AIDS Trojan update

Gary Williams x3294 gwilliam at mrc-crc.ac.uk
Tue Dec 19 11:40:57 EST 1989


This is a collection of 8 messages on VIRUS-L and other bulletin boards
giving descriptions of the internals and *FREE FIXES* for the AIDS Trojan.

My apologies for clogging up the network to those of you who have not been
hit by the AIDS Trojan, and to those who have already read these messages
on other networks.

Gary Williams

Computing Services Section,		 Janet:       G.Williams at UK.AC.CRC
MRC-Clinical Research Centre,		 Elsewhere:   G.Williams at CRC.AC.UK
Watford Rd, HARROW, Middx, HA1 3UJ, U.K. EARN/Bitnet: G.Williams%CRC at UKACRL
Tel 01-869 3294    Fax 01-423 1275       Usenet: ...!mcvax!ukc!mrccrc!G.Williams

==========================================================================


   NATIONAL PUBLIC DOMAIN                       Micro Software Newsletter
SOFTWARE ARCHIVE AT LANCASTER                   Volume 6 Number 24     14/12/89

   Editor: Steve Jenkins
--------------------------------------------------------------------------------
Special Edition

TROJAN ALERT - "AIDS Information Diskette"

--------------------------------------------------------------------------------

From: National PD Software Archive <syspds>
Date: Thu, 14 Dec 89 15:15:00 GMT
Subject: TROJAN ALERT - "AIDS Information Diskette"

This news got to us just too late for the last newsletter, so we've prepared
this special edition. It's of relevance to IBM PC users only.

There are a large number of reports that a virus-infected disk has been sent
out to people on the "PC Business World" mailing list (and maybe to others?).
The disk is labelled "AIDS Information - Introductory Diskette Version 2.0" and
claims to come from PC Cyborg Corporation.

There are a couple of sheets of information with it, one of which contains a
long license agreement in small type. It states that you must pay a large
amount of money to PC Cyborg Corporation; that they reserve the right to take
program actions to stop unlicensed use of the program; and that your computer
will "stop working normally" if you don't pay the fee.

If you do run the software, it apparently modifies some directories and
modifies AUTOEXEC.BAT.  On the 99th time the machine is booted subsequently,
all the files on the disk are destroyed.

The moral would seem to be to approach this disk with extreme caution.
PC Business World have released an antidote to the virus (the contact there
is Robert Walczy, 01-381-9252). It's available on NPDSA as
micros/ibmpc/e421/e421aids.boo - the program is supplied in good faith,
but has not been used here. Source in QuickBASIC is included with the
executable.

The author of the program notes in the source that the AIDS disk does not
appear to do any lasting damage (presumably if you catch it before the 100th
reboot), and that the program satisfactorily makes repairs.

--------------------------------------------------------------------------------
To receive this Newsletter by electronic mail, send a request to us at one of:

       JANET :    pdsoft at uk.ac.lancs.pdsoft
       PSS   :    pdsoft @ 234223519191.JANET.00001040300096.FTP.MAIL
       BITNET:    pdsoft%uk.ac.lancs.pdsoft at ukacrl
--------------------------------------------------------------------------------

----- Begin Included Message -----

>From davidf at uk.ac.hw.cs Thu Dec 14 17:51:59 1989
Via:  uk.ac.crc; Thu, 14 Dec 89 17:51:56 GMT
Return-Path: <davidf at uk.ac.hw.cs>
Via:        heriot-watt.cs    ; 14 Dec 1989 17:51:53-GMT
Received: from odin.cs.hw.ac.uk (odin) by brahma.cs.hw.ac.uk; Thu, 14 Dec 89
 17:44:24 GMT
From: David.J.Ferbrache <davidf at uk.ac.hw.cs>
Date: Thu, 14 Dec 89 17:42:59 GMT
Message-Id: <19645.8912141742 at odin.cs.hw.ac.uk>
To: uk-virus-l at uk.ac.hw.cs.brahma
Subject: AIDS Trojan Horse Report
Sender: uk-virus-l-request at uk.ac.hw.cs
Status: RO


A summary report of the AIDS trojan horse is enclosed below, this was
received from Sophos and is forwarded with permission.

