F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

Hoax Warnings

Alphabetical Index
NAME:Christmas Tree
ALIAS:Christmas Tree Warnings

We've received a lot of warning messages about Christmas Tree greeting card (TREE.EXE) that is spread over the Internet. We have several samples of this greeting card called 'The Preacher's Wife'. All the samples are 1932577 bytes long but have different time stamp. The program itself doesn't try to do anything destructive. It was compiled with MacroMedia Director 5.0 and is freely available from several ftp sites. Here's an example of a warning: 

 Hi everyone!


 If you have received (from me or anyone) a Christmas tree that
 has sparkles that you click to "dress" the tree, DELETE THIS
 FILE!!!  We were just warned that this executable file is set to
 go off on Dec. 26th with a VIRUS - so, delete away!!!

Another warning looks like this: 

 Recently we mailed out a communication regarding the mailing of
 Non-Business related attachments.  It has been brought to our
 attention that one of these attachments, TREE.EXE,  may contain
 the CIH Virus.  This virus is said to wipe the "C" drive clean
 on Dec. 26th.  It's a cute program where you decorate a
 Christmas tree, but after running it, it will remain dormant
 until the 26th when it will wipe out everything on your hard
 drive.


 If you have this attachment in any of your mail messages, please
 delete this attachment IMMEDIATELY.


 DO NOT RUN TREE.EXE! DO NOT DETACH TREE.EXE! DO NOT FORWARD
 TREE.EXE!

As noted above the program (TREE.EXE) itself doesn't try to do anything destructive, BUT the file can be infected with CiH virus that erases hard disks and corrupts Flash Bios on 26th days (depending on its version). Someone could spread the infected copy over the Internet (purposely or simply not being aware of infection). That is why it's a must-do to check all incoming files for viruses.

We haven't received any TREE.EXE files infected with CiH virus, but nevertheless we don't consider the above warnings to be hoaxes.

There exists a different warning message: 

 Hello every one,


 You are of course free to do what you want, but READ this first.
 Your whole harddrive will be erased if you happen to run into
 it!


 On the net is right now a big mailing of a christmas card with a
 spruce as motif. It does not have any lights, but around the
 room there are lights. When you click on them, the lights go on,
 one by one, in the christmas tree. Once you've done this and is
 about to exit, you will get a virus alert that there is a virus
 in Explorer (your web browser) and you are asked to press one of
 four buttons with different options to remove this virus. Then
 you ERASE you're own program. Then the picture appears again
 that you have no Explorer and you have a virus in the next
 program, for instance you have a virus in Word and the same
 thing there.


 No matter which button you press everything turns out wrong. You
 can't turn it off because it is already in Autostart so when the
 computer boots up again it starts. A friend of mine lost ALL his
 EXE-files yesterday because of this program. A SERIOUS WARNING
 friends. Christmas cards can hold anything but this was scary. A
 newly updated anti-virus program didn't catch it since it isn't
 a ordinary virus, but a "delete-program" that you are tricked to
 run yourself.


 Spread this as soon as possible to everyone you know.

We haven't received any samples that behaved like that and NO known virus, trojan or hacker's remote access tool (Back Orifice, NetBus, Deep Throat) behaves like described above. This message is most likely a hoax, but if someone gets a sample that behaves like described in the message, send it to F-Secure for analysis please.