"It’s the End of
the World
(as we know it)"
by Graham Cluley
[See also: Hoaxes and Hypes or The Hoax FAQ]
April 1997
Good Times/ Irina/
Deeyenda/ PenPal Greetings/
Ghost/ Free Money/ Eyes/
Sheep/ References/ AOL4FREE
Finally
In the old days only bearded techies with sandals were on the Internet. They were heavily into computers, they understood how computers worked (they had to in order to get on the net in the first place) - in a nutshell they were academic types.
But times have changed. Today "the information superhighway" has caught the public’s imagination, and Joe Public can’t go anywhere without seeing magazines blaring on about the importance of being "wired" and how they’re not anyone in the nineties if they’ve not got a webpage.
And today the guys with the beards and sandals are in the minority – becoming vastly outnumbered by the masses on America OnLine, CompuServe, MSN, and other easy-to-use service providers. Not all these service providers necessarily offer the same abilities as a raw direct connection to the net, but that doesn’t matter to the masses. They want something that’s pretty, and simple to navigate about with using a mouse, and - most vitally - gives them email.
With email they can make friends, and keep in touch with people they would never dream of telephoning or writing a letter to. It’s quick and simple and doesn’t require walking down the road to a post box.
Furthermore if someone emails you a funny joke you can forward it to all your friends. Very little effort and everyone thinks you’re the funniest chap around.. and no chance of you fluffing the punch line.
Another great thing about the internet is it can give people a sense of community. Anyone who has dropped into a newsgroup like alt.comp.virus soon finds out that it’s the equivalent of meeting friends down the pub. Although people are always quick to assist those who have a virus problem, they’re also there to chat about anything and everything.
I have an account with an online conferencing system. Its Internet connection is pretty lousy, its newsfeed is patchy, but the reason why I and thousands of others choose to stay with it is because it’s "comfortable", it’s a community, it’s where our friends hang out.
As well as sharing jokes with friends to keep them amused, we’re also concerned about their welfare. And if we hear about a problem it’s natural to warn our friends as well.
It is this concern for fellow computer users which has ignited hoaxes into a significant problem.
The "Mother" of all hoaxes has to be "Good Times":
There are a number of different versions of Good Times, some are more elaborate than others. Here’s an example Good Times warning:
| Here is some important information. Beware of a file
called Goodtimes.
Happy Chanukah everyone, and be careful out there.There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times", DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot. |
Messages similar to the one above began to be spread around the net and the internal mail systems of corporate companies in 1994. It has propagated itself extremely well, and media organizations have not helped the problem by on occasion printing the hoax as fact (and thus adding even more credibility to the story).
Those of us with knowledge of how viruses can and cannot work knew instantly that Good Times was a hoax, but the average user who knows little about computers let alone viruses could easily believe the message. This belief was further encouraged when another version of the hoax claimed that the US FCC (Federal Communications Commission) had issued a warning about the "virus". The FCC were quick to debunk this but of course few people took time to check.
After it’s initial burst in 1994, Good Times went quiet for a while. Many people breathed a sigh of relief hoping we had seen the last of it. But then it burst into life again - if anything even more brightly than before.
The theory is that every so often a hoax will "get lucky" again. Just like a virus can "get lucky" by being accidentally shipped with commercial software, or being made available on a popular website, so a hoax can become lucky if some (albeit well-intentioned) individual or company receives the hoax warning and decides to "tell all their friends".
This behaviour has also been seen in many of the other hoaxes discussed in this paper.
In summary (I feel I have to say this every time): Good Times is a hoax, not a real virus.
I first heard of Irina on the morning of September 20th 1996. It was the second morning of the Virus Bulletin conference in Brighton, England, and I received a message to call Robert Uhlig of The Daily Telegraph about a brand new virus called "Irina".
Uhlig asked me if we detected the virus and I responded that the name was unfamiliar to me (maybe it was a new virus which another anti-virus company had named?) and asked him for more information.
It transpired that Robert Uhlig had received a mail from a Professor Edward Prideaux at the College of Slavonic Studies warning of the new virus.
| A computer virus is being sent across the Internet. If you receive an e-mail message with the subject line "Irina", DO NOT read the message. DELETE it immediately. Some miscreant is sending people and files under the title "Irina". If you receive this mail or file, do not download it. It has a virus that rewrites your hard drive, obliterating anything on it. Please surf carefully and forward this mail to anyone you care about. |
As Uhlig began to describe what the virus was supposed to do it became obvious that it was a hoax. After a little investigation the whole story then began to emerge..
