
Internet and Computer Virus Information



Radsafers, 

Several days ago we all received a note about the "Good Times" virus.  As we know it is a
hoax.  Here is the latest update on it and a number of other Hoax Viruses.  NRC's Computer
Security Ace, Mr. Lou Grosman, provided this information.           

Regards,

Jim Myers  
OSP/NRC
jhm@nrc.gov
             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability

                             INFORMATION BULLETIN
             __________________________________________________________


            Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost

November 20, 1996 15:00 GMT                                        Number H-05
______________________________________________________________________________
PROBLEM:       This bulletin addresses the following hoaxes and erroneous 
               warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and 
               Ghost.exe
PLATFORM:      All, via e-mail
DAMAGE:        Time lost reading and responding to the messages
SOLUTION:      Pass unvalidated warnings only to your computer security 
               department or incident response team. See below on how to 
               recognize validated and unvalidated warnings and hoaxes.
______________________________________________________________________________
VULNERABILITY  New hoaxes and warnings have appeared on the Internet and old 
ASSESSMENT:    hoaxes are still being circulated.
______________________________________________________________________________


Introduction
============

The Internet is constantly being flooded with information about computer viruses and Trojans.
However, interspersed among real virus notices are computer virus hoaxes. While these
hoaxes do not infect systems, they are still time consuming and costly to handle. At CIAC,
we find that we are spending much more time de-bunking hoaxes than handling real virus
incidents. This advisory addresses the most recent warnings that have appeared on the
Internet and are being circulated throughout the world today. We will also address the history
behind virus hoaxes, how to identify a hoax, and what to do if you think a message is or is not
a hoax. Users are requested to please not spread unconfirmed warnings about viruses and
Trojans. If you receive an unvalidated warning, don't pass it to all your friends; pass it to your
computer security manager to validate first. Validated warnings from the incident response
teams and antivirus vendors have valid return addresses and are usually PGP signed with the
organization's key.

PKZ300 Warning
==============

The PKZ300 Trojan is a real Trojan program, but the initial warning about it was released over
a year ago. For information pertaining to the PKZ300 Trojan, reference CIAC Notes issue 95-10,
which was released in June of 1995.

http://ciac.llnl.gov/ciac/notes/Notes10.shtml

The warning itself, on the other hand, is gaining urban legend status. There has been an
extremely limited number of sightings of this Trojan, and those appeared over a year ago. Even
though the Trojan warning is real, the repeated circulation of the warning is a nuisance.
Individuals who need the current release of PKZIP should visit the PKWARE web page at
http://www.pkware.com. CIAC recommends that you DO NOT recirculate the warning about
this particular Trojan.

Irina Virus Hoax
================

The "Irina" virus warnings are a hoax. The former head of an electronic publishing company
circulated the warning to create publicity for a new interactive book by the same name. The
publishing company has apologized for the publicity stunt that backfired and panicked Internet
users worldwide. The original warning claimed to be from a Professor Edward Pridedaux of the
College of Slavic Studies in London; there is no such person or college. However, London's
School of Slavonic and East European Studies has been inundated with calls. This poorly
thought-out publicity stunt was highly irresponsible. For more information pertaining to this
hoax, reference the UK Daily Telegraph at http://www.telegraph.co.uk.

Good Times Virus Hoax
=====================

The "Good Times" virus warnings are a hoax. There is no virus by that name in existence
today. These warnings have been circulating the Internet for years. The user community must
become aware that it is unlikely that a virus can be constructed to behave in the manner
ascribed in the "Good Times" virus warning. For more information related to this urban legend,
reference CIAC Notes 95-09.

http://ciac.llnl.gov/ciac/notes/Notes09.shtml

Deeyenda Virus Hoax
===================

The "Deeyenda" virus warnings are a hoax. CIAC has received inquiries regarding the validity
of the Deeyenda virus. The warnings are very similar to those for Good Times, stating that the
FCC issued a warning about it, and that it is self activating and can destroy the contents of a
machine just by being downloaded. Users should note that the FCC does not and will not
issue virus or Trojan warnings. It is not their job to do so. As of this date, there are no known
viruses with the name Deeyenda in existence. For a virus to spread, it must be executed.
Reading a mail message does not execute the mail message. Trojans and viruses have been
found as executable attachments to mail messages, but they must be extracted and executed
to do any harm. CIAC still affirms that reading E-mail, using typical mail agents, cannot
activate malicious code delivered in or with the message.

Ghost.exe Warning
=================

The Ghost.exe program was originally distributed as a free screen saver containing some
advertising information for the author's company (Access Softek). The program opens a
window that shows a Halloween background with ghosts flying around the screen. On any
Friday the 13th, the program window title changes and the ghosts fly off the window and
around the screen. Someone apparently got worried and sent a message indicating that this
might be a Trojan. The warning grew until it said that Ghost.exe was a Trojan that would
destroy your hard drive, and the developers got a lot of nasty phone calls (their names and
phone numbers were in the About box of the program). A simple phone call to the number
listed in the program would have stopped this warning from being sent out. The original
ghost.exe program is just cute; it does not do anything damaging. Note that this does not
mean that Ghost.exe could not be infected with a virus that does do damage, so the normal
antivirus procedure of scanning it before running it should be followed.

History of Virus Hoaxes
=======================

Since 1988, computer virus hoaxes have been circulating the Internet. In October of that year,
according to Ferbrache ("A Pathology of Computer Viruses", Springer, London, 1992), one of
the first virus hoaxes was the 2400 baud modem virus:

    SUBJ: Really Nasty Virus
    AREA: GENERAL (1)

    I've just discovered probably the world's worst computer virus
    yet. I had just finished a late night session of BBS'ing and file
    treading when I exited Telix 3 and attempted to run pkxarc to
    unarc the software I had downloaded. Next thing I knew my hard
    disk was seeking all over and it was apparently writing random
    sectors. Thank god for strong coffee and a recent backup.
    Everything was back to normal, so I called the BBS again and
    downloaded a file. When I went to use ddir to list the directory,
    my hard disk was getting trashed again. I tried Procomm Plus TD
    and also PC Talk 3. Same results every time. Something was up so I
    hooked up to my test equipment and different modems (I do research
    and development for a local computer telecommunications company
    and have an in-house lab at my disposal). After another hour of
    corrupted hard drives I found what I think is the world's worst
    computer virus yet. The virus distributes itself on the modem sub-
    carrier present in all 2400 baud and up modems. The sub-carrier is
    used for ROM and register debugging purposes only, and otherwise
    serves no othr (sp) purpose. The virus sets a bit pattern in one
    of the internal modem registers, but it seemed to screw up the
    other registers on my USR. A modem that has been "infected" with
    this virus will then transmit the virus to other modems that use a
    subcarrier (I suppose those who use 300 and 1200 baud modems
    should be immune). The virus then attaches itself to all binary
    incoming data and infects the host computer's hard disk. The only
    way to get rid of this virus is to completely reset all the modem
    registers by hand, but I haven't found a way to vaccinate a modem
    against the virus, but there is the possibility of building a
    subcarrier filter. I am calling on a 1200 baud modem to enter this
    message, and have advised the sysops of the two other boards
    (names withheld). I don't know how this virus originated, but I'm
    sure it is the work of someone in the computer telecommunications
    field such as myself. Probably the best thing to do now is to
    stick to 1200 baud until we figure this thing out.

    Mike RoChenle

This bogus virus description spawned a humorous alert by Robert Morris III:

    Date: 11-31-88 (24:60)          Number: 32769
    To: ALL                         Refer#: NONE
    From: ROBERT MORRIS III         Read: (N/A)
    Subj: VIRUS ALERT               Status: PUBLIC MESSAGE

    Warning: There's a new virus on the loose that's worse than
    anything I've seen before! It gets in through the power line,
    riding on the powerline 60 Hz subcarrier. It works by changing the
    serial port pinouts, and by reversing the direction one's disks
    spin. Over 300,000 systems have been hit by it here in Murphy,
    West Dakota alone! And that's just in the last 12 minutes.

    It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
    RSX-11, ITS, TRS-80, and VHS systems.

    To prevent the spread of the worm:

    1) Don't use the powerline.
    2) Don't use batteries either, since there are rumors that this
       virus has invaded most major battery plants and is infecting the
       positive poles of the batteries. (You might try hooking up just
       the negative pole.)
    3) Don't upload or download files.
    4) Don't store files on floppy disks or hard disks.
    5) Don't read messages. Not even this one!
    6) Don't use serial ports, modems, or phone lines.
    7) Don't use keyboards, screens, or printers.
    8) Don't use switches, CPUs, memories, microprocessors, or
       mainframes.
    9) Don't use electric lights, electric or gas heat or
       airconditioning, running water, writing, fire, clothing or the
       wheel.

    I'm sure if we are all careful to follow these 9 easy steps, this
    virus can be eradicated, and the precious electronic fluids of
    our computers can be kept pure.

    ---RTM III

Since that time virus hoaxes have flooded the Internet. With thousands of viruses worldwide,
virus paranoia in the community has risen to an extremely high level. It is this paranoia that
fuels virus hoaxes. A good example of this behavior is the "Good Times" virus hoax, which
started in 1994 and is still circulating the Internet today. Instead of spreading from one
computer to another by itself, Good Times relies on people to pass it along.

How to Identify a Hoax
======================

There are several methods to identify virus hoaxes, but first consider what makes a successful
hoax on the Internet. There are two known factors that make a successful virus hoax:
(1) technical sounding language, and (2) credibility by association. If the warning uses the
proper technical jargon, most individuals, including technologically savvy individuals, tend to
believe the warning is real. For example, the Good Times hoax says that "...if the program is
not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop
which can severely damage the processor...". The first time you read this, it sounds like it
might be something real. With a little research, you find that there is no such thing as an
nth-complexity infinite binary loop and that processors are designed to run loops for weeks at
a time without damage.

When we say credibility by association we are referring to who sent the warning. If the
janitor at a large technological organization sends a warning to someone outside of that
organization, people on the outside tend to believe the warning because the company should
know about those things. Even though the person sending the warning may not have a clue
what he is talking about, the prestige of the company backs the warning, making it appear
real. If a manager at the company sends the warning, the message is doubly backed by the
company's and the manager's reputations.

Individuals should also be especially alert if the warning urges you to pass it on to your
friends. This should raise a red flag that the warning may be a hoax. Another flag to watch for
is when the warning indicates that it is a Federal Communications Commission (FCC) warning.
According to the FCC, they have not and never will disseminate warnings on viruses. It is not
part of their job.

CIAC recommends that you DO NOT circulate virus warnings without first checking with an
authoritative source. Authoritative sources are your computer system security administrator or
a computer incident advisory team. Real warnings about viruses and other network problems
are issued by different response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally
signed by the sending team using PGP. If you download a warning from a team's web site or
validate the PGP signature, you can usually be assured that the warning is real. Warnings
without the name of the person sending the original notice, or warnings with names,
addresses and phone numbers that do not actually exist, are probably hoaxes.

What to Do When You Receive a Warning
=====================================

Upon receiving a warning, you should examine its PGP signature to see that it is from a real
response team or antivirus organization. To do so, you will need a copy of the PGP software
and the public signature of the team that sent the message. The CIAC signature is available
from the CIAC web server at:

http://ciac.llnl.gov 

If there is no PGP signature, see if the warning includes the name of the person submitting the
original warning. Contact that person to see if he/she really wrote the warning and if he/she
really touched the virus. If he/she is passing on a rumor, or if the address of the person does
not exist, or if there is any question about the authenticity of the warning, do not circulate it to
others. Instead, send the warning to your computer security manager or incident response
team and let them validate it. When in doubt, do not send it out to the world. Your computer
security managers and the incident response teams have experts who try to stay
current on viruses and their warnings.
In addition, most anti-virus companies have a web page containing information about most
known viruses and hoaxes. You can also call or check the web site of the company that
produces the product that is supposed to contain the virus.
Checking the PKWARE site for the current releases of PKZip would stop the circulation of the
warning about PKZ300, since there is no released version 3 of PKZip. Another useful web site
is the "Computer Virus Myths home page" (http://www.kumite.com/myths/), which contains
descriptions of several known hoaxes. In most cases, common sense would eliminate Internet
hoaxes.
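The hoax indicators from "How to Identify a Hoax" and the handling steps above, as an added Python illustration (this is not CIAC's code and not part of the bulletin). It triages an incoming warning the way the text describes: a PGP clearsign block means "verify the signature against the team's public key before acting"; with no signature, a warning with a named sender and no red flags is referred back to its author, and anything carrying the bulletin's red flags (no named sender, "pass this on to everyone", a claimed FCC origin, pseudo-technical jargon such as "nth-complexity infinite binary loop", damage "just by reading") goes to the security manager or incident response team. The three sample messages and the From: addresses in them are constructed for this example; the script does not itself validate a signature, that step still belongs to PGP with the team's key.

```python
"""Triage an e-mailed virus warning against the red flags CIAC lists.

Added illustration (not CIAC's code). Sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Hallmarks of a hoax named in the bulletin, as case-insensitive regexes.
RED_FLAG_PATTERNS = {
    "urges_forwarding": r"\b(pass|forward|send) (this|it)( on| along)? to (all|every|your)",
    "claims_fcc_origin": r"\bFCC\b|federal communications? commission",
    "pseudo_technical": r"nth[- ]complexity|infinite binary loop|subcarrier",
    "damage_on_read": r"\b(just|simply|merely) by (reading|opening|downloading)",
}

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"


@dataclass
class Triage:
    pgp_signed: bool
    named_sender: bool
    flags: list = field(default_factory=list)

    @property
    def disposition(self) -> str:
        # A clearsigned message is checked with PGP and the team's public key
        # before anything else is done with it.
        if self.pgp_signed:
            return "verify-signature"
        # Red flags, or no identifiable author, go to the security team.
        if self.flags or not self.named_sender:
            return "send-to-security-team"
        # Unsigned but attributable: ask the author whether they wrote it.
        return "contact-original-author"


def parse_message(raw: str):
    """Split an RFC 822 style message into a header dict and a body string."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers, body


def has_pgp_clearsign(raw: str) -> bool:
    """True when both halves of a PGP clearsign block are present."""
    return CLEARSIGN_BEGIN in raw and SIGNATURE_BEGIN in raw


def has_named_sender(headers: dict) -> bool:
    """Heuristic: From: carries a display name and an address in angle brackets.
    Whether that address really exists still has to be checked by contacting it."""
    match = re.match(r"\s*(.+?)\s*<([^@>]+@[^@>]+)>", headers.get("From", ""))
    return bool(match and match.group(1).strip('" '))


def red_flags(body: str) -> list:
    """Names of the hoax indicators found in the body."""
    return [name for name, pat in RED_FLAG_PATTERNS.items()
            if re.search(pat, body, re.IGNORECASE)]


def triage(raw: str) -> Triage:
    headers, body = parse_message(raw)
    return Triage(has_pgp_clearsign(raw), has_named_sender(headers), red_flags(body))


# Constructed samples (not real messages).
HOAX = """From: a friend
Subject: FW: VIRUS WARNING!!!

The FCC has issued a warning about a new virus. If you receive an email titled
"Good Times", do not read it! Simply by reading the message your processor will
be placed in an nth-complexity infinite binary loop. Please forward this to all
your friends and colleagues.
"""

SIGNED_BULLETIN = """From: CIAC <ciac@llnl.gov>
Subject: H-05: Internet Hoaxes

-----BEGIN PGP SIGNED MESSAGE-----

The "Good Times" virus warnings are a hoax. There is no virus by that name.
Reading a mail message does not execute the mail message.

-----BEGIN PGP SIGNATURE-----
(signature block constructed for this example; not a real signature)
-----END PGP SIGNATURE-----
"""

FORWARDED_NOTE = """From: Pat Example <pat.example@example.org>
Subject: Possible trojan in a downloaded archive

A colleague saw odd disk activity after running an archive she downloaded
from a BBS yesterday. Has anyone else seen this? I have not run it myself.
"""

if __name__ == "__main__":
    for name, msg in (("hoax", HOAX), ("signed bulletin", SIGNED_BULLETIN),
                      ("forwarded note", FORWARDED_NOTE)):
        t = triage(msg)
        print(f"{name}: {t.disposition} (signed={t.pgp_signed}, "
              f"named sender={t.named_sender}, flags={t.flags})")
```

Note that no disposition ever amounts to "circulate it": even a message that passes every heuristic is routed to its author or to the security team, which matches the bulletin's "when in doubt, do not send it out".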

------------------------------------------------------------------------------

CIAC, the Computer Incident Advisory Capability, is the computer security incident response
team for the U.S. Department of Energy (DOE) and the emergency backup response team for
the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of
Incident Response and Security Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number
510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page.
CIAC has two Sky Page PIN numbers: the primary PIN number, 8550070, is for the CIAC duty
person, and the secondary PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are available from the CIAC
Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package called ListProcessor,
which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing
lists, send the following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid
information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to
change either of them, cancel your subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities
receive CIAC bulletins.  If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the United
States Government. Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes any legal liability
or responsibility for the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-43: Vulnerabilities in Sendmail
G-44: SCO Unix Vulnerability
G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
H-03: HP-UX_suid_Vulnerabilities
H-04: HP-UX Ping Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update