Internet Hoaxes

Please Note:

This web site is provided as a public service; however, CIAC does not have the resources to investigate and/or confirm every hoax currently circulating the Internet. CIAC appreciates input on questionable hoaxes, but we are not able to respond back to each e-mail message. You can help eliminate "junk mail" by educating the public on how to identify a new hoax warning, how to identify a valid warning and what to do if you think a message is a hoax.

Hoaxes described on this page: PKZ300, Irina, Good Times, Good Times Spoof, Deeyenda, Ghost, PENPAL GREETINGS!, Make Money Fast, NaughtyRobot, AOL4FREE, Join the Crew, Death Ray, AOL V4.0 Cookie, A.I.D.S. Hoax, Internet Cleanup Day, Bill Gates Hoax, WIN A HOLIDAY, AOL Riot June 1, 1998

Last modified: Wednesday, 22-Apr-98 16:08:46 PDT

For information on Internet Chain Letters, check the New CIAC web page located at http://ciac.llnl.gov/ciac/CIACChainLetters.html

The Internet is constantly being flooded with information about computer viruses and Trojans. However, interspersed among real virus notices are computer virus hoaxes. While these hoaxes do not infect systems, they are still time consuming and costly to handle. At CIAC, we find that we are spending much more time de-bunking hoaxes than handling real virus incidents. This page describes only a small number of the hoax warnings that are found on the Internet today. We will address some of the history of hoaxes on the Internet.

Users are requested to please not spread unconfirmed warnings about viruses and Trojans. If you receive an unvalidated warning, don't pass it to all your friends; pass it to your computer security manager to validate first. Validated warnings from the incident response teams and antivirus vendors have valid return addresses and are usually PGP signed with the organization's key.


PKZ300 Warning

The PKZ300 Trojan is a real Trojan program, but the initial warning about it was released over a year ago. For information pertaining to the PKZ300 Trojan, reference CIAC Notes issue 95-10, at http://ciac.llnl.gov/ciac/notes/Notes10.shtml, that was released in June of 1995. The warning itself, on the other hand, is gaining urban legend status. There has been an extremely limited number of sightings of this Trojan and those appeared over a year ago. Even though the Trojan warning is real, the repeated circulation of the warning is a nuisance. Individuals who need the current release of PKZIP should visit the PKWare web page at http://www.pkware.com. CIAC recommends that you DO NOT recirculate the warning about this particular Trojan.

The following is the true warning about PKZ300 from the PKWare web site:

     !!! PKZIP Trojan Horse Version - (Originally Posted May 1995) !!!

     It has come to the attention of PKWARE that a fake version of PKZIP is being
     distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an offical version from
     PKWARE and it will attempt to erase your hard drive if run. It attempts to
     perform a deletion of all the directories of your current drive. If you have
     any information as to the creators of this trojan horse, PKWARE would be
     extremely interested to hear from you. If you have any other questions about
     this fake version, please e-mail support@pkware.com


Irina Virus Hoax

The "Irina" virus warnings are a hoax. The former head of an electronic publishing company circulated the warning to create publicity for a new interactive book by the same name. The publishing company has apologized for the publicity stunt that backfired and panicked Internet users worldwide. The original warning claimed to be from a Professor Edward Prideaux of the College of Slavic Studies in London; there is no such person or college. However, London's School of Slavonic and East European Studies has been inundated with calls. This poorly thought-out publicity stunt was highly irresponsible. For more information pertaining to this hoax, reference the UK Daily Telegraph at http://www.telegraph.co.uk. The original hoax message is as follows:

     FYI

     There is a computer virus that is being sent across the Internet.
     If you receive an e-mail message with the subject line "Irina", DO NOT
     read the message. DELETE it immediately.

     Some miscreant is sending people files under the title "Irina". If
     you receive this mail or file, do not download it. It has a virus
     that rewrites your hard drive, obliterating anything on it. Please be
     careful and forward this mail to anyone you care about.

     ( Information received from the Professor Edward Prideaux, College of
     Slavonic Studies, London ).


Good Times Virus Hoax

The "Good Times" virus warnings are a hoax. There is no virus by that name in existence today. These warnings have been circulating the Internet for years. The user community must become aware that it is unlikely that a virus can be constructed to behave in the manner ascribed in the "Good Times" virus warning.

CIAC first described the Good Times Hoax in CIAC NOTES 94-04c released in December 1994 and described it again in CIAC NOTES 95-09 in April 1995. More information is in the Good_Times FAQ (http://www-mcb.ucdavis.edu/info/virus.html) written by Les Jones.

The original "Good Times" message that was posted and circulated in November and December of 1994 contained the following warning:

     Here is some important information. Beware of a file called Goodtimes.

     Happy Chanukah everyone, and be careful out there. There is a virus on
     America Online being sent by E-Mail. If you get anything called "Good Times",
     DON'T read it or download it. It is a virus that will erase your hard drive.
     Forward this to all your friends. It may help them a lot.

Soon after the release of CIAC NOTES 04, another "Good Times" message was circulated. This is the same message that is being circulated during this recent "Good Times" rebirth. This message includes a claim that the Federal Communications Commission (FCC) released a warning about the danger of the "Good Times" virus, but the FCC did not and will not ever issue a virus warning. It is not their job to do so. See the FCC Public Notice 5036. The following is the expanded "Good Times" hoax message:

     The FCC released a warning last Wednesday concerning a matter of
     major importance to any regular user of the InterNet.  Apparently,
     a new computer virus has been engineered by a user of America
     Online that is unparalleled in its destructive capability.  Other,
     more well-known viruses such as Stoned, Airwolf, and Michaelangelo
     pale in comparison to the prospects of this newest creation by a
     warped mentality.

     What makes this virus so terrifying, said the FCC, is the fact that
     no program needs to be exchanged for a new computer to be infected.
     It can be spread through the existing e-mail systems of the
     InterNet. Once a computer is infected, one of several things can
     happen.  If the computer contains a hard drive, that will most
     likely be destroyed. If the program is not stopped, the computer's
     processor will be placed in an nth-complexity infinite binary loop
     - which can severely damage the processor if left running that way
     too long. Unfortunately, most novice computer users will not
     realize what is happening until it is far too late.


Good Times Spoof

The following spoof of the good times hoax is too well done not to include here. The author of this spoof is unknown, but we will gladly give him credit if he will only contact us.

     READ THIS:

     Goodtimes will re-write your hard drive. Not only that, but
     it will scramble any disks that are even close to your computer. It
     will recalibrate your refrigerator's coolness setting so all your ice
     cream goes melty. It will demagnetize the strips on all your credit
     cards, screw up the tracking on your television and use subspace field
     harmonics to scratch any CD's you try to play.

     It will give your ex-girlfriend your new phone number. It
     will mix Kool-aid into your fishtank. It will drink all your beer and
     leave its socks out on the coffee table when there's company coming
     over. It will put a dead kitten in the back pocket of your good suit
     pants and hide your car keys when you are late for work.

     Goodtimes will make you fall in love with a penguin. It will
     give you nightmares about circus midgets. It will pour sugar in your
     gas tank and shave off both your eyebrows while dating your
     girlfriend behind your back and billing the dinner and hotel room to
     your Discover card.

     It will seduce your grandmother. It does not matter if she
     is dead, such is the power of Goodtimes, it reaches out beyond the
     grave to sully those things we hold most dear.

     It moves your car randomly around parking lots so you can't
     find it. It will kick your dog. It will leave libidinous messages on
     your boss's voice mail in your voice! It is insidious and subtle. It
     is dangerous and terrifying to behold. It is also a rather
     interesting shade of mauve.

     Goodtimes will give you Dutch Elm disease. It will leave the
     toilet seat up. It will make a batch of Methanphedime in your bathtub
     and then leave bacon cooking on the stove while it goes out to chase
     gradeschoolers with your new snowblower.

     Listen to me. Goodtimes does not exist.

     It cannot do anything to you. But I can. I am sending this
     message to everyone in the world. Tell your friends, tell your
     family. If anyone else sends me another E-mail about this fake
     Goodtimes Virus, I will turn hating them into a religion. I will do
     things to them that would make a horsehead in your bed look like
     Easter Sunday brunch.

So there, take that Good Times.


Deeyenda Virus Hoax

The following "Deeyenda" virus warning is a hoax. CIAC has received inquiries regarding the validity of the Deeyenda virus. The warnings are very similar to those for Good Times, stating that the FCC issued a warning about it, and that it is self activating and can destroy the contents of a machine just by being downloaded. Users should note that the FCC does not and will not issue virus or Trojan warnings. It is not their job to do so. As of this date, there are no known viruses with the name Deeyenda in existence. For a virus to spread, it must be executed. Reading a mail message does not execute the mail message. Trojans and viruses have been found as executable attachments to mail messages, but they must be extracted and executed to do any harm. CIAC still affirms that reading E-mail, using typical mail agents, can not activate malicious code delivered in or with the message.

     **********VIRUS ALERT**********

     VERY IMPORTANT INFORMATION, PLEASE READ!

     There is a computer virus that is being sent across the Internet.  If
     you  receive an email message with the subject line "Deeyenda", DO NOT
     read the message, DELETE it immediately!

     Some miscreant is sending email under the title "Deeyenda" nationwide,
     if you get anything like this DON'T  DOWNLOAD THE FILE!  It has a virus
     that rewrites your hard drive, obliterates anything on it. Please be
     careful and forward this e-mail to anyone you care about.

     Please read the message below.

     Alex

     -----------

     FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET

     The Internet community has again been plagued by  another computer
     virus.  This message is being spread throughout the Internet, including
     USENET posting, EMAIL, and other Internet activities.  The reason for
     all the attention is because of the nature of this virus and the
     potential security risk it makes.  Instead of a destructive Trojan
     virus (like most viruses!), this virus referred to as Deeyenda Maddick,
     performs a comprehensive search on your computer, looking for valuable
     information, such as email and login passwords, credit cards, personal
     inf., etc.

     The Deeyenda virus also has the capability to stay memory resident
     while running a host of applications and operation systems, such as
     Windows 3.11 and Windows 95.  What this means to Internet users is that
     when a login and password are send to the server, this virus can copy
     this information and SEND IT OUT TO UN UNKNOWN ADDRESS (varies).

     The reason for this warning is because the Deeyenda virus is virtually
     undetectable.  Once attacked your computer will be unsecure.  Although
     it can attack any O/S this virus is most likely to attack those users
     viewing Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet
     Explorer 3.0+ which are running under Windows 95). Researchers at
     Princeton University have found this virus on a number of World Wide
     Web pages and fear its spread.

     Please pass this on, for we must alert the general public at the
     security risks.


Ghost.exe Warning

The Ghost.exe program was originally distributed as a free screen saver containing some advertising information for the author's company (Access Softek). The program opens a window that shows a Halloween background with ghosts flying around the screen. On any Friday the 13th, the program window title changes and the ghosts fly off the window and around the screen. Someone apparently got worried and sent a message indicating that this might be a Trojan. The warning grew until it said that Ghost.exe was a Trojan that would destroy your hard drive, and the developers got a lot of nasty phone calls (their names and phone numbers were in the About box of the program). A simple phone call to the number listed in the program would have stopped this warning from being sent out. The original ghost.exe program is just cute; it does not do anything damaging. Note that this does not mean that ghost could not be infected with a virus that does do damage, so the normal virus procedure of scanning it before running it should be followed.

PENPAL GREETINGS! Warning Hoax

The PENPAL GREETINGS! Hoax shown below appears to be an attempt to kill an e-mail chain letter by claiming that it is a self starting Trojan that destroys your hard drive and then sends copies of itself to everyone whose address is in your mailbox. Reading an e-mail message does not run it nor does it run any attachments, so this Trojan must be self starting. Aside from the fact that a program cannot start itself, the Trojan would also have to know about every different kind of e-mail program to be able to forward copies of itself to other people. This warning is totally a hoax.

     FYI!

     Subject:  Virus Alert
     Importance:  High

     If anyone receives mail entitled: PENPAL GREETINGS! please delete it WITHOUT
     reading it.  Below is a little explanation of the message, and what it would
     do to your PC if you were to read the message.  If you have any questions or
     concerns please contact  SAF-IA Info Office on 697-5059.

     This is a warning for all internet users - there is a dangerous virus
     propogating across the internet through an e-mail message entitled "PENPAL
     GREETINGS!".

     DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"

     This message appears to be a friendly letter asking you if you are
     interested in a penpal, but by the time you read this letter, it is too late.
     The "trojan horse" virus will have already infected the boot sector of your hard
     drive, destroying all of the data present.  It is a self-replicating virus,
     and once the message is read, it will AUTOMATICALLY forward itself to anyone
     who's e-mail address is present in YOUR mailbox!

     This virus will DESTROY your hard drive, and holds the potential to DESTROY
     the hard drive of anyone whose mail is in your inbox, and who's mail is in
     their inbox, and so on.  If this virus remains unchecked, it has the potential
     to do a great deal of DAMAGE to computer networks worldwide!!!!

     Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it!
     And pass this message along to all of your friends and relatives, and the
     other readers of the newsgroups and mailing lists which you are on, so that
     they are not hurt by this dangerous virus!!!!


Make Money Fast Hoax Warning

The Make Money Fast Warning Hoax appears to be similar to the PENPAL GREETINGS! Warning in that it is a hoax warning message that is attempting to kill an e-mail chain letter. While laudable in its intent, the hoax warning has caused as many or more problems than the chain letter it is attempting to kill.


NaughtyRobot

Quite a few Web site administrators have received email messages that seem to be originating from the same machine hosting the Web site. The email headers are apparently being forged to hide the original sender of the message. The mail being received contains the following:

     Subject: security breached by NaughtyRobot

     This message was sent to you by NaughtyRobot, an Internet spider that
     crawls into your server through a tiny hole in the World Wide Web.

     NaughtyRobot exploits a security bug in HTTP and has visited your host
     system to collect personal, private, and sensitive information.

     It has captured your Email and physical addresses, as well as your phone
     and credit card numbers.  To protect yourself against the misuse of this
     information, do the following:

          1. alert your server SysOp,
          2. contact your local police,
          3. disconnect your telephone, and
          4. report your credit cards as lost.

     Act at once.  Remember: only YOU can prevent DATA fires.

     This has been a public service announcement from the makers of
     NaughtyRobot -- CarJacking its way onto the Information SuperHighway.

The NaughtyRobot email message appears to be a hoax. There is no indication that any of the problems described in the body have taken place on any machine.


Join the Crew

Circulating the Internet is an email message entitled "Join the Crew". For a virus to spread, it must be executed. Reading a mail message does not execute the mail message. Trojans and viruses have been found as executable attachments to mail messages, but they must be extracted and executed to do any harm. CIAC still affirms that reading E-mail, using typical mail agents, can not activate malicious code delivered in or with the message.

     IMPORTANT - VIRUS Alert!!!
     Take note !
     Someone got an email, titled as JOIN THE CREW.
     It has erased his hard drive.
     Do not open up any mail that has this title.
     It will erase your whole hard drive.
     This is a new email virus and not a lot of people know about it,
     just let everyone  know, so they won't be a victim.
     Please e-mail this to everyone you know!!!
     Remember the title :
     JOIN THE CREW

Variants of this email message are circulating the Internet. If you receive an email message entitled "Join the Crew" and it has an attachment, CIAC recommends that you delete the message and the attachment. If you receive just the message, delete the message. Please DO NOT circulate unvalidated virus alerts.


Death Ray

The Death Ray Virus is a hoax. The following "Death Ray Virus" warning was reported in the Weekly World News and other publications. CIAC knows of no virus, or any computer program for that matter, that has caused physical damage to a computer or caused it to explode.

     A deadly new computer virus that actually causes home computers to explode
     in a hellish blast of glass fragments and flame has injured at least 47
     people since August 15, horrifying authorities who say millions of people
     are risking injury, blindness or death every time they sit down to work at
     their PC!

     "Computer viruses of the past could disable your computer, but this virus
     goes a step further -- and can kill you," declared Martin Heriden, a
     computer expert who specializes in identifying computer viruses. "This
     virus doesn't carry the usual 'markers' that enable it to be detected.
     It slips through the cracks, so to speak.

     "It is an extremely complicated process. But suffice it to say that the
     virus affects the computer's hardware, creating conditions that lead
     to dangerous short circuits and power surges. The end result?
     Explosions -- powerful explosions. And millions of Internet users are
     at risk."

     The virus, nicknamed Death Ray by experts like Heriden, surfaced in England
     on August 1. A 24-year-old college student was permanently blinded
     when his 15-inch color monitor exploded in his face.

     "So how do you protect yourself? I wish I knew," said Heriden. "You
     either stop using the Internet or you take your chances until we can
     get a handle on this thing and get rid of it for good.


The A.I.D.S. Hoax

Circulating the Internet is an email message warning about an A.I.D.S. virus that destroys your computer. This warning is a hoax.

There are actually several real AIDS viruses and Trojan horses, but this warning message does not describe any of them.

This particular warning message (shown below) indicates that the virus comes in an e-mail message. While a virus may be in an attachment to an e-mail message, reading that message with a standard mail reader can not execute a virus. A virus in an attachment can not do anything until that attachment is executed, or in the case of a Word macro virus, the attached Word document is opened in Word. For this reason, CIAC recommends that you scan all executable programs and Word documents that were sent as attachments to e-mail messages before running or editing them.

The warning claims the virus destroys your actual hardware, such as memory, mouse, keyboard, and hard drive, all of which is impossible. Also notice that the author has not signed the message or given you any way to authenticate it, which is another strong indication of a hoax.

     THEREE IS A VIRUS GOING AROUND CALLED THE A.I.D.S VIRUS. IT WILL ATTACH
     ITSELF INSIDE YOUR COMPUTER AND EAT AWAY AT YOUR MEMORY THIS MEMORY IS
     IRREPLACEABLE. THEN WHEN IT'S FINISHED WITH MEMORY IT INFECTS YOUR MOUSE
     OR POINTING DEVICE. THEN IT GOES TO YOUR KEY BOARD AND THE LETTERS YOU
     TYPE WILL NOT REGISTER ON SCREEN. BEFORE IT SELF TERMINATES IT EATS 5MB OF
     HARD DRIVE SPACE AND WILL DELETE ALL PROGRAMS ON IT AND IT CAN SHUT DOWN
     ANY 8 BIT TO 16 BIT SOUND CARDS RENDERING YOUR SPEAKERS USELESS. IT WILL
     COME IN E-MAIL CALLED "OPEN:VERY COOL! :) DELETE IT RIGHT AWAY. THIS
     VIRUS WILL BASICLY RENDER YOUR COMPUTER USELESS. YOU MUST PASS THIS ON
     QUICKLY AND TO AS MANY PEOPLE  AS POSSLE!!!!! YOU MUST!
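
The traits CIAC points to in these write-ups (a plea to forward to everyone, harm from merely reading a message, an FCC attribution, physical hardware damage, no signature) can be checked mechanically before a warning is passed on. The Python below is an added example, not part of the original CIAC page; the pattern list, function names and triage labels are assumptions, and the signed advisory is a constructed sample.

```python
import re

# Traits this page attributes to hoax warnings, as regexes.
# The pattern set is an assumption of this example and is not exhaustive.
PATTERNS = {
    # "Forward this to all your friends", "e-mail this to everyone you know"
    "urges_mass_forwarding": re.compile(
        r"\b(?:forward|pass|send|e-?mail)\b[^.!?]{0,60}"
        r"\b(?:everyone|anyone|all\s+(?:of\s+)?your|as\s+many|\d+\s+people)\b",
        re.I),
    # Claims that merely reading or opening the mail does the damage
    "harm_from_reading": re.compile(
        r"\b(?:do\s+not|don'?t|without)\s+"
        r"(?:read|reading|open|opening|download)", re.I),
    # The FCC does not issue virus or Trojan warnings
    "cites_fcc": re.compile(r"\bFCC\b|Federal Communications Commission"),
    # Claims of physical damage to hardware
    "hardware_damage": re.compile(
        r"\bexplo(?:de|sion)s?\b"
        r"|\b(?:damage|destroy|fry)s?\s+(?:the|your)\s+"
        r"(?:processor|monitor|memory|keyboard|mouse)\b"
        r"|\bcomputer components\b", re.I),
}

PGP_ARMOR = "-----BEGIN PGP SIGNED MESSAGE-----"


def hoax_indicators(message):
    """Return the names of the hoax traits found in a purported virus warning."""
    text = " ".join(message.split())  # collapse line breaks so phrases match
    hits = [name for name, pat in PATTERNS.items() if pat.search(text)]
    if PGP_ARMOR not in message:
        hits.append("unsigned")
    return hits


def triage(message):
    """Map indicators to a handling label (labels are this example's own)."""
    hits = hoax_indicators(message)
    if "unsigned" not in hits:
        # Armor alone proves nothing: the signature must still be verified
        # against the issuing organization's key.
        return "verify-signature"
    if len(hits) > 1:
        return "hoax-like"      # do not forward
    return "unvalidated"        # send to the computer security manager first


# The original "Good Times" message, as quoted on this page.
GOOD_TIMES = """Here is some important information. Beware of a file called
Goodtimes. Happy Chanukah everyone, and be careful out there. There is a
virus on America Online being sent by E-Mail. If you get anything called
"Good Times", DON'T read it or download it. It is a virus that will erase
your hard drive. Forward this to all your friends. It may help them a lot."""

# Two sentences excerpted from the expanded "Good Times" message on this page.
GOOD_TIMES_FCC_EXCERPT = """The FCC released a warning last Wednesday
concerning a matter of major importance to any regular user of the InterNet.
[...] If the program is not stopped, the computer's processor will be placed
in an nth-complexity infinite binary loop - which can severely damage the
processor if left running that way too long."""

# Constructed sample of a signed advisory; the signature is a placeholder.
SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----

ADVISORY (constructed sample). A Word macro virus is circulating in documents
sent as attachments. Scan attached programs and Word documents before running
or editing them.
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----"""

if __name__ == "__main__":
    for name, msg in [("Good Times", GOOD_TIMES),
                      ("Good Times (FCC)", GOOD_TIMES_FCC_EXCERPT),
                      ("Signed sample", SIGNED_SAMPLE)]:
        print(name, triage(msg), hoax_indicators(msg))
```
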


Internet Cleanup Day

Variants of this e-mail message have been circulating the Internet. This warning is a hoax. There is no such thing as a "cleanup day" for the Internet. If each web site shut down their web server there would be NO Internet to clean. The e-mail message is usually forged with an ambiguous signature. CIAC recommends that you trash any message related to this subject. Please, DO NOT circulate.

     Subj: Internet Cleanup Day

     THIS MESSAGE WILL AGAIN BE REPEATED IN MID FEBRUARY.

     *** Attention ***

     It's that time again!

     As many of you know, each year the Internet must be shut down for 24
     hours in order to allow us to clean it. The cleaning process, which
     eliminates dead email and inactive ftp, www and gopher sites, allows for a
     better working and faster Internet.

     This year, the cleaning process will take place from 12:01 a.m.. GMT on
     February 27 until 12:01 a.m. GMT on February 28 (the time least likely to
     interfere with ongoing work). During that 24-hour period, five powerful
     Internet search engines situated around the world will search the
     Internet and delete any data that they find.

     In order to protect your valuable data from deletion we ask that you do
     the following:

       1. Disconnect all terminals and local area networks from their
          Internet connections.
       2. Shut down all Internet servers, or disconnect them from the
          Internet.
       3. Disconnect all disks and hardrives from any connections to the
          Internet.
       4. Refrain from connecting any computer to the Internet in any
          way.

     We understand the inconvenience that this may cause some Internet
     users, and we apologize. However, we are certain that any inconveniences
     will be more than made up for by the increased speed and efficiency of the
     Internet, once it has been cleared of electronic flotsam and jetsam.

     We thank you for your cooperation.

     ***** Signature Removed *****


Bill Gates Hoax

Circulating the Internet since November 1997, is a chain letter hoax claiming to be from the office of the chief executive of Microsoft Corporation. Although there are special variants, they all claim to be from Bill Gates and merely ask the receiver to forward the letter to other people. If an attachment comes with this message, CIAC recommends you delete it at once. DO NOT take any unnecessary chances from unknown sources. For additional information, read the article at the ZDNet News Channel.

ZDNet's article "Bill Gates grubs for money...NOT!" released 12/3/97.

     FROM: GatesBeta@microsoft.com
     ATTACH: Tracklog@microsoft.com/Track883432/~TraceActive/On.html

     Hello Everyone,

     And thank you for signing up for my Beta Email Tracking Application or (BETA)
     for short. My name is Bill Gates.  Here at Microsoft we have just compiled an
     e-mail tracing program that tracks everyone to whom this message is forwarded
     to. It does this through an unique IP (Internet Protocol) address log book
     database.

     We are experimenting with this and need your help.  Forward this
     to everyone you know and if it reaches 1000 people everyone
     on the list you will receive $1000 and a copy of Windows98 at my expense.
     Enjoy.

     Note: Duplicate entries will not be counted. You will be notified by email
     with further instructions once this email has reached 1000 people. Windows98
     will not be shipped unitl it has been released to the general public.

     Your friend,
     Bill Gates & The Microsoft Development Team.


WIN A HOLIDAY Hoax

Circulating the Internet are e-mail messages entitled "WIN A HOLIDAY". These e-mail messages are a hoax, and the malicious e-mail they warn about does not exist. There is currently no virus that has the characteristics described in the message. The message is a variant of the "Join the Crew" hoax and another variant called "JUST WIN A HOLIDAY". CIAC recommends that you DO NOT pass the message to others.

     VIRUS WARNING !!!!!!

     If you receive an email titled "WIN A HOLIDAY" DO NOT open it. It
     will erase everything on your hard drive. Forward this letter out
     as many people as you can. This is a new, very malicious virus and
     not many people know about it. This information was announced
     yesterday morning from Microsoft; please share it with everyone
     that might access the Internet. Once again, pass this along to
     EVERYONE in our address book so that this may be stopped. Also, do
     not open or even look at any mail that says "RETURNED OR UNABLE TO
     DELIVER" This virus will attach itself to your computer components
     and render them useless. Immediately delete any mail items that
     say this. AOL has said that this is a very dangerous virus and
     that there is NO remedy for it at this time. Please practice
     cautionary measures and forward this to all your online friends
     ASAP.


AOL RIOT June 1, 1998

The latest AOL hoax circulating the Internet is "AOL RIOT June 1, 1998". CIAC received the following statement from AOL: "The June 1, 1998 riot e-mail is a hoax. The allegations relating to the spreading of viruses and the tracking of whom the e-mail is forwarded to are false." Tatiana Gau, Vice President of AOL Integrity Assurance.

     AOL RIOT JUNE 1, 1998

     WARNING:
     You must forward this letter to 10 people or your account will be
     terminated on June 1, 1998. All recipients of this e-mail are being
     tracked. When you received this, when you forwarded it, who you
     forwarded it to, is all on record. We are AOL's most elite hacker
     group, known as LcW. We have hacked AOL's (easily infiltrated) systems
     on numerous occaisions. We have shut down AOL keywords, we can kick any
     AOL Staff member off for 24 hours, we have gained access to Steve Case's
     account, we have created AOL's most famous hacking programs (Fate X,
     HaVoK, HeLL RaIsEr, MaGeNtA) and we can certainly get your credit card
     info. However, if you send this to 10 people, like you are told, you
     will escape unharmed. We won't terminate your account and you will be
     able to continue using AOL. So if you know whats best for you, you
     will send this to 10 people as soon as possible. If you think we are
     bluffing....just wait till June 1, and see if you can sign or not.

     CAUTION: THERE WILL BE A VIRUS UPLOADED ON AOL'S MAIN SERVER ON JUNE 1,
     1998. ANY USERS WHO HAVEN'T FORWARDED THIS MESSAGE WILL AUTOMATICALLY
     HAVE THE VIRUS DOWNLOADED INTO THEIR SYSTEM. WE SUGGEST YOU FORWARD
     THIS MESSAGE OR YOUR COMPUTER WILL BE FRIED.

     *****

     Because of the outrage of AOL's increasing prices, LcW has decided to
     create a riot on May 1, that will cause havoc on AOL. We will be
     sending viruses out to thousands of AOL users. We will be terminating
     accounts. We will be hacking into Guide chat rooms and kicking guides
     offline. There will be no AOL Staff - just complete pandemonium. If
     you want to join this riot, we urge you to! You won't have to worry
     about being TOSed or Reported because there will be no Guides online!
     So do whatever you want - punt, scroll, tos, just turn AOL into
     a war zone!

     *****

     LIST OF LcW HACKERS ON AOL

     We represent LcW
     The following Hackers will be co-ordinating the Riot and hacking AOL's
     mainframe computer, and uploading viruses into the system.

     WaReZxHaCk
     MaGuS
     ReDxKiNG
     HaVoK
     SkiD
     SeMeN
     NoStRa
     PhoneTap
     InetXWeb
     Psy Acid
     PoiSon iV
     PaUsE
     CooLant
     InFeRnO
     XStatic
     Chronic Burn
     Zone Degreez
     WaTcHeR

     -----
     AOL RIOT ON JUNE 1, 1998 - You have been warned LcW is taking over
     America Online. This is not no f***ing joke either. You have been
     warned.
     -----

Where f*** is a common vulgar expletive.


AOL V4.0 Cookie

AOL has declared the AOL V4.0 Cookie chain letter a hoax. CIAC received the following statement from AOL: "I wish to bring to your attention the attached hoax letter that has been circulating on the Internet, making serious allegations about AOL 4.0. All of these allegations are false." Tatiana Gau, Vice President of AOL Integrity Assurance.

************************************************************************************
From a former AOL employee:

I'll try and cut through the crap, and try to get to the point of this letter. I used to work for America Online, and would like to remain anonymous for that reason. I was laid off in early September, but I know exactly why I was laid off, which I will now explain:

Since last December, I had been one of the many people assigned to design AOL 4.0 for Windows (AOL 4.0 beta, codenamed Casablanca). In the beginning, I was very proud of this task, until I found out the true cost of it. Things were going fine until about mid-February, when me and 2 of my colleagues started to suspect a problem, an unexplainable 'Privacy Invasion', with the new version. One of them, who is a master programmer, copied the finished portion of the new version (Then 'Build 52'), and took it home, and we spent nearly 2 weeks of sleepless nights examining and debugging the program, flipping it inside-out, and here is what we found.

Unlike all previous versions of America Online, version 4.0 puts something in your hard drive called a 'cookie'. (AOL members click here for a definition). However, the cookie we found on Version 4.0 was far more treacherous than the simple Internet cookie. How would you like somebody looking at your entire hard drive, snooping through any (yes, any) piece of information on your hard drive. It could also read your password and log in information and store it deep in the program code. Well, all previous versions, whether you like it or not, have done this to a certain extent, but only with files you downloaded. As me and my colleagues discovered, with the new version, anytime you are signed on to AOL, any top AOL executive, any AOL worker, who has been sworn to secrecy regarding this feature, can go in to your hard drive and retrieve any piece of information that they so desire. Billing, download records, e-mail, directories, personal documents, programs, financial information, scanned images, etc. Better start keeping all those pictures on a floppy disk!

This is a totally disgusting violation of our rights, and your right to know as well. Since this is undoubtedly 'Top Secret' information that I am revealing, my life at AOL is pretty much over.

After discovering this information, we started to inform a few other workers at America Online, so that we could get a large enough crew to stop this from happening to the millions of unfortunate and unsuspecting America Online members. This was in early August. One month later, all three of us were unemployed. We got together, and figured there was something we had to do to let the public know. Unemployed, with one of us going through a divorce (me) and another who is about to undergo treatment for Cancer, our combined financial situation is not currently enough to release any sort of article. We attempted to create a web page on three different servers containing in-depth information on AOL 4.0, but all three were taken down within 2 days. We were running very low on time (4.0 is released early this winter), so we figured our last hope to reveal this madness before it affects the people was starting something similar to a chain letter, this letter you are reading. Please do the following, to help us expose AOL for who they really are, and to help us and yourself receive personal gratification for taking a stand for our freedom:

1. Forward this letter to as many people as you can (not just friends and family, as many as you can)!
2. Tell people who aren't on America Online in person, especially important people (Private Investigators, Government workers, City Council)
3. If the information about the new version isn't exposed by the time AOL is released early this winter, for your own protection, DON'T DOWNLOAD AOL 4.0 UNDER ANY CONDITION !!!

Thank you for reading and examining this information. Me and my colleagues hope that you will help us do the right thing in this situation.

Enjoy America Online (just kidding!).

Regards, A former AOL employee
************************************************************************************


AOL4FREE

AOL4FREE actually consists of three separate, independent items:

  1. The AOL4FREE Macintosh Program for gaining fraudulent accounts on AOL.
  2. The AOL4FREE Virus Warning Hoax.
  3. The AOL4FREE.COM Trojan horse program that deletes all the files on your hard drive.

The AOL4FREE Macintosh Program was originally written to provide illegal free access to America Online. In the March 1997 issue of the CSI Computer Security Alert the following statement was made concerning the creator of that program:

"A former Yale computer science student has pleaded guilty to defrauding America Online. AOL estimates it lost between $40,000 and $70,000 in service charges because the student distributed his computer program, AOL4FREE, to hundreds of other users."

Note that any attempt to use the original AOL4FREE.COM program may subject you to prosecution.

The second item is the AOL4FREE Virus Warning Hoax message. The following message has been circulating around the Internet, warning of a virus infected e-mail message:

************************************************************************************
VIRUS ALERT!!!

DON'T OPEN E-MAIL NOTING "AOL4FREE"

Anyone who receives this must send it to as many people as you can. It is essential that this problem be reconciled as soon as possible. A few hours ago, I opened an E-mail that had the subject heading of "AOL4FREE.COM". Within seconds of opening it, a window appeared and began to display my files that were being deleted. I immediately shut down my computer, but it was too late. This virus wiped me out. It ate the Anti-Virus Software that comes with the Windows '95 Program along with F-Prot AVS. Neither was able to detect it.

Please be careful and send this to as many people as possible, so maybe this new virus can be eliminated.
************************************************************************************

This message has several problems that identify it as a hoax.

  1. A virus-like program cannot spread in an e-mail message. While an infected program could be attached to an e-mail message, the e-mail message itself cannot contain one in any form that could be executed.
  2. A virus or Trojan horse program cannot infect a system by simply being read. The current mail readers do not execute an e-mail message; they display it on the screen for you to read. You must take care when downloading an attachment to an e-mail message. In some mail readers you can double-click on the attachment icon to have it extracted and opened by whatever program created it. If that attachment is a program, it is downloaded and run, and running any program you have not scanned could cause you to be infected with a virus.
  3. While this warning message is a hoax, the things it describes could be accomplished with a Trojan horse program. That Trojan horse could then be attached to an e-mail message, and if the reader downloads and executes the Trojan horse program, it could do the damage described in this message. In fact, someone has done that, as is explained below.

The third item is the AOL4FREE.COM Trojan Horse. This program appears to be the AOL4FREE program that creates fraudulent AOL accounts (though it is a DOS program instead of a Macintosh program) but is actually a simple compiled DOS batch file that runs the DOS DELTREE command on the C:\ directory of a DOS/Windows machine. The DELTREE command deletes all files in a directory, including the directory itself and any subdirectories in that directory. The effect is to delete all files on the C: drive of a DOS/Windows machine. If you should come across this program from any source, do not run it. For more information see CIAC Bulletin H-47a: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives.

CIAC ALWAYS recommends that software downloaded onto a computer from any source (BBS, e-mail attachment, floppy, web) be scanned with antivirus software prior to being run. Note that most antivirus software does not detect Trojans, so it is important to know where your software came from before executing it.



History of Virus Hoaxes

Since 1988, computer virus hoaxes have been circulating the Internet. In October of that year, according to Ferbrache ("A Pathology of Computer Viruses", Springer, London, 1992), one of the first virus hoaxes was the 2400 baud modem virus:

    SUBJ: Really Nasty Virus
    AREA: GENERAL (1)

    I've just discovered probably the world's worst computer virus yet. I had just finished a late night session of BBS'ing and file treading when I exited Telix 3 and attempted to run pkxarc to unarc the software I had downloaded. Next thing I knew my hard disk was seeking all over and it was apparently writing random sectors. Thank god for strong coffee and a recent backup. Everything was back to normal, so I called the BBS again and downloaded a file. When I went to use ddir to list the directory, my hard disk was getting trashed again. I tried Procomm Plus TD and also PC Talk 3. Same results every time. Something was up so I hooked up to my test equipment and different modems (I do research and development for a local computer telecommunications company and have an in-house lab at my disposal). After another hour of corrupted hard drives I found what I think is the world's worst computer virus yet. The virus distributes itself on the modem sub-carrier present in all 2400 baud and up modems. The sub-carrier is used for ROM and register debugging purposes only, and otherwise serves no othr (sp) purpose. The virus sets a bit pattern in one of the internal modem registers, but it seemed to screw up the other registers on my USR. A modem that has been "infected" with this virus will then transmit the virus to other modems that use a subcarrier (I suppose those who use 300 and 1200 baud modems should be immune). The virus then attaches itself to all binary incoming data and infects the host computer's hard disk. The only way to get rid of this virus is to completely reset all the modem registers by hand, but I haven't found a way to vaccinate a modem against the virus, but there is the possibility of building a subcarrier filter. I am calling on a 1200 baud modem to enter this message, and have advised the sysops of the two other boards (names withheld). I don't know how this virus originated, but I'm sure it is the work of someone in the computer telecommunications field such as myself. Probably the best thing to do now is to stick to 1200 baud until we figure this thing out.

    Mike RoChenle

This bogus virus description spawned a humorous alert by Robert Morris III:

    Date: 11-31-88 (24:60)          Number: 32769
    To: ALL                         Refer#: NONE
    From: ROBERT MORRIS III         Read: (N/A)
    Subj: VIRUS ALERT               Status: PUBLIC MESSAGE

    Warning: There's a new virus on the loose that's worse than anything I've seen before! It gets in through the power line, riding on the powerline 60 Hz subcarrier. It works by changing the serial port pinouts, and by reversing the direction one's disks spin. Over 300,000 systems have been hit by it here in Murphy, West Dakota alone! And that's just in the last 12 minutes.

    It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac, RSX-11, ITS, TRS-80, and VHS systems.

    To prevent the spread of the worm:

    1) Don't use the powerline.
    2) Don't use batteries either, since there are rumors that this virus has invaded most major battery plants and is infecting the positive poles of the batteries. (You might try hooking up just the negative pole.)
    3) Don't upload or download files.
    4) Don't store files on floppy disks or hard disks.
    5) Don't read messages. Not even this one!
    6) Don't use serial ports, modems, or phone lines.
    7) Don't use keyboards, screens, or printers.
    8) Don't use switches, CPUs, memories, microprocessors, or mainframes.
    9) Don't use electric lights, electric or gas heat or air conditioning, running water, writing, fire, clothing or the wheel.

    I'm sure if we are all careful to follow these 9 easy steps, this virus can be eradicated, and the precious electronic fluids of our computers can be kept pure.

    ---RTM III

Since that time virus hoaxes have flooded the Internet. With thousands of viruses worldwide, virus paranoia in the community has risen to an extremely high level. It is this paranoia that fuels virus hoaxes. A good example of this behavior is the "Good Times" virus hoax which started in 1994 and is still circulating the Internet today. Instead of spreading from one computer to another by itself, Good Times relies on people to pass it along.


How to Identify a Hoax

There are several methods to identify virus hoaxes, but first consider what makes a successful hoax on the Internet. Two known factors make a virus hoax successful: (1) technical-sounding language, and (2) credibility by association. If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this, it sounds like it might be something real. With a little research, you find that there is no such thing as an nth-complexity infinite binary loop and that processors are designed to run loops for weeks at a time without damage.

When we say credibility by association we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations.

Individuals should also be especially alert if the warning urges you to pass it on to your friends. This should raise a red flag that the warning may be a hoax. Another flag to watch for is when the warning indicates that it is a Federal Communications Commission (FCC) warning. According to the FCC, they have not and never will disseminate warnings on viruses. It is not part of their job.


Validate a Warning

CIAC recommends that you DO NOT circulate virus warnings without first checking with an authoritative source. Authoritative sources are your computer system security administrator or your computer incident advisory team. Real warnings about viruses and other network problems are issued by different response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP. If you download a warning from a team's web site or validate the PGP signature, you can usually be assured that the warning is real. Warnings without the name of the person sending the original notice, or warnings with names, addresses and phone numbers that do not actually exist are probably hoaxes.

Another area of concern is Internet chain letters that may or may not be true. For more information on Internet chain letters reference http://ciac.llnl.gov/ciac/CIACChainLetters.html.
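The mechanical red flags named above (a plea to forward the message, an FCC attribution, no PGP signature block, no return address) can be checked automatically before a person judges the rest. The following is an added example, not CIAC code; the regular expressions, the flag names and the sample bulletin are assumptions made for illustration.

```python
import re

# The two content red flags from the text; the regexes are illustrative assumptions.
RED_FLAGS = {
    "urges_forwarding": re.compile(
        r"\b(send|forward|pass)\s+(it|this(\s+(letter|message|warning))?)\s+(on\s+)?"
        r"to\s+(as\s+many\s+people|(all\s+(of\s+)?)?your\s+friends|everyone)", re.I),
    "claims_fcc_source": re.compile(
        r"\bFCC\b|\bFederal\s+Communications?\s+Commission\b", re.I),
}
# A clearsigned advisory carries both armor markers; presence is not verification.
PGP_CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----.*?-----BEGIN PGP SIGNATURE-----"
    r".*?-----END PGP SIGNATURE-----", re.S)
CONTACT = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def triage_warning(text):
    """Return (flags, action) for a virus warning received by e-mail."""
    flags = [name for name, rx in RED_FLAGS.items() if rx.search(text)]
    if not PGP_CLEARSIGN.search(text):
        flags.append("no_pgp_signature_block")
    if not CONTACT.search(text):
        flags.append("no_return_address")
    # Jargon and borrowed credibility cannot be matched by pattern; a person judges those.
    action = ("verify_signature_before_trusting" if not flags
              else "do_not_forward_send_to_security_manager")
    return flags, action


# Excerpt of the AOL4FREE hoax quoted on this page.
AOL4FREE_HOAX = """VIRUS ALERT!!! DON'T OPEN E-MAIL NOTING "AOL4FREE"
Anyone who receives this must send it to as many people as you can.
Within seconds of opening it, a window appeared and began to display my
files that were being deleted."""

# Constructed sample: layout of a clearsigned bulletin; the signature is a placeholder.
SIGNED_BULLETIN = """-----BEGIN PGP SIGNED MESSAGE-----

Example Response Team bulletin (constructed). Contact: irt@example.org
A Trojan horse program named EXAMPLE.COM deletes files when it is run.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----"""

# Constructed sample of the FCC attribution the text warns about.
FCC_RUMOR = "The FCC released a warning last Wednesday about a new virus."

if __name__ == "__main__":
    for name, msg in [("hoax", AOL4FREE_HOAX), ("signed", SIGNED_BULLETIN),
                      ("fcc", FCC_RUMOR)]:
        print(name, triage_warning(msg))
```

A message with no flags has only earned a signature check; the armor markers can be typed by anyone.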


What to Do When You Receive a Warning

Upon receiving a warning, you should examine its PGP signature to see that it is from a real response team or antivirus organization. To do so, you will need a copy of the PGP software and the public signature of the team that sent the message. The CIAC signature is available at the CIAC home page: http://ciac.llnl.gov/. You can find the addresses of other response teams by connecting to the FIRST web page at: http://www.first.org. If there is no PGP signature, see if the warning includes the name of the person submitting the original warning. Contact that person to see if he/she really wrote the warning and if he/she really touched the virus. If he/she is passing on a rumor, or if the address of the person does not exist, or if there is any question about the authenticity of the warning, do not circulate it to others. Instead, send the warning to your computer security manager or your incident response team and let them validate it. When in doubt, do not send it out to the world.

In addition, most anti-virus companies have a web page containing information about most known viruses and hoaxes. You can also call or check the web site of the company that produces the product that is supposed to contain the virus. Checking the PKWARE site for the current releases of PKZip would stop the circulation of the warning about PKZ300 since there is no released version 3 of PKZip. Another useful web site is the "Computer Virus Myths home page" (http://www.kumite.com/myths/) which contains descriptions of several known hoaxes. In most cases, common sense would eliminate Internet hoaxes.
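The signature check described above only validates a warning if the signing key is the one obtained from the response team itself, since anyone can create a key bearing a team's name. The following is an added example, not CIAC code: it assumes GnuPG as the PGP software and reads its machine-readable `--status-fd` output; the pinned fingerprint, key IDs and status lines are constructed placeholders.

```python
import subprocess

# Assumptions: GnuPG stands in for "the PGP software", and PINNED_FPR is a
# constructed placeholder for the fingerprint published on the team's own site.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def judge_status(status_text, pinned_fpr=PINNED_FPR):
    """Decide from `gpg --status-fd` output whether a warning is validated."""
    good, fprs, problems = False, set(), []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First argument is the signing key's fingerprint, last the primary key's.
            fprs.update((args[0], args[-1]))
        elif keyword in FAILURES:
            problems.append(keyword)
    if problems:
        return False, "signature problem: " + ", ".join(problems)
    if not good or not fprs:
        return False, "no valid signature"
    if pinned_fpr not in fprs:
        return False, "valid signature, but not from the pinned key"
    return True, "validated"


def verify_file(path):
    """Run gpg on a saved clearsigned warning (requires gpg and the team's key)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True)
    return judge_status(proc.stdout)


# Constructed status output; key IDs, names and fingerprints are placeholders.
FROM_TEAM = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Response Team <irt@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 1998-04-22 893203200 0 4 0 1 8 01 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Same display name, different key: cryptographically valid, still not the team.
FROM_STRANGER = FROM_TEAM.replace(
    PINNED_FPR, "FEDCBA9876543210FEDCBA9876543210FEDCBA98").replace(
    "89ABCDEF01234567", "76543210FEDCBA98")
KEY_MISSING = """[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 01 893203200 9 -
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""
```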



UCRL-MI-119788

CIAC Web Server / CIAC / webmaster@ciac.org