                -  D.Ferbrache, VIRUS-l support -

AIDS Disk through the post

Report by Dr J Hruska, Sophos Ltd, 0844 292392

Compiled on Wednesday 13th December 1989, 22:30

Throughout the report $ means the non-printing hex character ff

1 Introduction

On 11th December some 7 thousand envelopes 135x135mm were posted in London,
stamped first class (20p). They contain a 5 1/4" floppy disk marked "AIDS
information version 2.00", and an instruction leaflet printed on blue paper
with american spelling. The instruction leaflet induces the user to insert
the disk and install the package. The reverse of the leaflet has the
license agreement which requests the user to send US dollars 189 for using the
software. The agreement threatens unspecified action if that fee is not paid
("Most serious consequences may haunt you for the rest of your life; you will
owe compensation ...")

The labels (36mm x 81mm) on the front of the envelopes are printed on a
line-printer. Some reports suggest that the mailing list was obtained from the
PC Business world.

2 Installing the software

The disk contains two files; AIDS.EXE (172562 bytes 07-08-89 10:40am) and
INSTALL.EXE (146188 bytes 28-09-89 4:28pm). When INSTALL is run, it transfers
AIDS.EXE to the hard disk, copies the original AUTOEXEC.BAT into AUTO.BAT,
inserting a REM comment at the beginning ("PLEASE USE THIS FILE ... ") and
creates another AUTOEXEC.BAT which contains a REM comment "PLEASE USE THE
AUTO.BAT file ... " and invokes the AUTO.BAT file. Both AUTOEXEC.BAT and
AUTO.BAT are marked read only.

Note that the REM comment in the AUTOEXEC.BAT file is preceeded by the CD$
statement, where $ is the hex character FF. If this file is typed (and not
dumped), it does not look unusual.

Dump of AUTOEXEC.BAT
65 63 68 6f 20 6f 66 66   0d 0a 43 4a 0d 0a 63 64  echo off  ..C:..cd
5c ff 0d 0a 72 65 6d ff   20 50 4c 45 41 53 45 20  \...rem.   PLEASE
55 53 45 20 54 48 45 20   61 75 74 6f 2e 62 61 74  USE THE   auto.bat
20 46 49 4c 45 20 49 4e   53 54 45 41 44 20 4f 46   FILE IN  STEAD OF
20 61 75 74 6f 65 78 65   63 2e 62 61 74 20 46 4f   autoexe  c.bat FO
52 20 43 4f 4e 56 45 4e   49 45 4e 43 45 20 ff 0d  R CONVEN  IENCE ..
0a 61 75 74 6f 2e 62 61   74 0d 0a 1a              .auto.ba  t...

Two hidden directories ($ and $$$ $$$ where $ is Hex ff) are created

The first subdirectory ($) contains a REM$.EXE ($ is Hex ff) which is
a copy of INSTALL.EXE from the floppy disk.

The second subdirectory ($$$ $$$) contains a subdirectory $$ $$$$ which
contains a subdirectory $$$$ $$ which contains:

ERROR IN.THE         Directory (empty)
and files of 7, 6, 50401, 1 and 18 bytes

As part of the installation the user is asked to switch the printer on and an
'invoice' is printed, bearing the "Important reference numbers", A32988-1922662
in the case of the examined disk. These reference numbers are randomly generated
values and vary from installation to installation - the floppy disk is written
to during installation. The invoice gives the address in Panama where
payment should be sent "PC Cyborg Corporation, PO Box 87-17-44, Panama 7,
Panama".

3 RUNNING AIDS.EXE

When AIDS.EXE is run it appears to be a legitimate program giving information
on AIDS and assessing the user's risk group after asking him/her to fill in
a questionnaire.

4 INVESTIGATING THE SOFTWARE FOR SIDE EFFECTS

The program AIDS.EXE was examined for the presence of known viruses and none
were found.

All files on the hard disk where checksummed before running AIDS.EXE, the
package was run and checksums rechecked. Nothing changed.

Things do change when AUTOEXEC.BAT is executed. A counter in the second
subdirectory is incremented every time AUTOEXEC.BAT is executed.

