[3673] in WWW Security List Archive


FW: virus on the internet

daemon@ATHENA.MIT.EDU (Tim Chovanak (Digital))
Tue Dec 3 22:08:19 1996

From: "Tim Chovanak (Digital)" <v-timc@microsoft.com>
To: "'lsmith@jrctc.com'" <lsmith@jrctc.com>
Cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Tue, 3 Dec 1996 16:25:19 -0800
Errors-To: owner-www-security@ns2.rutgers.edu

Here's a decent rundown on this and other hoaxes...

(Opinions expressed are purely my own and do not represent those of my
employers.)
>----------
>
>Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost
>
>-----Original Message-----
>From:	crawford@eek.llnl.gov [SMTP:crawford@eek.llnl.gov]
>Sent:	Wednesday, November 20, 1996 4:59 PM
>To:	
>Subject:	CIAC Bulletin H-05: Internet Hoaxes 
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>             __________________________________________________________
>
>                       The U.S. Department of Energy
>                    Computer Incident Advisory Capability
>                           ___  __ __    _     ___
>                          /       |     /_\   /
>                          \___  __|__  /   \  \___
>             __________________________________________________________
>
>                             INFORMATION BULLETIN
>
>            Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost
>
>November 20, 1996 15:00 GMT                                        Number H-05
>______________________________________________________________________________
>PROBLEM:       This bulletin addresses the following hoaxes and erroneous 
>               warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and 
>               Ghost.exe
>PLATFORM:      All, via e-mail
>DAMAGE:        Time lost reading and responding to the messages
>SOLUTION:      Pass unvalidated warnings only to your computer security 
>               department or incident response team. See below on how to 
>               recognize validated and unvalidated warnings and hoaxes.
>______________________________________________________________________________
>VULNERABILITY  New hoaxes and warnings have appeared on the Internet and old
>ASSESSMENT:    hoaxes are still being circulated.
>______________________________________________________________________________
>
>
>Introduction
>============
>
>The Internet is constantly being flooded with information about computer
>viruses and Trojans. However, interspersed among real virus notices are 
>computer virus hoaxes. While these hoaxes do not infect systems, they are 
>still time consuming and costly to handle. At CIAC, we find that we are 
>spending much more time de-bunking hoaxes than handling real virus incidents.
>This advisory addresses the most recent warnings that have appeared on the
>Internet and are being circulated throughout the world today. We will also
>address the history behind virus hoaxes, how to identify a hoax, and what to
>do if you think a message is or is not a hoax. Users are requested to please
>not spread unconfirmed warnings about viruses and Trojans. If you receive an
>unvalidated warning, don't pass it to all your friends, pass it to your
>computer security manager to validate first. Validated warnings from the
>incident response teams and antivirus vendors have valid return addresses and
>are usually PGP signed with the organization's key.
>
>PKZ300 Warning
>==============
>
>The PKZ300 Trojan is a real Trojan program, but the initial warning about it 
>was released over a year ago. For information pertaining to PKZ300 Trojan 
>reference CIAC Notes issue 95-10, that was released in June of 1995.  
>
>http://ciac.llnl.gov/ciac/notes/Notes10.shtml
>
>The warning itself, on the other hand, is gaining urban legend status. There
>has been an extremely limited number of sightings of this Trojan and those
>appeared over a year ago. Even though the Trojan warning is real, the repeated
>circulation of the warning is a nuisance. Individuals who need the current
>release of PKZIP should visit the PKWARE web page at http://www.pkware.com.
>CIAC recommends that you DO NOT recirculate the warning about this particular
>Trojan.
>
>Irina Virus Hoax
>================
>
>The "Irina" virus warnings are a hoax. The former head of an electronic 
>publishing company circulated the warning to create publicity for a new 
>interactive book by the same name. The publishing company has apologized for 
>the publicity stunt that backfired and panicked Internet users worldwide. The
>original warning claimed to be from a Professor Edward Pridedaux of the 
>College of Slavic Studies in London; there is no such person or college. 
>However, London's School of  Slavonic and East European Studies has been 
>inundated with calls. This poorly thought-out publicity stunt was highly 
>irresponsible. For more information pertaining to this hoax, reference the 
>UK Daily Telegraph at http://www.telegraph.co.uk.    
>
>Good Times Virus Hoax
>=====================
>
>The "Good Times" virus warnings are a hoax. There is no virus by that name in
>existence today. These warnings have been circulating the Internet for years.
>The user community must become aware that it is unlikely that a virus can be 
>constructed to behave in the manner ascribed in the "Good Times" virus 
>warning. For more information related to this urban legend, reference CIAC 
>Notes 95-09.
>
>http://ciac.llnl.gov/ciac/notes/Notes09.shtml
>    
>Deeyenda Virus Hoax
>===================
>
>The "Deeyenda" virus warnings are a hoax. CIAC has received inquiries
>regarding the validity of the Deeyenda virus. The warnings are very similar
>to those for Good Times, stating that the FCC issued a warning about it,
>and that it is self activating and can destroy the contents of a machine
>just by being downloaded. Users should note that the FCC does not and will
>not issue virus or Trojan warnings. It is not their job to do so. As of this
>date, there are no known viruses with the name Deeyenda in existence. For a
>virus to spread, it must be executed. Reading a mail message does not execute
>the mail message. Trojans and viruses have been found as executable
>attachments to mail messages, but they must be extracted and executed to do
>any harm. CIAC still affirms that reading E-mail, using typical mail agents,
>cannot activate malicious code delivered in or with the message.
>
>Ghost.exe Warning
>=================
>
>The Ghost.exe program was originally distributed as a free screen saver 
>containing some advertising information for the author's company (Access 
>Softek). The program opens a window that shows a Halloween background with 
>ghosts flying around the screen. On any Friday the 13th, the program window 
>title changes and the ghosts fly off the window and around the screen. Someone
>apparently got worried and sent a message indicating that this might be a
>Trojan. The warning grew until it said that Ghost.exe was a Trojan that
>would destroy your hard drive and the developers got a lot of nasty phone
>calls (their names and phone numbers were in the About box of the program).
>A simple phone call to the number listed in the program would have stopped
>this warning from being sent out. The original ghost.exe program is just cute;
>it does not do anything damaging. Note that this does not mean that ghost
>could not be infected with a virus that does do damage, so the normal
>antivirus procedure of scanning it before running it should be followed.
>
>History of Virus Hoaxes
>=======================
>
>Since 1988, computer virus hoaxes have been circulating the Internet. In 
>October of that year, according to Ferbrache ("A pathology of Computer 
>Viruses" Springer, London, 1992) one of the first virus hoaxes was the 
>2400 baud modem virus: 
>
>	SUBJ: Really Nasty Virus
> 	AREA: GENERAL (1)
>	
> 	I've just discovered probably the world's worst computer virus 
> 	yet. I had just finished a late night session of BBS'ing and file 
> 	treading when I exited Telix 3 and attempted to run pkxarc to 
> 	unarc the software I had downloaded. Next thing I knew my hard 
> 	disk was seeking all over and it was apparently writing random 
> 	sectors. Thank god for strong coffee and a recent backup. 
> 	Everything was back to normal, so I called the BBS again and 
> 	downloaded a file. When I went to use ddir to list the directory, 
> 	my hard disk was getting trashed again. I tried Procomm Plus TD 
> 	and also PC Talk 3. Same results every time. Something was up so I 
> 	hooked up to my test equipment and different modems (I do research 
> 	and development for a local computer telecommunications company 
> 	and have an in-house lab at my disposal). After another hour of 
> 	corrupted hard drives I found what I think is the world's worst 
> 	computer virus yet. The virus distributes itself on the modem sub-
> 	carrier present in all 2400 baud and up modems. The sub-carrier is 
> 	used for ROM and register debugging purposes only, and otherwise 
> 	serves no othr (sp) purpose. The virus sets a bit pattern in one 
> 	of the internal modem registers, but it seemed to screw up the 
> 	other registers on my USR. A modem that has been "infected" with 
> 	this virus will then transmit the virus to other modems that use a 
> 	subcarrier (I suppose those who use 300 and 1200 baud modems 
> 	should be immune). The virus then attaches itself to all binary 
> 	incoming data and infects the host computer's hard disk. The only 
> 	way to get rid of this virus is to completely reset all the modem 
> 	registers by hand, but I haven't found a way to vaccinate a modem 
> 	against the virus, but there is the possibility of building a 
> 	subcarrier filter. I am calling on a 1200 baud modem to enter this 
> 	message, and have advised the sysops of the two other boards 
> 	(names withheld). I don't know how this virus originated, but I'm 
> 	sure it is the work of someone in the computer telecommunications 
> 	field such as myself. Probably the best thing to do now is to 
> 	stick to 1200 baud until we figure this thing out.
>
>	Mike RoChenle
>
>This bogus virus description spawned a humorous alert by Robert Morris III :
>
> 	Date: 11-31-88 (24:60)	Number: 32769
> 	To: ALL	Refer#: NONE
> 	From: ROBERT MORRIS III	Read: (N/A)
> 	Subj: VIRUS ALERT	Status: PUBLIC MESSAGE
> 	
> 	Warning: There's a new virus on the loose that's worse than 
> 	anything I've seen before! It gets in through the power line, 
> 	riding on the powerline 60 Hz subcarrier. It works by changing the 
> 	serial port pinouts, and by reversing the direction one's disks 
> 	spin. Over 300,000 systems have been hit by it here in Murphy, 
> 	West Dakota alone! And that's just in the last 12 minutes.
> 	
>	It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac, 
> 	RSX-11, ITS, TRS-80, and VHS systems.
> 	
> 	To prevent the spresd of the worm:
> 	
> 	1) Don't use the powerline.
> 	2) Don't use batteries either, since there are rumors that this 
> 	  virus has invaded most major battery plants and is infecting the 
> 	  positive poles of the batteries. (You might try hooking up just 
> 	  the negative pole.)
> 	3) Don't upload or download files.
> 	4) Don't store files on floppy disks or hard disks.
> 	5) Don't read messages. Not even this one!
> 	6) Don't use serial ports, modems, or phone lines.
> 	7) Don't use keyboards, screens, or printers.
> 	8) Don't use switches, CPUs, memories, microprocessors, or 
> 	  mainframes.
> 	9) Don't use electric lights, electric or gas heat or 
> 	  airconditioning, running water, writing, fire, clothing or the 
> 	  wheel.
> 	
> 	I'm sure if we are all careful to follow these 9 easy steps, this 
> 	virus can be eradicated, and the precious electronic flui9ds of 
> 	our computers can be kept pure.
> 	
> 	---RTM III
>
>Since that time virus hoaxes have flooded the Internet. With thousands of
>viruses worldwide, virus paranoia in the community has risen to an extremely 
>high level. It is this paranoia that fuels virus hoaxes. A good example of 
>this behavior is the "Good Times" virus hoax which started in 1994 and is 
>still circulating the Internet today. Instead of spreading from one computer 
>to another by itself, Good Times relies on people to pass it along. 
>
>How to Identify a Hoax
>======================
>
>There are several methods to identify virus hoaxes, but first consider what 
>makes a successful hoax on the Internet. There are two known factors that make
>a successful virus hoax, they are: (1) technical sounding language, and
>(2) credibility by association. If the warning uses the proper technical
>jargon, most individuals, including technologically savvy individuals, tend to
>believe the warning is real. For example, the Good Times hoax says that 
>"...if the program is not stopped, the computer's processor will be placed in
>an nth-complexity infinite binary loop which can severely damage the 
>processor...". The first time you read this, it sounds like it might be 
>something real. With a little research, you find that there is no such thing 
>as an nth-complexity infinite binary loop and that processors are designed 
>to run loops for weeks at a time without damage.
>
>When we say credibility by association we are referring to who sent the
>warning. If the janitor at a large technological organization sends a warning
>to someone outside of that organization, people on the outside tend to believe
>the warning because the company should know about those things. Even though
>the person sending the warning may not have a clue what he is talking about,
>the prestige of the company backs the warning, making it appear real. If a
>manager at the company sends the warning, the message is doubly backed by the
>company's and the manager's reputations.
>
>Individuals should also be especially alert if the warning urges you to pass 
>it on to your friends. This should raise a red flag that the warning may be 
>a hoax. Another flag to watch for is when the warning indicates that it is a 
>Federal Communications Commission (FCC) warning. According to the FCC, they
>have not and never will disseminate warnings on viruses. It is not part of 
>their job. 
>
>CIAC recommends that you DO NOT circulate virus warnings without first
>checking with an authoritative source. Authoritative sources are your computer
>system security administrator or a computer incident advisory team. Real
>warnings about viruses and other network problems are issued by different
>response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by
>the sending team using PGP. If you download a warning from a team's web site
>or validate the PGP signature, you can usually be assured that the warning is
>real. Warnings without the name of the person sending the original notice, or
>warnings with names, addresses and phone numbers that do not actually exist
>are probably hoaxes.
>
>What to Do When You Receive a Warning
>=====================================
> 
>Upon receiving a warning, you should examine its PGP signature to see that it
>is from a real response team or antivirus organization. To do so, you will
>need a copy of the PGP software and the public signature of the team that
>sent the message. The CIAC signature is available from the CIAC web server 
>at:
>
>http://ciac.llnl.gov 
>
>If there is no PGP signature, see if the warning includes the name of the
>person submitting the original warning. Contact that person to see if he/she
>really wrote the warning and if he/she really touched the virus. If he/she is
>passing on a rumor or if the address of the person does not exist or if
>there are any questions about the authenticity of the warning, do not
>circulate it to others. Instead, send the warning to your computer security
>manager or incident response team and let them validate it. When in doubt, do
>not send it out to the world. Your computer security managers and the
>incident response teams have experts who try to stay current on viruses and
>their warnings. In addition, most anti-virus companies have a web page
>containing information about most known viruses and hoaxes. You can also call
>or check the web site of the company that produces the product that is
>supposed to contain the virus. Checking the PKWARE site for the current
>releases of PKZip would stop the circulation of the warning about PKZ300
>since there is no released version 3 of PKZip. Another useful web site is the
>"Computer Virus Myths home page" (http://www.kumite.com/myths/) which
>contains descriptions of several known hoaxes. In most cases, common sense
>would eliminate Internet hoaxes.
>
>------------------------------------------------------------------------------
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
>    Voice:    +1 510-422-8193
>    FAX:      +1 510-423-8002
>    STU-III:  +1 510-423-2604
>    E-mail:   ciac@llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
>   World Wide Web:      http://ciac.llnl.gov/
>   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
>   Modem access:        +1 (510) 423-4753 (28.8K baud)
>                        +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>   information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>   (SPI) software updates, new features, distribution and
>   availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
>   use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called ListProcessor, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
>valid information for LastName FirstName and PhoneNumber when sending
>
>E-mail to       ciac-listproc@llnl.gov:
>        subscribe list-name LastName, FirstName PhoneNumber
>  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
>
>You will receive an acknowledgment containing address, initial PIN,
>and information on how to change either of them, cancel your
>subscription, or get help.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins.  If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained by sending email to
>docserver@first.org with an empty subject line and a message body
>containing the line: send first-contacts.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>G-43: Vulnerabilities in Sendmail
>G-44: SCO Unix Vulnerability
>G-45: Vulnerability in HP VUE
>G-46: Vulnerabilities in Transarc DCE and DFS
>G-47: Unix FLEXlm Vulnerabilities
>G-48: TCP SYN Flooding and IP Spoofing Attacks
>H-01: Vulnerabilities in bash
>H-02: SUN's TCP SYN Flooding Solutions
>H-03: HP-UX_suid_Vulnerabilities
>H-04: HP-UX  Ping Vulnerability
>
>RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
>
>Notes 07 - 3/29/95     A comprehensive review of SATAN
>
>Notes 08 - 4/4/95      A Courtney update
>
>Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
>
>Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
>                       in S/Key, EBOLA Virus Hoax, and Caibua Virus
>
>Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
>                       America On-Line Virus Scare, SPI 3.2.2 Released,
>                       The Die_Hard Virus
>
>Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
>                       Windows, beta release of Merlin, Microsoft Word
>                       Macro Viruses, Allegations of Inappropriate Data
>                       Collection in Win95
>
>Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
>                       Conference Announcement, Security and Web Search
>                       Engines, Microsoft Word Macro Virus Update
>
>
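As an added example (not part of the CIAC bulletin or of the original post), the following Python script applies the bulletin's hoax indicators (no PGP signature, no named original sender, an urge to forward, a claimed FCC origin, Good Times style jargon) to two constructed sample messages. The regular expressions, the plain indicator count and the sample text are assumptions made here, and the PGP check only looks for a clearsigned layout; it does not verify the signature, which needs PGP and the team's public key.

```python
"""Heuristic triage of an e-mailed virus warning using the hoax indicators
the CIAC bulletin lists. Added example, not CIAC code: the patterns, the
indicator count and the two sample messages are constructed here."""
import re

# Phrases that urge the reader to pass the warning on (constructed patterns).
FORWARD_PATTERNS = [r"\bforward (this|it) to\b", r"\bpass (this|it) (on|along)\b",
                    r"\bsend (this|it) to (all|every)"]
FCC_PATTERN = r"\b(FCC|Federal Communications? Commission)\b"
JARGON_PATTERN = r"nth-complexity|infinite binary loop"   # Good Times wording
SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def has_pgp_signature_block(body):
    """True if the body has a clearsigned layout. Structure only: verifying
    the signature itself needs PGP and the issuing team's public key."""
    return (SIGNED_BEGIN in body and SIG_BEGIN in body and SIG_END in body
            and body.index(SIG_BEGIN) < body.index(SIG_END))

def has_named_sender(headers):
    """A human name in From:, not just a bare address or nothing at all."""
    name_part = re.sub(r"<[^>]*>", "", headers.get("from", ""))
    return re.search(r"[A-Za-z]{2,}\s+[A-Za-z]{2,}", name_part) is not None

def triage_warning(raw_message):
    """Return (indicator count, indicator names) for one RFC 822-style message."""
    head, _, body = raw_message.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    flags = []
    if not has_pgp_signature_block(body):
        flags.append("no PGP signature block")
    if not has_named_sender(headers):
        flags.append("no named original sender")
    if any(re.search(p, body, re.I) for p in FORWARD_PATTERNS):
        flags.append("urges recipient to forward")
    if re.search(FCC_PATTERN, body):
        flags.append("claims an FCC virus warning")
    if re.search(JARGON_PATTERN, body, re.I):
        flags.append("Good Times pseudo-technical jargon")
    return len(flags), flags

# Constructed sample messages (not real mail).
HOAX_SAMPLE = (
    "From: <anonymous@example.invalid>\n"
    "\n"
    "The FCC released a warning last week about a new virus. If the program is\n"
    "not stopped, the processor will be placed in an nth-complexity infinite\n"
    "binary loop. Please forward this to everyone you know!\n")

BULLETIN_SAMPLE = (
    'From: "CIAC Bulletin Service" <ciac@llnl.gov>\n'
    "\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "The Good Times virus warnings are a hoax. No virus by that name exists.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "[constructed placeholder, not a real signature]\n"
    "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for label, sample in (("hoax", HOAX_SAMPLE), ("bulletin", BULLETIN_SAMPLE)):
        print(label, triage_warning(sample))
```

A message that trips several indicators is not proven to be a hoax; as the bulletin says, it should go to the security manager or incident response team for validation rather than to everyone's friends.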
