
Virus-Hoax



> 
> Date: Sat, 23 Nov 1996 18:43:18 -0800
> From: "David Crawford by way of Fence-Walker(UNCL clicking in fm home)" <[email protected]>
> Subject: CIAC Bulletin H-05: Internet Hoaxes
> X-Digest: Volume 9 : Issue 230
> 
> - ----BEGIN PGP SIGNED MESSAGE-----
> 
> 
>              __________________________________________________________
> 
>                        The U.S. Department of Energy
>                     Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>              __________________________________________________________
> 
>                              INFORMATION BULLETIN
> 
>             Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost
> 
> November 20, 1996 15:00 GMT                                        Number H-05
> ______________________________________________________________________________
> PROBLEM:       This bulletin addresses the following hoaxes and erroneous
>                warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
>                Ghost.exe
> PLATFORM:      All, via e-mail
> DAMAGE:        Time lost reading and responding to the messages
> SOLUTION:      Pass unvalidated warnings only to your computer security
>                department or incident response team. See below on how to
>                recognize validated and unvalidated warnings and hoaxes.
> ______________________________________________________________________________
> VULNERABILITY  New hoaxes and warnings have appeared on the Internet and old
> ASSESSMENT:    hoaxes are still being circulated.
> ______________________________________________________________________________
> 
> 
> Introduction
> ============
> 
> The Internet is constantly being flooded with information about computer
> viruses and Trojans. However, interspersed among real virus notices are
> computer virus hoaxes. While these hoaxes do not infect systems, they are
> still time consuming and costly to handle. At CIAC, we find that we are
> spending much more time de-bunking hoaxes than handling real virus incidents.
> This advisory addresses the most recent warnings that have appeared on the
> Internet and are being circulated throughout world today. We will also address
> the history behind virus hoaxes, how to identify a hoax, and what to do if you
> think a message is or is not a hoax. Users are requested to please not spread
> unconfirmed warnings about viruses and Trojans. If you receive an unvalidated
> warning, don't pass it to all your friends, pass it to your computer security
> manager to validate first. Validated warnings from the incident response teams
> and antivirus vendors have valid return addresses and are usually PGP signed
> with the organization's key.
> 
> PKZ300 Warning
> ==============
> 
> The PKZ300 Trojan is a real Trojan program, but the initial warning about it
> was released over a year ago. For information pertaining to PKZ300 Trojan
> reference CIAC Notes issue 95-10, that was released in June of 1995.
> 
> http://ciac.llnl.gov/ciac/notes/Notes10.shtml
> 
> The warning itself, on the other hand, is gaining urban legend status. There
> has been an extremely limited number of sightings of this Trojan and those
> appeared over a year ago. Even though the Trojan warning is real, the repeated
> circulation of the warning is a nuisance. Individuals who need the current
> release of  PKZIP should visit the PKWARE web page at http://www.pkware.com.
> CIAC recommends that you DO NOT recirculate the warning about this particular
> Trojan.
> 
> Irina Virus Hoax
> ================
> 
> The "Irina" virus warnings are a hoax. The former head of an electronic
> publishing company circulated the warning to create publicity for a new
> interactive book by the same name. The publishing company has apologized for
> the publicity stunt that backfired and panicked Internet users worldwide. The
> original warning claimed to be from a Professor Edward Pridedaux of the
> College of Slavic Studies in London; there is no such person or college.
> However, London's School of  Slavonic and East European Studies has been
> inundated with calls. This poorly thought-out publicity stunt was highly
> irresponsible. For more information pertaining to this hoax, reference the
> UK Daily Telegraph at http://www.telegraph.co.uk.
> 
> Good Times Virus Hoax
> =====================
> 
> The "Good Times" virus warnings are a hoax. There is no virus by that name in
> existence today. These warnings have been circulating the Internet for years.
> The user community must become aware that it is unlikely that a virus can be
> constructed to behave in the manner ascribed in the "Good Times" virus
> warning. For more information related to this urban legend, reference CIAC
> Notes 95-09.
> 
> http://ciac.llnl.gov/ciac/notes/Notes09.shtml
> 
> Deeyenda Virus Hoax
> ===================
> 
> The "Deeyenda" virus warnings are a hoax. CIAC has received inquiries
> regarding the validity of the Deeyenda virus. The warnings are very similar
> to those for Good Times, stating that the FCC issued a warning about it,
> and that it is self activating and can destroy the contents of a machine
> just by being downloaded. Users should note that the FCC does not and will
> not issue virus or Trojan warnings. It is not their job to do so. As of this
> date, there are no known viruses with the name Deeyenda in existence. For a
> virus to spread, it  must be executed. Reading a mail message does not execute
> the mail message. Trojans and viruses have been found as executable attachments
> to mail messages, but they must be extracted and executed to do any harm. CIAC
> still affirms that reading E-mail, using typical mail agents, cannot activate
> malicious code delivered in or with the message.
