.  Only
                       one digit allowed.


                                       14









             -    -    Only  checksum  this  file  when  FLU_SHOT+  first
                       loads.  ',1' and '-' are equivalent.

             +    -    Only  checksum  this  file when it is  loaded  and
                       executed, not when FLU_SHOT+ first loads

        Therefore,  if you wished to only check your WS.COM file when you
        first loaded the FLU_SHOT+ program, you'd specify a line as:

             C=C:\usr\bin\ws.com[12345],1
                  or
             C=C:\usr\bin\ws.com[12345]-

        If  you wished to checksum your program called "MY_PROG.EXE" only
        when it was used, try:

             C=C:\path\MY_PROG.EXE+


        Registering a TSR program
        =========================

        Any  unregistered  TSR program which is run after FLU_SHOT+  will
        cause a trigger when they "go TSR".   You can register a  program
        so no trigger goes off by specifying it in a line such as:

             T=C:\usr\bin\tsr_s\sk.com

        which  will keep FLU_SHOT+ from complaining about  sk.com.   Make
        sure  to  take a look at the '-T' option,  specified in the  next
        section.


        Protecting the FLUSHOT.DAT file
        ===============================

        Obviously,  the  weak link in the chain of the  protection  which
        FLU_SHOT+ offers you is the FLUSHOT.DAT file.

        You  would think that you'd want to protect the FLUSHOT.DAT  file
        from  reads and writes as specified above.   However  this,  too,
        leaves  a gaping security hole:  memory could be searched for it,
        and it could be located that way.   A better alternative  exists. 
        In  the distribution package for FLUSHOT+ exists a program called
        FLU_POKE.COM.   This  program allows you to specify the new  name
        you wish to call the FLUSHOT.DAT file. Simply type:

             FLU_POKE <flushot_name>

        where  <flushot_name>  represents the full path filename of  your
        copy of FLU_SHOT+.

        You'll be prompted for the name of the FLUSHOT.DAT  file.   Enter
        the  name  you've  selected  (remember to specify  the  disk  and


                                       15








        directory as part of the name).  Voila!  Nothing could be easier.

        Protection Recommendations
        ==========================

        Here's a sample FLUSHOT.DAT file, basically the same one included
        in the archive.  Your actual checksums will differ, and you may
        want to modify what files and directories are protected.
        Obviously, your exact needs are different than mine, so consider
        this a generic FLUSHOT.DAT:

        P=*.bat
        P=*.sys
        P=*.exe
        P=*.com
        R=*AUTOEXEC.BAT
        R=*CONFIG.SYS
        E=?\dev\*
        C=C:\COMMAND.COM[12345]-
        C=C:\IBMBIO.COM[12345]-
        C=C:\IBMDOS.COM[12345]-

        Allowing "dangerous" programs to run
        ====================================
        In  some  cases,  though,  you'll still want the ability  to  ler
        "trusted"  programs  to  run  -- even  if  they  are  potentially
        dangerous.   A  good example of this is the DOS  FORMAT  program: 
        here  is a program specifically designed to overwrite the data on
        your disk in such a way that it would be difficult,  at best,  to
        recover.  Yet, the program is a necessary part of your day-to-day
        computer usage.

        Therefore,  the 'X=' switch has been added in to allow a  program
        such as FORMAT to run without interruption.   THIS IS A POTENTIAL
        SECURITY HOLE.   To prevent an 'X=' program from being corrupted,
        I suggest you also include any 'X=' program as both a 'C=' and  a
        'P='  program  as  well:  any  writes to  the  file  would  cause
        FLU_SHOT  to trigger,  and you wouldn't be able to run a modified
        program  without  first giving  FLU_SHOT  permission.   Use  'X='
        sparingly.  I'm rather uncomfortable with it myself.

















                                       16








                               Invoking FLU_SHOT+

        Running FLUSHOT+
        ================

        For  extra  protection,  after you've run  FLU_POKE,  you  should
        rename  the FLU_SHOT+ program is something unique and  meaningful
        to you, but not a worm.

