How to Spot a Virus Hoax

Abstract
If you receive a virus alert message, don't believe it.
At the end of 1996, the problem of virus hoaxes escalated (specifically hoaxes in the form of false virus alert messages). Warnings similar to the "Good Times" virus hoax became common. This paper analyzes the "Good Times" hoax, builds a list of its features, and shows how those features apply to later hoaxes. A simple generic system is presented to aid in analyzing virus warnings. The paper concludes by showing how to handle false virus warnings.

Part 1. Hyperdriven
(Thoughts travel faster in a vacuum)
As 1997 begins, we've seen several virus alerts. None of them were real. And all of them were probably driven by a previously unwritten law of human nature. This newly-discovered theory explains how ideas are able to travel faster than the speed of thought. The theory may be stated thus: "Thoughts travel faster in a vacuum."

Think about it. By removing the actual thinking process, thoughts can travel uninhibited and thus exceed all logical bounds. In addition, such thoughts often tend to become hyperdriven (adj. driven by hype). This explains a lot of phenomena. For example, sales are often hyperdriven. Indeed, marketing often depends on the buyer engaging in rational thought only after the fact.

More importantly however, it explains how stories on the Internet can spread so quickly.
Such stories have, of late, been a major problem on the Internet. It might even get to the point where hoaxes are more of a problem than viruses are. After all, a hoax is much easier to write than a virus is. A good rule of thumb for today is, "If you receive a virus alert message, don't believe it."

Let's look at the late-1996 crop of virus hoaxes. Our purpose is to glean enough information about them to easily recognize a new hoax when we see it. (For a fuller list of hoaxes, see our Hype Alert department.)

Part 2. Chain Letters from Hell
(The e-mail equivalent of a stampede)
The root of the problem with hoaxes is that they spread faster than viruses do. They don't use a replication engine to spread, as a virus does; rather, they use human nature. They play on people's fear. As we look at these hoaxes, you'll notice that they warn the reader of impending doom and insist that the warning be forwarded to everyone else in the known universe. Someone shouts "fire" on a busy, crowded Net and the e-mail equivalent of a stampede begins.

However, if people engage the thought process before clicking the forwarding button, these hoaxes will not spread.

As these warnings spread, two things happen. Some well-intentioned individuals add their own warnings and suggested actions to the warning. At the same time, other not-so-well-intentioned individuals add to the horrors the supposed virus could wreak. In this way the messages undergo changes. They mutate or evolve. In fact, we should note here that the warnings shown below are ones we received, and may vary in wording from other copies.

This fact that the warnings change is important to understand. Any single hoax may exist in many forms. For example, late in 1996 we received a warning message about a "Penal Virus." It took about half a second to realize that the warning was identical to the warning about the nonexistent "Penpal virus." Although just that one "p" in "Penpal" was dropped, the "Penal Virus" warning is now spreading on its own.

Moreover, current hoaxes are just revisions of other hoaxes. The Penpal hoax itself follows the pattern set by Good Times.

Armed with the knowledge of how hoaxes change, a person familiar with the "Good Times Virus" hoax would recognize more recent warnings as a mere regurgitation of that message. To this end, let's dissect Good Times.

Part 3. Good Times
(The Chicken Little domino-effect engine)
The granddaddy of this current crop of hoaxes was a warning message about a nonexistent virus called "Good Times." It began in 1994 as a joke, evidently by two students who posted the warning on America Online. From there, the warning message spread and, as noted above, it also changed. For example, the version given below has given the virus the fanciful ability to place the computer's CPU "in an nth-complexity infinite binary loop--which can severely damage the processor."

What follows is an evolved version of the "Good Times Virus" warning message. Again, there is no such virus. This is a hoax. The interlinear commentary (bracketed and in italics) has been added here as we dissect the virus, and is not part of the original message.
The hoax message reads:

V I R U S - W A R N I N G

[Commentary: If you receive any message in e-mail that starts like this, immediately suspect a hoax. With the current bumper crop of hoaxes, odds are that it is not a real virus warning.]

There is a computer virus that is being sent across the Internet.
If you receive an email message with the subject line "Good Times,"
DO NOT read the message, DELETE it immediately.

Please read the messages below. Some miscreant is sending email under
the title "Good Times" nationwide, if you get anything like this,
DON'T DOWN LOAD THE FILE!

[This theme seems to be almost universal in hoaxes. The supposed virus is always propagating on the Internet. There are warnings (again, usually in ALL CAPS) about reading or downloading an e-mail message. Salvation by immediate deletion is also nearly universal. Interestingly, for some reason the word "miscreant" seems to be a common catchphrase in hoaxes.]

It has a virus that rewrites your hard drive, obliterating anything on it.

[Most real viruses, which are an actual threat to users, are not destructive; in fact they're usually quite tame. Hoax viruses, however, always seem to wield the powers of a vengeful binary god. Such godlike viruses can often do nasty things to your system that are beyond the abilities of software, mere mortals, or even most hardware technicians.]

Please be careful and forward this mail to anyone you care about.

[Here it is. This is the replication engine. This is what gives the virus the pesky lifelike ability to multiply. This is also a dead giveaway that it is a hoax.]

WARNING!!!!!!! INTERNET VIRUS

[Another thing to notice is the multiplication of exclamation marks. We see this a lot.]

The FCC released a warning last Wednesday concerning a matter of major
importance to any regular user of the Internet.

[Also nearly universal is the authoritative source. "Whoa! The FCC. This must be real." This aspect of cited authority is meant to lend credibility to the hoax. The truth is, however, that according to the FCC they have never, and will never, send out virus warnings.]

Apparently a new computer virus has been engineered by a user of AMERICA ON
LINE that is unparalleled in its destructive capability.

[Notice especially here, and in the following lines, the superlative nature of the abilities described. Here we see that it's "unparalleled in its destructive capability." Suspect any warning about a virus that is the most destructive, most polymorphic, or stealthiest.]

What makes this virus so terrifying, said the FCC,

[Note the authoritative source is cited as saying this. Again, credibility is sought.]

is the fact that no program needs to be exchanged for a new computer
to be infected. It can be spread through the existing email systems
of the Internet. Once a Computer is infected, one of several things
can happen. If the computer contains a hard drive, that will most likely
be destroyed. If the program is not stopped, the computer's processor
will be placed in an nth-complexity infinite binary loop--which can
severely damage the processor if left running that way too long.

[Here's another important factor to note: the language is crafted to sound technical. It uses computer jargon. This also tends to lend credibility to the hoax. By the way, if you do believe that a CPU can be melted down by "an nth-complexity infinite binary loop," we'd like to talk to you about some oceanfront property we're selling in Nebraska.]

Luckily, there is one sure means of detecting what is now known as the
"Good Times" virus. It always travels to new computers the same way in
a text email message with the subject line reading "Good Times." Avoiding
infection is easy once the file has been received simply by NOT READING IT!
The act of loading the file into the mail server's ASCII buffer causes the
"Good Times" mainline program to initialize and execute. The program is
highly intelligent--it will send copies of itself to everyone whose email
address is contained in a receive-mail file or a sent-mail file, if it can
find one. It will then proceed to trash the computer it is running on.

[Of course, you'll never see this message. It's a hoax. Also of interest is the fact that this virus is "highly intelligent." Odd. All the viruses we've seen are extremely dumb.]

The bottom line is:

If you receive a file with the subject line "Good Times", delete it
immediately! Do not read it" Rest assured that whoever's name was on
the "From" line was surely struck by the virus.

[Odd it doesn't say to contact the sender. But, again, there will be no sender. It's a hoax.]

Warn your friends and local system users of this newest threat to the
Internet! It could save them a lot of time and money. Could you pass
this along to your global mailing list as well?

[Actually, this is the bottom line, where the message urges you to propagate the hoax. Here's the hoax's combination chicken-little, domino-effect replication engine.]

Part 4. Hoax Heuristics
(Common sense, isn't)
Now we can define some rules to help us detect hoaxes generically. To summarize what we've seen, a hoax will have some combination of the following factors (but not necessarily all of them):
• It's a warning message about a virus (or occasionally a Trojan) spreading on the Internet. (Some even describe a "Trojan horse virus." There is no such thing.)
• It's usually from an individual, occasionally from a company, but never from the cited source.
• It warns you not to read or download the supposed virus, and preaches salvation by deletion.
• It describes the virus as having horrific destructive powers and often the ability to send itself by e-mail.
• It usually has lots of words in all caps and loads of exclamation marks.
• It urges you to alert everyone you know, and usually tells you this more than once.
• It seeks credibility by citing some authoritative source as issuing the warning. Usually the source says the virus is "bad" or has them "worried."
• It seeks credibility by describing the virus in specious technical jargon.
Now let's look at a couple of the hoaxes in light of what we've observed.
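
The heuristics listed above can be turned into a small text scorer. This is an added example, not part of the original paper: the regular expressions, the feature names and the three-feature threshold are assumptions modelled on the hoax wording quoted on this page, and the benign message is constructed.

```python
import re

# Assumed patterns, one per heuristic that can be checked from the text alone.
# They are modelled on the hoaxes quoted on this page and are not exhaustive.
PATTERNS = {
    "virus_warning": r"\b(virus|trojan)\b",
    "dont_read_delete": r"\bdo\s*n[o']t\s+(read|open|down\s*load)\b"
                        r"|\bdelete\s+(it|the message)\b",
    "destructive_powers": r"\b(destroy\w*|obliterat\w*|rewrites your hard drive|trash)\b",
    "forward_to_everyone": r"\b(forward this|pass this (on|along)|warn your friends)\b",
    "cited_authority": r"\b(FCC|researchers at|released a warning)\b",
    "specious_jargon": r"\b(infinite binary loop|ASCII buffer|virtually undetectable"
                       r"|memory resident)\b",
}
THRESHOLD = 3  # assumed cut-off: the paper says "some combination", not all


def shouting(text):
    """True if the text has several ALL-CAPS words or a run of '!!!'."""
    words = re.findall(r"\b[A-Za-z']{3,}\b", text)
    caps = [w for w in words if w.isupper()]
    return len(caps) >= 3 or bool(re.search(r"!{3,}", text))


def hoax_features(text):
    """Return the names of the hoax heuristics that the text triggers."""
    hits = [name for name, rx in PATTERNS.items() if re.search(rx, text, re.I)]
    if shouting(text):
        hits.append("caps_and_exclamations")
    return hits


def looks_like_hoax(text):
    return len(hoax_features(text)) >= THRESHOLD


# Excerpt assembled from the Deeyenda text quoted on this page.
DEEYENDA = (
    'There is a computer virus that is being sent across the Internet. If '
    'you receive an email message with the subject line "Deeyenda", DO NOT '
    'read the message, DELETE it immediately! It has a virus that rewrites '
    'your hard drive, obliterates anything on it. Please be careful and '
    'forward this e-mail to anyone you care about. FCC WARNING!!!!! '
    'The Deeyenda virus is virtually undetectable.'
)
# Constructed benign notice that mentions a virus without the hoax traits.
BENIGN = ("Our mail scanner quarantined one attachment containing a known "
          "macro virus. Signatures are current and no action is needed.")

if __name__ == "__main__":
    for label, msg in (("Deeyenda", DEEYENDA), ("benign", BENIGN)):
        print(label, looks_like_hoax(msg), hoax_features(msg))
```

The second heuristic (the message never comes from the cited source) is left out because it depends on who sent the message, not on its wording.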

Part 5. Deeyenda
(It's Deeyenda the world as we know it)
The "Deeyenda" hoax appeared near the end of 1996. Again, the interlinear commentary (bracketed and in italics) has been added and is not part of the original message.
The hoax message reads:
VERY IMPORTANT INFORMATION, PLEASE READ!

[This is a slight twist: it doesn't use the word "virus," although the e-mail subject line probably does.]

There is a computer virus that is being sent across the Internet. If
you receive an email message with the subject line "Deeyenda", DO NOT
read the message, DELETE it immediately!

[Several factors are seen here: Virus on the Net. Do not read. Delete immediately. Lots of caps (only one exclamation mark though). By this time, you should already be reasonably sure that this is a hoax.]

Some miscreant is sending email under the title "Deeyenda" nationwide,
if you get anything like this DON'T DOWNLOAD THE FILE! It has a virus
that rewrites your hard drive, obliterates anything on it. Please be
careful and forward this e-mail to anyone you care about.
[There's our miscreant, our warning against download, and our warning of mass destruction.]
Please read the message below.

FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET-----

[Red flag. The FCC never issues virus warnings. This is definitely a hoax.]

The Internet community has again been plagued by another computer virus.
This message is being spread throughout the Internet, including USENET
posting, EMAIL, and other Internet activities. The reason for all the
attention is because of the nature of this virus and the potential
security risk it makes. Instead of a destructive Trojan virus (like
most viruses!), this virus referred to as Deeyenda Maddick, performs
a comprehensive search on your computer, looking for valuable information,
such as email and login passwords, credit cards, personal inf., etc.

[This is not only a mythical "Trojan virus," but it also has the powers of a mythical cyber-god. And it is described in a specious manner.]

The Deeyenda virus also has the capability to stay memory resident while
running a host of applications and operation systems, such as Windows 3.11
and Windows 95. What this means to Internet users is that when a login and
password are send to the server, this virus can copy this information and
SEND IT OUT TO AN UNKNOWN ADDRESS (varies). The reason for this warning is
because the Deeyenda virus is virtually undetectable. Once attacked, your
computer will be unsecure. Although it can attack any O/S this virus is
most likely to attack those users viewing Java enhanced Web Pages
(Netscape 2.0+ and Microsoft Internet Explorer 3.0+ which are running
under Windows 95).

[Virtually undetectable. More superpowers in techno-babble.]

Researchers at Princeton University have found this virus on a number of
World Wide Web pages and fear its spread.

[Wow. Additional credibility. Princeton's verified it and they're afraid.]

Please pass this on, for we must alert the general public at the security
risks.

[Here's the replication engine. This one's driven by civic duty.]

Part 6. Penpal
(Whole UNIX servers are being destroyed)
Let's look at one more hoax. "Penpal" appeared around the same time Deeyenda did.
The hoax message reads:

If anyone receives mail entitled: PENPAL GREETINGS! please delete it
WITHOUT reading it. Below is a little explanation of the message, and what it
would do to your PC if you were to read the message. If you have any questions
or concerns please contact [name and number removed].

[Don't read. Delete. Interestingly, this has a cited authority with a phone number. By the way, the number (which we removed) doesn't work.]

This is a warning for all Internet users - there is a dangerous virus propagating
across the Internet through an e-mail message entitled

[Virus is on the Net.]

"PENPAL GREETINGS!"
DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"

[Don't download warning. Lots of caps.]

This message appears to be a friendly letter asking you if you are interested in a
penpal, but by the time you read this letter, it is too late. The "Trojan horse" virus
will have already infected the boot sector of your hard drive, destroying all of the
data present. It is a self-replicating virus, and once the message is read, it will
AUTOMATICALLY forward itself to anyone who's e-mail address is present in
YOUR mailbox!

[Trojan horse virus. Destroys all data. Can forward itself.]

This virus will DESTROY your hard drive, and holds the potential to DESTROY
the hard drive of anyone whose mail is in your inbox, and who's mail is in their
inbox, and so on. If this virus remains unchecked, it has the potential to do a great
deal of DAMAGE to computer networks worldwide!!!!

[Such apocalyptic powers truly deserve four exclamation marks.]

Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see
it! And pass this message along to all of your friends and relatives, and the other
readers of the newsgroups and mailing lists which you are on, so that they are not
hurt by this dangerous virus!!!!

[Replication engine.]

It changes the subject field of your E-mail to "Penpal Greeting". As long as you
don't read the message, it's OK. But once you read the message, it destroys your
Boot Sector, copies itself and forwards new messages to all the people in your
mailbox!!!! Just delete the message before you open it. Deleting it won't do any
harm to the computer. Don't ask me how this is done with E-mail text but the news
are spreading in France and whole UNIX servers are being destroyed!!! The virus
is of type "Trojan Horse" and you can't detect it . So beware and keep your eyes
wide open from now till the year 2000. It's a matter of time until the virus gets
routed to you through one of your friends.

[The jargon factor.]

Rule of thumb: Always check the subject field and don't read unknown
messages.

Please forward this E-mail to all your friends, professors, staff, and print a hard
copy (or a couple dozens) and post them on campus.

[Reiteration of the replication engine.]

Part 7. Handling Hoaxes
(Do exactly the opposite)
See how easily we can spot these as being hoaxes? All we need to do is engage the thought process and actively apply what we know about the anatomy of hoaxes. Now that you're better equipped to spot hoaxes when they come your way, what should you do about them when they arrive?

That's easy. Do exactly the opposite of what the hoaxes say you should do.

Do not forward the false warning to others. Do send a message to the person who sent you the hoax message. Tell him or her it's a hoax. Say, "Don't send it out to others." You may also want to point that person to this paper, so he or she can also understand the nature of virus hoaxes.

~ Author unknown~
~Hot Fruitchaat~

