ES - Virus crap

Jan Nowlan nowlanj at us.ibm.com
Thu Jun 25 09:18:42 PDT 1998


http://www.av.ibm.com/BreakingNews/HypeAlert/


Secretary to:  Lanese Turner   / Dan Gutridge
Data Warehouse Solutions / BISD
8/522-55702 OR (817) 962-5702
Fax:  (817) 962-5677
nowlanj at us.ibm.com

---------------------- Forwarded by Jan Nowlan/Dallas/Contr/IBM on 06/25/98
11:20 AM ---------------------------

From: Dave McCrostie/Dallas/IBM @ IBMUS
Subject: Virus crap


This morning, I received yet ANOTHER "VIRUS ALERT" from a well meaning friend.
I figured if they're asking *me* about viruses, one of your friends, sister,
whomever, may ask you.  There's a lot of this garbage circulating AOL
especially.  Not actual viruses, just the hoaxes.  So, I did a little research
and came up with this "official" response from IBM.  It could save you lots of
trouble explaining to everyone that, no, I'm pretty sure there is no
virus...etc.

APPENDIX A

How to Spot a Virus Hoax

If you receive a virus alert message, don't believe it.

At the end of 1996, the problem of virus hoaxes escalated (specifically hoaxes
in the form of false virus alert messages). Warnings similar to the "Good
Times" virus hoax became common. This paper analyzes the "Good Times" hoax,
builds a list of its features, and shows how those features apply to later
hoaxes. A simple generic system is presented to aid in analyzing virus
warnings. The paper concludes by showing how to handle false virus warnings.

Hyperdriven: Thoughts travel faster in a vacuum

As 1997 begins, we've seen several virus alerts. None of them were real. And
all of them were probably driven by a previously unwritten law of human nature.
This newly-discovered theory explains how ideas are able to travel faster than
the speed of thought. The theory may be stated thus:

Thoughts travel faster in a vacuum.

Think about it. By removing the actual thinking process, thoughts can travel
uninhibited and thus exceed all logical bounds. In addition, such thoughts
often tend to become hyperdriven (adj. driven by hype). This explains a lot of
phenomena. For example, sales are often hyperdriven. Indeed, marketing often
depends on the buyer engaging in rational thought only after the fact.

More importantly however, it explains how stories on the Internet can spread so
quickly.

Such stories have, of late, been a major problem on the Internet. It might even
get to the point where hoaxes are more of a problem than viruses are. After
all, a hoax is much easier to write than a virus is. A good rule of thumb for
today is "If you receive a virus alert message, don't believe it."

Let's look at the late-1996 crop of virus hoaxes. Our purpose is to glean
enough information about them to easily recognize a new hoax when we see it.
(For a fuller list of hoaxes, see our Hype Alert department.)

Chain Letters from Hell - The e-mail equivalent of a stampede

The root of the problem with hoaxes is that they spread faster than viruses do.
They don't use a replication engine to spread, as a virus does; rather, they
use human nature. They play on peoples' fear. As we look at these hoaxes,
you'll notice that they warn the reader of impending doom and insist that the
warning be forwarded to everyone else in the known universe. Someone shouts
"fire" on a busy, crowded Net and the e-mail equivalent of a stampede begins.

However, if people engage the thought process before clicking the forwarding
button, these hoaxes will not spread.

As these warnings spread, two things happen. Some well-intentioned individuals
add their own warnings and suggested actions to the warning. At the same time,
other not-so-well-intentioned individuals add to the horrors the supposed virus
could wreak. In this way the messages undergo changes. They mutate or evolve.
In fact, we should note here that the warnings shown below are ones we
received, and may vary in wording from other copies.

This fact that the warnings change is important to understand. Any single hoax
may exist in many forms.

For example, late in 1996 we received a warning message about a "Penal Virus."
It took about half a second to realize that the warning was identical to the
warning about the nonexistent "Penpal virus." Although just that one "p" in
"Penpal" was dropped, the "Penal Virus" warning is now spreading on its own.

Moreover, current hoaxes are just revisions of other hoaxes. The Penpal hoax
itself follows the pattern set by Good Times.

Armed with the knowledge of how hoaxes change, a person familiar with the "Good
Times Virus" hoax would recognize more recent warnings as a mere regurgitation
of that message. To this end, let's dissect Good Times.

Good Times: The Chicken Little domino-effect engine

The granddaddy of this current crop of hoaxes was a warning message about a
nonexistent virus called "Good Times." It began in 1994 as a joke, evidently by
two students who posted the warning on America Online. From there, the warning
message spread and, as noted above, it also changed. For example, the version
given below has given the virus the fanciful ability to place the computer's
CPU "in an nth-complexity infinite binary loop--which can severely damage the
processor."

What follows is an evolved version of the "Good Times Virus" warning message.
Again, there is no such virus. This is a hoax. The interlinear commentary
(bracketed and in italics) has been added here as we dissect the virus, and is
not part of the original message.

The hoax message reads:

V I R U S - W A R N I N G
[Commentary: If you receive any message in e-mail that starts like this,
immediately suspect a hoax. With the current bumper crop of hoaxes, odds are
that it is not a real virus warning.]

There is a computer virus that is being sent across the Internet.
If you receive an email message with the subject line "Good Times",
DO NOT read the message, DELETE it immediately.

Please read the messages below. Some miscreant is sending email under
the title "Good Times" nationwide, if you get anything like this,
DON'T DOWN LOAD THE FILE!
[This theme seems to be almost universal in hoaxes. The supposed virus is
always propagating on the Internet. There are warnings (again, usually in ALL
CAPS) about reading or downloading an e-mail message. Salvation by immediate
deletion is also nearly universal. Interestingly, for some reason the word
"miscreant" seems to be a common catchphrase in hoaxes.]

It has a virus that rewrites your hard drive, obliterating anything on it.
[Most real viruses, which are an actual threat to users, are not destructive;
in fact they're usually quite tame. Hoax viruses, however, always seem to wield
the powers of a vengeful binary god. Such godlike viruses can often do nasty
things to your system that are beyond the abilities of software, mere mortals,
or even most hardware technicians.]

Please be careful and forward this mail to anyone you care about.
[Here it is. This is the replication engine. This is what gives the virus the
pesky lifelike ability to multiply. This is also a dead giveaway that it is a
hoax.]

WARNING!!!!!!! INTERNET VIRUS
[Another thing to notice is the multiplication of exclamation marks. We see
this a lot.]

The FCC released a warning last Wednesday concerning a matter of major
importance to any regular user of the Internet.
[Also nearly universal is the authoritative source. "Whoa! The FCC. This must
be real." This aspect of cited authority is meant to lend credibility to the
hoax. The truth is, however, that according to the FCC they have never, and
will never, send out virus warnings.]

Apparently a new computer virus has been engineered by a user of AMERICA
ONLINE that is unparalleled in its destructive capability.
[Notice especially here, and in the following lines, the superlative nature of
the abilities described. Here we see that it's "unparalleled in its destructive
capability." Suspect any warning about a virus that is the most destructive,
most polymorphic, or stealthiest.]

What makes this virus so terrifying, said the FCC,
[Note the authoritative source is cited as saying this. Again, credibility is
sought.]

is the fact that no program needs to be exchanged for a new computer
to be infected. It can be spread through the existing email systems
of the Internet. Once a Computer is infected, one of several things
can happen. If the computer contains a hard drive, that will most likely
be destroyed. If the program is not stopped, the computer's processor
will be placed in an nth-complexity infinite binary loop--which can
severely damage the processor if left running that way too long.
[Here's another important factor to note: the language is crafted to sound
technical. It uses computer jargon. This also tends to lend credibility to the
hoax. By the way, if you do believe that a CPU can be melted down by "an
nth-complexity infinite binary loop," we'd like to talk to you about some
oceanfront property we're selling in Nebraska.]

Luckily, there is one sure means of detecting what is now known as the
"Good Times" virus. It always travels to new computers the same way in
a text email message with the subject line reading "Good Times." Avoiding
infection is easy once the file has been received simply by NOT READING IT!
The act of loading the file into the mail server's ASCII buffer causes the
"Good Times" mainline program to initialize and execute. The program is
highly intelligent--it will send copies of itself to everyone whose email
address is contained in a receive-mail file or a sent-mail file, if it can
find one. It will then proceed to trash the computer it is running on.
[Of course, you'll never see this message. It's a hoax. Also of interest is the
fact that this virus is "highly intelligent." Odd. All the viruses we've seen
are extremely dumb.]

The bottom line is:
If you receive a file with the subject line "Good Times", delete it
immediately! Do not read it. Rest assured that whoever's name was on
the "From" line was surely struck by the virus.
[Odd it doesn't say to contact the sender. But, again, there will be no
sender. It's a hoax.]

Warn your friends and local system users of this newest threat to the
Internet! It could save them a lot of time and money. Could you pass
this along to your global mailing list as well?
[Actually, this is the bottom line; where the message urges you to propagate
the hoax. Here's the hoax's combination chicken-little, domino-effect
replication engine.]

Hoax Heuristics: Common sense, isn't it?

Now we can define some rules to help us detect hoaxes generically. To summarize
what we've seen, a hoax will have some combination of the following factors
(but not necessarily all of them):

- It's a warning message about a virus (or occasionally a Trojan) spreading on
  the Internet. (Some even describe a "Trojan horse virus." There is no such
  thing.)
- It's usually from an individual, occasionally from a company, but never from
  the cited source.
- It warns you not to read or download the supposed virus, and preaches
  salvation by deletion.
- It describes the virus as having horrific destructive powers and often the
  ability to send itself by e-mail.
- It usually has lots of words in all caps and loads of exclamation marks.
- It urges you to alert everyone you know, and usually tells you this more than
  once.
- It seeks credibility by citing some authoritative source as issuing the
  warning. Usually the source says the virus is "bad" or has them "worried."
- It seeks credibility by describing the virus in specious technical jargon.

Now let's look at a couple of the hoaxes in light of what we've observed.

Deeyenda: It's Deeyenda the world as we know it

The "Deeyenda" hoax appeared near the end of 1996. Again, the interlinear
commentary (bracketed and in italics) has been added and is not part of the
original message.

The hoax message reads:

VERY IMPORTANT INFORMATION, PLEASE READ!
[This is a slight twist: it doesn't use the word "virus", although the e-mail
subject line probably does.]

There is a computer virus that is being sent across the Internet. If
you receive an email message with the subject line "Deeyenda", DO NOT
read the message, DELETE it immediately!
[Several factors are seen here: Virus on the Net. Do not read. Delete
immediately. Lots of caps (only one exclamation mark though). By this time, you
should already be reasonably sure that this is a hoax.]

Some miscreant is sending email under the title "Deeyenda" nationwide,
if you get anything like this DON'T DOWNLOAD THE FILE! It has a virus
that rewrites your hard drive, obliterates anything on it. Please be
careful and forward this e-mail to anyone you care about.
[There's our miscreant, our warning against download, and our warning of mass
destruction.]

Please read the message below.

-----------

FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET

[Red flag. The FCC never issues virus warnings. This is definitely a hoax.]

The Internet community has again been plagued by another computer virus.
This message is being spread throughout the Internet, including USENET
posting, EMAIL, and other Internet activities. The reason for all the
attention is because of the nature of this virus and the potential
security risk it makes. Instead of a destructive Trojan virus (like
most viruses!), this virus referred to as Deeyenda Maddick, performs
a comprehensive search on your computer, looking for valuable information,
such as email and login passwords, credit cards, personal inf., etc.
[This is not only a mythical "Trojan virus", but it also has the powers of a
mythical cyber-god. And it is described in a specious manner.]

The Deeyenda virus also has the capability to stay memory resident while
running a host of applications and operation systems, such as Windows 3.11
and Windows 95. What this means to Internet users is that when a login and
password are send to the server, this virus can copy this information and
SEND IT OUT TO AN UNKNOWN ADDRESS (varies). The reason for this
warning is because the Deeyenda virus is virtually undetectable. Once attacked,
your computer will be unsecure. Although it can attack any O/S this virus is
most likely to attack those users viewing Java enhanced Web Pages
(Netscape 2.0+ and Microsoft Internet Explorer 3.0+ which are running
under Windows 95).
[Virtually undetectable. More superpowers in techno-babble.]

Researchers at Princeton University have found this virus on a number of
World Wide Web pages and fear its spread.
[Wow. Additional credibility. Princeton's verified it and they're afraid.]

Please pass this on, for we must alert the general public at the security risks.
[Here's the replication engine. This one's driven by civic-duty.]

Penpal: Whole UNIX servers are being destroyed

Let's look at one more hoax. "Penpal" appeared around the same time Deeyenda
did.

The hoax message reads:

If anyone receives mail entitled: PENPAL GREETINGS! please delete it
WITHOUT reading it. Below is a little explanation of the message, and what it
would do to your PC if you were to read the message. If you have any questions
or concerns please contact [name and number removed].
[Don't read. Delete. Interestingly, this has a cited authority with a phone
number. By the way, the number (which we removed) doesn't work.]

This is a warning for all Internet users - there is a dangerous virus
propagating across the Internet through an e-mail message entitled
[Virus is on the Net.]

"PENPAL GREETINGS!"
DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"
[Don't download warning. Lots of caps.]

This message appears to be a friendly letter asking you if you are interested
in a penpal, but by the time you read this letter, it is too late. The "Trojan
horse" virus will have already infected the boot sector of your hard drive,
destroying all of the data present. It is a self-replicating virus, and once
the message is read, it will AUTOMATICALLY forward itself to anyone who's
e-mail address is present in YOUR mailbox!
[Trojan horse virus. Destroys all data. Can forward itself.]

This virus will DESTROY your hard drive, and holds the potential to DESTROY
the hard drive of anyone whose mail is in your inbox, and who's mail is in their
inbox, and so on. If this virus remains unchecked, it has the potential to do a
great deal of DAMAGE to computer networks worldwide!!!!
[Such apocalyptic powers truly deserve four exclamation marks.]

Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see
it! And pass this message along to all of your friends and relatives, and the
other readers of the newsgroups and mailing lists which you are on, so that
they are not hurt by this dangerous virus!!!!
[Replication engine.]

It changes the subject field of your E-mail to "Penpal Greeting". As long as you
don't read the message, it's OK. But once you read the message, it destroys your
Boot Sector, copies itself and forwards new messages to all the people in your
mailbox!!!! Just delete the message before you open it. Deleting it won't do
any harm to the computer. Don't ask me how this is done with E-mail text but the
news are spreading in France and whole UNIX servers are being destroyed!!! The
virus is of type "Trojan Horse" and you can't detect it. So beware and keep
your eyes wide open from now till the year 2000. It's a matter of time until
the virus gets routed to you through one of your friends.
[The jargon factor.]

Rule of thumb: Always check the subject field and don't read unknown
messages. Please forward this E-mail to all your friends, professors, staff,
and print a hard copy (or a couple dozens) and post them on campus.
[Reiteration of the replication engine.]

Handling Hoaxes: Do exactly the opposite

See how easily we can spot these as being hoaxes? All we need to do is engage
the thought process and actively apply what we know about the anatomy of
hoaxes. Now that you're better equipped to spot hoaxes when they come your
way, what should you do about them when they arrive?

That's easy. Do exactly the opposite of what the hoaxes say you should do.

Do not forward the false warning to others. Do send a message to the person who
sent you the hoax message. Tell him or her it's a hoax. Say, "Don't send it
out to others." You may also want to point that person to this paper, so he or
she can also understand the nature of virus hoaxes. In addition, tell people to
check out our Hype Alert department whenever they receive a suspicious virus
warning.


"The only man who never makes a mistake is the man who never does anything."
Theodore Roosevelt
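The traits listed under "Hoax Heuristics" in the forwarded paper can be turned into a small scoring check that a mail administrator could run over an incoming message before anyone hits "forward". The Python below is an added example, not part of the IBM paper or of the original mailing-list post; the phrase lists, the 5% all-caps threshold and both sample messages are assumptions constructed for this example.

```python
import re

# Hoax traits distilled from the paper's "Hoax Heuristics" list. The phrase
# lists below are assumptions chosen for this example, not from the paper.
FORWARD_PHRASES = ("forward this", "pass this", "warn your friends",
                   "everyone you know", "send this to", "mailing list")
AUTHORITY_SOURCES = ("fcc", "fbi", "princeton", "microsoft", "aol", "cnn")
JARGON_TERMS = ("nth-complexity", "binary loop", "ascii buffer", "memory resident",
                "boot sector", "mainline program", "trojan horse virus", "trojan virus")


def hoax_features(text: str) -> dict:
    """Return, for each trait named in the paper, whether the message shows it."""
    lower = text.lower()
    words = re.findall(r"[A-Za-z']+", text)
    # "Lots of words in all caps": share of 3+ letter words written in capitals.
    caps = [w for w in words if len(w) >= 3 and w.isupper()]
    caps_ratio = len(caps) / len(words) if words else 0.0
    return {
        "virus_warning": bool(re.search(r"\bvirus\b", lower)),
        "salvation_by_deletion": bool(re.search(r"\b(do not|don't) (read|open|download)", lower))
                                 or "delete it immediately" in lower,
        "horrific_powers": bool(re.search(r"\b(destroy|obliterat|trash|rewrites? your hard drive)", lower)),
        "caps_and_exclamations": caps_ratio > 0.05 or "!!!" in text,
        "urges_forwarding": any(p in lower for p in FORWARD_PHRASES),
        "cites_authority": any(re.search(rf"\b{re.escape(a)}\b", lower) for a in AUTHORITY_SOURCES),
        "specious_jargon": any(t in lower for t in JARGON_TERMS),
    }


def hoax_score(text: str) -> int:
    """Count of hoax traits present (0-7); the paper says a hoax shows several, not all."""
    return sum(hoax_features(text).values())


# Constructed sample built from fragments of the Good Times text quoted in the paper.
GOOD_TIMES_EXCERPT = """There is a computer virus that is being sent across the Internet.
If you receive an email message with the subject line "Good Times",
DO NOT read the message, DELETE it immediately.
It has a virus that rewrites your hard drive, obliterating anything on it.
Please be careful and forward this mail to anyone you care about.
WARNING!!!!!!! INTERNET VIRUS
The FCC released a warning last Wednesday. If the program is not stopped,
the computer's processor will be placed in an nth-complexity infinite
binary loop--which can severely damage the processor."""

# Constructed sample: an ordinary office note that should trip no trait.
OFFICE_NOTE = """Hi all, attached are the notes from Tuesday's Data Warehouse status
meeting. Please review the action items before Friday and let me know if I
missed anything. Thanks, Jan"""

if __name__ == "__main__":
    for name, msg in (("Good Times", GOOD_TIMES_EXCERPT), ("office note", OFFICE_NOTE)):
        print(name, hoax_score(msg), [k for k, v in hoax_features(msg).items() if v])
```

The Good Times fragment trips all seven traits while the office note trips none; a real vendor advisory typically scores low because it names a specific product, gives no forwarding plea and uses no superlatives.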




More information about the Elfsea mailing list