Cybermed Update May 2001

Computer Viruses, Hoaxs and Chain Letters

The best way to keep children home is to make the home atmosphere pleasant--and let the air out of the tires.

Dorothy Parker (1893 - 1967)

Recently there had been a spate of emails warning of viruses in your computer, how to find it, clean it and a request to pass on this warning to your friends. It went on to say that McAfee and Norton the top anti-virus software companies could do nothing of it. Were you not suspicious?? I was and the so called SULFNBK.EXE file in windows although it existed in the directory, was not a virus but a hoax. This article will help you (hopefully) decide if future messages or attachments is a virus or a hoax. I am no expert in IT particularly in eviruses so I have "taken" the information off various sites. The source is mentioned.

What is a Computer Virus (Source: ) (Down)

While there is no widely-accepted definition of the term computer virus, the following loose definition should suffice: A computer virus is executable code that, when run by someone, infects or attaches itself to other executable code in a computer in an effort to reproduce itself. Some computer viruses are malicious, erasing files or locking up systems; others merely present a problem solely through the act of infecting other code. In either case, though, computer virus infections should not go untreated.

Closely related to computer viruses are Trojan Horses and worms. A Trojan Horse is a program that performs some undesired yet intended action while, or in addition to, pretending to do something else. One common class of trojans are fake login programs - collecting accounts and passwords by prompting for this info just like a normal login program does. Another is a disk defragger that erases files rather than reorganizing them. A Trojan Horse differs from a virus in that the former does not attempt to reproduce itself. A Worm is just a self-propagating virus. The Internet Worm from November '88 is a famous example.

Viruses come in many shapes and sizes, such as:

File infectors
These viruses attach themselves to regular programs, such as COM or EXE files under DOS. Thus, they are invoked each time the infected program is run.
Cluster infectors
They modify the file system so that they are run prior to other programs. Note that, unlike file infectors, they do not actually attach themselves to programs.
Macro viruses
Word processing documents can serve as sources of transmission for viruses that take advantage of the auto-execution macro capabilities in products such as Microsoft Word. Simply by opening an infected document, the virus, written in a product's macro language, can spread.
System infectors
Computer operating systems typically set aside a portion of each disk for code to boot the computer. Under DOS, this section is called a boot sector on floppies or a master boot record (MBR) for hard disks. System infectors store themselves in this area and hence are invoked whenever the disk is used to boot the system.

A virus must be executed by someone, perhaps unwittingly, in order to spread. Period. Some ways in which this occurs include:

Booting from an infected floppy
System infectors are loaded each time an infected disk is used to boot the system. This can happen even if a disk is not equipped with the files needed to truly boot the computer, as is the case with most floppies. With PCs, the initial infection typically occurs when someone boots - or reboots - a computer with an infected floppy accidentally left in drive A. It is always a good habit to check and remove any floppies that might be in the drives before booting your machine.
Running an infected program
As programs infected with a file infector are run, the virus spreads. For this reason, you should regularly scan for viruses any programs you retrieve from a BBS, the net, a colleague, etc... There are even instances of commercial, shrink-wrapped software that have been infected with viruses!

Virus Detection and Prevention Tips

  1. Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.
  2. Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better be safe than sorry and confirm that they really sent it.
  3. Do not open any files attached to an email if the subject line is questionable or unexpected. If the need to do so is there always save the file to your hard drive before doing so.
  4. Delete chain emails and junk email. Do not forward or reply to any to them. These types of email are considered spam, which is unsolicited, intrusive mail that clogs up the network.
  5. Do not download any files from strangers.
  6. Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.
  7. Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. These updates should be at the least the products virus signature files. You may also need to update the product's scanning engine as well.
  8. Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.
  9. When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the more important of these caveats. Check with your product vendors for updates which include those for your operating system web browser, and email. One example is the security site section of Microsoft located at
  10. If you are in doubt about any potential virus related situation you find yourself in, click here to report a virus.



What Are Internet Hoaxes and Chain Letters? (Source: )

Internet hoaxes and chain letters are e-mail messages written with one purpose; to be sent to everyone you know. The messages they contain are usually untrue. A few of the sympathy messages do describe a real situation but that situation was  resolved years ago so the message is not valid and has not been valid for many years. Hoax messages try to get you to pass them on to everyone you know using several different methods of social engineering. Most of the hoax messages play on your need to help other people. Who wouldn't want to warn their friends about some terrible virus that is destroying people's systems? Or, how could you not want to help this poor little girl who is about to die from cancer? It is hard to say no to these messages when you first see them, though after a few thousand have passed through your mail box you (hopefully) delete them without even looking.

