I just got this e-mail from my sister-in-law.

IBM says this virus will erase your hard drive, and, unlike Happy.exe, you do not have to execute it to start it.

Mike Cumbie xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx START PASTE HERE

Kristi_Oberg@elliott.es.twsu.edu on 02/24/99 02:45:58 AM

Please respond to Kristi_Oberg@elliott.es.twsu.edu

Subject: FWD: Virus Warning

Thought you would all like to know. -------------------------------------- Date: 2/23/99 7:40 PM From: Kevin R. Keplar VIRUS WARNING !!!!!!! If you receive an email titled "It Takes Guts to Say 'Jesus'" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new very malicious virus and not many people know about it. This information was announced yesterday morning from IBM; please share it with everyone that might access the internet. Once again, pass this along to EVERYONE in your address book so that this may be stopped. Also, do not open or even look at any mail that says "RETURNED OR UNABLE TO DELIVER." This virus will attach itself to your computer components and render them useless. Immediately delete any mail items that say this. AOL has said that this is a very dangerous virus and that there is NO remedy for it at this time. Please practice cautionary measures and forward this to all your online friends ASAP.

Kevin R. Keplar Director of Technology Elliott School of Communication Wichita State University (316) 978-6017 office (316) 978-3006 fax

-- Michael H. Cumbie (Mikecumbie@aol.com), February 24, 1999

Answers

Thanks Mike. I wonder how many "unknown" viruses are out there with a trigger date of 1/1, just to make it a little more interesting! <:(=

-- SYsman (y2kboard@yahoo.com), February 24, 1999.

'New and dangerous virus on the loos' -

This is the first virus that your computer can infect your computer from a toilet seat!

-- Ned (entaylor@cloudnet.com), February 24, 1999.

This is yet another hoax.

See http://www.symantec.com/avcenter/venc/data/jesus-hoax.html

Bobbi http://www.buzzbyte.com/

-- Bobbi (bobbia@slic.com), February 24, 1999.

Hi Bob, I don't doubt this may be a hoax, but I think it is possible that someone could read the "hoax list" then design a real virus to match the symptoms. Just a thought... <:)=

-- Sysman (y2kboard@yahoo.com), February 24, 1999.

Definitely a hoax. We see several such message every month where I work. There's been one version of this or another going around for years (see the infamous "Good Times" hoax) Another great source of information is:

http://www.datafellows.co m/news/hoax/

-- Arnie Rimmer (arnie_rimmer@usa.net), February 24, 1999.

Hoax. Here's a reference to this hoax, among others, directly from the IBM Web site:

http://www.av.ibm.com/BreakingNews/HypeAlert/

I'll even try to create a real link to it (my first attempt - bear with me...)

-- Don (whytocay@hotmail.com), February 24, 1999.

Okay, this time for sure. Sorry for the bandwidth...

http://www.av.ibm .com/BreakingNews/HypeAlert/

-- Don (whytocay@hotmail.com), February 24, 1999.

O.K., I get the message.

Thought the post was credible since it came from a local university professor who, I thought, would verify before sending out an offical alert.

From now on, I will personally verify before I post.

Would someone please hand me towel (I need to wipe the egg off my face)?

Mike

-- Michael H. Cumbie (Mikecumbie@aol.com), February 24, 1999.

I hate to say it, but email gets more troublesome all the time. The new mail clients allow for macros, some allow Java scripts and VB script. This means a mail message can actually be a program. IF someone disables the 'macro contained in message' warning then we have a nasty possibility of anything you can do in VBscript or JavaScript being performed in the background. I have been having problems trying to stamp out the W97 email macro virus since before Christmas. And if you get your mail via an Internet mail client ie. a browser, then you have all the above problems as a possibility. A few years back it was impossible to get a virus through your email. That is no longer the case.

-- Paul Davis (davisp1953@yahoo.com), February 24, 1999.

Quoting Mike:

"Thought the post was credible since it came from a local university professor who, I thought, would verify before sending out an official alert. From now on, I will personally verify before I post."

Now let's touch that up a little:

"Thought the (article, news report) was credible since it came from a (major media source) who, I thought, would verify before sending out (Y2K disinformation). From now on, I will personally verify before I (believe anything the media says).

Ominous parallels, considering the sheer numbers of these stupid virus hoaxes that fill up my mailbox ad nauseum. Some people will believe anything if the source is prestigious enough - thinking for yourself seems to have gone out of style.

-- scooter (here@work.now), February 24, 1999.

A question for all my friends here who are cretifiable gee...er, ah, computer scientists. If I have a virus controll program installed (like Virex 5.8) will it protect me from viruses over the net as e- mail or other?

No foolin', I am admittedly non-computer savy, being somewhat, well, ancient is apropos. So type slowly, use little bitty words in your answer. OK? And don't tell me exactly why or how it all works; I'll just fall asleep and hurt myself again. Please, just will it?, and if not, what a dummy like me can do.

I know, I COULD go read the dadgum book, but if you can set me straight easily, well, thanks in advance.

