Combating Hoax Virus Messages
Protecting your network from malicious messages
October 14, 2002
How I yearn for the problems of yesterday. If someone plastered your network with messages about a hoax virus just a few years ago, the most severe consequence was probably wasted bandwidth. But in April 2001, some prankster created the first widespread and harmful hoax virus, Sulfnbk. Sulfnbk originally appeared in Portuguese, but it wasn't long before English versions arrived. The hoax includes a seemingly well-intentioned warning about an email virus that hides on hard disks and destroys computers. The warning instructs Windows users to use the Find File feature to locate the sulfnbk.exe file, and if it is found, to delete it. Sulfnbk.exe is a Windows Me and Windows 9.x system file that restores long filenames that have become corrupted. Fortunately, deleting the file rarely causes any noticeable problems. (The common Magistr virus can distribute itself as sulfnbk.exe, but that form isn't nearly as common as the hoax message.)
When the wrong people discovered that they could dupe millions of end users into deleting legitimate files, the game was on. In short order, hoax virus messages appeared that encouraged users to delete nonvirus files such as cleanmgr.exe, elfbowl.exe, y2kgame.exe, frogpult.exe, ghost.exe, and jdbgmgr.exe. The consequences were often serious. Hoax virus messages have successfully convinced people to cripple their antivirus software and could similarly convince Windows XP or Windows 2000 users to corrupt Encrypting File System (EFS) settings, delete private Pretty Good Privacy (PGP) keys, set malicious registry keys, and download Trojan horses. Clearly, these hoaxes are no longer merely a nuisance; they cause downtime and system corruption and can direct users to completely and irrecoverably harm their machines.
How to Spot a Hoax
Systems administrators should know better, but many forward hoax virus messages without first determining whether the messages are legitimate. When you receive the latest virus warning message from another systems administrator or an end user, take a few minutes to do some research before passing the message along. Visit your favorite antivirus vendor, find the hoax section (e.g., see http://securityresponse.symantec.com/avcenter/hoax.html for Symantec's page or http://vil.mcafee.com/hoax.asp for McAfee's page), and search for key words that you find in the body of the message you've received. If the antivirus vendor sites don't help you confirm whether a warning message is a hoax, you can look for several themes that are common to most hoax virus messages.
"This Is Not a Joke." Every email message I've received that began with "This is not a joke" has been a joke. Legitimate sources don't need to claim otherwise.
"THIS VIRUS IS VERY SERIOUS!" Hoax virus messages often rely heavily on capitalization and multiple exclamation points. The authors use capitalization to instill panic. Apparently, three or more exclamation points at the end of a sentence is supposed to indicate that the authors are serious and that the virus is extremely dangerous. For example, "This VIRUS is VERY, VERY SERIOUS!!! THERE IS NO REMEDY!!!! Please pass this on to everyone you know! PASS IT ON QUICKLY and TO AS MANY PEOPLE AS POSSIBLE!!!"
Capitalizing everything in an email message is equivalent to screaming, which is something that antivirus vendors and security experts would never do. On the contrary, these parties always want to appear calm, even if they aren't sure what the virus they're describing does. And antivirus experts are confident enough that you'll pass along their warnings that they don't need to instruct you to do so.
"There's Nothing You Can Do." Hoax virus messages usually contain a warning that indicates that there's nothing you can do to prevent the spread of the malicious code. Warnings from reliable sources always describe steps you can take and how a particular product can detect and remove the latest bug.
"This Virus Will Destroy Your Hardware." No hoax virus message is ever complete without repeated warnings about how destructive the virus is. Typically, these messages claim that the virus will fry your hardware and kill your hard disk and that it has already spread to every computer on the planet. Legitimate virus messages don't contain these types of warnings.
"For More Information . . . " The authors of hoax virus messages like to refer to official-sounding security organizations and include testimony from official-sounding people with seemingly important titles. Hoax virus messages might contain real names and might link to actual Web sites, but these sites won't contain any information about viruses that don't exist. Investigate any sources that suspicious email warning messages refer to.
Minimizing the Damage
Hoax virus messages are the one type of malicious "mobile code" whose threat decreases primarily with end-user education. Let's discuss educating end users, employing email filters, and other steps you can take to minimize the damage that hoax virus messages can cause.
Create a policy. Create and distribute a policy that describes hoax virus messages and requires end users to send any such messages they receive to the Help desk for confirmation. To limit the amount of exposure, you want to discourage users from forwarding these messages to everyone in your organization.
Create a template. When end users forward hoax virus messages to colleagues, I reply with a page-long message that I generate from a template I created for just such an occasion. The response thanks the users for their concern and educates them about hoax virus messages. I typically include advice about recognizing common hoax ploys and include a list of Web sites the end users can visit to confirm a message's validity in the future. Of course, I reiterate the company's policy that requires end users to send suspicious messages to the Help desk for confirmation.
Use Exmerge. End-user education is never completely effective, and one day someone will forward an old virus hoax (e.g., the Goodtimes virus hoax from 1994) to everyone in your company. What's a network administrator to do? If you use Microsoft Exchange Server, make sure you get your hands on a copy of Microsoft's exmerge.exe utility and use it to quickly delete all copies of a message in just a matter of minutes. (For more detailed information about using this utility, see "Using Exmerge as a Virus Cleanup Tool," http://www.secadministrator.com, InstantDoc ID 23687.)
Employ email filters. Consider setting rules on your email clients and filters on your messaging server to block common hoaxes and spam. Most email clients let you set rules (in Microsoft Outlook, choose Tools, Rules Wizard) that examine incoming messages for keywords common to hoax virus messages. For example, you can establish a rule to delete any email that contains the word "sulfnbk". Of course, such rules might occasionally delete legitimate messages (including your own Help desk's warning that the sulfnbk message is a hoax), so establish them carefully. Several commercial products let you implement predefined lists and keywords. Trend Micro's ScanMail eManager and Clearswift's MAILsweeper are excellent companion products for Exchange. McAfee's SpamKiller and Symantec's Norton Internet Security 2003 are great products for small businesses and personal use. Open-source buffs might want to explore SpamAssassin or Roaring Penguin Software's MIMEDefang.
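As an added example that is not part of the original article or of any of the products named above, the following Python scores a message against the hoax hallmarks described in "How to Spot a Hoax" (the "not a joke" claim, shouting, "no remedy", hardware-destruction claims, delete-this-file instructions, and the hoax filenames the article lists) and routes suspects to the Help desk queue instead of deleting them, so that a single keyword such as "sulfnbk" cannot by itself discard a legitimate warning. The rules, weights, threshold and both sample messages are constructed assumptions.

```python
import re

# Constructed scoring rules built from the hoax hallmarks the article lists;
# an illustration, not any vendor's filter. Each hit adds to a score so that
# no single keyword (e.g. "sulfnbk") condemns a legitimate message on its own.
HOAX_FILENAMES = ("sulfnbk.exe", "jdbgmgr.exe", "cleanmgr.exe", "elfbowl.exe",
                  "y2kgame.exe", "frogpult.exe", "ghost.exe")
PHRASE_RULES = (
    (r"this is not a joke", 2, "claims-not-a-joke"),
    (r"there is no remedy|nothing you can do", 2, "no-remedy"),
    (r"pass (?:this|it) on|forward (?:this|it) to everyone", 2, "asks-to-forward"),
    (r"(?:fry|destroy|kill)s? your (?:hardware|hard disk|computer)", 2, "hardware-damage"),
    (r"delete (?:the|this|that) file|search for \S+\.exe", 3, "delete-file-instruction"),
)

def caps_ratio(text):
    """Fraction of alphabetic characters that are upper case ("shouting")."""
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0

def score_message(subject, body):
    """Return (score, reasons); a higher score means more hoax-like."""
    text = subject + "\n" + body
    low = text.lower()
    hits = [(w, label) for pat, w, label in PHRASE_RULES if re.search(pat, low)]
    hits += [(3, "names-" + n) for n in HOAX_FILENAMES if n in low]
    if re.search(r"!{3,}", text):          # three or more exclamation points
        hits.append((1, "triple-bang"))
    if caps_ratio(text) > 0.4:             # mostly capitalized text
        hits.append((1, "shouting"))
    return sum(w for w, _ in hits), [label for _, label in hits]

def route(subject, body, threshold=5):
    """Send suspected hoaxes to the Help desk queue instead of deleting them."""
    score, reasons = score_message(subject, body)
    return ("helpdesk" if score >= threshold else "deliver", score, reasons)

# Constructed sample messages: a typical hoax, and a legitimate Help desk
# notice that mentions the same filename and must still be delivered.
HOAX = ("VIRUS WARNING - THIS IS NOT A JOKE!!!",
        "A virus hides in the file sulfnbk.exe and will DESTROY YOUR HARD DISK. "
        "THERE IS NO REMEDY!!!! Use Find File to search for sulfnbk.exe and delete "
        "the file. PASS THIS ON TO EVERYONE YOU KNOW!!!")
NOTICE = ("Advisory: the sulfnbk.exe warning is a hoax",
          "The message about sulfnbk.exe circulating today is a known hoax. Leave "
          "the file in place and send any further copies to the Help desk.")
# route(*HOAX) -> ("helpdesk", 16, [...]); route(*NOTICE) -> ("deliver", 3, [...])
```

The reasons list is what a Help desk analyst sees when reviewing the quarantined message, so the threshold can be tuned against real traffic rather than guessed.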
Lock down broadcast email addresses. Remove broadcast email groups from your email server's public contact list. Exchange and every mail server I've used let you specify which users can use email groups and distribution lists (DLs). Remove the right for Everyone to use broadcast email listings, then restore the right to users who need it after thoroughly explaining the responsible use of the feature. To make these changes in an Exchange environment, open Microsoft Exchange Administrator, then select Global Distribution List. Click File, Properties, click the Delivery Restrictions tab, and, under Accept messages from, select List. Click Modify, then specify users who can use the DL. You can also click the Advanced tab and select the Hide from address book check box. Hiding a DL from view in the address book won't prevent users from highlighting every user's mailbox and sending out a broadcast email, but this step makes the process more difficult.
Secure your workstations. Ensure that workstation security is strong enough to prevent typical end users from deleting system files or modifying registry settings. NTFS security can really help you achieve this goal. Consider using security policy templates and Group Policy Objects (GPOs) to tighten default end-user security. For more information about securing your workstations, see "Building a Custom Security Template," http://www.secadministrator.com, InstantDoc ID 23082.
Hoaxes are no longer harmless. As a network administrator, you must take a proactive stance against hoax virus messages by educating end users, tightening security, and eradicating hoax virus messages quickly.