The Irina hoax was a "marketing ploy" by a UK publisher, Penguin Books, to promote a new book of theirs. Guy Gadney, the former head of electronic publishing at Penguin, sent out a "virus alert" in an attempt to stir up interest in their new book. Unfortunately the alert did not make clear that it was a hoax and not supposed to be taken seriously.
The alert claimed to be from a Professor Edward Prideaux at the College of Slavonic Studies in London. The College of Slavonic Studies does not exist, but London's School of Slavonic and East European Studies was reportedly inundated with calls to the fictitious Professor Prideaux.
Although Gadney sent out a second letter explaining that the first was a hoax, it has done little to stop the spread of the alert, and it is now beyond anyone's control.
To promote "Irina" Penguin Books targeted the science fiction community and a significant number of science fiction periodicals and writers (many of whom had an internet connection) received the original version of the hoax.
The United Kingdom science fiction magazine Ansible was one of the publications to pick up on the story, and they did their best to limit the spread of the panic in Issue 111 (reprinted with permission from the editor of Ansible magazine):
| "The hoax flyer was traceable, through characteristic typos in
address labels, to the Penguin sf review mailing list! Several people alerted
Penguin to the abuse of their database ... only to be gobsmacked by flyer
#2, this time on Penguin notepaper, which coyly began:
`You may have received a letter from a Professor Edward Prideaux recently falsely warning of a virus called "Irina". Please note that "Irina" _is not a virus_, and the views of Prof. Prideaux are not those of Penguin Books. "Irina" is the title of Penguin Books' ground-breaking interactive novel ... put together by the science fiction author, Stephen Baxter, by Guy Gadney, former Head of Electronic Publishing at Penguin, and Hugh Barnes, an Executive Editor at Penguin.' That is, Penguin had started a virus scare (which of course went round the world by e-mail in mere hours) simply to promote the bloody book. Steve Baxter hastened to proclaim his innocence: `I did know they were planning a teaser-type PR campaign, but....' Various net and virus pundits pissed on Penguin from a great height; the Telegraph (23 Sept) quoted Guy Gadney as blandly saying, `It is very unfortunate that we have created a scare -- it was not our intention.' Ansible wondered whether what seemed daft here would pass unremarked in the hurly-burly of New York publishing ... but Patrick Nielsen Hayden of Tor assured me, `If my publicity people had done that, I'd hang them out to dry, and you may quote me to the fine people at Penguin UK. [] What's most offensive is their obvious belief that their need to publicize Baxter's book is more important than the rules of courtesy and common sense followed by the internet's little people. I'm sure I could get a lot of publicity by towing a billboard for my books down the wrong side of Fifth Avenue at seventy-five miles an hour, too, but it wouldn't make it a smart thing to do.' Now Guy Gadney explains: `The intention of the release was to convey the tone and the conspiratorial nature both of the plot of the novel, and of some areas of the Internet itself.' (Thus, for example, a book about political assassination might similarly have been promoted by mailing death threats to cabinet ministers ... plenty of publicity there.) `Of course, we were keen that the information should be kept by the journalists and not sent out electronically.' (Disingenuous. To quote the first flyer: `Please be careful and forward this mail to anyone you care about ... Alert your friends and local system users.' Now, boys and girls, when people are urgently told to warn their e-mail contacts, what route are they most likely to use?) `To this end, the release was sent in hard copy by post to named individuals to avoid any wider dissemination.' (I'm certainly glad it didn't go to any of that notoriously indiscreet subset of humanity which lacks names. Sending scary information to journalists is of course a well-known way `to avoid any wider dissemination'.) `We also took steps to make sure that neither Professor Prideaux nor the College of Slavonic Studies exist outside the novel itself.' (It's good to know that some people have the integrity to make Really Sure they're signing a false name.) `As regards the project itself, Stephen and I have been working together to produce what we believe is a true and seamless joining of technology and fictional story-telling. Based around the web sites of the key characters rather than an episodic, page-turning exercise, Irina is a ground-breaking project both for Stephen and Penguin. [] I am sorry about any misunderstanding and hope that you will find Irina interesting.' (Er, what misunderstanding? A straightforward `Sorry we acted like utter loons' would have been more to the point, but let it pass....) |
clipping from Ansible Issue 111
Ansible wrote again about the Irina fiasco in their next edition, where they revealed that Penguin Books were taking an interesting approach to the problem.
| MAD PENGUIN DISEASE.
