!!! THE HOAX FAQ!!!
Last Updated Thursday October 09, 1997
by Martin Overton


Hoaxes / Trojans

  The Naughty Robot
  YUKON3U.mp
  AOL4FREE (3)
  Deeyenda
  Death 69
  Free Money
  Ghost
  Good Times
  Irina
  Join The Crew
  Penpal greetings
  PKZIP Trojan, PKZ300B.ZIP
  Red Alert
  Returned or Unable To Deliver Email Acknowledgements

Information / Spoofs

  HELP, What do I do!
  History of Hoaxes
  How to Identify a Hoax
  What to Do When You Receive a Warning
  What is a HOAX?
  Good Times Spoof


ADMINISTRIVIA

Disclaimer

This document is primarily concerned with defending the integrity of computing systems and preventing damage caused by misinformation regarding hoax viruses or other claimed malicious email. It attempts to address many of the issues which are frequently discussed on alt.comp.virus, but does not claim to represent all shades of opinion among the users of a.c.v.

This document is an honest attempt to help individuals with hoax virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document.

Not all the views expressed in this document are mine, and those views which *are* mine are not necessarily shared by my employer.

Martin Overton


Copyright Notice

Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit.

It may not be reproduced for profit or distributed in part or as a whole with any product for which a charge is made, except with the prior permission of the copyright holders.

To obtain such permission, please contact the maintainer of the FAQ.

Availability

The latest HTML version of this document is available from: http://www.salig.demon.co.uk/hoaxfaq.htm


HELP, What do I do!

  1. DON'T PANIC.
    This is the cardinal rule: more damage is done through panic than these hoaxes could ever do if they were real threats.

  2. DON'T send it on to anyone else.
    You will only make the impact larger and spread the misinformation.

  3. DON'T destroy the evidence.
    It makes it much harder to offer advice on pure hearsay. Just give us the facts!

  4. DO verify that it is a hoax.
    Check here, or contact your security department or local virus guru for guidance.

  5. DO tell the original sender.
    Once verified as a hoax, let the person(s) who sent you the hoax know. This will help to stop the same thing happening to others, and hopefully educate and therefore eradicate this threat.



What is a HOAX?

Here are the entries from various dictionaries:

Hoax \Hoax\, n. [Prob. contr. fr. hocus, in hocus-pocus.] A deception for mockery or mischief; a deceptive trick or story; a practical joke. --Macaulay.

OR

Hoax \Hoax\, v. t. [imp. & p. p. Hoaxed; p. pr. & vb. n. Hoaxing.] To deceive by a story or a trick, for sport or mischief; to impose upon sportively. --Lamb.

OR

hoax n : deliberate trickery intended to gain an advantage [syn: fraud, fraudulence, dupery, put-on] v : subject to a hoax [syn: play a joke on]

So now you know!



The Returned or Unable To Deliver "Virus" Email Warning Is A Hoax

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last Modified: 28 August 1997

This information can be freely reproduced in any medium, as long as the information is unmodified.

More silliness:

    There is a new virus going arround in the last couple of days!!! DO 
    NOT open or even look at any mail that you get thar says: "Returned 
    or Unable to Deliver" This virus will attach itself to your computer 
    components and render them useless. Immediately delete any mail 
    items that says this. AOL has said this is a very danderous virus, 
    and there is NO remedy for it at this time, Please Be Careful, And 
    forward to all your on-line friends A.S.A.P. 

Naturally, you should:

Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- informing the originators that this is a hoax. I suggest that you provide a pointer to this URL (http://www.umich.edu/~wwwitd/virus-busters/hoaxes/unable.html) or to another reputable site, like DataFellows (leaving our site).

-BPB



The NaughtyRobot Hoax

This hoax started in mid January 1997. The NaughtyRobot is an e-mail that states "Your security has been breached by NaughtyRobot". First of all it is nonsense, so if you get it "Don't Panic", just have a good laugh and ignore it. Your system has NOT been "exploited", nor has your personal information been "captured".

What the NaughtyRobot really is

Basically it seems to be a "robot" that sends you its e-mail message at random. (See the text of the message below.) When I say robot here, I mean a program that searches the Web automatically, jumping from website to website through the pages' links. There are many robots (AKA "bots", AKA "spiders") wandering around the Internet and most of them are well behaved and useful things. This is just a case of a robot "gone bad" (actually robots are not really bad, they are just programmed that way...) In this case the program seems to look at the HTML source for the "mailto" tag. It then sends its e-mail message to the tag's e-mail address and pastes whatever text link is used into the "From" field.

For example if your page has the HTML tag

   <A HREF="mailto:yourname@youraddress.com"> yourname@youraddress.com</A>

then the "From" field will be

"yourname@youraddress.com"


However if your page has the HTML tag

   <A HREF="mailto:yourname@youraddress.com"> Your Real Name</A>

then the "From" field will be "Your Real Name".

It seems unusual enough to receive e-mail with your own e-mail address appearing in the "From" field (as if you mailed it to yourself), but for those who have had their "Real Name" used, it seems even odder. This automatic "personal touch" is what makes the NaughtyRobot so naughty. So who is doing this? Or more to the point...

How can I find out who REALLY sent this (or any other) e-mail to me?

You can see how easy it is to fake e-mail (for more info on e-mail fraud Read This). But you can trace an e-mail to see who really sent it, as follows.

  1. Get the E-mail's "Id" by checking the "Message-Id" (or "Conversation Id", etc.) in the e-mail's header information.
  2. The Message-Id will look something like this:
    Message-Id: m0vsdtV-00065zC@frdbib.bibsyst.no


  3. To track down who sent you this e-mail, write to the e-mail's postmaster
  4. In this example it would be (postmaster@frdbib.bibsyst.no)

    Please note: To find who sent YOU the e-mail, you must check your own copy of the message for the message id, and send your e-mail to the postmaster of the system appearing in the message id on YOUR copy of the message. (FYI: I have already notified the postmaster@frdbib.bibsyst.no of this abuse of their system, and Ola is dealing with it. )

    The postmaster is a good person and DID NOT write you the NaughtyRobot, they just passed it along to you - so be nice to them :-). The postmaster is like your local snail mail post office worker. You can't blame your mailperson for delivering the junk mail!

    When you e-mail the postmaster, send the "Message-Id" and the time you received the e-mail; it may be possible for them to check which user on their system sent the message. The postmaster will probably e-mail you that information if asked, or they might just deal with the "naughty" e-mailers themselves. It is also possible that the postmaster has not kept the records of who sent it (these sorts of records can tend to become very large). Either way you have alerted the postmaster to the fact that somebody is abusing their system by sending this stuff.

    In the case of the NaughtyRobot:

    There is the possibility that the sender's address the postmaster has is also a fake one. From feedback I have received, it might also be possible that the postmaster's address appearing in your header was a fake one, and that their system never even actually has a log of passing the message to you!

    For more info on "Figuring out fake e-mail & posts", read this outstanding FAQ.
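
The header check from the steps above, as an added example (not part of the original FAQ): it extracts the Message-Id host and builds the postmaster address, then goes one step beyond the FAQ's text by comparing that host with the Received lines, since the FAQ notes the Message-Id itself may be fake. Both sample messages, the 192.0.2.x and 198.51.100.x addresses, every host name other than frdbib.bibsyst.no, and all function names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Leading "from <name> (<detail>)" clause of a Received header.
RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)

# Constructed sample 1: Message-Id host matches the relay named in Received.
SAMPLE_CONSISTENT = (
    "Received: from frdbib.bibsyst.no (frdbib.bibsyst.no [192.0.2.10])\n"
    "\tby mail.youraddress.com with SMTP id AA01234;\n"
    "\tTue, 21 Jan 1997 10:15:02 +0000\n"
    "Message-Id: <m0vsdtV-00065zC@frdbib.bibsyst.no>\n"
    "From: yourname@youraddress.com\n"
    "To: yourname@youraddress.com\n"
    "Subject: security breached by NaughtyRobot\n"
    "\n"
    "This message was sent to you by NaughtyRobot...\n"
)

# Constructed sample 2: Message-Id names a host that no Received line mentions.
SAMPLE_MISMATCH = (
    "Received: from dialup-7.example.net (dialup-7.example.net [198.51.100.7])\n"
    "\tby mail.youraddress.com with SMTP id AA01299;\n"
    "\tWed, 22 Jan 1997 03:41:55 +0000\n"
    "Message-Id: <m0vtAbc-0001xyZ@relay.example.org>\n"
    "From: yourname@youraddress.com\n"
    "To: yourname@youraddress.com\n"
    "Subject: security breached by NaughtyRobot\n"
    "\n"
    "This message was sent to you by NaughtyRobot...\n"
)


def message_id_host(msg):
    """Return the host part of the Message-Id header, or None if unusable."""
    raw = (msg.get("Message-Id") or "").strip().strip("<>")
    local, sep, host = raw.rpartition("@")
    return host.lower() if sep and local and host else None


def received_hops(msg):
    """Parse Received headers, newest first (the order they appear in)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = RECEIVED_FROM.match(flat)
        hops.append({
            "from": m.group(1).lower() if m else "",
            "detail": (m.group(2) or "").lower() if m else "",
            # The timestamp follows the last ';' in a Received header.
            "time": flat.rpartition(";")[2].strip() if ";" in flat else None,
        })
    return hops


def trace(raw_message):
    """Collect what the FAQ says to send the postmaster, plus sanity checks."""
    msg = email.message_from_string(raw_message)
    host = message_id_host(msg)
    hops = received_hops(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()

    # Every host name or IP that any Received line mentions as a source.
    seen = set()
    for hop in hops:
        seen.update(re.findall(r"[a-z0-9.-]+", hop["from"] + " " + hop["detail"]))

    msg_id = (msg.get("Message-Id") or "").strip().strip("<>") or None
    return {
        "message_id": msg_id,
        "postmaster": f"postmaster@{host}" if host else None,
        # Only the topmost Received line was written by your own mail
        # server; its timestamp is the "time you received the e-mail".
        "received_at": hops[0]["time"] if hops else None,
        # NaughtyRobot's trademark: the From field copies your own address.
        "from_equals_to": bool(sender) and sender == rcpt,
        # False suggests the Message-Id host may be forged, in which case
        # that postmaster may hold no log of the message at all.
        "id_host_in_received": host is not None and host in seen,
    }


if __name__ == "__main__":
    for label, raw in (("consistent", SAMPLE_CONSISTENT),
                       ("mismatch", SAMPLE_MISMATCH)):
        print(label)
        for key, value in trace(raw).items():
            print(f"  {key}: {value}")
```

A False `id_host_in_received` does not prove forgery, and a True one does not prove the Message-Id is genuine; it only tells you how much weight to give the postmaster address before you write to it.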

Here is the text of the NaughtyRobot letter:

Subject: security breached by NaughtyRobot
From: yourname@youraddress

This message was sent to you by NaughtyRobot, an Internet spider
that crawls into your server through a tiny hole in the World Wide Web.


NaughtyRobot exploits a security bug in HTTP and has visited your

 host system to collect personal, private, and sensitive information.


It has captured your Email and physical addresses, as well as your
 phone and credit card numbers.  To protect yourself against the
 misuse of this information, do the following:


        1. alert your server SysOp,
        2. contact your local police,
        3. disconnect your telephone, and
        4. report your credit cards as lost.

Act at once.  Remember: only YOU can prevent DATA fires.

This has been a public service announcement from the makers of
NaughtyRobot -- CarJacking its way onto the Information SuperHighway.



Yukon3u.mp

Yukon3u.mp is not a virus. It is a hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to Yukon3u.mp. The text of the hoax appears below:

YUKON3U.mp VIRUS IS ABOUT TO STRIKE THE NEWSGROUPS!
As many of you know, the amount of viruses that have been posted within the past couple of months are tremendous -- now we have 2 new threats to contend with.
To continue... a medium amount of the recent posts in some of the Alt.Binaries have contained a time-bomb trojan virus called YUKON3U.mp which is a derivative of a 2nd generation Mutating Engine developed by the Dark Avenger -- a self-described "King" of viruses from Bulgaria. The only difference is that this strain has a stealth capability beyond the reach of Norton or McAfee Anti-Virus programs latest updates, with the possible, but not probable exception of Dr. Soloman's Anti-Virus version 7.69. The encryption technique is incredible. The YUKON3U.mp virus is somehow compiled within the UUE code of the JPG itself, and when decoded will install the virus onto the boot sector of the hard drive, and lie in wait for the trigger date sometime in April (changing your internal system clock won't help since the trigger day changes with each infection). The only constant is the month itself. The simple fact of decoding the file via a newsreader or third-party decoder such as Wincode automatically runs and installs the virus without detection, thereby eliminating the wait for somebody actually launching the file by accident (we all know viruses do nothing unless they're launched). For all intents and purposes, the JPG is viewable without any problems and normal in every way, but there is a second file hiding within your boot sector without detection. One of the effects carries a nasty manipulation task which damages hardware -- an interrupt call set to a track value beyond 39, which will cause the drive heads to move past the inner track of the hard drive, causing the heads to stick on some models. That isn't the worst of it. Untitled posts which contain special BOTS that are basically invisible and cannot be seen or read by newsgroup readers have also been recently posted according to Dr. Soloman's web-site. These BOTS are capable of replacing ASCII characters within all posts in the Alt. Binaries newsgroups (i,e. H becomes S, G becomes F, and so on).
The BOTS are triggered to alter other user posts by certain words contained in the post, or by calling upon the Cancel Date of the article ( probably some time in April ). It's very possible that the same group who posted the KILL-BOTS last July are behind this second posting along with the YUKON3U.mp virii.

Although it is slightly more elaborate, and claims that information regarding Yukon has already been put onto the Dr. Solomon's Web site to lend credibility, this is still a hoax claim. Viewing a JPEG file cannot result in viral infection in the same way that you won't get a biological virus by looking at a photograph of somebody who's infected. Despite intense discussion, nobody has been able to provide proof of a virus damaging hardware. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.



AOL4FREE

Recently there has been a lot of confusion regarding "AOL4FREE". The confusion has been generated by three separate events:

  1. The AOL4FREE Macintosh Program.
  2. The distribution of an AOL4FREE hoax message (virus), which was spread via email and usenet newsgroups.
  3. The distribution of a genuine AOL4FREE.COM trojan horse program which was spread a few weeks later.

The AOL4FREE Macintosh Program

This was originally written to provide illegal free access to America Online. In the March 1997 issue of the CSI Computer Security Alert the following statement was made concerning the creator of that program:

"A former Yale computer science student has pleaded guilty to defrauding America Online. AOL estimates it lost between $40,000 and $70,000 in service charges because the student distributed his computer program, AOL4FREE, to hundreds of other users."

Note that any attempt to use the original AOL4FREE.COM program may subject you to prosecution.

THE AOL4FREE (Virus) HOAX

AOL4Free is not a virus. It is a hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to AOL4Free. The e-mail "warning" has been widely distributed on the largest online service provider, America Online (AOL), beginning sometime in March 1997. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.

The AOL4FREE Virus Warning Hoax message follows:

************************************************************************************

   VIRUS ALERT!!!
     DON'T OPEN E-MAIL NOTING "AOL4FREE"

   Anyone who receives this must send it to as many people as you can.  It
   is essential that this problem be reconciled as soon as possible.  A few
   hours ago, I opened an E-mail that had the subject heading of "AOL4FREE.COM".
   Within seconds of opening it, a window appeared and began to display my files
   that were being deleted.  I immediately shut down my computer, but it was too 
   late.  This virus wiped me out.  It ate the Anti-Virus Software that comes with
   the Windows '95 Program along with F-Prot AVS.  Neither was able to detect it.
   Please be careful and send this to as many people as possible, so maybe this
   new virus can be eliminated.

************************************************************************************

THE AOL4FREE.COM TROJAN HORSE

The AOL4FREE.COM trojan horse displays a message listing the directories on your hard drive it is deleting and may be followed by the message:

"YOUR COMPUTER HAS JUST BEEN FUCKED BY *VP* FUCK YOU AOL-LAMER"

A Trojan Horse is a program that deliberately does unpleasant things, as well as (or instead of) its declared function. They are not capable of spreading themselves and rely on users copying them. Because trojan horses do not replicate they are not viruses and are not frequently encountered.

It seems highly likely that this trojan horse was written as a response to the original hoax warning in an attempt to confuse computer users.

Please note: it does not attack users via use of the subject line of the email. The only way users can be damaged by this trojan is (like any other trojan) if they decide to run it.

We do not believe this trojan horse is particularly common.



Good Times

Good Times is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to Good Times. The e-mail Good Times "warning" was written by a couple of pranksters on America Online (AOL) sometime in 1994. Since then, it has traveled the Internet electronic mail system, spreading fear wherever it crops up. The message is just convincing enough that people spread the news to all of their friends. Needless to say, it has propagated itself well over the years. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.

The original "Good Times" hoax, posted and circulated in November and December of 1994, follows:

     Here is some important information. Beware of a file called Goodtimes.
     Happy Chanukah everyone, and be careful out there. There is a virus on 
     America Online being sent by E-Mail. If you get anything called "Good Times", 
     DON'T read it or download it. It is a virus that will erase your hard drive. 
     Forward this to all your friends. It may help them a lot.

Soon after the release of CIAC NOTES 04, another "Good Times" message was circulated. This is the same message that is being circulated during this recent "Good Times" rebirth. This message includes a claim that the Federal Communications Commission (FCC) released a warning about the danger of the "Good Times" virus, but the FCC did not and will not ever issue a virus warning.

The following is the expanded "Good Times" hoax message:

     The FCC released a warning last Wednesday concerning a matter of
     major importance to any regular user of the InterNet.  Apparently,
     a new computer virus has been engineered by a user of America
     Online that is unparalleled in its destructive capability.  Other,
     more well-known viruses such as Stoned, Airwolf, and Michaelangelo
     pale in comparison to the prospects of this newest creation by a
     warped mentality. 

     What makes this virus so terrifying, said the FCC, is the fact that
     no program needs to be exchanged for a new computer to be infected.
     It can be spread through the existing e-mail systems of the
     InterNet. Once a computer is infected, one of several things can
     happen.  If the computer contains a hard drive, that will most
     likely be destroyed. If the program is not stopped, the computer's
     processor will be placed in an nth-complexity infinite binary loop
     - which can severely damage the processor if left running that way
     too long.  Unfortunately, most novice computer users will not
     realize what is happening until it is far  too late.



Good Times Spoof

The following spoof of the good times hoax is too well done not to include here. It is only included for a little light relief.

READ THIS:

             Goodtimes will re-write your hard drive. Not only that, but
     it will scramble any disks that are even close to your computer. It
     will recalibrate your refrigerator's coolness setting so all your ice
     cream goes melty. It will demagnetize the strips on all your credit
     cards, screw up the tracking on your television and use subspace field
     harmonics to scratch any CD's you try to play.

             It will give your ex-girlfriend your new phone number. It
     will mix Kool-aid into your fishtank. It will drink all your beer and
     leave its socks out on the coffee table when there's company coming
     over. It will put a dead kitten in the back pocket of your good suit
     pants and hide your car keys when you are late for work.
 
             Goodtimes will make you fall in love with a penguin. It will
     give you nightmares about circus midgets. It will pour sugar in your
     gas tank and shave off both your eyebrows while dating your
     girlfriend behind your back and billing the dinner and hotel room to
     your Discover card.

              It will seduce your grandmother. It does not matter if she
     is dead, such is the power of Goodtimes, it reaches out beyond the
     grave to sully those things we hold most dear.
     
             It moves your car randomly around parking lots so you can't
     find it. It will kick your dog. It will leave libidinous messages on
     your boss's voice mail in your voice! It is insidious and subtle. It
     is dangerous and terrifying to behold. It is also a rather
     interesting shade of mauve.

             Goodtimes will give you Dutch Elm disease. It will leave the
     toilet seat up. It will make a batch of Methanphedime in your bathtub
     and then leave bacon cooking on the stove while it goes out to chase
     gradeschoolers with your new snowblower.

             Listen to me. Goodtimes does not exist.

             It cannot do anything to you. But I can. I am sending this
     message to everyone in the world. Tell your friends, tell your
     family. If anyone else sends me another E-mail about this fake
     Goodtimes Virus, I will turn hating them into a religion. I will do
     things to them that would make a horsehead in your bed look like
     Easter Sunday brunch.

So there, take that Good Times.



Penpal Greetings

Penpal Greetings is not a virus. It is a hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to Penpal Greetings. The e-mail message describing the virus is similar to the original Good Times virus e-mail hoax. It could even be described as a virus hoax strain. The Penpal Greetings hoax message includes the following "warning": This is a warning for all internet users - there is a dangerous virus propagating across the internet through an e-mail message entitled "PENPAL GREETINGS!" DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!" This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The "trojan horse" virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone who's e-mail address is present in YOUR mailbox! Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.

The hoax message follows:

     FYI!

     Subject:  Virus Alert
     Importance:  High
     If anyone receives mail entitled: PENPAL GREETINGS! please delete it WITHOUT 
     reading it.  Below is a little explanation of the message, and what it would 
     do to your PC if you were to read the message.  If you have any questions or 
     concerns please contact  SAF-IA Info Office on 697-5059.

     This is a warning for all internet users - there is a dangerous virus 
     propogating across the internet through an e-mail message entitled "PENPAL 
     GREETINGS!".  
     DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"
     This message appears to be a friendly letter asking you if you are 
     interestedin a penpal, but by the time you read this letter, it is too late.  
     The "trojan horse" virus will have already infected the boot sector of your hard 
     drive, destroying all of the data present.  It is a self-replicating virus, 
     and once the message is read, it will AUTOMATICALLY forward itself to anyone 
     who's e-mail address is present in YOUR mailbox!
     This virus will DESTROY your hard drive, and holds the potential to DESTROY 
     the hard drive of anyone whose mail is in your inbox, and who's mail is in 
     their inbox, and so on.  If this virus remains unchecked, it has the potential 
     to do a great deal of DAMAGE to computer networks worldwide!!!!
     Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it!
     And pass this message along to all of your friends and relatives, and the
     other readers of the newsgroups and mailing lists which you are on, so that 
     they are not hurt by this dangerous virus!!!!



Join The Crew

Join The Crew is not a virus. It is a hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to Join The Crew. The e-mail message describing the virus is similar to the original Good Times virus e-mail hoax. It could even be described as a virus hoax strain.

The hoax message follows:

WARNING!!!!!!
If you receive an e-mail titled "JOIN THE CREW" DO NOT open it!
It will erase EVERYTHING on your hard drive!
Send this letter out to as many people you can.
This is a new virus that is not yet detectable by McAfee or others.

Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.



Deeyenda

Deeyenda is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to Deeyenda. The word of this supposed virus has been spread through Internet electronic mail, from an apparent student at Carnegie Mellon University. The mail message describing the virus is taken from the original Good Times virus e-mail hoax. It could even be described as the first virus hoax strain. It even goes so far as to claim the warning is from the FCC (as does the Good Times hoax). Further, the message claims that this "[virus] rewrites your hard drive, obliterating anything on it." Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.

The hoax message follows:

             **********VIRUS ALERT**********
         
         
    VERY IMPORTANT INFORMATION, PLEASE READ!

    There is a computer virus that is being sent across the Internet.  If 
    you  receive an email message with the subject line "Deeyenda", DO NOT 
    read the message, DELETE it immediately!

    Some miscreant is sending email under the title "Deeyenda" nationwide, 
    if you get anything like this DON'T  DOWNLOAD THE FILE!  It has a virus 
    that rewrites your hard drive, obliterates anything on it.  Please be 
    careful and forward this e-mail to anyone you care about.

    Please read the message below.

    Alex
   
    -----------

             FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET

    The Internet community has again been plagued by  another computer 
    virus.  This message is being spread throughout the Internet, including 
    USENET posting, EMAIL, and other Internet activities.  The reason for 
    all the attention is because of the nature of this virus and the 
    potential security risk it makes.  Instead of a destructive Trojan 
    virus (like most viruses!), this virus referred to as Deeyenda Maddick, 
    performs a comprehensive search on your computer, looking for valuable 
    information, such as email and login passwords, credit cards, personal 
    inf., etc.

    The Deeyenda virus also has the capability to stay memory resident 
    while running a host of applications and operation systems, such as 
    Windows 3.11 and Windows 95.  What this means to Internet users is that 
    when a login and password are send to the server, this virus can copy 
    this information and SEND IT OUT TO UN UNKNOWN ADDRESS (varies).
         
    The reason for this warning is because the Deeyenda virus is virtually 
    undetectable.  Once attacked your computer will be unsecure.  Although 
    it can attack any O/S this virus is most likely to attack those users 
    viewing Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet 
    Explorer 3.0+ which are running under Windows 95).  Researchers at 
    Princeton University have found this virus on a number of World Wide 
    Web pagesand fear its spread.

    Please pass this on, for we must alert the general public at the 
    security risks.



Irina

In September 1996, Penguin Books published a press release announcing the launch of an interactive novel called Irina. Various parts of this press release led some readers to believe that a new virus was spreading over the Internet and World Wide Web. Penguin Books published a second press release soon after, but the word had already spread beyond recall. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.

The original hoax message follows:

     FYI
     There is a computer virus that is being sent across the Internet.
     If you receive an e-mail message with the subject line "Irina", DONOT
     read the message. DELETE it immediately.
     Some miscreant is sending people files under the title "Irina". If
     you receive this mail or file, do not download it. It has a virus
     that rewrites your hard drive, obliterating anything on it. Please be
     careful and forward this mail to anyone you care about.

     ( Information received from the Professor Edward Prideaux, College of
     Slavonic Studies, London ).



Ghost

The Ghost screen saver program was originally distributed as a freeware product. When activated, the display window shows a Halloween setting with ghosts flying around. If activated on any Friday the 13th, the title screen changes and the ghosts fly around the entire screen, beyond the boundaries of the display window. Word spread that this program was a virus or trojan horse, probably as a result of the program's change in behavior on Friday the 13th. The Symantec AntiVirus Research Center (SARC), amongst others, has analyzed, in exacting detail, the original files in question and determined that the program is innocent of all accusations. It is neither a trojan horse nor a virus. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.



Free Money

Free Money is not a virus. It is a hoax. The "virus" does not exist. There is currently no virus that has the characteristics ascribed to Free Money. As outlined below, the supposed capabilities of this virus hoax defy all reason and common sense. It is an obvious sham, meant only to panic new or inexperienced computer users. The hoax message includes the following "warning": There is a computer virus that is being sent across the Internet. If you receive an e-mail message with the subject line "Free Money," DO NOT read the message. DELETE it immediately, UNPLUG your computer, then BURN IT to ASHES in a government-approved toxic waste disposal INCINERATOR. Once a computer is infected, it will be TOO LATE. Your computer will begin to emit a vile ODOR. Then it will secrete a foul, milky DISCHARGE. Verily, it shall SCREECH with the tortured, monitor-shattering SCREAM of 1,000 hell-scorched souls, drawing unwanted attention to your cubicle from co-workers and supervisors alike. After violently ripping itself from the wall, your computer will punch through your office window as it STREAKS into the night, HOWLING like a BANSHEE. Once free, it will spend the rest of its days CRUSHING household PETS and MOCKING the POPE. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.



Death69

Death69 is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to death69. As with most virus hoaxes, the message over-exaggerates the necessity to pass the message on to everyone the reader knows, claims that the "virus" can perform physical destruction to computer parts and quotes an authority figure in an attempt to lend more credibility to the often absurd claims. The hoax was first discovered posted to a newsgroup on Prodigy in early December 1996. The message includes the following "warning:" There is a new horrible virus on the loose! created late November by elite hacker "DEATH-BLAZE." The virus is full stealth and Trojan, once thought never possible, it first formats the hard drive, then it physically eats at the materials of the drive. researchers are stunned, they say it is probably the most destructive virus ever created. The virus's name is "death69" witch as I stated earlier was created by elite hacker "DEATH-BLAZE" The closing statement of the message claims that the warning was "written by the technicians at Norton Antivirus! distribute freely." Symantec and the Symantec AntiVirus Research Center have never released such a notice. Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.



PKZip Trojan, PKZ300B.ZIP

Although this trojan horse at one time existed, there has been no reported infection or destruction caused by it since late 1995. The rumor of its existence, however, has been quickly spreading through Internet mail from the time it was first discovered. This trojan horse program, although it did exist at one time, is now more a rumor or hoax than an actual threat to the public. It has caused more damage and concern through its rumored existence than by direct action of the program itself.

For those interested, here is a summary of how the original strain functioned. Again, it is not currently considered in distribution and is not considered a threat to the public.

3b Trojan is a Trojan Horse program that claims to be the latest version of PKZIP, Version 3.0g, from PKWARE Inc. 3b Trojan was first received by the Symantec AntiVirus Research Center in late July 1995. The definition (fingerprint) was integrated into the August 1995 virus definition set and has been part of every update since that initial release.

3b Trojan is not a virus. Trojan Horse programs do not replicate and spread themselves. Instead, they masquerade as legitimate programs, in this case, as a new release of PKZIP. Users download these programs, thinking them beneficial, and run them. For the event, or trigger, to take place, users must manually download these files and consciously run them. The vast majority of Trojan Horse programs are written with a destructive intention.

3b Trojan has been distributed under the following names: (a) PKZ300B.EXE (b) PKZ300B.ZIP (c) PKZIP300.EXE (d) PKZIP300.ZIP

The triggered event is to format the hard drive. The "self-extracting" versions of the executable (.EXE) files for 3b Trojan (.EXE) and the "PKZIP" program within it have this trigger. There have also been reports that 3b Trojan "affects modems of 1.44 and higher." These accounts are incorrect: 3b Trojan has no such capability.

As of November 1996, only the following releases of the DOS PKZIP program are valid: (a) 1.10 (b) 1.93 (c) 2.04c (d) 2.04e (e) 2.04g

In response to 3b Trojan, PKWARE Inc. has issued the following statement:

     !!! PKZIP Trojan Horse Version - (Originally Posted May 1995) !!!
     It has come to the attention of PKWARE that a fake version of PKZIP is being 
     distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from 
     PKWARE and it will attempt to erase your hard drive if run. It attempts to 
     perform a deletion of all the directories of your current drive. If you have 
     any information as to the creators of this trojan horse, PKWARE would be 
     extremely interested to hear from you. If you have any other questions about 
     this fake version, please e-mail support@pkware.com



Red Alert

In November of 1996, a false warning was posted to several sites on the Internet that the Microsoft home page was distributing a virus. The creator of the message quoted a well known anti-virus developer, Mikko Hypponen of Data Fellows, to lend credibility to the false claims. The following statement was issued by Mikko Hypponen:

     This is a warning on a nasty hoax that has been distributed on several
     mailing lists and in usenet news. The hoax message is falsely attributed
     to me (Mikko.Hypponen@datafellows.com). This false warning urges people
     to stay off Microsoft's home page and not to use Microsoft Internet
     Explorer, because the 'Microsoft home page is possibly infected by a
     virus'. This is nonsense. If you have seen this warning, please pass on
     this message, and please do not redistribute the original warning any
     more.

Please ignore any messages regarding this supposed "virus" and do not pass on any messages regarding it. Passing on messages about this hoax serves only to further propagate it.



History of Virus Hoaxes

Since 1988, computer virus hoaxes have been circulating the Internet. In October of that year, according to Ferbrache ("A pathology of Computer Viruses" Springer, London, 1992) one of the first virus hoaxes was the 2400 baud modem virus:

        SUBJ: Really Nasty Virus
        AREA: GENERAL (1)
        
        I've just discovered probably the world's worst computer virus 
        yet. I had just finished a late night session of BBS'ing and file 
        treading when I exited Telix 3 and attempted to run pkxarc to 
        unarc the software I had downloaded. Next thing I knew my hard 
        disk was seeking all over and it was apparently writing random 
        sectors. Thank god for strong coffee and a recent backup. 
        Everything was back to normal, so I called the BBS again and 
        downloaded a file. When I went to use ddir to list the directory, 
        my hard disk was getting trashed again. I tried Procomm Plus TD 
        and also PC Talk 3. Same results every time. Something was up so I 
        hooked up to my test equipment and different modems (I do research 
        and development for a local computer telecommunications company 
        and have an in-house lab at my disposal). After another hour of 
        corrupted hard drives I found what I think is the world's worst 
        computer virus yet. The virus distributes itself on the modem sub-
        carrier present in all 2400 baud and up modems. The sub-carrier is 
        used for ROM and register debugging purposes only, and otherwise 
        serves no othr (sp) purpose. The virus sets a bit pattern in one 
        of the internal modem registers, but it seemed to screw up the 
        other registers on my USR. A modem that has been "infected" with 
        this virus will then transmit the virus to other modems that use a 
        subcarrier (I suppose those who use 300 and 1200 baud modems 
        should be immune). The virus then attaches itself to all binary 
        incoming data and infects the host computer's hard disk. The only 
        way to get rid of this virus is to completely reset all the modem 
        registers by hand, but I haven't found a way to vaccinate a modem 
        against the virus, but there is the possibility of building a 
        subcarrier filter. I am calling on a 1200 baud modem to enter this 
        message, and have advised the sysops of the two other boards 
        (names withheld). I don't know how this virus originated, but I'm 
        sure it is the work of someone in the computer telecommunications 
        field such as myself. Probably the best thing to do now is to 
        stick to 1200 baud until we figure this thing out.

        Mike RoChenle

This bogus virus description spawned a humorous alert by Robert Morris III:

        Date: 11-31-88 (24:60)  Number: 32769
        To: ALL Refer#: NONE
        From: ROBERT MORRIS III Read: (N/A)
        Subj: VIRUS ALERT       Status: PUBLIC MESSAGE
        
        Warning: There's a new virus on the loose that's worse than 
        anything I've seen before! It gets in through the power line, 
        riding on the powerline 60 Hz subcarrier. It works by changing the 
        serial port pinouts, and by reversing the direction one's disks 
        spin. Over 300,000 systems have been hit by it here in Murphy, 
        West Dakota alone! And that's just in the last 12 minutes.
        
        It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac, 
        RSX-11, ITS, TRS-80, and VHS systems.
        
        To prevent the spread of the worm:
        
        1) Don't use the powerline.
        2) Don't use batteries either, since there are rumors that this 
          virus has invaded most major battery plants and is infecting the 
          positive poles of the batteries. (You might try hooking up just 
          the negative pole.)
        3) Don't upload or download files.
        4) Don't store files on floppy disks or hard disks.
        5) Don't read messages. Not even this one!
        6) Don't use serial ports, modems, or phone lines.
        7) Don't use keyboards, screens, or printers.
        8) Don't use switches, CPUs, memories, microprocessors, or 
          mainframes.
        9) Don't use electric lights, electric or gas heat or 
          airconditioning, running water, writing, fire, clothing or the 
          wheel.
        
        I'm sure if we are all careful to follow these 9 easy steps, this 
        virus can be eradicated, and the precious electronic fluids of 
        our computers can be kept pure.
        
        ---RTM III

Since that time virus hoaxes have flooded the Internet. With thousands of viruses worldwide, virus paranoia in the community has risen to an extremely high level. It is this paranoia that fuels virus hoaxes. A good example of this behavior is the "Good Times" virus hoax which started in 1994 and is still circulating the Internet today. Instead of spreading from one computer to another by itself, Good Times relies on people to pass it along.



How to Identify a Hoax

There are several methods to identify virus hoaxes, but first consider what makes a successful hoax on the Internet. Two known factors make a virus hoax successful: (1) technical-sounding language, and (2) credibility by association. If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this, it sounds like it might be something real. With a little research, you find that there is no such thing as an nth-complexity infinite binary loop and that processors are designed to run loops for weeks at a time without damage.

When we say credibility by association, we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations.

Individuals should also be especially alert if the warning urges you to pass it on to your friends. This should raise a red flag that the warning may be a hoax. Another flag to watch for is when the warning indicates that it is a Federal Communications Commission (FCC) warning. According to the FCC, they have not and never will disseminate warnings on viruses. It is not part of their job.

CIAC recommends that you DO NOT circulate virus warnings without first checking with an authoritative source. Authoritative sources are your computer system security administrator or a computer incident advisory team. Real warnings about viruses and other network problems are issued by different response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP. If you download a warning from a team's web site or validate the PGP signature, you can usually be assured that the warning is real. Warnings without the name of the person sending the original notice, or warnings with names, addresses and phone numbers that do not actually exist are probably hoaxes.



What to Do When You Receive a Warning

Upon receiving a warning, you should examine its PGP signature to see that it is from a real response team or antivirus organization. To do so, you will need a copy of the PGP software and the public signature of the team that sent the message. The CIAC signature is available from the CIAC web server at: http://ciac.llnl.gov/

If there is no PGP signature, see if the warning includes the name of the person submitting the original warning. Contact that person to see if he/she really wrote the warning and if he/she really touched the virus. If he/she is passing on a rumor, or if the address of the person does not exist, or if there are any questions about the authenticity of the warning, do not circulate it to others. Instead, send the warning to your computer security manager or incident response team and let them validate it. When in doubt, do not send it out to the world. Your computer security managers and the incident response teams have experts who try to stay current on viruses and their warnings.

In addition, most anti-virus companies have a web page containing information about most known viruses and hoaxes. You can also call or check the web site of the company that produces the product that is supposed to contain the virus. Checking the PKWARE site for the current releases of PKZip would stop the circulation of the warning about PKZ300 since there is no released version 3 of PKZip. Another useful web site is the "Computer Virus Myths home page" (http://www.kumite.com/myths/) which contains descriptions of several known hoaxes. In most cases, common sense would eliminate Internet hoaxes.
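
The red flags from "How to Identify a Hoax" and the decision steps from this section, combined into one triage routine. This is an added example, not part of the original FAQ: the function names, action labels and regular expressions are assumptions of the example, and the sample messages are constructed.

```python
import re

# Red flags the FAQ names; the regexes are this example's guesses at their wording.
RED_FLAGS = {
    "urges_forwarding": re.compile(
        r"\b(pass (this|it) (on|along)|forward (this|it)|distribute freely|"
        r"(send|tell) (this |it )?to (everyone|all))", re.I),
    "claims_fcc_source": re.compile(r"\bFCC\b|Federal Communications? Commission", re.I),
    "physical_damage_claim": re.compile(
        r"\b(physically|severely damage|eats at)\b.{0,60}\b(drive|processor|modem|monitor)",
        re.I | re.S),
}
# ASCII-armored clearsigned message. Presence alone proves nothing: the signature
# still has to be verified with PGP against the response team's public key.
PGP_CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----.*?-----BEGIN PGP SIGNATURE-----"
    r".*?-----END PGP SIGNATURE-----", re.S)

def red_flags(text):
    """Names of the red flags found in the message, in sorted order."""
    return sorted(name for name, rx in RED_FLAGS.items() if rx.search(text))

def triage(text, originator_confirmed=None):
    """Return (action, flags). originator_confirmed: None = not yet contacted,
    True = the named person confirms writing it, False = rumor or unreachable."""
    flags = red_flags(text)
    if PGP_CLEARSIGNED.search(text):
        return "VERIFY_SIGNATURE", flags
    if flags or originator_confirmed is False:
        return "ESCALATE_DO_NOT_FORWARD", flags
    if originator_confirmed is None:
        return "CONTACT_ORIGINATOR", flags
    return "ORIGINATOR_CONFIRMED", flags

# Constructed samples: the first reuses wording from the Death69 hoax quoted earlier.
DEATH69 = ('There is a new horrible virus on the loose! it first formats the hard '
           'drive, then it physically eats at the materials of the drive. written '
           'by the technicians at Norton Antivirus! distribute freely.')
SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\n\nAdvisory text (constructed).\n"
          "-----BEGIN PGP SIGNATURE-----\n(placeholder, not a real signature)\n"
          "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for name, msg in (("death69", DEATH69), ("signed", SIGNED)):
        print(name, triage(msg))
```

A signed message is never cleared by this routine; it is only routed to the signature check, because anyone can paste armor lines into a forged warning.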



Acknowledgements

A big thank you goes to the following companies/individuals for some of the content in this FAQ:


Comments, suggestions, etc. on this FAQ, its contents, new hoaxes, etc., should be addressed to the FAQ maintainer at the email address below.


Author: Martin Overton
E-Mail: ChekWARE@Cavalry.com
Last updated: 09 October 1997