alanj@IBMPCUG.CO.UK (Alan Jay) (12/14/89)
AIDS INFORMATION DISK
=====================

Update 2 13-Dec-1989 6pm

IF you have not run this disk DO NOT INSTALL. It appears to be a very cleverly written TROJAN program that can be activated by a number of methods. Currently the activation method that has been detected uses a counter of the number of system reboots. When the counter gets to 90 the system goes into a second phase and encrypts files and directories on your hard disk.

The program appears to have a number of embellishments that make one think that the front door we have been shown MAY not be the only method that the system uses for deciding when to activate.

This is a very nasty program and the only 100% safe thing to do is to back up all DATA files and perform a full reformat of your hard disk, followed by a reinstallation of all DATA, from your backup, and programs from original system disks (or backup prior to installing this software). This should only be attempted once at least TWO copies of all valuable data have been extracted from the system.

Please remember to boot your system off an original DOS disk before starting this procedure.

Full details of the suggested procedure will be posted tomorrow.

Alan Jay

Readers who do not wish to follow this route may be interested in the following information about the primary activation system.

1) A hidden 'ACTOEXEC.BAT' file contains

       CD \<ALT255>
       REM<ALT255>

   it then runs your AUTOEXEC.BAT which the program renamed AUTO.BAT

2) A hidden subdirectory <ALT255> contains a file REM<ALT255>.EXE

Each time the system is booted the program is run and the counter incremented/decremented. After 90 activations the system enters phase TWO.

Please note that the system uses the <ALT255> character 'hi space' in the file names to stop standard DOS procedures acting on these files.

IT MAY be possible to delete these entries and thereby disable the program; this is NOT certain and it will take several months to discover if this is a safe course of events to take.

I hope that this information helps. I also understand that this is in the hands of the Fraud Squad / Computer Crime Division of the Metropolitan Police. If you have any further information I am sure that they would be interested to hear from you.

Alan Jay
--
IBM PC User Group - 01-863 1191
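
The file names described in the post hide behind the ALT-255 character (byte 0xFF in code page 437), which a normal DIR listing shows as a blank. The following is an added example, not part of the original post: it walks raw 32-byte FAT directory entries, as read from a disk image, and reports any 8.3 name containing that byte. The two sample directories, the attribute given to REM<ALT255>.EXE, and the helper names are constructed for illustration.

```python
# Added example: find FAT directory entries whose 8.3 name contains byte 0xFF
# (ALT-255, the "hi space"). All sample entries below are constructed.
HI_SPACE = 0xFF
ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x02, 0x08, 0x10, 0x0F

def make_entry(name, ext, attr):
    """Build one constructed 32-byte FAT directory entry for the demo."""
    return name.ljust(8, b" ") + ext.ljust(3, b" ") + bytes([attr]) + bytes(20)

def show(raw):
    """Render a name field with the otherwise invisible hi space spelled out."""
    return "".join("<ALT255>" if b == HI_SPACE else bytes([b]).decode("cp437")
                   for b in raw.rstrip(b" "))

def scan_directory(blob):
    """Return (display_name, is_hidden, is_dir) for entries containing 0xFF."""
    hits = []
    for off in range(0, len(blob) - 31, 32):
        entry = blob[off:off + 32]
        first, attr = entry[0], entry[11]
        if first == 0x00:              # end-of-directory marker
            break
        if first == 0xE5 or attr == ATTR_LFN or attr & ATTR_VOLUME:
            continue                   # deleted slot, long-name slot, volume label
        name, ext = entry[0:8], entry[8:11]
        if HI_SPACE in name or HI_SPACE in ext:
            label = show(name) + ("." + show(ext) if ext.strip(b" ") else "")
            hits.append((label, bool(attr & ATTR_HIDDEN), bool(attr & ATTR_DIR)))
    return hits

# Constructed root directory: two ordinary files plus the hidden <ALT255> subdirectory.
SAMPLE_ROOT = b"".join([
    make_entry(b"COMMAND", b"COM", 0x00),
    make_entry(b"AUTO", b"BAT", 0x00),
    make_entry(b"\xff", b"", ATTR_HIDDEN | ATTR_DIR),
    bytes(32),                         # end-of-directory marker
])
# Constructed contents of that subdirectory (attribute 0x00 is an assumption).
SAMPLE_SUBDIR = make_entry(b"REM\xff", b"EXE", 0x00) + bytes(32)

if __name__ == "__main__":
    for title, blob in (("root", SAMPLE_ROOT), ("subdir", SAMPLE_SUBDIR)):
        for label, hidden, is_dir in scan_directory(blob):
            print(f"{title}: {label} hidden={hidden} dir={is_dir}")
```

Reading the entries from an image taken after booting from an original DOS disk keeps the check independent of anything installed on the hard disk.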