-- Lon Frank (postit@here.com), February 24, 1999.

These two sites are also useful:

Hoaxes and Viruses

-- Tom Carey (tomcarey@mindspring.com), February 24, 1999.

>>A question for all my friends here who are cretifiable gee...er, ah, computer scientists. If I have a virus controll program installed (like Virex 5.8) will it protect me from viruses over the net as e- mail or other?

yes, under certain conditions: 1) files are always saved to a "safe" folder and scanned before they are runor opened

2) every month you download the new virus definitions upgrade (kinda like a tetnus booster shot)

3) you keep everything important (like that novel you've been writing for the past 2 years) backed up onto *2* removeable media (floppy, zip disk) so that if a virus does strike, or your hard drive fails, the most you would lose is a few hours of re-installing programs

-- Jay Kusnetz (jayrtfm@hotmail.com), February 24, 1999.

Thanks, Jay!

I don't exactly know where to download the definitions, and I hadn't thought of the "safe" file for net documents. But I do back up to my zip drive religiously. (Hard-learned lesson)

I'll send you along a jar of my gen-u-wine bayou nuke cukes, and a copy of my turducken recipe. :) Thanks again for taking the time.

-- Lon Frank (postit@here.com), February 24, 1999.

Michael, Don't feel badly about posting that virus hoax message.

I received one from our ISP that was sent to EVERY customer (a rather lengthy list) and I wrote back to the tech rep who sent it out, giving links to the hoax web sites, etc.

He wrote back very apologetically and said "thanks for letting me know this".

So you see, even the so-called "experts" can get taken in by the virus hoax thingamabob. :-)

Bobbi http://www.buzzbyte.com

-- Bobbi (bobbia@slic.com), February 25, 1999.

Bobbi et al,

How do you know the hoax web sites aren't hoax web sites, if you get my drift :)

Later,

Andy

-- Andy (2000EOD@prodigy.net), February 25, 1999.

Andy,

I usually trust Symantec. :-) Good thought though! LOL - Are we getting paranoid and untrusting or what?

Bobbi http://www.buzzbyte.com

-- Bobbi (bobbia@slic.com), February 25, 1999.

Haven't worked with the others, but McAfee can be set up to automatically scan all email, internet access, downloads and files when they are downloaded or opened. Works pretty well, W97 is pretty much under control now. But it might be worth noting, the script W97.class runs can (and does) modify the system registry in windows. If the guy who wrote it had wanted to, he could have trashed many machines rather than just fooling around with them.

-- Paul Davis (davisp1953@yahoo.com), February 25, 1999.

This one is real, and perhaps the scariest virus I've ever heard of. It can overwrite FLASH BIOS chips. That means that it magically transforms your PC into a doorstop. Can't even re-boot it with a rescue disk. Have to pull the motherboard, and hopefully find a way to restore the BIOS settings.

The truly scary part is, if CIH or a variant can *reprogram* FLASH BIOS, can it produce Y2K-effects in otherwise compliant machines?

Good anti-virus software is essential, but you must also be religious about updateing it from the vendor's web sites.

http://www.datafellows.com/v-descs/cih.htm

Computer Virus Information Pages

NAME: CIH TYPE: Resident EXE -files

ALIAS: PE_CIH, CIHV, SPACEFILLER, VIN32

ORIGIN: Taiwan CIH virus infects Windows 95 and 98 EXE files.

After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed.

The CIH virus was first located in Taiwan in early June [1998]. After that, it has been confirmed to be in the wild in at least France, Germany, The Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been spreading very quickly as it has been distributed through pirated software.

It seems that at least four underground pirate software groups got infected with the CIH virus, and they inadvertently spread the virus globally in new pirated softwares they released through their own channels. These releases include some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus but Data Fellows has been unable to confirm this.

Later on, CIH was available by accident from several commercial websites, including the Origin Systems website where a download related to the popular Wing Commander game was infected.

What makes the CIH case really serious is that the virus activates destructively. When it happens the virus overwrites most of the data on the computers hard drive. This can be recovered with recent backups.

However, the virus has another, unique activation routine: It will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogammed. The Flash routine will work on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off.

The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT.

CIH uses a peculiar way of infecting executables. As a result, the size of the infected files does not grow at all. The actual size of the virus code is around 1 kB. The virus also employees advanced tricks in jumping from processor ring 3 to ring 0 in order to hook file system calls.

There are four known closely-related variants:

CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common variant. It contains this text:

CIH v1.2 TTIT

CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains this text:

CIH v1.3 TTIT

CIH v1.4 (CIH.1019): Activates on 26th of every month. It is in the wild, but not particularily common. It contains this text:

CIH v1.4 TATUNG

Note on disinfection: If you're using F-Secure Anti-Virus for Windows 95 v4.02, you need to exit Windows to disinfect CIH. Choose Start/Restart in MS-DOS mode, then execute FSAV for DOS from the FSAV CD-ROM and disinfect your hard drive with that.

-- Lewis (aslanshow@yahoo.com), February 26, 1999.