PERRIN "Virus" Hoax - U-M Virus Busters

The Perrin/Upgrade Internet2 "Virus" Email Warning Is A Hoax

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)

Last significant update: 17 January 2001

This information can be freely reproduced in any medium, as long as the information is unmodified.

Thanks to RSchudel, who first brought this to our attention on 26 August, 2000.

This hoax actually includes the names of some files that often are used to carry malware of one sort or another -- using file names, though, is a Bad Idea, since viruses can be named any legal file name (and some illegal ones as well).

Here is the text of the hoax:


"VIRUS WITH NO CURE"

PLEASE, SEND THIS INFORMATION TO EVERY PERSON IN YOUR ADDRESS BOOK.

No, please do not. That would be bearing false witness.



IF YOU RECEIVE AN E-MAIL THAT READS "UPGRADE INTERNET2" DO NOT OPEN IT,

Actually, this is good advice -- but it doesn't go far enough:

NEVER accept unsolicited email attachments, even when they appear to be from someone you know and trust.

The hoaxter isn't trying to be helpful here, though. Pity. Instead, s/he is attempting to muddy the waters.


AS IT CONTAINS AN EXECUTABLE NAMED "PERRIN.EXE." IT WILL ERASE ALL THE DATA IN
YOUR HARD DRIVE AND IT WILL STAY IN MEMORY. EVERY TIME THAT YOU UPLOAD ANY
DATA, IT WILL BE AUTOMATICALLY ERASED AND YOU WILL NOT BE ABLE TO USE YOUR
COMPUTER AGAIN.

No such file has ever been reported -- and after this many months, there would be plenty of reports if it did exist.


THIS INFORMATION WAS PUBLISHED YESTERDAY IN THE CNN WEB SITE.

False; see for yourself.

If you apply legal standards now -- that once a witness has been shown to provide false testimony, all other testimony is suspect -- you can ignore the rest, starting right now. Or read on, for more debunking.



THIS IS A VERY DANGEROUS VIRUS. TO THIS DATE, THERE IS NO KNOWN ANTIVIRUS
PROGRAM FOR THIS PARTICULAR VIRUS.

Then how, pray tell, was it purported to have been detected? Remember, antivirus companies tend not to announce viruses until they have a cure available. The marketroids wouldn't have it any other way....


PLEASE, FORWARD THIS INFORMATION TO YOUR
FRIENDS, SO THAT THEY WILL BE ON THE ALERT.



ALSO CHECK THE LIST BELOW, SENT BY IBM, WITH THE NAMES OF SOME E-MAILS THAT,
IF RECEIVED, SHOULD NOT BE OPENED AND MUST BE DELETED IMMEDIATELY, BECAUSE
THEY CONTAIN ATTACHED VIRUSES. THIS WAY YOUR COMPUTER WILL BE SAFE.

This approach is futile -- viruses can be named anything.

Instead, it would be a lot more helpful to say:

NEVER ACCEPT UNSOLICITED ATTACHMENTS, even from those you know and trust. (Yeah, I know, but it bears repeating.)
Get top quality antivirus software, install it, and USE it.
Keep said software updated, preferably at least once a week.
Avoid crappy emailers that allow active content, like the Microsoft Outlook variants. Otherwise, you WILL get bitten by junk like this.

But then again, hoaxters can't ever be expected to be helpful. Twerps.


THE TITLES ARE:

1) buddylst.exe

Ha! A known hoax; see e.g., our own debunk


2) calcu18r.exe
3) deathpr.exe
4) einstein.exe
5) happ.exe
6) girls.exe
7) happy99.exe

That's the name of the file dropped by a known worm, W32/Ska.A. But that's ancient (it appeared way back in 1998), and hence protected against by any current antivirus software, and hence this "warning" is silly.


8) japanese.exe
9) keypress.exe
10) kitty.exe
11) monday.exe
12) teletubb.exe
13) The Phantom Menace
14) prettypark.exe

Another known worm -- and also ancient.


15) UP-GRADE INTERNET2
16) perrin.exe
17) I love You

From May, 2000 -- again, any current antivirus software handles this.


18) CELCOM Screen Saver or CELSAVER.EXE
19) Win a Holiday (e-mail)
20) JOIN THE CREW O PENPALS

And to wrap it up, three known hoaxes. See our CelCom, Win A Holiday, and Join The Crew debunks, for example.


ONCE AGAIN, DO NOT OPEN THESE E-MAILS!!! PASS THIS INFORMATION ON TO YOUR
FRIENDS AS SOON AS POSSIBLE.

No no no. Not once, in years and years and years (and megabytes and megabytes) of emails that say in effect "Forward to everyone you know, have I seen a single one that merited doing so. 99.999% (more, actually) are hoaxes, and the rest are junk that isn't deserving of forwarding.

This is clearly a hoax; for one thing, there is no mention of it at CNN's web site (not that this would make it credible, mind you, but the lack speaks volumes). But let's assume that it is real. Then it still would be worthless:

There is no contact point for more info (phone, URL, snail mail)
It's not dated, so one can't tell whether the "no known fix" applies still -- and this particular message has been around for a good while.
Even if true, such warnings should NEVER go from user to user. They can go from internal security personnel to their own flocks; from security to security at other places (to inform, or ask about validity; also from the vendor of a compromised product to IS folks, or even end users). Finally, it is ok for end users to contact their own security personnel, or folks like us if they (a) trust us and (b) have no internal security contacts either to report a new hoax, or inquire about the validity of a warning.
Even if this were true, it would be trivial for the bad guys to change the names of the naughty programs -- and it is equally possible that valid, innocent programs might have the same name(s) as the purported evil ones.
Clearly these are programs that would, if they existed, work only on PCs. Hence there should be an effort to avoid waring Mac (or other) platform users -- since no such effort is made, it is another hoax tipoff.
The fact that it is in ALL CAPS is a haox tip-off.
The "Forward to everyone" request is almost a headline shouting I AM A HOAX!!!

But enough: the bottom line is that it belongs in the electronic circular file.

Please do not forward this -- or any other hoax -- to all your friends.

Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- informing the originators that this is a hoax. For this particular hoax, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/hoaxes/perrin.html)

For corroboration, see e.g., the NAI (leaving our site) or F-Secure (leaving our site) debunks of this hoax.

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Wednesday, 02-Jan-2002 18:37:41 EST.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 16 January 2001 15:22 EST