_____________________________________________________________
	THE COMPUTER INCIDENT ADVISORY CAPABILITY

			 CIAC

		INFORMATION    BULLETIN
_____________________________________________________________

Information about the PC CYBORG (AIDS) trojan horse 

December 19, 1989, 1600 PST                    	Number A-10

There recently has been considerable attention in the news 
media about a new trojan horse which advertises that it 
provides information on the AIDS virus to users of IBM PC 
computers and PC clones.  Once it enters a system, the trojan 
horse replaces AUTOEXEC.BAT, and may count the number of 
times the infected system has booted until a criterion number 
(90) is reached.  At this point PC CYBORG hides directories 
and scrambles (encrypts) the names of all files on drive C:.  
There exists more than one version of this trojan horse, and 
at least one version does not wait to damage drive C:, but 
will hide directories and scramble file names upon the first 
boot after the trojan horse is installed.

At first PC CYBORG was distributed only in Europe, although 
several PC CYBORG infections have recently been reported in 
the U.S.  No DOE site has been affected yet, and the 
probability of a widespread infection of this trojan horse 
throughout DOE is extremely small.  This trojan horse is 
introduced into systems through a disk called the AIDS 
Information Introductory Diskette, which has been mailed to 
the addresses on a mailing list that the author(s) of this 
trojan horse obtained.  PC CYBORG is a trojan horse, not a 
virus, and thus is limited in its ability to spread.  This information 
bulletin is being distributed in response to questions raised 
because of the considerable media attention the trojan horse 
has received, more than because of a genuine threat to 
systems.

If you receive a disk in the mail which purports to provide 
information on AIDS, do not load the disk into your computer.  
Please save the disk, and contact CIAC immediately.  If you 
have already run this disk, please also call CIAC as soon as 
possible.  It is important to leave your PC on if it is 
currently on, or leave it off if it is currently off.  
Failure to do so may result in loss of your data, or make 
recovery more difficult.  CIAC has developed recovery 
procedures, which are too lengthy to publish in this 
bulletin.
 
For further information, including information about recovery 
procedures, please contact CIAC:

	Tom Longstaff
	(415) 423-4416 or (FTS) 543-4416
	FAX: (415) 294-5054

or send e-mail to:  ciac@tiger.llnl.gov


CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788