CIAC Bulletin H-05: Internet Hoaxes

Grace Agnew grace.agnew at ibid.library.gatech.edu
Fri Jan 31 11:54:14 EST 1997


Every so often Internet virus hoaxes make it to a list, with the best
intentions of the person sending the warning.  This is a very useful CIAC
Bulletin on identifying Internet hoaxes that includes an address for a virus
hoax site.  I thought it would be useful so am forwarding it to the list.

Grace Agnew


>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>             __________________________________________________________
>
>                       The U.S. Department of Energy
>                    Computer Incident Advisory Capability
>                           ___  __ __    _     ___
>                          /       |     /_\   /
>                          \___  __|__  /   \  \___
>             __________________________________________________________
>
>                             INFORMATION BULLETIN
>
>            Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost
>
>November 20, 1996 15:00 GMT                                        Number H-05
>______________________________________________________________________________
>PROBLEM:       This bulletin addresses the following hoaxes and erroneous
>               warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
>               Ghost.exe
>PLATFORM:      All, via e-mail
>DAMAGE:        Time lost reading and responding to the messages
>SOLUTION:      Pass unvalidated warnings only to your computer security
>               department or incident response team. See below on how to
>               recognize validated and unvalidated warnings and hoaxes.
>______________________________________________________________________________
>VULNERABILITY  New hoaxes and warnings have appeared on the Internet and old
>ASSESSMENT:    hoaxes are still being circulated.
>______________________________________________________________________________
>
>
>Introduction
>============
>
>The Internet is constantly being flooded with information about computer
>viruses and Trojans. However, interspersed among real virus notices are
>computer virus hoaxes. While these hoaxes do not infect systems, they are
>still time consuming and costly to handle. At CIAC, we find that we are
>spending much more time de-bunking hoaxes than handling real virus incidents.
>This advisory addresses the most recent warnings that have appeared on the
>Internet and are being circulated throughout the world today. We will also
>address the history behind virus hoaxes, how to identify a hoax, and what to
>do if you think a message is or is not a hoax. Users are requested to please
>not spread unconfirmed warnings about viruses and Trojans. If you receive an
>unvalidated warning, don't pass it to all your friends, pass it to your
>computer security manager to validate first. Validated warnings from the
>incident response teams and antivirus vendors have valid return addresses and
>are usually PGP signed with the organization's key.
>
>PKZ300 Warning
>==============
>
>The PKZ300 Trojan is a real Trojan program, but the initial warning about it
>was released over a year ago. For information pertaining to the PKZ300 Trojan,
>reference CIAC Notes issue 95-10, which was released in June of 1995.
>
>http://ciac.llnl.gov/ciac/notes/Notes10.shtml
>
>The warning itself, on the other hand, is gaining urban legend status. There
>has been an extremely limited number of sightings of this Trojan and those
>appeared over a year ago. Even though the Trojan warning is real, the repeated
>circulation of the warning is a nuisance. Individuals who need the current
>release of PKZIP should visit the PKWARE web page at http://www.pkware.com.
>CIAC recommends that you DO NOT recirculate the warning about this particular
>Trojan.
>
>
>Irina Virus Hoax
>================
>
>The "Irina" virus warnings are a hoax. The former head of an electronic
>publishing company circulated the warning to create publicity for a new
>interactive book by the same name. The publishing company has apologized for
>the publicity stunt that backfired and panicked Internet users worldwide. The
>original warning claimed to be from a Professor Edward Pridedaux of the
>College of Slavic Studies in London; there is no such person or college.
>However, London's School of Slavonic and East European Studies has been
>inundated with calls. This poorly thought-out publicity stunt was highly
>irresponsible. For more information pertaining to this hoax, reference the
>UK Daily Telegraph at http://www.telegraph.co.uk.
>
>
>Good Times Virus Hoax
>=====================
>
>The "Good Times" virus warnings are a hoax. There is no virus by that name in
>existence today. These warnings have been circulating the Internet for years.
>The user community must become aware that it is unlikely that a virus can be
>constructed to behave in the manner ascribed in the "Good Times" virus
>warning. For more information related to this urban legend, reference CIAC
>Notes 95-09.
>
>http://ciac.llnl.gov/ciac/notes/Notes09.shtml
>
>
>Deeyenda Virus Hoax
>===================
>
>The "Deeyenda" virus warnings are a hoax. CIAC has received inquiries
>regarding the validity of the Deeyenda virus. The warnings are very similar
>to those for Good Times, stating that the FCC issued a warning about it,
>and that it is self activating and can destroy the contents of a machine
>just by being downloaded. Users should note that the FCC does not and will
>not issue virus or Trojan warnings. It is not their job to do so. As of this
>date, there are no known viruses with the name Deeyenda in existence. For a
>virus to spread, it must be executed. Reading a mail message does not execute
>the mail message. Trojans and viruses have been found as executable attachments
>to mail messages, but they must be extracted and executed to do any harm. CIAC
>still affirms that reading E-mail, using typical mail agents, cannot activate
>malicious code delivered in or with the message.
>
>Ghost.exe Warning
>=================
>
>The Ghost.exe program was originally distributed as a free screen saver
>containing some advertising information for the author's company (Access
>Softek). The program opens a window that shows a Halloween background with
>ghosts flying around the screen. On any Friday the 13th, the program window
>title changes and the ghosts fly off the window and around the screen. Someone
>apparently got worried and sent a message indicating that this might be a
>Trojan. The warning grew until it said that Ghost.exe was a Trojan that
>would destroy your hard drive and the developers got a lot of nasty phone
>calls (their names and phone numbers were in the About box of the program).
>A simple phone call to the number listed in the program would have stopped
>this warning from being sent out. The original ghost.exe program is just cute;
>it does not do anything damaging. Note that this does not mean that ghost
>could not be infected with a virus that does do damage, so the normal
>antivirus procedure of scanning it before running it should be followed.
>
>History of Virus Hoaxes
>=======================
>
>Since 1988, computer virus hoaxes have been circulating the Internet. In
>October of that year, according to Ferbrache ("A Pathology of Computer
>Viruses", Springer, London, 1992), one of the first virus hoaxes was the
>2400 baud modem virus:
>
>
>	SUBJ: Really Nasty Virus
>	AREA: GENERAL (1)
>	
>	I've just discovered probably the world's worst computer virus
>	yet. I had just finished a late night session of BBS'ing and file
>	treading when I exited Telix 3 and attempted to run pkxarc to
>	unarc the software I had downloaded. Next thing I knew my hard
>	disk was seeking all over and it was apparently writing random
>	sectors. Thank god for strong coffee and a recent backup.
>	Everything was back to normal, so I called the BBS again and
>	downloaded a file. When I went to use ddir to list the directory,
>	my hard disk was getting trashed again. I tried Procomm Plus TD
>	and also PC Talk 3. Same results every time. Something was up so I
>	hooked up to my test equipment and different modems (I do research
>	and development for a local computer telecommunications company
>	and have an in-house lab at my disposal). After another hour of
>	corrupted hard drives I found what I think is the world's worst
>	computer virus yet. The virus distributes itself on the modem sub-
>	carrier present in all 2400 baud and up modems. The sub-carrier is
>	used for ROM and register debugging purposes only, and otherwise
>	serves no othr (sp) purpose. The virus sets a bit pattern in one
>	of the internal modem registers, but it seemed to screw up the
>	other registers on my USR. A modem that has been "infected" with
>	this virus will then transmit the virus to other modems that use a
>	subcarrier (I suppose those who use 300 and 1200 baud modems
>	should be immune). The virus then attaches itself to all binary
>	incoming data and infects the host computer's hard disk. The only
>	way to get rid of this virus is to completely reset all the modem
>	registers by hand, but I haven't found a way to vaccinate a modem
>	against the virus, but there is the possibility of building a
>	subcarrier filter. I am calling on a 1200 baud modem to enter this
>	message, and have advised the sysops of the two other boards
>	(names withheld). I don't know how this virus originated, but I'm
>	sure it is the work of someone in the computer telecommunications
>	field such as myself. Probably the best thing to do now is to
>	stick to 1200 baud until we figure this thing out.
>
>	Mike RoChenle
>
>This bogus virus description spawned a humorous alert by Robert Morris III :
>
>	Date: 11-31-88 (24:60)	Number: 32769
>	To: ALL	Refer#: NONE
>	From: ROBERT MORRIS III	Read: (N/A)
>	Subj: VIRUS ALERT	Status: PUBLIC MESSAGE
>	
>	Warning: There's a new virus on the loose that's worse than
>	anything I've seen before! It gets in through the power line,
>	riding on the powerline 60 Hz subcarrier. It works by changing the
>	serial port pinouts, and by reversing the direction one's disks
>	spin. Over 300,000 systems have been hit by it here in Murphy,
>	West Dakota alone! And that's just in the last 12 minutes.
>	
>	It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
>	RSX-11, ITS, TRS-80, and VHS systems.
>	
>	To prevent the spresd of the worm:
>	
>	1) Don't use the powerline.
>	2) Don't use batteries either, since there are rumors that this
>	   virus has invaded most major battery plants and is infecting the
>	   positive poles of the batteries. (You might try hooking up just
>	   the negative pole.)
>	3) Don't upload or download files.
>	4) Don't store files on floppy disks or hard disks.
>	5) Don't read messages. Not even this one!
>	6) Don't use serial ports, modems, or phone lines.
>	7) Don't use keyboards, screens, or printers.
>	8) Don't use switches, CPUs, memories, microprocessors, or
>	   mainframes.
>	9) Don't use electric lights, electric or gas heat or
>	   airconditioning, running water, writing, fire, clothing or the
>	   wheel.
>	
>	I'm sure if we are all careful to follow these 9 easy steps, this
>	virus can be eradicated, and the precious electronic flui9ds of
>	our computers can be kept pure.
>	
>	---RTM III
>
>Since that time virus hoaxes have flooded the Internet. With thousands of
>viruses worldwide, virus paranoia in the community has risen to an extremely
>high level. It is this paranoia that fuels virus hoaxes. A good example of
>this behavior is the "Good Times" virus hoax which started in 1994 and is
>still circulating the Internet today. Instead of spreading from one computer
>to another by itself, Good Times relies on people to pass it along.
>
>
>How to Identify a Hoax
>======================
>
>There are several methods to identify virus hoaxes, but first consider what
>makes a successful hoax on the Internet. There are two known factors that make
>a successful virus hoax: (1) technical sounding language, and
>(2) credibility by association. If the warning uses the proper technical
>jargon, most individuals, including technologically savvy individuals, tend to
>believe the warning is real. For example, the Good Times hoax says that
>"...if the program is not stopped, the computer's processor will be placed in
>an nth-complexity infinite binary loop which can severely damage the
>processor...". The first time you read this, it sounds like it might be
>something real. With a little research, you find that there is no such thing
>as an nth-complexity infinite binary loop and that processors are designed
>to run loops for weeks at a time without damage.
>
>When we say credibility by association we are referring to who sent the
>warning. If the janitor at a large technological organization sends a warning
>to someone outside of that organization, people on the outside tend to believe
>the warning because the company should know about those things. Even though
>the person sending the warning may not have a clue what he is talking about,
>the prestige of the company backs the warning, making it appear real. If a
>manager at the company sends the warning, the message is doubly backed by the
>company's and the manager's reputations.
>
>
>Individuals should also be especially alert if the warning urges you to pass
>it on to your friends. This should raise a red flag that the warning may be
>a hoax. Another flag to watch for is when the warning indicates that it is a
>Federal Communications Commission (FCC) warning. According to the FCC, they
>have not and never will disseminate warnings on viruses. It is not part of
>their job.
>
>
>CIAC recommends that you DO NOT circulate virus warnings without first
>checking with an authoritative source. Authoritative sources are your computer
>system security administrator or a computer incident advisory team. Real
>warnings about viruses and other network problems are issued by different
>response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by
>the sending team using PGP. If you download a warning from a team's web site or
>validate the PGP signature, you can usually be assured that the warning is
>real. Warnings without the name of the person sending the original notice, or
>warnings with names, addresses and phone numbers that do not actually exist
>are probably hoaxes.
>
>What to Do When You Receive a Warning
>=====================================
> 
>
>Upon receiving a warning, you should examine its PGP signature to see that it
>is from a real response team or antivirus organization. To do so, you will
>need a copy of the PGP software and the public signature of the team that
>sent the message. The CIAC signature is available from the CIAC web server
>at:
>
>http://ciac.llnl.gov
>
>
>If there is no PGP signature, see if the warning includes the name of the
>person submitting the original warning. Contact that person to see if he/she
>really wrote the warning and if he/she really touched the virus. If he/she is
>passing on a rumor, or if the address of the person does not exist, or if
>there are any questions about the authenticity of the warning, do not circulate
>it to others. Instead, send the warning to your computer security manager or
>incident response team and let them validate it. When in doubt, do not send
>it out to the world. Your computer security managers and the incident response
>teams have experts who try to stay current on viruses and their warnings.
>In addition, most anti-virus companies have a web page containing information
>about most known viruses and hoaxes. You can also call or check the web site
>of the company that produces the product that is supposed to contain the virus.
>Checking the PKWARE site for the current releases of PKZip would stop the
>circulation of the warning about PKZ300 since there is no released version 3
>of PKZip. Another useful web site is the "Computer Virus Myths home page"
>(http://www.kumite.com/myths/) which contains descriptions of several known
>hoaxes. In most cases, common sense would eliminate Internet hoaxes.
>
>- -----------------------------------------------------------------------------
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
>    Voice:    +1 510-422-8193
>    FAX:      +1 510-423-8002
>    STU-III:  +1 510-423-2604
>    E-mail:   ciac at llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
>   World Wide Web:      http://ciac.llnl.gov/
>   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
>   Modem access:        +1 (510) 423-4753 (28.8K baud)
>                        +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>   information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>   (SPI) software updates, new features, distribution and
>   availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
>   use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called ListProcessor, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
>valid information for LastName FirstName and PhoneNumber when sending
>E-mail to       ciac-listproc at llnl.gov:
>        subscribe list-name LastName, FirstName PhoneNumber
>  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
>
>You will receive an acknowledgment containing address, initial PIN,
>and information on how to change either of them, cancel your
>subscription, or get help.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins.  If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained by sending email to
>docserver at first.org with an empty subject line and a message body
>containing the line: send first-contacts.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>G-43: Vulnerabilities in Sendmail
>G-44: SCO Unix Vulnerability
>G-45: Vulnerability in HP VUE
>G-46: Vulnerabilities in Transarc DCE and DFS
>G-47: Unix FLEXlm Vulnerabilities
>G-48: TCP SYN Flooding and IP Spoofing Attacks
>H-01: Vulnerabilities in bash
>H-02: SUN's TCP SYN Flooding Solutions
>H-03: HP-UX_suid_Vulnerabilities
>H-04: HP-UX  Ping Vulnerability
>
>RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
>
>Notes 07 - 3/29/95     A comprehensive review of SATAN
>
>Notes 08 - 4/4/95      A Courtney update
>
>Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
>
>Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
>                       in S/Key, EBOLA Virus Hoax, and Caibua Virus
>
>Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
>                       America On-Line Virus Scare, SPI 3.2.2 Released,
>                       The Die_Hard Virus
>
>Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
>                       Windows, beta release of Merlin, Microsoft Word
>                       Macro Viruses, Allegations of Inappropriate Data
>                       Collection in Win95
>
>Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
>                       Conference Announcement, Security and Web Search
>                       Engines, Microsoft Word Macro Virus Update
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.1
>Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface
>
>iQCVAwUBMpN8qrnzJzdsy3QZAQHpZgP/V+NTN7AwEtWCM46sSBMFnEuz0NxmN9X2
>DMOFnATcUSNvukXBPAMc3LMYmnjhp+CrqDyfQCWVBUaHDTmb3yKTTsexYev5alyd
>cSR4uZjQrMjO1pu16HG7BS+faxaP+E/FVEcbAof9a+tjX4aj9LTOM/Nt8Hb6Aazo
>eRHTBH+AYy4=
>=fBQM
>-----END PGP SIGNATURE-----
>
>
>

<*><*><*><*><*><*><*><*><*><*><*><*>

Grace Agnew
Assistant Director for Systems
Georgia Institute of Technology Library
(404) 894-8932 
(404) 894-6084 (fax)
grace.agnew at library.gatech.edu
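The red-flag checklist in the forwarded bulletin (a plea to pass the warning on, attribution to the FCC, "damage just by reading" claims, jargon such as the "nth-complexity infinite binary loop", no named originator, no PGP signature) can be turned into a small triage script for a help desk or security team. The Python below is an added example, not part of the bulletin and not CIAC's tooling. Both sample messages are constructed: the hoax one reuses the Good Times wording the bulletin quotes, the signed one has a placeholder signature block, and both sender addresses are placeholders. A "signed" result only means a signature block is present; as the bulletin says, the signature still has to be verified with the PGP software and the team's published key.

```python
"""
Triage an e-mailed virus warning against the red flags named in CIAC H-05:
urges to forward, FCC attribution, "damage just by reading" claims,
pseudo-technical jargon, an unnamed originator, and no PGP signature.
Added example; not CIAC code. The sample messages below are constructed.
"""
import re
from email import message_from_string

# Phrase patterns seeded from the wording the bulletin quotes (constructed list).
FORWARD_PHRASES = [
    r"pass (this|it) (on|along)",
    r"forward (this|it) to",
    r"send (this|it) to (all|everyone)",
    r"warn (all )?your friends",
]
FCC_PATTERN = r"\bfcc\b|federal communications? commission"
READ_INFECTS = r"(just|merely|simply) by (reading|opening|downloading)"
JARGON = [r"nth[- ]complexity", r"infinite binary loop", r"damage (the|your) processor"]
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def triage_warning(raw_message: str) -> dict:
    """Return the red flags found, whether a PGP signature block is present, and a verdict."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = body.lower()
    flags = []

    if any(re.search(p, text) for p in FORWARD_PHRASES):
        flags.append("urges recipient to forward the warning")
    if re.search(FCC_PATTERN, text):
        flags.append("attributes the warning to the FCC, which issues no virus warnings")
    if re.search(READ_INFECTS, text):
        flags.append("claims damage from merely reading or downloading a message")
    if any(re.search(p, text) for p in JARGON):
        flags.append("uses pseudo-technical jargon with no real meaning")
    if not msg.get("From"):
        flags.append("names no originator to contact")

    # Presence of a signature block is not proof; it only tells you what to verify next.
    signed = PGP_SIG in body
    if not signed:
        flags.append("carries no PGP signature to verify")

    if signed and not flags:
        verdict = "verify the PGP signature against the team's published key before trusting it"
    else:
        verdict = "unvalidated: do not circulate; pass it to your security manager or incident response team"
    return {"flags": flags, "signed": signed, "verdict": verdict}


# Constructed sample: a Good Times-style chain warning (sender is a placeholder).
HOAX_SAMPLE = """From: hoax-sender@example.invalid
Subject: FW: VIRUS WARNING

The FCC released a warning last Wednesday concerning a matter of major
importance to any regular user of the Internet. Do not read or download
any message entitled "Good Times". If the program is not stopped, the
computer's processor will be placed in an nth-complexity infinite binary
loop which can severely damage the processor. Your hard drive can be
destroyed just by reading the message. Please pass this on to everyone you know.
"""

# Constructed sample: a response-team style bulletin with a placeholder signature block.
SIGNED_SAMPLE = """From: response-team@example.invalid
Subject: Information Bulletin: Internet Hoaxes (constructed sample)

-----BEGIN PGP SIGNED MESSAGE-----

This bulletin addresses the following hoaxes: Good Times and Deeyenda.
Pass unvalidated warnings only to your computer security department.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for label, sample in (("hoax", HOAX_SAMPLE), ("signed", SIGNED_SAMPLE)):
        result = triage_warning(sample)
        print(f"{label}: {result['verdict']}")
        for flag in result["flags"]:
            print(f"  - {flag}")
```

The checks are deliberately coarse: they exist to route a message to the right person, not to decide on their own that it is genuine. A message that trips none of them still goes to PGP verification, and any message with a flag goes to the security manager rather than to a distribution list.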


