[comp.virus] Aids cures

RY15@DKAUNI11.BITNET (Christoph Fischer) (12/18/89)

A I D S  -  D I S K E T T E
===========================
Dr. Solomon and I just had a phone conversation on possible cures for
the effects of the AIDS disc.
In STAGE ONE
    (the disc has been installed but the filenames are not encrypted)
Several hidden directories, a file REM.EXE, and an altered AUTOEXEC.BAT
have been installed. Some sources suggest that removing these directories
and the added files, and restoring the original AUTOEXEC.BAT, will cure all
effects of STAGE ONE.
Because of the uncertainty about what else the program does, people who want
maximum security are advised to copy the files to diskettes after the
above procedure. Low-level format the discs and restore all programs
and data.
Dr. Solomon and I are not sure that all discs behave the same way.
Our samples don't touch hard discs higher than C: (D:, E:, ...) but there
are reports of discs that do! (maybe just rumors?)
STAGE TWO is entered after 90 executions of the AUTOEXEC.BAT with our
samples, but there are victims who claim that their version of the
software skips STAGE ONE.

In STAGE TWO the program encrypts the filenames and alters other things.
A mockup is started after reboot from the hard disc that gives you a
correct directory listing plus an added comment that the lease of the
CYBORG software has expired.
In this stage the disc contents appear to be useless.
Dr. Solomon was the first to discover a principle behind the encryption
and is working on a program to recover the original filenames.
We both think that this mechanism should only be used to back up all
data of an infected disc. A LOW-LEVEL format of the hard disc and
reinstallation of programs and data are the safest means to remove
all effects.

Sincerely, Chris Fischer (University of Karlsruhe, West Germany)
and Dr. Alan Solomon (S&S Enterprises, Chesham, Bucks, Great Britain)