[comp.sys.amiga] Viruses: You think WE'VE got it bad!

denbeste@bbn.com (Steven Den Beste) (12/15/89)

The following two articles are about a new trojan horse for clones,
from comp.viruses:

---------------------------------------------------------------


     A distribution diskette from a corporation calling itself
PC Cyborg has been widely distributed to major corporations and
PC user groups around the world and the diskette contains a
highly destructive trojan.  The Chase Manhattan Bank and ICL
Computers were the first to report problems with the software.
All systems that ran the enclosed programs had all data on the
hard disks destroyed.  Hundreds of systems were affected.
Other reports have come in from user groups, small businesses and
individuals with similar problems.  The professionally prepared
documentation that comes with the diskette purports that the
software provides a data base of AIDS information.  The flyer
heading reads - "AIDS Information - An Introductory Diskette".
The license agreement on the back of the same flyer reads:

"In case of breach of license, PC Cyborg Corporation reserves the
right to use program mechanisms to ensure termination of the use
of these programs.  These program mechanisms will adversely
affect other program applications on microcomputers.  You are
hereby advised of the most serious consequences of your failure
to abide by the terms of this license agreement."

Further in the license is the sentence: "Warning:  Do not use
these programs unless you are prepared to pay for them".

If the software is installed using the included INSTALL program,
the first thing that the program does is print out an invoice
for the software.  Then, whenever the system is re-booted, or
powered down and then re-booted from the hard disk, the system
self destructs.

Whoever has perpetrated this monstrosity has gone to a great deal
of time, and more expense, and they have clearly perpetrated the
largest single targeting of destructive code yet reported.  The
mailings are professionally done, and the style of the mailing
labels indicates the lists were purchased from professional
mailing organizations.  The estimated cost for printing,
diskette, label and mailing is over $3.00 per package.  The
volume of reports implies that many thousands may have been mailed.
In addition, the British magazine "PC Business World" has
included a copy of the diskette with its most recent publication
- another expensive avenue of distribution.  The only indication
of who the perpetrator(s) may be is the address on the invoice to
which they ask that $378.00 be mailed:

          PC Cyborg Corporation
          P.O. Box 871744
          Panama 7, Panama

Needless to say, a check for a registered PC Cyborg Corporation
in Panama turned up negative.

An additional note of interest in the license section reads:
"PC Cyborg Corporation does not authorize you to distribute or
use these programs in the United States of America.  If you have
any doubt about your willingness or ability to meet the terms of
this license agreement or if you are not prepared to pay all
amounts due to PC Cyborg Corporation, then do not use these
programs".

---------------------------------------------------------------

	Early reports from people who have disassembled the AIDS
trojan that has been mailed to numerous European corporations indicate
that the trojan may be encrypting information on the disk rather than
destroying it outright.  The results are the same without a decrypting
routine but the possibility is now raised that the perpetrators do
have and may offer such a decryptor.  The report from Chase Manhattan
Bank that the name and address in the Trojan are bogus may not be
correct.  John Markoff of the New York Times has since stated that his
sources found a real corporation corresponding to the name and address
in the file.  This raises some interesting questions which, I believe,
only time will answer.  Whatever is happening, this much is known: The
trojan will make all data on the hard disk unusable; the change
happens suddenly; and no recovery is yet known.  If you find or have a
copy of this diskette, don't use it.

---------------------------------------------------------------

Steven C. Den Beste        ||  denbeste@bbn.com (ARPA/CSNET)
BBN Communications Corp.   ||  {apple, usc, husc6, csd4.milw.wisc.edu,
150 Cambridge Park Dr.     ||   gatech, oliveb, mit-eddie,
Cambridge, MA 02140        ||   ulowell}!bbn.com!denbeste (USENET)