[comp.virus] Update on AIDS Trojan

Alan_J_Roberts@cup.portal.com (12/13/89)

The following is a posting from John McAfee:

	Early reports from people who have disassembled the AIDS
trojan that has been mailed to numerous European corporations indicate
that the trojan may be encrypting information on the disk rather than
destroying it outright.  The results are the same without a decrypting
routine but the possibility is now raised that the perpetrators do
have and may offer such a decryptor.  The report from Chase Manhattan
Bank that the name and address in the Trojan are bogus may not be
correct.  John Markoff of the New York Times has since stated that his
sources found a real corporation corresponding to the name and address
in the file.  This raises some interesting questions which, I believe,
only time will answer.  Whatever is happening, this much is known: The
trojan will make all data on the hard disk unusable; the change
happens suddenly; and no recovery is yet known.  If you find or have a
copy of this diskette don't use it.

John McAfee

teexmmo@isis.educ.lon.ac.uk (Matthew Moore) (12/15/89)

This afternoon I was one of a small team which successfully tracked
down the method of invocation of the Aids trojan, on a pc clone which
was infected, but not devastated.

Definition : <255> = the ascii character 255 , aka  hex FF

The program is called:                     rem<255>.exe
(ie 4 char filename which shows as 3)

It resides in a hidden directory called:   \<255>
(ie a 1 char filename)

It is invoked by two lines in the autoexec.bat file :-

cd \<255>                    (which of course usually looks like : cd \ )
rem<255> some statement      (which looks like : rem  some statement)

There are two additional features worth noting:-

i)  there is another root level hidden directory, also using a nonprintable
    character (I don't know which), containing further hidden subdirectories
    to four levels down, and at the bottom are files which appear to contain
    data from elsewhere on the disk, and sundry other info.

ii) there is a red herring in the autoexec.bat file.
    Underneath the two statements listed above, the line 'auto.bat'
    followed by an EOF (^Z).
    The file \auto.bat contains the original autoexec.bat

Presumably, it would be stopped by removing or renaming \<255>\rem<255>.exe
and reverting to a clean autoexec.bat .

(Corrections to this presumption welcome!)

--
mjm@cu.neur.lon.ac.uk                   | Post: Computing & Statistics Unit
JANET   :  mjm@uk.ac.lon.neur.cu        |       Institute of Neurology
INTERNET: try mjm%cu.neur.lon.ac.uk     |       Queen Square, London, WC1
Phone   : 01-837-5141                   |       London   WC1 3BG
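As an added example (not code from either poster): a small Python scanner that reads an autoexec.bat as raw bytes and flags the three tricks Matthew Moore's post describes, namely the 0xFF byte hidden in "cd \" and "rem", a REM look-alike that DOS does not treat as a comment, and text parked after a ^Z so that TYPE never shows it. It also tracks the current directory the way COMMAND.COM would, so that "rem<255>" resolves to \<255>\rem<255>, the file the post suggests removing. The sample autoexec.bat is constructed here from the post's description; the scanner models only where DOS would look first for a name and does not model which extension (.com, .exe, .bat) it would pick.

```python
import re

# Bytes outside printable ASCII (tab allowed).  0xFF is the one the post names.
NONPRINT = re.compile(rb"[^\x09\x20-\x7e]")
EOF_MARK = b"\x1a"  # ^Z: TYPE and most DOS editors stop reading here
# Internal COMMAND.COM commands that do not name a program on disk.
BUILTINS = {b"echo", b"cd", b"chdir", b"rem", b"set", b"path", b"prompt", b"cls"}

# Constructed sample of an infected autoexec.bat, laid out as in the post:
# "cd \<255>", "rem<255> some statement", the "auto.bat" red herring and a ^Z.
SAMPLE_AUTOEXEC = (
    b"@echo off\r\n"
    b"cd \\\xff\r\n"
    b"rem\xff some statement\r\n"
    b"auto.bat\r\n"
    b"\x1a"
    b"this text sits after the EOF marker and TYPE never shows it\r\n"
)

# Constructed clean autoexec.bat for comparison.
CLEAN_AUTOEXEC = b"@echo off\r\ncd \\\r\nrem some statement\r\npath c:\\dos\r\n"


def describe(data: bytes) -> str:
    """Printable rendering of a batch line; 0xFF is shown as <255> like the post."""
    return data.replace(b"\xff", b"<255>").decode("ascii", "replace")


def split_batch(raw: bytes):
    """Return (visible lines, bytes after ^Z).  DOS tools stop at the first ^Z."""
    visible, _, hidden = raw.partition(EOF_MARK)
    lines = [l.rstrip(b"\r") for l in visible.split(b"\n")]
    return [l for l in lines if l.strip()], hidden


def analyse(raw: bytes) -> dict:
    """Walk the batch file as COMMAND.COM would and report what it really runs."""
    lines, hidden = split_batch(raw)
    cwd = b"\\"          # batch files start in the root of the boot drive
    findings, executed = [], []
    for n, line in enumerate(lines, 1):
        tokens = line.split()
        cmd = tokens[0].lstrip(b"@").lower()   # "@echo" -> "echo"
        args = tokens[1:]
        if NONPRINT.search(line):
            findings.append((n, "non-printable byte in line", describe(line)))
        if cmd in (b"cd", b"chdir") and args:
            target = args[0]
            cwd = target if target.startswith(b"\\") else cwd.rstrip(b"\\") + b"\\" + target
            continue
        if cmd == b"rem":
            continue      # only an exact REM is a comment
        if cmd.startswith(b"rem"):
            findings.append((n, "REM look-alike: not a comment, DOS runs a program", describe(line)))
        if cmd not in BUILTINS:
            # External name: DOS looks in the current directory first, then PATH.
            executed.append(describe(cwd.rstrip(b"\\") + b"\\" + cmd))
    if hidden.strip():
        findings.append((len(lines), "bytes hidden after ^Z", describe(hidden[:40])))
    return {"findings": findings, "executed": executed}


if __name__ == "__main__":
    report = analyse(SAMPLE_AUTOEXEC)
    for n, what, text in report["findings"]:
        print(f"line {n}: {what}: {text}")
    for path in report["executed"]:
        print("would run:", path)
```

On the sample the scanner reports a non-printable byte on lines 2 and 3, a REM look-alike on line 3, hidden bytes after the ^Z, and resolves the two external names to \<255>\rem<255> and \<255>\auto.bat. Run it against a real autoexec.bat with `analyse(open("AUTOEXEC.BAT", "rb").read())`; reading in binary mode matters, since a text-mode read would drop the ^Z tail and may mangle the 0xFF byte that the whole trick depends on.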