Hare Fiasco: a Historical Timeline

Rob Rosenberger, Vmyths co-founder
Monday, 30 September 1996

JUNE 1996

6/18/96: PC Week reporter Jo Pettitt files an online report: "Anti-virus software supplier Dr. Solomon's said the Hare.7610 virus — aka Krsna and HDEuthanasia — has been reported in the wild.... Graham Cluley, senior technology consultant at Dr Solomon's, ... fears that because the virus is not to be triggered before 22 August, some users may not be aware they have it."

AUGUST 1996

8/5/96: Cheyenne Software issues a press release about Hare. The opening paragraph claims it "is difficult to detect through traditional anti-virus software and is considered a severe and highly destructive threat." The Dow Jones news service issues a three-paragraph summary story later in the day based on Cheyenne's press release. 8/6/96: Virus Bulletin editor Ian Whalley offers a detailed analysis of Hare. (He started his analysis work after receiving a copy in late May.) 8/9/96: EliaShim issues a press release announcing a free Hare virus detection program. The second paragraph claims "HARE.7610 is a thoroughly destructive virus. It is multipartite (infects boot sectors and program files), stealth (hides itself), polymorphic (changes form), and encrypts the hard drive's partition table [sic]. Therefore, it has the potential for very rapid distribution." The press release later mentions countries where Hare surfaced and notes "although there have been few confirmed reports ... in the USA as of August 1, 1996, the number of attacks reported may be misleading because most scanners cannot detect this virus." 8/12/96: c|net reporter Janet Kornblum writes what will soon become an ironic online story: "The Hare virus is no Michelangelo, an early virus that attacked users' systems, although the concept is much the same.... 'It's one of the nastiest viruses we've seen in a long time,' said Alex Haddock, a product manager for Symantec." The story later quotes Wolfgang Stiller, president of Stiller Research, who labels Hare "a fairly low threat to the user community as a whole." 8/13/96: PC World reporter Samantha Parent writes an online story which downplays the virus's perceived threat. "The Hare virus is worth watching, says Peter Tippett, President of National Computer Security Associates (NCSA), but it's not likely to bother people who are doing everyday business... 'You're only going to get it if you play in bad neighborhoods,' says Tippett." 8/14/96: The Microsoft Network's popular "start page" (a default starting page for many users of the Internet Explorer web browser) promotes EliaShim as a "pick of the week" in computers & technology. 8/14/96: c|net reporter Janet Kornblum writes another piece titled "How viruses become epidemic." The story almost exclusively revolves around the Hare virus, and it ventures into speculation about using the Internet to begin the spread of new viruses. 8/15/96: Dr. Solomon's issues a press release about Hare. The opening paragraph claims it "may cause significant damage." The press release further states "as an additional service, Dr. Solomon's is sending to all registered customers a disk containing a new version of FindVirus that includes a driver which will allow them to scan for and repair the Hare virus." 8/15/96: EliaShim quickly updates its world wide web home page after Rob Rosenberger alerts them to a typographical ambiguity. (A concerned user asked Rosenberger to explain the differences between the Hare virus and what EliaShim called the "FREE HARE" virus. EliaShim actually just wanted to highlight their offer for a free Hare virus removal utility.) 8/16/96: InfoWorld Electric reporter Diane Frank files an online story: "the anti-virus industry believes [Hare] will not cause long-term problems." NCSA president Peter Tippett and McAfee Associates research director Jimmy Kuo downplay the virus in the story. " 'Throughout the world I would say only 100 to 1,000 people will be affected,' McAfee's Kuo said." 8/16/96: EliaShim issues a press release about its selection as Microsoft Network's "pick of the week" for computers & technology. President Moti J. Dover: "Microsoft's selection adds momentum to our marketing efforts, and comes on the heels of our August 5, 1996 press release about being one of the first anti-virus companies to have a free virus removal tool for the Hare.7610 virus." 8/17/96: In an unrelated incident, miscreants infiltrate the U.S. Department of Justice world wide web home page and alter it to display pictures of swastikas, Adolf Hitler, and genitalia. A banner at the top of the page proclaims 'This page is in violation of the Communications Decency Act.' An Associated Press newswire notes "spokesman Joe Krovisky ... said Justice officials were not sure which statutes were violated but they are certain the action is illegal." 