AIDS Trojan final update

Gary Williams x3294 gwilliam at mrc-crc.ac.uk
Wed Dec 20 07:03:16 EST 1989


Here is the latest selection of messages on the AIDS Trojan from the
VIRUS-L bboard.  I'll stop sending them now unless I get any more
requests, or a fix program(s) is produced for machines that have had
their disks encrypted.

Gary Williams

Computing Services Section,		 Janet:       G.Williams at UK.AC.CRC
MRC-Clinical Research Centre,		 Elsewhere:   G.Williams at CRC.AC.UK
Watford Rd, HARROW, Middx, HA1 3UJ, U.K. EARN/Bitnet: G.Williams%CRC at UKACRL
Tel 01-869 3294    Fax 01-423 1275       Usenet: ...!mcvax!ukc!mrccrc!G.Williams

==================================================================

Date:    Thu, 14 Dec 89 15:17:28 -0800
From:    Alan_J_Roberts at cup.portal.com
Subject: AIDS Trojan Update (PC)

A forward from John McAfee:

	Our investigation has turned up surprise: PC Cyborg
Corporation has indeed been registered in the country of Panama.  The
registration date was 04-12-89, legal deed #16653.  The resident agent
for due process is listed as Lucia Bernal.  The directors are: Kitain
Mekonen, Asrat Wakjira and Fantu Mekesse.  Since the names of the
directors are all West African, it appears that the story told by
Ketema Corporation about representing a Nigerian software firm may be
close to the truth.  The story unfolds.
	We still have no verified reports of mailings to the U.S.
Let's hope we continue to have none.  Needless to say, if anyone does
receive the AIDS diskette, do not use it.

John McAfee

------------------------------

Date:    15 Dec 89 11:04:05 +0000
From:    Chris Moss <cdsm at sappho.doc.ic.ac.uk>
Subject: Re: Major Trojan Warning (PC)

Alan_J_Roberts at cup.portal.com writes:
>This is an urgent forward from John McAfee:
>
>     A distribution diskette from a corporation calling itself
>PC Cyborg has been widely distributed to major corporations and
>PC user groups around the world and the diskette contains a
>highly destructive trojan.

Further information from the London "Independent" newspaper 15 Dec
bylined by Science Editor Tom Wilkie, titled 'Trojan' threatens 10,000
computers:

Fears are growing that more than one mailing list was used
todistribute the "Aids Information" computer diskette which is
damaging computers.

Police said yesterday that they had been "inundated" by thousands of
complaints about the disk, which they believe may have been
distributed to more than 10,000 addresses in Britain. There are also
unconfirmed reports tha delegates to an Aids conference in Sweden have
been sent copies of the diskette from London.

Experts estimate that the cost of the operation must run to between
8,000 and 10,000 pounds.

..

According to Dr Alan Solomon, a leading expert on computer security,
the program counts the times a user switches on the machine.

After about 90 startups, Dr Solomons said, the damage routine is
triggered. The program encrypts the names of all files held on the
hard disks and "hides" them. This means that the computer's normal
operating software is unable to find anything except one file,
"CYBORG.DOC" which contains a demand for payment.

According to Steve Robinson of the software company Insoft, the damage
routine may be triggered on some machines almost as soon as the
program is run.  ...

>In addition, the British magazine "PC Business World" has
>included a copy of the diskette with its most recent publication

 (I do not confirm the truth of this assertion, but the article continues)

PC Business World has produced an "Aidsout" program, written by virus
hunter Jim Bates, on a disk which the magazine will distribute free to
victims.  The program is also available on "Connect" the IBM PC User
Group bulletin board.

.. (various other symptoms)

Experts agree the program is so big and cleverly written that it will
take months to tease out all the things it may do.  For that reason,
users should remove all trace from machines as soon as possible.

For free information send a SAE to: IBM PC User Group, PO Box 360,
Harrow HA1 4LQ; or Dr. Alan Solomon, S and S, Watermeadow, Chesham,
Bucks, HP5 1LP.

-----------------------------


Date:    Sat, 16 Dec 89 10:24:58 -0800
From:    Alan_J_Roberts at cup.portal.com
Subject: AIDS Trojan Update #3 (PC)

This is a forward from the HomeBase BBS:

