Alan_J_Roberts@cup.portal.com (12/13/89)
This is an urgent forward from John McAfee:
A distribution diskette from a corporation calling itself
PC Cyborg has been widely distributed to major corporations and
PC user groups around the world and the diskette contains a
highly destructive trojan. The Chase Manhattan Bank and ICL
Computers were the first to report problems with the software.
All systems that ran the enclosed programs had all data on the
hard disks destroyed. Hundreds of systems were affected.
Other reports have come in from user groups, small businesses and
individuals with similar problems. The professionally prepared
documentation that comes with the diskette purports that the
software provides a data base of AIDS information. The flyer
heading reads - "AIDS Information - An Introductory Diskette".
The license agreement on the back of the same flyer reads:
"In case of breach of license, PC Cyborg Corporation reserves the
right to use program mechanisms to ensure termination of the use
of these programs. These program mechanisms will adversely
affect other program applications on microcomputers. You are
hereby advised of the most serious consequences of your failure
to abide by the terms of this license agreement."
Further in the license is the sentence: "Warning: Do not use
these programs unless you are prepared to pay for them".
If the software is installed using the included INSTALL program,
the first thing that the program does is print out an invoice
for the software. Then, whenever the system is re-booted, or
powered down and then re-booted from the hard disk, the system
self destructs.
Whoever has perpetrated this monstrosity has gone to a great deal
of time, and more expense, and they have clearly perpetrated the
largest single targeting of destructive code yet reported. The
mailings are professionally done, and the style of the mailing
labels indicate the lists were purchased from professional
mailing organizations. The estimated costs for printing,
diskette, label and mailing is over $3.00 per package. The
volume of reports imply that many thousands may have been mailed.
In addition, the British magazine "PC Business World" has
included a copy of the diskette with its most recent publication
- - another expensive avenue of distribution. The only indication
of who the perpetrator(s) may be is the address on the invoice to
which they ask that $378.00 be mailed:
PC Cyborg Corporation
P.O. Box 871744
Panama 7, Panama
Needless to say, a check for a registered PC Cyborg Corporation
in Panama turned up negative.
An additional note of interest in the license section reads:
"PC Cyborg Corporation does not authorize you to distribute or
use these programs in the United States of America. If you have
any doubt about your willingness or ability to meet the terms of
this license agreement or if you are not prepared to pay all
amounts due to PC Cyborg Corporation, then do not use these
programs".
John McAfeecdsm@sappho.doc.ic.ac.uk (Chris Moss) (12/15/89)
Alan_J_Roberts@cup.portal.com writes: >This is an urgent forward from John McAfee: > > A distribution diskette from a corporation calling itself >PC Cyborg has been widely distributed to major corporations and >PC user groups around the world and the diskette contains a >highly destructive trojan. Further information from the London "Independent" newspaper 15 Dec bylined by Science Editor Tom Wilkie, titled 'Trojan' threatens 10,000 computers: Fears are growing that more than one mailing list was used todistribute the "Aids Information" computer diskette which is damaging computers. Police said yesterday that they had been "inundated" by thousands of complaints about the disk, which they believe may have been distributed to more than 10,000 addresses in Britain. There are also unconfirmed reports tha delegates to an Aids conference in Sweden have been sent copies of the diskette from London. Experts estimate that the cost of the operation must run to between 8,000 and 10,000 pounds. .. According to Dr Alan Solomon, a leading expert on computer security, the program counts the times a user switches on the machine. After about 90 startups, Dr Solomons said, the damage routine is triggered. The program encrypts the names of all files held on the hard disks and "hides" them. This means that the computer's normal operating software is unable to find anything except one file, "CYBORG.DOC" which contains a demand for payment. According to Steve Robinson of the software company Insoft, the damage routine may be triggered on some machines almost as soon as the program is run. ... >In addition, the British magazine "PC Business World" has >included a copy of the diskette with its most recent publication (I do not confirm the truth of this assertion, but the article continues) PC Business World has produced an "Aidsout" program, written by virus hunter Jim Bates, on a disk which the magazine will distribute free to victims. The program is also available on "Connect" the IBM PC User Group bulletin board. .. (various other symptoms) Experts agree the program is so big and cleverly written that it will take months to tease out all the things it may do. For that reason, users should remove all trace from machines as soon as possible. For free information send a SAE to: IBM PC User Group, PO Box 360, Harrow HA1 4LQ; or Dr. Alan Solomon, S and S, Watermeadow, Chesham, Bucks, HP5 1LP.