Alan_J_Roberts@cup.portal.com (12/19/89)
A forward from John McAfee:
==========================================================================

It's now reasonably certain that there exists only one version of the AIDS Trojan that has been mailed so far. All copies that have been reported so far (31) have the same file size - 146188, date - 9-28-89, and time - 4:28 P. File compares have been performed on nine of the 31 samples and they compare exactly. All have been programmed in Microsoft Quick Basic Version 3 and none have padding bytes at either end of the program. The samples have been taken from England, Germany, Sweden, Finland, France and the one reported case in the U.S. Diskettes from two different mailing lists were included in the sample.

The significant reported contradictions in the behaviour of the trojan now appear to be cleared up. The difference in the reported activation trigger is now known to be caused by the varying inputs to the AIDS Information program when it is executed. The Information program modifies the count field according to the final "score" on the quiz. Those who fall in the high risk categories are given the most time; those whose answers place them in low risk categories have their count fields decremented substantially. If the AIDS program is never executed, the user has 90 reboots before activation.

The reported differences in the occurrence of the SHARE.EXE program after activation are now known to be caused by differences in printer configurations and printer status. If no printer is attached to LPT1, or if the printer is turned off after the initial activation, no SHARE.EXE program or share message is produced.

The encryption of the file names and extensions is now also known to be constant for all samples. There is no encryption key or encryption algorithm. The file names are modified by using a simple character substitution which is constant for all samples and execution environments. The extensions are likewise substituted.

For example: All COM files are given the extension AK, EXE files are changed to AU and BAT files are changed to AG. If a file extension is unknown to the trojan, then it leaves the extension as is. Disappointingly trivial, considering the complexity of the remainder of the trojan code. It is also known now that the INSTALL program will place and activate the time bomb with or without the accompanying AIDS program. This seems to imply that the install program may have been written for additional purposes. Watch out for potential additional mailings covering completely different subject matter.

John McAfee
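The extension substitution and sample indicators described in the forwarded report, turned into a small triage script for a directory listing. This is an added example and not code from the original message or from McAfee; it assumes only the three extension mappings given above (COM->AK, EXE->AU, BAT->AG) and the reported sample size 146188. The file-name (stem) substitution table is not given in the report, so the script reverses extensions only and keeps the stem as found; files whose original extension was unknown to the trojan are left untouched and so cannot be recognised this way.

```python
# Triage helper for the AIDS Trojan extension substitution (added example,
# not part of the original report).  Only the mappings stated in the report
# are assumed; the name-stem substitution is unknown and is not reversed.

# Extension substitution reported in the message (original -> substituted).
EXT_SUBST = {"COM": "AK", "EXE": "AU", "BAT": "AG"}
REVERSE_SUBST = {v: k for k, v in EXT_SUBST.items()}

# Reported size of every mailed installer sample (constructed test data below
# uses it to flag a candidate installer file).
REPORTED_INSTALL_SIZE = 146188


def infer_original_extension(name):
    """Return (stem, original_ext) when the extension looks substituted.

    Unknown extensions were left as-is by the trojan, so a file with a
    non-substituted extension yields None: it is neither proof of infection
    nor proof of a clean file.
    """
    stem, sep, ext = name.rpartition(".")
    if not sep:
        return None
    orig = REVERSE_SUBST.get(ext.upper())
    return (stem, orig) if orig else None


def triage_listing(names, sizes=None):
    """Classify a directory listing.

    Returns a dict with 'renamed' (substituted name -> proposed restored name,
    extension only) and 'size_matches' (files whose size equals the reported
    installer sample size).  'sizes' maps file name -> size in bytes.
    """
    sizes = sizes or {}
    renamed = {}
    size_matches = []
    for n in names:
        hit = infer_original_extension(n)
        if hit:
            stem, orig = hit
            renamed[n] = f"{stem}.{orig}"
        if sizes.get(n) == REPORTED_INSTALL_SIZE:
            size_matches.append(n)
    return {"renamed": renamed, "size_matches": size_matches}


if __name__ == "__main__":
    # Constructed sample listing; the stems are left as found on disk.
    listing = ["COMMAND.AK", "INSTALL.AU", "AUTOEXEC.AG", "README.TXT"]
    print(triage_listing(listing, {"INSTALL.AU": REPORTED_INSTALL_SIZE}))
```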