[comp.binaries.ibm.pc.d] AIDS Trojan Update #3

Alan_J_Roberts@cup.portal.COM (12/17/89)

This is a forward from the HomeBase BBS:

AIDS TROJAN UPDATE   Santa Clara, California.   December 16, 1989

     Our reports of the AIDS trojan over the past three days have been
sporadic, incomplete and conflicting.  Much of the confusion, as we
are now beginning to understand, stems from the fact that the
architecture of this trojan is orders of magnitude more complex and
interwoven than any PC based virus or trojan yet encountered.  No one
has yet successfully disassembled this trojan, nor will they for some
time to come.  The two EXE files comprising the trojan diskette
represent over 320K of compiled Microsoft Basic code, much of it
encrypted.  The trojan evolves over time and uses multiple steps to
create hidden and interrelated directories, DOS shell routines and
self modifying utilities.  Numerous techniques have been employed by
the architects to avoid detection, analysis or tampering.  The
dissection is like peeling an onion with a paper clip.
     At this point, however, having used live trials of five different
samples of the mailing diskette, we have bounded the beast and have at
least uncovered the main elements of the underlying structure.  We've
learned enough to know that a system can be recovered after the bomb
goes off (albeit using brute force), and we have a program that can
disarm the trojan if caught before activation.  A brief outline
follows:

Activation:
     All of our samples consistently and repeatedly activated after
exactly 90 reboots of the system, from the time the install program
was executed.  This agrees with Dr. Solomon's observations of two
additional samples.  An anomaly that cannot be explained is that more
than a dozen verified cases reported activation after the first
reboot.  Did the designers include a few copies that would activate
prematurely as a warning?  Is there a bug somewhere in the install or
count routine?  This is a question that needs answering.

Installation:
     Installation requires an average of 90 seconds.  A point that has
not been mentioned before is that a reference number is prominently
displayed during installation.  The instructions are to include this
reference number when registering the program.  After activation, the
same reference number is again displayed, with clear instructions to
include the number on all correspondence.  Could this be used in some
way during the encryption/decryption process?  An example 12 digit
reference number is: A9738-1655603-.
     The Trojan creates several hidden subdirectories -- made up of
space and ASCII 255's -- in the root of drive C.  The install program
is copied into one of these and named REM.EXE.  The user's original
AUTOEXEC.BAT file is copied to a file called AUTO.BAT.  The first line
of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for
convenience".  The installation also creates a hidden AUTOEXEC.BAT
file that contains the commands:

          C:
          CD \
          REM  Use this file in place of AUTOEXEC.BAT
          AUTO

     The CD \ actually contains ASCII characters 255, which causes the
directory to change to one of the hidden directories containing the
REM.EXE file.  The REM file is then executed and decrements a counter
at each reboot.
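The CD trick described above (a directory name that renders as nothing on screen because it is built from spaces and ASCII 255) can be checked for mechanically. The following Python script is an added example, not part of the HomeBase report or of Jim Bates's AIDSOUT tool: it reads an AUTOEXEC.BAT as raw bytes, finds every CD/CHDIR line, and flags any path component that contains 0xFF or consists only of spaces and 0xFF. The sample batch file bytes are constructed to match the commands quoted in the report; the exact space/0xFF layout of the real directory name is not given there, and the function names are my own.

```python
"""Flag the hidden-directory CD trick in an AUTOEXEC.BAT (added example)."""
import re

# Bytes the report says the hidden directory names are made of: space and ASCII 255.
DISGUISE_BYTES = {0x20, 0xFF}

# Constructed sample in the shape the report describes; the exact 0xFF/space
# layout of the real directory name is an assumption.
HIDDEN_AUTOEXEC = (
    b"C:\r\n"
    b"CD \\\xff\xff \xff\r\n"   # shows on screen as "CD \"
    b"REM  Use this file in place of AUTOEXEC.BAT\r\n"
    b"AUTO\r\n"
)
# An ordinary AUTOEXEC.BAT for comparison (also constructed).
CLEAN_AUTOEXEC = b"@ECHO OFF\r\nPROMPT $P$G\r\nCD \\UTIL\r\nSCAN C:\r\n"

# Matches "CD", "CD\..." or "CHDIR ..." but not e.g. "CDROM"; group 1 is the target path.
_CD_RE = re.compile(rb"(?i)^(?:cd|chdir)(?=[\s\\]|$)\s*(.*)$")


def is_disguised_name(name: bytes) -> bool:
    """True for a path component made only of spaces and 0xFF bytes, which DIR shows as blank."""
    return len(name) > 0 and all(b in DISGUISE_BYTES for b in name)


def suspicious_cd_lines(data: bytes) -> list:
    """Return each CD/CHDIR line whose target has a disguised or 0xFF-containing component."""
    hits = []
    for raw in data.splitlines():
        m = _CD_RE.match(raw.strip(b" \t"))
        if not m:
            continue
        # Split the target on the DOS path separator; drop the empty leading component of "\".
        components = [c for c in m.group(1).split(b"\\") if c]
        if any(0xFF in c or is_disguised_name(c) for c in components):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    for label, data in (("hidden", HIDDEN_AUTOEXEC), ("clean", CLEAN_AUTOEXEC)):
        print(label, [line.hex() for line in suspicious_cd_lines(data)])
```

On a real disk the same `is_disguised_name` test can be applied to each raw 8.3 name read from the root directory entries, which is how the hidden subdirectories themselves would be enumerated rather than inferred from the batch file.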

Activation:
     After 90 reboots, a message appears in the center of the
screen:

          The software lease for this computer has expired.  If
          you wish to use this computer, you must renew the
          software lease.  For further information turn on the
          printer and press return.

     When the return key is pressed, the following document is printed
on the printer:

          "If you are reading this message, then your software lease
from PC Cyborg Corporation has expired. Renew the software lease
before using this computer again. Warning: do not attempt to use this
computer until you have renewed your software lease. Use the
information below for renewal.

 Dear Customer:

 It is time to pay for your software lease from PC Cyborg Corporation.
Complete the INVOICE and attach payment for the lease option of your
choice. If you don't use the printed INVOICE, then be sure to refer to
the important reference numbers below in all correspondence. In return
you will receive:
 - a renewal software package with easy-to-follow, complete
instructions;
 - an automatic, self-installing diskette that anyone can apply in
minutes.

 Important reference numbers: A9738-1655603-

 The price of 365 user applications is US$189. The price of a lease
for the lifetime of your hard disk is US$378.  You must enclose a
bankers draft, cashier's check or international money order payable to
PC CYBORG CORPORATION for the full amount of $189 or $378 with your
order. Include your name, company, address, city, state, country, zip
or postal code. Mail your order to PC Cyborg Corporation, P.O. Box
87-17-44, Panama 7, Panama.

After this document is printed, the following warning appears:

          Please wait thirty minutes during this operation.  Do
          not turn off the computer since this will damage your
          system.  You will be given instruction later.  A
          flashing hard disk access light means WAIT!!!!!

This message remains displayed for up to an hour and a half on some
machines while heavy disk activity continues.

The Results:
     At the end of the disk activity, a new file appears at the root
of drive C called CYBORG.DOC.  The contents of the file are the above
instructions for registering the program.  There appear to be 0 bytes
remaining on the disk if a directory listing is attempted.  A shell
routine has also been installed in the system.  It is a program called
CYBORG.EXE, with hidden read-only attributes.  This shell routine
displays the following message after every DOS function call:

          WARNING:  You risk destroying all of the files on drive
          C.  The lease for a key software package has expired.
          Renew the lease before you attempt any further file
          manipulations  or other use of this computer.  Do not
          ignore this message.

     If an attempt is made to run a program or perform any file
manipulation, an illegal command or filename message appears.  If the
system is powered down and booted from a floppy, the only file that
appears on the disk is the CYBORG.DOC file.  There are 0 bytes free.
In reality all files that existed before have been encrypted and given
hidden attributes.  The following directory listing is a sample from
one of the activated 20 megabyte disks where the file attributes have
been cleared:

 Volume in drive C has no label
 Directory of  C:\

#UCU#R    AK    10071  13-07-85   1:43p
#UC@R&    AK    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
#1!8_68@  AU      587   3-19-89   9:11a
6#1N      AK       32   2-27-89  12:33p
KF{0U     AK      853  13-12-89   4:07p
}G6R      AG       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
}#@&      AU   172562   8-07-89  10:40a
&_}1      AU    46912  12-07-89  11:58a
!}        AU     7294   3-01-87   4:00p
1G        AU   102383   3-01-87   4:00p
H8C       AU   146188   1-04-80  12:11a
CYBORG   DOC     1326   1-04-80  12:05a
CYBORG   EXE      642   1-04-80  12:05a
AUTO     BAT      117   1-04-80  12:06a
       17 File(s)         0 bytes free

     In addition to the above, a number of hidden subdirectories exist
containing what appears to be an indexed sequential data base with
fields initialised to 20H.  This data base occupies the entire free
space of the disk.  The AUTOEXEC file calls the CYBORG.EXE program,
which is the above mentioned DOS shell routine.  After the system is
powered down, the hard disk will no longer boot.  However, if the file
AUTOEXEC is executed at least once, a <ctrl><alt><del> sequence
will appear to perform a re-boot and the system will on the surface
appear to be normal as described above, with the exception of the
warning message after a DIR or other DOS command.  If the file
CYBORG.EXE is examined using Norton or other similar utility the
following text is found at offset 560:

     <false end-file-marker>  <The Norton Utilities cannot read
     this file because the FAT has been locked> BORG  EXE

     No code can be found in the file.  However, a sector search of
the disk finds the CYBORG.EXE code at various offsets.  Inside the
code is the text listing of the hard disk directory structure prior to
the encryption.  The text corresponding to the above encrypted root
directory is:

 Volume in drive C has no label
 Directory of  C:\

IBMBIO   COM    10071  13-07-85   1:43p
IBMDOS   COM    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
INFECTED EXE      587   3-19-89   9:11a
TINY     COM       32   2-27-89  12:33p
W13_B    COM      853  13-12-89   4:07p
AUTO     BAT       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
AIDS     EXE   172562   8-07-89  10:40a
SCAN     EXE    46912  12-07-89  11:58a
FA       EXE     7294   3-01-87   4:00p
NU       EXE   102383   3-01-87   4:00p
REM      EXE   146188   1-04-80  12:11a
       14 File(s)  15872000 bytes free

     A comparison of the encrypted and unencrypted entries
indicates that some form of linear character mapping was used
(i.e.   # = I, } = A, 8 = E, @ = D, etc.)
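The comparison just described can be done by program rather than by eye. The Python script below is an added example, not part of the report or of any HomeBase tool: it takes the two DIR listings printed above (transcribed here as its input), pairs entries by size and timestamp, learns the plain-to-cipher character substitution from the pairs, checks it for conflicts and for invertibility, and then uses the inverse table to turn encrypted entries back into original names. Only the 8-character base name is recovered character by character; the listing shows just two printable characters for each three-character extension, so extensions are mapped as whole strings (AK, AU, AG). The function names are my own.

```python
"""Learn and invert the filename substitution from paired DIR listings (added example)."""
from collections import defaultdict

# Both listings are transcribed from the report above and serve as the constructed test input.
ENCRYPTED_LISTING = """\
#UCU#R    AK    10071  13-07-85   1:43p
#UC@R&    AK    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
#1!8_68@  AU      587   3-19-89   9:11a
6#1N      AK       32   2-27-89  12:33p
KF{0U     AK      853  13-12-89   4:07p
}G6R      AG       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
}#@&      AU   172562   8-07-89  10:40a
&_}1      AU    46912  12-07-89  11:58a
!}        AU     7294   3-01-87   4:00p
1G        AU   102383   3-01-87   4:00p
H8C       AU   146188   1-04-80  12:11a
CYBORG   DOC     1326   1-04-80  12:05a
CYBORG   EXE      642   1-04-80  12:05a
AUTO     BAT      117   1-04-80  12:06a
       17 File(s)         0 bytes free
"""

ORIGINAL_LISTING = """\
IBMBIO   COM    10071  13-07-85   1:43p
IBMDOS   COM    27760   3-07-85   1:43p
COMMAND  COM    23717  13-07-85   1:43p
INFECTED EXE      587   3-19-89   9:11a
TINY     COM       32   2-27-89  12:33p
W13_B    COM      853  13-12-89   4:07p
AUTO     BAT       98   1-04-80  12:01a
AUTOEXEC BAT      108   1-04-80  12:01a
AUTOEXEC BAK       17   1-04-80  12:01a
AIDS     EXE   172562   8-07-89  10:40a
SCAN     EXE    46912  12-07-89  11:58a
FA       EXE     7294   3-01-87   4:00p
NU       EXE   102383   3-01-87   4:00p
REM      EXE   146188   1-04-80  12:11a
       14 File(s)  15872000 bytes free
"""


def parse_listing(text):
    """Parse DOS DIR lines into {(size, date, time): (name, ext)}; skips the File(s) summary."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] == "File(s)":
            continue
        name, ext, size, date, time = parts
        entries[(int(size), date, time)] = (name, ext)
    return entries


def derive_tables(encrypted_text=ENCRYPTED_LISTING, original_text=ORIGINAL_LISTING):
    """Pair entries by size/date/time and learn the substitution.

    Returns (name_map, ext_map, conflicts): name_map is plain char -> cipher char for
    the base name, ext_map is cipher extension -> plain extension as whole strings,
    conflicts records anything observed mapping to more than one value.
    """
    enc = parse_listing(encrypted_text)
    orig = parse_listing(original_text)
    seen = defaultdict(set)      # plain char -> cipher chars observed
    ext_seen = defaultdict(set)  # cipher ext -> plain exts observed
    for key, (pname, pext) in orig.items():
        if key not in enc:
            continue
        cname, cext = enc[key]
        if (cname, cext) == (pname, pext):
            continue  # left untouched (COMMAND.COM, AUTOEXEC.BAT, AUTOEXEC.BAK)
        if len(cname) != len(pname):
            raise ValueError(f"length mismatch: {pname!r} vs {cname!r}")
        for p, c in zip(pname, cname):
            seen[p].add(c)
        ext_seen[cext].add(pext)
    conflicts = {p: cs for p, cs in seen.items() if len(cs) > 1}
    conflicts.update({e: ps for e, ps in ext_seen.items() if len(ps) > 1})
    name_map = {p: next(iter(cs)) for p, cs in seen.items() if len(cs) == 1}
    ext_map = {e: next(iter(ps)) for e, ps in ext_seen.items() if len(ps) == 1}
    return name_map, ext_map, conflicts


def invert(name_map):
    """Build cipher -> plain, refusing a table that two plain chars share (not invertible)."""
    inv = {}
    for p, c in name_map.items():
        if c in inv:
            raise ValueError(f"cipher char {c!r} stands for both {inv[c]!r} and {p!r}")
        inv[c] = p
    return inv


def recover(cipher_name, cipher_ext, tables=None):
    """Recover 'NAME.EXT' from an encrypted entry; characters never seen become '?'."""
    name_map, ext_map, _ = tables or derive_tables()
    inv = invert(name_map)
    name = "".join(inv.get(c, "?") for c in cipher_name)
    return f"{name}.{ext_map.get(cipher_ext, '???')}"


def check_roundtrip():
    """Return the encrypted entries the learned table fails to restore (empty means all restored)."""
    tables = derive_tables()
    enc, orig = parse_listing(ENCRYPTED_LISTING), parse_listing(ORIGINAL_LISTING)
    bad = []
    for key, (pname, pext) in orig.items():
        if key not in enc or enc[key] == (pname, pext):
            continue
        got = recover(*enc[key], tables)
        if got != f"{pname}.{pext}":
            bad.append((enc[key], got, f"{pname}.{pext}"))
    return bad


if __name__ == "__main__":
    name_map, ext_map, conflicts = derive_tables()
    print("plain -> cipher:", dict(sorted(name_map.items())))
    print("extensions:", ext_map, "conflicts:", conflicts)
    print("unrecovered:", check_roundtrip())
```

Because the table is learned only from the characters that actually occur in the listing, an entry containing an unseen character comes back with a `?` in that position; the caller can then extend the table from a second recovered directory, such as the subdirectory listings the report says are stored inside CYBORG.EXE.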

     All of the data in the system appears to be intact and not
encrypted.  The partition table and boot sector have not been modified
in any way.  The system can be recovered by removing the hidden
directories and their contents, and by replacing the encrypted entries
in the FAT with the entries found in the CYBORG.EXE file.  Currently
this has to be done by hand.  We are working on a program to perform this
task.
     If you catch this trojan before it activates, then Jim Bate's
AIDSOUT.COM program available on HomeBase will extract the trojan and
return the system to its original condition.


Remaining questions:
     Dr. Solomon reports that his sample created one additional file
called SHARE.EXE that had instructions to install the SHARE program on
a second computer and then return it to the affected system.  The
instructions stated that running the SHARE program again on the
affected system would provide 30 free re-boots of the system with all
data restored.  Our samples did not create this SHARE program and no
instructions pertaining to it were given.  Whether this was a
difference in diskettes or perhaps attributable to our non-standard
test machines we do not know.

John McAfee