AIDS TROJAN UPDATE   Santa Clara, California.   December 16, 1989

     Our reports of the AIDS trojan over the past three days have
been sporadic, incomplete and conflicting.  Much of the
confusion, as we are now beginning to understand, stems from the
fact that the architecture of this trojan is orders of magnitude
more complex and interwoven than any PC based virus or trojan
yet encountered.  No one has yet successfully disassembled this
trojan, nor will they for some time to come.  The two EXE files
comprising the trojan diskette represent over 320K of compiled
Microsoft Basic code, much of it encrypted.  The trojan evolves
over time and uses multiple steps to create hidden and
interrelated directories, DOS shell routines and self modifying
utilities.   Numerous techniques have been employed by the
architects to avoid detection, analysis or tampering.  The
dissection is like peeling an onion with a paper clip.
     At this point, however, having used live trials of five
different samples of the mailing diskette, we have bounded the
beast and have at least uncovered the main elements of the
underlying structure.  We've learned enough to know that a
system can be recovered after the bomb goes off (albeit using
brute force), and we have a program that can disarm the trojan if
caught before activation.  A brief outline follows:

Activation:
     All of our samples consistently and repeatedly activated
after exactly 90 reboots of the system, from the time the install
program was executed.  This agrees with Dr. Solomon's
observations of two additional samples.  An anomaly that cannot
be explained is that more than a dozen verified cases reported
activation after the first reboot.  Did the designers include a
few copies that would activate prematurely as a warning?  Is
there a bug somewhere in the install or count routine?  This is a
question that needs answering.

Installation:
     Installation requires an average of 90 seconds.  A point
that has not been mentioned before, is that a reference number is
prominently displayed during installation.  The instructions are
to include this reference number when registering the program.
After activation, the same reference number is again displayed,
with clear instructions to include the number on all
correspondence.  Could this be used in some way during the
encryption/decryption process?  An example 12 digit reference
number is: A9738-1655603-.
     The Trojan creates several hidden subdirectories -- made up
of space and ASCII 255's  -- in the root of drive C.  The install
program is copied into one of these and named REM.EXE.  The
user's original AUTOEXEC.BAT file is copied to a file called
AUTO.BAT.  The first line of this file reads -- "REM Use this
file in place of AUTOEXEC.BAT for convenience".  The installation
also creates a hidden AUTOEXEC.BAT file that contains the
commands:

          C:
          CD \
          REM  Use this file in place of AUTOEXEC.BAT
          AUTO

     The CD \ actually contains ASCII characters 255, which
causes the directory to change to one of the hidden directories
containing the REM.EXE file.  The REM file is then executed and
decrements a counter at each reboot.

Activation:
     After 90 reboots, a message appears in the center of the
screen:

          The software lease for this computer has expired.  If
          you wish to use this computer, you must renew the
          software lease.  For further information turn on the
          printer and press return.

     When the return key is pressed, the following document is
printed on the printer:

          "If you are reading this message, then your software
lease from PC Cyborg Corporation has expired. Renew the software
lease before using this computer again. Warning: do not
attempt to use this computer until you have renewed your
software lease. Use the information below for renewal.

 Dear Customer:

 It is time to pay for your software lease from PC Cyborg
Corporation.  Complete the INVOICE and attach payment for the
lease option of your choice. If you don't use the printed
INVOICE, then be sure to refer to the important reference numbers
below in all correspondence. In return you will receive:
 - a renewal software package with easy-to-follow, complete
instructions;  - an automatic, self-installing diskette that
anyone can apply in minutes.

 Important reference numbers: A9738-1655603-

 The price of 365 user applications is US$189. The price of a
lease for the lifetime of your hard disk is US$378.  You must
enclose a bankers draft, cashier's check or international money
order payable to PC CYBORG CORPORATION for the full amount of
$189 or $378 with your order. Include your name, company,
address, city, state, country, zip or postal code. Mail your
order to PC Cyborg Corporation, P.O. Box 87-17-44, Panama 7,
Panama.

After this document is printed, the following warning appears:

          Please wait thirty minutes during this operation.  Do
          not turn off the computer since this will damage your
          system.  You will be given instruction later.  A
          flashing hard disk access light means WAIT!!!!!

This message remains displayed for up to an hour and a half on
some machines while heavy disk activity continues.

The Results:
     At the end of the disk activity, a new file appears at the
root of drive C called CYBORG.DOC.  The contents of the file are
the above instructions for registering the program.  There appear
to be 0 bytes remaining on the disk if a directory listing is
attempted.  A shell routine has also been installed in the
system.  It is a program called CYBORG.EXE, with hidden read-only
attributes.  This shell routine displays the following message
after every DOS function call:

          WARNING:  You risk destroying all of the files on drive
          C.  The lease for a key software package has expired.
          Renew the lease before you attempt any further file
          manipulations  or other use of this computer.  Do not
          ignore this message.

