Email Virus Hoaxes

Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)


Email Hoax Virus Alerts

by Andrew Lee		    | gladius@gladius.f9.co.uk
AVIEN Founding Member	| http://www.avien.net
Wildlist Reporter 	    | http://www.wildlist.org


What is a hoax?

Wobbler! Budweiser Frogs! Penpal Greetings! Give your cat a colonic! You may have received warnings about these "viruses"; if you did, you have been the victim of a virus hoax.

Virus hoaxes generally consist of a wildly fabricated tale claiming that the user or organisation faces imminent doom or denial of service from a new virus strain, which the mail says is in general circulation and which is often claimed to do impossible [1] things.

Unfortunately some recipients occasionally believe a hoax to be a true virus warning and may take drastic action (such as shutting down their network). Hoaxes often ask you to avoid reading or downloading emails that have a particular subject line. Examples include "Budweiser Frogs", "It Takes Guts to Say Jesus", and "Join the Crew".

Typically, these emails describe a dangerous new undetectable [2] virus, usually using bogus technical terms [3]. For instance, the Good Times hoax claims to put your computer's CPU in "an nth-complexity infinite binary loop which can severely damage the processor". The hoax warns you not to read or download anything with the subject "Good Times" because the message is a virus. It then urges you to forward the warning [4] to as many people as possible.

A second form of virus hoax is the email which claims that by reading the mail you have decoded and activated an attached virus.
These hoaxes are more worrying because, while most are aimed at causing disruption and concern among users and organisations, one or two have been known to do exactly what they claimed.
Examples are VBS/Bubbleboy [5] and JS/KAK [6].
Email in its raw form, i.e. text, is still not a virusable medium, but with the many additions like HTML and active content, it is now regularly exploited as a carrier for viral code.

To demonstrate the differences between a real and a hoax alert, the two are compared below.

My comments appear in parentheses and begin with "Note".

Hoax Alert

Subject: FWD: READ AND PASS ON
READ THIS MESSAGE IMMEDIATELY
IT IS NOT A JOKE.
(Note if it needs to say this, it probably is a joke.)

Someone is sending out a very cute screensaver of the Budweiser Frogs. If you download it, you will lose everything! Your hard drive will crash and someone from the Internet will get your screen name and password!
(Note bogus technical info! If your hard drive had crashed, no information could be retrieved from it, so how is someone on the internet going to get it?)

DO NOT DOWNLOAD IT UNDER ANY CIRCUMSTANCES! It just went into circulation yesterday, as far as we know. Please distribute this message. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft.
(Note use of big name company, Microsoft and AOL both get a mention in this one. Also, no "real" date is given, only a vague "yesterday")

Please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped.

AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time.
(Note again who said this - Not an antivirus lab!)
Please practice cautionary measures and forward this to all your on-line friends.
(Note this message asks you to forward it on 4 times, this is the best indication that it's a hoax.)

Real Alert

Name: XM97/Laroux-OD
Type: Excel 97 macro virus
Date: 18 June 2001

(Note good summary information, Name, Type and Date released)
Will be detected by Sophos Anti-Virus August 2001 (3.48) or later. A virus identity (IDE) file is available for earlier versions.

At the time of writing Sophos has received just one report of this virus from the wild.

Description:
XM97/Laroux-OD is an Excel spreadsheet virus. This variant of the XM97/Laroux family requires the file PERSONAL.XLS in the XLSTART directory, which it uses to replicate.
(Note that the description has none of the "undetectable drive formatting" type info, simply brief, but informative, technical information. Also notice the tendency toward reassurance rather than panic!)

Download the IDE file from
http://www.sophos.com/downloads/ide/larx-od.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/xm97larouxod.html

Download a ZIP file containing all the IDE files available for the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

(Note that further information is linked to, along with instructions about updating your software.)

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications
(Note source of alert is consistently reaffirmed, and no request for forwarding, no dire prophecies of doom, and no spurious technical information or other mention of "big" Companies are given)

(Thanks to Graham Cluley and Sophos for kind permission in allowing reproduction of this alert. Please note that the links referenced in this alert may not remain current for the life of this article.)

 

How do Hoaxes cost money?

I'm not aware of any official research that has been done on the subject, and while it's quite likely that many of the cost figures bandied about are simply pulled out of the air, there is no doubt that hoaxes can cost you as much as or more than a genuine virus incident.

After all, no anti-virus will detect hoaxes because they aren't viruses. The whole point of a hoax is to try to generate enough concern so that the "alert" will be sent on to all the colleagues and friends of the receiver.

The amount of email that a typical hoax can generate is often enough to overload mail servers. This requires someone's time to fix, and can have knock-on effects, with legitimate mail not being delivered in a timely fashion.

Added to this is the time cost. Every receiver who reads the hoax spends a couple of minutes reading it, and then a few more forwarding it to all their friends and colleagues, who then do the same. In a large company the time wasted can be enormous, and on top of that the person responsible for anti-virus may well be inundated with hundreds of copies of the same message.

There is also the panic and disruption that can be caused. Some companies have been known to shut down their email systems, and some even their whole networks, for no other reason than that they believed a hoax.

Also to be considered is the fact that most users who access the internet from home are paying for the phone call, so it costs them money to download their email. So, before you hit send, think! Is it a hoax?

 

How to prevent hoaxes from spreading

If you receive a chain letter in your email, the easiest thing you can do is to delete it. Do not send it to your friends and relatives. You should not forward any virus warnings of any kind to *anyone*. It doesn't matter if the virus warnings have come from an anti-virus vendor or been confirmed by any large computer company or your best friend.

Many companies have a strict policy about sending virus alerts, so it's always best to do your research in advance. If your company doesn't have a good policy in place, then suggest that they implement something like this.

"Do not forward any virus warnings of any kind to ANYONE other than the person responsible for antivirus issues. It doesn't matter if the virus warnings come from an anti-virus vendor or have been confirmed by a large computer company, a colleague or your best friend! ALL virus warnings should be sent to (name of responsible person) only. It is their job to notify everybody of virus warnings. A virus warning which comes from any other source should be ignored."

As long as everyone follows these rules, there should be no flood of emails, and the person responsible for anti-virus will decide if there is a risk or not.

 

Keep yourself informed

The best way to reduce the cost of virus hoaxes is to keep yourself informed by visiting the anti-virus vendors' sites and seeing what alerts and hoaxes they are listing.

There are also a few really good sites that debunk hoaxes and computer virus myths.

http://www.vmyths.com
http://www.umich.edu/~vbusters
http://www.sophos.com/virusinfo/hoaxes

Correct and current information is the best virus protection you can have!

 

Comments:

1. Impossible claims may be hard for non-technical users to detect, but usually the claims are very wild, like "It will erase everything on your hard drive if you open this mail." This is simply not possible without further action such as running an attached file.

2. The claims often refer to an "undetectable" virus. Well, if it is undetectable, then how do they know it's there and how it works? Logic states therefore that either the virus is actually detectable, and therefore the anti-virus software manufacturers will already be working on cleaning it, or it simply does not exist, which in most cases is the actuality.

3. Bogus technical terms are often used. This is again hard for non-technical users, but some claims to look for are: "this virus works on PC and MAC's", which is extremely unlikely as the nature of the two computers is very different. Hard drive "crashes" and reformats are often given as examples of what might happen; again this is unlikely due to the need for other action by the user. Email can't execute itself as there is no code to execute! It is also common to "quote" big companies such as Microsoft, AOL or IBM, and say that they said it was very dangerous. These companies do not issue virus alerts, so this is another good indication of a hoax.

4. Forward the warning. This is the most common feature of hoaxes, and is their method of spreading. No reputable anti-virus software house (or any other company) will ever ask you to forward their alerts to anybody; a hoax nearly always will.

5. VBS/Bubbleboy is the first known virus that can activate simply by being opened, but it requires certain conditions to be met and is not destructive in any real sense. It also only works in Windows 95 or 98.

6. JS/Kak is without doubt the most successful virus ever in terms of sheer number of systems infected. It uses the same technique of spreading as Bubbleboy.
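
The indicators from the comparison and from comments 1 to 4 can be turned into a rough triage filter for the person who receives forwarded "warnings". The following is an added example, not part of the original article; the regular expressions, weights and threshold are assumptions, and the two sample bodies are excerpts of the alerts quoted above.

```python
import re

# Indicators from the article's comparison and comments 1-4. The regexes,
# weights and threshold are assumptions chosen for this illustration.
INDICATORS = {
    "forward_request": (3, r"forward (this|it)|pass (this|it) (along|on)"
                           r"|distribute this|share (this|it) with"),
    "big_name_source": (2, r"(announced|confirmed)[^.]{0,40}(from|by) (microsoft|aol|ibm)"
                           r"|(microsoft|aol|ibm) (has )?(said|announced|confirmed)"),
    "no_remedy_or_undetectable": (2, r"no remedy|no cure|undetectable"),
    "doom_claim": (2, r"lose everything|hard drive will crash|erase everything"),
    "vague_date": (1, r"\byesterday\b"),
    "insists_not_a_joke": (1, r"not a joke"),
    # Sign of a real alert: a concrete release date such as "18 June 2001".
    "concrete_date": (-2, r"\b\d{1,2} [a-z]+ (19|20)\d{2}\b"),
}
THRESHOLD = 5  # assumed cut-off: a forward request plus one other sign

def score_alert(text):
    """Return (score, {indicator: match_count}) for one message body."""
    flat = " ".join(text.lower().split())  # undo hard line wraps
    hits, score = {}, 0
    for name, (weight, pattern) in INDICATORS.items():
        count = sum(1 for _ in re.finditer(pattern, flat))
        if count:
            hits[name] = count
            score += weight  # each indicator scores once, however often it repeats
    return score, hits

def looks_like_hoax(text):
    return score_alert(text)[0] >= THRESHOLD

# Excerpts of the two alerts quoted in the article above.
HOAX = """READ THIS MESSAGE IMMEDIATELY IT IS NOT A JOKE. If you download it,
you will lose everything! Your hard drive will crash and someone from the
Internet will get your screen name and password! It just went into circulation
yesterday, as far as we know. Please distribute this message. This information
was announced yesterday morning from Microsoft. Please share it with everyone
that might access the Internet. Once again, pass this along to EVERYONE in your
address book so that this may be stopped. AOL has said that this is a very
dangerous virus and that there is NO remedy for it at this time. Please
practice cautionary measures and forward this to all your on-line friends."""
REAL = """Name: XM97/Laroux-OD Type: Excel 97 macro virus Date: 18 June 2001
Will be detected by Sophos Anti-Virus August 2001 (3.48) or later. At the time
of writing Sophos has received just one report of this virus from the wild."""

if __name__ == "__main__":
    for label, body in (("hoax", HOAX), ("real", REAL)):
        print(label, looks_like_hoax(body), *score_alert(body))
```

The match count for `forward_request` on the hoax excerpt is 4, the same four forwarding requests pointed out in the comparison. A message that only asks to be forwarded scores 3 and stays below the threshold.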


© Copyright 2001 - Andrew J Lee
Reprinted with permission
Andrew J Lee
AVIEN Founding Member
http://avien.net  |  gladius@gladius.f9.co.uk

Updated: July 21, 2001