        Assuming  you didn't rename it,  however,  you could  invoke  the
        program simply by typing:

             FSP

        when  at the prompt.   That's all there is to  it.   When  you're
        satisfied, you can add it to your AUTOEXEC.BAT file, after all of
        your trusted programs have run.

        But there are some options you should know about:

        Checking CMOS - How often?
        ==========================

        The  CMOS,  as  described  earlier in this document,  is  a  spot
        wherein a worm can just make things a bit miserable for you  when
        you  next  boot your system.   However,  FLU_SHOT+ allows you  to
        protect the contents of your CMOS against such a worm.

        *CMOS Only exists on AT class and better machines!!!*

        You  must specify the '-C' option when you invoke  the  FLU_SHOT+
        program in order to have your CMOS safeguarded.  There is a check
        done  whenever  DOS  is  accessed to determine if  the  CMOS  has
        changed.   This  causes  a slight performance penalty.   CMOS  is
        checked on a regular basis  -- a reasonable trade-off between the
        utility  of  the  CMOS  check  and  the  annoyance  of  a  slight
        performance degradation.   The default is set to one second.  You
        may modify that default,  if you wish, by using the '-In' option,
        where  the 'n' represents how frequently,  in seconds you wish to
        have CMOS checked.

        Checksumming the in-memory table
        ================================
        Since  the  wily  worm may well be able to  thwart  some  of  the
        efforts  of  FLU_SHOT+ by playing nasty games with the  in-memory
        copy  of  the FLUSHOT.DAT file,  FLU_SHOT+ will also  check  this
        table against a checksum it generates on a regular basis.  If the
        table  gets corrupted,  you'll be advised of it.   This table  is
        checked with the same frequency as the CMOS is checked,  and this
        frequency  can,  therefore,  be changed with the '-In' option  as
        well.






                                       17








        Intercepting Direct Disk Writes Through INT13
        =============================================

        The  default operation of FLU_SHOT+ is to intercept  and  examine
        every  call to the direct disk routines.   You can *disable* this
        by including the '-F' switch on your command line:

             FSP -F

        This is not recommended,  but exists primarily for developers who
        can't  use  the  constant triggering one of  their  programs  may
        cause.


        What about INT26
        ================
        Similarly,  the same exists for the direct writes which normally
        are  only  made by DOS through interrupt 26.   Again,  I  do  not
        recommend you disable the checking,  but if you desire to do  so,
        use the '-D' switch.

        Turning off the header message
        ==============================
        If  you've  no desire to see the rather lengthy  welcome  message 
        which  is  displayed when you first use FLU_SHOT+,  use the  '-h'
        switch.


        Allowing Trusted TSR's to Work
        ==============================
        Normally, you'd load all of your trusted TSR's before FLUSHOT+ is
        loaded from within your AUTOEXEC.BAT file.   However,  you  might
        want to use SideKick once in a while,  removing it from memory as
        you desire.   This could cause some problems, since SideKick, and
        programs  like it,  take over certain interrupts,  and  FLU_SHOT+
        could  get confused about whether this is a valid call or a  call
        that shouldn't be allowed.   Normally,  FLU_SHOT+ will trigger on
        these calls, which is safer, but can be annoying.  If you use the
        special  '-T'  switch upon program invocation,  then calls  which
        trusted  TSR's  (those specified with the 'T='  command  in  your
        FLUSHOT.DAT file) make will be allowed.  Understand, please, that
        this  basically means that calls made by a Trojan while a trusted
        TSR is loaded may not be caught.   Please,  use this switch  with
        caution!

        Disabling FLU_SHOT+
        ===================
        There  may  be times when you're about to do some work which  you
        know  will  trigger  FLU_SHOT+.   And you might not  want  to  be
        bothered with all of the triggering,  the pop-up windows and your
        need to respond to each trigger.   If you look in the upper right
        hand  corner  of  your screen,  you'll  see  a  '+'  sign.   This
        indicates  that FLU_SHOT+ is monitoring and attempting to protect
        your system.   Depress the ALT key three times.   Notice that the
        '+' sign' turned into a '-'?   Well,  FLU_SHOT+ is now  disabled,


                                       18








        and  will not trigger on any event.   If you depress the ALT  key
        three more times, you'll see the '-' turn back into a '+' -- each
        time  you depress the ALT key three times,  FLU_SHOT+ will toggle
        between being enabled and disabled.

        Disabling FLU_SHOT+ Toggle Display
        ==================================
        Alas, there are graphics applications which will be screwed up be
        the  '-'  or '+' in the upper right hand corner of your  display.
        Therefore,  if  you depress the CTRL key three times,  you'll  be
        able to toggle the display capability of FLU_SHOT+.   The default
        configuration  of FLU_SHOT+ is to "come up" with  display  turned
        on.  You can reverse this capability if you include the '-G' (for
        graphics) switch on your command line when you run FLU_SHOT+.

        Forcing FLU_SHOT+ to only use the BIOS
        ======================================

        Certain  machines  are not totally compatible with the IBM  BIOS,
        which  is  the BIOS for which  FLU_SHOT+  was  written.   Because
        FLU_SHOT  has  to be able to deal with the hardware in  a  pretty
        direct manner in order to "pop-up" a screen,  these machines were
        not able to use FLU_SHOT.  If you specify the '-B' switch in your
        command  line  when you first run FLU_SHOT+,  then only the  BIOS
        will  be used for screen output.   This is  *drastically*  slower
        than  direct  screen  memory writes (the method used  unless  you
        specify to use the BIOS), but at least it works.

        Putting FLU_SHOT+ to sleep when run
        ===================================
        One  of  the  idiosyncrasies  of  DOS is  how  a  batch  file  is
        processed.   Basically,  DOS opens the batch file, reads the next
        command,  closes the batch file,  executes the command,  and then
        starts over again until the batch file is exhausted of commands.

        This would,  normally,  not be a problem, but can become when you
        opt to place the FLU_SHOT command line in your AUTOEXEC.BAT  file
        *and*  you've  opted to Read Protect (with the 'R='  option)  the
        AUTOEXEC  file  itself:   you'll be advised that some program  is
        reading  this  protected file.   Not  a  big  deal,  really,  but
        certainly a hassle when you fist boot up your system.  Therefore,
        protections within FLU_SHOT are not turned on a certain amount of
        time.   The default is set to ten seconds,  or until you enter  a
        key.  You can modify the default "sleep" time by entering a '-Sn'
        option  on the command line,  where 'n' represents the number  of
        eighteenths  of a second (1/18) you wish to have FLU_SHOT+  sleep
        before  becoming  active.    Since  you  will  most  likely  have
        FLU_SHOT+ as one of the final commands in your AUTOEXEC.BAT,  you
        probably won't have to modify this parameter,  but the capability
        exists, nonetheless.







                                       19








        Interpreting a FLU_SHOT+ Trigger
        ================================

        So,  you've run FLU_SHOT+,  and you're at your C> prompt.  Great! 
        Now  stick  a blank disk which you don't care about into your  A:
        drive and try to format it.

        Surprise!   FLU_SHOT+ caught the attempt!  You have three choices
        now:   typing 'Y' allows the operation to continue,  but the next
        one  will be caught as well.   Typing a 'G' (for Go!) allows  the
        operation to continue, disabling FLU_SHOT+ until an exit from the
        program is made.  When FLU_SHOT+ is in the 'G' state,  a 'G' will
        appear in the upper right hand corner of your screen.

        Any other key will cause a failure of the operation to occur.

        When you've got FLU_SHOT+ running and you get signaled that there
        is  a problem,  you should think about what might have caused the
        problem.   Some programs, like FORMAT, or the Norton Utilities or
        PC-Tools,  or DREP have very good reasons for doing direct  reads
        and writes to your hard disk.  However, a public domain checkbook
        accounting program doesn't.   You'll have to be the judge of what
        are legitimate operations and which are questionable.

        There is no reason to write to IBMBIO or IBMDOS, right?