8/19/96: Salt Lake [City] Tribune reporter Lisa Carricaburu writes a story about the Hare virus. Among those quoted as experts in the article: Peter Harrison, a marketing manager at Cheyenne, and Brett Miller, a marketing engineer at Intel. Carricaburu launches a new myth in this article -- "Jimmy Kuo, senior virus researcher at McAfee Associates ... estimates the Hare virus may affect 100,000 computer users as compared to the infamous Michelangelo virus, which affected millions." [Kuo was misquoted.] 8/19/96: PC Week reporter Norvin Leach files an online story about the Hare virus. The lead paragraph claims "most vendors of anti-virus utilities have posted updates that can catch and repair the virus," contradicting most antivirus company press releases which trumpet how their competitors cannot yet deal with Hare. And Hare "is fairly rare. A spokesperson for Symantec ... said fewer than half a dozen customers had been infected, and these customers were spread out over three or four countries." 8/20/96: Trend Micro issues a press release about Hare. The third paragraph: "Virus experts at Trend stress that only a few cases of the Hare Krishna [sic] virus have been reported. 'We don't expect a huge number of incidents from this virus,' said Eva Chen, director of research and development." Further down, the press release oddly proclaims "the virus is contracted through the Internet." 8/20/96: EliaShim issues another press release about new awards bestowed on its world wide web home page. President Moti J. Dover: "Along with [these website honors] and our offer of a free virus removal tool for the Hare.7610 virus, due to hit August 22 or September 22, 1996, our marketing efforts continue to build momentum." 8/20/96: MSNBC reporter Paul Chavez files an online story about the Hare virus. (It appears under 'world news,' not 'science & technology.') The report quotes Glenn Jordan, a senior technology consultant at Dr. Solomon's, who "downplayed" the virus. But Charles Renert, a development manager at Symantec, "said the Hare virus shouldn't be taken lightly. 'It's important because of the widespread nature of it,' Renert said. 'It really is necessary to mobilize on this one. It seems to be spreading and doing so in a stealthy way. You need to take care of it.' " According to Renert, the first outbreak occurred in early July at a New Zealand university. 8/20/96: Reporter Finlay Marshall of PA News writes a story about the Hare virus. "Richard McMillan, of Second Sight, ... told PA News: 'I would be surprised if there were more than 100 instances of this virus in Britain.' " The story later quotes Neil Fawcett of Computer Weekly: "We believe the panic is caused by companies working in anti-virus equipment looking for business. These things are always an anti-climax but [sic] there is no need for scare-mongering.' " Marshall incorrectly states Hare "is believed to have originated in New Zealand in July." 8/20/96: MSNBC anchor Brian Williams conducts a superficial interview with Symantec general manager Mary Engstrom. Williams' lack of computer knowledge clearly shows. (Engstrom tactfully limits herself to one modest plug for Symantec's antivirus software.) 8/21/96: PC Magazine Trends reporter Margaret Kane files an online story: "exactly how many computers have been infected is tough to know, according to Peter Harrison, a [marketing manager at] Cheyenne.... Three months isn't enough time to cause a lot of damage, he admits." 8/21/96: Newsbytes reporter Steve Gold files a newswire: "The Hare virus ... not only wipes a PC's hard disk, but is also very difficult to spot using conventional anti-virus software.... Earlier this month, Peter Harrison, Cheyenne's marketing manager, said that the virus will destroy all data on an infected PC." 8/21/96: ZDNet publishes an online copy of James Daly's virus article in the 9/96 issue of PC/Computing magazine already on newsstands. (It doesn't specifically mention the Hare virus.) Ostensibly a comparison review of antivirus software, Daly's article includes two sidebar stories:

a short interview with Ian "Captain Zap" Murphy — who spelled out doom & gloom with overgeneralized statements;
the "true story" about a "virus attack on a nuclear power plant" — actually a series of Word.Concept virus infections. "[The plant's computer team] scanned dozens of electronic bulletin boards around the world looking for a fix" for example, when it could have simply downloaded a well-publicized fix directly from Microsoft; and after finally downloading one, the plant's computer team "began the grueling task" of securing its computers from Word macro infections.

