On May 14, 2002, while working at a client site, I received an email from the security administrator telling me to be on the lookout for an email hoax. The hoax was travelling rapidly across the Internet as an email containing detailed, easy-to-follow instructions for removing a supposedly infected file from the reader's computer. The security administrator's email pointed out that readers should not follow the instructions and should delete the hoax immediately, because there was no infected file on their computer. The email was designed to convince the reader that an infected file was present on their computer and had to be deleted, or it would become active on June 1st and wipe out all the files and folders on the computer's hard drive.
Below are two different samples of the contents of the email hoax. Sample 1 - Email Hoax (Found on the Internet) is the content of a version I found on the Internet. Sample 2 - Email Hoax (Actual Email Content Received at the Client Site) is the content of the version circulating through the email system at the client site where I am working. Every version of the email hoax I have read was written specifically to target the Microsoft operating system.
Sample 1 - Email Hoax (Found on the Internet)
A VIRUS could be in your computer files now, dormant but will become active on June 1. Try not to USE your Computer on June 1st. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW. No Virus software can detect it. It will become active on June 1, 2001. It might be too late by then. It wipes out all files and folders on the hard drive. This virus travels thru E-mail and migrates to the 'C:\windows\command' folder. To find it and get rid of it off of your computer, do the following.
- Go to the "START" button.
- Go to "FIND" or "SEARCH"
- Go to "FILES & FOLDERS"
- Make sure the find box is searching the "C:" drive.
- Type in: SULFNBK.EXE
- Begin search.
- If it finds it, highlight it. Do not double click or file will automatically Open.
- Go to 'File' and delete it.
- Close the find Dialog box
- Open the Recycle Bin
- Find the file and delete it from the Recycle bin
- You should be safe.
The bad part is: You need to contact everyone you have sent ANY E-mail to in the past few months. Many major companies have found this virus on their computers. Please help your colleagues and friends!
DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
WHATEVER YOU DO, DO NOT OPEN THE FILE!!!
Sample 2 - Email Hoax (Actual Email Content Received at Client Site)
I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:
The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. McAfee or Norton does not detect the virus and it stays quiet for 14 days before damaging the system. The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is just necessary to do the following steps:
- Go to Start, click "Search"
- In the "Files or Folders option" write the name jdbgmgr.exe
- Be sure that you are searching in the drive "C"
- Click "find now"
- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe) DO NOT OPEN IT FOR ANY REASON
- Right click and delete it (it will go to the Recycle bin)
- Go to the recycle bin and delete it or empty the recycle bin.
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.
As I started to write this article, six people working in my area of the building followed the instructions and deleted their so-called infected file. Based on this figure I estimated that 750-plus people throughout the organization either attempted to delete or actually deleted the file per the instructions in the email. One of the six individuals was a technical person. I wouldn't call this an email virus; I'd call it a form of Technical Mental Terrorism using email as the technical delivery mechanism. The creator(s) used words to instruct the reader to do something, in this case to delete a specific file on their computer. The email itself didn't infect or damage the user's computer system. The user reading the email was mentally manipulated, or socially engineered, by the email into damaging their own computer. In my past article (Mental Terrorism on the World Wide Web) we discussed this topic and gave it the name Mental Terrorism on the World Wide Web; since then I have revised the term to Technical Mental Terrorism (TMT).
TMT grew out of social engineering, where an individual would use social engineering techniques to extract particular system information from a key user (i.e. administrator, sa, root, etc.) in order to gain access to a system. Social engineering involves using words in a creative way to extract particular information or actions from an individual. For example, I call you and, in a very creative way, use words to pretend to be a person at your bank and ask you for your social security number. TMT is the use of social engineering techniques to inflict damage or fear on a system or user community through a technical delivery mechanism. The technical delivery mechanism does not cause the damage; the user causes the damage by being socially engineered by the delivery mechanism (in this case the email) into performing the damaging action. Terrorism, on the other hand, is the ability to inflict fear and damage into the hearts of individuals and/or their communities. In our case, the fear and damage are inflicted on the user and their computer, also affecting their user community. Put it all together and you have a perfect example of TMT.
I'm sure the realized and unrealized cost of this TMT for my client will amount to millions of dollars (i.e. rebuilding workstations, disrupted work, etc.). How will M*Afee and N*rt*n defend your systems against this threat delivered via the Internet? Face the facts: TMT is alive on the World Wide Web. It seems foolish that an individual would receive an email asking them to delete a file from their computer system and would, without thinking, simply delete the file. But if the email was sent from, let's say, the security administrator at your company, I could see how many more individuals in the organization would believe the email and delete the so-called infected file from their computer. For example, if the subject line read "Urgent N*rt*n Email Virus WARNING - Please follow these instructions", "Urgent M*Afee Email Virus WARNING - Please follow these instructions" or "Corporate Security Administrator Alert", I could see more of the individuals who read the email actually following the instructions and deleting the file.
How can you protect yourself or your user community? There are many different ways to protect your users and their computer systems from TMT. The following will help reduce the threat of TMT:
- Educate your user community to the threat of TMT
- Review your policies and procedures regarding what a user can and can't do to their computer system(s) and monitor computers via network census software
- Enforce your policies and procedures
- Don't allow users to send or receive emails to and from services like Yahoo, Hushmail, Hotmail, AOL, etc.
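As an added illustration of the education and monitoring points above (this is not code from the original article), here is a small Python filter that scores an email body against the tell-tale signals of this hoax family: a named executable, search-and-delete instructions, the "your anti-virus cannot detect it" claim, and the "send this to everyone" chain-letter push. The signal patterns and the three sample messages are constructed here; the two file names come from the samples quoted above.

```python
import re

# Executables that the two hoax samples on this page tell readers to delete;
# both are legitimate Windows files, so any mail urging their removal is suspect.
KNOWN_HOAX_TARGETS = {"sulfnbk.exe", "jdbgmgr.exe"}

# Constructed heuristic signals modelled on the wording of the samples above.
FLAGS = re.I | re.S
SIGNALS = {
    "names_executable": re.compile(r"\b[\w-]+\.exe\b", FLAGS),
    "delete_instruction": re.compile(r"\b(delete|remove|get rid of)\b.{0,40}\b(it|file|virus)\b", FLAGS),
    "empty_recycle_bin": re.compile(r"recycle\s*bin", FLAGS),
    "av_cannot_detect": re.compile(r"\b(cannot|can.t|does not|no)\b.{0,30}\bdetect", FLAGS),
    "forward_to_all": re.compile(
        r"\b(send|forward|contact)\b.{0,40}\b(everyone|all of your contacts|address book|colleagues|friends)\b",
        FLAGS),
}

def score_message(text):
    """Return (score, names of matched signals) for one email body."""
    hits = [name for name, pattern in SIGNALS.items() if pattern.search(text)]
    return len(hits), hits

def hoax_targets(text):
    """Executables the message names, lower-cased, for comparison with the known list."""
    return {m.group(0).lower() for m in SIGNALS["names_executable"].finditer(text)}

def is_hoax(text, threshold=3):
    """Flag a message when enough signals co-occur, or when it names a known hoax target."""
    score, _ = score_message(text)
    return score >= threshold or bool(hoax_targets(text) & KNOWN_HOAX_TARGETS)

# Constructed sample bodies: condensed versions of the two hoaxes and one routine IT notice.
HOAX_1 = ("A VIRUS could be in your computer files now. No Virus software can detect it. "
          "Type in: SULFNBK.EXE. If it finds it, highlight it. Go to 'File' and delete it. "
          "Open the Recycle Bin and delete it from there. Contact everyone you have e-mailed.")
HOAX_2 = ("The name of this virus is jdbgmgr.exe. McAfee or Norton does not detect the virus. "
          "Right click and delete it (it will go to the Recycle bin). SEND THIS MESSAGE TO ALL "
          "OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK.")
BENIGN = ("Reminder from IT: the quarterly security awareness session is on Friday at 10am. "
          "Bring your laptop; the new build of setup.exe will be demonstrated.")

if __name__ == "__main__":
    for label, body in (("hoax 1", HOAX_1), ("hoax 2", HOAX_2), ("benign", BENIGN)):
        score, hits = score_message(body)
        print(f"{label}: hoax={is_hoax(body)} score={score} signals={hits}")
```

A mail gateway or help desk can use a score like this to quarantine or annotate such messages before users act on them; a message naming a legitimate system file is flagged even when the other signals are weak.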
In conclusion, it has been said that the safest computer is one that is turned off, locked in a steel box, in a cement bunker in the ground, and even then it's still not safe from intrusion. In the real world we depend on computers. Computers make our lives fun and interesting, always keeping us on the edge. Therefore we must always educate ourselves about new computer security threats and develop methods to combat and thwart them.
SIDE NOTE - The number of individuals who received the email hoax and actually tried to delete, or did delete, the so-called infected file displays a lack of confidence in their virus protection software and in their security policies and procedures. There also seems to be a belief among the individuals who believed what was stated in the email that their operating system can be manipulated or threatened by some unknown technical force or being out there on the Internet. And there are a lot of individuals who can be easily socially engineered via technical means, or in other words technically mentally terrorized.