
Computer Viruses and Hoaxes
Please respond to the forum at ArtistEye. Specify "Virus" in the Subject field.
The real viruses mentioned below are just a fraction of the nasty bugs on
the Internet. Thousands of them are exhaustively covered on other sites.
This sample is intended to educate our members about some of the genuine
dangers and gratuitous silliness out there.
5/12/99 AOL Virus
This is of EXTREME importance. I just spoke with AOL about this, so what
I am saying is accurate.
While reading my email, a message box came on my screen--it
was unlike any I had ever seen--it was unlike IM's [Instant Messages]. Anyway,
it had the official AOL logo on it and mentioned the virus that is out right
now...it said this is AOL mail and asked if I wanted to save this information
as a text file...I had two choices--yes or no. There was absolutely no way
to "X" out of it...I was in the middle of writing email and thought that
I would just move this box to the side and call AOL or ask someone about
it. The box (window) could be moved, but nothing else could be done on the
computer...being leery of this, I clicked on NO. I was immediately booted
off. I promptly called AOL--they said I had made the correct choice, and
said it was a way to introduce the virus into my computer...
AOL said anytime they need to notify someone, it is done at sign-on. You won't be able to sign on...it will give the message to call AOL direct. It is never done with email or with a window such as I described. Also, it is never in IMs. Please be careful. This is very bad!! This window with AOL logo was very official looking--don't be fooled!! Click NO!!!!! ---Colleen
4/99 Virus Name: W97M.Mailissa
Aliases: W97M.Melissa
Infection Length: one VBA5 module named Melissa
Area of Infection: Microsoft Word 97 documents
Likelihood: Common
Region Reported: US
Characteristics: Macro, Wild
Description: This could spread very quickly. It's not
a dangerous virus (it won't erase everything on your hard drive) but it poses
a personal security issue. If you have an antivirus program that can be updated,
now would be a good time to do it. W97M.Mailissa is a common macro virus
with a unique payload. Similar to W97M.Pri, the virus turns off the security
protection upon opening an infected document in MS Word 2000. This disables
the MS Word 2000 macro prompt the next time the document is opened. It infects
MS Word 97 documents by adding a new VBA5 (macro) module named Melissa. Although
there is nothing unique in the infection routine of this macro virus, it
has a payload that utilizes MS Outlook to send an attachment of the infected
MS Word 97 document being opened.
Technical Notes
When opening or closing an infected document, the virus determines if there
has been a previous mass emailing by checking the following registry key:
"HKEY_CURRENT_USER\Software\Microsoft\Office\" for a "Melissa?" value. The value
data is set to "by Kwyjibo" if the mass emailing has been done on the
current machine.
If the virus does not find the registry entry, it will do the following:
1. Open MS Outlook.
2. Use MAPI calls to retrieve the user's profile to use MS Outlook.
3. Create a new email message that is sent to up to 50 addresses listed in the MS
Outlook address book.
4. The email will have the subject line "Important Message From USERNAME",
where USERNAME is taken from the MS Word profile.
5. The email message is "Here is that document you asked for ... don't show
anyone else ;-)"
6. Attaches the active document (the infected document being opened or closed)
to the email message.
7. Sends the email.
Please note that "HKEY_CURRENT_USER\Software\Microsoft\Office" is a registry
entry created by MS Office. The virus simply adds a new value into this registry
entry: "Melissa?". As stated above, the value is set to "by Kwyjibo"
if the virus has successfully mass emailed infected documents from the system.
Once the value is set, the virus does not attempt another mass emailing.
The second payload replaces the currently selected text of the document
with:
" Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game's over. I'm outta here."
Repair notes:
Norton AntiVirus users can protect themselves from this virus by downloading
the current virus definitions either through LiveUpdate or from the following
webpage:
http://www.symantec.com/avcenter/download.html
I've been following this one so if you have any questions I'd be glad to
answer them: Raul K. Elnitiarta
March 26, 1999
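A defender-side check for the registry marker described in the technical notes above, added here as an example; it is not part of the original post or of Symantec's write-up. It parses a Registry Editor (.reg) export rather than the live registry, so it runs anywhere. The two export texts are constructed samples, and the Word 2000 macro security key (`HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security`, value `Level`, 1 = low, 3 = high) is an assumption of this example that the notes above do not mention.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample exports (not real captures). The first shows the marker value
# the notes describe plus Word 2000's macro security dropped to "low"; the second
# is a clean machine with macro security at "high".
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
"""

MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"   # from the notes above
MARKER_VALUE = "Melissa?"                                      # from the notes above
# Assumed for this example: where Word 2000 keeps its macro security level
# (1 = low, 2 = medium, 3 = high). The notes above do not give this path.
WORD_SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here: [key] headers, "name"="string" and "name"=dword: values."""
    tree: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        s = _STR_RE.match(line)
        if s:
            tree[current][s.group(1)] = s.group(2)
            continue
        d = _DWORD_RE.match(line)
        if d:
            tree[current][d.group(1)] = int(d.group(2), 16)
    return tree


def melissa_marker(tree: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Data of the 'Melissa?' value under the Office key, or None if the marker is absent."""
    value = tree.get(MARKER_KEY, {}).get(MARKER_VALUE)
    return None if value is None else str(value)


def word_macro_security(tree: Dict[str, Dict[str, object]]) -> Optional[int]:
    """Word 2000 macro security level from the assumed key, or None if not present."""
    level = tree.get(WORD_SECURITY_KEY, {}).get("Level")
    return None if level is None else int(level)


def assess(export_text: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, findings) for one exported registry hive."""
    tree = parse_reg_export(export_text)
    findings: List[str] = []
    marker = melissa_marker(tree)
    if marker is not None:
        findings.append(
            f"{MARKER_VALUE!r} present under {MARKER_KEY} with data {marker!r}: "
            "the mass mailing has already run from this profile; check Outlook's Sent Items"
        )
    level = word_macro_security(tree)
    if level is not None and level < 2:
        findings.append(f"Word macro security level is {level} (low): macro prompts are disabled")
    return (bool(findings), findings)


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        suspicious, findings = assess(export)
        print(f"{label}: suspicious={suspicious}")
        for finding in findings:
            print("  -", finding)
```

The marker only tells you the mailing already happened; it is a cleanup-stage indicator, so the Sent Items folder and the recipients in the address book are the next things to look at.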
7/28/98 BIOS Virus
Turns PCs into Paperweights
Researchers urge users to obtain the latest versions of their antivirus software,
such as Network Associates Inc.'s VirusScan and Symantec Corp.'s Norton
AntiVirus, which will detect and eliminate the virus before it strikes.
The Win95/CIH virus, discovered in late June, will reprogram
the flash memory in some PC models. When the flash memory, used to store
a PC's BIOS, is reprogrammed by the virus, a PC can't be booted. To fix a
PC that's been zapped by Win95/CIH, users must replace the flash memory chips.
In many cases, the chips are welded to the motherboard, which means the whole
motherboard needs to be swapped out.
Win95/CIH damage is much more harmful than other viruses,
which erase data, corrupt boot sectors and in the worst case scenario, require
that users reformat the hard disk and reinstall the operating system,
applications and data. The Win95/CIH virus comes in several strains, one
of which is set to go off on the 26th of every month.
-- By Mitch Wagner
[ see http://pubs.cmpnet.com/internetwk/news/news0721-4.htm ]
7/14 Stuffit Virus
Alert
Recently, a program that claims to be an updater for StuffIt Deluxe for the
Macintosh (specifically an upgrade to StuffIt Deluxe v. 4.6) has been making
the rounds on the Internet. This is NOT an official updater from Aladdin
Software. Rather, it is a "Trojan Horse" program -- a program designed to
trick you into running it, so that it can plant viruses or do other damage
to your computer. In this particular case, the Trojan Horse apparently erases
data from your hard drive. So, to reiterate -- do NOT download or run anything
claiming to be a 4.6 upgrade for StuffIt Deluxe -- ever.
The official press release about this can be found here:
http://www.aladdinsys.com/company/news/071098-trojan.html
ping@greetst.com
7/11/98 This virus is still going around. . . 10/98 look for DELDB files!
Virus:
Autostart 9805
There is a Mac worm-type virus going around and it has migrated to the Bay
Area. If your Mac is restarting when you mount a Zip, crashing frequently
or producing a lot of error messages, you might want to check
http://www.macintouch.com/hkvirus.html
where you can find a complete description of the virus and links to downloadable
antidotes from macintouch:
Virus: Autostart 9805
Damage: Adds invisible files to every disk partition and periodically causes
extensive disk activity (and network activity if network disks are mounted).
Will overwrite some data files with random data.
Spread: PowerPC systems running the MacOS or later and with mounted HFS or
HFS+ volumes. Initial infection usually requires QuickTime 2.0 or above
installed.
From: slka@sirius.com (suzan kaplan)
Topic #7 5/4/98 This virus is still going around. . . 10/98 look for DELDB files!
New Macintosh Worm Virus Discovered (Autostart 9805)
Damage: Adds invisible files to every disk partition and periodically
causes extensive disk activity (and network activity if network disks are
mounted). Will overwrite some data files with random data.
Spread: PowerPC systems running the MacOS or later and with mounted
HFS or HFS+ volumes. Initial infection usually requires QuickTime 2.0 or
above installed. Instead, it copies itself to other disk partitions so that
it becomes active on other systems. It can be transmitted via floppy disks,
most removable cartridge drives, MO disks, CD-WORM disks, hard disks and
even disk images. The worm will also spread across networks to any mounted
network file partition. The code requires a PowerPC-based system running
MacOS -- a 68K-based system will fail to run the code.
Symptoms
1) The system unexpectedly restarts after mounting a diskette or other volume.
This will only happen when the initial infection occurs.
2) The "DB" application name flashes briefly in the menu bar when a disk
is mounted.
3) The presence of an invisible application file named "DB" on the root of
disk volumes, or the invisible "Desktop Print Spooler" file in the
extensions folder. Any file or disk utility program (such as ResEdit) that
shows invisible files in its file selection dialogs can be used to check
for the files. Do not confuse the legitimate "Desktop Printer Spooler"
file with the worm.
4) A process named "Desktop Print Spooler" is found (use Process Watcher
or Macsbug).
5) Extensive, unexplained disk activity every 30 minutes.
Prevention
Manually disable the AutoStart option in the QuickTime Settings Control Panel.
Virus Removal & Recovery
Most of the major anti-virus developers have prepared updates to their software.
Users are *strongly* encouraged to run current, up-to-date anti-virus software,
and to regularly incorporate vendor-supplied updates.
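A check for the file and process symptoms listed above, added here as an example and not part of the original post. It runs over a constructed listing (Mac path, invisible flag, file type) and a constructed process list rather than a live Mac, so the sample entries are assumptions; the rules follow the symptoms as stated, including the warning not to confuse Apple's "Desktop Printer Spooler" with the worm's "Desktop Print Spooler".

```python
from typing import Dict, List, Tuple

# Constructed sample listing (not a real capture). Classic Mac OS paths use ':' as the
# separator, so "Macintosh HD:DB" is a file sitting at the root of that volume.
SAMPLE_ENTRIES: List[Dict[str, object]] = [
    {"path": "Macintosh HD:DB", "invisible": True, "type": "APPL"},
    {"path": "Macintosh HD:System Folder:Extensions:Desktop Print Spooler", "invisible": True, "type": "APPL"},
    {"path": "Macintosh HD:System Folder:Extensions:Desktop Printer Spooler", "invisible": True, "type": "appe"},
    {"path": "Macintosh HD:Projects:DB", "invisible": False, "type": "TEXT"},
    {"path": "Zip 100:DB", "invisible": True, "type": "APPL"},
    {"path": "Zip 100:Read Me", "invisible": False, "type": "TEXT"},
]
SAMPLE_PROCESSES: List[str] = ["Finder", "Desktop Printer Spooler", "Desktop Print Spooler"]

WORM_FILE = "DB"                            # symptom 3: invisible application at a volume root
WORM_NAME = "Desktop Print Spooler"         # symptoms 3 and 4: the worm's file and process name
LEGIT_NAME = "Desktop Printer Spooler"      # Apple's own printing extension; never flagged


def is_volume_root(path: str) -> bool:
    """True for 'Volume:Name', i.e. a file directly under a volume."""
    parts = path.split(":")
    return len(parts) == 2 and all(parts)


def in_extensions_folder(path: str) -> bool:
    """True for 'Volume:System Folder:Extensions:Name'."""
    parts = path.split(":")
    return len(parts) == 4 and parts[1] == "System Folder" and parts[2] == "Extensions"


def scan_files(entries: List[Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for entry in entries:
        path = str(entry["path"])
        name = path.split(":")[-1]
        if name == LEGIT_NAME:
            continue  # Apple's file: two letters away from the worm's name, so compare exactly
        invisible = bool(entry.get("invisible", False))
        is_app = entry.get("type") == "APPL"
        if name == WORM_FILE and invisible and is_app and is_volume_root(path):
            findings.append(f"invisible '{WORM_FILE}' application at volume root: {path}")
        elif name == WORM_NAME and invisible and in_extensions_folder(path):
            findings.append(f"invisible '{WORM_NAME}' in the Extensions folder: {path}")
    return findings


def scan_processes(processes: List[str]) -> List[str]:
    """Symptom 4: the worm's process name, matched exactly so Apple's spooler is skipped."""
    return [f"process '{proc}' is running" for proc in processes if proc == WORM_NAME]


def autostart_report(entries: List[Dict[str, object]], processes: List[str]) -> Tuple[bool, List[str]]:
    """(infected, findings) from a file listing and a process list."""
    findings = scan_files(entries) + scan_processes(processes)
    return (bool(findings), findings)


if __name__ == "__main__":
    infected, findings = autostart_report(SAMPLE_ENTRIES, SAMPLE_PROCESSES)
    print("infected:", infected)
    for line in findings:
        print(" -", line)
```

On the sample the Zip cartridge is flagged as well as the boot volume, which matches the "copies itself to other disk partitions" behaviour described above; a removal pass has to cover every mounted volume, not just the startup disk.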
Real Viruses
Real --- A number of Trojan viruses have been spread by 'free' software that promises to INCREASE your Internet security. Don't believe it! Don't download strange software.
Real -- A new trojan horse program is being distributed via email to AOL members, under the guise of a beta version of a new Black Jack program for RabbitJack Casino. Be warned! This program, being distributed under the file name "BJSETUP.EXE", is *not* a setup program for any type of game and should under *no* circumstances be downloaded and run!
Real -- AOLGOLD.ZIP is a DOS-based trojan program distributed on America Online and other networks. When the INSTALL.EXE program is executed, most files on the users C drive are deleted. There is no such program as AOLGOLD.
Where do you go for help?
Virus Detection and Elimination
Tools
Disinfectant
<ftp://ftp.nwu.edu/pub/disinfectant/>
Dr. Solomon's Anti-virus Toolkit
<http://www.drsolomon.com/products/avtk/ps_mac.html>
SAM (Symantec Anti-virus for the Mac)
<http://www.symantec.com/sam/>
Virex
<http://www.drsolomon.com/products/virex/>
Comprehensive anti-virus information : <http://www.macvirus.com>.
More anti-virus resources may be found at
<http://www.cs.purdue.edu/homes/spaf/hotlists/csec-plain.html#comput00>.
What to do
If you discover what you believe to be a virus on your Macintosh system,
please report it to the vendor/author of your anti-virus software package
for analysis. Such reports make early, informed warnings possible for the
rest of the Mac community. If you are otherwise unsure of who to contact,
you may send e-mail to
<spaf@cs.purdue.edu> as an
initial point of contact.
ALSO: Some information about viruses can be found on the following pages:
Link Exchange article about viruses - history & prevention
Federal Trade Commission advice pages
http://www.junkemail.org/resources/
http://www.abraxis.com/fans/PAGE_7.htm
http://www.av.ibm.com/BreakingNews/HypeAlert/
Internet Fraud Watch http://www.fraud.org/internet/intinfo.htm
http://www.xanadu2.net/rrogers/scams.html
http://kumite.com/myths/home.htm
* scan your hard disk regularly with reputable, up-to-date and properly-installed anti-virus software, regularly (it's worth repeating), e.g. Norton, Symantec, McAfee, Dr. Solomon, etc.
* acquire all your software from reputable sources: 2nd-hand software is frequently unchecked and sometimes infected. Note that shrinkwrapped software isn't necessarily unused. Always scan new software disks for viruses.
* scan all new systems and all floppy disks when they're brought in (from *any* source) with a good virus-scanning program.
* scan pre-formatted diskettes before use.
* if a CMOS setting can stop your PC from booting from a disk in drive A, enable it (and re-enable floppy booting temporarily when you need to clean-boot).
Keep in mind that simply READING an email is unlikely to infect
your hard drive. Plain TEXT can't do anything bad. Usually a virus comes
in the form of a DOWNLOAD or attachment to an email. The attachment is actually
a small piece of software. You generally have to double-click on the downloaded
'file' to get it started. The download may seem very attractive, like a free
game or software upgrades!
Now, you may think someone has sent you a long message
or photo that needs to be downloaded - it may be falsely named something
like "ArtGrants" or "sexypic" and you decide to open it up, to read it or
see it. That's when it begins doing its bad work. If you don't KNOW the sender,
don't be tempted. So, the important thing is, never take candy from
strangers.
Just be reasonably cautious, and you'll be okay. [-Li]
. . . and, from our friends at AOL . . .
-- Boot Sector viruses are the most commonly found viruses, and cannot normally
spread across a network. A PC gets infected with a boot sector virus when
it is booted from an infected floppy disk in drive A.
-- A File virus infects other files when the program to which it is attached
is run, and so *can* spread across a network (often very quickly). They may
be spread from the same sources as boot sector viruses (disks), but also
from Internet FTP sites and bulletin boards.
EMAIL VIRUSES
-- Any file virus can be transmitted as an E-mail attachment. However, the
virus code has to be executed before it actually infects. Sensibly configured
mailers don't usually allow this by default and without prompting, but some
mailers can support this: for instance, cc:mail can, it seems, launch attachments
straight into AmiPro. [Again, don't download attachments unless you know
who sent them.]
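An attachment triage that applies the rule above (plain text is inert, a file virus has to be executed, a macro document needs an application that runs macros), added here as an example; it is not from AOL or from the original page. The sample message and the extension lists are assumptions for the example. The verdict is taken from the last extension because that is the one the system acts on, which is what catches names like "sexypic.jpg.exe".

```python
import email
from typing import List, Tuple

# Constructed sample message (not a real capture): a friendly note carrying a Word
# document, an executable hidden behind a picture-looking name, and a plain text file.
SAMPLE_MESSAGE = """\
From: friend@example.com
To: me@example.com
Subject: pictures from the show
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Hi! Here are the files I mentioned.
--sep
Content-Type: application/msword; name="ArtGrants.doc"
Content-Disposition: attachment; filename="ArtGrants.doc"

(document bytes omitted in this constructed sample)
--sep
Content-Type: image/jpeg; name="sexypic.jpg"
Content-Disposition: attachment; filename="sexypic.jpg.exe"

(program bytes omitted in this constructed sample)
--sep
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--sep--
"""

# Extension lists are assumptions for this example, not an exhaustive policy.
EXECUTABLE = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs"}
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
INERT_TEXT = {".txt"}


def classify_filename(name: str) -> str:
    """Verdict from the last extension only: that is the one the system will act on."""
    lowered = name.strip().lower().rstrip(".")
    dot = lowered.rfind(".")
    ext = lowered[dot:] if dot >= 0 else ""
    if ext in EXECUTABLE:
        return "executable"
    if ext in MACRO_CAPABLE:
        return "macro-capable"
    if ext in INERT_TEXT:
        return "inert-text"
    return "unknown"


def triage(raw_message: str) -> List[Tuple[str, str, str, bool]]:
    """One (filename, declared content type, verdict, disguised) row per attachment."""
    msg = email.message_from_string(raw_message)
    rows: List[Tuple[str, str, str, bool]] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # the message body itself: text, so nothing to execute
        verdict = classify_filename(filename)
        # 'sexypic.jpg.exe': a harmless-looking extension in front of a runnable one is
        # the classic disguise, so executables with stacked extensions are marked.
        disguised = verdict == "executable" and filename.count(".") > 1
        rows.append((filename, part.get_content_type(), verdict, disguised))
    return rows


def needs_warning(raw_message: str) -> List[str]:
    """Names of attachments a reader should not double-click from an unknown sender."""
    return [name for name, _ctype, verdict, _disguised in triage(raw_message)
            if verdict in ("executable", "macro-capable")]


if __name__ == "__main__":
    for name, ctype, verdict, disguised in triage(SAMPLE_MESSAGE):
        flag = " (disguised)" if disguised else ""
        print(f"{name:20} {ctype:20} {verdict}{flag}")
    print("warn on:", needs_warning(SAMPLE_MESSAGE))
```

Note that the declared content type (`image/jpeg` for the disguised file) is whatever the sender wrote; the filename the mail client will hand to the system is what decides whether a double-click runs a program, so the verdict never trusts the content type.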
Name: Win a Holiday.
Type: Hoax email virus.
Danger: None.
Description: Win a Holiday first appeared in February 1998, and is very similar
to the now-famous Good Times hoax.
Important: it is impossible for a virus to exist in the normal text portion
of an email. A virus could be carried within a file attached to an email,
but this could only be spread by detaching the file and executing it or (if
it contains macros) opening it with an application that could execute
the viral macros.
Part of the text of the hoax reads as follows:
Hoax-- ". . .VIRUS WARNING !!!!!!
If you receive an email titled "WIN A HOLIDAY" DO NOT open it. It will erase
everything on your hard drive. Forward this letter out to as many people
as you can. This is a new, very malicious virus and not many people know
about it. This information was announced yesterday morning from Microsoft;
please share it with everyone that might access the internet. Once
again, pass this along to EVERYONE in our address book so that this may be
stopped. . ."
More on Virus Hoaxes at:
http://www.sophos.com/virusinfo/scares/
Hoax-- Do not, whatever you do,
open any mail from DRUMMR1001 or HIGHIMAGE00.
This is a self-downloading virus and will destroy your hard drive, and use
your aol password. You cannot change it. . . please be very careful. . .
Delete all mail from either of these sources UNREAD!
Hoax-- WARNING! If you receive an e-mail titled "JOIN THE CREW" DO NOT open it! It will erase EVERYTHING on your hard drive!
Hoax-- If you receive mail entitled "PENPAL GREETINGS!" please delete it WITHOUT reading it!! This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The trojan horse virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone who's e-mail address is present in YOUR mailbox!
Re: Penpal Greetings and Join the Crew viruses
Actually, it's a combination of hoaxes. Ignore it. The important thing to
remember is: if there's no executable code, there's no virus. Getting an
html or text email cannot cause a problem. Ever.
The exception (and it's a big one) is the macro virus.
These things affect DOCUMENTS in MS-Office applications, and can be destructive.
Check out these things to do to control macro viruses: http://www.mcafee.com/support/vr/free.asp
I keep my antivirus programs updated and check all files
as I download them. This is mainly to keep out Word macro viruses. Usually,
if I'm writing a quickie, I use WordPad - Word files with no macros! (It's
a pretty limited subset of Word functionality, but I rarely care.)
If you folks moved to PCs at work, put Windows NT on
your PC. It takes forever to boot, and has its own peculiarities, but it's
immune to the most destructive viruses by its very design. (Viruses do exist
in NT-land, and some are annoying, but it's FAR safer. It's also much, much
more stable than Windows 95... assuming your hardware is compatible.)
From: Barry Warren Polley
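A scoring heuristic for the chain-letter tells the hoaxes quoted above share (a demand to forward it, a catastrophic claim from merely reading mail, an instruction to delete unread, borrowed corporate authority, shouting), added here as an example and not part of the original posts. The marker list, weights and threshold are assumptions for illustration; the inputs are trimmed excerpts of the hoax texts above plus a constructed vendor-style advisory that should not trip the filter.

```python
import re
from typing import Dict, List, Tuple

# Trimmed excerpts of the hoaxes quoted above, plus a constructed advisory in the
# style of a real vendor notice that must NOT be flagged.
SAMPLES: Dict[str, str] = {
    "win a holiday": (
        'VIRUS WARNING !!!!!! If you receive an email titled "WIN A HOLIDAY" DO NOT open it. '
        "It will erase everything on your hard drive. Forward this letter out to as many people "
        "as you can. This information was announced yesterday morning from Microsoft; "
        "please share it with everyone that might access the internet. Once again, pass this "
        "along to EVERYONE in our address book so that this may be stopped."
    ),
    "join the crew": (
        'WARNING! If you receive an e-mail titled "JOIN THE CREW" DO NOT open it! '
        "It will erase EVERYTHING on your hard drive!"
    ),
    "penpal greetings": (
        'If you receive mail entitled "PENPAL GREETINGS!" please delete it WITHOUT reading it!! '
        "The trojan horse virus will have already infected the boot sector of your hard drive, "
        "destroying all of the data present. Once the message is read, it will AUTOMATICALLY "
        "forward itself to anyone who's e-mail address is present in YOUR mailbox!"
    ),
    "vendor advisory": (
        "W97M.Melissa is a Word 97 macro virus that mails itself as an attachment through Outlook. "
        "Update your virus definitions through LiveUpdate and scan documents before opening them."
    ),
}

# (weight, regex, what it indicates); each marker counts at most once per message.
# Weights and patterns are assumptions of this example.
MARKERS: List[Tuple[int, str, str]] = [
    (2, r"\b(forward (this|it)|pass (this|it) (along|on))\b", "asks the reader to forward it"),
    (1, r"\b(everyone|as many people)\b", "addressed to everyone you know"),
    (2, r"\b(erase|destroy(ing)?|wipe out) (everything|all|your hard drive)\b",
        "claims catastrophic damage from merely reading mail"),
    (1, r"\b(do not open|delete it (without reading|unread))\b", "urges deletion without inspection"),
    (1, r"\b(announced|confirmed|reported)\b.*\b(microsoft|ibm|aol)\b", "borrows a big company's authority"),
]
SHOUT_THRESHOLD = 3   # three or more exclamation marks
HOAX_THRESHOLD = 3    # score at or above this is treated as a hoax


def score_warning(text: str) -> Tuple[int, List[str]]:
    """Total weight of the markers present in a virus 'warning', with the reasons."""
    score, reasons = 0, []
    for weight, pattern, why in MARKERS:
        if re.search(pattern, text, re.IGNORECASE | re.DOTALL):
            score += weight
            reasons.append(why)
    if text.count("!") >= SHOUT_THRESHOLD:
        score += 1
        reasons.append("shouting: three or more exclamation marks")
    return score, reasons


def looks_like_hoax(text: str) -> bool:
    return score_warning(text)[0] >= HOAX_THRESHOLD


def classify_all(samples: Dict[str, str]) -> Dict[str, bool]:
    return {name: looks_like_hoax(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        score, reasons = score_warning(text)
        print(f"{name:18} score={score} hoax={score >= HOAX_THRESHOLD} {reasons}")
```

The advisory scores zero because a genuine notice names the thing (W97M.Melissa), says how it spreads and points at a fix; it does not ask you to forward anything. That difference, not the word "virus", is what the markers key on.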
9/97 win96up.exe
If you find somewhere on the Internet file win96up.exe don't install
it....It is a virus!!!!!!!
(From: Waipio27 and Sun23moon)
4/27/99 The E-mail Facts of Life
The following is an artifact of the Net. Someone wrote it, but his or her
name is lost in the mists of cybertime. The original document was called
``The E-mail Facts of Life.'' Feel free to distribute. If everyone understood
these truths, what a much better world it would be:
1. Big companies don't do business via chain letter. Bill Gates is not giving
you $1,000, and Disney is not giving you a free vacation. There is no baby
food company issuing class-action checks. You can relax; there is no need
to pass it on ``just in case it's true.'' Furthermore, just because someone
said in the message, four generations back, that ``we checked it out and
it's legit,'' that does not actually make it true.
2. There is no kidney theft ring in New Orleans. No one is waking up in a
bathtub full of ice, even if a friend of a friend swears it happened to their
cousin. If you are hell-bent on believing the kidney-theft ring stories.
And I quote: ``The National Kidney Foundation has repeatedly issued requests
for actual victims of organ thieves to come forward and tell their stories.
None have.'' That's ``none'' as in ``zero.'' Not even your friend's cousin.
3. Neiman Marcus doesn't really sell a $200 cookie recipe. And even if they
do, we all have it. And even if you don't, you can get a copy at
http://www.Bl.Net/forwards/cookie.html.
Then, if you make the recipe and decide that the cookies are that awesome,
feel free to pass the recipe on.
4. We all know 500 ways to drive roommates crazy, irritate co-workers and
creep out people on an elevator. We also know exactly how many engineers,
college students, Usenet posters and people from each and every world ethnicity
it takes to change a lightbulb.
5. Even if the latest NASA rocket disaster(s) DID contain plutonium that
went particulate over the Eastern seaboard, do you REALLY think this information
would reach the public via an AOL chain letter?
6. There is no ``Good Times'' virus. In fact, you should never, ever, ever
forward any e-mail containing any virus warning unless you first confirm
it at an actual site of an actual company that actually deals with virii.
Try http://www.norton.com. And even then,
don't forward it. We don't care.
7. If your CC: list is regularly longer than the actual content of your message,
you're probably going to hell.
8. If you're using Outlook, IE or Netscape to write e-mail, turn off the
``HTML encoding.'' Those of us on UNIX shells can't read it and don't care
enough to save the attachment and then view it with a Web browser, since
you're probably forwarding us a copy of the goddamned Neiman Marcus Cookie
Recipe anyway.
9. If you still absolutely must forward that 10th-generation message from
a friend, at least have the decency to trim the eight miles of headers showing
everyone else who's received it over the last six months. It sure wouldn't
hurt to get rid of all the ``)'' that begin each line. Besides, if it has
gone around that many times -- I've probably already seen it.
10. Craig Shergold in England is not dying of cancer or anything else at
this time and would like everyone to stop sending him their business cards.
He apparently is also no longer a ``little boy'' either.
12/16/97 WARNING -VIRUS MEME ALERT
What follows IS a hoax. There is a dangerous email floating around on the internet. In the guise of a friendly and official-sounding warning against an email virus that could potentially wipe out your hard drive, this evil message slyly wastes the attention and time of hundreds of thousands of online users, and convinces them to forward the message to others in order to continue propagating itself. In a final, cunning, cyclical coup, the email returns to users months and years later...and even though by now they realize the email is a scam, it STILL beats them by slyly manipulating them into penning an email that explains to the unwitting how the warning email is actually a big hoax, that a text message could never erase your drive; and into suggesting all sorts of virus websites to double-check against, bla bla bla. . .
. . . if you do anything other than immediately delete and forget about this virus warning, you have already become infected. [val@ricochet.net]
9/9/97 End-All Virus
If you receive an e-mail message with "End-All Virus" in the Subject line,
don't open it!
If you do: End-All will re-write your hard drive.
Not only that, it will scramble any disks that are even close to your computer.
It will recalibrate your refrigerator's coolness setting so all your ice
cream goes melty.
It will demagnetize the strips on all your credit cards, screw up the tracking
on your VCR and use subspace field harmonics to scratch any CDs you try to
play.
It will give your ex-girlfriend your new phone number. It will mix Kool-aid
into your fish tank.
It will leave dirty socks on the coffee table when company comes over.
End-All will give you Dutch Elm disease. It will leave the toilet seat up.
It will hide your car keys when you are late for work.
It invites your mother-in-law over for a month. It replaces the sugar in
your coffee with sweetener, gives you a headache with Excedrin written all
over it, causes your cable to only tune in home repair programs, makes you
walk with a limp, cancels all your magazine subscriptions, and makes you
personally responsible for the El Nino flooding.
It moves your car randomly around parking lots so you can't find it. It will kick your dog. It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve. (lls)