-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
- === Computer Virus Catalog 1.2: "AIDS" Trojan (10-February-1991) =====
- Entry...............: "AIDS" Trojan
- Alias(es)...........: PC Cyborg Trojan
- Trojan Strain.......: ---
- Trojan detected when: December 1989
- where.: USA, Europe
- Classification......: Trojan Horse
- Carrier of Trojan...: A hidden file named REM<255> of 146188 bytes;
- (<255> represents the character ASCII(255));
- distributed with AIDS.EXE as INSTALL.EXE file
- on AIDS Information Disk of PC Cyborg, Panama
- -------------------- Preconditions -----------------------------------
- Operating System(s).: MS-DOS, PC-DOS
- Version/Release.....: ---
- Computer model(s)...: IBM PC, XT, AT and compatibles
- -------------------- Attributes --------------------------------------
- Easy Identification.: The string "rem<255> PLEASE USE THE auto.bat
- FILE INSTEAD OF autoexec.bat FOR CONVENIENCE
- <255>" can be found in AUTOEXEC.BAT
- Installation Trigger: Installing the "AIDS Information Diskette" on
- hard disk drive C.
- Storage media affected: Free space on Partition C:, all directories
- Interrupts Hooked...: ---
- Damage..............: Permanent damage: All directory entry names are
- encrypted by a simple encryption algorithm:
- A -> } , B -> U , C -> _ , D -> @ , E -> 8 , F -> ! , G -> ' ,
- H -> Q , I -> # , J -> D , K -> A , L -> P , M -> C , N -> 1 ,
- O -> R , P -> X , Q -> Z , R -> H , S -> & , T -> 6 , U -> G ,
- V -> 0 , W -> K , X -> V , Y -> N , Z -> I , # -> C , ! -> S ,
- ' -> $ , ^ -> ~ , _ -> 0 , $ -> 3 , 0 -> R , 1 -> F , 2 -> Y ,
- 3 -> { , 4 -> J , 5 -> E , 6 -> T , 7 -> ) , 8 -> M , 9 -> - ,
- @ -> L , ~ -> ^ , & -> 7 , } -> 5 , { -> 4 , ) -> % , ( -> B ,
- - -> 2 , % -> W
-
- Moreover, 90 extensions known to the program
- are changed to the following extensions each
- consisting of one blank plus 2 letters:
-
- COM -> AK , BAK -> AD , EXE -> AU , PRG -> BR , BAT -> AG , DBF -> AN
- DOC -> AR , WK1 -> CC , DRW -> DI , NDX -> BK , DRV -> CI , BAS -> AF
- OVR -> BN , FNT -> AW , ZBA -> CH , SYS -> BZ , FLB -> DJ , FRM -> AX
- DAT -> AL , LRL -> CJ , OVL -> BM , HLP -> BA , PIC -> DK , XLT -> CF
- MNU -> BI , TXT -> CB , CAL -> CK , FON -> CL , SPL -> CM , PAT -> DL
- MAC -> CN , STY -> BY , VFN -> DM , TST -> CO , GEM -> DN , FIL -> AV
- DEM -> AP , REN -> DO , IMG -> DP , RSC -> DQ , MSG -> BJ , MEM -> DR
- REC -> BX , GLY -> AZ , CMP -> BI , LGO -> CP , DCT -> AO , GRB -> CQ
- CNF -> AJ , INI -> BB , GRA -> CR , DB -> AM , DTA -> CS , APP -> AC
- CAT -> AH , DIR -> AQ , DVC -> AS , DYN -> AT , INP -> BC , LBR -> BD
- LOC -> BF , MMF -> BH , OUT -> BL , PGG -> BO , PIF -> BP , PRD -> BQ
- PRN -> BS , SCR -> BU , SET -> BV , SK -> BW , ST -> BX , TAL -> CA
- WK2 -> CD , WKS -> CE , XQT -> CG , $$$ -> CT , VC -> CU , TMP -> CV
- PAS -> CW , QBJ -> CX , MAP -> CY , LST -> CZ , LIB -> DA , ASM -> DB
- BLD -> DC , COB -> DD , DIF -> DH , FMT -> DG , MDF -> BG , FOR -> DF
-
- The free space on partition C is filled with a
- file containing a number of strings consisting
- of blanks followed by CR/LF. Every time the
- computer boots, a COMMAND.COM is simulated.
- Almost all commands are answered by an error
- message. DIR shows the directory before
- encryption.
-
- Damage..............: Transient damages: from time to time, the
- following message is displayed:
-
- "It is time to pay for your software lease from PC Cyborg
- Corporation. Complete the INVOICE and attach payment for the lease
- option of your choice.If you don't use the printed INVOICE, then be
- sure to refer to the important reference numbers below in all
- correspondence.
-
- In return you will recieve:
- - a renewal software package with easy to follow,
- complete instructions;
- - an automatic, self installing diskette
- that anyone can apply in minutes."
-
- Damage Trigger......: Booting the system 90 times (9 in some cases)
- Particularities.....: AIDS.EXE will only run after installation on
- drive C.
- Some hidden directories are created containing
- hidden subdirectories and some files which are
- used by the trojan; filenames contain blanks and
- can't be accessed via COMMAND.COM. AIDS.EXE and
- INSTALL.EXE have been written in Microsoft Quick
- Basic 3.0; according to VTC's retroanalysis, the
- program and the encryption method are of
- moderate quality; moreover, the dialog as well
- as the function to evaluate the personal risk of
- an AIDS infection are rather primitive.
-
- -------------------- Acknowledgement --------------------------------
-
- Location............: Virus Test Center,
- University Hamburg, Germany
- Classification by...: Ronald Greinke, Uwe Ellermann
- Documentation by....: Ronald Greinke
- Date................: 10-February-1991
- ==================== End of AIDS Trojan =============================
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- +++++++++++++++++++++++++++++ ends +++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
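
Added example (not part of the VTC catalog entry or of any VTC tool): a recovery sketch in Python that inverts the character substitution table from the "Damage" field exactly as printed above. In that listing three cipher characters each have two preimages, so the decoder returns every original name consistent with an encrypted directory entry name instead of a single answer. The function names and the sample names LETTER and COMMAND are constructed for illustration.

```python
from itertools import product

# Substitution table exactly as printed in the catalog entry (plain -> cipher).
PLAIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ#!'^_$0123456789@~&}{)(-%"
CIPHER = "}U_@8!'Q#DAPC1RXZH&6G0KVNICS$~03RFY{JET)M-L^754%B2W"
assert len(PLAIN) == len(CIPHER) == 51
FORWARD = dict(zip(PLAIN, CIPHER))


def encode(name):
    """Apply the printed table; characters outside it pass through."""
    return "".join(FORWARD.get(ch, ch) for ch in name.upper())


def inverse():
    """Map each cipher character to every plain character that produces it."""
    inv = {}
    for plain, cipher in FORWARD.items():
        inv.setdefault(cipher, []).append(plain)
    return {c: sorted(p) for c, p in inv.items()}


def collisions():
    """Cipher characters with more than one preimage in the printed table."""
    return {c: p for c, p in inverse().items() if len(p) > 1}


def candidates(encrypted):
    """All original names consistent with an encrypted directory entry name."""
    inv = inverse()
    # A character the table never produces is kept unchanged (assumption).
    options = [inv.get(ch, [ch]) for ch in encrypted]
    return ["".join(combo) for combo in product(*options)]


if __name__ == "__main__":
    print("ambiguous cipher characters:", collisions())
    for sample in ("LETTER", "COMMAND"):  # constructed sample names
        enc = encode(sample)
        print(sample, "->", enc, "->", candidates(enc))
```

The ambiguous candidates can be narrowed by comparing them with the pre-encryption listing that, according to the entry, DIR still shows.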
-
-