Korova Multimedia


About the "Hoax du Jour"

The "Hoax du Jour" is a recurring column providing updated information and commentary on the Internet community. It is a feature of Korova Multimedia's "e-v-mail" page.

What is a "hoax du jour?" With the advent of widespread use of the Internet as a medium for sharing information, the phenomenon of sharing misinformation has exploded. Conventional urban folklore and propaganda have blossomed on the Internet. Intentionally misleading information is broadcast on a professional and personal level.

On the Web, misinformation wants to be free. It also likes to be free of authenticity and corroboration, when such grounding deflates the credibility of the content.

The result? Naive users of the Internet are subjected to a daily barrage of data that are erroneous, slanderous, and sometimes even destructive. This page is dedicated to discussing intentional misinformation, or 'Net hoaxes.

Disclaimer The opinions expressed here are entirely my own, and do not reflect policy or intentions of any persons, groups or companies referred to or linked from this site. I, my guest writers, or Korova Multimedia are not responsible for content or sites linked to from the "Hoax du Jour" column.


January 3, 1999     

Not all Internet virus hype and deception (intentional and otherwise) comes from the grass roots, and dark, anonymous sources on the Net. Anyone who remembers the mass-media hysteria surrounding the Michelangelo virus scare of 1992 can attest to the kind of inertia that can sweep common sense and reason into the bit bucket. As documented by Rob Rosenberger on his Computer Virus Myths home page, McAfee Associates (now Network Associates) had a key role in getting the news media whipped up into a paranoid fury about a computer virus threat that turned out to be a minimal risk. (Read more about the Michelangelo virus scare on the Computer Virus Myths and Crypt Newsletter sites.)

Since that ignominious incident, McAfee and Symantec (makers of Norton AntiVirus) have repeatedly demonstrated a canny manipulation of a naïve press corps in favor of wailing Chicken Little-style, all in the name of selling more copies of their antivirus software.

Just in time for Christmas 1998, Network Associates again played the "alert" press release game, warning the entire industry of "the most destructive virus ever seen."

Network Associates home page image

"A serious scare for anyone who surfs the 'Net"

"I don't think it's hyperbole to call this an information time bomb."

Gene Hodges
Network Associates

According to various reports, a new virus called "Remote Explorer" (or RICHS) was discovered on MCI WorldCom computers on or about December 17, 1998. When the executable is run by an administrator-level account, it installs itself as a Windows NT service, infects other executables and replicates itself to other NT systems in the background. Once it infects a system, it loads itself into memory as a "service" (IE403R.SYS, or TASKMGR.SYS), and randomly encrypts folders, executables, and ASCII files, rendering them useless. Ouch. It's rather large by virus standards, 120 kilobytes, with an associated DLL (dynamic link library) to support it. Although the virus might be stored or passed through Windows 95/98, Unix, and Netware systems, it appears to become active only on Windows NT Server and Workstation. (See some of my tips for a more secure NT environment.)

Early December 21, Network Associates managers went public with the story, "working the phones" to warn customers (and reporters, naturally) of a new virus that recently attacked a "Fortune 100" client. A press conference was scheduled for 4:30 PM PT.

In an initial story on PC Week Online (December 21, 10:57 AM PT), Jim Kerstetter reported, "The computer network of a Fortune 100 company was obliterated last week by a new virus that one official [Hodges] called 'the first legitimate incident of cyber-terrorism' he had ever seen."

Although Hodges declined to name the attacked company, he said 10 sites and several thousand servers and workstations had been infected. It was also unclear whether the virus was downloaded from the Internet or planted on a server internally.

Jim Kerstetter
PC Week Online

(As an interesting anomaly, the HTML version of this report, dated 12:45 AM ET -- one hour earlier -- identifies MCI WorldCom instead of "a Fortune 100 company." In this version, Hodges states "... it's clear as to how it was first planted and how it spreads and that this person was very knowledgeable of network administration features....")

By the time of the scheduled press conference, it was public knowledge that MCI had been the victim. A story by Kerstetter on ZDNET (4:43 PM PT) starts with the bylines "Self-replicating NT virus obliterates MCI/WorldCom's network. Will it spread?" and "A massive, hybrid virus attacked MCI WorldCom, taking down its servers and scrambling data last week."

Not to be outdone, local broadcast journalists took to the air with a tale of danger well-suited for a Bruce Willis potboiler. In a live story that aired locally at 6:00 PM (available on the Web as a RealVideo file), KRON-TV's Pete Wilson announced that MCI WorldCom was "under very real attack this evening." KRON couldn't resist using the Internet as a loaded buzzword to get viewers' attention: "It's a serious scare for just about anyone who surfs the 'Net."

"We're not talking about a single company here, but one of the Internet's most important backbones."

"This has all the markings of what could've been the most destructive event yet for the Internet..."

"This past weekend dozens of computer security and encryption experts frantically tried to contain a vicious new software virus that could've literally destroyed the Internet..."

Jim Goldman
KRON-TV High Tech Business reporter
NewsCenter4 at 6:00 pm - Dec 21, 1998

To further dramatize his report, Goldman included a film clip from the Dustin Hoffman film, Outbreak, in which an Ebola-like virus threatens to decimate the United States. Huh? It must've played well in the editing room. Anchorman Pete Wilson shook his head at the end of the story, muttering, "Scary stuff."

In a story the following morning for the San Francisco Chronicle ("Network Associates Says Killer Virus Hit MCI WorldCom"), Benny Evangelista quoted Network Associates as stating that Remote Explorer is the "most destructive virus ever seen." Peter Watkins, general manager for Network Associates' security division, tempered the alarm by saying, "It does represent an entirely new kind of virus, but at this point, there's no reason to panic." Remote Explorer, he continued, "is the first one that is really targeted at attacking a network environment."

The early bird gets ... The Worm

Actually, it's NOT the first, as any credible programmer or computer security expert knows. Network worms have been around for quite some time, at least since Robert T. Morris' infamous Internet Worm (November 2, 1988). Morris was known for his concern about Internet security weaknesses (in February, 1985, he published "A Weakness in the 4.2BSD UNIX TCP/IP Software"), and he apparently wrote the Internet Worm in 1988 to demonstrate these. As a demonstration of the Internet's security weaknesses, his worm was surprisingly successful. Nicknamed "The Great Worm," it provided a watershed event in the evolution of the Internet, and computer security law.

I hate to spoil a good story with boring ol' facts, but I have to wonder why a security expert at Network Associates would overlook this new bug's resemblance to a network worm. The coincidence of this virus incident at MCI WorldCom occurring circa the 10th anniversary of the Internet Worm ... leads me to suspect more than just a coincidence.

(For an excellent primer on computer security issues, take a look at O'Reilly & Associates' Computer Security Basics. To read more about Morris' Internet Worm, take a look at Thomas Darby and Charles Schmidt's account of the case.)

What, me worry?

From Kerstetter's escalating hysteria ("NT virus obliterates MCI/WorldCom's network"), you'd think that MCI would be irate about their identity being divulged. Quite the contrary: according to the telecommunications giant, the virus was discovered and isolated quite quickly. Jim Monroe of MCI WorldCom, speaking to the Chronicle and others, downplayed the incident: "It had no impact on our customers or our operations." The virus had affected some "thousands" of servers and workstations at 10 sites, and WAN access was halted temporarily to remove the bug, but MCI's Internet services were undisturbed. (A subsequent CERT incident report identified that only 50 servers, and an undetermined number of workstations, had been infected.)

All this hysteria was not without a silver lining, of course. At the end of the day, CNNfn reported, "Network Associates stock soared 6-3/8 to 60-3/8 on the news, cracking a new 52-week high." Imagine that, news of Network Associates "spearheading the effort" to contain the "smart virus" [KRON-TV] actually made their stock price soar.

An unrelated circumstance? Perhaps. But I doubt it.

NETA chart by Quote.Com

Déjà vu?

The warning (in the form of a press release) of a catastrophic virus epidemic has served the antivirus software developer before. Rob Rosenberger wrote an excellent article tracing the mutation of the Michelangelo virus scare of 1992 from a few minor incidents into a full-scale, national media scare-fest. A key component of the hysteria was an exaggerated estimate of the potential damage, attributed to none other than John McAfee. His shareware antivirus program was widely exhibited as a great way to "protect" users' computers from the deadly threat. (I recall that Symantec also released a "special," free version of Norton AntiVirus coded to only look for this specific virus.)

It turned out that the actual damage from Michelangelo was far less than predicted, and a gullible media establishment congratulated itself for helping the public avert an epidemic by spreading the word.

The "computer virus as sales tool" tactic has continued to serve McAfee Associates very well in the years since Michelangelo. In fact, the antagonistic press release has been a primary marketing tool for the antivirus industry, with McAfee and Symantec taking the lead.

In one instance, McAfee's Beta-test division found an obscure ActiveX security flaw in The Norton Utilities 2.0, when used with Microsoft Internet Explorer 3.x. Rather than reporting the weakness to Symantec, McAfee reported the problem to Windows Sources magazine, and provided a test utility that demonstrated the weakness. Symantec almost immediately provided a fix.

But was such extreme alarm necessary? According to Symantec Senior Product Manager Tom Andrus, "To our knowledge, there are no Norton Utilities users in the world that have run into this." In other words, it was almost a non-problem. Symantec complained about Windows Sources providing the test utility on the Web for anyone to download and exploit, and the magazine subsequently removed it from their Web site. It was as if McAfee had concocted a virus to show up a competitor's product weaknesses, then provided the virus to the media, and the computing public.

In a second instance, McAfee's Beta-test division found a heuristic "cheat mode" in Dr. Solomon's AntiVirus Toolkit. In yet another "j'accuse" press release through the PR Newswire, they implied that this function caused the product to produce unrealistic results in tests by reviewers:

"The cheat mode can cause Dr. Solomon's Anti-Virus Toolkit to show inflated virus detection results when the product is being reviewed by trade publications or independent third party testing organizations. McAfee has forwarded its evidence to the National Computer Security Association [NCSA]..."

McAfee Associates press release

Solomon's responded with a press release that confirmed the "heuristic" function, but asserted that reviewers get the exact same product that is sold commercially. After some more "he said, she said" press releases between the two companies, the NCSA released their own statement. The heuristic function "did not and does not affect the NCSA labs present or past certification testing." So there.

There have been other incidents of the "McAfee Media Manipulation" technique. One such tirade against Symantec in 1996 demanded no less than a worldwide recall of Norton Antivirus.

To date, most major antivirus software developers host pages to identify and alert customers to new, deadly viruses (and some host pages about false alarms, as well). Generally, these pages feature convenient links to their latest "virus data" updates, and download links to evaluate their software. It's something akin to insurance companies hosting news pages about disasters.

[Much of this historical background was drawn from articles written by Rob Rosenberger, Computer Virus Myths home page ("McAfee's media-assault tactics," "Stop arguing over Symantecs"), and George Smith, The Crypt Newsletter ("The Little Virus That Didn't!", "The Competition Virus"). Please visit their web sites for continuing news on viruses, antiviruses and virus hoaxes.]

Practice safe hex ... or else!

The reason for all this hubbub must be plain. Advertising doesn't sell antivirus software, news does. There's no better way to advertise your antivirus product than to get your name, your quotes, your frowning "I told you so" face into news reports of the latest, greatest virus incident. Network Associates and Symantec know this, and so use the almighty press release as their most potent marketing tool. They can do this because an uninformed media is anxious to parrot their tales of doom and lost data, without wasting a precious minute doing a little fact-checking or analysis. Only a few reporters actually corroborated the story with independent analysts and experts. (Antivirus developers are often more than happy to provide "independent experts" of their own.)

In the case of the MCI incident, the danger is far less than some members of the press led the public to believe. (Trust me, the Internet IS NOT in danger of being destroyed. It was designed to withstand a nuclear attack.) Based on previous experience, and some of the quotes attributed to Gene Hodges and Peter Watkins, it's clear that once again Network Associates has used the computer virus incident, and the subsequent press release, as an effective sales tool, either to move product, or simply boost their stock value.

There's only one thing truly frightening about this event: the tactic worked. Within a few days, Network Associates stock value climbed 22%.

"Scary stuff."


January 31, 1999     

Inter@ctive Week ascertained that MCI WorldCom Inc. dismissed some of their technical staff a few weeks before the discovery of the Remote Explorer virus.

January 5, 1999 5:09 PM ET

... Making the holidays less cheery was the MCI WorldCom Inc. "Remote Explorer" virus. But it was still probably a happier occurrence than the message that 2,000 MCI WorldCom (www.mciworldcom.com) network and technical employees received just a few weeks before the virus broke out: They were out of a job. Spokeswoman Sehra Eusufzai says the company has no comment, and the company is still investigating the bug as of today. Maybe MCI needs to make sure its fired Web-heads clean out their desks just a little bit faster.

I'm not at all skeptical about a connection between the two events, considering the earlier conjecture that this was "an inside job." I'd bet my bottom dollar that a disgruntled soon-to-be ex-employee bit back by planting the virus. Laying off personnel during the Thanksgiving and Christmas holiday seasons is just asking for a swift kick in the WAN.

David Spalding
Updated: 31 January 1999

(A wave of the tricorn to Rob Rosenberger, George Smith, and Jim Tunnicliffe.)

* NT admin tips from Korova Multimedia

  • Only log in as an NT administrator when necessary. Perform daily work as a user.
  • Rename or disable the default administrator account.
  • Give administrator accounts tough passwords, with misspelled words, odd capitalization, unusual acronyms, embedded numbers or special characters.
  • Do not leave administrator accounts logged in for long periods. For programs that need to be run in the background, use Services or the AT scheduling command.
  • Disable ports and services that aren't used. Deinstall network protocols that aren't needed.
  • Review logs regularly.
  • Have ALL users fill out binding user agreements, and keep the documents on file.
  • Disable accounts of employees who are slated to leave. It's mean, yes, but necessary to prevent vengeful theft or sabotage.
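
The following PowerShell is an added example, not part of the original column: it checks an account list and a service list against three of the tips above (default administrator, departing employees, unused services) and flags the two service file names reported for Remote Explorer. The function names, parameters and sample inventory are constructed for illustration; on a current Windows host the inputs would come from `Get-LocalUser` and `Get-CimInstance Win32_Service`.

```powershell
# Added example: audit account and service inventories against the tips above.
# On a live host (PowerShell 5.1+), pass Get-LocalUser and
# Get-CimInstance Win32_Service output instead of the sample data.

function Test-AccountHygiene {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,  # need Name, SID, Enabled
        [string[]] $Leavers = @()                     # accounts slated to leave
    )
    foreach ($a in $Accounts) {
        # The built-in administrator keeps RID 500 even after a rename.
        # 'Administrator' is the English default name.
        if ("$($a.SID)" -match '-500$' -and $a.Enabled -and $a.Name -eq 'Administrator') {
            [pscustomobject]@{ Item = $a.Name; Finding = 'Default administrator enabled and not renamed' }
        }
        if ($a.Enabled -and $Leavers -contains $a.Name) {
            [pscustomobject]@{ Item = $a.Name; Finding = 'Departing employee account still enabled' }
        }
    }
}

function Test-ServiceInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Services,  # need Name, PathName, StartMode
        [string[]] $Approved = @(),                   # services the site actually uses
        # File names the column reports for the Remote Explorer service.
        [string[]] $ReportedFiles = @('IE403R.SYS', 'TASKMGR.SYS')
    )
    foreach ($s in $Services) {
        # Reduce the image path to a bare file name: drop quotes, arguments, folders.
        $raw  = "$($s.PathName)"
        $path = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
        $file = ($path -split '[\\/]')[-1]
        if ($ReportedFiles -contains $file) {          # -contains ignores case
            [pscustomobject]@{ Item = $s.Name; Finding = "Image file $file matches a reported name" }
        }
        if ($s.StartMode -ne 'Disabled' -and $Approved -notcontains $s.Name) {
            [pscustomobject]@{ Item = $s.Name; Finding = 'Enabled service is not on the approved list' }
        }
    }
}

# Constructed sample inventory; names, SIDs and paths are illustrative only.
$accounts = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1-2-3-500';  Enabled = $true }
    [pscustomobject]@{ Name = 'jdoe';          SID = 'S-1-5-21-1-2-3-1104'; Enabled = $true }
    [pscustomobject]@{ Name = 'asmith';        SID = 'S-1-5-21-1-2-3-1105'; Enabled = $false }
)
$services = @(
    [pscustomobject]@{ Name = 'Spooler';    PathName = 'C:\WINNT\system32\spoolss.exe';  StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'ExampleSvc'; PathName = '"C:\Example Dir\ie403r.sys" -k'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'OldFtp';     PathName = 'C:\Example\ftpd.exe';            StartMode = 'Manual' }
)

Test-AccountHygiene   -Accounts $accounts -Leavers 'jdoe', 'asmith'
Test-ServiceInventory -Services $services -Approved 'Spooler'
```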

Learn more in O'Reilly & Associates' Windows NT User Administration, Essential Windows NT System Administration, and Windows NT In a Nutshell.

© Copyright 1999 D.B. Spalding/Korova Multimedia. All rights reserved.






