Office of Information Technology


Virus Hoaxes



The Hall of Fame

Interspersed among the junk mail and spam that fill our Internet e-mail boxes are dire warnings about devastating new viruses, Trojans that eat the heart out of your system, and malicious software that can steal the computer right off your desk. Added to that are messages about free money, children in trouble, and other items designed to grab you and get you to forward the message to everyone you know. Nearly all of these messages are hoaxes or chain letters.

While hoaxes do not automatically infect systems like a virus or Trojan, they are still time-consuming and costly to remove from all the systems where they exist. We find that we spend much more time debunking hoaxes than handling real virus and Trojan incidents. This page describes some of the warnings, offers, and pleas for help that fill our mailboxes and clog our mail servers, and that generally have no basis in fact.


The Sulfnbk.exe hoax

One response to hoaxes was to privately share joke virus warnings that parody the outlandish claims made by the hoaxes. Among these was the Honor System Virus, which took the form of a request for users to manually erase their hard drives. The Sulfnbk hoax used this idea, attempting to entice victims to erase a nonessential file from the Windows directory.

Here's part of that message: "A VIRUS could be in your computer files now, dormant but will become active on June 1. Try not to USE your Computer on June 1st. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW. No Virus software can detect it. It will become active on June 1, 2001. It might be too late by then. It wipes out all files and folders on the hard drive. This virus travels thru e-mail and migrates to the 'C:\windows\command' folder. To find it and get rid of it off of your computer, do the following."

At this point, the e-mail provides instructions for deleting the file. You'll notice that this hoax message names a specific date. Adding to the confusion was the fact that the file indicated, Sulfnbk.exe, could become infected with other viruses and therefore appear infected to a virus scan.


The Jdbgmgr.exe virus warning

The recent Jdbgmgr.exe virus hoax proved much more perilous than the Sulfnbk hoax; it instructs users to delete a useful Windows system file. The hoax describes an infection process similar to that of several real viruses—attacking Outlook and e-mailing itself to the contact list, for example.

Read this excerpt from the original message (note the misspellings): "I got this message about a virus that can produce lot of dammage to your computer. If you follow the instructions, which are very easy, you would be able to "clean" your computer. Apparently the virus spreads through the adresses book. I got it, then may be I passed it to you too, sorry. The name of the virus is Jdbgmgr.exe and is transmitted automatically through the Messanger and addresses book of the OUTLOOK. The virus is neither detected by Norton nor by Mc Afee. It remains in lethargy ("sleeping") for 14 days and even more, before it destroys the whole system. It can be eliminated during this period."

The rest of the message contains instructions for locating and deleting the Jdbgmgr.exe file. The file in question is the Java Debug Manager program, part of the Microsoft Java run-time engine. Although deleting the file will not cause Windows to fail, it can interfere with the proper function of Java applets.


The Budweiser Frogs Screen Saver hoax

Some genuine viruses—most notoriously, the ILoveYou, Melissa, and Anna Kournikova viruses—infect systems when a user clicks on an attachment. After the widespread media coverage of those viruses, users became skeptical of the notion of getting a virus merely by reading an e-mail. So hoaxes began appearing warning of viruses that come in e-mail attachments. One well-known case is the warning about a Budweiser Frog screen saver.

Read the following excerpt from this hoax message: "Someone is sending out a very cute screensaver of the Budweiser frogs. If you download it, you will lose everything! Your hard drive will crash and someone from the Internet will get your screen name and password! DO NOT DOWNLOAD IT UNDER ANY CIRCUMSTANCES! It just went into circulation yesterday. Please distribute this message. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft. Please share it with everyone that might access the Internet. Once again, Pass This Along To EVERYONE in your address book so that this may be stopped. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time."

This e-mail message also cites an authority—Microsoft, this time—but doesn't include a link to information about it, or quotes from anyone at Microsoft. Note the claim that the virus went into circulation “yesterday”—a real warning would cite a specific date, not some ambiguous day.


The phony It Takes Guts To Say Jesus warning

This hoax message cites an announcement from IBM but doesn’t provide a direct quote. The warning about the common delivery failure e-mail title is also a nice touch. Check out these passages from the hoax message warning: "...about the It Takes Guts To Say Jesus virus: This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from IBM; please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped. Also, do not open or even look at any mail that says "RETURNED OR UNABLE TO DELIVER." This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that say this. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time. Please practice cautionary measures and forward this to all your online friends ASAP."

Although this message has been pretty well debunked, it still turns up from time to time, and variations on the theme are common.


The WTC Survivor Message fraud

This message hoax is a more recent variation that uses a provocative title. And just as real viruses change their tactics, so do bogus virus warnings. In a way, the change in hoax message tactics is encouraging; it implies a rising level of awareness among the potential audience. This particular message includes a line indicating the author would rather be inundated with 25 false warnings than fail to receive a real one.

And of course, this example has an attention-grabbing headline about the World Trade Center: "(FOR THOSE THAT DONT KNOW, "WTC" STANDS FOR THE WORLD TRADE CENTER... WHICH MAKES THIS VIRUS REALLY DANGEROUS BECAUSE PEOPLE WILL OPEN IT RIGHT AWAY... THINKING IT'S A STORY RELATING TO 9/11... PLEASE BE CAREFUL… :) BIGGGG TROUBLE !!!! DO NOT OPEN "WTC Survivor" It is a virus that will erase your whole "C" drive. It will come to you in the form of an e-mail from a familiar person. I repeat a friend sent it to me, but called and warned me before I opened it. He was not so lucky and now he can't even start his computer! Forward this to everyone in your address book. I would rather receive this 25 times than not at all. If you receive an e-mail called "WTC Survivor" do not open it. Delete it right away! This virus removes all dynamic link libraries (.dll files) from your computer. This is a serious one!"


The Good Times virus hoax

Although virus hoaxes may not have originated with the Good Times warning, it was one of the first to attract a lot of attention. It circulated throughout America Online but also appeared outside that system. It was typical of early virus hoaxes in that it warned that simply reading an e-mail purported to carry the virus could erase data.

Here is a passage from that original message: "There is a virus on America Online being sent by e-Mail. If you get anything called "Good Times," DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot."

Of course, savvy users realized that a plain text e-mail couldn't carry an active virus. However, to inexperienced users, the warning of something malicious appearing on their computers gave shape to unspoken fears of their computer’s mysterious workings.


The fake Virtual Card virus warning

Similar to the Budweiser Frogs hoax is this phony warning that would make users leery of popular virtual greeting cards: "A new virus has just been discovered that has been classified by Microsoft as the most destructive ever! This virus was discovered yesterday afternoon by McAfee and no vaccine has yet been developed. This virus simply destroys Sector Zero from the hard disk, where vital information for its functioning is stored. This virus acts in the following manner: It sends itself automatically to all contacts on your list with the title "A Card for You." As soon as the supposed virtual card is opened, the computer freezes so that the user has to reboot. When the keys or the reset button are pressed, the virus destroys Sector Zero, thus permanently destroying the hard disk. Yesterday in just a few hours this virus caused panic in New York, according to news broadcast by CNN. This alert was received by an employee of Microsoft itself. So don't open any mails with subject: "A Virtual Card for You." As soon as you get the mail, delete it. Even if you know the sender."

This warning combines citations from several authorities with ominous technobabble about destroying Sector Zero.

Notice that the warning anticipates the trend of viruses mailing themselves to a user’s contact list. Since one would expect most virtual cards to arrive from friends, the message warns about cards sent from someone the reader knows. Taken apart from the hoax, this is actually good advice, as many of the recent viruses raid the target computer’s address book and therefore often appear to be sent by someone the victim knows. It's important to tell your users that e-mail with unexpected attachments should always be regarded with discretion, even when the sender is trusted.
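The traits these hoaxes share (a plea to forward the message, an authority named without a link, a vague "yesterday", a claim that no antivirus can help, and instructions to delete a file by hand) can be checked mechanically when triaging forwarded warnings. The Python sketch below is an added example, not part of the original page; the rule names, regular expressions and the cutoff of three indicators are assumptions made for illustration, and the sample texts are abridged from the excerpts quoted above plus one constructed advisory.

```python
import re

# Assumed rules for this example: each regex approximates one trait shared by
# the hoax messages quoted on this page. Names and patterns are illustrative.
RULES = {
    "forward_plea": r"\b(forward|pass|distribute|share)\b.{0,60}\b(everyone|all your|this message)\b",
    "unsourced_authority": r"\b(announced|discovered|classified|according)\b.{0,80}\b(microsoft|ibm|aol|mcafee|cnn)\b",
    "relative_date": r"\byesterday\b",
    "undetectable_claim": r"\bno (virus software|remedy|vaccine)\b|\bneither detected\b",
    "catastrophic_claim": r"\b(erase|wipes? out|destroys?|lose everything)\b",
    "manual_removal": r"\b(delete|remove|get rid of)\b",
}
COMPILED = {name: re.compile(rx, re.I | re.S) for name, rx in RULES.items()}
URL = re.compile(r"https?://\S+", re.I)


def hoax_indicators(text):
    """Return the sorted names of all rules that the message text triggers."""
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    # Naming an authority is only a warning sign when no checkable link backs it.
    if URL.search(text):
        hits.discard("unsourced_authority")
    return sorted(hits)


def looks_like_hoax(text, threshold=3):
    """Flag a message for review when enough traits co-occur (assumed cutoff)."""
    return len(hoax_indicators(text)) >= threshold


# Abridged from the Budweiser Frogs and Sulfnbk.exe excerpts quoted on this page.
BUDWEISER = (
    "If you download it, you will lose everything! It just went into "
    "circulation yesterday. Please distribute this message. This information "
    "was announced yesterday morning from Microsoft. AOL has said that this is "
    "a very dangerous virus and that there is NO remedy for it at this time."
)
SULFNBK = (
    "FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW. "
    "No Virus software can detect it. It wipes out all files and folders on "
    "the hard drive."
)
# Constructed sample of a sourced advisory, for contrast.
ADVISORY = (
    "Advisory, 14 May 2001: a patch for the mail client was announced by "
    "Microsoft; see https://example.org/advisories/placeholder for details."
)

if __name__ == "__main__":
    for name, msg in [("budweiser", BUDWEISER), ("sulfnbk", SULFNBK), ("advisory", ADVISORY)]:
        print(name, looks_like_hoax(msg), hoax_indicators(msg))
```

A score like this only prioritises messages for a human to check against a vendor's published advisories; it does not prove that a warning is false.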