Facebook Invitation and the Olympic Torch

Old hoaxes never die. They just get transplanted to Facebook. Sometimes literally, when a classic email hoax starts to spread with minor emendations through Facebook message or news feeds. In this case, the actual message (at least, as I received it) is still email, but it's been adapted to appeal to the more than 800 million Facebook users. Not only has it changed the wording to refer to FACEBOOK (in upper case, so IT MUST BE SERIOUS!!! – not…), but it also includes cites a genuine snopes.com article to "prove" that this message deals with a real virus. Of course, it proves no such thing. But I'll get to that.

This is the chainmail as it was forwarded to me

FW: Nasty Virus

PLEASE CIRCULATE THIS NOTICE TO YOUR FRIENDS, FAMILY, CONTACTS!
In the coming days, you should be aware…..
Do not open any message with an attachment called: Invitation FACEBOOK, regardless of who sent it. It is a virus that opens an OlympIc torch that burns the whole hard disc C of your computer.
This virus will be received from someone you had in your address book ..
That's why you should send this message to all your contacts.
It is better to receive this email 25 times to receive the virus and open it ..
If you receive a mail called: Invitation FACEBOOK, though sent by a friend, do not open it and delete it immediately. It is the worst virus announced by CNN. A new virus has been discovered recently that has been classified by Microsoft as the most destructive virus ever.
It is a Trojan Horse that asks you to install an adobe flash plug-in.
Once you install it, it's all over. And there is no repair yet for this kind of virus.
This virus simply destroys the Zero Sector of the Hard Disc,
where the vital information of their function is saved.
SNOPES SAYS THIS IS TRUE………..
http://www.snopes.com/computer/virus/youtube.asp

I'll go through it line by line, as you may find it useful to compare the hoax hooks and tricks used here to those found in other dubious messages.

FW: Nasty Virus

PLEASE CIRCULATE THIS NOTICE TO YOUR FRIENDS, FAMILY, CONTACTS!
In the coming days, you should be aware…..

It's typical of hoaxes to be vague about exact time. This extends their shelf-life.

Do not open any message with an attachment called: Invitation FACEBOOK, regardless of who sent it. It is a virus that opens an OlympIc torch that burns the whole hard disc C of your computer.
This virus will be received from someone you had in your address book ..

Apart from the insertion of the word FACEBOOK, this is practically identical to the venerable Invitation/Olympic Torch virus hoax, which in its "Virtual Card for you" incarnation actually predates the foundation of Facebook. There is no virus or Trojan that literally sets fire to a hard disk, of course, and I'm not aware of any malware that shows an Olympic torch as a sort of visual metaphor while it trashes the hard disk, though it would be rash to say that some such display is altogether impossible technically. Of course, system trashing malware does exist, but we've never seen anything close to this description, distributed as described above.

That's why you should send this message to all your contacts.

 We sometimes describe memetic hoaxes as having hooks and threats: the hook catches your interest, and the threat persuades you to forward the message. It's simple psychological pressure.

It is better to receive this email 25 times to receive the virus and open it ..

Possibly, but that isn't the choice, since the virus doesn't exist. It's better not to forward warnings you can't be sure are valid than to forward them "just in case": at the very least, you owe it to your friends to check such warnings out before you pollute their mailboxes.

If you receive a mail called: Invitation FACEBOOK, though sent by a friend, do not open it and delete it immediately.

Unfortunately, you can't rely on the subject line to identify a malicious message, though if you do find yourself getting mail like this (unlikely!) it probably won't do much harm to delete it. There are better ways of defending yourself from malicious email, of course (and running a reputable antivirus product is one of them, though you shouldn't rely on AV for 100% protection).You can ensure that the settings for your email client don't run attachments or inline scripts without asking, or require it to read incoming mail as text rather than HTML.

It is the worst virus announced by CNN. A new virus has been discovered recently that has been classified by Microsoft as the most destructive virus ever.

Well, CNN undoubtedly knows more about viruses than I do. ;-) Ahem.

There was a time when I'd have said "ask yourself whether Microsoft is the best authority on viruses" too, but of course Microsoft is a serious player in malware analysis nowadays, with its own security software. However, the point here is that the message isn't giving us any proof that CNN or Microsoft have said anything whatsoever about this "virus". Let alone when they're supposed to have said it. It's another standard hoax technique, invoking an "authoritative" source without giving you enough information to check it.

"Trust but verify!" Better still, distrust but verify…

It is a Trojan Horse that asks you to install an adobe flash plug-in.

If it's a trojan, it's questionable whether it's a virus, but let's not be picky. Lots of Trojans do, in fact, try to trick you into installing some software claimed to be a Flash component, a video codec or whatever, so that's a good heuristic for spotting suspicious messages. In fact, snopes.com describes here how Koobface uses that trick. Of course, lots of sites including security companies have also described Koobface with varying levels of detail, but this is particularly relevant because as we'll see below, the hoaxer here has probably looked specifically at the snopes.com description in order to find material that appears to corroborate the hoax.

Once you install it, it's all over. And there is no repair yet for this kind of virus.

OK. We're back off the rails. This is just FUD/scaremongering. Remember what I said about the hook and the threat?

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information of their function is saved.

Slightly garbled, but yes, overwriting the first sector of a hard disk is a pretty good way of rendering the disk unreadable, though that doesn't always mean the disk can't be recovered.

SNOPES SAYS THIS IS TRUE………..
http://www.snopes.com/computer/virus/youtube.asp

No, it doesn't. That particular article is also about Koobface. In fact, what the article says is summarized as:

Messages appearing to come from Facebook friends and directing recipients to view YouTube videos harbor a virus.

In the abstract, this is correct. Unfortunately, the article goes on to quote several email messages that describe this single aspect of Koobface distribution (there have been many other social engineering hooks) very specifically. For example:

DO NOT ACCEPT ANYTHING FROM ANY OF YOUR FRIENDS THAT ASK YOU TO WATCH A VIDEO ON YOUTUBE "OBAMA"…IT IS A TROJAN WORM VIRUS CALLED KOOBFACE.

 Others, meanwhile, are more generic:

DO NOT ACCEPT ANYTHING FROM ANY OF YOUR FRIENDS THAT ASK YOU TO WATCH A VIDEO ON YOUTUBE. SNOPES JUST CONFIRMED.

I guess it may be safer not to watch any videos recommended by your friends, but I suspect in the long run that people will, as ever, put entertainment value ahead of safety. In the meantime, I suspect that we'll see more hoaxes circulating with a "confirmed by Snopes" label. It's actually not the first time I've seen this done. In fact, back in 2008 I blogged on a very similar version of the same hoax that also referred to a snopes.com article as if it somehow corroborated the hoax. On that occasion, though, the snopes.com article was more accurately summarized as "Mixture of real virus warning and hoax", because it included elements of the real Nuwar/Storm malware and a description of yet another variation of this hoax.

In some cases, it may be that people have become genuinely confused by the superficial convergence of some forms of real malware and certain hoax viruses. In this case, though, it seems likely to me that some sweetheart has been looking at snopes.com in some detail and has gone out of his way to misuse an excellent source of information on hoaxes. And that's a pity, because it will (hopefully only slightly) reduce the efficacy of Snopes as a means of countering hoaxes. But perhaps that was the idea. :(

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.