gwilliam@MRC-CRC.AC.UK (Gary Williams x3294) (12/13/89)
I wish to bring the following three latest Bitnet VIRUS-L newsletter messages (received Wed, 13 Dec 89 14:06:17 GMT) to your attention. We have received several copies of this little nasty through the mail at our site. Gary Williams ------------------------------ Date: Tue, 12 Dec 89 14:53:34 +0000 >From: Alan Jay <alanj@ibmpcug.co.uk> Subject: AIDS Disk sent in UK AIDS DISK -- PC Cyborg Corporation This disk was mailed to many people on a major magazine mailing list today 12-DEC-1989. If you recived a copy DO **NOT** RUN it -- We do NOT know what it does. This disk implies that it may cause harm to your PC -- DO NOT RUN IT!!!! If you have run it -- DO NOT PANIC!!!! Currently we have NO proof that the disk is harmful. DO NOT RUN THE PROGRAM AGAIN. The program renames your "autoexec.bat" so you will have to reconstitute your old one. "Autoexec.bat" has been hidden by setting the 'hidden' attribute you may need NORTON or similar to delete the new "Autoexec.bat". There are also a number of other hidden subdirectories. Currently we do not kenow the purpose of this disk and so can not say what damage that it may do, if any, or what you should do about it. Warn other users not to run the program. Currently the only 100% safe course of action is to boot of the original DOS system disk and perfrm a reformat of your disk -- We DO NOT recommend you do this unless you have a recent backup that you are happy with -- We have no proof of any malicious nature in this disk. We hope to update this bulletin later today or tomorrow as more information becomes available. [Ed. See more information below.] Alan Jay @ The IBM PC User Group, PO Box 360, Harrow HA1 4LQ ENGLAND Phone: +44 -1- 863 1191 Email: alanj@ibmpcug.CO.UK Path: ...!ukc!slxsys!ibmpcug!alanj Fax: +44 -1- 863 6095 Disclaimer: All statements made in good faith for information only. ------------------------------ Date: Tue, 12 Dec 89 11:26:29 -0800 >From: Alan_J_Roberts@cup.portal.com Subject: Major Trojan Warning (PC) This is an urgent forward from John McAfee: A distribution diskette from a corporation calling itself PC Cyborg has been widely distributed to major corporations and PC user groups around the world and the diskette contains a highly destructive trojan. The Chase Manhattan Bank and ICL Computers were the first to report problems with the software. All systems that ran the enclosed programs had all data on the hard disks destroyed. Hundreds of systems were affected. Other reports have come in from user groups, small businesses and individuals with similar problems. The professionally prepared documentation that comes with the diskette purports that the software provides a data base of AIDS information. The flyer heading reads - "AIDS Information - An Introductory Diskette". The license agreement on the back of the same flyer reads: "In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement." Further in the license is the sentence: "Warning: Do not use these programs unless you are prepared to pay for them". If the software is installed using the included INSTALL program, the first thing that the program does is print out an invoice for the software. Then, whenever the system is re-booted, or powered down and then re-booted from the hard disk, the system self destructs. Whoever has perpetrated this monstrosity has gone to a great deal of time, and more expense, and they have clearly perpetrated the largest single targeting of destructive code yet reported. The mailings are professionally done, and the style of the mailing labels indicate the lists were purchased from professional mailing organizations. The estimated costs for printing, diskette, label and mailing is over $3.00 per package. The volume of reports imply that many thousands may have been mailed. In addition, the British magazine "PC Business World" has included a copy of the diskette with its most recent publication - - another expensive avenue of distribution. The only indication of who the perpetrator(s) may be is the address on the invoice to which they ask that $378.00 be mailed: PC Cyborg Corporation P.O. Box 871744 Panama 7, Panama Needless to say, a check for a registered PC Cyborg Corporation in Panama turned up negative. An additional note of interest in the license section reads: "PC Cyborg Corporation does not authorize you to distribute or use these programs in the United States of America. If you have any doubt about your willingness or ability to meet the terms of this license agreement or if you are not prepared to pay all amounts due to PC Cyborg Corporation, then do not use these programs". John McAfee ------------------------------ Date: Tue, 12 Dec 89 18:17:04 -0800 >From: Alan_J_Roberts@cup.portal.com Subject: Update on AIDS Trojan (PC) The following is a posting from John McAfee: Early reports from people who have disassembled the AIDS trojan that has been mailed to numerous European corporations indicate that the trojan may be encrypting information on the disk rather than destroying it outright. The results are the same without a decrypting routine but the possibility is] now raised that the perpetrators do have and may offer such a decryptor. The report from Chase Manhattan Bank that the name and address in the Trojan are bogus may not be correct. John Markoff of the New York Times has since stated that his sources found a real corporation corresponding to the name and address in the file. This raises some interesting questions which, I believe, only time will answer. Whatever is happening, this much is known: The trojan will make all data on the hard disk unusable; the change happens suddenly; and no recovery is yet known. If you find or have a copy of this diskette don't use it. John McAfee ------------------------------ Gary Williams Computing Services Section, Janet: G.Williams@UK.AC.CRC MRC-Clinical Research Centre, Elsewhere: G.Williams@CRC.AC.UK Watford Rd, HARROW, Middx, HA1 3UJ, U.K. EARN/Bitnet: G.Williams%CRC@UKACRL Tel 01-869 3294 Fax 01-423 1275 Usenet: ...!mcvax!ukc!mrccrc!G.Williams