When the system has been bootstrapped approximately 100 times (ie REM$ -
see above) the damage sequence occurs. (Virus bulletin report this value
to be highly variable)

"Please wait 30 minutes during this operation. WARNING- do not turn off the
computer because you will damage the files on the hard disk drive. You will
receive more information later". On the test machine this took some 5 minutes.

"Sorry for the long delay .. still processing ... please wait" is displayed
for 2 minutes.

"Please wait during this operation. Warning, do not turn off the computer
while the hard disk is working. A flashing hard disk access light means;
WAIT!". This goes on for seemingly indefinitely (I waited 30 minutes), while
the disk heads seem to be repeat the same movement.

When this operation was aborted, the hard disk directory file names were
completely scrambled and marked hidden. The only non-hidden file was
CYBORG.DOC which is reproduced below:

  If you are reading this message, then your software lease
  from PC Cyborg corporation has expired. Renew the software
  lease before using this computer again. Warning: do not
  attempt to use this computer until you have renewed your
  software lease. Use the information below for renewal.

Dear Customer:

It is time to pay for your software lease from PC Cyborg corporation.
Complete the INVOICE and attach payment for the lease option of your choice.
If you don't use the printed invoice, then be sure to refer to the important
reference numbers below in all correspondence. In return you will receive:
a renewal software package with easy to follow, complete instructions;
an automatic, self-installing diskette that anyone can apply in minutes.

The price of 365 user applications is US$189. The price of a lease for the
lifetime of your hard disk is US$378. You must enclose a bankers draft,
cashiers check or international money order payable to PC CYBORG CORPORATION
for the full amount of $189 or $378 with your order. Include your name,
company, address, city, state, country, zip or postal code. Mail your order
to PC Cyborg Corporation, PO Box 87-17-44, Panama 7, Panama.

6 DEALING WITH THE PROBLEM

IF YOU HAVE INSTALLED THE SOFTWARE

It is unlikely that you will have reached the trigger point (bootstrapping
the computer 100 or so times), so your disk is still safe, BUT YOU MUST
ACT IMMEDIATELY. Do not attempt the following unless you know how to use the
appropriate tools.

The most important thing is to remove the counter incrementing statements
in AUTOEXEC.BAT and AUTO.BAT. First remove the read only attributes from the
files AUTOEXEC.BAT and AUTO.BAT.

Delete AUTOEXEC.BAT and rename AUTO.BAT as your old AUTOEXEC.BAT. Remove the
first 3 lines of AUTOEXEC.BAT to restore it to the previous form. Remove
AIDS.EXE from the root directory.

You have now removed the incrementing code and can worry about removing the
rest later.

Enter the first subdirectory and remove REM$.EXE, exit the directory and
remove it.

Enter the second subdirectory, remove read only attributes from all
files and remove the files and ERROR IN.THE subdirectory. Step one
directory back and remove ( the now empty) subdirectories. Repeat until
root is reached.

If the above removal procedure does not make sense, please seek help.
Do not use your computer until you do, and only bootstrap it from a
floppy disk.

Sophos Ltd, Haddenham, Aylesbury, HP17 8JD
0844-292392


------------------------------------------------------------------------------
Dave Ferbrache                            Internet   <davidf at cs.hw.ac.uk>
Dept of computer science                  Janet      <davidf at uk.ac.hw.cs>
Heriot-Watt University                    UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom                 Facsimile  +44 31-220-4277
EH1 2HJ                                   BIX/CIX    dferbrache
------------------------------------------------------------------------------

----- Begin Included Message -----

Date:    Wed, 13 Dec 89 16:09:36 +0000
From:    Alan Jay <alanj at IBMPCUG.CO.UK>
Subject: Re: AIDS DISK UPDATE (I)

			AIDS INFORMATION DISK
			=====================


The latest on this is as follows:

If you have run this disk contact ROBERT WALCZY at PC Business World
on 01-831 9252 they have a FREE disk that combats the effects of the
disk and they will send a copy to users effected.

Either call Robert of FAX him on 01-405 2347 with your name and address.

The disk should be available in the next day or two.

The program will be available on CONNECT (01-863 6646) for download as
soon as it has been tested.


=======================================================================


The AIDS disk when installed creates a number of hidden files and
directories.  You can remove these files by running the program
mentioned above or by using the Norton Utilities, PC Tools or equivalent
program.