Chain letters are lumped in with the hoax messages because they have the same purpose as the hoax messages but use a slightly different method of coercing you into passing them on to everyone you know. Chain letters, like their printed ancestors, generally offer luck or money if you send them on. They play on your fear of bad luck and the realization that it is almost trivial for you to send them on. The chain letters that deal in money play on people's greed and are illegal no matter what they say in the letter.

The Risk and Cost of Hoaxes

The cost and risk associated with hoaxes may not seem to be that high, and isn't when you consider the cost of handling one hoax on one machine. However, if you consider everyone that receives a hoax, that small cost gets multiplied into some pretty significant costs. For example, if everyone on the Internet were to receive one hoax message and spend one minute reading and discarding it, the cost would be something like:

50,000,000 people * 1/60 hour * $50/hour = $41.7 million

Most people have seen far more than one hoax message and many people cost a business far more than $50 per hour when you add in benefits and overhead. The result is not a small number.

Probably the biggest risk for hoax messages is their ability to multiply. Most people send on the hoax messages to everyone in their address books but consider if they only sent them on to 10 people. The first person (the first generation) sends it to 10, each member of that group of 10 (the second generation) sends it to 10 others or 100 messages and so on.

Generation: 1 2 3 4 5 6
Number of Messages 10 100 1,000 10,000 100,000 1,000,000

As you can see, by the sixth generation there are a million e-mail messages being processed by our mail servers. The capacity to handle these messages must be paid for by the users or, if it is not paid for, the mail servers slow down to a crawl or crash. Note that this example only forwards the message to 10 people at each generation while people who forward real hoax messages often send them to many times that number.

Recently, we have been hearing of spammers (bulk mailers of unsolicited mail) harvesting e-mail addresses from hoaxes and chain letters. After a few generations, many of these letters contain hundreds of good addresses, which is just what the spammers want. We have also heard rumors that spammers are deliberately starting hoaxes and chain letters to gather e-mail addresses (of course, that could be a hoax).  So now, all those nice people who were so worried about the poor little girl dying of cancer find themselves not only laughed at for passing on a hoax but also the recipients of tons of spam mail.

How to Recognise a Hoax

Probably the first thing  you should notice about a warning is the request to "send this to everyone you know" or some variant of that statement. This should raise a red flag that the warning is probably a hoax. No real warning message from a credible source will tell you to send this to everyone you know.

Next, look at what makes a successful hoax. There are two known factors that make a successful hoax, they are:

(1)  technical sounding language.
(2)  credibility by association.

If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this, it sounds like it might be something real. With a little research, you find that there is no such thing as an nth-complexity infinite binary loop and that processors are designed to run loops for weeks at a time without damage.

When we say credibility by association we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations. 

Both of these items make it very difficult to claim a warning is a hoax so you must do your homework to see if the claims are real and if the person sending out the warning is a real person and is someone who would know what they are talking about. You do need to be a little careful verifying the person as the apparent author may be a real person who has nothing to do with the hoax. If thousands of people start sending them mail asking if the message is real, that essentially constitutes an unintentional denial of service attack on that person. Check the person's web site or the person's company web site to see if the hoax has been responded to there. Check these pages or the pages of other hoax sites to see if we have already declared the warning a hoax.

Hoax messages also follow the same pattern as a chain letter (see below).

Recognise a Chain Letter

Chain letters and most hoax messages all have a similar pattern. From the older printed letters to the newer electronic kind, they all have three recognizable parts:

The Hook

First, there is a hook, to catch your interest and get you to read the rest of the letter. Hooks used to be "Make Money Fast" or "Get Rich" or similar statements related to making money for little or no work. Electronic chain letters also use the "free money" type of hooks, but have added hooks like "Danger!" and "Virus Alert" or "A Little Girl Is Dying". These tie into our fear for the survival of our computers or into our sympathy for some poor unfortunate person.

The Threat

When you are hooked, you read on to the threat. Most threats used to warn you about the terrible things that will happen if you do not maintain the chain. However, others play on greed or sympathy to get you to pass the letter on. The threat often contains official or technical sounding language to get you to believe it is real.

The Request

Finally, the request. Some older chain letters ask you to mail a dollar to the top ten names on the letter and then pass it on. The electronic ones simply admonish you to "Distribute this letter to as many people as possible." They never mention clogging the Internet or the fact that the message is a fake, they only want you to pass it on to others.

Chain letters usually do not have the name and contact information of the original sender so it is impossible to check on its authenticity. Legitimate warnings and solicitations will always have complete contact information from the person sending the message and will often be signed with a cryptographic signature, such as PGP to assure its authenticity. Many of the newer chain letters do have a person's name and contact information but that person either does not really exist or does exist but does not have anything to do with the hoax message. As mentioned in the previous section,  try to use other means than contacting the person directly to find out if the message is a hoax. Try the person's web page, the person's company web page, or this and other hoax sites first to see if the message has already been declared a hoax.

