Don't fall for virus hoaxes
Originally posted on June
They get you coming and going...
They're not as directly dangerous
as viruses, but e-mail hoaxes could end up costing your company
more money. Wayne Rash tells you how easily hoaxes slip through
your firewall--and how you can halt them.
By Wayne Rash, Enterprise
You've almost certainly received
an e-mail warning you about a new virus. You know the type--one
of those mass e-mails containing warnings of all sorts of dire
things that can happen if the described virus or worm gets loose
on your system. The e-mail goes on to list the name of the offending
file, and tells you that all you need to do is delete the file,
and the threat will be gone.
So you check your system, and sure enough, there in the Windows
directory is the very file the e-mail warned you about. You wonder
briefly why your antivirus software didn't pick up this one,
but then you remember that the letter said that this one was
so clever that antivirus software couldn't detect it. Guess you'd
better delete it, right?
Wrong. If you actually do delete
the file, you could very easily spend the next couple of hours
reinstalling Windows. And that, of course, is why the antivirus
software didn't issue an alert. The e-mail was a hoax, and if
you follow its instructions, you could delete an important Windows
file--one that's supposed to be there.
"Hoaxes are almost a bigger
problem than viruses," notes Roger Thompson, technical director
of malicious code research for the ICSA in Herndon, Virginia.
He notes that it's a lot easier to create a good hoax than it
is to create a good virus. And antivirus software, obviously,
can't detect a hoax. So these hoaxes usually get through.
As a result, enormous amounts
of company resources are used up in dealing with hoaxes. Employees
spend time sending the messages to others, some waste time looking
for and deleting the offending files, and time is also spent
restoring users' computers after they've deleted those files.
Right now, the hot hoax is one
that warns of a file on your computer called JDBGMGR.EXE, which
an e-mail claims will invade your computer, lie dormant for two
weeks, and then release a worm. In reality, this is a file that
allows Windows to use Java. If you erase it, you won't be able
to use Java.
Making matters more complicated,
JDBGMGR.EXE is a file that is sometimes sent out in infected
form by the MAGISTR virus, meaning that you could find it as
an attachment in an e-mail. The result is even more complicated;
in one case, you don't want to erase the file (when it's on your
hard disk) but in another case, you do (when it's in an e-mail).
You can imagine how much fun the support desk is having with
In some ways, JDBGMGR.EXE is
similar to the granddaddy of virus hoaxes--the "Goodtimes"
virus of seven years ago. If activated, this virus was supposed
to execute code that would cause your CPU to overheat and fail.
Aside from the fact that you can't do that with software (at
least not the way the e-mail described it) there was simply nothing
to it. But for months, thousands of people were searching for
anything named "Goodtimes."
That hoax was complicated by
two things. In those days, Microsoft shipped a music video on
the Windows CD called "Goodtimes." So people were freaking
out when they found what they thought was a virus on their operating
system CD where it couldn't be erased. Then, a few months later,
somebody actually did release a virus called "Goodtimes."
By then, most people had learned that Goodtimes wasn't a virus.
So they didn't treat it as one. Imagine the consternation.
The answer to the chaos caused
by these hoaxes isn't all that easy, but you should start by
making sure your employees know that such things exist. Maybe
that will help them learn not to believe everything they read
in e-mail. The next thing you should do is appoint someone to
be the hoax point of contact. Then, when people receive warnings,
real or imagined, about viruses, you have someone who can actually
investigate and tell whether it's real. Remember, if a hoax requires
as many resources as fixing a virus does, there's not much practical
difference. It might as well be a real virus.