Have you ever received a "WARNING" in your e-mail about a deadly computer virus, claiming that if you open an e-mail entitled "JOIN THE CREW!" or "GOOD TIMES" your system will be destroyed?

Chances are you have and you complied with the instructions in that e-mail. You fell victim to what is known as an Internet Hoax. Don't feel stupid or embarrassed; it's happened to literally hundreds of thousands of people around the globe. Below is a list of some of the real and hoax viruses that are making the rounds this year:

NAME CLAIM STATUS
A.I.D.S. Claimed to destroy your hard drive HOAX
American Cancer Society Claims ACS will send 3 cents for every e-mail message received for a girl having cancer. HOAX/CHAIN LETTER
AOL Ver 4.0 Cookie Claims new AOL Version 4 software release will snoop your local hard drive and send results back to AOL HOAX
AOL4FREE 3 versions known to exist as follows:
AOL4FREE (Ver 1) Macintosh software that gave users free AOL access in days before the flat rate charge. REAL
AOL4FREE (Ver 2) Alleges AOL4FREE.COM will erase hard drives HOAX
AOL4FREE (Ver 3) Trojan horse program. Claims to create free AOL accounts but is a compiled DOS batch containing DELTREE command that will erase contents of hard drive. REAL
Bad Times Makes outrageous claims...read the message contents for particulars. HOAX
Bill Gates E-Mail Offers a free copy of Win 98 to first 1000 people that distribute e-mail Tracking Program HOAX/CHAIN LETTER
Bud Frogs Claims the Bud Frogs screen saver will destroy the hard drive HOAX
Death Ray Claims to physically destroy computer hardware HOAX
EEVP Virus See Bill Gates entry ALIAS
FATE30 Claims file FATE30.COM contains a virus HOAX
GHOST.EXE Claims will destroy hard drive. Originally a free screen saver that activated on any Friday the 13th. Caused no damage/harm. MISS
Good Times Claims will rewrite your hard drive HOAX
Internet Cleanup Alleges the internet has to be shut down for 24 hours to delete outdated/useless data. HOAX
Jessica Mydek See American Cancer Society ALIAS/CHAIN LETTER
Join The Crew Claims e-mail will erase hard drive (usually mated with "PENPAL" warning) HOAX
Kidney Harvest Warns of alleged abductions/kidney removals HOAX
Open: Very Cool See A.I.D.S. ALIAS
PENPAL Claims a trojan program erases your hard drive (usually mated with "Join The Crew" warning) HOAX
Red Team Claims that running attached program will scan and disinfect computer. Attached program is virus. Affects Win 3.1/95 with Eudora mail client REAL
Returned Mail Warns not to open/read mail having subject line of "FW:Fwd: returned or unable to deliver". Such messages are actually e-mail you sent, returned due to a bad e-mail address. MISS
Win A Holiday There is currently no virus that has the characteristic described in the message. The message is a variant of the "Join the Crew" hoax and another variant called "JUST WIN A HOLIDAY". HOAX
Death Ray The Death Ray Virus is a hoax. The following "Death Ray Virus" warning was reported in the Weekly World News and other publications. CIAC knows of no virus or any computer program for that matter that has caused physical damage to a computer or caused it to explode. HOAX
NaughtyRobot The NaughtyRobot email message appears to be a hoax. There is no indication that any of the problems described in the body have taken place on any machine. HOAX
Make Money Fast The Make Money Fast Warning Hoax appears to be similar to the PENPAL GREETINGS! Warning in that it is a hoax warning message that is attempting to kill an e-mail chain letter. While laudable in its intent, the hoax warning has caused as much or more problems than the chain letter it is attempting to kill. HOAX
Deeyenda The warnings are very similar to those for Good Times, stating that the FCC issued a warning about it, and that it is self activating and can destroy the contents of a machine just by being downloaded. HOAX
Irina The former head of an electronic publishing company circulated the warning to create publicity for a new interactive book by the same name HOAX
PKZ300 The warning itself is gaining urban legend status. There has been an extremely limited number of sightings of this Trojan and those appeared over a year ago. Even though the Trojan warning is real, the repeated circulation of the warning is a nuisance. Individuals who need the current release of PKZIP should visit the PKWare web page at http://www.pkware.com. HOAX/REAL
Sandman homepage warning This is a false warning of a web page which "hacks into your hard drive". Ignore it. HOAX
FATE3.0 This warning about a possible trojan horse circulated on the internet. No antivirus lab has seen a sample of the original file, so this can be considered a hoax. HOAX
Francesca chain letter This is a chain letter asking to send diagnostics about a disease. The message has been circulating the internet for months now and does not need to be forwarded any more. HOAX/CHAIN LETTER
Hackingburgh This is not a virus, but a hoax which was spread in usenet news and e-mail systems in May 1997. The hoax described a non-existent virus which has features no real virus could have. HOAX
Matra R-440 Crotale There is no virus by this name. However, there was a widespread April Fools joke distributed discussing a hypothetical virus by this name. The actual message consisted of several other well-known hoax messages. HOAX
YUKON3U.mp JPG This widespread hoax was posted to dozens of usenet newsgroups on March 23rd, 1997. Ignore this hoax warning and do not pass it on. It is impossible to get infected by downloading and viewing GIF or JPG pictures. (NOTE: There have been instances where people thought they were downloading a Self-Extracting ZIP file that was a bunch of pictures. This was actually just a cleverly named virus executable. Be SAFE, don't open ANY .exe or .com unless you are CERTAIN where it came from!) HOAX
Hacker Riot This is not a virus but a widespread hoax. Somebody has been distributing e-mail messages like the one below on the internet. The origins of this message are related to a campaign on AOL (America Online), but the most widespread version of this warning has all references to AOL removed. Ignore these warnings and do not pass them on.

Date: Sun, 9 Feb 1997 21:35:59 -0500 (EST)
Subject: Fwd: This is serious guys Fw: Important Please Read!!! VIRUS ALERT!!!!!!!!!!!...
THERE IS GOING TO BE A RIOT FEB 14 OF HACKERS SO I WOULD NOT GET ON THAT WHOLE DAY I AM TELLING YOU THIS BECAUSE YOU ARE MY FRIENDS AND I DONT WANT YOUR COM TO GET INFECTED FROM A HACKERS IDEA OF A FUN TIME.

HOAX
SHEEP.EXE SHEEP.EXE is a program which creates a cute animation of a little sheep which wanders around the screen, eats, sleeps, jumps etc. There were several widespread warnings that this program was a trojan or a virus, but after SHEEP.EXE and SCMPOO16.EXE samples were analysed, the program was found innocent. However, during the analysis the original Japanese author of this program was contacted, and it was found out that SHEEP.EXE is a commercial program, and should not be passed on between users. FALSE ALARM
EYES.EXE or WINEYES.EXE EYES.EXE or WINEYES.EXE caused alarms similar to GHOST and SHEEP: it's a simple demo program which has created a lot of warnings. This program was analysed and found harmless.

Naturally, whenever any program is declared clean, there's a risk that somebody will take the file and infect it, since people will now trust it. To overcome this problem, you can verify the files against the 32-bit CRCs of the confirmed clean versions (as displayed by PKUNZIP):

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
317792 DeflatN 117014 64% 09-12-96 08:25 683ae9da --w- SHEEP.EXE
317088 DeflatN 116749 64% 03-12-96 22:17 3662678a --w- SCMPOO16.EXE
28096 DeflatN 14145 50% 30-10-96 13:20 5dce8738 --w- GHOST.EXE
28064 DeflatN 14142 50% 13-11-96 13:45 a6839c30 --w- GHOST2.EXE
28065 DeflatX 14121 50% 11-22-96 12:11 f47d5cbd --w- GHOST3.EXE
54048 DeflatX 9157 84% 11-15-96 14:42 ba2cda0b --w- EYES.EXE

Read this: As speculated above, a malicious person can easily infect any of these programs and make them harmful. In June 1997, we received a sample of the above SHEEP.EXE infected with the Windows-based Tentacle virus.

Here's the CRC of the infected version (as displayed by PKUNZIP):

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
319750 DeflatN 118568 63% 26-06-97 18:16 60a4617a --w- ESHEEP.EXE
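
The check described above, written out as an added example (it is not part of the original page): it parses the PKUNZIP rows listed for the clean files and compares a file's length and CRC-32 against them. `DEMO.EXE` and its bytes are constructed for the demonstration, since the real binaries are not on the page; note that the infected ESHEEP.EXE row above differs from the clean SHEEP.EXE row in both length and CRC-32.

```python
import re
import zlib

# Rows copied from the page's PKUNZIP listing of confirmed clean files.
CLEAN_LISTING = """\
317792 DeflatN 117014 64% 09-12-96 08:25 683ae9da --w- SHEEP.EXE
317088 DeflatN 116749 64% 03-12-96 22:17 3662678a --w- SCMPOO16.EXE
28096 DeflatN 14145 50% 30-10-96 13:20 5dce8738 --w- GHOST.EXE
28064 DeflatN 14142 50% 13-11-96 13:45 a6839c30 --w- GHOST2.EXE
28065 DeflatX 14121 50% 11-22-96 12:11 f47d5cbd --w- GHOST3.EXE
54048 DeflatX 9157 84% 11-15-96 14:42 ba2cda0b --w- EYES.EXE
"""

# Columns: length, method, size, ratio, date, time, CRC-32, attr, name.
ROW = re.compile(
    r"^\s*(?P<length>\d+)\s+\S+\s+\d+\s+\d+%\s+\S+\s+\S+\s+"
    r"(?P<crc>[0-9a-fA-F]{8})\s+\S+\s+(?P<name>\S+)\s*$"
)

def parse_listing(text):
    """Return {NAME: (length, crc32)}; header and ruler rows are skipped."""
    known = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            known[m["name"].upper()] = (int(m["length"]), int(m["crc"], 16))
    return known

def crc32_of(data):
    """CRC-32 as PKZIP stores it: an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF

def check_file(name, data, known):
    """Classify a file against the known-clean table."""
    entry = known.get(name.upper())
    if entry is None:
        return "unknown"
    length, crc = entry
    if len(data) != length:
        return "length-mismatch"
    if crc32_of(data) != crc:
        return "crc-mismatch"
    return "match"

def demo():
    """Constructed sample: DEMO.EXE and its bytes are hypothetical."""
    clean = b"MZ" + bytes(range(256))
    known = parse_listing(CLEAN_LISTING)
    known["DEMO.EXE"] = (len(clean), crc32_of(clean))
    patched = clean[:10] + b"\xff" + clean[11:]  # same length, one byte changed
    return {
        "clean": check_file("demo.exe", clean, known),
        "appended": check_file("demo.exe", clean + b"\x90" * 16, known),
        "patched": check_file("demo.exe", patched, known),
        "other": check_file("NOTLISTED.EXE", clean, known),
    }

if __name__ == "__main__":
    print(demo())
```

A "match" only rules out accidental or careless modification: CRC-32 is not a cryptographic hash, so a digest such as SHA-256 published by a trusted source is the stronger check where one is available.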

Meme or Anti-CDA hoax This is supposed to be a joke, but as we've seen in the past several times, hoaxes like this just cause panic and grief. There is no real 'MEME' or 'anti-CDA' virus. Here is the original hoax warning message:

Subject: New anti-CDA virus threatens Internet
Newsgroups: comp.security.misc,comp.security.unix,alt.security,alt.comp.virus,alt.folklore.computers
Date: Tue, 5 Mar 1996 01:30:39 GMT

As part of their vicious opposition to the Communications Decency Act, hackers have created a devilish new virus the sole purpose of which is to oppose the CDA. This virus is now spreading over the Internet.

Independence Day hoax This was a joke, which was distributed as an official-looking CERT alert and was based on the movie 'Independence Day'. HOAX
Current virus totals
ZERO known email viruses
ZERO known HTML viruses
ZERO known Java viruses
ZERO known Javascript viruses
ZERO known ActiveX viruses
ZERO known CMOS viruses
ZERO known video RAM viruses
ZERO known BIOS viruses
ZERO known GIF/JPG viruses
ZERO known AVI/MOV viruses

     The Internet is constantly being flooded with information about computer viruses and Trojans. However, interspersed among real virus notices are computer virus hoaxes. While these hoaxes do not infect systems, they are still time consuming and costly to handle. Much more time is spent every year de-bunking hoaxes than handling real virus incidents. There are websites that describe many of the hoax warnings that are found on the Internet today. This page will only touch on the issue. I highly recommend that you spend time browsing through the Reference Links to become familiar with the wide variety of hoaxes, scams, and just plain jokes that are out there. I also cover how to identify a new hoax warning, how to identify a validated warning and what to do if you think a message is a hoax.

Tips For Handling E-Mail

1. Never open attachments that have .exe or .com extensions if you don't know the sender! Delete the message without opening the attachment.

2. If your anti-virus software doesn't automatically scan e-mail attachments, save them to your hard drive first, then scan them with a virus checking program like McAfee or Symantec.

3. Should you receive e-mail warning of a virus that doesn't appear in the above list, see if it fits the profile of a hoax (Read the tips below to help identify a hoax). If it still seems to be real, please visit the reference links below to see if it's turned up on those lists. If it has, please e-mail me at matthewa@lostparadise.com and I'll make sure I update my list.

4. If you get e-mail telling you to forward it to a number of others, delete it!! (See below about identifying hoaxes). Chain e-mail clogs precious bandwidth, takes up your time to readdress it, and really annoys almost everybody who receives it from you. Besides, they're also illegal.

Identifying A Hoax

The following information on identifying hoaxes and what to do about one is excerpted from the US Department of Energy's Computer Incident Advisory Capability pages on internet hoaxes:

     There are several methods to identify virus hoaxes, but first consider what makes a successful hoax on the Internet. There are two known factors that make a successful virus hoax, they are:

(1) technical sounding language
and
(2) credibility by association.

     If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this, it sounds like it might be something real. With a little research, you find that there is no such thing as an nth-complexity infinite binary loop and that processors are designed to run loops for weeks at a time without damage.

     When we say credibility by association we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations.

     Individuals should also be especially alert if the warning urges you to pass it on to your friends. This should raise a red flag that the warning may be a hoax. Another flag to watch for is when the warning indicates that it is a Federal Communications Commission (FCC) warning. According to the FCC, they have not and never will disseminate warnings on viruses. It is not part of their job.

     CIAC recommends that you DO NOT circulate virus warnings without first checking with an authoritative source. Authoritative sources are your computer system security administrator or a computer incident advisory team. Real warnings about viruses and other network problems are issued by different response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP. If you download a warning from a team's web site or validate the PGP signature, you can usually be assured that the warning is real. Warnings without the name of the person sending the original notice, or warnings with names, addresses and phone numbers that do not actually exist are probably hoaxes.

What To Do

     Upon receiving a warning, you should examine its PGP signature to see that it is from a real response team or antivirus organization. To do so, you will need a copy of the PGP software and the public signature of the team that sent the message. The CIAC signature is available at the CIAC home page: http://ciac.llnl.gov/ You can find the addresses of other response teams by connecting to the FIRST web page at: http://www.first.org. If there is no PGP signature, see if the warning includes the name of the person submitting the original warning. Contact that person to see if he/she really wrote the warning and if he/she really touched the virus. If he/she is passing on a rumor or if the address of the person does not exist or if there are any questions about the authenticity of the warning, do not circulate it to others. Instead, send the warning to your computer security manager or incident response team and let them validate it. When in doubt, do not send it out to the world. Your computer security managers and the incident response teams have experts who try to stay current on viruses and their warnings.

     In addition, most anti-virus companies have a web page containing information about most known viruses and hoaxes. You can also call or check the web site of the company that produces the product that is supposed to contain the virus. Checking the PKWARE site for the current releases of PKZip would stop the circulation of the warning about PKZ300 since there is no released version 3 of PKZip. Another useful web site is the "Computer Virus Myths home page" (http://www.kumite.com/myths/) which contains descriptions of several known hoaxes. In most cases, common sense would eliminate Internet hoaxes.

April Fools Day

The following information on April Fool's Day is excerpted from the Dr. Solomon's software site press release dated April 1st, 1997.

     On this day of falsehoods and chicanery, don’t be fooled by hoaxes about dreaded computer viruses whose payloads detonate upon opening electronic mail messages. Dr Solomon’s Software – the worldwide leader in computer virus detection, identification and disinfection – says users are still plagued by an increasing number of virus hoaxes, but do not need to fear virus infection just by opening an email.

     "It is impossible to get a computer virus simply by opening an email message," says Shane Coursen, senior technology consultant at Dr Solomon’s. "But once an email virus hoax is launched, the frenzy is spread by well-intentioned, yet uninformed, individuals and companies. When people hear about a problem, it’s human nature to warn their friends."

Don’t Let a Virus Hoax Fool You This April Fool’s Day

or Any Day

     The threat of viruses spreading through electronic mail becomes a reality only when users open virus-infected documents or executable files attached to their email, particularly in the Microsoft Word and Excel applications. Attached files or documents that contain viruses can launch the infectious code, giving the virus the opportunity to spread.

     In recent years, infamous hoaxes like Good Times, PenPal Greetings and Deeyenda have created panic among computer users. One hoax, Irina, was alleged to rewrite hard drives and obliterate everything on them, and others threaten similar annihilation of data, directories or files. Irina turned out to be a marketing ploy by a publisher to promote a new book, but the stir it created continues to this day.

Reference Links

IBM Antivirus Site

CIAC Hoaxes Page

CIAC Chain Letters Page

Computer Virus Myths home page

April Fools on the Net

Urban Legends and Folklore

Urban Legends Reference Pages

Forewarned is forearmed
Footnote:

THERE IS NO SUCH THING AS AN E-MAIL TEXT VIRUS!

     A virus can not exist in an e-mail text message. They also can NOT exist in USENET (newsgroup) postings or simply "float around" the internet. Viruses must be attached to and infect an executable program. Viruses and other system-destroying bugs can ONLY exist in FILES, and since e-mail is not a system file, viruses can not exist there. While reading e-mail, you are not executing any malicious code to activate! Thus, no virus can exist. HOWEVER, if you (or your computer) download a FILE attached to an e-mail or USENET posting (i.e.-binary) and run it, there IS a chance that file could contain a virus, since a runnable file could contain a virus. It is also very important that you DO NOT, under any circumstances, allow your e-mail program to automatically download and/or execute an attached file. You risk infection by doing so!

     Viruses are generally (almost always) OS (operating system)-specific. Meaning, viruses created for a DOS application can do no damage on a Macintosh, and vice-versa. If you take a careful look at these e-mail hoaxes, you'll notice that very few are specific about which system it "infects." There has been one exception to the OS-specific rule, which is called the Microsoft Word Macro Virus, which infects documents instead of the program. This virus can affect both Macintosh and PC computers because of the way the application was written (it contains the same source code on several OS's). In the future, we might see viruses cross OS-boundaries because the Java and ActiveX programming languages break the typical "rules" of how a virus is OS-specific.



Designed by Matthew Armistead
Copyright © 1998, Matthew D. Armistead