Although the technically savvy see through a hoax's dire warnings, many end users harbor a deep fear of accidentally opening a virus that will cause problems on their system or network. These users have the best intentions when they forward these hoax e-mail messages about viruses lurking on the Internet to other users.
As IT professionals, we should educate end users about hoaxes to quell their fears and cut down on unnecessary e-mail traffic. In previous articles, I alerted you to a number of hoaxes and gave you some tips on patterns that can help you identify bogus messages. But there are still some notorious (and, in some cases, long-lived) virus hoaxes that users continue to spread around.
To help you train your users to spot a virus hoax, share with them these passages I've collected from several hoax e-mail messages. You can also use these passages in e-mail screening programs to stop the messages before they make it to your users' inboxes.
Alert your users with a hoax notification letter
TechRepublic member Mark Simonds sent in a sample of a memo he sends to users to explain what a hoax virus message is and how to report one if such a message ends up in their inboxes.
The Good Times virus hoax
Although virus hoaxes may not have originated with the Good Times warning, it was one of the first to attract a lot of attention. It circulated throughout America Online but also appeared outside that system. It was typical of early virus hoaxes in that it warned that simply reading an e-mail purported to carry the virus could erase data. Here is a passage from that original message:
There is a virus on America Online being sent by e-Mail. If you get anything called "Good Times," DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot.
Of course, savvy users realized that a plain text e-mail couldn't carry an active virus. However, to inexperienced users, the warning of something malicious appearing on their computers gave shape to unspoken fears of their computer’s mysterious workings.
The phony It Takes Guts To Say Jesus warning
This hoax message cites an announcement from IBM but doesn’t provide a direct quote. The warning about the common delivery failure e-mail title is also a nice touch. Check out these passages from the hoax message warning about the It Takes Guts To Say Jesus virus:
This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from IBM; please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped.
Also, do not open or even look at any mail that says "RETURNED OR UNABLE TO DELIVER."
This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that say this. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time. Please practice cautionary measures and forward this to all your online friends ASAP.
Although this message has been pretty well debunked, it still turns up from time to time, and variations on the theme are common.
The WTC Survivor message fraud
This message hoax is a more recent variation that uses a provocative title. And just as real viruses change their tactics, so do bogus virus warnings. In a way, the change in hoax message tactics is encouraging; it implies a rising level of awareness among the potential audience.
This particular message includes a line indicating the author would rather be inundated with 25 false warnings than fail to receive a real one. And of course, this example has an attention-grabbing headline about the World Trade Center:
(FOR THOSE THAT DONT KNOW, "WTC" STANDS FOR THE WORLD TRADE CENTER... WHICH MAKES THIS VIRUS REALLY DANGEROUS BECAUSE PEOPLE WILL OPEN IT RIGHT AWAY... THINKING IT'S A STORY RELATING TO 9/11... PLEASE BE CAREFUL… :)
BIGGGG TROUBLE !!!! DO NOT OPEN "WTC Survivor" It is a virus that will erase your whole "C" drive. It will come to you in the form of an e-mail from a familiar person. I repeat a friend sent it to me, but called and warned me before I opened it. He was not so lucky and now he can't even start his computer! Forward this to everyone in your address book. I would rather receive this 25 times than not at all.
If you receive an e-mail called "WTC Survivor" do not open it. Delete it right away! This virus removes all dynamic link libraries (.dll files) from your computer. This is a serious one!
The Budweiser Frogs Screen Saver hoax
Some genuine viruses—most notoriously, the ILoveYou, Melissa, and Anna Kournikova viruses—infect systems when a user clicks on an attachment. After the widespread media coverage of those viruses, users became skeptical of the notion of getting a virus merely by reading an e-mail. So hoaxes began appearing warning of viruses that come in e-mail attachments. One well-known case is the warning about a Budweiser Frog screen saver. Read the following excerpt from this hoax message:
Someone is sending out a very cute screensaver of the Budweiser frogs. If you download it, you will lose everything! Your hard drive will crash and someone from the Internet will get your screen name and password! DO NOT DOWNLOAD IT UNDER ANY CIRCUMSTANCES! It just went into circulation yesterday. Please distribute this message. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft. Please share it with everyone that might access the Internet.
Once again, Pass This Along To EVERYONE in your address book so that this may be stopped. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time.
This e-mail message also cites an authority—Microsoft, this time—but doesn't include a link to information about it or quotes from anyone at Microsoft. Note the claim that the virus went into circulation “yesterday”—a real warning would cite a specific date, not some ambiguous day.
The fake Virtual Card virus warning
Similar to the Budweiser Frogs hoax is this phony warning that would make users leery of popular virtual greeting cards:
A new virus has just been discovered that has been classified by Microsoft as the most destructive ever! This virus was discovered yesterday afternoon by McAfee and no vaccine has yet been developed.
This virus simply destroys Sector Zero from the hard disk, where vital information for its functioning is stored.
This virus acts in the following manner: It sends itself automatically to all contacts on your list with the title "A Card for You."
As soon as the supposed virtual card is opened, the computer freezes so that the user has to reboot. When the keys or the reset button are pressed, the virus destroys Sector Zero, thus permanently destroying the hard disk.
Yesterday in just a few hours this virus caused panic in New York, according to news broadcast by CNN. This alert was received by an employee of Microsoft itself. So don't open any mails with subject: "A Virtual Card for You." As soon as you get the mail, delete it. Even if you know the sender.
This warning combines citations from several authorities with ominous technobabble about destroying Sector Zero. Notice that the warning anticipates the trend of viruses mailing themselves to a user’s contact list.
Since one would expect most virtual cards to arrive from friends, the message warns about cards sent from someone the reader knows. Taken apart from the hoax, this is actually good advice, as many of the recent viruses raid the target computer’s address book and therefore often appear to be sent by someone the victim knows. It's important to tell your users that e-mail with unexpected attachments should always be regarded with discretion, even when the sender is trusted.
The Sulfnbk.exe hoax
Bemused computer programmers and support personnel responded to these hoaxes by privately sharing joke virus warnings that parody the hoaxes' outlandish claims. Among these was the Honor System Virus, which took the form of a request for users to manually erase their hard drives. The Sulfnbk hoax used this idea, attempting to entice victims to erase a nonessential file from the Windows directory. Here's part of that message:
A VIRUS could be in your computer files now, dormant but will become active on June 1. Try not to USE your Computer on June 1st. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW. No Virus software can detect it. It will become active on June 1, 2001. It might be too late by then. It wipes out all files and folders on the hard drive. This virus travels thru e-mail and migrates to the 'C:\windows\command' folder. To find it and get rid of it off of your computer, do the following.
At this point, the e-mail provides instructions for deleting the file. You'll notice that this hoax message names a specific date. Adding to the confusion was the fact that the file indicated, Sulfnbk.exe, could become infected with other viruses and therefore appear infected to a virus scan. Check out this article for more information on the Sulfnbk.exe virus hoax.
The Jdbgmgr.exe virus warning
The recent Jdbgmgr.exe virus hoax proved much more perilous than the Sulfnbk hoax; it instructs users to delete a useful Windows system file. The hoax describes an infection process similar to that of several real viruses—attacking Outlook and e-mailing itself to the contact list, for example.
Read this excerpt from the original message (note the misspellings):
I got this message about a virus that can produce lot of dammage to your computer. If you follow the instructions, which are very easy, you would be able to "clean" your computer.
Apparently the virus spreads through the adresses book. I got it, then may be I passed it to you too, sorry.
The name of the virus is Jdbgmgr.exe and is transmitted automatically through the Messanger and addresses book of the OUTLOOK. The virus is neither detected by Norton nor by Mc Afee. It remains in lethargy ("sleeping") for 14 days and even more, before it destroys the whole system. It can be eliminated during this period.
The rest of the message contains instructions for locating and deleting the Jdbgmgr.exe file. The file in question is the Java Debug Manager program, part of the Microsoft Java run-time engine. Although deleting the file will not cause Windows to fail, it can interfere with the proper function of Java applets.
If one of your users has already deleted the file, the Microsoft Knowledge Base article Q322993 describes how to restore it.
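The introduction suggests feeding these passages into an e-mail screening program. The following Python code is an added example, not code from the original article: it matches subjects and file names from the hoaxes quoted above and scores the traits noted along the way (chain-forward requests, vague dates, "no remedy" claims, an authority named with no link). The regular expressions, weights, threshold, and sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Subjects and file names taken from the hoax passages quoted in this article.
KNOWN_PHRASES = ["good times", "it takes guts to say jesus", "wtc survivor",
                 "budweiser frogs", "a virtual card for you",
                 "sulfnbk.exe", "jdbgmgr.exe"]

# Traits the article points out in hoax wording (patterns are assumptions).
TRAITS = {
    "forward_request": r"(forward|pass) this (along )?to (all|everyone)",
    "vague_date": r"(announced|discovered|into circulation) yesterday",
    "no_remedy": r"\bno (remedy|vaccine)\b|no virus software can detect",
}
AUTHORITY = r"\b(ibm|microsoft|aol|mcafee|cnn)\b"


def normalize(text):
    """Fold Unicode variants, case and whitespace so layout can't hide a phrase."""
    text = unicodedata.normalize("NFKC", text).replace("\u2019", "'")
    return re.sub(r"\s+", " ", text).lower()


def screen(subject, body, threshold=3):
    """Score a message: 2 per known phrase, 1 per trait; quarantine at threshold."""
    text = normalize(subject + "\n" + body)
    hits = [f"phrase:{p}" for p in KNOWN_PHRASES if p in text]
    score = 2 * len(hits)
    traits = [name for name, rx in TRAITS.items() if re.search(rx, text)]
    # An authority named with nothing to follow up on (no link) is a trait too.
    if re.search(AUTHORITY, text) and not re.search(r"https?://", text):
        traits.append("authority_without_link")
    score += len(traits)
    hits += [f"trait:{t}" for t in traits]
    return {"score": score, "quarantine": score >= threshold, "hits": hits}


# Constructed sample, abridged from the Budweiser Frogs passage above.
HOAX_BODY = ("Someone is sending out a very cute screensaver of the Budweiser "
             "frogs. It just went into circulation yesterday. This information "
             "was announced yesterday morning from Microsoft. Pass This Along "
             "To EVERYONE in your address book. AOL has said that there is NO "
             "remedy for it at this time.")

if __name__ == "__main__":
    print(screen("FW: Virus warning", HOAX_BODY))
    # A lone phrase match stays under the threshold, so ordinary mail passes.
    print(screen("Good times at the offsite", "Photos are on the shared drive."))
```

Scoring instead of blocking on a single phrase keeps ordinary mail that happens to say "good times" out of quarantine, while a message that stacks several hoax traits is held for review.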
Virus hoax Internet resources
Just as the propagation of legitimate viruses has spawned an industry devoted to antivirus protection, the proliferation of hoaxes (which are, after all, easier to create and distribute) has caused a number of sites to issue alerts when a bogus warning appears. The following sites contain useful information about virus hoaxes. When in doubt about a received warning, check one of these sites. And of course, visit TechRepublic for news regarding viruses and other security issues.