Computer Virus Hoaxes
Copyright 2002 by Ronald B. Standler
Table of Contents
Introduction
1. Characteristics of a Hoax
2. Examples of Hoaxes
3. Proper Response to Hoaxes
Links to other sites
Conclusion
Introduction
This essay concerns e-mails that warn about a fictitious computer virus.
This essay is a companion to my separate essay on
computer crime and my essay on
malicious computer programs.
Normally, I would not be interested in hoaxes, but several widespread
e-mail hoaxes in the years 2001 and 2002 advised the recipient to delete a file
(e.g., SULFNBK.EXE or JDBGMGR.EXE)
from their computer that is allegedly a computer virus, but is actually
part of the Microsoft Windows operating system.
I have received such hoax e-mails from clueless attorneys and
accountants who forwarded the hoax to their entire e-mail address book.
It is also possible that a hoax e-mail might contain an attachment
that is a malicious program, such as a Trojan Horse or worm.
When the reader of the hoax e-mail is in an emotional state
(e.g., panic about the impending virus attack mentioned in the
text of the hoax e-mail), the reader may be more likely to
click on the attachment and become infected.
1. Characteristics of a Hoax
If one has a healthy skepticism and some knowledge of propaganda techniques,
one is well equipped to recognize hoaxes.
Hoaxes commonly show the following characteristics:
- Style of hoaxes.
Hyperbole about damage that will be inflicted:
For example:
- "will wreak terrible havoc on your computer"
- "this is a very dangerous virus, much worse than Melissa
and there is NO remedy for it at this time"
- "unparalleled in its destructive capability"
- "I received this virus and it wiped me out."
- "Other, more well-known viruses such as ... pale in comparison to
the prospects of this newest creation by a warped mentality."
Sometimes these warnings specifically mention that the alleged
virus will destroy hardware (e.g., hard disk drives).
While it is possible to write malicious programs
to damage some types of hardware, physical damage to
hardware is rare. Most commonly, malicious programs only
delete files or alter data in files,
without harming the disk drive itself.
Frantic style.
For example:
- Many exclamation marks in the text of the message or in the subject line.
- Use of all UPPER-CASE letters.
- Excessive use of boldface or italics.
- Use of larger than normal-size letters in the message.
The use of hyperbole or a frantic style is symptomatic of a hoax,
because scientists, engineers, and professional technical writers
use neither hyperbole nor frantic style.
- Technical details that appear to give the message credibility.
Someone who is knowledgeable about computer science or
electrical engineering can often spot errors or implausible
statements in the message, but most readers do not have the
technical background to evaluate such content. The point
made here is that inclusion of technical terms is not
proof that the author is either correct or sincere.
Sometimes the message contains long, detailed instructions for
removing the alleged virus. Such instructions are needless,
as it would be easier to refer the reader to the URL of the
appropriate webpage at a major anti-virus vendor's website.
Putting long, detailed instructions into an e-mail is a symptom
of a hoax.
- Appeal to authority.
Hoaxes often mention the name of a major corporation
(e.g., IBM or Microsoft) or a government agency (e.g., FCC)
that has allegedly originally issued or endorsed the message.
Alternatively, the hoax might mention the name of a major anti-virus
software vendor. A key feature of a hoax is the lack of a URL
that would allow the reader to confirm the source of the information.
- Last, and perhaps most importantly, the hoax will urge you to
forward this message immediately to everyone you know.
If you believe the hoax is credible,
this encouragement plays on your desire to be helpful to other people,
particularly your friends, colleagues, clients, ....
In fact, if you forward a hoax, you are contributing to
panic, and possibly encouraging someone else to harm his/her computer.
Before you forward the message:
- Check one or more of the anti-virus vendors' websites listed
below to see if the message is
a known hoax.
- If you work in a major corporation, forward the message to the
computer center or information technology department
and let them decide whether to warn other users.
If you cannot evaluate the technical content of a message
warning about a new computer virus, then it is not your job
to warn others about this alleged new virus.
Receiving an e-mail message that has been previously forwarded,
particularly forwarded more than once, is diagnostic of a hoax.
If you discover that an e-mail is a hoax,
reply to the person who sent the hoax.
more characteristics of hoaxes
The following are some specific features of some, but not all, hoaxes
about computer viruses:
- "Anti-Virus vendors do not know about this virus."
or
"Anti-Virus software will not protect your computer."
Either one of these statements is part of the alarmist
message of the hoax. Anti-virus software vendors typically
release revised software to detect a new malicious program on the same day
that the new malicious program is discovered.
Further, most (but not all) new threats spread slowly for the first few days.
- "Not many people know about this virus."
Such a statement is just a variation on the previous item about the
ignorance or helplessness of anti-virus software.
This statement is propaganda that encourages you to believe that you are
amongst the first people to know something important, and, consequently,
it is your duty to inform others.
This is enticement for you to spread the hoax.
- Because your e-mail address is in my computer and my computer
is infected, you are probably infected.
That is actually a plausible statement.
The problem is that the sender's computer is not infected,
and the message is only a hoax.
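The characteristics listed in this section can be checked mechanically, for example by a help desk triaging forwarded warnings. The following Python code is an added example, not part of the original essay: the phrase lists, thresholds and the names `hoax_signals` and `triage` are assumptions, the first sample is an excerpt of the Wobbler hoax quoted in section 2, and the other two samples are constructed.

```python
import re

# Phrase lists and thresholds are illustrative assumptions, not a vetted ruleset.
PATTERNS = {
    # Hyperbole about the damage that will be inflicted.
    "hyperbole": re.compile(
        r"no remedy|unparalleled|wiped me out|very dangerous|much worse than"
        r"|terrible havoc|pale in comparison", re.I),
    # Claims that anti-virus vendors or most people do not know about the virus.
    "av_helpless": re.compile(
        r"not detected by|did not detect|do not know about"
        r"|not many people know|will not protect", re.I),
    # The request to forward the message to everyone you know.
    "forward_request": re.compile(
        r"\b(?:forward|send|pass)\b[^.!?]{0,60}"
        r"\b(?:everyone|anyone|as many people|address book|contacts)\b", re.I),
    # Instructions to delete a named program file.
    "delete_file": re.compile(
        r"\bdelet\w*[^.!?]{0,60}\b\w+\.(?:exe|dll)\b", re.I),
}
AUTHORITY = re.compile(
    r"\b(?:ibm|microsoft|fcc|aol|norton|mcafee|symantec)\b", re.I)
URL = re.compile(r"https?://\S+|\bwww\.\S+", re.I)

def is_frantic(text):
    """Many exclamation marks or several words written in all upper case."""
    shouted = [w for w in re.findall(r"[A-Za-z]{4,}", text) if w.isupper()]
    return text.count("!") >= 3 or len(shouted) >= 3

def hoax_signals(text):
    """Return the set of hoax characteristics found in a message body."""
    found = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if is_frantic(text):
        found.add("frantic_style")
    # Appeal to authority with no URL to confirm the source.
    if AUTHORITY.search(text) and not URL.search(text):
        found.add("authority_without_url")
    return found

def triage(text):
    """Weight the forwarding request most heavily, as the essay does."""
    signals = hoax_signals(text)
    if "forward_request" in signals and len(signals) >= 2:
        return "likely hoax"
    return "check vendor site" if signals else "no hoax indicators"

# Excerpt of the Wobbler hoax text reproduced in section 2 of this essay.
WOBBLER = (
    'VIRUS ALERT If you receive an email with a file called "California" do '
    'not open the file. This information was announced yesterday morning by '
    'IBM. The report says that "this is a very dangerous virus, much worse '
    'than "Melissa" and there is NO remedy for it at this time. This is a '
    'new, very malicious virus and not many people know about it at this '
    'time. Please pass this warning to everyone in your address book and '
    'share it with all your online friends asap.')
# Constructed sample in the style of the file-deletion hoaxes.
DELETE_SAMPLE = (
    'My anti virus program did not detect this virus! Find and delete the '
    'file jdbgmgr.exe, then send this e-mail to all in your address book!!!')
# Constructed sample of a useful warning (placeholder URL).
USEFUL = (
    'A new worm has been reported. Update your anti-virus software and '
    'follow the current instructions at https://vendor.example/advisory')

if __name__ == "__main__":
    for name, body in [("wobbler", WOBBLER), ("delete", DELETE_SAMPLE),
                       ("useful", USEFUL)]:
        print(name, triage(body), sorted(hoax_signals(body)))
```

A "likely hoax" result is a prompt to look the message up at an anti-virus vendor's website before anyone forwards it, not a verdict on its own.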
chain letters
An article at the now defunct
CIAC
website remarks on the similarity between chain letters and virus hoaxes.
According to this article, a chain letter has three parts:
- a hook that attracts the reader's attention
- a threat that is the consequence of not forwarding the chain letter
- a request to forward the chain letter
More on chain letters can be found by using a search engine to seek
"chain letters" or "urban legends".
2. Examples of Hoaxes
A typical hoax in the 1990s warned the recipient that reading an e-mail with
the specified subject line would infect their computers with a virus.
Before the year 2001, it was not possible to infect a computer
merely by reading an e-mail: one needed to click on an attachment
that executed a malicious program.
So that you can see examples of how past hoaxes use the characteristic
features mentioned above, I reproduce the
text of the following hoaxes about computer viruses,
in chronological order.
The text of the following hoaxes was copied from the Norton Anti-Virus
website, unless another source is cited.
- Good Times
This hoax began in 1994. There are many different versions,
most of which share key phrases. Here is a version from the
McAfee
Anti-Virus website:
- PLEASE READ THE MESSAGE BELOW !!!!!!!!!!!!!
Some miscreant is sending email under the title "Good Times" nationwide,
if you get anything like this, DON'T DOWN LOAD THE FILE!
It has a virus that rewrites your hard drive, obliterating anything t.
Please be careful and forward this mail to anyone you care about. The FCC
released a warning last Wednesday concerning a matter of major importance
to any regular user of the Internet. Apparently a new computer virus has
been engineered by a user of AMERICA ON LINE that is unparalleled in its
destructive capability. Other more well-known viruses such as "Stoned",
"Airwolf" and "Michaelangelo" pale in comparison to the prospects of this
newest creation by a warped mentality. What makes this virus so
terrifying, said the FCC, is the fact that no program needs to be
exchanged for a new computer to be infected. It can be spread through the
existing email systems of the Internet.
Once a Computer is infected, one of several things can happen. If the
computer contains a hard drive, that will most likely be destroyed. If the
program is not stopped, the computer's processor will be placed in an
nth-complexity infinite binary loop - which can severely damage the
processor if left running that way too long. Unfortunately, most novice
computer users will not realize what is happening until it is far too
late. Luckily, there is one sure means of detecting what is now known as
the "Good Times" virus. It always travels to new computers the same way in
a text email message with the subject line reading "Good Times". Avoiding
infection is easy once the file has been received simply by NOT READING
IT! The act of loading the file into the mail server's ASCII buffer causes
the "Good Times" mainline program to initialize and execute.
The program is highly intelligent - it will send copies of itself to
everyone whose email address is contained in a receive-mail file or a
sent-mail file, if it can find one. It will then proceed to trash the
computer it is running on.
The bottom line is: - if you receive a file with the subject line "Good
Times", delete it immediately! Do not read it" Rest assured that whoever's
name was on the "From" line was surely struck by the virus. Warn your
friends and local system users of this newest threat to the Internet! It
could save them a lot of time and money.
Could you pass this along to your global mailing list as well?
-----------------
********IMPORTANT*******
PLEASE SEND TO PEOPLE YOU CARE ABOUT OR JUST PEOPLE ONLINE
The statement about putting a computer in an "nth-complexity infinite binary loop"
is technical nonsense. And computers are designed to run loops indefinitely
without damage to the processor.
Here is another version of the Good Times hoax, this one from the
F-Secure
Anti-Virus website:
- Subject: Good Times
Date: 12/2/94 11:59 AM
Thought you might like to know...
Apparently , a new computer virus has been engineered by a
user of America Online that is unparalleled in its
destructive capability. Other, more well-known viruses such
as Stoned, Airwolf, and Michaelangelo pale in comparison to
the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying is the fact that no
program needs to be exchanged for a new computer to be
infected. It can be spread through the existing e-mail
systems of the InterNet.
Luckily, there is one sure means of detecting what is now
known as the "Good Times" virus. It always travels to new
computers the same way - in a text e-mail message with the
subject line reading simply "Good Times". Avoiding infection
is easy once the file has been received - not reading it.
The act of loading the file into the mail server's ASCII
buffer causes the "Good Times" mainline program to
initialize and execute.
The program is highly intelligent - it will send copies of
itself to everyone whose e-mail address is contained in a
received-mail file or a sent-mail file, if it can find one.
It will then proceed to trash the computer it is running on.
The bottom line here is - if you receive a file with the
subject line "Good TImes", delete it immediately! Do not
read it! Rest assured that whoever's name was on the
"From:" line was surely struck by the virus. Warn your
friends and local system users of this newest threat to the
InterNet! It could save them a lot of time and money.
The statement in the first long paragraph about
"unparalleled in its destructive capability" is hyperbole.
- Irina
This hoax was started in September 1996 when a book publisher
announced the sale of an interactive novel called Irina,
by distributing a warning about a nonexistent Irina virus.
- Deeyenda
This hoax began in November 1996.
The following text is from the
F-Secure
Anti-Virus website:
- ******** VIRUS ALERT ******
VERY IMPORTANT INFORMATION: PLEASE READ !
There is a computer virus that is being sent across the Internet. If
you receive an email message with the subject line "Deeyenda", DO
NOT read the message, DELETE it immediately. Please read the
messages below. Some miscreant is sending email under the title
"Deeyenda" nationwide, if you get anything like this DON'T DOWNLOAD
THE FILE! It has a virus that rewrites your hard drive, obliterating
anything on it. Please be careful and forward this mail to anyone
you care about.
FCC WARNING !!!!! ----- DEEYENDA PLAGUES INTERNET ----
The internet community has again been plagued by another computer
virus. This message is being spread throughout the internet,
including USENET posting, EMAIL, and other internet activities. The
reason for all the attention is because of the nature of this virus
and the potential security risks it makes. Instead of a destructive
trojan virus (most viruses!), this virus, referred to as Deeyenda
Maddick, performs a comprehensive search on your computer, looking
for valuable information, such as email and login passwords, credit
cards, personal info, etc. The Deeyenda virus also has the
capability to stay memory resident while running a host of
applications and operation systems, such as Windows 3.11 and Windows 95.
What this means to internet users is that when a login and PASSWORD are
sent to the server, this virus can COPY this information and SEND IT
OUT TO AN UNKNOWN ADDRESS (varies).
The reason for this warning is because the Deeyenda virus is
virtually undetectable. Once attacked, your computer will be
unsecure. Although it can attack any O/S, this virus is most likely
to attack those users viewing Java enhanced Web Pages (Netscape 2.0+
and Microsoft Internet Explorer 3.0+ which are running on Windows
95) . Researchers at Princeton University have found this virus on a
number of World Wide Web pages and fear its spread.
Please pass this on, for we must alert the general public at the
security risks.
"Trojan virus" is technical nonsense: a Trojan Horse program is distinctly
different from a computer virus. The mention of Princeton University
is an appeal to authority.
- AOL4FREE
This hoax began in March 1997.
- Anyone who receives this must send it to as many people as you can.
It is essential that this problem be reconciled as soon as possible. A few hours
ago, I opened an E-mail that had the subject heading of "aol4free.com."
Within seconds of opening it, a window appeared and began to display my files that
were being deleted. I immediately shut down my computer, but it was too late.
This virus wiped me out. It ate the Anti-Virus Software that comes with the
Windows '95 Program along with F-Prot AVS. Neither was able to detect it.
Please be careful and send this to as many people as possible, so maybe this
new virus can be eliminated.
There is also a Trojan Horse program with the same name that
has been known since March 1997.
- Wobbler
This hoax began in October 1998.
- VIRUS ALERT If you receive an email with a file called "California" do not open the file. The file
contains the virus. This information was announced yesterday morning by IBM. The report says
that "this is a very dangerous virus, much worse than "Melissa" and there is NO remedy for it at
this time. Some very sick individual has succeeded in using the reformat function from Norton
Utilities causing it to completely erase all documents on the hard drive. It has been designed to
work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM
compatible computers. This is a new, very malicious virus and not many people know about it at
this time. Please pass this warning to everyone in your address book and share it with all your
online friends asap so that the destruction it can cause may be minimized.
The mention of IBM is an appeal to authority; "much worse than Melissa"
is hyperbole.
The claim that the virus "destroys Macintosh and IBM
compatible computers" is not plausible, because the
Macintosh operating system is completely different from the
DOS/Windows operating system used by IBM-compatible PCs.
- SULFNBK.EXE
This hoax began in April 2001 in Brazil and informed the recipient
that the file SULFNBK.EXE on their computer
was a virus and should be deleted immediately.
Actually, the file is part of the Microsoft Windows operating system;
it displays long filenames
instead of the eight-character DOS filenames.
The Norton Anti-Virus
webpage has the text for five different English-language versions of this hoax.
The following is one version:
- Hello! I just got this letter from my friend and yes I had the virus as well please follow the directions to see if you have the virus and then follow the
directions to get rid of it. Like my friend I am sorry that I passed it along as well.
Dear All: We received a virus on a message. I followed the instructions below and found that it had been spread to our computer. I followed the
instructions and located the virus and was able to delete it. The bad news is that you probably have it, as you are in My Address book! More bad news is
that my anti virus program did not detect this virus. The virus lies dormant for 14 days and then "kills" your hard drive.
Here is what to do. If you follow the instructions and then see that you have the virus, you need to send a similar e-mail to everyone in your address book.
Remove the virus by following these steps:
[ first eight steps omitted here ]
9. If you found the virus on your system, send this or a similar e-mail to all in your address book because this is how it is transferred.
Sorry for the trouble and my apologies for having unwittingly "infected" you. You'll want to check for this virus again for the next couple days
until everyone in your address book has seen it and deleted it, otherwise, being in their address book, your PC will get infected all
over again so don't forget to check!
- JDBGMGR.EXE
This hoax began in April 2002 and informed the recipient
that the file JDBGMGR.EXE on their computer
was a virus and should be deleted immediately.
Actually, the file is part of the Microsoft Windows operating system;
it is the Microsoft Debugger Register for Java.
This hoax is similar to the earlier SULFNBK.EXE hoax.
- I found the little bear in my machine because of that I am sending this message in order for you to
find it in your machine. The procedure is very simple:
The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by
MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the
Messenger and by the address book too. The virus is not detected by McAfee or Norton and it
stays quiet for 14 days before damaging the system.
The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is
just necessary to do the following steps:
[ seven steps omitted here ]
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO
ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN
CAUSE ANY DAMAGE.
The mention of "little bear" refers to the shape of the icon
for the JDBGMGR.EXE file.
3. Proper Response to Hoaxes
Before you forward a warning message:
- Check one or more of the anti-virus vendors' websites listed
below to see if the message is
a known hoax.
- If you work in a major corporation, forward the message to the
computer center or information technology department
and let them decide whether to warn other users.
If you cannot evaluate the technical content of a message
warning about a new computer virus, then it is not your job
to warn others about this alleged new virus.
If you discover that an e-mail is a hoax, reply to the person
who sent the hoax to you:
- change the subject line in the e-mail to "hoax warning".
In particular, delete the name of the alleged virus,
so the sender does not delete your reply, believing that he/she
is about to be infected with the virus that he/she just warned
you about.
- tell them it is a hoax,
- include the URL of a document at an anti-virus vendor's
website that documents the hoax, and
- this is one of the few times when etiquette books agree
that it is appropriate to insult the sender. <laughing>
useful warnings
In contrast to hoaxes, a useful warning would either:
- advise you to update your anti-virus software to protect yourself
from the new threat that is mentioned in the message.
- contain a link to a major anti-virus software vendor's website
and ask that you follow the current instructions there.
Links to other sites
There are many websites about computer virus hoaxes,
so I have been very selective in choosing the following sites.
The major vendors of anti-virus software all have
a webpage with computer security advisories,
the latest threats by malicious programs,
as well as detailed technical documents about each malicious program.
Many anti-virus software vendors also have
extensive collections of information on hoaxes about computer viruses:
- Symantec Corporation,
the source of Norton Anti-Virus software.
- F-Secure in Finland.
They have a list of
fifty latest hoaxes.
- McAfee homepage.
- Sophos in England.
Virus Bulletin
has a list of hoaxes.
A 10 January 1997 essay by Joe Wells, How to Spot a Virus Hoax, has
apparently been deleted from the Internet.
Conclusion
Do not be gullible.
Recognize hoaxes and do not forward them to other people.
Hoaxes are harmful:
- they waste people's time, particularly the time of computer technicians
and anti-virus software developers who respond to bogus incidents,
- they spread anxiety and panic needlessly,
- they add to junk e-mail (commonly called "spam")
that already clogs the Internet,
- some hoaxes instruct people to delete a file used by their
computer's operating system,
- a few hoaxes contain a malicious program (e.g., Trojan Horse
or worm) as an attachment, and
- forwarding a hoax makes you look like an idiot.
Eventually, initiating a hoax
about a computer virus will probably become a misdemeanor,
analogous to false reporting of a fire or crime.
If you discover that an e-mail is a hoax,
reply to the person who sent the hoax.
this document is at http://www.rbs2.com/hoax.htm
last revision 15 June 2002, some dead links deleted on 13 Aug 2014