> 
> Ghost.exe Warning
> =================
> 
> The Ghost.exe program was originally distributed as a free screen saver
> containing some advertising information for the author's company (Access
> Softek). The program opens a window that shows a Halloween background with
> ghosts flying around the screen. On any Friday the 13th, the program window
> title changes and the ghosts fly off the window and around the screen. Someone
> apparently got worried and sent a message indicating that this might be a
> Trojan. The warning grew until it said that Ghost.exe was a Trojan that
> would destroy your hard drive and the developers got a lot of nasty phone
> calls (their names and phone numbers were in the About box of the program.)
> A simple phone call to the number listed in the program would have stopped
> this warning from being sent out. The original ghost.exe program is just cute;
> it does not do anything damaging. Note that this does not mean that ghost
> could not be infected with a virus that does do damage, so the normal
> antivirus procedure of scanning it before running it should be followed.
> 
> History of Virus Hoaxes
> =======================
> 
> Since 1988, computer virus hoaxes have been circulating the Internet. In
> October of that year, according to Ferbrache ("A pathology of Computer
> Viruses" Springer, London, 1992) one of the first virus hoaxes was the
> 2400 baud modem virus:
> 
> 	SUBJ: Really Nasty Virus
>  	AREA: GENERAL (1)
> 
>  	I've just discovered probably the world's worst computer virus
>  	yet. I had just finished a late night session of BBS'ing and file
>  	treading when I exited Telix 3 and attempted to run pkxarc to
>  	unarc the software I had downloaded. Next thing I knew my hard
>  	disk was seeking all over and it was apparently writing random
>  	sectors. Thank god for strong coffee and a recent backup.
>  	Everything was back to normal, so I called the BBS again and
>  	downloaded a file. When I went to use ddir to list the directory,
>  	my hard disk was getting trashed again. I tried Procomm Plus TD
>  	and also PC Talk 3. Same results every time. Something was up so I
>  	hooked up to my test equipment and different modems (I do research
>  	and development for a local computer telecommunications company
>  	and have an in-house lab at my disposal). After another hour of
>  	corrupted hard drives I found what I think is the world's worst
>  	computer virus yet. The virus distributes itself on the modem sub-
>  	carrier present in all 2400 baud and up modems. The sub-carrier is
>  	used for ROM and register debugging purposes only, and otherwise
>  	serves no othr (sp) purpose. The virus sets a bit pattern in one
>  	of the internal modem registers, but it seemed to screw up the
>  	other registers on my USR. A modem that has been "infected" with
>  	this virus will then transmit the virus to other modems that use a
>  	subcarrier (I suppose those who use 300 and 1200 baud modems
>  	should be immune). The virus then attaches itself to all binary
>  	incoming data and infects the host computer's hard disk. The only
>  	way to get rid of this virus is to completely reset all the modem
>  	registers by hand, but I haven't found a way to vaccinate a modem
>  	against the virus, but there is the possibility of building a
>  	subcarrier filter. I am calling on a 1200 baud modem to enter this
>  	message, and have advised the sysops of the two other boards
>  	(names withheld). I don't know how this virus originated, but I'm
>  	sure it is the work of someone in the computer telecommunications
>  	field such as myself. Probably the best thing to do now is to
>  	stick to 1200 baud until we figure this thing out.
> 
> 	Mike RoChenle
> 
> This bogus virus description spawned a humorous alert by Robert Morris III :
> 
>  	Date: 11-31-88 (24:60)	Number: 32769
>  	To: ALL	Refer#: NONE
>  	From: ROBERT MORRIS III	Read: (N/A)
>  	Subj: VIRUS ALERT	Status: PUBLIC MESSAGE
> 
>  	Warning: There's a new virus on the loose that's worse than
>  	anything I've seen before! It gets in through the power line,
>  	riding on the powerline 60 Hz subcarrier. It works by changing the
>  	serial port pinouts, and by reversing the direction one's disks
>  	spin. Over 300,000 systems have been hit by it here in Murphy,
>  	West Dakota alone! And that's just in the last 12 minutes.
> 
> 	It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
>  	RSX-11, ITS, TRS-80, and VHS systems.
> 
>  	To prevent the spresd of the worm:
> 
>  	1) Don't use the powerline.
>  	2) Don't use batteries either, since there are rumors that this
>  	  virus has invaded most major battery plants and is infecting the
>  	  positive poles of the batteries. (You might try hooking up just
>  	  the negative pole.)
>  	3) Don't upload or download files.
>  	4) Don't store files on floppy disks or hard disks.
>  	5) Don't read messages. Not even this one!