8/21/96: c|net reporter Janet Kornblum writes another online story titled "D-Day for the Hare virus arrives." Written at the top for an 8/22 release, the story begins: "The Hare virus detonates today and antivirus software companies are lining up to make sure you won't be decimated." Ironically, one would need to turn on a computer to read this — an action which would trigger Hare's destructiveness, rendering the system incapable of accessing this story. Kornblum suddenly switches tense in the middle of her story: "folks may want to rush out and download anti-virus software before tomorrow...."

TRIGGER DATE August 1996

8/22/96: V-DAY ARRIVES!? Yet while fear over Hare continues, major news organizations echo stories about a non-event. Reuters: "About 10 incidents have been reported so far...." MSNBC: "The Hare computer virus ... struck hard drives worldwide, but only in small numbers." 8/22/96: c|net reporter Janet Kornblum writes another online story titled "Hare today, gone tomorrow?" The opening paragraph says Hare "lived up to its promise today" but then immediately qualifies her comment with how "it fell far short of the mainstream media's dire warnings of global mayhem. As virus experts had predicted in interviews with CNET last week, software companies said today that Hare did not appear to be widespread." The story goes on to say "anti-virus companies reported numerous calls from worried customers and curious journalists but reported few, if any, actual hits." 8/22/96: InfoWorld Electric reporter Diane Frank files another online story: "the so-called Hare virus seems to have passed its Thursday deadline quietly, in part due to early detection and warnings by the anti-virus community, but also just because the virus was no good to begin with.... Graham Cluley, senior technical consultant for Dr. Solomon's ... got calls from only four or five clients who had lost their hard disk." 8/22/96: Command Software Systems updates its world wide web pages. "[We are] pleased to report 0 incidents of the Hare virus triggering!" 8/22/96: Crypt Newsletter editor George C. Smith, Ph.D., publishes a scathing opinion piece titled "Symantec's Norton Antivirus Preys upon FEAR and IGNORANCE For Sales" [sic]. 8/22/96: Reuters reporter Tanya Pang files a story about Norwegian attempts to track down paedophiles on the Internet. "Norway's ombudsman for children, Trond Waage, ... had been warned by experts to drop plans to block use of the Internet for child pornography by 'bombing' the paedophiles' communication sites with a computer virus. 'We wanted to establish a network of bomb squads but we were advised not to use this as a solution because of the great risk of receiving return bombs,' Waage said."

