_____________________________________________________________
  THE COMPUTER INCIDENT ADVISORY CAPABILITY

       CIAC

    INFORMATION    BULLETIN
_____________________________________________________________

Information about the PC CYBORG (AIDS) trojan horse 

December 19, 1989, 1600 PST                      Number A-10

There recently has been considerable attention in the news 
media about a new trojan horse which advertises that it 
provides information on the AIDS virus to users of IBM PC 
computers and PC clones.  Once it enters a system, the trojan 
horse replaces  AUTOEXEC.BAT, and may count the number of 
times the infected system has booted until a criterion number 
(90) is reached.  At this point PC CYBORG hides directories, 
and scrambles (encrypts) the names of all files on drive C:   
There exists more than one version of this trojan horse, and 
at least one version does not wait to damage  drive C:, but 
will hide directories and scramble file names upon the first 
boot after the trojan horse is installed.

At first PC CYBORG was distributed only in Europe, although 
several PC CYBORG infections have recently been reported in 
the U.S.  No DOE site has been affected yet, and the 
probability of a widespread infection of this trojan horse 
throughout DOE is extremely small.    This trojan horse is 
introduced into systems through a disk called the AIDS 
Information Introductory Diskette, which has been mailed to a 
mailing list which the author(s) of this trojan horse 
obtained.   PC CYBORG is a trojan horse, not a virus, and 
thus is limited in ability to spread.  This information 
bulletin is being distributed in response to questions raised 
because of the considerable media attention the trojan horse 
has received, more than because of a genuine threat to 
systems.

If you receive a disk in the mail which purports to provide 
information on AIDS, do not load the disk into your computer.  
Please save the disk, and contact CIAC immediately.  If you 
have already run this disk, please also call CIAC as soon as 
possible.  It is important to leave your PC on if it is 
currently on, or leave it off if it is currently off.  
Failure to do so may result in loss of your data, or make 
recovery more difficult.  CIAC has developed recovery 
procedures, which are too lengthy to publish in this 
bulletin.
 
For further information, including information about recovery 
procedures, please contact CIAC:

  Tom  Longstaff
  (415) 423-4416 or (FTS) 543-4416
  FAX: (415) 294-5054

or send e-mail to:  ciac@tiger.llnl.gov