Because I am a kindly soul, I don't really want to go on and on at Penguin for their lame-brained publicity stunt of a computer virus hoax. However ... the lie still continues to propagate around the net, and Penguin's Guy Gadney has developed a damage-control response which irritatingly glosses over little matters like culpability: `There is an Interactive Novel which you can access from the Penguin Books homepage at www.penguin.co.uk called "Irina" after the main character Irina Zotova. This has conflicted with reports of a virus called Irina which does not exist and the Professor Edward Prideaux mentioned is a character in the story. The virus rumour has been checked by experts in the UK and it has been confirmed that there is currently no "Irina" virus to guard against and that an email erroneously circulated to a mailing list was at the root of this rumour.' Admiring this wholehearted apology, this eager readiness to shoulder the blame, one is compelled to the realization that Guy Gadney is wasted in publishing and should move to a career in politics. As soon as possible. |
clipping from Ansible Issue 112
At the time it was suggested that Penguin Books should provide a statement on their website, reassuring computer users that the Irina virus was a hoax, but to my knowledge nothing appeared. Furthermore I was bombarded with requests for Guy Gadney’s email address (I do have it, but I declined all requests in a rare display of mercy) from system administrators who wanted to forward their panicking users directly to him.
It seems I wasn’t alone in receiving requests for details on how to have Gadney’s head on a silver plate, as in the 3rd December 1996 edition of PC Week (UK Edition) one reader wrote in:
| Getting back at Penguin
Thank you for revealing Penguin Books’ cruel Irina hoax (PC Week 26 November) which has caused us a lot of problems with concerned users. Why don’t you publish the Email address of the person responsible or of the editor-in-chief? We could then forward every single mail we’ve received from our panicked users over the past few weeks Mat Ellis Mat.Ellis@pepsicofoodinstl.sprint.com Editor replies: We have received a letter from Penguin’s publicity director apologizing (sic) for the concern its spoof caused. |
clipping from PC Week (UK), December 3rd 1996
I am sure that Penguin Books are extremely embarrassed by the whole incident, and will be vary wary of conducting a similar spoof to promote a new publication in the future. Other companies should observe Penguin’s discomfort and avoid engaging in similar publicity stunts.
None of this, of course, stops the hoax from spreading and unfortunately, many companies and individuals continue to fall for this hoax. Ironically one victim was the anti-virus company McAfee whose Moscow office deemed the hoax genuine (!) and faxed out a warning about the "virus" alongside a genuine alert about Bandung to its customers on October 31st 1996:
It could be argued that in this way Irina "got lucky". By sneaking into a message from an anti-virus company it gained the ultimate credibility.
In summary (sorry if this is getting tedious.. but we need to get the
message across): Irina is a hoax, not a real virus.
In many ways Deeyenda is similar to the Good Times hoax. The warning shares similarities (even dragging the FCC in again) and claims to spread in the same way (by reading a message with a particular subject line).
| VERY IMPORTANT INFORMATION. PLEASE READ! There is a computer virus
that is being sent across the internet. If you receive an email message
with the subject line "Deeyenda", DO NOT read the message. DELETE
it immediately! If you run across anything like this DON'T DOWNLOAD THE
FILE! It has a virus that rewrites your hard drive, obliterating anything
on it. Please be careful and forward this message to anyone who you believe
this may affect. The message below gives additional information.
FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET The Internet community has again been plagued by another computer virus. This message is being spread throughout the Internet, including USENET posting, EMAIL, and other Internet activities. The reason for all the attention is because of the nature of this virus and the potential security risk it makes. Instead of a destructive Trojan virus (like most viruses!), this virus referred to as Deeyenda Maddick, performs a comprehensive search on your computer, looking for valuable information such as email and login passwords, credit cards, personal inf., etc. The Deeyenda virus also has the capability to stay memory resident while running a host of applications and operation systems, such as Windows 3.11 and Windows 95. What this means to Internet users is that when a login and Password are sent to the server, this virus can copy this information and SEND IT OUT TO AN UNKNOWN ADDRESS (varies). The reason for this warning is because the Deeyenda virus is virtually undetectable. Once attacked, your computer will be unsecure. Although it can attack any O/S, this virus is most likely to attack those viewing Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet Explorer 3.0+ which are running under Windows 95). Researchers at Princeton University have found this virus on a number of World Wide Web pages and fear its spread. Please pass this on, for we must alert the general public of the security risks. |
It was pointed out to me sometime after I first encountered the Deeyenda hoax that "Deeyenda Maddick" sounds phonetically like "The end of my dick". I guess that I was not alone in failing to spot that, and maybe that is once again an effect of communicating via email. If I was discussing this email message face-to-face with someone then the crude joke in the name would have become apparent. Electronic discussion, however, fails to make it obvious.
