Alan_J_Roberts@cup.portal.COM (12/14/89)
This is a forward from John McAfee:

A lot more has been discovered about the AIDS Information Trojan in the past 24 hours. First, the diskette does not contain a virus. The install program does initiate a counter, and based on a seemingly random number of re-boots, the trojan will activate and destroy all data on the hard disk.

The diskette was mailed to at least 7,000 corporations, based on information obtained from CW communications - one of the magazine mailing label houses used by the perpetrators. The perpetrator's initial investment in disks, printing and mailing is well in excess of $158,000 according to a Chase Manhattan Bank estimate that was quoted in a PC Business World press release from London. The bogus company that sent the diskettes had rented office space in Bond Street in London under the name of Ketema and Associates. The perpetrators told the magazine label companies that they contacted that they were preparing an advertising mailer for a commercial software package from Nigeria. All offices had been vacated at the time of the mailing, and all addresses in the software and documentation are bogus.

The Trojan creates several hidden subdirectories -- made up of space and ASCII 255's -- in the root of drive C. The install program is copied into one of these and named REM.EXE. The user's original AUTOEXEC.BAT file is copied to a file called AUTO.BAT. The first line of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for convenience". The installation also creates a hidden AUTOEXEC.BAT file that contains the commands:

    C:
    CD \
    REM Use this file in place of AUTOEXEC.BAT
    AUTO

The CD \ actually contains ASCII characters 255, which causes the directory to change to one of the hidden directories containing the REM.EXE file. The REM file is then executed and decrements a counter at each reboot. After a random number of reboots, the hard disk is wiped clean. Definitely a new approach.

So far the mailings appear to be limited to western Europe. No reports have been received from the U.S. If anyone does have the diskette, or has already run the install program, a disinfector has been written by Jim Bates and is available on HomeBase for free download. 408 988 4004. The name of the disinfector is AIDSOUT.COM.

John McAfee
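
A check for the install artifacts listed in the message above, as an added example that is not part of the original post and is unrelated to AIDSOUT.COM. It assumes the root directory names and the two batch files have been read as raw bytes (for instance from a disk image); the function names are hypothetical and the sample bytes are constructed.

```python
# Added example: flags the install artifacts the post describes.
# Inputs are raw bytes (e.g. read from a disk image); samples are constructed.

BLANK = {0x20, 0xFF}          # space and ASCII 255 both display as blank
AUTO_BAT_MARKER = b"REM Use this file in place of AUTOEXEC.BAT for convenience"


def blank_looking(name: bytes) -> bool:
    """Directory name made up only of spaces and ASCII 255, as in the post."""
    return 0xFF in name and set(name) <= BLANK


def lines_with_255(batch: bytes) -> list[tuple[int, str]]:
    """Return (line number, printable form) for batch lines holding 0xFF."""
    hits = []
    for number, line in enumerate(batch.splitlines(), start=1):
        if 0xFF in line:
            shown = line.decode("latin-1").replace("\xff", "<255>")
            hits.append((number, shown))
    return hits


def find_indicators(root_names, autoexec: bytes, auto_bat: bytes) -> list[str]:
    """Collect human-readable findings for one drive's root directory."""
    findings = []
    for name in root_names:
        if blank_looking(name):
            findings.append(f"blank-looking directory name: {name!r}")
    for number, shown in lines_with_255(autoexec):
        findings.append(f"AUTOEXEC.BAT line {number} contains ASCII 255: {shown}")
    first = auto_bat.splitlines()[0].strip() if auto_bat.strip() else b""
    if first == AUTO_BAT_MARKER:
        findings.append("AUTO.BAT starts with the marker REM line")
    return findings


# Constructed sample data; the number of 255 bytes is an assumption.
SAMPLE_ROOT = [b"DOS", b"\xff\xff \xff", b"WP51"]
SAMPLE_AUTOEXEC = (b"C:\r\nCD \\\xff\xff \xff\r\n"
                   b"REM Use this file in place of AUTOEXEC.BAT\r\nAUTO\r\n")
SAMPLE_AUTO_BAT = AUTO_BAT_MARKER + b"\r\nPATH C:\\DOS\r\nPROMPT $P$G\r\n"

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_ROOT, SAMPLE_AUTOEXEC, SAMPLE_AUTO_BAT):
        print(finding)
```

The `<255>` rendering matters because a plain listing or `TYPE` of the file shows those bytes as blanks, so the `CD \` line looks harmless on screen.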