This virus is developed under an organization called CPI (Corrupted Programming International), discovered in 1989.
There are 2 variants in 2 versions:
AIDS is the first virus known to exploit the vulnerability on MS-DOS's "corresponding file". When the virus is run, it overwrites the first uninfected DOS executable, and clears the screen (for the first run).
The size of the original file is 13,847 bytes, while the infection size is 105 bytes longer.
The virus overwrites the first 13,952 bytes in the file to be infected, the date stamp of the file will also be changed to the time of infection. If the file is smaller than the infection size, the file size change will be noticeable.
The following text string can be found in any infected file:
This File Has Been Infected By AIDS! HaHa!
Files overwritten by the virus are not possible to recover and they must be deleted or replaced by clean copies.
The another version of the virus is a demo virus as it does not infect any file.
Although the virus does not stay in memory, but it would still crash the system when some of the EXE program are run (but they will not be infected).
Every time when a program infected (or overwritten) by AIDS, it draws a random number between 1 and 10, if the number is 7, the virus activates and displays a message with an ASCII art of the word "AIDS" in bright white color and hangs the system.
The another version also activates by random, and then it displays the same message but in yellow color.
Other details Edit
This virus is originally named NumberOne.
There are two known variants of AIDS also in wild by modifying the original code:
- AIDS B
The AIDS II virus appears a more elegant revision of AIDS. AIDS II also employs the corresponding file technique to execute infected code.
There exists another virus sharing the same name, they are relatively harmless version, and the creator was also different.
Source code of HLLO.AIDS, AIDS - Virus for MS-DOS by Doctor Dissector