AIDS (malicious program)

from Wikipedia, the free encyclopedia
AIDS

[Image: message displayed when executing the payload]

Basic data

Year of release: 1989
Operating system: MS-DOS
Programming language: QuickBasic
Category: Ransomware, Trojan horse

AIDS (also known as PC Cyborg) is a Trojan horse programmed in QuickBasic that was distributed in 1989 on floppy disks sent by post. The use of this malware is the first known case of extortion by means of ransomware.

Programming and distribution

The Trojan horse AIDS was developed by the biologist Joseph L. Popp Jr. around 1989. In contrast to today's malware, it was distributed on physical data carriers. For this purpose, Popp sent around 20,000 5.25″ diskettes by post to researchers outside the USA who were researching AIDS. He gave the fictitious "PC Cyborg Corporation" as the sender. The disks were disguised as an interactive database about the syndrome, labelled "AIDS Information - Introductory Diskettes", and were accompanied by an information sheet stating that a license had to be obtained to use the software. The installation was nevertheless carried out on around 1000 computers.

Functionality

The diskettes contained two programs developed in QuickBasic 3.0, INSTALL.EXE and AIDS.EXE. "AIDS.EXE" was used to get the user to run "INSTALL.EXE", which was the actual malware. Once run, the program first created some hidden directories on drive C:. The "AUTOEXEC.BAT" file was then replaced with a modified version, while the original file was renamed "AUTO.BAT". Initially, the Trojan horse apparently remained inactive, but in the background it counted the number of times the computer was started. From the 90th start of the computer onward, the malicious program changed its behavior: it began to symmetrically encrypt the names, but not the contents, of almost all files on drive C: and to hide the drive's directory trees from the user. The system files were not affected by this. At the next restart, the ransomware presented the user with what appeared to be a regular start into a DOS environment. A message was then displayed stating that the license had to be renewed before the computer could be used again. Connected printers also printed out a document stating that, for an annual license, 189 US dollars should be sent as a crossed check to a PO box in Panama in order to receive instructions on how to restore the data.

Effects

An Italian AIDS organization is said to have lost research results from ten years due to the Trojan horse.

The program "AIDSOUT", which was able to restore the files encrypted by the ransomware, was requested from over 90 countries, according to its developer.

Legal consequences

Joseph Popp was arrested by the FBI in January 1990 after he had previously been noticed by security officers at Amsterdam Airport Schiphol. Due to his unstable mental health, he was released early from prison in 1991.