The files that are hidden include a new AUTOEXEC.BAT and a number of
other files and directories that contain characters that can not be
accessed by standard DOS commands.  You will need to rename the files/
directories before they can be deleted.


This information will be updated as we learn more about the disk.


Alan Jay -- The IBM PC User Group -- 01-863 1191.

------------------------------
------------------------------

Date:    Wed, 13 Dec 89 18:26:57 +0000
From:    Alan Jay <alanj at IBMPCUG.CO.UK>
Subject: Re: AIDS -- UPDATE II -- What can you do.

				AIDS INFORMATION DISK
				=====================

Update 2  13-Dec-1989 6pm

IF you have not run this disk DO NOT INSTALL it appears to be a very
cleverly written TROJAN program that can be activated by a number of
methods.  Currently the activation method that has been detected uses
a counter of the number of system reboots.  When the counter gets to
90 the system goes into a second phase and encrypts files and
directories on your hard disk.

The program appears to have a number of embelisments that makes one
think that the front door we have been shown MAY not be the only
method that the system uses for deciding when to activate.  This
is a very nasty program and the only 100% safe thing to do is to
backup all DATA files and perform a full reformat of your hard disk.

Followed by a reinstallation of all DATA, from your backup, and
programs from original system disks (or backup prior to installing
this software).

This should only be attempeted once at least TWO copies of all
valuable data have been extracted from the system.  Please remember to
boot your system off an original DOS disk before starting this
procedure.

Full details of the suggested procedure will be posted tomorrow.

Alan Jay

Readers who do not wish to follow this route may be interested to
in the folowing information about the primary activation system.

1)  A hidden 'ACTOEXEC.BAT' file contains

CD \<ALT255>
REM<ALT255>

	it then runs your AUTOEXEC.BAT which the program renamed AUTO.BAT

2) A hidden subdirectory <ALT255> contains a file REM<ALT255>.EXE

Each time the system is booted the program is run and the counter
incremented/decremented.  After 90 activations the system enters phase
TWO.

Please note that the system uses the <ALT255> character 'hi space' in the
file names to stop standard DOS procedures acting on these files.


IT MAY be possible to delete these entries and thereby disable the
program this is NOT certain and it will take several months to discover
if this is a safe course of events to take.

I hope that this information helps.  I also understand that this is in the
hands of the Fraud Squad / Computer Crime Division of the Metropolitan
Police.  If you have any further information I am sure that they would
be interested to here from you.


Alan Jay -- IBM PC User Group -  01-863 1191

------------------------------

Date:    Wed, 13 Dec 89 16:58:52 -0800
From:    Alan_J_Roberts at cup.portal.com
Subject: AIDS Trojan Update (PC)

This is a forward from John McAfee:

     A lot more has been discovered about the AIDS Information
Trojan in the past 24 hours.  First, the diskette does not
contain a virus.  The install program does initiate a counter,
and based on a seemingly random number of re-boots, the trojan
will activate and destroy all data on the hard disk.  The
diskette was mailed to at least 7,000 corporations, based on
information obtained from CW communications - one of the magazine
mailing label houses used by the perpetrators.  The perpetrator's
initial investment in disks, printing and mailing is well in
excess of $158,000 according to a Chase Manhattan Bank estimate
that was quoted in a PC Business World press release from
London.  The bogus company that sent the diskettes had rented
office space in Bond Street in London under the name of Ketema
and Associates.  The perpetrators told the magazine label
companies that they contacted that they were preparing an
advertising mailer for a commercial software package from
Nigeria.  All offices had been vacated at the time of the
mailing, and all addresses in the software and documentation are
bogus.
     The Trojan creates several hidden subdirectories -- made up
of space and ASCII 255's  -- in the root of drive C.  The install
program is copied into one of these and named REM.EXE.  The
user's original AUTOEXEC.BAT file is copied to a file called
AUTO.BAT.  The first line of this file reads -- "REM Use this
file in place of AUTOEXEC.BAT for convenience".  The installation
also creates a hidden AUTOEXEC.BAT file that contains the
commands:

          C:
          CD \
          REM  Use this file in place of AUTOEXEC.BAT
          AUTO

     The CD \ actually contains ASCII characters 255, which
causes the directory to change to one of the hidden directories
containing the REM.EXE file.  The REM file is then executed and
decrements a counter at each reboot.   After a random number of
reboots, the hard disk is wiped clean.  Definitely a new
approach.
     So far the mailings appear to be limited to western Europe.
No reports have been received from the U.S.  If anyone does have
the diskette, or has already run the install program, a
disinfector has been written by Jim Bates and is available on
HomeBase for free download.  408 988 4004.  The name of the
disinfector is AIDSOUT.COM.

