alanj@IBMPCUG.CO.UK (Alan Jay) (12/14/89)
The following, written by Alan Solomon, gives details of the AIDS Information Disk sent out by PC-CYBORG and gives a method for restoring your disk to its former state. Remember, if you have not run this disk, DO NOT run it. This information is believed to be correct, BUT the program appears to be very clever and therefore we suggest that you must be very careful in carrying out any of the following instructions.

Alan Jay -- IBM PC User Group -- 01-863 1191

PRELIMINARY INFORMATION ON THE "AIDS" DISKETTE FROM PC CYBORG CORPORATION.
This is bulletin number AS/3.

You will probably have read in the press about the AIDS diskette, a diskette that was mailed out to a great many subscribers to PC Business World (through absolutely no fault of the magazine's). This diskette is a trojan - DO NOT RUN IT. It is a diskette that was sent through the post, unsolicited, and claiming to be a program that gave you useful information about the AIDS disease. The accompanying licence was a bit suspicious, so many people didn't run it (it threatened to do dire things to your computer if you didn't pay for the software).

We've done a preliminary analysis on it, and it works like this. If you run the INSTALL program, it creates two subdirectories with "impossible" names on the hard disk - one of these has a one-character name, and that character is [Alt-255] (hexadecimal FF). In that subdirectory, it puts a program called REM[Alt-255].EXE. The [Alt-255] character is invisible. It copies your AUTOEXEC to a file called AUTO.BAT, and puts an Echo off and a REM statement in front. It creates a new AUTOEXEC.BAT file, and makes it hidden and read-only. In that AUTOEXEC, it does a "CD \[Alt-255]" and then "REM[Alt-255]" followed by a plausible-looking remark.

After you run the AUTOEXEC, and therefore the REM[Alt-255] program, a number of times (we triggered it with 90, but this is only a preliminary result, and it may be triggerable with fewer or more), the damage routine is triggered. This would usually happen when the machine has been booted that many times. A series of messages are put up on the screen, aimed at persuading you not to switch off, and the trojan then encrypts your directory and makes all the files hidden except one called CYBORG.DOC. If you then boot from the hard disk, it tells you that a software licence has expired, and tells you to renew it - another request for money. If you do a Ctrl-Alt-Del, it fakes a reboot, and pretends to be running the DOS prompt - actually, a program is now running which fakes DOS. If you do a DIR, it shows you the unencrypted filenames, followed by a warning not to use the computer. It tells you that you must renew the lease on the software. Any other command, it also fakes a response to, and shows you the same message.

It also has a routine that could be called the SHARE routine. When this runs, it tells you that you can have 30 more applications of the program if you follow its instructions. It tells you to put a blank formatted floppy in drive A, and it then copies files onto it. Then you are asked to put the diskette in another computer and type A:SHARE. We're still pursuing this path. It may also do other damage - we're still investigating, but what we've found so far is enough to make me want to issue an urgent warning.

If you've already installed it, remove it. You can do this temporarily by making the AUTOEXEC.BAT file (in the root directory) read/write, and non-hidden, which you can do using one of a number of utilities. Then delete the AUTOEXEC.BAT. This disables the trojan lines that the install program put in. This APPEARS to deal with the trojan, but since there is a lot of deep stuff going on, we would not assume that it actually does fully deal with it. Our recommendation at this point in time is based on the fact that this thing is doing some pretty deep work on the disk, and since it contains a lot of code, it will be a long time before it is completely understood.

So as of now, our suggestion is: First, switch off the computer, put a known CLEAN DOS diskette in drive A, and switch on again. This makes sure that the trojan has no control. Back up all your data files using a file-by-file backup. Format the disk, reload all your executables from known clean diskettes, and restore the data files. You should take two backups, in case the first one fails to restore. If you haven't installed it, don't, and tell everyone else not to.

The police have been brought into this case; if you wish to make a formal complaint to the Computer Crime Unit, please contact Detective Sergeant Donovan on 01-725 2434. Also, contact him if you have any useful information. If you want more information about this trojan, it will be covered in full in Virus Fax International - please call if you want to know more about this. Please note that the information has been got out as quickly as possible, and is therefore subject to change in the details.

ALAN SOLOMON
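The detection side of what Solomon describes, as an added example that is not part of the original post and is not code from Solomon, the IBM PC User Group or PC Cyborg: a Python script that checks an AUTOEXEC.BAT image for the "CD \[Alt-255]" and "REM[Alt-255]" lines the installer writes, and walks a directory tree for names built from the 0xFF byte (the invisible directory and REM[Alt-255].EXE). The sample AUTOEXEC contents and directory names below are constructed from the bulletin's description; the remark text, the ordinary lines around the trojan lines and the exact spelling of the CD line are assumptions.

```python
"""
Checks for the on-disk traces of the PC Cyborg "AIDS" installer as the
bulletin describes them.  Added example: not code from the bulletin, and
the sample inputs below are constructed for illustration.
"""
import os
import re
import tempfile
from typing import Dict, List

FF = b"\xff"  # the [Alt-255] character: invisible at the DOS prompt

# The two lines the installer adds to the new, hidden AUTOEXEC.BAT:
#   CD \<FF>       change into the directory whose name is the single 0xFF byte
#   REM<FF> text   looks like a remark, but actually runs REM<FF>.EXE
# (exact spelling of the CD line is an assumption)
CD_FF_LINE = re.compile(rb"^\s*cd\s+\\?" + FF + rb"\s*$", re.IGNORECASE)
REM_FF_LINE = re.compile(rb"^\s*rem" + FF + rb"(\s.*)?$", re.IGNORECASE)


def autoexec_indicators(content: bytes) -> Dict[str, bool]:
    """Report which of the two trojan lines appear in an AUTOEXEC.BAT image.

    Works on raw bytes because 0xFF is not valid text in most codecs; DOS
    batch files end lines with CR LF, so split on either ending.
    """
    found = {"cd_ff": False, "rem_ff": False}
    for line in re.split(rb"\r?\n", content):
        if CD_FF_LINE.match(line):
            found["cd_ff"] = True
        if REM_FF_LINE.match(line):
            found["rem_ff"] = True
    return found


def suspicious_names(names: List[bytes]) -> List[bytes]:
    """Pick out directory entries that use the installer's naming trick:
    a name made only of 0xFF bytes (shown as blank by DIR), or REM followed
    by 0xFF bytes, e.g. REM<FF>.EXE.  Ordinary REMOTE.EXE or README.TXT
    must not trip this, so the bytes after REM are checked exactly.
    """
    hits = []
    for name in names:
        stem = name.split(b".", 1)[0]  # drop the .EXE / .BAT extension
        if stem and set(stem) == {0xFF}:
            hits.append(name)
        elif stem[:3].upper() == b"REM" and stem[3:] and set(stem[3:]) == {0xFF}:
            hits.append(name)
    return hits


def scan_tree(root: bytes) -> List[bytes]:
    """Walk a mounted disk or image (bytes path, so 0xFF names survive)
    and return the full paths of suspicious entries."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in suspicious_names(dirnames + filenames):
            hits.append(os.path.join(dirpath, name))
    return hits


# Constructed sample: what the bulletin says the new AUTOEXEC.BAT contains,
# surrounded by ordinary lines.  The remark text is invented.
TROJAN_AUTOEXEC = (
    b"@ECHO OFF\r\n"
    + b"PATH C:\\DOS\r\n"
    + b"CD \\" + FF + b"\r\n"
    + b"REM" + FF + b" Loading AIDS Information database...\r\n"
)
CLEAN_AUTOEXEC = b"@ECHO OFF\r\nPATH C:\\DOS\r\nREM Start up\r\nPROMPT $P$G\r\n"


if __name__ == "__main__":
    print(autoexec_indicators(TROJAN_AUTOEXEC))  # both True
    print(autoexec_indicators(CLEAN_AUTOEXEC))   # both False
    # Recreate the directory layout in a temp dir.  Linux filesystems accept
    # a 0xFF byte in a name; some others (e.g. APFS) may reject it.
    with tempfile.TemporaryDirectory() as tmp:
        root = tmp.encode()
        os.mkdir(os.path.join(root, FF))
        open(os.path.join(root, FF, b"REM" + FF + b".EXE"), "wb").close()
        open(os.path.join(root, b"REMOTE.EXE"), "wb").close()
        print(scan_tree(root))
```

Run it against the suspect disk only after booting from a known clean diskette, as the bulletin advises, since a live REM[Alt-255] or the fake DOS would otherwise be in control of what DIR and the file system report. If the hidden AUTOEXEC.BAT is flagged, the bulletin's removal step applies: clear its hidden and read-only attributes, delete it, and remember that AUTO.BAT holds the original AUTOEXEC with an Echo off and a REM line prepended.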