Virus hoaxes

This is a discussion of hoax warning emails. They look rather like this:

How do I tell it's a hoax?
First and foremost, antivirus vendors do not use broadcast email as a means to advise of new viruses, and they never use email to distribute removal tools. They do post advisories on their websites. AV companies can react within hours to new exploits, and updates can be coded, released and propagated vastly quicker than any email chain. AV companies also share data. If you are worried, the first thing to do is to update your antivirus definitions and (if you use Windows) run Windows Update.

Always check the websites and the hoax lists before letting people know. There is nothing wrong with letting people know if you think you have a virus - as long as you're reasonably sure (see below); any email which claims to be a virus alert and asks you to execute an attachment, delete files, or send it on, is almost certainly a hoax. I subscribe to three of the major antivirus vendors' mailing lists and have never yet been sent a virus warning in this way. If you want to receive updates of valid internet threats your best bet is to sign up to your antivirus vendor's mailing list and possibly the CERT Advisory Mailing List at http://www.cert.org/contact_cert/certmaillist.html (warning - technical content!).

This doesn't apply only to email about viruses, by the way - our school once passed on a hoax warning about children's toy tattoos soaked in LSD which had all the familiar hallmarks. Remember, too, that virus writers can use known hoaxes to their advantage. AOL4FREE started life as a hoax virus warning, but a malicious trojan was later attached.

Common signs of a hoax include:


 * it claims the authority of a trusted source, but never arrives to you directly from that source (although cunning address spoofing is not unknown)
 * it warns of some specific dire consequences
 * it contains spelling errors
 * the call to action includes "forward this to everyone you know"
 * it claims that antivirus software cannot remove the infection so you must delete a file or files
 * it asks you to execute an attachment to disinfect your machine

If in doubt check your antivirus vendor's website - for example http://vil.mcafee.com/hoax.asp (a list of hoaxes - there are rather a lot).
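
The signs listed above can be turned into a rough triage check for a mail filter or helpdesk queue. This is an added example, not part of the original page: the patterns, the vendor-to-domain map and the sample messages are assumptions constructed for illustration, and the spelling-error sign is left out because it needs a dictionary.

```python
import re

# Assumed map of vendor name -> domain its genuine mail comes from (extend locally).
VENDOR_DOMAINS = {"mcafee": "mcafee.com", "symantec": "symantec.com"}

# One pattern per hallmark from the list; the wording is an assumption, not a standard.
SIGNS = {
    "dire consequences": r"\b(destroy|erase|wipe|delete)s?\b.{0,40}\b(hard (disk|drive)|all (your )?files)",
    "forward to everyone": r"\b(forward|send|pass)\b.{0,40}\b(everyone|everybody|all your (friends|contacts))",
    "antivirus cannot remove it": r"\b(norton|mcafee|anti-?virus)\b.{0,60}\b(can(no|')t|unable to)\b.{0,20}\b(detect|remove)",
    "delete a file yourself": r"\b(delete|remove)\b.{0,40}\b[\w-]+\.(exe|dll|com|vbs)\b",
    "run the attachment": r"\b(run|open|execute|install)\b.{0,40}\b(attach(ed|ment)|enclosed)",
}
# Phrases that invoke a named source; group 2 is the name that follows.
CLAIM = re.compile(r"\b(according to|announced by|confirmed by|reported by)\s+(\w+)", re.I)

def hoax_signs(sender, body):
    """Return the names of the hallmarks found in one message."""
    hits = [name for name, rx in SIGNS.items() if re.search(rx, body, re.I | re.S)]
    # The From address can be spoofed, so a matching domain proves little;
    # a mismatch between the claimed vendor and the sender is still a sign.
    sender_domain = sender.rsplit("@", 1)[-1].lower().strip("> ")
    for m in CLAIM.finditer(body):
        domain = VENDOR_DOMAINS.get(m.group(2).lower())
        if domain and sender_domain != domain and not sender_domain.endswith("." + domain):
            hits.append("claims a vendor's authority but was not sent by it")
            break
    return hits

# Constructed sample messages (not real mail).
HOAX = ("URGENT VIRUS WARNING! This was announced by McAfee yesterday. "
        "The virus will erase your entire hard drive. Norton cannot detect it, "
        "so you must delete the file example.exe by hand. "
        "Please forward this to everyone you know!")
ADVISORY = "Advisory reported by McAfee: update your definitions from our website."

if __name__ == "__main__":
    for sign in hoax_signs("friend@example.org", HOAX):
        print("-", sign)
```

A single hit is weak evidence on its own; several together match the pattern this page describes.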

Warning: Sometimes there will be a link in the message which purports to be back to an antivirus vendor's website, but which actually links to a similar-looking domain and a virus (this is a particular favourite with writers of trojans, which reset your PC to use a premium rate number to dial the Internet). If your email says it comes from an antivirus vendor, then go directly to their public website and find the file from the links there. Never click a link in an email unless you are 100% certain of the source.
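
A mail gateway or a curious recipient can check where the links in such a message really lead before anyone follows them. This is an added example, not part of the original page: the vendor domain `av-vendor.example`, the look-alike hosts and the HTML sample are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _belongs_to(host, domain):
    # Exact match or a true subdomain; a substring test would accept look-alikes.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def suspicious_links(html_body, vendor_domain):
    """Return (href, reason) for each link that does not lead to vendor_domain."""
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        try:
            host = urlsplit(href).hostname
        except ValueError:          # malformed URL: treat as not the vendor
            host = None
        if _belongs_to(host, vendor_domain):
            continue
        shown = vendor_domain in text.lower()
        findings.append((href, "text names the vendor, target is elsewhere" if shown
                         else "target is not the vendor's domain"))
    return findings

# Constructed sample body: one genuine link, two that only look like the vendor.
SAMPLE = ('<p>Get the removal tool from '
          '<a href="http://www.av-vendor.example/tools">our site</a>, or '
          '<a href="http://www.av-vend0r.example/fix.exe">www.av-vendor.example/fix</a>, or '
          '<a href="http://av-vendor.example.downloads.test/fix.exe">the mirror</a>.</p>')

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE, "av-vendor.example"):
        print(href, "->", reason)
```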

I just got a delivery failure from someone I don't know!
One of the ways virus worms propagate is by sucking addresses out of Outlook address books and using a random one as the sender address when forwarding the infection. If you get unread reports from someone you don't remember emailing, delete them unread. Whatever you do, never execute any attachment in such a message!

But I want to tell people anyway, just to be on the safe side
I don't advocate sending these things on, as I have yet to see a "tell everyone you know" mail which was not a hoax. Or a joke. Like the "Honor Virus", which says: "Our programmers missed the deadline with the actual virus, so we're basing this on the honor system. Please send this virus on to fifty of your friends, then immediately delete all the files on your hard disk. Thank you." Having stayed in continental hotels with "honour bars" that appealed to me :-)

As a matter of good practice, when mailing something to your entire address book it is a good idea to use the Blind Copy (bcc) field. Send the message to yourself and put the whole world in the bcc field. This has two effects: first it hides other people's addresses from the recipients, and second it means that people who click Reply All will still only reply to you. It also reduces the chances of all your friends ending up in someone else's Outlook or Outlook Express address book and receiving the latest mass mailer worm.

Personally, I wouldn't start from here!
The best thing is not to get infected in the first place. Use a proper antivirus tool (Symantec's Norton Antivirus, McAfee's VirusScan, AVG or whatever). And keep the virus definitions up to date. All the best tools have a built-in mechanism to do this; make sure it's working - and then go to http://www.eicar.org/ and check that your virus engine is working by downloading the eicar test file. And when you fire up your computer make sure the little icon in the system tray shows that the virus checker is working.

If you have an email protection option in your antivirus software, turn your virus checker off, send yourself the eicar test file, turn the virus checker back on and verify that your virus checker picks up and removes the file as you check your mail.

New viruses are usually responded to very quickly - often within 24 hours. The ominous "Norton can't detect this" is inherently unbelievable. You can be confident that it would be a Big Deal if someone wrote a virus which the major vendors couldn't catch, and it would be front page news on CERT, the antivirus vendors' websites, Slashdot (http://slashdot.org - try reading that out!) and probably the BBC as well.

I also recommend a personal firewall - you will be amazed at how short the interval is between connecting to the internet and people starting to probe your computer. Good ones are Zone Labs' ZoneAlarm and Tiny Software's Tiny Personal Firewall. If you are in any doubt about this I advise you go to Steve Gibson's website and check out ShieldsUP! and (if you use Windows XP) XPDite!.