        Wrong!

        When  you  format a disk with the '/S' option,  those  files  are
        created on the target diskette.   The act of creating, opening up
        and  writing  those files will trigger FLU_SHOT+ as part  of  its
        expected  operation.  There are many other legitimate  operations
        which may cause FLU_SHOT+ to trigger.

        So  will  copying a COM or EXE file if you have  those  protected
        with a 'P=' command.   FLU_SHOT+ is not particularly  intelligent
        about  what  is allowed and what isn't.   That's where  you,  the
        pilot, get to decide.

        Here's a fuller listing of the messages which you might see  when
        you're using FLU_SHOT+:


        Checking ===><filename>

        This message is displayed as FLU_SHOT+ checks the checksum on all
        of  the  "C=" files when you first invoke FLU_SHOT+.   The  files
        must  be read in from disk,  their checksum calculated  and  then
        compared against the value you claim the checksum should equal.








                                       20








        If  the checksum does *not* equal what you claim it should (which
        means that the file may have been written to and might  therefore
        be suspect), a window will pop up in the middle of your screen:

        +===============================================================+
        |  Bad Checksum on <filename>                                   |
        |  Actual Checksum is: <checksum>                               |
        |Press "Y" to allow, "G" to go till exit, any other key to exit.|
        +===============================================================+

        This  message simultaneously advises you there is a problem  with
        the checksums not matching, shows you what the checksum should be
        and then awaits your response.

        Except  for the initial run of FLU_SHOT+,  if you type a 'Y' or a
        'G',  then the program will load and execute.   Typing any  other
        key will cause the program to abort and for you to be returned to
        the  C> prompt.   When FLU_SHOT+ is in the 'G' state,  a 'G' will
        appear in the upper right hand corner of your screen.

        If  this  is the initial run of  FLU_SHOT+,  however,  you'll  be
        advised  of  the program's actual checksum,  but  FLU_SHOT+  will
        continue  to  run,  checking  all  remaining "C="  files  in  the
        FLUSHOT.DAT file.



        If you're running a program and you see a screen like:

        +================================================================+
        |  ? WARNING! TSR Request from an unregistered program!          |
        |Number of paragraphs of memory requested (in decimal)  are:<cnt>|  
        |                   (Press any key to continue)                  |
        +================================================================+

        you're being advised that a program is about to go TSR.   If this
        is a program you trust (such as SideKick,  of KBHIT, or a host of
        other  TSR  programs you've grown to know  and  love),  then  you
        should considering installing a "T=" line in the FLUSHOT.DAT file
        so that future runs of this program will not trigger FLU_SHOT+.

        However, if you get this message when running a program you don't
        think  has  any need to go TSR (such as the proverbial  checkbook
        balancing program),  you should be a little suspicious.  Having a
        TSR  program  is  not,  in of and  of  itself,  something  to  be
        suspicious of.   But having one you don't expect --- well, that's
        a different story.

        Most  TSR's  "hook into" an interrupt vector before they go  TSR. 
        These hooks might intercept and process key strokes  ("hotkeys"),
        or  they might hook and intercept direct disk writes  themselves. 
        In  any  event,  FLU_SHOT+  (in this version!) doesn't  have  the
        smarts to do more than advise you of the TSR'ing of the  program. 
        If you're truly suspicious, reboot your machine immediately!



                                       21








        If  a program attempts to write directly to the interrupts  which
        are  reserved for disk writes,  FLU_SHOT+ will also be  triggered
        and you'll see something like:

        +===============================================================+
        |====>Direct Disk Write attempt by program other than DOS! <====|
        |                   (From Interrupt <xx>)                       |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        where  the <xx> represents either a 13 (indicating a direct  BIOS
        write  to  the  disk) or a 26 (indicating a  direct  DOS  write). 
        Again,  pressing a 'Y' or a 'G' allows the operation to continue,
        pressing  any  other  key will cause the operation  to  return  a
        failed status to DOS, and the operation will not take place. When
        FLU_SHOT+  is in the 'G' state,  a 'G' will appear in  the  upper
        right hand corner of your screen.

