**************************************************************************
Security Bulletin 9626                 DISA Defense Communications System
December 12, 1996        Published by: DISN Security Coordination Center
             (SCC@NIC.DDN.MIL) 1-(800) 365-3642

                  DEFENSE INFORMATION SYSTEM NETWORK
                          SECURITY  BULLETIN

  The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
  Coordination Center) under DISA contract as a means of communicating
  information on network and host security exposures, fixes, and concerns
  to security and management personnel at DISN facilities.  Back issues may
  be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
  using login="anonymous" and password="guest".  The bulletin pathname is
  scc/sec-yynn (where "yy" is the year the bulletin is issued
  and "nn" is a bulletin number, e.g. scc/sec-9544.txt). These are also
  available at our WWW site, http://nic.ddn.mil .
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Automated    !
!     Systems Security Incident Support Team (ASSIST) and is being      !
!     relayed unedited via the Defense Information Systems Agency's     !
!     Security Coordination Center  distribution  system  as a  means   !
!     of providing DISN subscribers with useful security information.   !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

                       Bulletin  96-24

       Release date:  December 12, 1996, 11:30 AM EST (GMT -5)

SUBJECT:  Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost,
and PENPAL Greeting.

SUMMARY:  This bulletin identifies several Internet hoaxes, explains how to
identify a hoax, and describes what to do when a warning is received.

BACKGROUND:  This bulletin contains information from ASSIST on the
PENPAL hoax in addition to several Internet hoaxes described by the U.S.
Department of Energy Computer Incident Advisory Capability (CIAC) team.

IMPACT:  Significant loss of productivity.

RECOMMENDED SOLUTIONS:  See section of CIAC bulletin that addresses
"What to do when you receive a warning."

********************************************************************

PENPAL GREETINGS! Warning Hoax

The PENPAL GREETINGS! hoax urges readers to delete an e-mail chain
letter.  PENPAL claims that the chain letter contains a self-starting
Trojan that destroys your hard drive and then sends copies of itself
to everyone whose address is in your mailbox.

In fact, reading an e-mail message cannot run such a Trojan, nor can it
run any attachment. If anyone receives e-mail entitled PENPAL GREETINGS!,
please do not forward it; rather, delete it ASAP!  If you have any
questions or concerns, please contact ASSIST.

*************************************************************************
Introduction
==========

The Internet is constantly being flooded with information about computer
viruses and Trojans. However, interspersed among real virus notices are
computer virus hoaxes. While these hoaxes do not infect systems, they are
still time consuming and costly to handle. At CIAC, we find that we are
spending much more time debunking hoaxes than handling real virus
incidents. This advisory addresses the most recent warnings that have
appeared on the Internet and are being circulated throughout the world
today.

We will also address the history behind virus hoaxes, how to identify a
hoax, and what to do if you think a message is or is not a hoax.
Users are asked not to spread unconfirmed warnings about
viruses and Trojans. If you receive an unvalidated warning, do not pass
it to all your friends; pass it to your computer security manager to
validate first. Validated warnings from the incident response
teams and antivirus vendors have valid return addresses and are
usually PGP signed with the organization's key.

PKZ300 Warning
==============

The PKZ300 Trojan is a real Trojan program, but the initial warning about it
was released over a year ago. For information on the PKZ300 Trojan,
see CIAC Notes issue 95-10, released in June 1995.

http://ciac.llnl.gov/ciac/notes/Notes10.shtml

The warning itself, on the other hand, is gaining urban legend status.
There have been an extremely limited number of sightings of this Trojan,
and those appeared over a year ago. Even though the Trojan warning is real,
the repeated circulation of the warning is a nuisance. Individuals who need
the current release of PKZIP should visit the PKWARE web page at
http://www.pkware.com. CIAC recommends that you DO NOT recirculate
the warning about this particular Trojan.

Irina Virus Hoax
================

The "Irina" virus warnings are a hoax. The former head of an electronic
publishing company circulated the warning to create publicity for a new
interactive book by the same name. The publishing company has apologized for
the publicity stunt that backfired and panicked Internet users worldwide. 
The original warning claimed to be from a Professor Edward Pridedaux of the
College of Slavic Studies in London; there is no such person or college.
However, London's School of Slavonic and East European Studies has been
inundated with calls. This poorly thought-out publicity stunt was highly
irresponsible. For more information on this hoax, see the
UK Daily Telegraph at http://www.telegraph.co.uk.

Good Times Virus Hoax
=====================

The "Good Times" virus warnings are a hoax. There is no virus by that name
in existence today. These warnings have been circulating the Internet
for years.

The user community must become aware that it is unlikely that a virus can be
constructed to behave in the manner described in the "Good Times" virus
warning. For more information on this urban legend, see CIAC
Notes 95-09.

http://ciac.llnl.gov/ciac/notes/Notes09.shtml

Deeyenda Virus Hoax
===================

The "Deeyenda" virus warnings are a hoax. CIAC has received inquiries
regarding the validity of the Deeyenda virus. The warnings are very similar
to those for Good Times, stating that the FCC issued a warning about it,
and that it is self activating and can destroy the contents of a machine
just by being downloaded. Users should note that the FCC does not and will
not issue virus or Trojan warnings; it is not their job to do so. As of this
date, there are no known viruses with the name Deeyenda in existence. For a
virus to spread, it must be executed. Reading a mail message
does not execute the mail message. Trojans and viruses have been found as
executable attachments to mail messages, but they must be extracted
and executed to do any harm. CIAC still affirms that reading e-mail
using typical mail agents cannot activate malicious code delivered
in or with the message.
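The distinction drawn above, that an attached file can do nothing until someone extracts and executes it, is also the basis of a safe triage step: enumerate and hash the attached parts of a suspicious message without writing them out or running them. The following Python script is an added example and is not part of the ASSIST or CIAC text. It builds a constructed sample message (placeholder addresses, a fake 64-byte GREETINGS.EXE whose only content is an MZ header, and a harmless text note), then reports each attachment's name, type, size, SHA-256 digest and a rough class derived from the file extension. The extension lists are illustrative assumptions, not a complete inventory of dangerous types.

```python
"""Inventory the attachments of an e-mail message without executing anything."""
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# Extension classes (assumption: a representative set, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".scr", ".pif"}
ARCHIVE_EXTS = {".zip", ".arc", ".arj", ".lzh"}


def classify(filename):
    """Return 'executable', 'archive' or 'data' based on the file extension."""
    name = (filename or "").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return "data"


def inventory_attachments(raw_message):
    """Parse raw RFC 822 text and describe every attached part.

    The payload bytes are only hashed; they are never written to disk or run.
    That is the distinction the Deeyenda discussion turns on: an attachment
    cannot do anything until someone extracts and executes it.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # the readable body of the message, not an attachment
        data = part.get_payload(decode=True) or b""
        report.append({
            "filename": filename or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "class": classify(filename),
        })
    return report


def build_sample_message():
    """Constructed sample: a chain-letter body with a fake .EXE and a .txt attached."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # placeholder address (constructed)
    msg["To"] = "you@example.invalid"         # placeholder address (constructed)
    msg["Subject"] = "PENPAL GREETINGS!"
    msg.set_content("Please forward this to everyone you know!")
    # 64 bytes starting with the DOS "MZ" header; not a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="GREETINGS.EXE")
    msg.add_attachment("Just a note.", subtype="plain", filename="note.txt")
    return msg.as_string()


if __name__ == "__main__":
    for item in inventory_attachments(build_sample_message()):
        print(f"{item['filename']:15} {item['class']:10} {item['content_type']:25} "
              f"{item['size']:5d} bytes sha256={item['sha256'][:16]}...")
```

The digest is what you would compare against a vendor's published hash or hand to your incident response team; nothing in the script opens, extracts or launches the file, so running it against a real suspect message is as safe as reading the headers.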

Ghost.exe Warning
=================

The Ghost.exe program was originally distributed as a free screen
saver containing some advertising information for the author's company
(Access Softek). The program opens a window that shows a Halloween
background with ghosts flying around the screen. On any Friday the 13th,
the program window title changes and the ghosts fly off the window and
around the screen. Someone apparently got worried and sent a message
indicating that this might be a Trojan. The warning grew until it said
that ghost.exe was a Trojan that would destroy your hard drive, and the
developers got a lot of nasty phone calls (their names and phone numbers
were in the About box of the program). A simple phone call to the number
listed in the program would have stopped this warning from being sent out.
The original ghost.exe program is just cute; it does not do anything
damaging. Note that this does not mean that ghost.exe could not be infected
with a virus that does do damage, so the normal antivirus procedure of
scanning it before running it should be followed.

History of Virus Hoaxes
=======================

Since 1988, computer virus hoaxes have been circulating on the Internet. In
October of that year, according to Ferbrache ("A Pathology of Computer
Viruses", Springer, London, 1992), one of the first virus hoaxes was the
2400 baud modem virus:

 SUBJ: Really Nasty Virus
  AREA: GENERAL (1)
 
  I've just discovered probably the world's worst computer virus
  yet. I had just finished a late night session of BBS'ing and file
  treading when I exited Telix 3 and attempted to run pkxarc to
  unarc the software I had downloaded. Next thing I knew my hard
  disk was seeking all over and it was apparently writing random
  sectors. Thank god for strong coffee and a recent backup.
  Everything was back to normal, so I called the BBS again and
  downloaded a file. When I went to use ddir to list the directory,
  my hard disk was getting trashed again. I tried Procomm Plus TD
  and also PC Talk 3. Same results every time. Something was up so I
  hooked up to my test equipment and different modems (I do research
  and development for a local computer telecommunications company
  and have an in-house lab at my disposal). After another hour of
  corrupted hard drives I found what I think is the world's worst
  computer virus yet. The virus distributes itself on the modem sub-
  carrier present in all 2400 baud and up modems. The sub-carrier is
  used for ROM and register debugging purposes only, and otherwise
  serves no othr (sp) purpose. The virus sets a bit pattern in one
  of the internal modem registers, but it seemed to screw up the
  other registers on my USR. A modem that has been "infected" with
  this virus will then transmit the virus to other modems that use a
  subcarrier (I suppose those who use 300 and 1200 baud modems
  should be immune). The virus then attaches itself to all binary
  incoming data and infects the host computer's hard disk. The only
  way to get rid of this virus is to completely reset all the modem
  registers by hand, but I haven't found a way to vaccinate a modem
  against the virus, but there is the possibility of building a
  subcarrier filter. I am calling on a 1200 baud modem to enter this
  message, and have advised the sysops of the two other boards
  (names withheld). I don't know how this virus originated, but I'm
  sure it is the work of someone in the computer telecommunications
  field such as myself. Probably the best thing to do now is to
  stick to 1200 baud until we figure this thing out.

 Mike RoChenle

This bogus virus description spawned a humorous alert by Robert Morris III:

  Date: 11-31-88 (24:60) Number: 32769
  To: ALL Refer#: NONE
  From: ROBERT MORRIS III Read: (N/A)
  Subj: VIRUS ALERT Status: PUBLIC MESSAGE
  
  Warning: There's a new virus on the loose that's worse than
  anything I've seen before! It gets in through the power line,
  riding on the powerline 60 Hz subcarrier. It works by changing the
  serial port pinouts, and by reversing the direction one's disks
  spin. Over 300,000 systems have been hit by it here in Murphy,
  West Dakota alone! And that's just in the last 12 minutes.
  
  It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
  RSX-11, ITS, TRS-80, and VHS systems.
  
  To prevent the spread of the worm:
  
  1) Don't use the powerline.
  2) Don't use batteries either, since there are rumors that this
    virus has invaded most major battery plants and is infecting the
    positive poles of the batteries. (You might try hooking up just
    the negative pole.)
  3) Don't upload or download files.
  4) Don't store files on floppy disks or hard disks.
  5) Don't read messages. Not even this one!
  6) Don't use serial ports, modems, or phone lines.
  7) Don't use keyboards, screens, or printers.
  8) Don't use switches, CPUs, memories, microprocessors, or
    mainframes.
  9) Don't use electric lights, electric or gas heat or
    airconditioning, running water, writing, fire, clothing or the
    wheel.
  
  I'm sure if we are all careful to follow these 9 easy steps, this
  virus can be eradicated, and the precious electronic fluids of
  our computers can be kept pure.
  
  ---RTM III

Since that time virus hoaxes have flooded the Internet. With thousands of
viruses worldwide, virus paranoia in the community has risen to an extremely
high level. It is this paranoia that fuels virus hoaxes. A good example of
this behavior is the "Good Times" virus hoax, which started in 1994 and is
still circulating on the Internet today. Instead of spreading from one computer
to another by itself, Good Times relies on people to pass it along.

How to Identify a Hoax
======================

There are several methods to identify virus hoaxes, but first consider what
makes a successful hoax on the Internet. Two known factors make a successful
virus hoax: (1) technical-sounding language, and (2) credibility by
association. If the warning uses the proper technical jargon, most
individuals, including technologically savvy individuals, tend to believe
the warning is real. For example, the Good Times hoax says that "...if the
program is not stopped, the computer's processor will be placed in an
nth-complexity infinite binary loop which can severely damage the
processor...". The first time you read this, it sounds like it might be
something real. With a little research, you find that there is no such thing
as an nth-complexity infinite binary loop and that processors are designed
to run loops for weeks at a time without damage. Credibility by association
refers to who sent the warning. If the janitor at a large technological
organization sends a warning to someone outside of that organization, people
on the outside tend to believe the warning because the company should know
about those things. Even though the person sending the warning may not have
a clue what he is talking about, the prestige of the company backs the
warning, making it appear real. If a manager at the company sends the
warning, the message is doubly backed by the company's and the manager's
reputations.

Individuals should also be especially alert if the warning urges you to pass
it on to your friends. This should raise a red flag that the warning may be
a hoax. Another flag to watch for is a warning that claims to be a
Federal Communications Commission (FCC) warning. According to the FCC, they
have not and never will disseminate warnings on viruses; it is not part of
their job. CIAC recommends that you DO NOT circulate virus warnings without
first checking with an authoritative source. Authoritative sources are your
computer system security administrator or a computer incident advisory team.
Real warnings about viruses and other network problems are issued by the
various response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are
digitally signed by the sending team using PGP. If you download a warning
from a team's web site or validate its PGP signature, you can usually be
assured that the warning is real. Warnings without the name of the person
sending the original notice, or warnings with names, addresses and phone
numbers that do not actually exist, are probably hoaxes.

What to Do When You Receive a Warning
=====================================

Upon receiving a warning, you should examine its PGP signature to see that
it is from a real response team or antivirus organization. To do so, you
will need a copy of the PGP software and the public key of the team
that sent the message; obtain that key from the team itself, not from the
message you are checking, since anyone can paste a signature block into a
hoax. The CIAC key is available from the CIAC web server at:
http://ciac.llnl.gov.
If there is no PGP signature, see if the warning includes the name of the
person submitting the original warning. Contact that person to see if he/she
really wrote the warning and if he/she really touched the virus. If he/she
is passing on a rumor, if the address of the person does not exist, or if
there is any question about the authenticity of the warning, do not
circulate it to others. Instead, send the warning to your computer security
manager or incident response team and let them validate it. When in doubt,
do not send it out to the world. Your computer security managers and the
incident response teams have experts who try to stay current on
viruses and their warnings. In addition, most anti-virus companies have a
web page containing information about most known viruses and hoaxes. You can
also call or check the web site of the company that produces the product
that is supposed to contain the virus.

Checking the PKWARE site for the current releases of PKZip would stop the
circulation of the warning about PKZ300 since there is no released version 3
of PKZip. Another useful web site is the "Computer Virus Myths home page" 
which contains descriptions of several known hoaxes. In most cases, common 
sense would eliminate Internet hoaxes.
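The indicators listed in the two preceding sections (pressure to forward, an FCC attribution, technical-sounding nonsense, claims of infection by merely reading, no identifiable originator, and whether a PGP signature is even present to check) can be turned into a first-pass triage script that sorts incoming warnings before anyone forwards them. The Python below is an added example, not a CIAC or ASSIST tool. The two sample warnings are constructed for illustration, the PGP block in the second is a placeholder that would not verify, the contact address is a placeholder, and the pattern list is a starting point rather than a definitive hoax signature. The script only reports whether signature framing exists; real verification still requires PGP and the team's public key obtained from the team.

```python
"""First-pass triage of a circulated virus warning, using the indicators
CIAC lists: forwarding pressure, FCC attribution, technobabble, claims of
infection by merely reading, a missing originator, and PGP framing."""
import re

# Indicator patterns (assumption: an illustrative list drawn from the hoaxes
# discussed in this bulletin, not a complete signature set).
HOAX_PATTERNS = [
    ("urges forwarding",
     r"(forward|pass|send) (this|it) (on )?to (all|everyone|your friends)"),
    ("cites the FCC",
     r"\bfcc\b|federal communications commission"),
    ("infection by merely reading or downloading",
     r"(just|simply|merely) by (reading|opening|downloading|being downloaded)"),
    ("technobabble",
     r"nth-complexity|infinite binary loop|sub-?carrier"),
    ("threatens to destroy the hard drive",
     r"(destroy|erase|wipe)s? (your|the) (entire )?hard (drive|disk)"),
]
EMAIL_RE = r"[\w.+-]+@[\w-]+(\.[\w-]+)+"
PGP_START = "-----begin pgp signed message-----"
PGP_SIG = "-----begin pgp signature-----"


def triage_warning(text):
    """Return the indicators found, whether PGP framing is present, and the
    action CIAC's guidance implies. Finding the framing is NOT verification:
    the signature must still be checked with the team's published key."""
    lowered = text.lower()
    flags = [name for name, pattern in HOAX_PATTERNS if re.search(pattern, lowered)]
    if not re.search(EMAIL_RE, text):
        flags.append("no originator address")
    pgp_framed = PGP_START in lowered and PGP_SIG in lowered
    if pgp_framed:
        action = "verify the signature against the team's published key before trusting it"
    elif len(flags) >= 2:
        action = "do not circulate; hand it to your security manager"
    else:
        action = "unverified; have your security manager validate before forwarding"
    return {"flags": flags, "pgp_framed": pgp_framed, "action": action}


# Constructed sample 1: a Good Times style chain warning with no real sender.
SAMPLE_HOAX = """\
WARNING!!! If you receive an e-mail with the subject "Good Times", DO NOT
read it. Just by reading it, the virus will destroy your hard drive and
place the processor in an nth-complexity infinite binary loop. The FCC
has released a warning about this. Please forward this to everyone you know!
"""

# Constructed sample 2: the skeleton of a signed advisory. The signature
# block is a placeholder and would not verify; the address is a placeholder.
SAMPLE_SIGNED_ADVISORY = """\
-----BEGIN PGP SIGNED MESSAGE-----

Response Team Notes (constructed example)
A Trojan horse posing as a new PKZIP release has been reported. Obtain
PKZIP only from the vendor. Questions: response-team@example.invalid

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""


if __name__ == "__main__":
    for label, sample in (("chain warning", SAMPLE_HOAX),
                          ("signed advisory", SAMPLE_SIGNED_ADVISORY)):
        result = triage_warning(sample)
        print(f"{label}: flags={result['flags']} pgp_framed={result['pgp_framed']}")
        print(f"  action: {result['action']}")
```

The deliberate asymmetry is that a message with signature framing is never declared genuine by the script; it is routed to signature verification, because the framing itself costs a hoaxer nothing to copy. A message with two or more indicators and no signature is held back from circulation, which is the outcome CIAC asks for when in doubt.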

****************************************************************************
*                                                                          *
*    The point of contact for NIPRNET security-related incidents is the    *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive
DISN Security Bulletins.  If you are not part of  the DOD community, please
contact your agency's incident response team to report incidents.  Your
agency's team will coordinate with DOD.  The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization.  A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as a service to the DOD community.  Neither the
United States Government nor any of its employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed
herein do not necessarily state or reflect those of the United States
Government, and shall not be used for advertising or product endorsement
purposes.