Virus Hoaxes

Don't be taken in by Virus Hoaxes

Christine Peterson

Computer viruses are a part of life. It seems you cannot provide library services today without dealing with telecommunications, computers, and the Internet. Along with the computers come viruses. A virus is nothing more than a computer program. Normally it is found within another computer program and causes something unexpected (and usually undesirable) to happen. Sources of the original program are frequently unaware that the virus has been transmitted. Some viruses don't execute immediately; they wait patiently for just the right circumstance and then execute. There are funny or playful viruses ("Happy Birthday, Ludwig"), as well as harmful ones (reformat your hard drive).

Unfortunately, not only do we have to cope with viruses, but now also virus hoaxes. Normally transmitted through e-mail messages, these are false warnings of viruses. The first virus hoaxes were identified in October or November of 1988. Those of you who remember 1200/2400 baud modems and TRS-80s might enjoy checking this out: http://ciac.llnl.gov/ciac/CIACHoaxes.html#history.

Here are some of the most popular hoaxes. See if you've been taken in by any of them.

Good Times Virus

Happy Chanukah everyone, and be careful out there. There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times," DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot.

Another version of the hoax includes mention of the Federal Communications Commission (FCC):

The FCC released a warning last Wednesday concerning a matter of major importance to any regular user of the InterNet. Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability.

A virus must be executed in order to spread. To execute a virus, you must start the program or open the file. You cannot execute a virus just by opening an e-mail message. Electronic mail messages are comprised of text and, therefore, are harmless.

In addition, the FCC does not issue virus warnings. You can check this by going to: http://www.fcc.gov/Bureaus/Miscellaneous/Public_Notices/1995/pnmc5036.txt

The Good Times Virus hoax has been around for so long that spoofs on the Good Times Virus Hoax can also be found. This one was written by Patrick J. Rothfuss in December of 1996:

READ THIS: Goodtimes will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer. It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CD's you try to play.

It will give your ex-girlfriend your new phone number. It will mix Kool-aid into your fishtank. It will drink all your beer and leave its socks out on the coffee table when there's company coming over. It will put a dead kitten in the back pocket of your good suit pants and hide your car keys when you are late for work.

There is more, but I think you get the idea. For the entire spoof, see: http://ciac.llnl.gov/ciac/CIACHoaxes.html#
goodtimes

The Deeyenda Virus hoax and the Pen Pal Greetings! hoax are similar to the Good Times message. The Pen Pal hoax has an interesting twist to it. In addition to destroying all the data on your hard drive, it will automatically send itself to every person whose e-mail address is in your mailbox. This would be a difficult feat, as it would have to know every e-mail program available and the virus program would have to be huge!

Blue Mountain Cards

This hoax is a relatively recent one. Blue Mountain Cards (http://www1.bluemountain.com/index.html) is a company on the Internet that allows you to send electronic greeting cards to anyone who has an e-mail address. On February 25, 1999, an e-mail similar to this made its way around the Internet:

"Just received a call from the family. A friend of
theirs opened a card from Blue Mountain Cards
and system crashed.

"Do not open Blue Mountain Cards until further notice. Virus has infiltrated their system . . . pass it on . . ."

This message inferred that by just opening their greeting card, a virus would crash your computer. The company has stated that the greeting card notifications that are sent are just e-mail messages (text) and the cards themselves are static web pages.

Bill Gates chain letter

Particularly with the current media coverage of Microsoft and its "hidden" code, this hoax seems credible, but isn't true. (The grammatical errors are a tip-off.)

"Hello Everyone,

"And thank you for signing up for my Beta E-mail Tracking Application or (BETA) for short. My name is Bill Gates. Here at Microsoft we have just compiled an e-mail tracing program that tracks everyone to whom this message is forwarded to. It does this through an unique IP (Internet Protocol) address log book database.

"We are experimenting with this and need your help. Forward this to everyone you know and if it reaches 1000 people everyone on the list you will receive $1000 and a copy of Windows98 at my expense."

A similar hoax states that Walt Disney, Jr. is helping Gates with the program. Those who forward the message are supposed to receive either money or a free trip to Disney World.

Ghosts.exe/Sheep.exe

Ghosts.exe is a Halloween screen saver. Originally it was created by the author to provide advertising information about his company (Access Softek). On any Friday the 13^th, the title of the window changes and ghosts fly around the desktop. Because of this change, some assumed that this was also a virus. Although cute, it is not. For a picture of the screensaver, see: http://www.datafellows.com/news/hoax/ghost.htm

Sheep.exe is another popular screen saver thought to be a virus. In this program, a little sheep eats, sleeps, jumps, and wanders around your screen. After investigation, this program was found to be harmless. It was also found to be commercial and should not be sent between users. For a picture of the sheep, see: http://www.datafellows.com/news/hoax/sheep.htm

Remember, however, that it would be relatively easy for someone to create a virus called ghosts.exe or sheep.exe, so you still need to be careful!

PKZIP300

PKZIP (http://www.pkware.com) is a very well-known program for compressing (zipping) and uncompressing (unzipping) files. Unlike the other hoaxes listed here, PKZ300 was a real virus and was released in 1995. Although there have been few sitings of this virus, the warning is often seen on the Internet:

It has come to the attention of PKWARE that a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run. It attempts to perform a deletion of all the directories of your current drive. If you have any information as to the creators of this trojan horse, PKWARE would be extremely interested to hear from you. If you have any other questions about this fake version, please e-mail support@pkware.com.

PKWARE has said they will not produce a version with the number 300. The highest release number as of this date is the Windows version which is 2.60.03.