     If an attempt is made to run a program or perform any file
manipulation, an illegal command or filename message appears.  If
the system is powered down and booted from a floppy, the only
file that appears on the disk is the CYBORG.DOC file.  There are
0 bytes free.  In reality all files that existed before have been
encrypted and given hidden attributes.  The following directory
listing is a sample from one of the activated 20 megabyte disks
where the file attributes have been cleared:

 Volume in drive C has no label
 Directory of  C:\

#UCU#R    AK    10071  13-07-85   1:43p
#UC at R&    AK    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
#1!8_68@  AU      587   3-19-89   9:11a
6#1N      AK       32   2-27-89  12:33p
KF$0U     AK      853  13-12-89   4:07p
G6R      AG       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
#@&      AU   172562   8-07-89  10:40a
&_1      AU    46912  12-07-89  11:58a
!        AU     7294   3-01-87   4:00p
1G        AU   102383   3-01-87   4:00p
H8C       AU   146188   1-04-80  12:11a
CYBORG   DOC     1326   1-04-80  12:05a
CYBORG   EXE      642   1-04-80  12:05a
AUTO     BAT      117   1-04-80  12:06a
       17 File(s)         0 bytes free

     In addition to the above, a number of hidden
subdirectories exist containing what appears to be an indexed
sequential data base with fields initialised to 20H.  This data
base occupies the entire free space of the disk.  The AUTOEXEC
file calls the CYBORG.EXE program, which is the above mentioned
DOS shell routine.  After the system is powered down, the hard
disk will no longer boot.  However, if the file AUTOEXEC is
executed at least once, the a <ctrl><alt><del> sequence will
appear to perform a re-boot and the system will on the surface
appear to be normal as described above, with the exception of the
warning message after a DIR or other DOS command.  If the file
CYBORG.EXE is examined using Norton or other similar utility the
following text is found at offset 560:

     <false end-file-marker>  <The Norton Utilities cannot read
     this file because the FAT has been locked> BORG  EXE

     No code can be found in the file.  However, a sector search
of the disk finds the CYBORG.EXE code at various offsets.  Inside
the code is the text listing of the hard disk directory structure
prior to the encryption.  The text corresponding to the above
encrypted root directory is:

 Volume in drive C has no label
 Directory of  C:\

IBMBIO   COM    10071  13-07-85   1:43p
IBMDOS   COM    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
INFECTED EXE      587   3-19-89   9:11a
TINY     COM       32   2-27-89  12:33p
W13_B    COM      853  13-12-89   4:07p
AUTO     BAT       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
AIDS     EXE   172562   8-07-89  10:40a
SCAN     EXE    46912  12-07-89  11:58a
FA       EXE     7294   3-01-87   4:00p
NU       EXE   102383   3-01-87   4:00p
REM      EXE   146188   1-04-80  12:11a
       14 File(s)  15872000 bytes free

     A comparison of the encrypted and unencrypted entries
indicates that some form of linear character mapping was used
(i.e.   # = I,  = A, 8 = E, @ = D, etc.)

     All of the data in the system appears to be intact and not
encrypted.  The partition table and boot sector have not been
modified in any way.  The system can be recovered by removing the
hidden directories and their contents, and by replacing the
encrypted entries in the FAT with the entries found in the
CYBORG.EXE file.  Currently this has to done by hand.  We are
working on a program to perform this task.
     If you catch this trojan before it activates, then Jim
Bate's AIDSOUT.COM program available on HomeBase will extract the
trojan and return the system to its original condition.


Remaining questions:
     Dr. Solomon reports that his sample created one additional
file called SHARE.EXE that had instructions to install the SHARE
program on a second computer and then return it to the affected
system.  The instructions stated that running the SHARE program
again on the affected system would provide 30 free re-boots of
the system with all data restored.  Our samples did not create
this SHARE program and no instructions pertaining to it were
given.  Whether this was a difference in diskettes or perhaps
attributable to our non-standard test machines we do not know.

John McAfee


------------------------------

Date:    Sun, 17 Dec 89 17:54:00 -0500
From:    IA96000 <IA96 at PACE.BITNET>
Subject: AIDS TROJAN RESEARCH (PC)

I have been asked to pass this message along to VIRUS-L and VALERT-L
by the fine people at SWE who have been hard at work researching the
AIDS problem. I pass this message along unmodified exactly as it was
received from SWE.

             AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989

First, let us say for the record that everything reported so far by
Mr. McAfee is correct. Our tests bear out the results he has obtained.

Having followed the messages and updates so far, and after conducting
extensive tests, SWE has no doubt that there is more than one version
of the "trojan" disk in circulation. In certain aspects, the two AIDS
"trojan" disks we are testing act differently. One has a counter in it
and one activates on the first re-boot!

SWE has been working 24 hours a day since we received a copies of the
AIDS disks. Let me clarify that statement. We did not receive these in
the mail directly from the "trojan" authors. We received our copies
from two of our clients.

