Alan_J_Roberts@cup.portal.com (12/14/89)
This is a forward from John McAfee:

A lot more has been discovered about the AIDS Information Trojan in the past 24 hours. First, the diskette does not contain a virus. The install program does initiate a counter, and based on a seemingly random number of re-boots, the trojan will activate and destroy all data on the hard disk.

The diskette was mailed to at least 7,000 corporations, based on information obtained from CW communications - one of the magazine mailing label houses used by the perpetrators. The perpetrator's initial investment in disks, printing and mailing is well in excess of $158,000 according to a Chase Manhattan Bank estimate that was quoted in a PC Business World press release from London.

The bogus company that sent the diskettes had rented office space in Bond Street in London under the name of Ketema and Associates. The perpetrators told the magazine label companies that they contacted that they were preparing an advertising mailer for a commercial software package from Nigeria. All offices had been vacated at the time of the mailing, and all addresses in the software and documentation are bogus.

The Trojan creates several hidden subdirectories -- made up of space and ASCII 255's -- in the root of drive C. The install program is copied into one of these and named REM.EXE. The user's original AUTOEXEC.BAT file is copied to a file called AUTO.BAT. The first line of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for convenience". The installation also creates a hidden AUTOEXEC.BAT file that contains the commands:

    C:
    CD \
    REM Use this file in place of AUTOEXEC.BAT
    AUTO

The CD \ actually contains ASCII characters 255, which causes the directory to change to one of the hidden directories containing the REM.EXE file. The REM file is then executed and decrements a counter at each reboot. After a random number of reboots, the hard disk is wiped clean.

Definitely a new approach. So far the mailings appear to be limited to western Europe. No reports have been received from the U.S. If anyone does have the diskette, or has already run the install program, a disinfector has been written by Jim Bates and is available on HomeBase for free download. 408 988 4004. The name of the disinfector is AIDSOUT.COM.

John McAfee
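A sketch of a check for the artifacts listed in the post above: blank-looking directory names, the AUTO.BAT marker line, and byte 255 inside AUTOEXEC.BAT. This is an added example, not part of the original post and not the AIDSOUT.COM disinfector; the function names, the raw-bytes input format and the sample data are assumptions constructed for illustration.

```python
HIDDEN_BYTE = 0xFF  # "ASCII 255": displays as a blank on a DOS screen
AUTO_BAT_FIRST_LINE = b"REM Use this file in place of AUTOEXEC.BAT for convenience"

def is_blank_looking_name(name: bytes) -> bool:
    """Directory name made up only of spaces and byte 255 (at least one 255)."""
    return HIDDEN_BYTE in name and all(b in (0x20, HIDDEN_BYTE) for b in name)

def scan_autoexec(data: bytes) -> list:
    """Return (line_number, reason) for each suspicious line of a raw AUTOEXEC.BAT."""
    findings = []
    for number, line in enumerate(data.splitlines(), start=1):
        text = line.strip(b" \t")  # strip ASCII blanks only; byte 255 must survive
        if HIDDEN_BYTE in text:
            command = text.split(b" ", 1)[0].replace(b"\xff", b"").upper()
            findings.append(
                (number, "byte 255 in %s line" % command.decode("ascii", "replace")))
        elif text.upper() == b"AUTO":
            findings.append((number, "chains to AUTO.BAT"))
    return findings

def scan_root(names, files) -> list:
    """names: raw root-directory entry names; files: {name: content} of root files."""
    report = [("dir", n) for n in names if is_blank_looking_name(n)]
    auto = files.get(b"AUTO.BAT", b"")
    if auto.splitlines()[:1] == [AUTO_BAT_FIRST_LINE]:
        report.append(("file", b"AUTO.BAT"))
    report += [("autoexec", f) for f in scan_autoexec(files.get(b"AUTOEXEC.BAT", b""))]
    return report

# Constructed sample data: one way the files in the post might look on disk.
# The position of the 255 bytes after "CD \" is an assumption.
SAMPLE_AUTOEXEC = (b"C:\r\nCD \\\xff\xff\xff\r\n"
                   b"REM Use this file in place of AUTOEXEC.BAT\r\nAUTO\r\n")
SAMPLE_NAMES = [b"DOS", b"\xff\xff\xff", b" \xff ", b"UTILS"]
SAMPLE_FILES = {
    b"AUTOEXEC.BAT": SAMPLE_AUTOEXEC,
    b"AUTO.BAT": AUTO_BAT_FIRST_LINE + b"\r\nPROMPT $P$G\r\n",
}

if __name__ == "__main__":
    for item in scan_root(SAMPLE_NAMES, SAMPLE_FILES):
        print(item)
```

The file contents are handled as raw bytes throughout, because decoding to text and stripping whitespace would hide the very byte being looked for.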
Alan_J_Roberts@cup.portal.com (12/15/89)
A forward from John McAfee:

Our investigation has turned up a surprise: PC Cyborg Corporation has indeed been registered in the country of Panama. The registration date was 04-12-89, legal deed #16653. The resident agent for due process is listed as Lucia Bernal. The directors are: Kitain Mekonen, Asrat Wakjira and Fantu Mekesse. Since the names of the directors are all West African, it appears that the story told by Ketema Corporation about representing a Nigerian software firm may be close to the truth. The story unfolds.

We still have no verified reports of mailings to the U.S. Let's hope we continue to have none. Needless to say, if anyone does receive the AIDS diskette, do not use it.

John McAfee
jwright@atanasoff.cs.iastate.edu (Jim Wright) (12/19/89)
Alan_J_Roberts@cup.portal.com writes (on behalf of John McAfee):
| Our investigation has turned up surprise: PC Cyborg
| Corporation has indeed been registered in the country of Panama.

Is anyone aware of any attempts to actually *pay* for these disks? I'm curious as to what sort of response this would meet. Also, is the information on these disks of any worth, or can one claim the "AIDS information" is just a ploy to propagate a Trojan? Perhaps this is really a monumental blunder in the name of copy protection.

Jim Wright
jwright@atanasoff.cs.iastate.edu
anigbogu@loria.crin.fr (Julian ANIGBOGU) (12/20/89)
Alan_J_Roberts@cup.portal.com writes:
>A forward from John McAfee:
> [deleted]
>The directors are: Kitain Mekonen, Asrat Wakjira and Fantu Mekesse. Since the
>names of the directors are all West African, it appears that the story told
>by Ketema Corporation about representing a Nigerian software firm may be
>close to the truth. The story unfolds.
>[rest deleted]

I would like to correct the impression your assertion creates. That is that the AIDS virus is from Nigeria. The names are quite exotic but as a Nigerian I'd like to inform you of a fact you neglected: that the names might be false. Well, Well, Well: the NAMES are all FALSE. We don't answer such names.

As a regular user of the PC, just as I would like you to get to the bottom of this problem because it's a real international problem, I would like you to be objective. Somebody somewhere is/are covering his/their track(s) by stringing a red herring. Doesn't the name Mekonen remind you of a personality in Star Trek?

I'm ready to be flamed but I can assure you that the above names are fictitious. We certainly have not come of age in Computer Science to produce such destructive weapons. It's obvious that some malefactor somewhere is hiding under certain names to do his/their evil deeds.

Julian

----------------------------------------------------------------------
e-mail: anigbogu@loria.crin.fr | All opinions expressed here are     |
                               | naturally mine. However ...         |
----------------------------------------------------------------------