>  	6) Don't use serial ports, modems, or phone lines.
>  	7) Don't use keyboards, screens, or printers.
>  	8) Don't use switches, CPUs, memories, microprocessors, or
>  	  mainframes.
>  	9) Don't use electric lights, electric or gas heat or
>  	  airconditioning, running water, writing, fire, clothing or the
>  	  wheel.
> 
>  	I'm sure if we are all careful to follow these 9 easy steps, this
>  	virus can be eradicated, and the precious electronic flui9ds of
>  	our computers can be kept pure.
> 
>  	---RTM III
> 
> Since that time virus hoaxes have flooded the Internet. With thousands of
> viruses worldwide, virus paranoia in the community has risen to an extremely
> high level. It is this paranoia that fuels virus hoaxes. A good example of
> this behavior is the "Good Times" virus hoax which started in 1994 and is
> still circulating the Internet today. Instead of spreading from one computer
> to another by itself, Good Times relies on people to pass it along.
> 
> How to Identify a Hoax
> ======================
> 
> There are several methods to identify virus hoaxes, but first consider what
> makes a successful hoax on the Internet. There are two known factors that make
> a successful virus hoax, they are: (1) technical sounding language, and
> (2) credibility by association. If the warning uses the proper technical
> jargon, most individuals, including technologically savvy individuals, tend to
> believe the warning is real. For example, the Good Times hoax says that
> "...if the program is not stopped, the computer's processor will be placed in
> an nth-complexity infinite binary loop which can severely damage the
> processor...". The first time you read this, it sounds like it might be
> something real. With a little research, you find that there is no such thing
> as an nth-complexity infinite binary loop and that processors are designed
> to run loops for weeks at a time without damage.
> 
> When we say credibility by association we are referring to who sent the
> warning. If the janitor at a large technological organization sends a warning
> to someone outside of that organization, people on the outside tend to believe
> the warning because the company should know about those things. Even though
> the person sending the warning may not have a clue what he is talking about,
> the prestige of the company backs the warning, making it appear real. If a
> manager at the company sends the warning, the message is doubly backed by the
> company's and the manager's reputations.
> 
> Individuals should also be especially alert if the warning urges you to pass
> it on to your friends. This should raise a red flag that the warning may be
> a hoax. Another flag to watch for is when the warning indicates that it is a
> Federal Communications Commission (FCC) warning. According to the FCC, they
> have not and never will disseminate warnings on viruses. It is not part of
> their job.
> 
> CIAC recommends that you DO NOT circulate virus warnings without first
> checking with an authoritative source. Authoritative sources are your computer
> system security administrator or a computer incident advisory team. Real
> warnings about viruses and other network problems are issued by different
> response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by
> the sending team using PGP. If you download a warning from a team's web site or
> validate the PGP signature, you can usually be assured that the warning is
> real. Warnings without the name of the person sending the original notice, or
> warnings with names, addresses and phone numbers that do not actually exist
> are probably hoaxes.
> 
> What to Do When You Receive a Warning
> =====================================
> 
> Upon receiving a warning, you should examine its PGP signature to see that it
> is from a real response team or antivirus organization. To do so, you will
> need a copy of the PGP software and the public signature of the team that
> sent the message. The CIAC signature is available from the CIAC web server
> at:
> 
> http://ciac.llnl.gov
> 
> If there is no PGP signature, see if the warning includes the name of the
> person submitting the original warning. Contact that person to see if he/she
> really wrote the warning and if he/she really touched the virus. If he/she is
> passing on a rumor or if the address of the person does not exist or if
> there is any question about the authenticity of the warning, do not circulate
> it to others. Instead, send the warning to your computer security manager or
> incident response team and let them validate it. When in doubt, do not send
> it out to the world. Your computer security managers and the incident response
> teams have experts who try to stay current on viruses and their warnings.
> In addition, most anti-virus companies have a web page containing information
> about most known viruses and hoaxes. You can also call or check the web site
> of the company that produces the product that is supposed to contain the virus.
> Checking the PKWARE site for the current releases of PKZip would stop the
> circulation of the warning about PKZ300 since there is no released version 3
> of PKZip. Another useful web site is the "Computer Virus Myths home page"
> (http://www.kumite.com/myths/) which contains descriptions of several known
> hoaxes. In most cases, common sense would eliminate Internet hoaxes.
> 
> - -----------------------------------------------------------------------------
> 
> CIAC, the Computer Incident Advisory Capability, is the computer
> security incident response team for the U.S. Department of Energy
> (DOE) and the emergency backup response team for the National
> Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
> National Laboratory in Livermore, California. CIAC is also a founding
> member of FIRST, the Forum of Incident Response and Security Teams, a
> global organization established to foster cooperation and coordination
> among computer security teams worldwide.
