"AIDS" Trojan (10-February-1991)

Entry...............: "AIDS" Trojan
Alias(es)...........: PC Cyborg Trojan
Trojan Strain.......: ---
Trojan detected when: December 1989
              where.: USA, Europe
Classification......: Trojan Horse
Carrier of Trojan...: A hidden file named REM<255> of 146188 bytes
                      (<255> represents the character ASCII(255));
                      distributed with AIDS.EXE as INSTALL.EXE file on
                      the AIDS Information Disk of PC Cyborg, Panama
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS, PC-DOS
Version/Release.....: ---
Computer model(s)...: IBM PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: The string "rem<255> PLEASE USE THE auto.bat FILE
                      INSTEAD OF autoexec.bat FOR CONVENIENCE <255>"
                      can be found in AUTOEXEC.BAT
Installation Trigger: Installing the "AIDS Information Diskette" on
                      hard disk drive C.
Storage media affected: Free space on partition C:, all directories
Interrupts Hooked...: ---
Damage..............: Permanent damage: all directory entry names are
                      encrypted by a simple substitution algorithm:
                      A -> } , B -> U , C -> _ , D -> @ , E -> 8 ,
                      F -> ! , G -> ' , H -> Q , I -> # , J -> D ,
                      K -> A , L -> P , M -> C , N -> 1 , O -> R ,
                      P -> X , Q -> Z , R -> H , S -> & , T -> 6 ,
                      U -> G , V -> 0 , W -> K , X -> V , Y -> N ,
                      Z -> I , # -> C , ! -> S , ' -> $ , ^ -> ~ ,
                      _ -> 0 , $ -> 3 , 0 -> R , 1 -> F , 2 -> Y ,
                      3 -> { , 4 -> J , 5 -> E , 6 -> T , 7 -> ) ,
                      8 -> M , 9 -> - , @ -> L , ~ -> ^ , & -> 7 ,
                      } -> 5 , { -> 4 , ) -> % , ( -> B , - -> 2 ,
                      % -> W
                      Moreover, the 90 extensions known to the program
                      are changed to the following extensions, each
                      consisting of one blank plus 2 letters:
                      COM -> AK , BAK -> AD , EXE -> AU , PRG -> BR , BAT -> AG , DBF -> AN
                      DOC -> AR , WK1 -> CC , DRW -> DI , NDX -> BK , DRV -> CI , BAS -> AF
                      OVR -> BN , FNT -> AW , ZBA -> CH , SYS -> BZ , FLB -> DJ , FRM -> AX
                      DAT -> AL , LRL -> CJ , OVL -> BM , HLP -> BA , PIC -> DK , XLT -> CF
                      MNU -> BI , TXT -> CB , CAL -> CK , FON -> CL , SPL -> CM , PAT -> DL
                      MAC -> CN , STY -> BY , VFN -> DM , TST -> CO , GEM -> DN , FIL -> AV
                      DEM -> AP , REN -> DO , IMG -> DP , RSC -> DQ , MSG -> BJ , MEM -> DR
                      REC -> BX , GLY -> AZ , CMP -> BI , LGO -> CP , DCT -> AO , GRB -> CQ
                      CNF -> AJ , INI -> BB , GRA -> CR , DB  -> AM , DTA -> CS , APP -> AC
                      CAT -> AH , DIR -> AQ , DVC -> AS , DYN -> AT , INP -> BC , LBR -> BD
                      LOC -> BF , MMF -> BH , OUT -> BL , PGG -> BO , PIF -> BP , PRD -> BQ
                      PRN -> BS , SCR -> BU , SET -> BV , SK  -> BW , ST  -> BX , TAL -> CA
                      WK2 -> CD , WKS -> CE , XQT -> CG , $$$ -> CT , VC  -> CU , TMP -> CV
                      PAS -> CW , QBJ -> CX , MAP -> CY , LST -> CZ , LIB -> DA , ASM -> DB
                      BLD -> DC , COB -> DD , DIF -> DH , FMT -> DG , MDF -> BG , FOR -> DF
                      The free space on partition C is filled with a
                      file containing a number of strings consisting
                      of blanks followed by CR/LF. Every time the
                      computer boots, a COMMAND.COM is simulated;
                      almost every command is answered with an error
                      message. DIR shows the directory as it was
                      before encryption.
Damage..............: Transient damage: from time to time, the
                      following message is displayed:
                      "It is time to pay for your software lease from
                      PC Cyborg Corporation. Complete the INVOICE and
                      attach payment for the lease option of your
                      choice. If you don't use the printed INVOICE,
                      then be sure to refer to the important reference
                      numbers below in all correspondence. In return
                      you will receive:
                      - a renewal software package with easy to
                        follow, complete instructions;
                      - an automatic, self installing diskette that
                        anyone can apply in minutes."
Damage Trigger......: Booting the system 90 times (9 in some cases)
Particularities.....: AIDS.EXE will only run after installation on
                      drive C. Some hidden directories are created
                      containing hidden subdirectories and some files
                      which are used by the trojan; the filenames
                      contain blanks and can't be accessed via
                      COMMAND.COM. AIDS.EXE and INSTALL.EXE have been
                      written in Microsoft QuickBASIC 3.0; according
                      to VTC's retroanalysis, the program quality and
                      the encryption method are of moderate quality;
                      moreover, the dialog as well as the function to
                      evaluate the personal risk of an AIDS infection
                      are rather primitive.
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke, Uwe Ellermann
Documentation by....: Ronald Greinke
Date................: 10-February-1991
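The substitution tables above are what a recovery tool needs. The following is an added example (not part of the VTC entry and not the trojan's own code): it applies the character table as printed, carries a six-entry subset of the 90-entry extension table, checks AUTOEXEC.BAT for the identification string, and inverts the character table for name recovery. Because the printed table maps two sources onto each of "C", "0" and "R", the decoder returns every candidate rather than guessing; the pass-through of unlisted extensions is an assumption the page does not state.

```python
from itertools import product

# Filename character substitution exactly as printed in the catalogue entry
# (applied to the 8-character name field of a directory entry).
SUBST = {
    'A': '}', 'B': 'U', 'C': '_', 'D': '@', 'E': '8', 'F': '!', 'G': "'", 'H': 'Q',
    'I': '#', 'J': 'D', 'K': 'A', 'L': 'P', 'M': 'C', 'N': '1', 'O': 'R', 'P': 'X',
    'Q': 'Z', 'R': 'H', 'S': '&', 'T': '6', 'U': 'G', 'V': '0', 'W': 'K', 'X': 'V',
    'Y': 'N', 'Z': 'I', '#': 'C', '!': 'S', "'": '$', '^': '~', '_': '0', '$': '3',
    '0': 'R', '1': 'F', '2': 'Y', '3': '{', '4': 'J', '5': 'E', '6': 'T', '7': ')',
    '8': 'M', '9': '-', '@': 'L', '~': '^', '&': '7', '}': '5', '{': '4', ')': '%',
    '(': 'B', '-': '2', '%': 'W',
}

# Subset of the 90-entry extension table (3-character field -> one blank + 2 letters).
EXT_SUBST = {'COM': ' AK', 'EXE': ' AU', 'BAT': ' AG', 'DOC': ' AR', 'TXT': ' CB', 'DBF': ' AN'}

# Inverse table for recovery. As printed, two sources map onto each of 'C', '0'
# and 'R', so some encrypted characters have more than one candidate original.
INVERSE = {}
for src, dst in SUBST.items():
    INVERSE.setdefault(dst, []).append(src)

# Line the trojan writes into AUTOEXEC.BAT ("Easy Identification" above); \xff is ASCII 255.
AUTOEXEC_MARKER = 'rem\xff PLEASE USE THE auto.bat FILE INSTEAD OF autoexec.bat FOR CONVENIENCE \xff'

def encode_name(stem):
    """Encrypt a name stem; characters not in the table pass through unchanged."""
    return ''.join(SUBST.get(ch, ch) for ch in stem.upper())

def encode_ext(ext):
    """Map a listed extension; unlisted ones are returned as-is (assumption, not stated above)."""
    return EXT_SUBST.get(ext.upper(), ext.upper())

def decode_name(enc):
    """Return every original stem consistent with the table, sorted and de-duplicated."""
    choices = [INVERSE.get(ch, [ch]) for ch in enc]
    return sorted({''.join(p) for p in product(*choices)})

def autoexec_tampered(text):
    """True if AUTOEXEC.BAT content contains the trojan's REM line."""
    return AUTOEXEC_MARKER in text

if __name__ == '__main__':
    print(encode_name('AIDS'), repr(encode_ext('EXE')))
    print(decode_name('C0R'))
```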