F-Secure Hoax Information Pages: Christmas Tree

Summary

Christmas Tree Warnings is a hoax. We have received a lot of warning messages about a Christmas Tree greeting card (TREE.EXE) that is being spread over the Internet.

Detailed Description

We have several samples of this greeting card, called 'The Preacher's Wife'. All the samples are 1932577 bytes long but have different time stamps. The program itself does not try to do anything destructive. It was compiled with Macromedia Director 5.0 and is freely available from several FTP sites.

Here is an example of a warning:

Hi everyone!
If you have received (from me or anyone) a Christmas tree that has sparkles that you click to "dress" the tree, DELETE THIS FILE!!! We were just warned that this executable file is set to go off on Dec. 26th with a VIRUS - so, delete away!!!

Another warning looks like this:

Recently we mailed out a communication regarding the mailing of Non-Business related attachments. It has been brought to our attention that one of these attachments, TREE.EXE, may contain the CIH Virus. This virus is said to wipe the "C" drive clean on Dec. 26th. It's a cute program where you decorate a Christmas tree, but after running it, it will remain dormant until the 26th when it will wipe out everything on your hard drive.
If you have this attachment in any of your mail messages, please delete this attachment IMMEDIATELY.
DO NOT RUN TREE.EXE! DO NOT DETACH TREE.EXE! DO NOT FORWARD TREE.EXE!

As noted above, the program (TREE.EXE) itself does not try to do anything destructive, BUT the file can be infected with the CiH virus, which erases hard disks and corrupts the Flash BIOS on the 26th day of a month (depending on its version). Someone could spread an infected copy over the Internet (on purpose or simply without being aware of the infection). That is why all incoming files must be checked for viruses.

We have not received any TREE.EXE files infected with the CiH virus, but nevertheless we don't consider the above warnings to be hoaxes.

There exists a different warning message:

Hello everyone,
You are of course free to do what you want, but READ this first. Your whole hard drive will be erased if you happen to run into it!
On the net is right now a big mailing of a Christmas card with a spruce as motif. It does not have any lights, but around the room there are lights. When you click on them, the lights go on, one by one, in the Christmas tree. Once you've done this and are about to exit, you will get a virus alert that there is a virus in Explorer (your web browser) and you are asked to press one of four buttons with different options to remove this virus. Then you ERASE your own program. Then the picture appears again that you have no Explorer and you have a virus in the next program, for instance you have a virus in Word and the same thing there.
No matter which button you press everything turns out wrong. You can't turn it off because it is already in Autostart so when the computer boots up again it starts. A friend of mine lost ALL his EXE-files yesterday because of this program. A SERIOUS WARNING friends. Christmas cards can hold anything but this was scary. A newly updated anti-virus program didn't catch it since it isn't an ordinary virus, but a "delete-program" that you are tricked to run yourself.
Spread this as soon as possible to everyone you know.

We have not received any samples that behave like that, and NO known virus, trojan or hacker's remote access tool (Back Orifice, NetBus, Deep Throat) behaves as described above. This message is most likely a hoax, but if someone gets a sample that behaves as described in the message, please send it to F-Secure for analysis.

F-Secure Corporation

Last Modified: September 28, 2007