[comp.sys.ibm.pc.digest] New Virus on the Loose

Info-IBMPC@WSMR-SIMTEL20.ARMY.MIL (12/14/89)

Info-IBMPC Digest           Thu, 14 Dec 89       Volume 89 : Issue 116a

Today's Editor:
         Gregory Hicks - Chinhae Korea <COMFLEACT@Taegu-EMH1.army.mil>

Today's Topics:
                           'AIDS' Virus diskette
                     AIDS Trojan Program on the loose
                            AIDS Trojan Update
                           AIDS Trojan Update #3

The Lending Library is available from: WSMR-SIMTEL20.ARMY.MIL (see
file PD1:<MSDOS.FILEDOCS>AAAREAD.ME details on file directories
and descriptions.)

Archives of past issues of the Info-IBMPC Digest are available from
WSMR-SIMTEL20.ARMY.MIL in directory PD2:<ARCHIVES.IBMPC>.

WSMR-SIMTEL20.ARMY.MIL can be accessed using LISTSERV commands from BITNET
via LISTSERV@NDSUVM1, LISTSERV@RPIECS, LISTSERV@FINTUVM and in Europe from
EARN TRICKLE servers.  Send commands to TRICKLE@<host-name> (example:
TRICKLE@TREARN).  The following TRICKLE servers are presently available:
AWIWUW11 (Austria), BANUFS11 (Belgium), DKTC11 (Denmark), DB0FUB11
(Germany), IMIPOLI (Italy), EB0UB011 (Spain), TAUNIVM (Tel-Aviv) and
TREARN (Turkey).

Send Replies or notes for publication to: <INFO-IBMPC@WSMR-SIMTEL20.ARMY.MIL>

Send requests of an administrative nature (addition to, deletion from the
distribution list, et al) to: <INFO-IBMPC-REQUEST@WSMR-SIMTEL20.ARMY.MIL>

----------------------------------------------------------------------

Date:  Sat, 16 Dec 89, 00:00:01 KST
From:  Gregory Hicks <ghicks@wsmr-simtel20.army.mil>
Subject: 'AIDS' Virus diskette

From the Pacific Edition, Stars & Stripes, Sat, 16 Dec 89:
"...
A computer disk on AIDS that was mailed to thousands of people in Europe,
Africa, and California contains a "virus" that has sabotaged information
in some personal computers, police and news reports said.

At least 10,000 copies of the "AIDS Information Introductory Diskette"
were sent, said a Scotland Yard spokeswoman...

The London newspaper "The Independent" reported Thursday that rumors in
the computer world put the figure much higher and that hospital systems
were among those damaged.  It said the disks also turned up in
California, Belgium and Zimbabwe but gave no details about precisely
where.
..."
Also hit was the Chase Manhattan Bank [type and amount of software
problems not disclosed]  (reported by the Computer Virus Industry
Association)

CW Communications, the company that publishes the British PC Business
World magazine, confirmed that the virus was sent out using a 7,000 name
mailing list that it sold to a company called Ketema Associates.

The Diskette is in an envelope that appears to be printed in several
languages and bears a diskette label in the upper left corner (where a
manufacturers label would be placed) bearing instructions on how to boot
up the AIDS Introductory program.

Gregory Hicks

------------------------------

Date: Fri, 15 Dec 89 00:00:49 -0500 (EST)
From: John Duchowski <jd3a+@andrew.cmu.edu>
Subject: AIDS Trojan Program on the loose

Hello Everyone "Out There" !

  It seems that there always must be a "prankster" of sorts among us,
who is ready to play practical jokes, as long as he is on the "dishing
out" end.

  I have received this from Antek@TAMBIGRF, who in turn, has received it
from someone else. Please keep forwarding this further, and be on the
lookout.

John Duchowski
<jd3a+@andrew.cmu.edu>

P.S.

  I don't know if this is serious and for real, but I thought in view of
the info below I'd better not take that chance.

---------- Forwarded message begins here ----------

[parts of the header deleted]

From: ANTEK%TAMBIGRF.BITNET@vma.cc.cmu.edu

FORWARDED TO BIOSPH-LIST AS RECEIVED 14 DEC 89 BY R SMYTHE

From: Carolyn M. Kotlas <kotlas@ecsvax>
Subject: Warning: new MS-DOS Trojan Horse on the loose

This is an urgent forward from John McAfee:

     A distribution diskette from a corporation calling itself PC Cyborg
has been widely distributed to major corporations and PC user groups
around the world and the diskette contains a highly destructive trojan.
The Chase Manhattan Bank and ICL Computers were the first to report
problems with the software.  All systems that ran the enclosed programs
had all data on the hard disks destroyed.  Hundreds of systems were
affected.  Other reports have come in from user groups, small businesses
and individuals with similar problems.  The professionally prepared
documentation that comes with the diskette purports that the software
provides a data base of AIDS information.  The flyer heading reads - "AIDS
Information - An Introductory Diskette".  The license agreement on the
back of the same flyer reads:

"In case of breach of license, PC Cyborg Corporation reserves the right to
use program mechanisms to ensure termination of the use of these programs.
These program mechanisms will adversely affect other program applications
on microcomputers.  You are hereby advised of the most serious
consequences of your failure to abide by the terms of this license
agreement."

Further in the license is the sentence: "Warning: Do not use these
programs unless you are prepared to pay for them".

If the software is installed using the included INSTALL program, the first
thing that the program does is print out an invoice for the software.
Then, whenever the system is re-booted, or powered down and then re-booted
from the hard disk, the system self destructs.

Whoever has perpetrated this monstrosity has gone to a great deal of time,
and more expense, and they have clearly perpetrated the largest single
targeting of destructive code yet reported.  The mailings are
professionally done, and the style of the mailing labels indicates the
lists were purchased from professional mailing organizations.  The
estimated costs for printing, diskette, label and mailing are over $3.00
per package.  The volume of reports implies that many thousands may have
been mailed.  In addition, the British magazine "PC Business World" has
included a copy of the diskette with its most recent publication - another
expensive avenue of distribution.  The only indication of who the
perpetrator(s) may be is the address on the invoice to which they ask that
$378.00 be mailed:

          PC Cyborg Corporation
          P.O. Box 871744
          Panama 7, Panama

Needless to say, a check for a registered PC Cyborg Corporation in Panama
turned up negative.

An additional note of interest in the license section reads: "PC Cyborg
Corporation does not authorize you to distribute or use these programs in
the United States of America.  If you have any doubt about your
willingness or ability to meet the terms of this license agreement or if
you are not prepared to pay all amounts due to PC Cyborg Corporation, then
do not use these programs".

John McAfee

--
Carolyn Kotlas                      (kotlas@uncecs.edu)
UNC-Educational Computing Service   P. O. Box 12035, 2 Davis Drive
Research Triangle Park, NC  27709   State Courier #59-01-02
919/549-0671

------------------------------

Date: Wednesday, 13 December 1989  17:56-MST
From: portal!cup.portal.com!Alan_J_Roberts@SUN.COM
Subject: AIDS Trojan Update

This is a forward from John McAfee:

     A lot more has been discovered about the AIDS Information Trojan in
the past 24 hours.  First, the diskette does not contain a virus.  The
install program does initiate a counter, and based on a seemingly random
number of re-boots, the trojan will activate and destroy all data on the
hard disk.  The diskette was mailed to at least 7,000 corporations, based
on information obtained from CW Communications - one of the magazine
mailing label houses used by the perpetrators.  The perpetrator's initial
investment in disks, printing and mailing is well in excess of $158,000
according to a Chase Manhattan Bank estimate that was quoted in a PC
Business World press release from London.  The bogus company that sent the
diskettes had rented office space in Bond Street in London under the name
of Ketema and Associates.  The perpetrators told the magazine label
companies that they contacted that they were preparing an advertising
mailer for a commercial software package from Nigeria.  All offices had
been vacated at the time of the mailing, and all addresses in the software
and documentation are bogus.

     The Trojan creates several hidden subdirectories -- made up of space
and ASCII 255's -- in the root of drive C.  The install program is copied
into one of these and named REM.EXE.  The user's original AUTOEXEC.BAT
file is copied to a file called AUTO.BAT.  The first line of this file
reads -- "REM Use this file in place of AUTOEXEC.BAT for convenience".
The installation also creates a hidden AUTOEXEC.BAT file that contains the
commands:

          C:
          CD \
          REM  Use this file in place of AUTOEXEC.BAT
          AUTO

     The CD \ actually contains ASCII characters 255, which causes the
directory to change to one of the hidden directories containing the
REM.EXE file.  The REM file is then executed and decrements a counter at
each reboot.  After a random number of reboots, the hard disk is wiped
clean.  Definitely a new approach.

     So far the mailings appear to be limited to western Europe.  No
reports have been received from the U.S.  If anyone does have the
diskette, or has already run the install program, a disinfector has been
written by Jim Bates and is available on HomeBase for free download.  408
988 4004.  The name of the disinfector is AIDSOUT.COM.

John McAfee

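As an added illustration of the AUTOEXEC.BAT hijack John McAfee describes above (editor-supplied code, not from the digest, HomeBase or Jim Bates' AIDSOUT.COM), a small Python checker looks for the two indicators: a CD line whose target displays as "\" but hides ASCII-255 bytes, and a root directory named only with spaces and ASCII 255 that holds REM.EXE. The AUTOEXEC.BAT bytes and the root listing it runs on are constructed samples, and the (name, is_dir, children) tuple layout is an assumption of this example.

```python
from dataclasses import dataclass

HIDDEN_NAME_BYTES = {0x20, 0xFF}  # update: hidden dir names are "space and ASCII 255's"

@dataclass(frozen=True)
class Finding:
    indicator: str
    detail: str

def is_hidden_style_name(name: bytes) -> bool:
    """A directory name built only from spaces and ASCII 255, with at least one 255."""
    return 0xFF in name and all(b in HIDDEN_NAME_BYTES for b in name)

def scan_autoexec(autoexec: bytes) -> list:
    """Flag the hijacked AUTOEXEC.BAT: a CD whose target shows as '\\' on screen
    but carries 0xFF bytes, then a bare AUTO that chains to the displaced original."""
    findings, cd_hit = [], False
    for lineno, raw in enumerate(autoexec.splitlines(), 1):
        line = raw.strip(b" \t")
        if not line:
            continue
        cmd, _, arg = line.partition(b" ")
        cmd, arg = cmd.upper(), arg.strip(b" \t")
        if cmd in (b"CD", b"CHDIR") and 0xFF in arg:
            shown = arg.replace(b"\xff", b"").decode("ascii", "replace")
            findings.append(Finding("cd-hidden-dir",
                "line %d: target displays as %r but holds %d ASCII-255 byte(s)"
                % (lineno, shown, arg.count(0xFF))))
            cd_hit = True
        elif cd_hit and cmd == b"AUTO" and not arg:
            findings.append(Finding("auto-chain",
                "line %d: hands off to AUTO.BAT, the renamed original" % lineno))
    return findings

def scan_root(entries: list) -> list:
    """entries: (name bytes, is_dir, child names) for C:\\ read with attributes ignored
    (hypothetical layout).  Flags hidden-style directory names holding REM.EXE."""
    findings = []
    for name, is_dir, children in entries:
        if is_dir and is_hidden_style_name(name):
            findings.append(Finding("hidden-dir",
                "root directory named with %d space/ASCII-255 byte(s)" % len(name)))
            if any(c.upper() == b"REM.EXE" for c in children):
                findings.append(Finding("rem-exe",
                    "REM.EXE inside the hidden directory (copied install program)"))
    return findings

# Constructed samples modelled on the update's description, not real captures.
SAMPLE_AUTOEXEC = (b"C:\r\n"
                   b"CD \\\xff\xff\xff\r\n"  # displays as "CD \" on screen
                   b"REM  Use this file in place of AUTOEXEC.BAT\r\n"
                   b"AUTO\r\n")
CLEAN_AUTOEXEC = b"@ECHO OFF\r\nPATH C:\\DOS\r\nPROMPT $P$G\r\n"
SAMPLE_ROOT = [(b"COMMAND.COM", False, []),
               (b"\xff\xff\xff     ", True, [b"REM.EXE"]),
               (b"AUTO.BAT", False, [])]
```

A bare AUTO line on its own is not flagged, since a user may legitimately keep an AUTO.BAT; only the hidden-CD-then-AUTO sequence is reported.
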
------------------------------

Date: Saturday, 16 December 1989  11:22-MST
From: portal!cup.portal.com!Alan_J_Roberts@SUN.COM
Subject: AIDS Trojan Update #3

This is a forward from the HomeBase BBS:

AIDS TROJAN UPDATE   Santa Clara, California.   December 16, 1989

     Our reports of the AIDS trojan over the past three days have been
sporadic, incomplete and conflicting.  Much of the confusion, as we are
now beginning to understand, stems from the fact that the architecture of
this trojan is orders of magnitude more complex and interwoven than any PC
based virus or trojan yet encountered.  No one has yet successfully
disassembled this trojan, nor will they for some time to come.  The two
EXE files comprising the trojan diskette represent over 320K of compiled
Microsoft Basic code, much of it encrypted.  The trojan evolves over time
and uses multiple steps to create hidden and interrelated directories, DOS
shell routines and self modifying utilities.  Numerous techniques have
been employed by the architects to avoid detection, analysis or tampering.
The dissection is like peeling an onion with a paper clip.

     At this point, however, having used live trials of five different
samples of the mailing diskette, we have bounded the beast and have at
least uncovered the main elements of the underlying structure.  We've
learned enough to know that a system can be recovered after the bomb goes
off (albeit using brute force), and we have a program that can disarm the
trojan if caught before activation.  A brief outline follows:

Activation:
     All of our samples consistently and repeatedly activated after
exactly 90 reboots of the system, from the time the install program was
executed.  This agrees with Dr. Solomon's observations of two additional
samples.  An anomaly that cannot be explained is that more than a dozen
verified cases reported activation after the first reboot.  Did the
designers include a few copies that would activate prematurely as a
warning?  Is there a bug somewhere in the install or count routine?  This
is a question that needs answering.

Installation:
     Installation requires an average of 90 seconds.  A point that has not
been mentioned before is that a reference number is prominently displayed
during installation.  The instructions are to include this reference
number when registering the program.  After activation, the same reference
number is again displayed, with clear instructions to include the number
on all correspondence.  Could this be used in some way during the
encryption/decryption process?  An example 12 digit reference number is:
A9738-1655603-.

     The Trojan creates several hidden subdirectories -- made up of space
and ASCII 255's -- in the root of drive C.  The install program is copied
into one of these and named REM.EXE.  The user's original AUTOEXEC.BAT
file is copied to a file called AUTO.BAT.  The first line of this file
reads -- "REM Use this file in place of AUTOEXEC.BAT for convenience".
The installation also creates a hidden AUTOEXEC.BAT file that contains the
commands:

          C:
          CD \
          REM  Use this file in place of AUTOEXEC.BAT
          AUTO

     The CD \ actually contains ASCII characters 255, which causes the
directory to change to one of the hidden directories containing the
REM.EXE file.  The REM file is then executed and decrements a counter at
each reboot.

Activation:
     After 90 reboots, a message appears in the center of the screen:

          The software lease for this computer has expired.  If you wish
to use this computer, you must renew the software lease.  For further
information turn on the printer and press return.

     When the return key is pressed, the following document is printed on
the printer:

          "If you are reading this message, then your software lease from
PC Cyborg Corporation has expired. Renew the software lease before using
this computer again. Warning: do not attempt to use this computer until
you have renewed your software lease. Use the information below for
renewal.

 Dear Customer:

 It is time to pay for your software lease from PC Cyborg Corporation.
Complete the INVOICE and attach payment for the lease option of your
choice. If you don't use the printed INVOICE, then be sure to refer to the
important reference numbers below in all correspondence. In return you
will receive:

 - a renewal software package with easy-to-follow, complete instructions;

 - an automatic, self-installing diskette that anyone can apply in
minutes.

 Important reference numbers: A9738-1655603-

 The price of 365 user applications is US$189. The price of a lease for
the lifetime of your hard disk is US$378.  You must enclose a bankers
draft, cashier's check or international money order payable to PC CYBORG
CORPORATION for the full amount of $189 or $378 with your order. Include
your name, company, address, city, state, country, zip or postal code.
Mail your order to PC Cyborg Corporation, P.O. Box 87-17-44, Panama 7,
Panama.

After this document is printed, the following warning appears:

          Please wait thirty minutes during this operation.  Do not turn
off the computer since this will damage your system.  You will be given
instruction later.  A flashing hard disk access light means WAIT!!!!!

This message remains displayed for up to an hour and a half on some
machines while heavy disk activity continues.

The Results:
     At the end of the disk activity, a new file appears at the root of
drive C called CYBORG.DOC.  The contents of the file are the above
instructions for registering the program.  There appear to be 0 bytes
remaining on the disk if a directory listing is attempted.  A shell
routine has also been installed in the system.  It is a program called
CYBORG.EXE, with hidden read-only attributes.  This shell routine displays
the following message after every DOS function call:

          WARNING:  You risk destroying all of the files on drive C.  The
lease for a key software package has expired.  Renew the lease before you
attempt any further file manipulations or other use of this computer.  Do
not ignore this message.

     If an attempt is made to run a program or perform any file
manipulation, an illegal command or filename message appears.  If the
system is powered down and booted from a floppy, the only file that
appears on the disk is the CYBORG.DOC file.  There are 0 bytes free.  In
reality all files that existed before have been encrypted and given hidden
attributes.  The following directory listing is a sample from one of the
activated 20 megabyte disks where the file attributes have been cleared:

 Volume in drive C has no label
 Directory of  C:\

#UCU#R    AK    10071  13-07-85   1:43p
#UC@R&    AK    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
#1!8_68@  AU      587   3-19-89   9:11a
6#1N      AK       32   2-27-89  12:33p
KF{0U     AK      853  13-12-89   4:07p
}G6R      AG       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
}#@&      AU   172562   8-07-89  10:40a
&_}1      AU    46912  12-07-89  11:58a
!}        AU     7294   3-01-87   4:00p
1G        AU   102383   3-01-87   4:00p
H8C       AU   146188   1-04-80  12:11a
CYBORG   DOC     1326   1-04-80  12:05a
CYBORG   EXE      642   1-04-80  12:05a
AUTO     BAT      117   1-04-80  12:06a
       17 File(s)         0 bytes free

     In addition to the above, a number of hidden subdirectories exist
containing what appears to be an indexed sequential data base with fields
initialised to 20H.  This data base occupies the entire free space of the
disk.  The AUTOEXEC file calls the CYBORG.EXE program, which is the above
mentioned DOS shell routine.  After the system is powered down, the hard
disk will no longer boot.  However, if the file AUTOEXEC is executed at
least once, a <ctrl><alt><del> sequence will appear to perform a
re-boot and the system will on the surface appear to be normal as
described above, with the exception of the warning message after a DIR or
other DOS command.  If the file CYBORG.EXE is examined using Norton or
other similar utility the following text is found at offset 560:

     <false end-file-marker>  <The Norton Utilities cannot read
     this file because the FAT has been locked> BORG  EXE

     No code can be found in the file.  However, a sector search of the
disk finds the CYBORG.EXE code at various offsets.  Inside the code is the
text listing of the hard disk directory structure prior to the encryption.
The text corresponding to the above encrypted root directory is:

 Volume in drive C has no label
 Directory of  C:\

IBMBIO   COM    10071  13-07-85   1:43p
IBMDOS   COM    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
INFECTED EXE      587   3-19-89   9:11a
TINY     COM       32   2-27-89  12:33p
W13_B    COM      853  13-12-89   4:07p
AUTO     BAT       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
AIDS     EXE   172562   8-07-89  10:40a
SCAN     EXE    46912  12-07-89  11:58a
FA       EXE     7294   3-01-87   4:00p
NU       EXE   102383   3-01-87   4:00p
REM      EXE   146188   1-04-80  12:11a
       14 File(s)  15872000 bytes free

     A comparison of the encrypted and unencrypted entries indicates that
some form of linear character mapping was used (i.e. # = I, } = A, 8 = E,
@ = D, etc.)

     All of the data in the system appears to be intact and not encrypted.
The partition table and boot sector have not been modified in any way.
The system can be recovered by removing the hidden directories and their
contents, and by replacing the encrypted entries in the FAT with the
entries found in the CYBORG.EXE file.  Currently this has to be done by hand.
We are working on a program to perform this task.

     If you catch this trojan before it activates, then Jim Bates'
AIDSOUT.COM program available on HomeBase will extract the trojan and
return the system to its original condition.

Remaining questions:
     Dr. Solomon reports that his sample created one additional file
called SHARE.EXE that had instructions to install the SHARE program on a
second computer and then return it to the affected system.  The
instructions stated that running the SHARE program again on the affected
system would provide 30 free re-boots of the system with all data
restored.  Our samples did not create this SHARE program and no
instructions pertaining to it were given.  Whether this was a difference
in diskettes or perhaps attributable to our non-standard test machines we
do not know.

John McAfee

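As an added example (editor's code, not from McAfee, HomeBase or the recovery program the update says is in progress), the comparison the update draws between the scrambled and original root directories can be automated: pair entries on the size, date and time columns the trojan leaves unchanged, derive the character-for-character map, and flag any entry that contradicts it. The rows are excerpted from the two listings above; the regex row format and the whole-token handling of extensions (AK for COM, AU for EXE, AG for BAT, as the listings show) are this example's assumptions.

```python
import re
# Rows excerpted from the two listings reproduced in the update: the scrambled
# root directory of an activated disk, and the original names found inside the
# CYBORG.EXE code.  Size, date and time are the columns the trojan leaves alone.
SCRAMBLED = r"""
#UCU#R    AK    10071  13-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
#1!8_68@  AU      587   3-19-89   9:11a
6#1N      AK       32   2-27-89  12:33p
KF{0U     AK      853  13-12-89   4:07p
}G6R      AG       98   1-04-80  12:01a
}#@&      AU   172562   8-07-89  10:40a
H8C       AU   146188   1-04-80  12:11a
CYBORG   DOC     1326   1-04-80  12:05a
AUTO     BAT      117   1-04-80  12:06a
"""
ORIGINAL = r"""
IBMBIO   COM    10071  13-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
INFECTED EXE      587   3-19-89   9:11a
TINY     COM       32   2-27-89  12:33p
W13_B    COM      853  13-12-89   4:07p
AUTO     BAT       98   1-04-80  12:01a
AIDS     EXE   172562   8-07-89  10:40a
REM      EXE   146188   1-04-80  12:11a
"""
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d{1,2}-\d{2}-\d{2})\s+(\d{1,2}:\d{2}[ap])\s*$")

def parse_listing(text):
    """DOS DIR rows -> {(size, date, time): (name, ext)}; other lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, ext, size, date, time = m.groups()
            rows[(int(size), date, time)] = (name, ext)
    return rows

def recover_mapping(scrambled, original):
    """Pair entries on the untouched columns; return (char_map, ext_map, conflicts,
    unmatched).  A conflict is a scrambled character seen with two originals."""
    char_map, ext_map, conflicts, unmatched = {}, {}, [], []
    for key, (sname, sext) in scrambled.items():
        if key not in original:
            unmatched.append(sname + "." + sext)   # files the trojan itself wrote
            continue
        oname, oext = original[key]
        if sname == oname:                        # left alone, e.g. COMMAND.COM
            continue
        if len(sname) != len(oname):              # a pure substitution keeps length
            conflicts.append(("length", sname, oname))
            continue
        for s, o in zip(sname, oname):
            if char_map.setdefault(s, o) != o:
                conflicts.append(("char", s, char_map[s], o))
        ext_map.setdefault(sext, oext)            # extensions map as whole tokens
    return char_map, ext_map, conflicts, unmatched

def decode(entry, char_map, ext_map):
    """Decode a scrambled 'NAME.EXT'; '?' marks a character never observed."""
    name, _, ext = entry.partition(".")
    return "".join(char_map.get(c, "?") for c in name) + "." + ext_map.get(ext, ext)
```

The unmatched list comes out as the entries the trojan added after activation (CYBORG.DOC and its own AUTO.BAT), and the map recovered from these rows is one-to-one, which is what lets a name be decoded without ambiguity.
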
------------------------------

End of Info-IBMPC Digest
************************