AIDS Trojan
Alias: PC Cyborg Trojan
Strain:
detected when:
where:
Classification: Trojan Horse
Length:

Preconditions
Operating System(s): MS-DOS, PC-DOS
Version/Release: ---
Computer model(s): IBM PC, XT, AT and compatibles
Caroname: AIDS_Trojan

Attributes
Easy identification: The string "rem<255> PLEASE USE THE auto.bat FILE INSTEAD OF autoexec.bat FOR CONVENIENCE <255>" can be found in AUTOEXEC.BAT
Type of Infection:
Infection Technique:
Infection Trigger:
Storage Media affected: Free space on Partition C:, all directories
Interrupts hooked:
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:
  Transient damages: from time to time, the following message is displayed: "It is time to pay for your software lease from PC Cyborg Corporation. Complete the INVOICE and attach payment for the lease option of your choice.If you don't use the printed INVOICE, then be sure to refer to the important reference numbers below in all correspondence. In return you will recieve: - a renewal software package with easy to follow, complete instructions; - an automatic, self installing diskette that anyone can apply in minutes."
Damage Trigger: Booting the system 90 times (9 in some cases)
Particularities: AIDS.EXE will only run after installation on drive C. Some hidden directories are created containing hidden subdirectories and some files which are used by the trojan; filenames contain blanks and can't be accessed via COMMAND.COM. AIDS.EXE and INSTALL.EXE have been written in Microsoft Quick Basic 3.0; according to VTC's retroanalysis, the program quality and the encryption method show moderate quality; moreover, the dialog as well as the function to evaluate the personal risk of an AIDS infection are rather primitive.
Similarities:

Agents
Countermeasures:
Standard means:

Acknowledgements
Location: Virus Test Center, University Hamburg, Germany
Classification by: Ronald Greinke, Uwe Ellermann
Documentation by: Ronald Greinke
Date: 10-February-1991
Information Source: