Virus HOAXES by E-mail
Two Examples, Prevention, Solution.
Four Descriptions downloaded from an Internet search engine in a few minutes to draw together a context for this first hoax example.
Jdbgmgr.exe file hoax
Reported on: April 12, 2002
Last Updated on: December 03, 2003 10:25:09 AM
Symantec Security Response encourages you to ignore any messages regarding this hoax. It is harmless and is intended only to cause unwarranted concern.
Type: Hoax
This hoax, like the SULFNBK.EXE Warning hoax, tries to encourage you to delete a legitimate Windows file from your computer. Jdbgmgr.exe is the file to which the hoax refers, and it is the Microsoft Debugger Registrar for Java. The Jdbgmgr.exe file may be installed when you install Windows.
How does an innocent file, jdbgmgr.exe, with a teddy bear icon end up accused of being a virus?
JDBGMGR.EXE is suffering the same fate as its predecessor hoax victim, SULFNBK.EXE.
In May 2001, the SULFNBK.EXE hoax caused thousands of gullible users to delete a perfectly legitimate system file. Now the same hoax is circulating, this time targeting the equally benign JDBGMGR.EXE. As with the SULFNBK.EXE hoax, it is likely a result of confusion caused by the Magistr virus.
While the hoax mail urges users to search for and delete the JDBGMGR.EXE file, in reality JDBGMGR.EXE should be on the system - it is a standard Windows component included with Internet Explorer (at least as far back as version 3.02).
For those hapless folks who've deleted the file, there is good news.
Unless you are a Java developer, the file is not essential to normal operation and its absence should not create any adverse effects. If you do encounter problems with Java applications, you will need to either contact the vendor of the application for a new copy of Microsoft Virtual Machine or you can download Sun Java™ Virtual Machine instead.
Unless you are a Windows XP user, Microsoft VM is no longer available directly from Microsoft (this is due to a licensing disagreement with Sun). XP users can obtain the Microsoft VM via XP's Service Pack 1 by visiting the Windows Update site. If you use XP and had already installed Service Pack 1 before deleting the file, the Windows Update site will no longer list SP1 for your system.
You can obtain another copy of SP1 here.
http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/default.asp
(30 megabyte download with up to 90 minutes transfer for dial-up)
The email hoax urging users to delete this necessary file may be preceded with the dire sounding "National Virus Alert". It may also make reference to a Teddy Bear icon, which is the standard icon for that file.
Hoax Description
As well as displaying all the standard hoax features (it warns of a dire 'danger', then suggests that the receiver should send it on to all of their friends to minimize the damage that the 'virus' may cause), this E-mail hoax advises the user to delete the file JDBGMGR.EXE, which it states is a virus. For greater impact and added realism, this hoax even lists detailed instructions on how to remove this file from your computer.
Two things should be noted about the file JDBGMGR.EXE.
First, it is a standard utility program (the Microsoft Debugger Registrar for Java) included with some versions of Windows and is normally installed in the 'system32' subdirectory of the WINNT directory. It has an icon in the form of a teddy bear that may lead users to be suspicious of it.
Second, because of its location and size and being a PE-style EXE, JDBGMGR.EXE has been observed included as an attachment in email messages sent by the Win32.Magistr virus. Thus, if you receive a copy of JDBGMGR.EXE as an email attachment, that could well be an infected copy of the file and an indication that the sender is infected with Win32.Magistr.
Please note that hoaxes often have several variations in circulation.
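Because the wording varies between versions, matching on the traits described above is more useful than matching one exact text. The following is an added example, not part of the original descriptions; the trait patterns, function name and sample messages are constructed for illustration.

```python
import re

# File names this page identifies as legitimate Windows components.
KNOWN_LEGIT_FILES = {"jdbgmgr.exe", "sulfnbk.exe"}

# Hypothetical heuristics, one per hoax trait described above.
TRAITS = {
    "dire_warning": re.compile(
        r"\b(virus alert|urgent|dangerous|destroy|wipe)\b", re.I),
    "forward_to_everyone": re.compile(
        r"\b(forward|send|pass)\b.{0,60}"
        r"\b(everyone|all (of )?your (friends|contacts)|address book)\b",
        re.I | re.S),
    "delete_instruction": re.compile(r"\b(delete|remove|erase)\b", re.I),
    "search_instruction": re.compile(
        r"\b(search|find)\b.{0,80}\.exe\b", re.I | re.S),
}
EXE_NAME = re.compile(r"\b([\w-]+\.exe)\b", re.I)

# Constructed sample messages (not real hoax texts).
HOAX_SAMPLE = (
    "NATIONAL VIRUS ALERT! A dangerous virus is hiding on your computer. "
    "Click Start, then Find, and search for jdbgmgr.exe. If you see a teddy "
    "bear icon, delete it at once. Then forward this warning to everyone "
    "in your address book.")
VARIANT_SAMPLE = ("Urgent! Search for teddy.exe and erase it, "
                  "then send this to all your friends.")
VENDOR_SAMPLE = ("Definitions for your antivirus product were updated today. "
                 "No action is required.")


def assess_message(text):
    """Return (matched_traits, named_files, verdict) for one message body."""
    matched = sorted(name for name, rx in TRAITS.items() if rx.search(text))
    named = sorted({m.lower() for m in EXE_NAME.findall(text)})
    targets_legit = any(f in KNOWN_LEGIT_FILES for f in named)
    if targets_legit and "delete_instruction" in matched:
        verdict = "likely hoax: tells you to delete a legitimate Windows file"
    elif len(matched) >= 3:
        verdict = "hoax-like: verify with your antivirus vendor before acting"
    else:
        verdict = "no hoax traits matched"
    return matched, named, verdict


if __name__ == "__main__":
    for sample in (HOAX_SAMPLE, VARIANT_SAMPLE, VENDOR_SAMPLE):
        print(assess_message(sample))
```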
Recovery
The Microsoft Debugger Registrar for Java (Jdbgmgr.exe) is only used by Microsoft Visual J++ 1.1 developers.
If you follow the e-mail message instructions and delete this file, you do not have to recover it unless you use Microsoft Visual J++ 1.1 to develop Java programs on Windows XP, Windows NT 4.0, Windows 98 Second Edition, Windows 98, or Windows 95.
For Windows XP, Windows NT 4.0, Windows 98 Second Edition, Windows 98, and Windows 95:
The Microsoft VM is not available as a Web download.
A much earlier example of an e-mail transmitted Virus Hoax.
SULFNBK.EXE, a utility shipped as part of the Windows 98 operating system that allows users to restore long file names, and now the victim of a bogus virus warning.
The hoax message urges users to search their systems for the presence of SULFNBK.EXE and, if found, delete it. Of course, it's a legitimate Win98 operating system file, so anyone running Windows 98 will find it. And many, it seems, have deleted it.
Following are the steps to take to restore SULFNBK.EXE from your Windows 98 operating system CD. You will want to have your Windows 98 operating CD in the CD-ROM drive bay. If the program autoruns (launches), just click Exit.
A word of caution.
Any executable has the potential to be infected.
Any executable received via email should be considered infected until proven otherwise.
There is a vast difference between the SULFNBK.EXE file that legitimately resides on your hard drive, and an SULFNBK.EXE arriving via email.
The Magistr virus randomly selects, infects, and sends portable executable (PE EXE) files less than 132Kb in length. This makes SULFNBK.EXE, with its paltry 45,056 file size, a perfect candidate. Thus, if you were to receive SULFNBK.EXE via email, consider it infected.
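The rule of thumb above can be applied to a saved e-mail attachment by checking whether it is a PE executable and whether its size fits the range described. This is an added example, not part of the original text; the function names are hypothetical, "132Kb" is read as 132 x 1024 bytes (an assumption), and the sample bytes are constructed and non-functional.

```python
import struct

# Page says "less than 132Kb"; read here as 132 KiB (assumption).
MAGISTR_MAX_BYTES = 132 * 1024
# System file names mentioned on this page.
SYSTEM_FILE_NAMES = {"sulfnbk.exe", "jdbgmgr.exe"}


def is_pe_executable(data):
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    # An out-of-range offset yields an empty slice, so this is safe.
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_attachment(filename, data):
    """Apply the page's rule of thumb to one e-mail attachment."""
    if not is_pe_executable(data):
        return "not a PE executable"
    reasons = ["executable received by e-mail"]
    if len(data) < MAGISTR_MAX_BYTES:
        reasons.append("size fits the profile of files Magistr sends")
    if filename.lower() in SYSTEM_FILE_NAMES:
        reasons.append("named like a Windows system file")
    return "treat as infected until scanned: " + "; ".join(reasons)


def make_constructed_pe(size):
    """Constructed test input: MZ/PE markers only, zero padding, not runnable."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    return bytes(header) + b"PE\x00\x00" + bytes(size - 0x84)


if __name__ == "__main__":
    print(triage_attachment("SULFNBK.EXE", make_constructed_pe(45056)))
    print(triage_attachment("setup.exe", make_constructed_pe(200 * 1024)))
    print(triage_attachment("notes.txt", b"hello"))
```

The check only says how to treat an attachment; it says nothing about the copy of the same file that legitimately resides on the hard drive.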
Windows 98
Windows 98 includes a handy tool known as the System File Checker which can be used to restore damaged or deleted files.
To open SFC, click "Start" | "Run" and type "SFC" without the quotes. Click "OK". System File Checker will launch a dialogue box with two choices.
Choose "Extract one file from installation disk".
In the "Specify the system file you would like to restore" box,
type "sulfnbk.exe" (without the quotes).
Click "Start".
You will be prompted to specify the location that contains the file you want to extract and the destination directory for that file. You will need to input the "Restore from" location and the "Save file in" location.
"Restore from" will be the win98 folder on your Windows 98 operating system CD.
It is easiest and most accurate to use the "Browse" button to locate and select the folder.
The "Save file in" destination folder is the Windows directory and Command subdirectory.
For example, C:\WIN98\COMMAND
When both boxes have been filled in, click OK.
You should receive a message stating "The file has been successfully extracted".
Click OK and close any remaining SFC dialog boxes.
COMMENT:
A great amount of Internet resources and computer user time and effort are wasted every year through a variety of Spamming activities including the marketing of legal and illegal goods, New Age / Humanist deceptions, pseudo-religious manipulative requests, bogus offers, and virus hoaxes.
Protect yourself and others from these by knowing that they exist and by finding out more about them, so that you can more easily discern what they are, avoid their harmful possibilities, and not become a willing participant who encourages the originators in their efforts.
HOAXES often have the possibility of being partially true.
Balance the REAL possibility of damage to your system by what YOU do against the uncertain possibility of damage to your system by what YOU ignore. Take a little time to be informed, OR, react and possibly have to take a LOT of time to Recover.
ADVISORY:
IF and WHEN you receive an e-mail virus alert from anyone other than YOUR antivirus application provider --- eTrust, McAfee, Norton, other --- search online for information about it.
First, you will be able to determine quickly the possibility of it being a Hoax, or, a true virus.
Secondly, you will avoid the potential problems with your applications and operating system that come from removing a file which is important to its operation.
Thirdly, you will not become part of a Spamming operation which endangers many other people and their applications by your well-intentioned and ignorant passing on of the Hoax information, as urged in the Hoax e-mail.
Fourth, you may choose to inform others of this form of Hoax and the preventive solutions, similar to this document.
Prevention is better than cure.
Prevention is proactive and requires focused effort.
You are responsible for your actions.
Why not also be responsible for your decisions?
Others can advise. Decide for yourself.