For example, the PENPAL GREETINGS! hoax shown below appears to be an attempt to kill an e-mail chain letter. This chain letter is a hoax because reading a text e-mail message does not execute a virus nor does it execute any attachments; therefore the Trojan horse must be self starting. Aside from the fact that a program cannot start itself, the Trojan horse would have to know about every different kind of e-mail program to be able to forward copies of itself to other people. We have had to modify this statement slightly for the newer html mail readers. If a mail message is formatted with html and contains scripts, those scripts will run when the e-mail message is read. Active scripting should always be turned off for a mail reader so that malicious code like the KAK worm cannot automatically run.

Notice the three parts of a chain letter, which are easy to identify in this example.

The Hook


       Subject:  Virus Alert
       Importance:  High
       If anyone receives mail entitled: PENPAL GREETINGS! please delete it WITHOUT 
       reading it.  Below is a little explanation of the message, and what it would 
       do to your PC if you were to read the message.  If you have any questions or 
       concerns please contact  SAF-IA Info Office on 697-5059.

The Threat

       This is a warning for all internet users - there is a dangerous virus 
       propogating across the internet through an e-mail message entitled "PENPAL 
       This message appears to be a friendly letter asking you if you are 
       interested in a penpal, but by the time you read this letter, it is too late.  
       The "trojan horse" virus will have already infected the boot sector of your hard 
       drive, destroying all of the data present.  It is a self-replicating virus, 
       and once the message is read, it will AUTOMATICALLY forward itself to anyone 
       who's e-mail address is present in YOUR mailbox!
       This virus will DESTROY your hard drive, and holds the potential to DESTROY 
       the hard drive of anyone whose mail is in your inbox, and who's mail is in 
       their inbox, and so on.  If this virus remains unchecked, it has the potential 
       to do a great deal of DAMAGE to computer networks worldwide!!!!
       Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it!

The Request

       And pass this message along to all of your friends and relatives, and the
       other readers of the newsgroups and mailing lists which you are on, so that 
       they are not hurt by this dangerous virus!!!!

Validating a Warning

CIAC recommends that you DO NOT circulate  warnings without first checking with an authoritative source. Authoritative sources are your computer system security administrator, your computer incident handling team, or your antivirus vendor. Real warnings about viruses and other network problems are issued by computer security response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP. If you download a warning from a team's web site or validate the PGP signature, you can usually be assured that the warning is real. Warnings without the name of the person sending the original notice, or warnings with names, addresses and phone numbers that do not actually exist are probably hoaxes. Warnings about new malicious code are also available at the antivirus vendors sites and at the operating system's vendor site.

What to Do When You Receive a Warning

Upon receiving a warning, you should examine its PGP signature to see that it is from a real response team or antivirus organization. To do so, you will need a copy of the PGP software and the public signature of the team that sent the message. The CIAC signature is available at the CIAC home page: .You can find the addresses of other response teams by connecting to the FIRST web page at: If there is no PGP signature, check at this and other hoax sites to see if the warning has already been declared as a hoax. If you do not find the warning at the hoax sites, it just may mean that we have not yet seen this particular hoax. See if the warning includes the name of the person submitting the original warning. If it does, see if you can determine if the person really exists. If they do, don't send them an e-mail message. It is likely that they have nothing to do with this hoax and thousands of people sending them questions will be just as damaging to them as sending around the hoax message. Instead, check their personal or company web site. Often if a person has been the brunt of a hoax, that hoax message will be debunked on the person's company web site. If you still cannot determine if a message is real or a hoax, send it to your computer security manager, your ISP, or your incident response team and let them validate it.

When in Doubt, Don't Send It Out.

In addition, most anti-virus companies have a web page containing information about most known viruses and hoaxes. You can also call or check the web site of the company that produces the product that is supposed to contain the virus. Checking the PKWARE site for the current releases of PKZip would stop the circulation of the warning about PKZ300 since there is no released version 3 of PKZip. Other useful virus and hoax sites are listed on our Other Hoax Sites pages. In most cases, common sense would eliminate Internet hoaxes.

For a list of resources that might be useful for dealing with computer viruses, hoaxs and chain letters go to CERT Coordination Centre and see other computer virus resources. (

Locations of visitors to this page

With that I let your "mouse" or your "keyboard" do the "talking".

Till next month, "Happy Surfing".

Cyberdoc ( )

The links to URL mentioned above are valid at the time of writing (9 June 2001).

Updated 15 January 2006.

This page can be accessed at or at

Vads Corner Homepage ( )