John McAfee

----- Begin Included Message -----

Date:    Thu, 14 Dec 89 11:14:39 +0000
From:    Alan Jay <alanj at IBMPCUG.CO.UK>
Subject: AIDS disk information (PC)

The following, written by Alan Solomon, gives details of the AIDS
Information Disk sent out by PC-CYBORG and gives a method for
restoring your disk to its former state.  Remember if you have not run
this disk DO NOT run it.

This information is believed to be correct BUT the program appears to be
very clever and therefore we suggest that you must be very careful in
carring out any of the followig instructions.

Alan Jay  -- IBM PC User Group -- 01-863 1191


PRELIMINARY INFORMATION ON THE "AIDS" DISKETTE FROM PC
CYBORG CORPORATION.

This is bulletin number AS/3


You will probably have read in the press about the AIDS diskette, a
diskette that was mailed out to a great subscribers to PC Business
World (through absolutely no fault of the magazine's).  This diskette
is a trojan - DO NOT RUN IT.

It is a diskette that was sent through the post, unsolicited, and
claiming to be a program that gave you useful information about the
AIDS disease.  The accompanying licence was abit suspicious, so many
people didn't run it (it threatened to do dire things to your computer
if you didn't pay for the software).

We've done a preliminary analysis on it, and it works like this.  If
you run the INSTALL program, it creates two subdirectories with
"impossible" names on the hard disk - one of these has a one-character
name, and that character is [Alt-255] (hexadecimal FF).  In that
subdirectory , it puts a program called REM[Alt-255] .EXE.  The
[Alt-255] character is invisible.  It copies your AUTOEXEC to a file
called AUTO.BAT, and puts an Echo off and a REM statement in front.
It creates a new AUTOEXEC.BAT file, and makes it hidden and readonly.
In that AUTOEXEC, it does a "CD \[Alt255]" and then "REM[Alt-255]"
followed by a plausible-looking remark.

After you run the AUTOEXEC, and therefore the REM [Alt-255] program, a
number of times (we triggered it with 90, but this is only a
preliminary result, and it may be triggerable with fewer or more), the
damage routine is triggered.  This would usually happen when the
machine has been booted that many times.  A series of messages are put
up on the screen, aimed at persuading you not to switch off, and the
trojan then encrypts your directory and makes all the files hidden
except one called CYBORG.DOC.

If you then boot from the hard disk, it tells you that a software
licence has expired, and tells you to renew it - another request for
money.  If you do a Ctrl-Alt-Del, it fakes a reboot, and pretends to
be running the Dos prompt - actually, a program is now running which
fakes Dos.  If you do a DIR, it shows you the unencrypted filenames,
followed by a warning not to use the computer.  it tells you that you
must renew the lease in the software.  Any other command, it also
fakes a response to, and shows you the same message.

It also has a routine that could be called the SHARE routine.  When
this runs, it tells you that you can have 30 more applications of the
program if you follow it's instructions.  It tells you to put a blank
formatted floppy in drive A, and it then copies files onto it.  Then
you are asked to put the diskette in another computer and type
A:SHARE.  We're still pursing this path.

It may also do other damage - we're still investigating, but what
we've found so far is enough to make me want to issue an urgent
warning.

If you've already installed it, remove it.  You can do this
temporarily by making the AUTOEXEC.BAT file (in the root directory)
read/write, and non-hidden, which you can do using one of a number of
utilities.  Then delete the AUTOEXEC.BAT.  This disables the trojan
lines that the install program put in.  This APPEARS to deal with the
trojan, but since there is a lot of deep stuff going on, we would not
assume that it actually does fully deal with it.

