VIRUS-L Digest Tuesday, 19 Dec 1989 Volume 2 : Issue 264 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: AIDS disk (PC) Motivation behind the AIDS trojan WDEF protection strategy for servers (Mac) WDEF virus.... (Mac) AIDS TROJAN STAGE 2 UPDATE (PC) Re: AIDS Trojan Update (PC) AIDS Trojan Update #4 (PC) Legal Ramifications of PC-Cyborg License The missing viruses (PC) --------------------------------------------------------------------------- Date: 18 Dec 89 21:49:52 +0000 From: attcan!ram@uunet.UU.NET (Richard Meesters) Subject: Re: AIDS disk (PC) martin@EASBY.DURHAM.AC.UK (Martin Ward) writes: > I feel that I should point out that the effects of this disk are > entirely in accordance with the standard warrenty used by most > commercial software developers (the ones which disclaim that the > programs are fit for any purpose at all, that XXX will disclaims all > responsibility for any damage or loss caused etc.) Either these > warrenties are ILLEGAL or the perpetrators of this disk are entirely > within their legal rights to do what they have done. Does anyone (eg a > lawyer) know which is the case? I'm afraid I can't agree with you, Martin. Warranty implies that the product was purchased and you are following the terms of the purchase agreement. The trojan runs for a time and then demands that you pay for the product (Which, as it has been presented appears to be a demo.) If you don't pay the price, the trojan, in effect, kidnaps your data and holds it for ransom. Illegal, or at least extremely Immoral (presumably the former). Regards, Richard Meesters ------------------------------ Date: 18 Dec 89 22:47:23 +0000 From: Steven Den Beste Subject: Motivation behind the AIDS trojan Like everyone who's heard of this thing, we here have been asking "What are they trying to accomplish that makes them willing to spend this much money?" I've come up with a model for their motivation which I think explains everything. I'd be very interested in any reactions to it: 1. They deliberately distributed two versions of the program. One version fires immediately, while the other stays silent for 90 reboots. I'll call these "scrambled" and "infected" systems respectively. 2. It is my guess that there are very few copies of the fire-immediately version. It is my guess that this version was deliberately mailed later than the others. 3. The purpose of the fire-immediately version is to make an example of a few users. It is my guess that the authors thought they had hidden things sufficiently well that a person who knew his system was infected still could not find and remove the infection. This then explains why the scrambled systems indentify clearly which program caused the scrambling. 4. Therefore: A lot of people receive the disks "for free" and install immediately. Infection becomes rampant. 5. A few people get their systems scrambled immediately. Word gets out that the program is dangerous - but not immediately in most cases. 6. People with infected systems are given 90 reboots (presumably at least a couple of months under normal usage) to send in their money and get a dis-infector disk back. 7. Each system derives part of its encryption key from local information. Thus the dis-infector disk can only be used on the system for which it was returned. An organization with 10 infected systems has to pay 10 times, and receive 10 disks. 8. The money must be sent through a dummy corporation in Panama, with its notoriously unstrict banking laws. Payment is in US dollars because that's what Panamanian banks deal in. 9. For a person whose system is infected but not yet scrambled, an obvious tactic is to do a file-by-file backup onto disks or tape (as opposed to a block-level backup), followed by a disk reformat and rebuild, and restoration of the files. To thwart that end, I predict that the trojan has inserted itself into one or more executable files which would be expected to be retrieved in the backup. This may not include the full encryption algorithm - a simple "destroy all data and make the disk image unusable" would do. If several people get nailed in this way, word spreads and most people won't try to escape this way anymore. [If one is careful about what is restored and what gets recovered from original release disks, this approach should be pretty safe. But the kind of people who would routinely install a program like this in the face of a "shrink-wrap" license are likely to have other software they use for which original release disks are not readily available. It would be my guess that such programs would be particularly inviting targets. Likewise, the process of a file-by-file backup and restore on an almost full 100 MB. disk is not a pleasant prospect. It might actually cost more in floppy disks and time than the decryptor costs.] 10. The reason the disk was not distributed in the US and that the "license" doesn't allow it to be used here is that the behavior of this program is in direct violation of the federal "virus" law. It would be very interesting to know if there are any directly applicable statute in Great Britain preventing this kind of activity. If not, then the authors of this would be outside of the purvue of criminal law, and protected against civil suit by their "license". They might actually get away with it. 11. The motivation behind all this, then, is extortion. The cover story of an AIDS database may or may not be a sick attempt at an analogy. It may instead be a deliberate choice of a subject likely to intrigue many people into installing the program on their systems. (No-one has made any comment about what, if any, cover program is on the distribution disk. Does it really contain an AIDS database?) 