"Fake" viruses can be just as much trouble as the real thing.
You've almost certainly received an e-mail warning you about a new virus. You know the type -- one of those mass e-mails containing warnings of all sorts of dire things that can happen if the described virus or worm gets loose on your system. The e-mail goes on to list the name of the offending file, and tells you that all you need to do is delete the file, and the threat will be gone.
So you check your system, and sure enough, there in the Windows directory is the very file the email warned you about. You wonder briefly why your antivirus software didn't pick up this one, but then you remember that the letter said that this one was so clever that antivirus software couldn't detect it. Guess you'd better delete it, right?
Wrong. If you actually do delete the file, you could very easily spend the next couple of hours reinstalling Windows. And that, of course, is why the antivirus software didn't issue an alert. The e-mail was a hoax, and if you follow its instructions, you could delete an important Windows file--one that's supposed to be there.
The power of the hoax
Hoaxes are almost a bigger problem than viruses, notes Roger Thompson, technical director of malicious code research for the ICSA in the US. He notes that it's a lot easier to create a good hoax than it is to create a good virus. And antivirus software, obviously, can't detect a hoax. So these hoaxes usually get through.
As a result, enormous amounts of company resources are used up in dealing with hoaxes. Employees spend time sending the messages to others, some waste time looking for and deleting the offending files, and time is also spent restoring users' computers after they've deleted those files.
Right now, the hot hoax is one that warns of a file on your computer called JDBGMGR.EXE, which an e-mail claims will invade your computer, lie dormant for two weeks, and then release a worm. In reality, this is a file that allows Windows to use Java. If you erase it, you won't be able to use Java.
Making matters more complicated, JDBGMGR.EXE is a file that is sometimes sent out in infected form by the MAGISTR virus, meaning that you could find it as an attachment in an e-mail. The result is even more complicated; in one case, you don't want to erase the file (when it's on your hard disk) but in another case, you do (when it's in an e-mail). You can imagine how much fun the support desk is having with that one.
In some ways, JDBGMGR.EXE is similar to the granddaddy of virus hoaxes--the Goodtimes virus of seven years ago. If activated, this virus was supposed to execute code that would cause your CPU to overheat and fail. Aside from the fact that you can't do that with software (at least not the way the e-mail described it) there was simply nothing to it. But for months, thousands of people were searching for anything named Goodtimes.
That hoax was complicated by two things. In those days, Microsoft shipped a music video on the Windows CD called Goodtimes. So people were freaking out when they found what they thought was a virus on their operating system CD where it couldn't be erased. Then, a few months later, somebody actually did release a virus called Goodtimes. By then, most people had learned that Goodtimes wasn't a virus. So they didn't treat it as one. Imagine the consternation.
The answer to the chaos caused by these hoaxes isn't all that easy, but you should start by making sure your employees know that such things exist. Maybe that will help them learn not to believe everything they read in e-mail. The next thing you should do is appoint someone to be the hoax point of contact. Then, when people receive warnings, real or imagined, about viruses, you have someone who can actually investigate and tell whether it's real. Remember, if a hoax requires as many resources as fixing a virus does, there's not much practical difference. It might as well be a real virus.
Educate users
The appearance of the SirCam virus last year again raised awareness of the threat posed by e-mail-borne viruses. This awareness is a vital part of your company's antivirus strategy, but unfortunately, well-intentioned employees might be falling victim to the other side of the coin and giving your mail server additional headaches by circulating virus hoaxes.
Almost as dangerous
As the many clones and variations of well-known viruses such as Melissa and IloveYou attest, assembling a virus isn't necessarily that big a trick. But it's even easier to spawn a flood of e-mail that, while not a virus, can clog your servers and, worse, is much harder to kill. How? Craft an impressive-sounding, frightening warning about a nonexistent virus, and tell people to forward it to everyone they know.
Originally, these warnings advised readers to avoid even reading so-called infected e-mail--although the text messages couldn't possibly contain malicious code. With viruses now lurking in attachments, pranksters have plenty more paranoia to play upon. For example, here's a copy of an e-mail warning that was circulated recently.
Read and Heed. Very Urgent!!
Do not open any attachment to e-mail entitled: It Takes Guts to Say Jesus
DO NOT OPEN IT. It will erase everything on your hard drive. This information was announced recently from IBM. AOL states that this is a very dangerous virus... much worse than Melissa and that there is no remedy for it at this time. Some very sick individual has succeeded in using the reformat function from Norton Utilities, causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh- and IBM-compatible computers. This very malicious virus is new, and not many people know about it.
A bit of creative writing
Let's take a look at the components of this threat. The hoax's writer has used several impressive-sounding names, such as the Melissa virus itself, AOL, IBM, and Norton Utilities. The writer hopes to gain credibility by dropping as many names as possible. Unfortunately, the operations the e-mail describes, while intended to sound impressively technical, are pure bunk. For starters, IBM rarely originates virus warnings. The lack of links to any particular warning is also a clue to the message's falsity.
Although not included in this message, phony virus warnings often share a trait with other hoaxes, chain letters, and urban legends: a message urging the reader to forward the e-mail to everyone he or she knows. Chain letters and hoaxes of all types rely on gullible readers to propagate; that's why it's rare to see warnings about the thoroughly debunked GoodTimes virus.
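The traits described above (name-dropping with no link to an advisory, a claim that nothing can detect or cure the virus, an instruction to delete a file, a plea to forward the message) can be checked mechanically before a warning lands with the hoax point of contact. The sketch below is an added example, not part of the original article; the trait names, regular expressions, authority list and threshold are assumptions chosen for illustration.

```python
import re

# Sample 1 is the warning quoted in the article (abridged); sample 2 is constructed.
QUOTED_WARNING = (
    "Read and Heed. Very Urgent!! Do not open any attachment to e-mail entitled: "
    "It Takes Guts to Say Jesus. DO NOT OPEN IT. It will erase everything on your "
    "hard drive. This information was announced recently from IBM. AOL states that "
    "this is a very dangerous virus... much worse than Melissa and that there is no "
    "remedy for it at this time. Some very sick individual has succeeded in using "
    "the reformat function from Norton Utilities. It has been designed to work with "
    "Netscape Navigator and Microsoft Internet Explorer."
)
CONSTRUCTED_WARNING = (
    "A virus hides in JDBGMGR.EXE. Antivirus software cannot detect it. "
    "Delete JDBGMGR.EXE now and forward this to everyone in your address book."
)

# Organisations hoaxes like to cite; extend for your own mail (assumption).
AUTHORITIES = ("IBM", "AOL", "Microsoft", "Norton", "Symantec")
# Trait name -> pattern. Traits follow the article; the regexes are illustrative.
TRAITS = {
    "forward_to_everyone": re.compile(
        r"\b(forward|send|pass)\b[^.!?]*\b(everyone|everybody|all (of )?your)\b", re.I),
    "no_remedy_or_undetectable": re.compile(
        r"no (remedy|cure|fix)|anti-?virus[^.!?]*(can(no|')t|unable to) detect", re.I),
    "delete_file_instruction": re.compile(
        r"\b(delete|erase|remove)\b[^.!?]*\b[\w-]+\.(exe|dll|com|sys)\b", re.I),
}
LINK = re.compile(r"https?://|www\.", re.I)

def hoax_traits(message):
    """Return the sorted list of hoax traits found in a message body."""
    found = [name for name, rx in TRAITS.items() if rx.search(message)]
    cited = [a for a in AUTHORITIES if re.search(rf"\b{a}\b", message)]
    # Name-dropping counts only when no advisory link backs it up.
    if len(cited) >= 2 and not LINK.search(message):
        found.append("authorities_cited_without_link")
    return sorted(found)

def needs_review(message, threshold=2):
    """True when enough traits are present to route the mail to the hoax contact."""
    return len(hoax_traits(message)) >= threshold
```

A match means "hold and have the hoax contact verify against a vendor advisory", not "this is a hoax"; a genuine alert can trip the same patterns.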
Virus myth education
Fortunately, it's a lot easier to be on guard against this kind of threat. Just as technology sites are quick to expose genuine threats, there are a number of sites that collect information about the latest hoaxes.
The US Department of Energy's Computer Incident Advisory Capability (CIAC) maintains the Hoaxbusters Web site in an effort to identify the newest panic-inducing messages. Similarly, Symantec, makers of the Norton AntiVirus suite, has a page listing virus hoaxes as well as genuine threats.
Another source, Vmyths.com, is dedicated to collecting information about phony warnings. Prominent links describe common traits of phony warnings and the false authority syndrome (in which expertise in one field is used to give credibility to claims made in another or, put another way, why hoaxers cite everyone from Big Blue to Big Bird as originating their warnings). Also, although IBM doesn't usually sound virus alerts, it does maintain a collection of papers on real and bogus viruses.
Once you know how to spot a questionable warning, educate your users with an eye toward easing the virus paranoia. The dire prophecies in these bogus e-mails are transparently false to experienced eyes, but they prey on the inherent fear many novices have in approaching their systems--that some mysterious doohickey is going to go haywire and destroy everything.
It's up to you
As a support or training professional, you owe it to your company to ensure that your users think twice before opening e-mail attachments. A little background, though, on why they're a problem--and what constitutes a legitimate threat--can not only put your users on guard against the next attack but can also prevent them from gumming up your mail server by forwarding silly warnings.
Also keep in mind that unlike many of the recent crop of VBScript viruses, bogus messages rely on good intentions, not just ignorance, to circulate. Recognise that while a temporary flood of e-mail is an inconvenience, the person who forwarded the message thought he or she was doing the right thing.
You might even back the training up with a policy stating that no employee should pass around a virus warning unless it came from the IT department itself. For that matter, it might not hurt to restrict mass e-mail forwarding to strictly business-related matters.








