3.858 Warning: beware the Cyborg bearing gifts! (165)

Willard McCarty (MCCARTY@vm.epas.utoronto.ca)
Mon, 18 Dec 89 08:21:29 EST

Humanist Discussion Group, Vol. 3, No. 858. Monday, 18 Dec 1989.

Date: Fri, 15 Dec 89 13:26:23 PST
From: cbf%faulhaber.Berkeley.EDU@jade.berkeley.edu (Charles Faulhaber)
Subject: PC Cyborg virus

This sounds serious. The message came to me via a colleague in
contact with a Brazilian [!] network.


Date: Tuesday, 12 December 1989 12:26-MST
From: portal!cup.portal.com!Alan_J_Roberts@sun.com
To: Private mailing list <w8sdz@wsmr-simtel20.army.mil>
Subject: Major Trojan Warning

This is an urgent forward from John McAfee:

A distribution diskette from a corporation calling itself PC
Cyborg has been widely distributed to major corporations and PC user
groups around the world and the diskette contains a highly destructive
trojan. The Chase Manhattan Bank and ICL Computers were the first to
report problems with the software. All systems that ran the enclosed
programs had all data on the hard disks destroyed. Hundreds of
systems were affected. Other reports have come in from user groups,
small businesses and individuals with similar problems. The
professionally prepared documentation that comes with the diskette
purports that the software provides a data base of AIDS information.
The flyer heading reads - "AIDS Information - An Introductory
Diskette". The license agreement on the back of the same flyer reads:

"In case of breach of license, PC Cyborg Corporation reserves the
right to use program mechanisms to ensure termination of the use of
these programs. These program mechanisms will adversely affect other
program applications on microcomputers. You are hereby advised of the
most serious consequences of your failure to abide by the terms of
this license agreement."

Further in the license is the sentence: "Warning: Do not use these
programs unless you are prepared to pay for them".

If the software is installed using the included INSTALL program, the
first thing that the program does is print out an invoice for the
software. Then, whenever the system is re-booted, or powered down and
then re-booted from the hard disk, the system self destructs.

Whoever has perpetrated this monstrosity has gone to a great deal of
time, and more expense, and they have clearly perpetrated the largest
single targeting of destructive code yet reported. The mailings are
professionally done, and the style of the mailing labels indicates the
lists were purchased from professional mailing organizations. The
estimated cost for printing, diskette, label and mailing is over
$3.00 per package. The volume of reports implies that many thousands
may have been mailed. In addition, the British magazine "PC Business
World" has included a copy of the diskette with its most recent
publication - another expensive avenue of distribution. The only
indication of who the perpetrator(s) may be is the address on the
invoice to which they ask that $378.00 be mailed:

PC Cyborg Corporation
P.O. Box 871744
Panama 7, Panama

Needless to say, a check for a registered PC Cyborg Corporation in
Panama turned up negative.

An additional note of interest in the license section reads:
"PC Cyborg Corporation does not authorize you to distribute or use
these programs in the United States of America. If you have any doubt
about your willingness or ability to meet the terms of this license
agreement or if you are not prepared to pay all amounts due to PC
Cyborg Corporation, then do not use these programs".

John McAfee

------- End of Forwarded Message

From: IN%"kwe%buitb.BU.EDU@bu-it.bu.edu" 14-DEC-1989 12:46
To: BRADFORD@buastb.bu.edu
Subj: More on the PC Trojan Horse

Subject: More on PC Diskette Trojan...
Date: Thu, 14 Dec 89 12:35:05 -0500
From: Daniel Long <long@BBN.COM>

Here's the latest:

------- Forwarded Message

Date: Wednesday, 13 December 1989 17:56-MST
From: portal!cup.portal.com!Alan_J_Roberts@sun.com
To: Private mailing list <w8sdz@wsmr-simtel20.army.mil>
Subject: AIDS Trojan Update

This is a forward from John McAfee:

A lot more has been discovered about the AIDS Information Trojan
in the past 24 hours. First, the diskette does not contain a virus.
The install program does initiate a counter, and based on a seemingly
random number of re-boots, the trojan will activate and destroy all
data on the hard disk. The diskette was mailed to at least 7,000
corporations, based on information obtained from CW communications -
one of the magazine mailing label houses used by the perpetrators.
The perpetrator's initial investment in disks, printing and mailing is
well in excess of $158,000 according to a Chase Manhattan Bank
estimate that was quoted in a PC Business World press release from
London. The bogus company that sent the diskettes had rented office
space in Bond Street in London under the name of Ketema and
Associates. The perpetrators told the magazine label companies that
they contacted that they were preparing an advertising mailer for a
commercial software package from Nigeria. All offices had been
vacated at the time of the mailing, and all addresses in the software
and documentation are bogus.

The Trojan creates several hidden subdirectories -- made up of
space and ASCII 255's -- in the root of drive C. The install program
is copied into one of these and named REM.EXE. The user's original
AUTOEXEC.BAT file is copied to a file called AUTO.BAT. The first line
of this file reads -- "REM Use this file in place of AUTOEXEC.BAT for
convenience". The installation also creates a hidden AUTOEXEC.BAT
file that contains the commands:

CD \
REM Use this file in place of AUTOEXEC.BAT

The CD \ actually contains ASCII characters 255, which causes the
directory to change to one of the hidden directories containing the
REM.EXE file. The REM file is then executed and decrements a counter
at each reboot. After a random number of reboots, the hard disk is
wiped clean. Definitely a new approach.

So far the mailings appear to be limited to western Europe. No
reports have been received from the U.S. If anyone does have the
diskette, or has already run the install program, a disinfector has
been written by Jim Bates and is available on HomeBase for free
download. 408 988 4004. The name of the disinfector is AIDSOUT.COM.

John McAfee

------- End of Forwarded Message

----- End Forwarded Message -----
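
Added example, not part of the original messages: a byte-level check for the two artifacts the update describes, directory names made up only of spaces and ASCII 255, and an AUTOEXEC.BAT line whose CD target is such a name. It assumes the batch file and the root directory names have been read as raw bytes (for instance from a disk image); the sample inputs are constructed, and the exact position of the 255 byte in the CD line is an assumption.

```python
import re

# Space, plus 0xFF ("ASCII 255"), which DOS code page 437 displays as a blank.
INVISIBLE = {0x20, 0xFF}

def is_blank_name(name: bytes) -> bool:
    """True for a name built only from spaces and 0xFF bytes (at least one 0xFF)."""
    return 0xFF in name and all(b in INVISIBLE for b in name)

def show(raw: bytes) -> str:
    """Render a line with every non-printable byte spelled out as <HEX>."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02X}>" for b in raw)

def scan_batch(data: bytes):
    """Return (line_no, reason, visible_text) for each line carrying a 0xFF byte."""
    findings = []
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    for no, raw in enumerate(lines, 1):
        if 0xFF not in raw:
            continue
        reason = "0xFF byte in line"
        # A CD/CHDIR whose path has a component that is nothing but blanks.
        cd = re.match(rb"\s*(?:CD|CHDIR)\b\s*(.*)", raw, re.IGNORECASE)
        if cd and any(is_blank_name(part) for part in cd.group(1).split(b"\\")):
            reason = "CD into blank-named directory"
        findings.append((no, reason, show(raw)))
    return findings

# Constructed samples (not recovered from a real diskette).
SAMPLE_AUTOEXEC = b"CD \\\xff\r\nREM Use this file in place of AUTOEXEC.BAT\r\n"
SAMPLE_ROOT_DIRS = [b"DOS", b"\xff", b"\xff \xff", b"WP51"]

if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_AUTOEXEC):
        print(finding)
    print([show(n) for n in SAMPLE_ROOT_DIRS if is_blank_name(n)])
```

On screen the flagged line is indistinguishable from a plain "CD \", which is why the check works on bytes rather than on displayed text.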