12. Lastly, it is my guess that the authors have badly underestimated both the quantity and quality of the effort which has been and will be applied to defending against this trojan (see point 3 above). This story is not yet completely written, though - it may be that only the first layer of defenses have been opened to our vision, and that this thing runs much deeper (see point 9 above). 13. How do we find them? a. Follow the bank accounts from which the mailing lists were bought and from which the rent money in London was paid. (Probably tough.) b. Follow the bank accounts in Panama. (Forget it!) c. Send in your money and try to figure out where the decryptor disk was sent. (IF it gets sent. There is no guarantee that they'll follow through on the bargain.) d. Try to trace where they bought their computers originally to do the development. (Sure thing.) e. Just where DO we (editorial "we") start looking, and what do we do with them when they're found? Is there actually any way to bring these guys to justice under British, Swedish or West German law? Could they be extradited from Nigeria or somewhere like that? Steven C. Den Beste || denbeste@bbn.com (ARPA/CSNET) BBN Communications Corp. || {apple, usc, husc6, csd4.milw.wisc.edu, 150 Cambridge Park Dr. || gatech, oliveb, mit-eddie, Cambridge, MA 02140 || ulowell}!bbn.com!denbeste (USENET) ------------------------------ Date: Mon, 18 Dec 89 19:19:00 -0500 From: When I grow up I wanna be a Redneck Subject: WDEF protection strategy for servers (Mac) Just an idea that may make most of our lives a bit easier. On our servers at SMU students often save their papers on the system disks. Well as anybody knows this is not cool when they fill up. Soo I throw them away. Not nice but I thought it got the job done until I noticed that the desktop remembers the icons (and other stuff) that these files contained. Sooo I did some thinking and locked the desktops. The result is that when papers are saved their icon's are not so throwing them away still restores the disk to it's original free space. Hmmmmm (I said to my self) Wouldn't this work well in preventing those disks from getting WDEF? If the message from the last Virus-l was true then this should halt the spread of our new little virus. But only use it if you do not expect the contents of your disk to change - as in adding or removing files. I hope this works. - Alex Zavatone Mac Software Southeastern Mass U ------------------------------ Date: 19 Dec 89 01:04:18 +0000 From: gford%nunki.usc.edu@usc.edu (Greg Ford) Subject: WDEF virus.... (Mac) Sure enough, my Mac II had WDEF on it. It's first attack (on four partitions) was December 9. Funny thing was, immediately prior to my discovery of this virus, my Mac II had been experiencing these same symptoms of slow-closing windows. In fact, it was common for the mouse-depression lines in the go-away box of the window to take up to 5 seconds to appear and for the window to close. This follows what has been said about the virus earlier. The other problem I had (which has now gone away since erradication 5 days ago) was that when opening a large file from the HD (Rodime, 140 Meg, Internal), it would often crash during the read, and MacBugs would say it was damaged. This scared me because I haven't done a backup since September (I know, I know no flames please), and this crash was coupled with the sound that the HD makes when it starts up (you Rodime people know what I mean - that click, and spinning sound). Anyway, the problem has gone away, and those same files open fine now that WDEF is gone. Anyone else had this problem? As a side note, every single Mac on campus is infected near as I can tell. One lab with ~80 macs was infected in all 10 macs I randomly sampled. I gave the lab-room operator a copy of Disinfectant 1.5, but he (get this) was unsure what to do with it. I hope they've cleaned it up. If this thing (WDEF) passes from disk to disk just by inserting an infected disk into a mac, can you imagine the headache created by users who have they're own disks? The whole lab can become reinfected in one day. What a mess. ******************************************************************************* * Greg Ford GEnie: G.FORD3 * * University of Southern California Internet: gford%nunki.usc.edu@usc.edu * ******************************************************************************* ------------------------------ Date: Mon, 18 Dec 89 20:46:00 -0500 From: IA96000 Subject: AIDS TROJAN STAGE 2 UPDATE (PC) Forgot to mention this in yesterday's update. Sorry about that! PKSCRYPT.EXE is a fine shareware program designed by Lloyd Miller in Canada, a year or two ago. It is a public key encryption program and can be used (at least SWE used it) to decrypt files encrypted by the AIDS trojan. It is available on many BBS's and Lloyd runs a FIDO BBS in Canada.It is available at (201) 249-1898 as CRYPT.ZIP Start off using 13 digit (numbers not characters) decryption keys. Three of the digits will be the major and minor numbers of your DOS version. For example DOS 4.01 would be 401, etc; Two of the digits will be the last two digits in the length of command.com if it was on the disk when stage two was triggered. It is not yet known what is used for these two digits if command.com was not present. Hope this helps somewhat! ------------------------------ Date: 19 Dec 89 07:24:21 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Re: AIDS Trojan Update (PC) Alan_J_Roberts@cup.portal.com writes (on behalf of John McAfee): | Our investigation has turned up surprise: PC Cyborg | Corporation has indeed been registered in the country of Panama. Is anyone aware of any attempts to actually *pay* for these disks? I'm curious as to what sort of response this would meet. Also, is the information on these disks of any worth, or can one claim the "AIDS information" is just a ploy to propagate a Trojan? Perhaps this is really a monumental blunder in the name of copy protection. Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: Tue, 19 Dec 89 00:29:59 -0800 From: Alan_J_Roberts@cup.portal.com Subject: AIDS Trojan Update #4 (PC) A forward from John McAfee: ========================================================================== It's now reasonably certain that there exists only one version of the AIDS Trojan that has been mailed so far. All copies that have been reported so far (31) have the same file size - 146188, date - 9-28-89, and time - 4:28 P. File compares have been performed on nine of the 31 samples and they compare exactly. All have been programmed in Microsoft Quick Basic Version 3 and none have padding bytes at either end of the program. The samples have been taken from England, Germany, Sweden, Finland, France and the one reported case in the U.S. Diskettes from two different mailing lists were included in the sample. The significant reported contradictions in the behaviour of the trojan now appear to be cleared up. The difference in the reported activation trigger is now known to be caused by the varying inputs to the AIDS Information program when it is executed. The Information program modifies the count field according to the final "score" on the quiz. Those who fall in the high risk categories are given the most time; those whose answers place them in low risk categories have their count fields decremented substantially. If the AIDS program is never executed, the user has 90 reboots before activation. The reported differences in the occurance of the SHARE.EXE program after activation are now known to be caused by differences in printer configurations and printer status. If no printer is attached to LPT1, or if the printer is turned off after the initial activation, no SHARE.EXE program of share message is produced. The encryption of the file names and extensions is now also known to be constant for all samples. There is no encryption key or encryption algorithm. The file names are modified by using a simple character substitution which is constant for all samples and execution environments. The extensions are likewise substituted. For example: All COM files are given the extension AK, EXE files are changed to AU and BAT files are changed to AG. If a file extension is unknown to the trojan, then it leaves the extension as is. Disappointingly trivial, considering the complexity of the remainder of the trojan code. It is also known now that the INSTALL program will place and activate the time bomb with or without the accompanying AIDS program. This seems to imply that the install program may have been written for additional purposes. Watch out for potential additional mailings covering completely different subject matter. John McAfee ------------------------------ Date: 19 Dec 89 09:19:37 +0000 From: bb@beach.cis.ufl.edu (Brian Bartholomew) Subject: Legal Ramifications of PC-Cyborg License I too would like to hear the opinions of a competent legal counsel regarding the legality of PC-Cyborg's actions. I feel that the current crop of microcomputer licenses bear more resemblance to the screenplay for a con job, than a contract describing a reasonable use of a product for a reasonable compensation. For a long time, there have been laws in effect that state that a product purchased should perform in a manner similar to the way that it is advertised. A article of machinery purchased as a "car" should perform at least minimally as a "car". In the absence of pride, responsibility, and craftsmanship on the part of the maker, the law should be written to protect the consumer; a license disclaiming all connection with the product except the collection of profit does not do this. Law is like programming; the media the artist works in is the imagination, and vision is only limited by the limitations that are inherited from history. Make the law serve the people, not the lawyers. "Any sufficiently advanced technology is indistinguishable from a rigged demo." - ------------------------------------------------------------------------------- Brian Bartholomew UUCP: ...gatech!uflorida!beach.cis.ufl.edu!bb University of Florida Internet: bb@beach.cis.ufl.edu ------------------------------ Date: Tue, 19 Dec 89 10:49:33 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: The missing viruses (PC) A few PC viruses have been reported but not made generally available to the virus research community. The "missing" viruses are listed below. If anyone can confirm the existence of any of them, I would appreciate it. 2730. It seems that this "virus" does not exist. Agiplan. This virus was described in a W-German newspaper. It is a bit similar to the "Zero-Bug" virus. Both add 1536 bytes to the start of .COM programs they infect. Fallboot. A BSV that is reported by the VIRSCAN program from IBM. Produces a display similar to that produced by 1701/1704. Missouri, Nichols. Two boot sector viruses that were reported by McAfee/Homebase, but are not included in a recent list by him. Screen. Reported by Ross Greenberg, it may be just a variant of the South African virus. Ross said it was uploaded to his BBS earlier this year. He described it in an article in BYTE. Jerusalem variants. Of the 13-14 different Jerusalem variants, only five are "available". Palette. Adds 1538 bytes to .COM files. In addition the following viruses have been mentioned, but probably they do not exist: Cookie. .COM infector Retro Hyperspace The rest of the PC viruses is probably in the hands of most virus researchers by now. - -frisk ------------------------------ End of VIRUS-L Digest