Security

Get IT Done: Educate users about virus hoaxes

See why virus hysteria can harm your organization and get some tips on helping users distinguish between real threats and hoaxes


The SirCam virus’ recent debut has again raised awareness of the threat posed by e-mail-borne viruses. This awareness is a vital part of your company’s antivirus strategy, but unfortunately, well-intentioned employees might be falling victim to another side of this insidious coin and giving your mail server additional headaches by circulating virus hoaxes.

Almost as dangerous
As the many clones and variations of well-known viruses such as Melissa and IloveYou attest, assembling a virus isn’t necessarily that big a trick. But it’s even easier to spawn a flood of e-mail that, while not a virus, can clog your servers and, worse, is much harder to kill. How? Craft an impressive-sounding, frightening warning about a nonexistent virus, and tell people to forward it to everyone they know.

Originally, these warnings advised readers to avoid even reading so called “infected” e-mail—although the text messages couldn’t possibly contain malicious code. With viruses now lurking in attachments, pranksters have plenty more paranoia to play upon. For example, here’s a copy of an e-mail warning recently circulated at my company.

Sample virus hoax
Read and Heed. Very Urgent!!
Do not open any attachment to e-mail entitled:
"It Takes Guts to Say Jesus"
DO NOT OPEN IT.
It will erase everything
on your hard drive.
This information was announced
recently from IBM.
AOL states that this is a
very dangerous virus...
much worse than "Melissa" and
that there is no remedy for
it at this time.
Some very sick individual has
succeeded in using the reformat
function from Norton Utilities,
causing it to completely erase
all documents on the hard drive.
It has been designed to work with
Netscape Navigator and Microsoft
Internet Explorer.
It destroys Macintosh- and
IBM-compatible computers.
This very malicious virus is new,
and not many people know about it.


A bit of creative writing
Let’s take a look at the components of this threat. The hoax’s writer has used several impressive-sounding names, such as the Melissa virus itself, AOL, IBM, and Norton Utilities. The writer hopes to gain credibility by dropping as many names as possible. Unfortunately, the operations the e-mail describes, while intended to sound impressively technical, are pure bunk. For starters, IBM rarely originates virus warnings. The lack of links to any particular warning is also a clue to the message’s falsity.

Although not included in this message, phony virus warnings often share a trait in common with other hoaxes, chain letters, and urban legends: a message urging the reader to forward the e-mail to everyone he or she knows. Chain letters and hoaxes of all types rely on gullible readers to propagate; that’s why it’s rare to see warnings about the thoroughly debunked “Good Times” virus.

Trash files with the user’s help
Unfortunately, the troublemakers have been raising the bar. Late in May, an e-mail began making the rounds advising users to delete a Windows utility, Sulfnbk.exe, which handles long file names. The e-mail asserted that this file had been installed by a virus and would cause dreadful harm if not deleted.

While virus experts believe this e-mail may have been confused with an authentic threat—genuinely infected copies of Sulfnbk.exe have been detected—it’s far more preferable to disinfect a contaminated file than to delete it entirely. Up-to-date antivirus software should help reassure users that their files have both sufficient protection and a ready remedy in case of corruption.

Virus myth education
Fortunately, it’s a lot easier to be on guard against this kind of threat. Just as technology sites are quick to expose genuine threats, there are a number of sites that collect information about the latest hoaxes.

The Department of Energy’s Computer Incident Advisory Capability (CIAC) maintains the Hoaxbusters Web site in an effort to identify the newest panic-inducing messages. Similarly, Symantec, makers of the Norton AntiVirus suite, has a page listing virus hoaxes as well as genuine threats.

Another source, Vmyths.com, is dedicated to collecting information about phony warnings. Prominent links describe common traits of phony warnings and the false authority syndrome (in which expertise in one field is used to give credibility to claims made in another or, put another way, why hoaxers cite everyone from Big Blue to Big Bird as originating their “warnings”). Also, although IBM doesn’t usually sound virus alerts, it does maintain a collection of papers on real and bogus viruses.

Once you know how to spot a questionable warning, educate your users with an eye toward easing the virus paranoia. The dire prophecies in these bogus e-mails are transparently false to experienced eyes, but they prey on the inherent fear many novices have in approaching their systems—that some mysterious doohickey is going to go haywire and destroy everything.

It’s up to you
As a support or training professional, you owe it to your company to ensure that your users think twice before opening e-mail attachments. A little background, though, on why they’re a problem—and what constitutes a legitimate threat—can not only put your users on guard against the next attack but can also prevent them from gumming up your mail server by forwarding silly warnings.

Also keep in mind that unlike many of the recent crop of VBScript viruses, bogus messages rely on good intentions, not just ignorance, to circulate. Recognize that while a temporary flood of e-mail is an inconvenience, the person who forwarded the message thought he or she was doing the right thing.

You might even back the training up with a policy stating that no employee should pass around a virus warning unless it came from the IT department itself. For that matter, it might not hurt to restrict mass e-mail forwarding to strictly business-related matters.

Report a hoax
If you have a virus hoax you’d like to report, post a comment or send us a note. We’ll be compiling your responses into a master hoax list.

 

Editor's Picks