Our recommendation at this point in time, is based on the fact that
this thing is doing some pretty deep work on the disk, and since it
contains a lot of code, it will be a long time before it is completely
understood.  So as of now, our suggestion is:

First, switch off the computer, put a known CLEAN DOS diskette in
drive A, and switch on again.  This makes sure that the trojan has no
control.  Back up all your data files using a file-by-file backup.
Format the disk, reload all your executables from known clean
diskettes, and restore the data files.  You should take two backups,
in case the first one fails to restore.

If you haven't installed it, don't and tell everyone else not to.  The
police have been brought into this case; if you wish to make a formal
complaint to the Computer crime unit, please contact Detective
Sergeant Donovan on 01-725 2434.  Also, contact him if you have any
useful information.

If you want more information about this trojan, it will be covered in
full in Virus Fax International - please call if you want to know more
about this.

Please note that the information has been got out quickly as possible,
and is therefore subject to change in the details.

ALAN SOLOMON

------------------------------

Date:    Thu, 14 Dec 89 13:31:49 +0000
From:    Martin Ward <martin at EASBY.DURHAM.AC.UK>
Subject: Re AIDS disk (PC)

I feel that I should point out that the effects of this disk are
entirely in accordance with the standard warrenty used by most
commercial software developers (the ones which disclaim that the
programs are fit for any purpose at all, that XXX will disclaims all
responsibility for any damage or loss caused etc.) Either these
warrenties are ILLEGAL or the perpetrators of this disk are entirely
within their legal rights to do what they have done. Does anyone (eg a
lawyer) know which is the case?

			Martin.

My ARPANET address is:  martin%EASBY.DUR.AC.UK at CUNYVM.CUNY.EDU
OR: martin%uk.ac.dur.easby at nfsnet-relay.ac.uk  UUCP:...!mcvax!ukc!easby!martin
JANET: martin at uk.ac.dur.easby    BITNET: martin%dur.easby at ac.uk

------------------------------

Date:    Thu, 14 Dec 89 18:02:03 +0000
From:    Matthew Moore <teexmmo at isis.educ.lon.ac.uk>
Subject: Re: Update on AIDS Trojan (PC)

This afternoon I was one of a small team which successfully tracked
down the method of invocation of the Aids trojan, on a pc clone which
was infected, but not devastated.

Definition : <255> = the ascii character 255 , aka  hex FF

The program is called:                     rem<255>.exe
(ie 4 char filename which shows as 3)

It resides in a hidden directory called:   \<255>
(ie a 1 char filename)

It is invoked by two lines in the autoexec.bat file :-

cd \<255>                    (which if course usually looks like : cd \ )
rem<255> some statement      (which looks like : rem  some statement)

There two additional features worth noting:-

i)  there is another root level hidden directory, also using a nonprintable
    character (I dont know which), containing further hidden subdirectories
    to four levels down, and at the bottom are files which appear to contain
    data from elsewhere on the disk, and sundry other info.

ii) there is a red herring in the autoexec.bat file.
    Underneath the two statements listed above, the line 'auto.bat'
    followed by an EOF (^Z).
    The file \auto.bat contains the original autoexec.bat

Presumably, it would be stopped by removing or renaming \<255>\rem<255>.exe
and reverting to a clean auotexec.bat .

(Corrections to this presumption welcome!)

- --
mjm at cu.neur.lon.ac.uk                   | Post: Computing & Statistics Unit
JANET   :  mjm at uk.ac.lon.neur.cu        |       Institute of Neurology
INTERNET: try mjm%cu.neur.lon.ac.uk     |       Queen Square, London, WC1
Phone   : 01-837-5141                   |       London   WC1 3BG

=========================================================================
End of AIDS Trojan update.

Gary Williams

Computing Services Section,		 Janet:       G.Williams at UK.AC.CRC
MRC-Clinical Research Centre,		 Elsewhere:   G.Williams at CRC.AC.UK
Watford Rd, HARROW, Middx, HA1 3UJ, U.K. EARN/Bitnet: G.Williams%CRC at UKACRL
Tel 01-869 3294    Fax 01-423 1275       Usenet: ...!mcvax!ukc!mrccrc!G.Williams









More information about the Bioforum mailing list