Computer Virus "AIDS" Trojan
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
=== Computer Virus Catalog 1.2: "AIDS" Trojan (10-February-1991) =====
Entry...............: "AIDS" Trojan
Alias(es)...........: PC Cyborg Trojan
Trojan Strain.......: ---
Trojan detected when: December 1989
where.: USA, Europe
Classification......: Trojan Horse
Carrier of Trojan...: A hidden file named REM<255> of 146188 bytes;
(<255> represents the character ASCII(255));
distributed with AIDS.EXE as INSTALL.EXE file
on AIDS Information Disk of PC Cyborg, Panama
-------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS, PC-Dos
Version/Release.....: ---
Computer model(s)...: IBM PC, XT, AT and compatibles
-------------------- Attributes --------------------------------------
Easy Identification.: The string "rem<255> PLEASE USE THE auto.bat
FILE INSTEAD OF autoexec.bat FOR CONVENIENCE
<255>" can be found in AUTOEXEC.BAT
Installation Trigger: Installing the "AIDS Information Diskette" on
hard disk drive C.
Storage media affected: Free space on Partition C:, all directories
Interrupts Hooked...: ---
Damage..............: Permanent damage: All directory entry names are
encrypted by a simple substitution algorithm:
A -> } , B -> U , C -> _ , D -> @ , E -> 8 , F -> ! , G -> ' ,
H -> Q , I -> # , J -> D , K -> A , L -> P , M -> C , N -> 1 ,
O -> R , P -> X , Q -> Z , R -> H , S -> & , T -> 6 , U -> G ,
V -> 0 , W -> K , X -> V , Y -> N , Z -> I , # -> C , ! -> S ,
' -> $ , ^ -> ~ , _ -> 0 , $ -> 3 , 0 -> R , 1 -> F , 2 -> Y ,
3 -> { , 4 -> J , 5 -> E , 6 -> T , 7 -> ) , 8 -> M , 9 -> - ,
@ -> L , ~ -> ^ , & -> 7 , } -> 5 , { -> 4 , ) -> % , ( -> B ,
- -> 2 , % -> W
Moreover, 90 extensions known to the program
are changed to the following extensions, each
consisting of one blank plus two letters:
COM -> AK , BAK -> AD , EXE -> AU , PRG -> BR , BAT -> AG , DBF -> AN
DOC -> AR , WK1 -> CC , DRW -> DI , NDX -> BK , DRV -> CI , BAS -> AF
OVR -> BN , FNT -> AW , ZBA -> CH , SYS -> BZ , FLB -> DJ , FRM -> AX
DAT -> AL , LRL -> CJ , OVL -> BM , HLP -> BA , PIC -> DK , XLT -> CF
MNU -> BI , TXT -> CB , CAL -> CK , FON -> CL , SPL -> CM , PAT -> DL
MAC -> CN , STY -> BY , VFN -> DM , TST -> CO , GEM -> DN , FIL -> AV
DEM -> AP , REN -> DO , IMG -> DP , RSC -> DQ , MSG -> BJ , MEM -> DR
REC -> BX , GLY -> AZ , CMP -> BI , LGO -> CP , DCT -> AO , GRB -> CQ
CNF -> AJ , INI -> BB , GRA -> CR , DB -> AM , DTA -> CS , APP -> AC
CAT -> AH , DIR -> AQ , DVC -> AS , DYN -> AT , INP -> BC , LBR -> BD
LOC -> BF , MMF -> BH , OUT -> BL , PGG -> BO , PIF -> BP , PRD -> BQ
PRN -> BS , SCR -> BU , SET -> BV , SK -> BW , ST -> BX , TAL -> CA
WK2 -> CD , WKS -> CE , XQT -> CG , $$$ -> CT , VC -> CU , TMP -> CV
PAS -> CW , QBJ -> CX , MAP -> CY , LST -> CZ , LIB -> DA , ASM -> DB
BLD -> DC , COB -> DD , DIF -> DH , FMT -> DG , MDF -> BG , FOR -> DF
The free space on partition C is filled with a
file containing a number of strings consisting
of blanks followed by CR/LF. Every time the
computer boots, a COMMAND.COM is simulated.
Almost all commands are answered with an error
message; DIR still shows the directory names as
they were before encryption.
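Added example, not part of the VTC entry or of PC Cyborg's code: the directory-name substitution table above and the AUTOEXEC.BAT identification string, written up as a small Python recovery and triage aid. It shows that the printed table is not one-to-one (three cipher characters each stand for two possible plaintext characters), so some names can only be recovered as a candidate list; sample inputs are constructed, and the extension table is not reproduced.

```python
# Added example, not from the catalog entry: directory-name substitution
# table from the entry plus the AUTOEXEC.BAT marker check, as a small
# recovery/triage aid. Sample inputs below are constructed.
import itertools

# Substitution table exactly as printed in the catalog ("plain cipher" pairs).
TABLE = """A } B U C _ D @ E 8 F ! G ' H Q I # J D K A L P M C N 1 O R P X Q Z
R H S & T 6 U G V 0 W K X V Y N Z I # C ! S ' $ ^ ~ _ 0 $ 3 0 R 1 F 2 Y
3 { 4 J 5 E 6 T 7 ) 8 M 9 - @ L ~ ^ & 7 } 5 { 4 ) % ( B - 2 % W"""
_tok = TABLE.split()
ENCODE = dict(zip(_tok[0::2], _tok[1::2]))          # plain -> cipher
DECODE: dict[str, list[str]] = {}                   # cipher -> plain(s)
for _p, _c in ENCODE.items():
    DECODE.setdefault(_c, []).append(_p)

# "Easy Identification" string from the entry; <255> is the raw byte 0xFF,
# so AUTOEXEC.BAT must be examined as bytes, not as decoded text.
AUTOEXEC_MARKER = b"rem\xff PLEASE USE THE auto.bat FILE INSTEAD OF autoexec.bat"


def has_autoexec_marker(data: bytes) -> bool:
    """True if the catalog's identification string is present in the file."""
    return AUTOEXEC_MARKER in data


def encrypt_name(name: str) -> str:
    """Apply the table to the name part of a DOS entry; unmapped chars pass through."""
    return "".join(ENCODE.get(ch, ch) for ch in name.upper())


def ambiguous_cipher_chars() -> dict[str, list[str]]:
    """Cipher characters the printed table maps two plaintext characters onto."""
    return {c: sorted(p) for c, p in DECODE.items() if len(p) > 1}


def decrypt_candidates(enc: str) -> list[str]:
    """Every plaintext consistent with the table, most letter-like first."""
    options = [DECODE.get(ch, [ch]) for ch in enc]
    cands = ["".join(t) for t in itertools.product(*options)]
    return sorted(cands, key=lambda s: -sum(ch.isalpha() for ch in s))


if __name__ == "__main__":
    # Constructed sample: the entry for COMMAND after the trojan renamed it.
    enc = encrypt_name("COMMAND")
    print(enc, decrypt_candidates(enc)[0], ambiguous_cipher_chars())
    print(has_autoexec_marker(b"@echo off\r\n" + AUTOEXEC_MARKER + b"\r\n"))
```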
Damage..............: Transient damages: from time to time, the
following message is displayed:
"It is time to pay for your software lease from PC Cyborg
Corporation. Complete the INVOICE and attach payment for the lease
option of your choice. If you don't use the printed INVOICE, then be
sure to refer to the important reference numbers below in all
correspondence.
In return you will receive:
- a renewal software package with easy to follow,
complete instructions;
- an automatic, self installing diskette
that anyone can apply in minutes."
Damage Trigger......: Booting the system 90 times (9 in some cases)
Particularities.....: AIDS.EXE will only run after installation on
drive C.
Some hidden directories are created containing
hidden subdirectories and some files which are
used by the trojan; filenames contain blanks and
can't be accessed via COMMAND.COM. AIDS.EXE and
INSTALL.EXE have been written in Microsoft
QuickBASIC 3.0; according to VTC's retroanalysis,
the program and the encryption method are of
moderate quality; moreover, the dialog as well
as the function to evaluate the personal risk of
an AIDS infection are rather primitive.
-------------------- Acknowledgement --------------------------------
Location............: Virus Test Center,
University Hamburg, Germany
Classification by...: Ronald Greinke, Uwe Ellermann
Documentation by....: Ronald Greinke
Date................: 10-February-1991
==================== End of AIDS Trojan =============================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++ ends +++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++