Melissa: A real one

One of the problems with receiving e-mail messages about viruses is that of authenticity. How can you tell the difference between a real virus threat and a hoax? Which e-mail messages should you send on to co-workers and friends? While writing this article, a real virus hit the Internet Melissa. Let's use this as a case study.

The Melissa virus was discovered Friday, March 26, 1999.
I read about it in the Sunday morning newspaper. I immediately went to the Internet to check its validity.
At first, this virus may have seemed like a hoax because it replicated itself by sending the program to email addresses within your mail software. However, Melissa was written specifically using the Microsoft software. Therefore, it was a threat only to Microsoft platforms.
All authoritative virus information sites and anti-virus product sites had information concerning Melissa. The information sites explained what type of virus it was, what computer platforms it might affect, and how to deal with it. The product sites had downloadable patches for customers that used their software. Each of these sites had initial information posted to the Web by Saturday, March 25, 1999.

If it is real, valid information will be available at authoritative sites very quickly.

How to detect a

What can you look for in an e-mail message that might give the hoax away? Here are some indicators for hoaxes.
Although not fool-proof, they should raise some red flags.

Uses language that is technical-sounding but meaningless
" . . . if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor . . ." Even if there was something called an "nth-complexity infinite binary loop," processors are designed to run loops for weeks without damage.

Tries to establish credibility by association
Check for authoritative or well-known names or people or organizations Federal Communications Commission, Bill Gates, Walt Disney, Jr., Janet Reno.

Urges you to send it on to friends
This should be a huge red flag. Check with the originator of the message to be sure before forwarding.

Includes "FCC warning" of the virus
Another form of credibility by association. It is not the job of the FCC to provide warnings of viruses or hoaxes.

Message originator is "Unknown User"
Before alerting the whole library or community, e-mail the original sender of the message and ask for confirmation. If, instead of a confirmation, you receive an "Unknown User" message, chances are good that it is a hoax.

Check an authoritative source:

Your computer systems security administrator or computer incident advisory team
Computer Incident Advisory Capability (CIAC): http://ciac.llnl.gov/ciac/
Computer Emergency Response Team (CERT): http://www.cert.org/
NASA Automated Systems Incident Response Capability (NASIRC): http://www-nasirc.nasa.gov/nasa/index.html
Forum of Incident Response and Security Teams (FIRST): http://www.first.org/
Web site for the company that produces the product that is supposed to contain the virus, e.g., PKWARE for PKZIP300; Microsoft for Word viruses
Website for anti-virus software companies: Norton Anti-Virus (http://www.symantec.com/avcenter/index.html); McAfee http://vil.mcafee.com/villib/alpha.asp).

Tips

A virus cannot exist in a newsgroup or discussion list posting or in an e-mail message. Because e-mail is textual and not a binary file, you cannot execute a virus while opening and reading an e-mail message. You can, however, obtain a virus through an e-mail attachment. This virus could execute when the attachment is opened. Any binary file (word processed documents, graphics, computer programs such as *.bat, *.drv, *.sys) can house a virus.

It is possible to get a virus through an HTML e-mail message. The HTML code itself is just text and is harmless. The concern is the use of Java, JavaScript and ActiveX applets. Most e-mail programs understand only very basic HTML tags and do not run these types of programs. However, if e-mail packages do begin to add this functionality, viruses through HTML may become more of a consideration.

Viruses are usually specific to particular operating systems. This means that a virus written for a Macintosh computer will probably not run on a Windows computer. There is one significant exception the Microsoft Word Macro Virus. This virus infects the Microsoft Word documents themselves, but not the Microsoft Word program. As the use of cross operating system platforms such as Java and ActiveX increases, this tip may become obsolete.

Is it April First? Enough said. See "April Fools on the Net" (http://www.2meta.com/april-fools/) for specific information on hoaxes that come around this time of year.

How to protect yourself

Here are some simple points to remember that will help your computer and its data stay intact.

Use a good anti-virus program and keep it updated. The following are some brand names you can consider when shopping for an anti-virus software:
McAfee http://www.mcafee.com
Symantec (Norton) http://www.symantec.com
Anti-Virus http://www.antivirus.com
Stiller Research (Integrity Master) http:// www.stiller.com
Dr. Solomon's http://www.drsolomon.com
Data Fellows http://www.datafellows.com
Always run a file through an updated anti-virus utility before opening it.
Keep your e-mail software updated.
Never download or run an e-mail attachment from a stranger or an unknown address.
Do not set your e-mail program to automatically download attached e-mail files such as word processed or graphic files. Turn off the option to launch or execute any programs upon opening e-mail.
In a network situation, be sure you have security in place that will stop an unauthorized person from placing files on your network.
Always run floppy disks through an anti-virus program before using them; be careful when booting from a floppy.

For more information:

There are some up-to-date Internet web sites that provide sensible information on viruses and virus hoaxes.

Computer Virus Myths (http://kumite.com/myths/)
Don't Spread That Hoax! (http://www.nonprofit.net/hoax/)
Create Your Own Hoax (http://www.cao.com/hoax/)
Data Fellows Virus Information Center (http://www.datafellows.com/vir-info/)
Computer Incident Advisory Capability (http://ciac.llnl.gov)
The Truth About E-Mail Viruses (http://www.gerlitz.com/virushoax/)

Don't be taken in always be critical of a virus alert. Check authoritative sources first. Call your technical support personnel. If it is true, information will be available within a day. Use your reference skills to research and verify virus information before automatically sending it to your entire address book! J