Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: microsoft!alonzo@uunet.uu.net
Newsgroups: comp.virus
Subject: Re: AIDS TROJAN RESEARCH
Message-ID: <0003.9001021304.AA00688@ge.sei.cmu.edu>
Date: 2 Jan 90 14:18:51 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

> AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989
>
> First, let us say for the record that everything reported so far by
> Mr. McAfee is correct. Our tests bear out the results he has obtained.
>
> A form of public key encryption is then used to perform the actual
> encryption. This was determined by the brute force decryption method.
> SWE has several 80486's and access to a VAX and they were put to work
> decrypting the files. It was made easier by the fact that the original
> contents of the test disk were known. One nasty little trick the AIDS
> "trojan" uses is that after each file is encrypted the encryption key
> is modified slightly.

Can either of you shed some light on the above message? It contains
serious contradictions with both itself and the statements of Mr. McAfee
with whom it purports to agree.

The comments about DES and public key encryption contained in the above
message are extremely confused. All indication is that the AIDS trojan
does simple substitutions on file names. The above message claims that
the entire disk is encrypted with a public key encryption scheme.

My conclusion is that this message was not posted in good faith. The
last thing anyone needs is this kind of purposeful misinformation. This
conclusion is supported by the claim that the so-called SWE company has
moved and "returned" their sample disks to the owners.

By associating yourselves with this nonsense, you have seriously
impaired your reputations.

sincerely,

Alonzo Gariepy
alonzo@microsoft