Path: utzoo!attcan!utgpu!watserv1!watmath!uunet!tut.cis.ohio-state.edu!cica!iuvax!bionet!mrc-crc.ac.uk!gwilliam
From: gwilliam@mrc-crc.ac.uk (Gary Williams x3294)
Newsgroups: bionet.general
Subject: AIDS Trojan update
Message-ID: <8912191640.AA17039@uk.ac.crc>
Date: 19 Dec 89 16:40:57 GMT
Sender: daemon@genbank.BIO.NET
Lines: 617

This is a collection of 8 messages on VIRUS-L and other bulletin boards giving descriptions of the internals and *FREE FIXES* for the AIDS Trojan.

My apologies for clogging up the network to those of you who have not been hit by the AIDS Trojan, and to those who have already read these messages on other networks.

Gary Williams
Computing Services Section,                 Janet:       G.Williams@UK.AC.CRC
MRC-Clinical Research Centre,               Elsewhere:   G.Williams@CRC.AC.UK
Watford Rd, HARROW, Middx, HA1 3UJ, U.K.    EARN/Bitnet: G.Williams%CRC@UKACRL
Tel 01-869 3294  Fax 01-423 1275            Usenet:      ...!mcvax!ukc!mrccrc!G.Williams

==========================================================================

NATIONAL PUBLIC DOMAIN                          Micro Software Newsletter
SOFTWARE ARCHIVE AT LANCASTER                   Volume 6 Number 24   14/12/89
                                                Editor: Steve Jenkins
--------------------------------------------------------------------------------
Special Edition    TROJAN ALERT - "AIDS Information Diskette"
--------------------------------------------------------------------------------

From: National PD Software Archive
Date: Thu, 14 Dec 89 15:15:00 GMT
Subject: TROJAN ALERT - "AIDS Information Diskette"

This news got to us just too late for the last newsletter, so we've prepared this special edition. It's of relevance to IBM PC users only.

There are a large number of reports that a virus-infected disk has been sent out to people on the "PC Business World" mailing list (and maybe to others?). The disk is labelled "AIDS Information - Introductory Diskette Version 2.0" and claims to come from PC Cyborg Corporation.
There are a couple of sheets of information with it, one of which contains a long license agreement in small type. It states that you must pay a large amount of money to PC Cyborg Corporation; that they reserve the right to take program actions to stop unlicensed use of the program; and that your computer will "stop working normally" if you don't pay the fee.

If you do run the software, it apparently modifies some directories and modifies AUTOEXEC.BAT. On the 99th time the machine is booted subsequently, all the files on the disk are destroyed.

The moral would seem to be to approach this disk with extreme caution.

PC Business World have released an antidote to the virus (the contact there is Robert Walczy, 01-381-9252). It's available on NPDSA as

    micros/ibmpc/e421/e421aids.boo

- the program is supplied in good faith, but has not been used here. Source in QuickBASIC is included with the executable. The author of the program notes in the source that the AIDS disk does not appear to do any lasting damage (presumably if you catch it before the 100th reboot), and that the program satisfactorily makes repairs.
--------------------------------------------------------------------------------
To receive this Newsletter by electronic mail, send a request to us at one of:
  JANET : pdsoft@uk.ac.lancs.pdsoft
  PSS   : pdsoft @ 234223519191.JANET.00001040300096.FTP.MAIL
  BITNET: pdsoft%uk.ac.lancs.pdsoft@ukacrl
--------------------------------------------------------------------------------

----- Begin Included Message -----

>From davidf@uk.ac.hw.cs Thu Dec 14 17:51:59 1989
Via: uk.ac.crc; Thu, 14 Dec 89 17:51:56 GMT
Return-Path:
Via: heriot-watt.cs ; 14 Dec 1989 17:51:53-GMT
Received: from odin.cs.hw.ac.uk (odin) by brahma.cs.hw.ac.uk; Thu, 14 Dec 89 17:44:24 GMT
From: David.J.Ferbrache
Date: Thu, 14 Dec 89 17:42:59 GMT
Message-Id: <19645.8912141742@odin.cs.hw.ac.uk>
To: uk-virus-l@uk.ac.hw.cs.brahma
Subject: AIDS Trojan Horse Report
Sender: uk-virus-l-request@uk.ac.hw.cs
Status: RO

A summary report of the AIDS trojan horse is enclosed below; this was received from Sophos and is forwarded with permission.

- D.Ferbrache, VIRUS-l support -

AIDS Disk through the post

Report by Dr J Hruska, Sophos Ltd, 0844 292392
Compiled on Wednesday 13th December 1989, 22:30

Throughout the report $ means the non-printing hex character ff

1 Introduction

On 11th December some 7 thousand envelopes 135x135mm were posted in London, stamped first class (20p). They contain a 5 1/4" floppy disk marked "AIDS information version 2.00", and an instruction leaflet printed on blue paper with American spelling.

The instruction leaflet induces the user to insert the disk and install the package. The reverse of the leaflet has the license agreement which requests the user to send US dollars 189 for using the software. The agreement threatens unspecified action if that fee is not paid ("Most serious consequences may haunt you for the rest of your life; you will owe compensation ...")

The labels (36mm x 81mm) on the front of the envelopes are printed on a line-printer.
Some reports suggest that the mailing list was obtained from the PC Business World.

2 Installing the software

The disk contains two files; AIDS.EXE (172562 bytes 07-08-89 10:40am) and INSTALL.EXE (146188 bytes 28-09-89 4:28pm).

When INSTALL is run, it transfers AIDS.EXE to the hard disk, copies the original AUTOEXEC.BAT into AUTO.BAT, inserting a REM comment at the beginning ("PLEASE USE THIS FILE ... ") and creates another AUTOEXEC.BAT which contains a REM comment "PLEASE USE THE AUTO.BAT file ... " and invokes the AUTO.BAT file. Both AUTOEXEC.BAT and AUTO.BAT are marked read only.

Note that the REM comment in the AUTOEXEC.BAT file is preceded by the CD$ statement, where $ is the hex character FF. If this file is typed (and not dumped), it does not look unusual.

Dump of AUTOEXEC.BAT

65 63 68 6f 20 6f 66 66 0d 0a 43 4a 0d 0a 63 64   echo off ..C:..cd
5c ff 0d 0a 72 65 6d ff 20 50 4c 45 41 53 45 20   \...rem.  PLEASE 
55 53 45 20 54 48 45 20 61 75 74 6f 2e 62 61 74   USE THE  auto.bat
20 46 49 4c 45 20 49 4e 53 54 45 41 44 20 4f 46    FILE IN STEAD OF
20 61 75 74 6f 65 78 65 63 2e 62 61 74 20 46 4f    autoexe c.bat FO
52 20 43 4f 4e 56 45 4e 49 45 4e 43 45 20 ff 0d   R CONVEN IENCE ..
0a 61 75 74 6f 2e 62 61 74 0d 0a 1a               .auto.ba t...

Two hidden directories ($ and $$$ $$$ where $ is Hex ff) are created.

The first subdirectory ($) contains a REM$.EXE ($ is Hex ff) which is a copy of INSTALL.EXE from the floppy disk.

The second subdirectory ($$$ $$$) contains a subdirectory $$ $$$$ which contains a subdirectory $$$$ $$ which contains:

  ERROR IN.THE    Directory (empty)
  and files of 7, 6, 50401, 1 and 18 bytes

As part of the installation the user is asked to switch the printer on and an 'invoice' is printed, bearing the "Important reference numbers", A32988-1922662 in the case of the examined disk. These reference numbers are randomly generated values and vary from installation to installation - the floppy disk is written to during installation.
The invoice gives the address in Panama where payment should be sent "PC Cyborg Corporation, PO Box 87-17-44, Panama 7, Panama".

3 RUNNING AIDS.EXE

When AIDS.EXE is run it appears to be a legitimate program giving information on AIDS and assessing the user's risk group after asking him/her to fill in a questionnaire.

4 INVESTIGATING THE SOFTWARE FOR SIDE EFFECTS

The program AIDS.EXE was examined for the presence of known viruses and none were found. All files on the hard disk were checksummed before running AIDS.EXE, the package was run and checksums rechecked. Nothing changed.

Things do change when AUTOEXEC.BAT is executed. A counter in the second subdirectory is incremented every time AUTOEXEC.BAT is executed. When the system has been bootstrapped approximately 100 times (ie REM$ - see above) the damage sequence occurs. (Virus Bulletin report this value to be highly variable)

"Please wait 30 minutes during this operation. WARNING- do not turn off the computer because you will damage the files on the hard disk drive. You will receive more information later". On the test machine this took some 5 minutes.

"Sorry for the long delay .. still processing ... please wait" is displayed for 2 minutes.

"Please wait during this operation. Warning, do not turn off the computer while the hard disk is working. A flashing hard disk access light means; WAIT!". This goes on seemingly indefinitely (I waited 30 minutes), while the disk heads seem to repeat the same movement.

When this operation was aborted, the hard disk directory file names were completely scrambled and marked hidden. The only non-hidden file was CYBORG.DOC which is reproduced below:

If you are reading this message, then your software lease from PC Cyborg corporation has expired. Renew the software lease before using this computer again. Warning: do not attempt to use this computer until you have renewed your software lease. Use the information below for renewal.
Dear Customer:

It is time to pay for your software lease from PC Cyborg corporation. Complete the INVOICE and attach payment for the lease option of your choice. If you don't use the printed invoice, then be sure to refer to the important reference numbers below in all correspondence.

In return you will receive: a renewal software package with easy to follow, complete instructions; an automatic, self-installing diskette that anyone can apply in minutes.

The price of 365 user applications is US$189. The price of a lease for the lifetime of your hard disk is US$378. You must enclose a bankers draft, cashiers check or international money order payable to PC CYBORG CORPORATION for the full amount of $189 or $378 with your order. Include your name, company, address, city, state, country, zip or postal code. Mail your order to PC Cyborg Corporation, PO Box 87-17-44, Panama 7, Panama.

6 DEALING WITH THE PROBLEM IF YOU HAVE INSTALLED THE SOFTWARE

It is unlikely that you will have reached the trigger point (bootstrapping the computer 100 or so times), so your disk is still safe, BUT YOU MUST ACT IMMEDIATELY. Do not attempt the following unless you know how to use the appropriate tools.

The most important thing is to remove the counter incrementing statements in AUTOEXEC.BAT and AUTO.BAT. First remove the read only attributes from the files AUTOEXEC.BAT and AUTO.BAT. Delete AUTOEXEC.BAT and rename AUTO.BAT as your old AUTOEXEC.BAT. Remove the first 3 lines of AUTOEXEC.BAT to restore it to the previous form. Remove AIDS.EXE from the root directory. You have now removed the incrementing code and can worry about removing the rest later.

Enter the first subdirectory and remove REM$.EXE, exit the directory and remove it. Enter the second subdirectory, remove read only attributes from all files and remove the files and ERROR IN.THE subdirectory. Step one directory back and remove (the now empty) subdirectories. Repeat until root is reached.
If the above removal procedure does not make sense, please seek help. Do not use your computer until you do, and only bootstrap it from a floppy disk.

Sophos Ltd, Haddenham, Aylesbury, HP17 8JD
0844-292392

------------------------------------------------------------------------------
Dave Ferbrache                          Internet
Dept of computer science                Janet
Heriot-Watt University                  UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                          Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom               Facsimile  +44 31-220-4277
EH1 2HJ                                 BIX/CIX    dferbrache
------------------------------------------------------------------------------

----- Begin Included Message -----

Date: Wed, 13 Dec 89 16:09:36 +0000
From: Alan Jay
Subject: Re: AIDS DISK UPDATE (I)

AIDS INFORMATION DISK
=====================

The latest on this is as follows:

If you have run this disk contact ROBERT WALCZY at PC Business World on 01-831 9252; they have a FREE disk that combats the effects of the disk and they will send a copy to users affected. Either call Robert or FAX him on 01-405 2347 with your name and address. The disk should be available in the next day or two.

The program will be available on CONNECT (01-863 6646) for download as soon as it has been tested.

=======================================================================

The AIDS disk when installed creates a number of hidden files and directories. You can remove these files by running the program mentioned above or by using the Norton Utilities, PC Tools or equivalent program.

The files that are hidden include a new AUTOEXEC.BAT and a number of other files and directories that contain characters that cannot be accessed by standard DOS commands. You will need to rename the files/directories before they can be deleted.

This information will be updated as we learn more about the disk.

Alan Jay -- The IBM PC User Group -- 01-863 1191.
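The persistence trick the Sophos report and Alan Jay's note describe above, a CD and a REM command whose names carry a trailing non-printing hex FF byte so that TYPE shows an innocent file, is easy to check for once you dump bytes instead of characters. The following is an added example written for this digest, not code from the posting, from Sophos, from PC Business World or from any of the fix programs mentioned. The AUTOEXEC.BAT bytes in it are constructed, modelled on the layout of the report's dump rather than copied from it; rendering FF as a blank in the "looks like" view is an assumption about how the screen showed it.

```python
"""Detect the hidden-0xFF AUTOEXEC.BAT pattern and undeletable directory
names described in the AIDS Trojan reports.  Added example, not from the
original posting; works on byte strings, so it runs offline on any machine."""

# Constructed sample (not the report's exact bytes): CD into the one-byte
# directory "\<FF>", run REM<FF>.EXE disguised as a remark, chain to AUTO.BAT.
SAMPLE_AUTOEXEC = (
    b"echo off\r\n"
    b"C:\r\n"
    b"cd \\\xff\r\n"
    b"rem\xff PLEASE USE THE auto.bat FILE INSTEAD OF autoexec.bat FOR CONVENIENCE \xff\r\n"
    b"auto.bat\r\n"
    b"\x1a"                      # DOS end-of-file marker (^Z)
)

# Constructed clean file for comparison.
CLEAN_AUTOEXEC = b"echo off\r\nC:\r\ncd \\\r\nrem start-up\r\nauto.bat\r\n"


def hex_dump(data: bytes, width: int = 16) -> str:
    """Hex-and-ASCII dump in the style of the report; bytes outside printable
    ASCII (0xFF included) appear as '.' in the right-hand column."""
    out = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        out.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(out)


def as_typed(line: bytes) -> str:
    """What TYPE would show.  Assumption: 0xFF renders as a blank, which is
    why 'cd \\<FF>' passes for 'cd \\'."""
    return line.replace(b"\xff", b" ").decode("ascii", errors="replace")


def split_dos_lines(data: bytes) -> list:
    """Split a batch file on CR/LF, ignoring anything after the ^Z marker."""
    body = data.split(b"\x1a", 1)[0]
    return [ln for ln in body.replace(b"\r\n", b"\n").split(b"\n") if ln]


def find_suspicious_lines(data: bytes) -> list:
    """Return (line_no, reason, line) for lines containing bytes a user can
    neither see nor type: 0x80-0xFF, or control bytes other than TAB.  A CD
    or REM line with an embedded 0xFF is named as the pattern in the report."""
    findings = []
    for n, line in enumerate(split_dos_lines(data), start=1):
        hidden = {b for b in line if b >= 0x80 or (b < 0x20 and b != 0x09)}
        if not hidden:
            continue
        lowered = line.lower()
        if b"\xff" in line and (lowered.startswith(b"cd") or lowered.startswith(b"rem")):
            reason = "CD/REM with hidden 0xFF in path or command name"
        else:
            reason = "non-printing bytes " + ",".join(f"0x{b:02x}" for b in sorted(hidden))
        findings.append((n, reason, line))
    return findings


def suspicious_names(names: list) -> list:
    """Flag directory entries that standard DOS commands cannot address:
    names containing high or control bytes, or an embedded space (the
    report's '<FF><FF><FF> <FF><FF><FF>' and 'ERROR IN.THE' entries)."""
    return [
        name for name in names
        if any(b >= 0x80 or b < 0x20 for b in name) or b" " in name
    ]


if __name__ == "__main__":
    print(hex_dump(SAMPLE_AUTOEXEC))
    for n, reason, line in find_suspicious_lines(SAMPLE_AUTOEXEC):
        print(f"line {n}: {reason}")
        print(f"  looks like : {as_typed(line)!r}")
        print(f"  really is  : {line!r}")
    print("clean file findings:", find_suspicious_lines(CLEAN_AUTOEXEC))
    print(suspicious_names([b"AIDS.EXE", b"\xff", b"\xff\xff\xff \xff\xff\xff", b"ERROR IN.THE"]))
```

To use it on a real file, read AUTOEXEC.BAT in binary mode (`open(path, "rb").read()`) and pass the bytes to `find_suspicious_lines`; the point of the byte-level check is that any text-mode view, like TYPE, is exactly what the trojan was designed to fool.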
------------------------------

Date: Wed, 13 Dec 89 18:26:57 +0000
From: Alan Jay
Subject: Re: AIDS -- UPDATE II -- What can you do.

AIDS INFORMATION DISK
=====================

Update 2 13-Dec-1989 6pm

IF you have not run this disk DO NOT INSTALL it; it appears to be a very cleverly written TROJAN program that can be activated by a number of methods. Currently the activation method that has been detected uses a counter of the number of system reboots. When the counter gets to 90 the system goes into a second phase and encrypts files and directories on your hard disk.

The program appears to have a number of embellishments that make one think that the front door we have been shown MAY not be the only method that the system uses for deciding when to activate.

This is a very nasty program and the only 100% safe thing to do is to backup all DATA files and perform a full reformat of your hard disk, followed by a reinstallation of all DATA, from your backup, and programs from original system disks (or backup prior to installing this software). This should only be attempted once at least TWO copies of all valuable data have been extracted from the system. Please remember to boot your system off an original DOS disk before starting this procedure.

Full details of the suggested procedure will be posted tomorrow.

Alan Jay

Readers who do not wish to follow this route may be interested in the following information about the primary activation system.

1) A hidden 'AUTOEXEC.BAT' file contains

       CD \
       REM

   it then runs your AUTOEXEC.BAT which the program renamed AUTO.BAT

2) A hidden subdirectory contains a file REM.EXE

Each time the system is booted the program is run and the counter incremented/decremented. After 90 activations the system enters phase TWO.

Please note that the system uses the character 'hi space' in the file names to stop standard DOS procedures acting on these files.
IT MAY be possible to delete these entries and thereby disable the program; this is NOT certain and it will take several months to discover if this is a safe course of events to take.

I hope that this information helps. I also understand that this is in the hands of the Fraud Squad / Computer Crime Division of the Metropolitan Police. If you have any further information I am sure that they would be interested to hear from you.

Alan Jay -- IBM PC User Group - 01-863 1191

------------------------------

Date: Wed, 13 Dec 89 16:58:52 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: AIDS Trojan Update (PC)

This is a forward from John McAfee:

A lot more has been discovered about the AIDS Information Trojan in the past 24 hours. First, the diskette does not contain a virus. The install program does initiate a counter, and based on a seemingly random number of re-boots, the trojan will activate and destroy all data on the hard disk. The diskette was mailed to at least 7,000 corporations, based on information obtained from CW communications - one of the magazine mailing label houses used by the perpetrators. The perpetrator's initial investment in disks, printing and mailing is well in excess of $158,000 according to a Chase Manhattan Bank estimate that was quoted in a PC Business World press release from London. The bogus company that sent the diskettes had rented office space in Bond Street in London under the name of Ketema and Associates. The perpetrators told the magazine label companies that they contacted that they were preparing an advertising mailer for a commercial software package from Nigeria. All offices had been vacated at the time of the mailing, and all addresses in the software and documentation are bogus.

The Trojan creates several hidden subdirectories -- made up of space and ASCII 255's -- in the root of drive C. The install program is copied into one of these and named REM.EXE. The user's original AUTOEXEC.BAT file is copied to a file called AUTO.BAT.
The first line of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for convenience". The installation also creates a hidden AUTOEXEC.BAT file that contains the commands:

     C:
     CD \
     REM Use this file in place of AUTOEXEC.BAT
     AUTO

The CD \ actually contains ASCII characters 255, which causes the directory to change to one of the hidden directories containing the REM.EXE file. The REM file is then executed and decrements a counter at each reboot. After a random number of reboots, the hard disk is wiped clean. Definitely a new approach.

So far the mailings appear to be limited to western Europe. No reports have been received from the U.S. If anyone does have the diskette, or has already run the install program, a disinfector has been written by Jim Bates and is available on HomeBase for free download. 408 988 4004. The name of the disinfector is AIDSOUT.COM.

John McAfee

----- Begin Included Message -----

Date: Thu, 14 Dec 89 11:14:39 +0000
From: Alan Jay
Subject: AIDS disk information (PC)

The following, written by Alan Solomon, gives details of the AIDS Information Disk sent out by PC-CYBORG and gives a method for restoring your disk to its former state. Remember if you have not run this disk DO NOT run it.

This information is believed to be correct BUT the program appears to be very clever and therefore we suggest that you must be very careful in carrying out any of the following instructions.

Alan Jay -- IBM PC User Group -- 01-863 1191

PRELIMINARY INFORMATION ON THE "AIDS" DISKETTE FROM PC CYBORG CORPORATION.

This is bulletin number AS/3

You will probably have read in the press about the AIDS diskette, a diskette that was mailed out to a great many subscribers to PC Business World (through absolutely no fault of the magazine's). This diskette is a trojan - DO NOT RUN IT. It is a diskette that was sent through the post, unsolicited, and claiming to be a program that gave you useful information about the AIDS disease.
The accompanying licence was a bit suspicious, so many people didn't run it (it threatened to do dire things to your computer if you didn't pay for the software).

We've done a preliminary analysis on it, and it works like this. If you run the INSTALL program, it creates two subdirectories with "impossible" names on the hard disk - one of these has a one-character name, and that character is [Alt-255] (hexadecimal FF). In that subdirectory, it puts a program called REM[Alt-255].EXE. The [Alt-255] character is invisible. It copies your AUTOEXEC to a file called AUTO.BAT, and puts an Echo off and a REM statement in front. It creates a new AUTOEXEC.BAT file, and makes it hidden and readonly. In that AUTOEXEC, it does a "CD \[Alt-255]" and then "REM[Alt-255]" followed by a plausible-looking remark.

After you run the AUTOEXEC, and therefore the REM[Alt-255] program, a number of times (we triggered it with 90, but this is only a preliminary result, and it may be triggerable with fewer or more), the damage routine is triggered. This would usually happen when the machine has been booted that many times. A series of messages are put up on the screen, aimed at persuading you not to switch off, and the trojan then encrypts your directory and makes all the files hidden except one called CYBORG.DOC. If you then boot from the hard disk, it tells you that a software licence has expired, and tells you to renew it - another request for money.

If you do a Ctrl-Alt-Del, it fakes a reboot, and pretends to be running the Dos prompt - actually, a program is now running which fakes Dos. If you do a DIR, it shows you the unencrypted filenames, followed by a warning not to use the computer. It tells you that you must renew the lease in the software. Any other command, it also fakes a response to, and shows you the same message.

It also has a routine that could be called the SHARE routine.
When this runs, it tells you that you can have 30 more applications of the program if you follow its instructions. It tells you to put a blank formatted floppy in drive A, and it then copies files onto it. Then you are asked to put the diskette in another computer and type A:SHARE. We're still pursuing this path.

It may also do other damage - we're still investigating, but what we've found so far is enough to make me want to issue an urgent warning.

If you've already installed it, remove it. You can do this temporarily by making the AUTOEXEC.BAT file (in the root directory) read/write, and non-hidden, which you can do using one of a number of utilities. Then delete the AUTOEXEC.BAT. This disables the trojan lines that the install program put in. This APPEARS to deal with the trojan, but since there is a lot of deep stuff going on, we would not assume that it actually does fully deal with it.

Our recommendation at this point in time is based on the fact that this thing is doing some pretty deep work on the disk, and since it contains a lot of code, it will be a long time before it is completely understood. So as of now, our suggestion is:

First, switch off the computer, put a known CLEAN DOS diskette in drive A, and switch on again. This makes sure that the trojan has no control. Back up all your data files using a file-by-file backup. Format the disk, reload all your executables from known clean diskettes, and restore the data files. You should take two backups, in case the first one fails to restore.

If you haven't installed it, don't, and tell everyone else not to.

The police have been brought into this case; if you wish to make a formal complaint to the Computer crime unit, please contact Detective Sergeant Donovan on 01-725 2434. Also, contact him if you have any useful information.

If you want more information about this trojan, it will be covered in full in Virus Fax International - please call if you want to know more about this.
Please note that the information has been got out as quickly as possible, and is therefore subject to change in the details.

ALAN SOLOMON

------------------------------

Date: Thu, 14 Dec 89 13:31:49 +0000
From: Martin Ward
Subject: Re AIDS disk (PC)

I feel that I should point out that the effects of this disk are entirely in accordance with the standard warranty used by most commercial software developers (the ones which disclaim that the programs are fit for any purpose at all, that XXX disclaims all responsibility for any damage or loss caused etc.) Either these warranties are ILLEGAL or the perpetrators of this disk are entirely within their legal rights to do what they have done. Does anyone (eg a lawyer) know which is the case?

Martin.

My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU
OR: martin%uk.ac.dur.easby@nfsnet-relay.ac.uk
UUCP: ...!mcvax!ukc!easby!martin
JANET: martin@uk.ac.dur.easby
BITNET: martin%dur.easby@ac.uk

------------------------------

Date: Thu, 14 Dec 89 18:02:03 +0000
From: Matthew Moore
Subject: Re: Update on AIDS Trojan (PC)

This afternoon I was one of a small team which successfully tracked down the method of invocation of the Aids trojan, on a pc clone which was infected, but not devastated.

Definition : <255> = the ascii character 255, aka hex FF

The program is called: rem<255>.exe (ie 4 char filename which shows as 3)
It resides in a hidden directory called: \<255> (ie a 1 char filename)

It is invoked by two lines in the autoexec.bat file :-

    cd \<255>                  (which of course usually looks like : cd \ )
    rem<255> some statement    (which looks like : rem some statement)

There are two additional features worth noting:-

i) there is another root level hidden directory, also using a nonprintable character (I don't know which), containing further hidden subdirectories to four levels down, and at the bottom are files which appear to contain data from elsewhere on the disk, and sundry other info.
ii) there is a red herring in the autoexec.bat file. Underneath the two statements listed above, the line 'auto.bat' followed by an EOF (^Z). The file \auto.bat contains the original autoexec.bat

Presumably, it would be stopped by removing or renaming \<255>\rem<255>.exe and reverting to a clean autoexec.bat. (Corrections to this presumption welcome!)

- --
mjm@cu.neur.lon.ac.uk               | Post: Computing & Statistics Unit
JANET   : mjm@uk.ac.lon.neur.cu     |       Institute of Neurology
INTERNET: try mjm%cu.neur.lon.ac.uk |       Queen Square, London, WC1
Phone   : 01-837-5141               |       London WC1 3BG

=========================================================================

End of AIDS Trojan update.

Gary Williams
Computing Services Section,                 Janet:       G.Williams@UK.AC.CRC
MRC-Clinical Research Centre,               Elsewhere:   G.Williams@CRC.AC.UK
Watford Rd, HARROW, Middx, HA1 3UJ, U.K.    EARN/Bitnet: G.Williams%CRC@UKACRL
Tel 01-869 3294  Fax 01-423 1275            Usenet:      ...!mcvax!ukc!mrccrc!G.Williams