The suspicion that some form of encryption is being used is accurate.
The versions of the disks we tested checks the following criteria:

1) The version of DOS in use. Both major and minor numbers are used.
   The major number would be 3 and the minor number would .30 in
   DOS version 3.30.

2) The file length, date and time stamp of certain files are checked.

3) The amount of total disk space and free disk space are checked.

These three items are then combined and processed into the "initial"
encryption key.

A form of public key encryption is then used to perform the actual
encryption. This was determined by the brute force decryption method.
SWE has several 80486's and access to a VAX and they were put to work
decrypting the files. It was made easier by the fact that the original
contents of the test disk were known. One nasty little trick the AIDS
"trojan" uses is that after each file is encrypted the encryption key
is modified slightly.

Fortunately, the authors did not use a long encryption key. Files
encrypted using the public key protocol become harder to decipher as
the length of the encryption key increases. Government studies
indicate that a file encrypted using this protocol, with a 200 digit
key could take as long as ten (10) years to decrypt, if you devoted a
CRAY exclusively to the problem!

SWE first suspected and tested for the public key encryption method
for several reasons. The major reason was the lack of access people
outside of the United States would have to the DES encryption formula.

For those not aware, the U.S. Government guards the DES formula, and
software which makes use of this formula may not be exported out of
the United States. Should it turn out that the DES formula was also
used, the authors of the AIDS "trojan", could possibly be prosecuted
under United States statutes pertaining to national security.

The second reason deals with the DES encryption method. Students of
cryptology are well aware that the DES formula has been considered
vulnerable for some time now. It is also a well know fact that DES
specific processors have been produced, which make "cracking" a DES
encrypted file much easier than the public key method. The DES method
also limits to a greater degree the length of the encryption key.

Combining these two reasons along with the extraordinary expense the
authors of the AIDS "trojan" went to, we guessed that they would also
use a "first class" encryption method.

It also makes sense from another point of view. Since the "trojan"
authors have gone to great care and expense, it seems prudent they
would not want to use an encryption method which could easily be
copied and distributed as a "master" cure all. Public key encryption
is perfect in this regard. Many different versions of DOS are now
in use, and depending upon the version of DOS in use and other factors
the "trojan" checks for, the decryption methods which must be used
will vary for different "trashed" disks.

This is not to say that other copies of the AIDS "trojan" will use
this same encryption method, or create the encryption keys in the same
manner. That is yet to be determined!

Once we were able to decipher one file, it was a relatively simple
matter to decipher the rest. We have been able to completely restore a
disk trashed by the version of AIDS "trojan".

SWE went about this research in a different manner than everyone else.
We have not reverse engineered the "trojans" to any great extent, nor
do we plan to do so. This is best left to Mr. McAfee and the other
experts.

It is our considered opinion that Quick Basic along with several
machine language modules were used to develop these "trojans". Reverse
engineering a Quick Basic program along with the libraries included at
link time produces huge amounts of code.

As far as releasing the "fixes", not enough is yet known by SWE to be
able to provide a substantial program. We need more information about
how many versions of the AIDS "trojan" are in circulation, as well as
samples of these for study. SWE has no intention of publicly releasing
a "fix" at this time or in the future.

It is our opinion that the best course SWE can take is to share our
knowledge with others who have the knowledge and experience to take
what we learned and investigate further.

To that end, SWE is willing to forget past differences with a specific
company and share our files as well as the "fixes" and our knowledge
on cryptology with them, for the good of the computing community. If
they are interested, leave a public message on your BBS in the virus
SIG. Some type of agreement can be reached if you are interested in
doing so!

The opinions and statements expressed herein are those of SWE. These
are based on research done on two copies of the AIDS "trojan" disk we
have tested. Findings produced by other people working on this problem
may agree, vary, or contradict our findings. So be it! SWE is not
competing with anyone else working on this problem. We present this
information solely to acquaint the computing community on the details
we have discovered so far.

The information contained in the message above was supplied by the
people at SWE, who have postponed their vacation closing to conduct
research into the AIDS problem.

It is my opinion that everyone should band together on this one! The
AIDS disk seems to be very complicated and it will probably take the
combined knowledge of everyone working on this disaster to come up
with a solution.

===================================================================
End of AIDS Trojan update.

Gary Williams

Computing Services Section,		 Janet:       G.Williams at UK.AC.CRC
MRC-Clinical Research Centre,		 Elsewhere:   G.Williams at CRC.AC.UK
Watford Rd, HARROW, Middx, HA1 3UJ, U.K. EARN/Bitnet: G.Williams%CRC at UKACRL
Tel 01-869 3294    Fax 01-423 1275       Usenet: ...!mcvax!ukc!mrccrc!G.Williams





More information about the Bioforum mailing list