My sister received this email:
This won't affect me anyway because I don't have Power Point and the normal user doesn't have enough privileges to remove any system (or anyone else's) files so it's a user area wipe at the worst.
Anyway, is this a hoax or is it a real threat?
Let's examine the warning signs. I'll bet we don't get one line in before we hit an inconsistency.
From: Lakeland Communications - Steven Brady [mailto:steve AT wanafone DOT com]
There. RIGHT THERE. See a problem? You should. The parent company is Lakeland Communications, Ltd. Wanafone.com is a subsidiary. Why would a subsidiary - which SELLS PHONES - have this information? According to http://www.lakeland-communications.co.uk/content/view/8/33/, their contact address is at email AT lakeland-communications DOT co DOT uk. Under normal circumstances, that would mean their MAILSERVER (and this doesn't exactly look like Verizon, so I'd assume there's just the one) is listed at that domain.
Hoax mistake number one: perpetrators often use domains UNVERIFIED to be compatible with their agenda.
Sent: 17 November 2005 14:19
To: Abby Mobile
I would assume an organisation large enough to warrant its own mailserver would know HOW TO USE EMAIL, but moving on.
Subject: FW: NOT A JOKE - PLEASE OPEN A.S.A.P.
Again, notice that the subject is not in ANY kind of recognised warning format. Usually, when issued by Symantec or McAfee (or an equally reputable vendor), these warnings will carry subject information including the virus name, severity, and/or date-of-discovery - not to mention the name of the discovering agency.
VERY IMPORTANT WARNING
This is not a joke!
Off of what we've seen so far, I see no reason to give them the benefit of the doubt any more than you'd stall your car on the train tracks and expect a passing freighter to yield, but let's continue as if we did.
Please Be Extremely Careful especially if using internet mail such as
Yahoo, Hotmail, AOL and so on.
Sage advice. I wonder if they have a stake in POP3, given that they don't seem to address THOSE providers?
This information arrived this morning
direct from both Microsoft and Norton.
Funny, I didn't know Microsoft had its anti-virus engine in gear already.
Please send it to everybody you know who has access to the Internet.
What about the people that don't? Should we leave them subject to an unknown danger, that could - for all we know - be passed diskette-to-diskette (or site-to-site, mail-to-mail, mouth-to-mouth, head-to-ass, etc)?
Hoax mistake number two: assume every virus solely propagates across the Internet.
You may receive an apparently harmless email with a Power Point
presentation "Life is beautiful."
I don't know about you, but I don't have many people sending me crap like that, so I'd tend to be suspicious and check for a VBS extension at the end anyway. Oh, what's that? That's right:
Hoax mistake number three: play on people's fears of faked (doubled, tripled, etc) extensions BY NOT INCLUDING *ANY* in the description.
If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete
it immediately. If you open this file, a message will appear on your screen
saying: "It is too late now, your life is no longer beautiful."
Wow. A PowerPoint file, showing a message... on a SCREEN. I can never get mine past that first BSOD, but I guess someone must have.
Subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent
it to you will gain access to your name, e-mail and password.
This is why I DON'T OPEN VBS FILES. If it were a REAL PowerPoint Slideshow as the extension in the original variant of this hogwash seems to indicate, how would it do this? Drop the /con/con bomb? Oh, I know, MAYBE IT'LL EGGDROP SOME SHELLCODE INTO EXPLORER AND CAUSE A BUFFER OVERFLOW! That'll give them my NAME, EMAIL, and PASSWORD FOR SURE! If they can get past, the whole, y'know... COMPUTER NOT WORKING BIT.
Hoax mistake number four: assuming a computer can self-heal BSODs, since we ALL run Crystal Palace technology at home. Incidentally - NORAD uses UNIX-based, not Windows.
This is a new virus which started to circulate on Saturday afternoon.
AOL has already confirmed the severity, and the antivirus software's are
not capable of destroying it.
I don't know about the UK, but here we have a Computer Emergency Readiness Team that grades these things, NOT AOHELL.
Hoax mistake number five: assume AOL will be around forever, then grant them government agency status. God knows enough idi... um... newbies implicitly trust them. To date, the only "virus" that antivirus applications can't destroy? That's right: Sony's rootkit, and that's simple enough to remove once you know the way it infects your system. Hell, people are making BATCHFILES to combat it, so it's technically not a big enough threat to warrant antivirus attentions. Now, if it polymorphed, THAT would be a problem.
The virus has been created by a hacker who
calls himself "life owner."
PLEASE SEND A COPY OF THIS EMAIL TO ALL YOUR FRIENDS and ask them to
PASS IT ON IMMEDIATELY
Hoax mistake number six: rather than realising that any decent anti-virus company has their own distribution system, convince the masses that they MUST forward your message. After all, how else can it survive from a spoofed address?
Regards,
Steven J Brady
Managing Director
Lakeland Communications Limited
Blackhall Yard
Kendal
Cumbria
LA9 4LU
t: 0870 990 7973
f: 0871 433 1456
m: 0797 344 8245
e: steve AT wanafone DOT com
w: www.lakeland-communications.co.uk
Seriously, leave this poor guy alone, it's probably some disgruntled worker's ex-boss that they just want to drive insane. Otherwise, emails will bounce, and calls to the mobile will likely be answered by someone other than the landline - check out that area code.
Oh, and hoax mistake number seven, for the game? Check out that postal code. Check that contact page for Lakeland. Yep, that's right: the postal code is off.
Hopefully, the response detailed here will help you notice crap like this in the future. Share it with your sister! In fact, here are the checks, presented in the order of the hoax mistakes (some of which were not enumerated, but significant in their own right):
- Check that the domain fits the intent. A phone shopping site is NOT a reliable source for virus information.
- Check that the "notice" acknowledges non-Internet propagation.
- Check that the "notice" contains the three-letter extension. Double-check the extension through filext.com or a similar site. Anything described as belonging to "Visual" anything, "Builder" anything, or "Lab" anything should be approached with EXTREME CAUTION unless YOU made the file yourself. Even then, treat it like a grenade - it may not be live, but the wrong touch may still screw something up.
- Check the validity of what the "notice" is saying. Can people get your NAME from you merely logging into a BBS? If you were honest with the signup form (who here is), then possibly. Can people get your home address over a wireless connection to a Q-39 Illudium Explosive Space Modulator stashed away deep within your PC, EVEN WHEN IT'S TURNED OFF, THE POWER REMOVED, AND THE CMOS BATTERY HURLED INTO THE WHITE-HOT FIRES OF THE SUN? Probably not.
- Check that the "notice" acknowledges REAL antivirus companies (McAfee, Norton/Symantec, AntiVir) not ISPs (Microsoft [MSN], AOL, Earthlink, and so on).
- If the email came from a third-party site, DON'T TRUST IT and DON'T TOUCH THE ATTACHMENTS. You're staring down a container of ebola, and until you open those files, nothing really bad (at least through that email) can happen. If you have auto-open attachments enabled, FOR GOD'S SAKE TURN IT OFF. Remember that anti-virus companies offer updates through their own - SECURE - updating tool, not through as easily manipulated a medium as IMAP emails.
- Finally, check that the "contact" in the "notice" exists through the website. If you notice typos in the address, discard it, unless the other factors (such as style of subject, etc) warrant keeping the message.
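Four of the checks above (sender domain against the signature's website, file described without an extension, ISPs cited as the authority, request to forward) can be run mechanically over a forwarded warning. The following is an added example, not part of the original post; the function name `hoax_flags`, the crude regexes, and the `.example` domains in the constructed sample are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the forwarded warning; both domains are placeholders.
SAMPLE = '''From: Example Comms - J Bloggs <jb@phoneshop.example>
Subject: FW: NOT A JOKE - PLEASE OPEN A.S.A.P.

This information arrived this morning direct from both Microsoft and Norton.
You may receive an apparently harmless email with a Power Point
presentation "Life is beautiful." AOL has already confirmed the severity.
PLEASE SEND A COPY OF THIS EMAIL TO ALL YOUR FRIENDS and ask them to
PASS IT ON IMMEDIATELY

e: jb@phoneshop.example
w: www.example-comms.example
'''

# Heuristic patterns (assumptions, not an exhaustive rule set).
ISP_NAMES = re.compile(r"\b(AOL|MSN|Microsoft|Earthlink)\b", re.I)
FORWARD = re.compile(
    r"pass it on|send (it|a copy[^.]*) to (everybody|all your friends)", re.I)
FILE_WORD = re.compile(r"\b(attachment|presentation|file)\b", re.I)
EXTENSION = re.compile(r"\w\.(pps|ppt|vbs|exe|scr|pif|doc|zip)\b", re.I)
SIG_SITE = re.compile(r"^w:\s*(?:www\.)?(\S+)", re.I | re.M)

def hoax_flags(raw):
    """Return the hoax indicators found in a plain-text email, in checklist order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    # Does the From: domain match the website given in the signature block?
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    site = SIG_SITE.search(body)
    if site and site.group(1).lower().rstrip("/") != sender_domain:
        flags.append("sender-domain-differs-from-signature-site")
    # A file is described but no extension is ever given.
    if FILE_WORD.search(body) and not EXTENSION.search(body):
        flags.append("file-described-without-extension")
    # The warning leans on ISPs rather than antivirus vendors.
    if ISP_NAMES.search(body):
        flags.append("isp-or-non-av-source-cited")
    # The reader is told to forward the message.
    if FORWARD.search(body):
        flags.append("asks-reader-to-forward")
    return flags

if __name__ == "__main__":
    print(hoax_flags(SAMPLE))
```

A message that trips none of the patterns returns an empty list, which means only that these four checks found nothing, not that the message is genuine.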