In summary: Deeyenda is a hoax, not a real virus.
In many ways PenPal Greetings is similar to "Good Times":
| If anyone receives mail entitled: PENPAL GREETINGS! please delete it
WITHOUT reading it. Below is a little explanation of the message, and what
it would do to your PC if you were to read the message:
This is a warning for all internet users - there is a dangerous virus propagating across the internet through an e-mail message entitled "PENPAL GREETINGS!". DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!" This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The "trojan horse" virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone who's e-mail address is present in YOUR mailbox! This virus will DESTROY your hard drive, and holds the potential to DESTROY the hard drive of anyone whose mail is in your inbox, and who's mail is in their inbox, and so on. If this virus remains unchecked, it has the potential to do a great deal of DAMAGE to computer networks worldwide!!!! Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it! And pass this message along to all of your friends and relatives, and the other readers of the newsgroups and mailing lists which you are on, so that they are not hurt by this dangerous virus!!!! |
The sad truth is that despite users having been barraged with the Good Times hoax, and the Deeyenda hoax not everyone was aware that they had been the victim of a hoax. Furthermore there were still many more users who hadn’t received a similar warning in the past. So, despite the similarities in this hoax to previous examples the PenPal Greetings hoax has also managed to spread far and wide.
In summary: PenPal Greetings is a hoax, not a real virus.
Ghost is not a virus. But it’s also not quite the same as the e-mail chain letter hoaxes such as Good Times and Deeyenda.
Ghost is an innocent program which has received excessive publicity online after being falsely accused of containing malicious code. Ghost is a fun Windows program designed to entertain idle users in a similar vein to a screensaver. A graveyard is displayed and ghosts fly around the window in front of a full moon. On Friday the 13th, the title bar changes to 'Happy Friday the 13th!' and the ghosts start flying around the Windows desktop.
According to reports on McAfee’s CompuServe forum a version of their anti-virus product identified the program as being infected with the "GHOST virus". For a while confusion reigned as all other anti-virus products declared the file to be clean, and anti-virus researchers were unable to find anything suspicious in the file.
McAfee later confirmed that the file was indeed clean and did not perform any malicious activity. It has been suggested that it was possible that McAfee’s intention was to label the file as a known ‘joke’ program to reassure those who felt it was a virus, and that’s why detection for the program was added to their database. Some anti-virus programs do detect common ‘joke’ programs (such as BONK) to reassure users who may think they are suspect.
All samples seen so far by anti-virus developers have proven to be benign.
However, please be aware that although these are not viruses, the programs
themselves could be infected in the future.
This hoax is similar to "Good Times", but taken to a somewhat more melodramatic level:
| There is a computer virus that is being sent across the Internet. If
you receive an e-mail message with the subject line "Free Money,"
DO NOT read the message. DELETE it immediately, UNPLUG your computer, then
BURN IT to ASHES in a government-approved toxic waste disposal INCINERATOR.
Once a computer is infected, it will be TOO LATE. Your computer will begin to emit a vile ODOR. Then it will secrete a foul, milky DISCHARGE. Verily, it shall SCREECH with the tortured, monitor-shattering SCREAM of 1,000 hell-scorched souls, drawing unwanted attention to your cubicle from co-workers and supervisors alike. After violently ripping itself from the wall, your computer will punch through your office window as it STREAKS into the night, HOWLING like a BANSHEE. Once free, it will spend the rest of its days CRUSHING household PETS and MOCKING the POPE. |
It’s hard to believe that such a sensational payload like this can be believable. But this hoax still spreads and some users are still concerned and contact their technical support department. In this way the message is still a troublesome nuisance.
In summary: Free Money is a hoax, not a real virus.
Like Ghost this is another program which has been mistakenly accused of being virus infected. It is just another simple ‘joke’ program which has proven harmless.
All samples seen so far by anti-virus developers have proven to be benign.