> 
> CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> can be contacted at:
>     Voice:    +1 510-422-8193
>     FAX:      +1 510-423-8002
>     STU-III:  +1 510-423-2604
>     E-mail:   [email protected]
> 
> For emergencies and off-hour assistance, DOE, DOE contractor sites,
> and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> duty person, and the secondary PIN number, 8550074 is for the CIAC
> Project Leader.
> 
> Previous CIAC notices, anti-virus software, and other information are
> available from the CIAC Computer Security Archive.
> 
>    World Wide Web:      http://ciac.llnl.gov/
>    Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
>    Modem access:        +1 (510) 423-4753 (28.8K baud)
>                         +1 (510) 423-3331 (28.8K baud)
> 
> CIAC has several self-subscribing mailing lists for electronic
> publications:
> 1. CIAC-BULLETIN for Advisories, highest priority - time critical
>    information and Bulletins, important computer security information;
> 2. CIAC-NOTES for Notes, a collection of computer security articles;
> 3. SPI-ANNOUNCE for official news about Security Profile Inspector
>    (SPI) software updates, new features, distribution and
>    availability;
> 4. SPI-NOTES, for discussion of problems and solutions regarding the
>    use of SPI products.
> 
> Our mailing lists are managed by a public domain software package
> called ListProcessor, which ignores E-mail header subject lines. To
> subscribe (add yourself) to one of our mailing lists, send the
> following request as the E-mail message body, substituting
> CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
> valid information for LastName FirstName and PhoneNumber when sending
> 
> E-mail to       [email protected]:
>         subscribe list-name LastName, FirstName PhoneNumber
>   e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
> 
> You will receive an acknowledgment containing address, initial PIN,
> and information on how to change either of them, cancel your
> subscription, or get help.
> 
> PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> communities receive CIAC bulletins.  If you are not part of these
> communities, please contact your agency's response team to report
> incidents. Your agency's team will coordinate with CIAC. The Forum of
> Incident Response and Security Teams (FIRST) is a world-wide
> organization. A list of FIRST member organizations and their
> constituencies can be obtained by sending email to
> [email protected] with an empty subject line and a message body
> containing the line: send first-contacts.
> 
> This document was prepared as an account of work sponsored by an
> agency of the United States Government. Neither the United States
> Government nor the University of California nor any of their
> employees, makes any warranty, express or implied, or assumes any
> legal liability or responsibility for the accuracy, completeness, or
> usefulness of any information, apparatus, product, or process
> disclosed, or represents that its use would not infringe privately
> owned rights. Reference herein to any specific commercial products,
> process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the
> University of California. The views and opinions of authors expressed
> herein do not necessarily state or reflect those of the United States
> Government or the University of California, and shall not be used for
> advertising or product endorsement purposes.
> 
> LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
> 
> G-43: Vulnerabilities in Sendmail
> G-44: SCO Unix Vulnerability
> G-45: Vulnerability in HP VUE
> G-46: Vulnerabilities in Transarc DCE and DFS
> G-47: Unix FLEXlm Vulnerabilities
> G-48: TCP SYN Flooding and IP Spoofing Attacks
> H-01: Vulnerabilities in bash
> H-02: SUN's TCP SYN Flooding Solutions
> H-03: HP-UX_suid_Vulnerabilities
> H-04: HP-UX  Ping Vulnerability
> 
> RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
> 
> Notes 07 - 3/29/95     A comprehensive review of SATAN
> 
> Notes 08 - 4/4/95      A Courtney update
> 
> Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
> 
> Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
>                        in S/Key, EBOLA Virus Hoax, and Caibua Virus
> 
> Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
>                        America On-Line Virus Scare, SPI 3.2.2 Released,
>                        The Die_Hard Virus
> 
> Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
>                        Windows, beta release of Merlin, Microsoft Word
>                        Macro Viruses, Allegations of Inappropriate Data
>                        Collection in Win95
> 
> Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
>                        Conference Announcement, Security and Web Search
>                        Engines, Microsoft Word Macro Virus Update
> 
> - ----BEGIN PGP SIGNATURE-----
> Version: 2.6.1
> Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface
> 
> iQCVAwUBMpN8qrnzJzdsy3QZAQHpZgP/V+NTN7AwEtWCM46sSBMFnEuz0NxmN9X2
> DMOFnATcUSNvukXBPAMc3LMYmnjhp+CrqDyfQCWVBUaHDTmb3yKTTsexYev5alyd
> cSR4uZjQrMjO1pu16HG7BS+faxaP+E/FVEcbAof9a+tjX4aj9LTOM/Nt8Hb6Aazo
> eRHTBH+AYy4=
> =fBQM
> - ----END PGP SIGNATURE-----
> 
> ------------------------------