Just when I think maybe the traditional hoax/chain message is finally dying (or at any rate the type that describes mythical malware), along comes another, though it’s spreading through Facebook rather than email as in days of old. I've included some more information in a blog here about “the Christmas Tree app” hoax first cited by Graham Cluley.

(You might describe the picture as another Christmas tree hoax: it's all lit up for Christmas, but it's actually a maple. Not exactly traditional...)

Graham has also, Scrooge-like, been visited by the Ghost of CHRISTMA EXEC, also known as the Christmas Tree Worm or the BITNET chain letter. Just in case anyone is interested in this bit of viral pre-history, here’s a bit more information (yes, I'm quoting one of my own books**: terrible habit, except when writing academic papers...)

This was launched on 9th December 1987. It was written in REXX and hosted on VM/CMS mainframes. It spread widely on BITNET, EARN, and IBM’s internal network. It invited the recipient to execute its code and did indeed draw a Xmas tree onscreen (using text characters, of course), but in the background it was mailing itself to everyone in the victim’s NAMES and NETLOG files. As I pointed out in the book, conceptually there is a direct line of succession from this worm to the social engineering worm/Trojan hybrids of the early noughties. Clearly, the line continues through to the social network malware (real and memetic) of today.

And I can’t resist quoting this bit.

“In 1990, the spirit (though none of the code) of the worm was invoked by a message displayed between 24th and 31st December, along with a Christmas tree graphic, on systems infected with the XA1 (Tannenbaum) virus. “Und er lebt doch noch: Der Tannenbaum!”

Which means “and it still lives: the Christmas tree!”


ESET Senior Research Fellow

** Viruses Revealed, by David Harley, Robert Slade and Urs E. Gattiker: Osborne, 2001