        If  an  attempt  is made to format your  disk,  which  may  be  a
        legitimate operation made by the DOS FORMAT program, you'll see a
        message such as:

        +===============================================================+
        |          ====>Disk being formatted! Are You Sure?<====        |
        |                                                               |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        which follows similarly to the direct disk write operations.  You
        should  question  whether the format operation is appropriate  at
        the time and take whatever action you think is best.

        If one of your protected files is about to be written to,  you'll
        see a message like:

        +===============================================================+
        |Write access being attempted on:                               |
        | <filename>                                                    |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        where  <filename>  represents the file you're trying  to  protect
        from these write operations.   Your red flag should fly,  and you
        should  question why the program currently running  should  cause
        such an operation.












                                       22








        You may also see the same type of message when one of your "Read-
        Protected" files is being accessed:

        +===============================================================+
        |Read Access being attempted on:                                |
        | <filename>                                                    |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        Again,  the  same red flag should fly,  but it doesn't mean  that
        you're  infected  with some nasty virus  program!   It  could  be
        something harmless or intended.  You'll have to be the judge.

        +===============================================================+
        |Open File with Write access being attempted on:                |
        | <filename>                                                    |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        If you see the above message:  Don't Panic!  When a program opens
        a file,  it may open the file for different types of access.  One
        access method prohibits writing to the file.   Another allows you
        to write to the file.  However, lazy programmers (myself included
        in  this  category from time to time) will often open a file  for
        read  *and* write access,  even though they have no intention  of
        ever doing a write into the file.   FLU_SHOT+ isn;t smart  enough
        to be able to figure out what a program *might* do in the future,
        so  it  will  alert  you  to an attempt  to  open  the  indicated
        protected file with write access allowed.   Again, you'll have to
        consider  whether  the program opening the file  is  a  "trusted"
        program  or  not  and you'll have to then decide what  action  to
        take.

        There  are  three  separate  messages you'll  see  if  a  program
        attempts to rename a protected file (you'll only see one of these
        messages at a time, though):


        +===============================================================+
        |FCB Rename being attempted on source file:                     |
        |FCB Rename being attempted on target file:                     |
        |Handle Rename being attempted on:                              |
        | <filename>                                                    |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        This  indicates what type of operation is attempting to rename  a
        protected file.   FCB's are a relic of the older CP/M  days,  and
        "handles"  are  a newer concept,  a little more modern.   In  any
        event,  this  tells  you that a file is  being  renamed.   It  is
        possible  that a trojan or virus writer will attempt to rename an
        existing  protected  file  to some  other  name,  then  rename  a
        trojaned or virused program in its stead.  FLU_SHOT will alert yu
        to this action:   again, though, you'll have to decide what to do
        about it.


                                       23









        +===============================================================+
        |Delete being attempted on:                                     |
        | <filename>                                                    |
        |Press "Y" to allow, "G" to go till exit, any other key to fail.|
        +===============================================================+

        Pretty  much self-evident as to what's happening here,  there are
        very  few  reasons why one of the files you've opted  to  protect
        should be deleted.

        Finally, you may see a message like:

        +===============================================================+
        |               ====>CMOS has been changed!<====                |
        |                                                               |
        |      Hit "Y" to continue, any other key to restore CMOS.      |
        +===============================================================+

        which indicates that your CMOS has been changed while you weren't
        looking.   Or maybe you were:   if you're running a setup program
        which changes the date or the time,  or the disk type attached to
        your AT class machine,  this message should pop up.   Losing your
        CMOS  is not fatal,  but can be an annoyance.   If you hit a 'Y',
        then  the  new setting of the CMOS will be stored and  you'll  be
        able  to continue,  with alerts to any other change to the  CMOS.
        Any  other  key will result in the original setting of  the  CMOS
        being restored.
        




























                                       24








                          How Good is FLUSHOT+, Really?

        FLU_SHOT+  is  a  pretty handy piece  of  code.   But,  it  can't
        absolutely  protect you from a worm.   No software can  do  that. 
        Discussed  below are some hardware devices which no worm can  get
        through.