However, please be aware that although these are not viruses, the programs
themselves could be infected in the future.
THIS WAS SENT TO ME BY TWO PEOPLE. PLEASE BEWARE_
Anyone who receives this must send it to as many people as you can. It is essential that this problem be reconciled as soon as possible. A few hours ago, I opened an E-mail that had the subject heading of aol4free.com. Within seconds of opening it, a window appeared and began to display my files that were being deleted. I immediately shut down my computer, but it was too late. This virus wiped me out. It ate the Anti-Virus Software that comes with the Windows '95 Program along with F-Prot AVS. Neither was able to detect it. Please be careful and send this to as many people as possible, so maybe this new virus can be eliminated.
As with the majority of virus hoaxes, this claims to be triggered when
opening an e-mail, which is not possible.
A pirated copy of a commercial Japanese software program called "Stray Sheep Screen Mate" has been distributed on the net. It displays pictures of bouncing sheep. 'Stray Sheep' is apparently a very popular animated television series in Japan and the sheep is the star of the show.
Rumours have circulated that the program is infected with a virus. All the samples seen by anti-virus developers to date have proven to be benign. Of course it is unethical and irresponsible to pirate commercial software. However, please be aware that although these are not viruses, the programs themselves could be infected.
Sheep, Eyes, and Ghost could all - of course - be infected in the future
by a virus like any other program.
General hoax, hype and hysteria information
| Dr Solomon’s Virus Central: http://www.drsolomon.com/vircen
DataFellows hoax information: http://www.datafellows.fi/news/hoax.htm IBM AntiVirus Online hype alerts: http://www.av.ibm.com/BreakingNews/HypeAlert/ US Department of Energy CIAC (Computer Incident Advisory Capability) Hoax information: http://ciac.llnl.gov/ciac/CIACHoaxes.html Stiller Research Hoax information: http://www.stiller.com/hoaxes.htm Symantec AntiVirus Research Center Hoax information: http://www.symantec.com/avcenter/hoax.html |
Good Times specific references
| The Good Times Virus Hoax FAQ: http://www.public.usit.net/lesjones/goodtimes.html
The FCC debunk rumour that they issued a warning about Good Times: http://www.fcc.gov/Bureaus/Miscellaneous/Public_Notices/pnmc5036.txt |
Irina specific references
| Irina- the interactive novel on Penguin’s website: http://194.217.172.1/Penguin/homepages/index.html
The real School of Slavonic and East European Studies: http://www.ssees.ac.uk McAfee Russia: http://www.mcafee.ru PC Week story about how McAfee Russia fell for the Irina hoax: http://www.vnu.co.uk:81/ip_user/owa/story.item?c_mag_id=1&c_story_id=12844 Ansible, a Science Fiction ezine: Dave Langford, 94 London Road, Reading, Berkshire, RG1 5AU, UK. Fax: 0118 966 9914. ISSN 0256-9816 email: ansible@cix.co.uk |
Sheep specific references
| Village Center Corporation, distributors of "Stray Sheep Screen
Mate": http://www.villagecenter.co.jp/
Details of the Stray Sheep TV series and fan club: http://www.fujiint.co.uk/straysheep/index.html |
Miscellaneous
| Nothing to do with computer virus hoaxes, but an entertaining page about hoaxes carried out in real-life: http://www.nepenthes.com/Hacks/index.html |
Just as I was finishing this paper I received the following message in my email. I thought you would appreciate it.
| The latest breaking news on the GOODTIMES virus.
It turns out that this so-called hoax virus is very dangerous after all. Goodtimes will re-write your hard drive. Not only that, it will scramble any disks that are even close to your computer. It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CDs you try to play. It will give your ex-girlfriend your new phone number. It will mix Kool-aid into your fishtank. It will drink all your beer and leave dirty socks on the coffee table when company comes over. It will put a dead kitten in the back pocket of your good suit pants and hide your car keys when you are late for work. Goodtimes will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your girlfriend behind your back and billing the dinner and hotel room to your Discover card. It will seduce your grandmother. It does not matter if she is dead, such is the power of Goodtimes, it reaches out beyond the grave to sully those things we hold most dear. It moves your car randomly around parking lots so you can't find it. It will kick your dog. It will leave libidinous messages on your boss's voice mail in your voice! It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve. Goodtimes will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methanphedime in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower. |
Needless to say, this too is a hoax!