[comp.virus] Trojan AIDS: the AIDS program

brunnstein@rz.informatik.uni-hamburg.dbp.de (Klaus Brunnstein) (12/20/89)

The AIDS diskette contains 2 programs,
              INSTALL.EXE   146.188 Bytes   9-28-89     4:28p
              AIDS.   EXE   172.562 Bytes   8-07-89    10:28p

the first of which is described by J. McAfee and others (INSTALL.EXE and its
installed versions REM, SHARE) in VIRUS-L; this is the Trojan horse.

The AIDS program itself contains a question/answering session with AIDS-
related questions, where a `risk' (on 7 levels) is computed for the specific
answers. While most other groups are analysing the INSTALLed Trojan horse,
one group at Virus Test Center Hamburg actually analyses the AIDS program.

We have run several sessions, and we regard the program as *not very
intelligent* from the Informatics standpoint, and *not highly reliable*
from the medical standpoint (we will prove this with some medical experts; we
received 4 copies from specialists in immunology, and 3 more copies from
banks etc).

The AIDS program works rather linearly; the dialogue is done with simple
multiple choices, where the 1st option is always HELP-text. If you analyse the
HELP texts, they are not very specific (many of them may have been generated
from an ordinary lexicon). In section 1, BACKGROUND INFORMATION is gathered,
e.g. residence country, sex, age (in 9 clusters), ancestors' origin continent,
sexual behaviour (heterosexual, no sexual experience, homosexual or bisexual),
and number of sex partners since 1980 (in 8 clusters from 0 to 100+) are asked.

In section 2, MEDICAL HISTORY is examined, e.g. how many blood transfusions
since 1980, active tuberculosis, drug injection, sexually transmitted
diseases, sexual habits (use of condom..). For some positive answers,
there may be additional details asked for. No mechanism is visible which
safeguards the extensive personal data; on the other side, no data are
gathered which may be used to authenticate a person and relate their name
with the data gathered.

After an evaluation procedure (less than 1 minute on an AT), `you' are
assigned to one of seven Levels of AIDS Risk (`no risk, very low risk,
low risk, medium risk, high risk, very high risk, extremely high risk').
Depending on the list of answers, a PERSONAL ADVICE is given, e.g. stating
`Your risk of exposure to the AIDS virus is low but presently increasing..',
suggesting to use condoms, etc. Finally, you are asked to input YOUR
COMMENTS (`Use the computer like a typewriter. Type anything that comes to
your mind ... The computer will then analyze your remarks and respond to you
with further comments..'). The answers are rather unspecific.

Based on some experiments (with more systematic testing to be done
after having reverse-engineered the code), my best estimation is that
the question-answering is done in typical BASIC style, and that the
risk evaluation function is only very rudimentary (we received a 'low
risk' for a young female drug addict). The personal advice seems to be
programmed from a few types of answers, and the analysis of Your
Comments fails with even simple, AIDS-related questions.

The 'loose' relation between INSTALL/REM/SHARE and AIDS (probably influencing
the catastrophic counter, evidently initialised at 90 and decremented during
bootup) will very probably allow the INSTALL process to be used also *in
connection with other 'interesting programs'*. With so many diskettes
distributed, we may face similar (and maybe more serious) threats. I therefore
appreciate J. McAfee's remark that he has included his ANTI-Trojan in his
ANTIVIRUS tool. Though mixing up an Antivirus Tool with Anti-Trojan functions
may produce new problems (e.g. misunderstanding the respective threats and the
limitations of such tools), I suggest that other antivirus tools should also
contain a diagnostic feature for Trojan AIDS.

Evaluating the given situation, I conclude that the business procedure (e.g.
the distribution of diskettes) was professional, and that the Trojan horse's
mechanisms were rather intelligent, though some parts of INSTALL/REM/SHARE
are primitively linearly programmed, e.g. the `encryption' part. The AIDS
program is of neither good programming nor medical standard.

Klaus Brunnstein
- -----------------------------------------------------------------------
PostAdress:      Prof.Dr. Klaus Brunnstein
            Faculty for Informatics, Univ.Hamburg
                    Schlueterstr.70
                   D 2000 Hamburg 13
           Tel: (40) 4123-4158 / -4162 Secr.
ElMailAdr:   Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de
FromINTERNET:Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@Relay.CS.Net
FromBITNET:  Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@DFNGate.Bitnet
FromUUCP:    brunnstein%rz.informatik.uni-hamburg.dbp.de@unido.uucp
- -----------------------------------------------------------------------