        There  are  ways  around  FLU_SHOT+.   I'm  of  two  minds  about
        discussing  them,  since the worms out there are reading it this,
        too.   So I'll only discuss them in passing.   And I'll tell  you
        what I use here to protect myself from worms.   First,  though, a
        little  story to tell you what it's like here,  and how I protect
        myself from getting wormed.

        The  RamNet Bulletin Board System site I run is open  access.  No
        need  to  register,  or to leave your phone  number  or  address,
        although  a  note  to  that effect  is  always  appreciated.   As
        mentioned  above,  I dare the worm to try to affect the  disk  of
        somebody who can fight back.  A couple of of worms have tried and
        I  have a nice collection of Trojans and viruses.   Obviously,  I
        run  FLU_SHOT+ on my board,  along with checking  incoming  files
        with CHK4BOMB.   My procedure for testing out newly uploaded code
        involves  me doing a backup,  installing all sorts of software to
        monitor  what is going on,  and doing a checksum on all files  on
        the  disk.   I then try out all of the code I get,  primarily  to
        determine  if  the code is of high enough quality to  be  posted. 
        After  testing out all of the weeks uploads,  I run the  checksum
        program  again  to determine of any of my files might  have  been
        modified by a worm's virus program.

        Recently,  what looked like a decent little directory lister  was
        posted  to  the  board.   For  some reason I've  yet  to  fathom,
        directory aid programs seem to be the ones which have the highest
        percentage of Trojans attached to them.

        This  directory aid program listed my directories in a  wonderful
        tree  structure,  using different colors for different  types  of
        files.   Nice program.   When it exited, however, it went out and
        looked for a directory with the word "FLU" in it.   Once it found
        a directory with a match in it,  it proceeded to try to erase all
        of the files in that directory.  An assault! No big deal.  That's
        what backups are for.

        But  it  brings  up an interesting point:   I was attacked  by  a
        clever  worm,  and it erased a bunch of files which  were  pretty
        valuable.  All of the protection I had would have been for naught
        if I didn't use the first line of defense from these worms:  full
        and adequate backup.

        I've  spent  three  years of my life  developing  one  particular
        software  package.   Imagine what would have happened if that had
        been erased by a worm!  Fortunately, I make backups at least once
        a day, and usually more frequently than that.  You should, too.

        Now,  I  quarantine that machine as well.   I spent a  couple  of


                                       25








        dollars and bought a bunch of bright red floppy disks.  The basic
        rule  around  here is that Red Disks are the only disks  that  go
        into the BBS machine, and the Red Disks go into no other machine. 
        You see,  I *know* that there is some worm out there who is gonna
        find  some  way  to infect my system.   No matter  what  software
        protection I use, there *is* a way around it.

        You  needn't  be concerned though -- you're making backups  on  a
        regular basis, right?  And, you aren't asking for trouble.  I am,
        I  expect to find it,  and it is sort of amusing to see what  the
        worms out there are wasting their efforts on.

        At this point,  Trojans and Viruses are becoming a hobby with me:
        watching what the worms try to do,  figuring out a way to  defend
        against it, and then updating the FLU_SHOT series.

        However, there is a possibility that the FLU_SHOT series (as well
        as  other  protection  programs which are just as  valuable)  are
        causing  an escalation of the terms of this war.   The worms  out
        there are sick individuals.   They must enjoy causing the  damage
        they  do.   But they haven't the guts to stand up and actually do
        something  in  person.   They  prefer to hide behind  a  mist  of
        anonymity.

        But  you  have  the ultimate  defense!   No,  not  the  FLU_SHOT+
        program.

        FULL AND ADEQUATE BACKUPS!

