F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

Hoax Warnings

Alphabetical Index
NAME:YUKON3U.mp
This is not a virus but a widespread hoax. Somebody posted the warning below to dozens of usenet newsgroups on March 23rd, 1997. Ignore this warning and do not pass it on. It is impossible to get infected by downloading and viewing GIF or JPG pictures. 

  From: SammyT32@shorty.com (Sammy T.)
  Subject: VIRUS WARNING!!:  YUKON3U will strike!
  Date: Sun, 23 Mar 1997 04:37:37 GMT
  Organization: MDM Communications, Inc.


  YUKON3U.mp  VIRUS IS ABOUT TO STRIKE THE NEWSGROUPS!


  As many of you know, the amount of viruses that have been posted
  within the past couple of months are tremendous -- now we have 2 new
  threats to contend with.


  To continue...  a medium amount of the recent posts in some of the
  Alt.Binaries have contained a time-bomb trojan virus called YUKON3U.mp
  which is a derivative of a 2nd generation Mutating Engine developed by
  the Dark Avenger -- a self-described "King" of viruses from Bulgaria.
  The only difference is that this strain has a stealth capability
  beyond the reach of Norton or McAfee Anti-Virus programs latest
  updates, with the possible, but not probable exception of Dr.
  Soloman's Anti-Virus version 7.69.  The encryption technique is
  incredible.


  The YUKON3U.mp virus is somehow compiled within the UUE code
  of the JPG itself, and when decoded will install the virus onto the
  boot sector of the hard drive, and lie in wait for the trigger date
  sometime in April (changing your internal system clock won't help
  since the trigger day changes with each infection).  The only constant
  is the month itself.


  The simple fact of decoding the file via a newsreader or third-party
  decoder such as Wincode automatically runs and installs the virus
  without detection, thereby eliminating the wait for somebody actually
  launching the file by accident (we all know viruses do nothing unless
  they're launched).


  For all intents and purposes, the JPG is viewable without any problems
  and normal in every way, but there is a second file hiding within your
  boot sector without detection.


  One of the effects carries a nasty manipulation task which damages
  hardware -- an interrupt call set to a track value beyond 39, which
  will cause the drive heads to move past the inner track of the hard
  drive, causing the heads to stick on some models.


  That isn't the worst of it.  Untitled posts which contain special BOTS
  that are basically invisible and cannot be seen or read by newsgroup
  readers have also been recently posted according to Dr. Soloman's
  web-site.


  These BOTS are capable of replacing ASCII characters within all posts
  in the Alt. Binaries newsgroups (i,e. H becomes S, G becomes F, and so
  on).  The BOTS are triggered to alter other user posts by certain
  words contained in the post, or by calling upon the Cancel Date of the
  article ( probably some time in April ).


  It's very possible that the same group who posted the KILL-BOTS last
  July are behind this second posting along with the YUKON3U.mp
  virii.

Again, ignore this warning and do not pass it on. Also, do not confuse this hoax with the real Yukon.151 virus.

[Analysis: Mikko Hypponen, F-Secure]