[comp.binaries.ibm.pc.d] AIDS Trojan Update

Alan_J_Roberts@cup.portal.COM (12/14/89)

This is a forward from John McAfee:

     A lot more has been discovered about the AIDS Information Trojan
in the past 24 hours.  First, the diskette does not contain a virus.
The install program does initiate a counter, and based on a seemingly
random number of re-boots, the trojan will activate and destroy all
data on the hard disk.  The diskette was mailed to at least 7,000
corporations, based on information obtained from CW communications -
one of the magazine mailing label houses used by the perpetrators.
The perpetrator's initial investment in disks, printing and mailing is
well in excess of $158,000 according to a Chase Manhattan Bank
estimate that was quoted in a PC Business World press release from
London.  The bogus company that sent the diskettes had rented office
space in Bond Street in London under the name of Ketema and
Associates.  The perpetrators told the magazine label companies that
they contacted that they were preparing an advertising mailer for a
commercial software package from Nigeria.  All offices had been
vacated at the time of the mailing, and all addresses in the software
and documentation are bogus.
     The Trojan creates several hidden subdirectories -- made up of
space and ASCII 255's -- in the root of drive C.  The install program
is copied into one of these and named REM.EXE.  The user's original
AUTOEXEC.BAT file is copied to a file called AUTO.BAT.  The first line
of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for
convenience".  The installation also creates a hidden AUTOEXEC.BAT
file that contains the commands:

          C:
          CD \
          REM  Use this file in place of AUTOEXEC.BAT
          AUTO

     The CD \ actually contains ASCII characters 255, which causes the
directory to change to one of the hidden directories containing the
REM.EXE file.  The REM file is then executed and decrements a counter
at each reboot.  After a random number of reboots, the hard disk is
wiped clean.  Definitely a new approach.
     So far the mailings appear to be limited to western Europe.  No
reports have been received from the U.S.  If anyone does have the
diskette, or has already run the install program, a disinfector has
been written by Jim Bates and is available on HomeBase for free
download.  408 988 4004.  The name of the disinfector is AIDSOUT.COM.


John McAfee
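The two filesystem tricks described in the post (directory names built from spaces and ASCII 255 so they look blank in a DIR listing, and a `CD \` line whose argument hides ASCII 255 characters so it changes into one of those directories) can both be checked for mechanically. The Python below is an added example and is not code from the post, from McAfee, or from Jim Bates' AIDSOUT.COM; the directory listing and AUTOEXEC.BAT contents are constructed samples, and the function names are assumptions of this example.

```python
# Added example (not from the original post): detection checks for the two
# disguises the AIDS Information Trojan uses on drive C. All sample data below
# is constructed for illustration.

ASCII_255 = 0xFF  # renders as a non-breaking space in code page 437, i.e. blank


def looks_blank_on_screen(name: bytes) -> bool:
    """True when a DOS name consists only of spaces and ASCII 255 bytes,
    which is exactly what makes it show up as an empty entry in DIR output."""
    return len(name) > 0 and all(b in (0x20, ASCII_255) for b in name)


def as_displayed(name: bytes) -> str:
    """How the name would appear on a code page 437 console (0xFF -> U+00A0)."""
    return name.decode("cp437")


def find_disguised_dirs(entries):
    """entries: list of (name: bytes, is_dir: bool) as a directory walker would
    report the root of C:. Returns the directory names that look blank."""
    return [name for name, is_dir in entries if is_dir and looks_blank_on_screen(name)]


def suspicious_cd_lines(autoexec: bytes):
    """Return (line_number, raw_line) for every CD/CHDIR command whose argument
    contains ASCII 255. A plain 'CD \\' is harmless; one that carries 0xFF bytes
    silently enters a hidden directory such as the one holding REM.EXE."""
    hits = []
    for n, line in enumerate(autoexec.splitlines(), 1):
        stripped = line.strip(b" \t")       # strip only visible whitespace, not 0xFF
        upper = stripped.upper()            # bytes.upper() leaves non-ASCII untouched
        if not (upper.startswith(b"CD ") or upper.startswith(b"CD\\")
                or upper.startswith(b"CHDIR ")):
            continue
        if ASCII_255 in stripped:
            hits.append((n, line))
    return hits


# Constructed sample: a root listing with two blank-looking hidden directories.
SAMPLE_ENTRIES = [
    (b"DOS", True),
    (b"AUTOEXEC.BAT", False),
    (b" \xff\xff", True),       # constructed: shows as an empty name in DIR
    (b"\xff \xff ", True),      # constructed: likewise
    (b"CONFIG.SYS", False),
]

# Constructed sample modelled on the four-line AUTOEXEC.BAT quoted in the post;
# the second line is 'CD \' followed by ASCII 255 characters.
SAMPLE_AUTOEXEC = (
    b"C:\r\n"
    b"CD \\\xff\xff\r\n"
    b"REM  Use this file in place of AUTOEXEC.BAT\r\n"
    b"AUTO\r\n"
)

if __name__ == "__main__":
    for name in find_disguised_dirs(SAMPLE_ENTRIES):
        print("blank-looking directory:", repr(name), "displays as", repr(as_displayed(name)))
    for n, line in suspicious_cd_lines(SAMPLE_AUTOEXEC):
        print("AUTOEXEC.BAT line", n, "changes into a hidden directory:", repr(line))
```

The checks deliberately work on raw bytes rather than decoded strings, because the whole point of the disguise is that the decoded, on-screen form is indistinguishable from a normal `CD \` or an empty name.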