Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!cs.utexas.edu!wuarchive!brutus.cs.uiuc.edu!apple!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: teexmmo@isis.educ.lon.ac.uk (Matthew Moore)
Newsgroups: comp.virus
Subject: Re: Update on AIDS Trojan (PC)
Message-ID: <0005.8912181735.AA25789@ge.sei.cmu.edu>
Date: 14 Dec 89 18:02:03 GMT
Sender: Virus Discussion List
Lines: 39
Approved: krvw@sei.cmu.edu

This afternoon I was one of a small team which successfully tracked down
the method of invocation of the AIDS trojan, on a PC clone which was
infected, but not devastated.

Definition: <255> = the ASCII character 255, aka hex FF

The program is called:

    rem<255>.exe     (i.e. a 4 char filename which shows as 3)

It resides in a hidden directory called:

    \<255>           (i.e. a 1 char filename)

It is invoked by two lines in the autoexec.bat file:

    cd \<255>                (which of course usually looks like: cd \ )
    rem<255> some statement  (which looks like: rem some statement)

There are two additional features worth noting:

i)  there is another root level hidden directory, also using a
    nonprintable character (I don't know which), containing further
    hidden subdirectories to four levels down, and at the bottom are
    files which appear to contain data from elsewhere on the disk, and
    sundry other info.

ii) there is a red herring in the autoexec.bat file. Underneath the two
    statements listed above, the line 'auto.bat' followed by an EOF (^Z).
    The file \auto.bat contains the original autoexec.bat.

Presumably, it would be stopped by removing or renaming
\<255>\rem<255>.exe and reverting to a clean autoexec.bat.
(Corrections to this presumption welcome!)

- --
mjm@cu.neur.lon.ac.uk               | Post: Computing & Statistics Unit
JANET   : mjm@uk.ac.lon.neur.cu     | Institute of Neurology
INTERNET: try mjm%cu.neur.lon.ac.uk | Queen Square, London, WC1
Phone   : 01-837-5141               | London WC1 3BG
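As an added example (not code from the post or from the team it describes), a small Python checker that looks for the two indicators the post reports: autoexec.bat lines carrying a non-printable byte such as 0xFF in a path or command name, a ^Z (EOF) marker in the file, and directory or file names built from invisible bytes. The sample autoexec.bat bytes and root listing are constructed to mirror the post; which byte ranges count as "invisible" is this example's own assumption.

```python
# Added example, not from the original post: flag the indicators described
# above in an autoexec.bat and in a directory listing. Sample data is constructed.
from dataclasses import dataclass
from typing import List

EOF_BYTE = 0x1A  # DOS ^Z; TYPE-style viewers stop showing text at this byte

def _is_invisible(b: int) -> bool:
    # Assumption: bytes outside printable ASCII (tab/CR/LF excepted) show as
    # blank or nothing on a DOS screen, so "cd \<255>" reads as "cd \".
    return (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b >= 0x7F

def _visible(raw: bytes) -> str:
    return "".join(chr(b) for b in raw if not _is_invisible(b))

@dataclass
class Finding:
    line_no: int
    kind: str       # "nonprintable" or "eof-marker"
    shown_as: str   # what the line looks like on screen
    raw_hex: str    # what is actually there

def scan_autoexec(data: bytes) -> List[Finding]:
    """Report lines hiding non-printable bytes and any embedded ^Z marker."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        raw = raw.rstrip(b"\r")
        if EOF_BYTE in raw:
            findings.append(Finding(line_no, "eof-marker", _visible(raw), raw.hex()))
        if any(_is_invisible(b) and b != EOF_BYTE for b in raw):
            findings.append(Finding(line_no, "nonprintable", _visible(raw), raw.hex()))
    return findings

def flag_names(names: List[bytes]) -> List[str]:
    """Hex of directory/file names that contain invisible bytes (e.g. \\<255>)."""
    return [n.hex() for n in names if any(_is_invisible(b) for b in n)]

# Constructed autoexec.bat mirroring the post: the two hidden lines, then the
# "auto.bat" red herring followed by ^Z.
SAMPLE_AUTOEXEC = (b"@ECHO OFF\r\nPATH C:\\DOS\r\ncd \\\xff\r\n"
                   b"rem\xff some statement\r\nauto.bat\r\n\x1a")
# Constructed root listing: the hidden <255> directory and REM<255>.EXE.
SAMPLE_NAMES = [b"AUTOEXEC.BAT", b"DOS", b"\xff", b"REM\xff.EXE"]

if __name__ == "__main__":
    for f in scan_autoexec(SAMPLE_AUTOEXEC):
        print(f"line {f.line_no}: {f.kind:12} shown as {f.shown_as!r:24} bytes {f.raw_hex}")
    print("suspicious names (hex):", flag_names(SAMPLE_NAMES))
```

On a real disk, read autoexec.bat with `open(path, "rb")` and pass `os.listdir` results as bytes, since the hidden names are not valid text.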