        There  are a variety of very good backup programs which can  save
        you more work than you can imagine.  I use the FASTBACK+ program,
        which  is  a great little program.   I backup 30Megs  once  in  a
        while,  and  do  an incremental backup on a very frequent  basis. 
        There are a variety of very good commercial,  public domain,  and
        shareware  backup programs out there.   Use  them!   Because,  no
        matter what software protection you use, somebody will find a way
        around  it  once  day.   But they can't find a  way  around  your
        backups.   And,  if  you (and everyone else) do regular  backups,
        you'll  remove  the only joy in life these worms  have.   They'll
        kill  themselves,  hopefully,  and an entire subspecies  will  be
        wiped out -- and you'll be partially responsible!

        My  advance  thanks  for  helping  to  exterminate  these  little
        slimebuckets.  But that brings me to something else.













                                       26








                                 Reward Offered

        Somebody out there knows who the worms are.   Even they must have
        someone  who  is a friend.  True,  I can't think  of  any  reason
        someone  would  befriend a worm.   But somebody who doesn't  know
        better has.

        Well,  I'm  offering a reward for the capture and  conviction  of
        these worms.

        Enough   already  with  software  protection  schemes,   hardware
        protection schemes,  or any protection at all.   It shouldn't  be
        required, dammit!

        Here's the deal:

        In  this  archive  is a form  called  REWARD.FRM.   If  you're  a
        software  or hardware manufacturer,  or you have some software or
        hardware  you don't need,  consider filling out  that  form,  and
        donating  it to a worthy cause.   I don't know what the legal and
        tax  ramifications of that donation would be.   I'm not a  lawyer
        and we can cross that bridge when we get to it.

        Anyway,  if you know one of these worms,  turn them in!   Call me
        up, send me a letter, a telegram, or leave a message for me on my
        BBS.   Indicate who you *know* is worming about.   I'll keep your
        name confidential.

        It  is  surprisingly easy to get the authorities in  on  this  --
        they're  as concerned about what is happening to our community as
        we are.   I'll presume that they'll end up putting a data tap  on
        the phone line of the accused worm.  Then, when he next uploads a
        Trojan  or a virus to a BBS,  he'll get nailed.   The authorities
        are pretty good about this stuff: they'll not tap a phone or take
        any action whatsoever without adequate proof.  Will your dropping
        a dime on this worm be adequate proof?   I don't know.   Again, a
        bridge to cross when we approach it.

        However, assuming that this slimeball gets nailed, you'll get all
        of the software and hardware which other people have donated. And
        the  satisfaction of knowing that you've done a Good Thing,  that
        you've  helped an industry and community continue to grow.   This
        *is*  your community,  and the vast majority of people in it  are
        good  people who shouldn't have to fear from your  friend.   Your
        friend  is  not really a friend:  he uses you to justify his  own
        existence.   When  someone  uses you like  that,  they're  not  a
        friend,  they're a leach.   And you've probably got better things
        to do then let somebody use you like that.

        Most  importantly,  the worm out there won't know if one  of  his
        friends has already turned him in.  So he won't know if his phone
        is  tapped.   If *I* were a worm,  and considering what  kind  of
        friends I would have, I'd be sure that somebody dropped a dime on
        me.   And  therefore an intelligent worm (perhaps I'm giving  the
        worm too much credit?) must presume that their line is tapped and


                                       27








        that  they're  gonna  go to jail if they  continue  what  they're
        doing.

        So just stop, you miserable little lowlife, huh?  You're going to
        be  arrested.  You're  going to have to put up  with  indignities
        which   even   you  don't  deserve!    Your  equipment  will   be
        confiscated.   You'll  never get a job in the  industry.   You're
        going to go to jail. 

        All  because  one of your friend's actually has a conscience  and
        knows what is right and what is wrong.   And what you're doing is
        wrong.

        So,  let  me  get  back to the kind of  programming  I  enjoy  --
        productive  programming.   And  turn your programming to  useful,
        interesting,  and productive programming.  You have the talent to
        do something useful and good with your life.   What you're  doing
        is  hurting  the industry and hurting the community  which  would
        welcome someone with your talents with open arms.

        And  the satisfaction of helping far surpasses  the  satisfaction
        you must get from hurting innocent people.

        So just stop.


        Sincerely, Ross M. Greenberg






























                                       28