POST-HARE August 1996

8/23/96: Data Fellows updates the Hare information available via their world wide web site. The second paragraph of this web page (written before August 22) warns "infections have been reported worldwide. This is quite serious...." Their update, however, says: "As estimated, a handful of reports of overwritten hard drives were received from USA and Europe.... It can be estimated that there will be very few incidents during the subsequent activations of the Hare virus." 8/23/96: IBM updates its Hare information available via their world wide web site. "The Hare viruses now join the Michelangelo [sic] as viruses which are more conspicuous by their publicity than prevalence. Few real instances of Hare virus have been confirmed, but the warnings of doom and gloom on August 22nd and September 22nd have been hear far and wide." 8/23/96: Computerworld reporter Rebecca Sykes files an online story: "Thursday saw the Hare computer virus hit with all the accuracy of a Scud missile, causing almost no damage.... [Dr. Solomon's general manager Stephen] Orenberg said, 'Worldwide, we're only aware of 12 cases of infection that happened.' " 8/23/96: PCWeek Online reporter Norvin Leach files an online story: Hare "caused no more than a small ripple in the computer community. Anti-virus-utility vendors said that only a handful of sites were infected, and most of those were cleaned up before the detonation date." The story quotes Dr. Solomon's senior product manager Bob Middleton, who claims the company "mailed out 70,000 [antivirus software update] disks to our customers, but we never thought this would be a major threat." 8/23/96: Newsbytes reporter Steve Gold files another newswire: "the virus that was due to go off yesterday, as well as on September 22, has proven to be something of a non-event. A straw poll of support teams at several anti-virus software houses has revealed that, while some subscribers to the company's anti-virus service reported problems, each company could count its incidents on the fingers of one hand. This is broadly in keeping with previous 'virus events,' where it seems that the quantity of media hype — apparently stirred up by public relations companies operating on behalf of anti-virus and security software companies -- appears to be inversely proportional to the number of occurrences of the virus iteself." 8/23/96: Crypt Newsletter editor George C. Smith, Ph.D., publishes another scathing opinion piece — this one titled "The Hare Virus: Another Bogus Virus Scare." 8/24/96: No major news organization files a report about computer viruses. 8/25/96: No major news organization files a report about computer viruses. 8/26/96: No major news organization files a report about computer viruses. 8/27/96: No major news organization files a report about computer viruses. 8/28/96: No major news organization files a report about computer viruses. (Newsbytes reporter Ian Stokell mentions viruses peripherally in a story about new software released by Seagate.) 8/28/96: The National Computer Security Association issues a press release touting its selection as one of the top 25 world wide web sites according to the latest I-Way 500 ratings. 8/29/96: No major news organization files a report about computer viruses. (Newsbytes reporter Bill Pietrucha mentions viruses as an analogy in a story about Alabama's efforts to upgrade state software for the year 2000.) 8/29/96: Jimmy Kuo of McAfee Associates posts a public message on the UseNet comp.virus newsgroup: "Informal poll among 8 or so [antivirus] vendors registered approximately 30 incidents affecting 80 or so machines worldwide." 8/30/96: A Reuters newswire focuses on a new Japanese police unit, the "Security Systems Countermeasures Team," which will "try to stem a spread of computer viruses and other attacks by hackers." No other major news organization files a report about computer viruses.

SEPTEMBER 1996

9/12/96: CompUSA, a national chain of computer stores, issues a press release urging users to purchase antivirus software for Hare's upcoming second trigger date. Spokesman Mark Clauder oddly claims "there are trial [antivirus] programs available on the Internet, but if you download [one] ... you may not be protected from the latest strains of a virus." The press release incorrectly refers to McAfee Associates as "MacAffee." A special notice at the bottom reads: "ATTENTION MEDIA: In-store interviews regarding virus protection are being scheduled now. To schedule an interview with CompUSA personnel, contact...." 9/18/96: United Press International issues a newswire containing at least one major error in every paragraph: "The Hindustan Times reported Wednesday an Indian computer virus [sic] ... is expected to activate itself on Sept. 20 [sic]. The virus ... will scramble files on hard disc drives when it strikes on Friday [sic], the newspaper said. Computer data affected by the virus can be restored only by keying in a special code that remains secret [sic], Naren Kumar, a noted Indian computer virus expert, said. The virus is picked up each time a user downloads text or pictures [sic] from one of many [sic] sex-related Internet sites, Kumar said.... [Hare] is also difficult to detect because it evades the generation of anti-virus scanning systems currently available [sic], he said. Experts could not say why the virus was designed to target only pornographic downloads [sic]. Although [the virus] is India-based [sic] ... it has the potential to infect computers worldwide." 9/18/96: McAfee Associates issues a press release which "accuse[s] Symantec ... of making false and misleading claims regarding its Norton AntiVirus 2.0 software, to the detriment of Symantec's customers and the reputation of the anti-virus industry."

TRIGGER DATE September 1996

9/22/96: V-DAY ARRIVES AGAIN!? A few reporters call antivirus companies for possible follow-up stories. Initial estimate: zero Hare attacks worldwide.

POST-HARE September 1996

9/23/96: MSNBC reporter Paul Chavez files an online story with the headline "No Sunday attack by Hare virus." Chavez fills almost half the story with details about Rob Rosenberger, the Computer Virus Myths home page, and this Hare timeline document.

Rob Rosenberger's random thoughts

Pardon me while I fume: I predicted this media fiasco back in 1992. I missed the timing by a mere five months.
Like Michelangelo in 1992, the Hare virus looked "sexy" by media standards. Reporters probably salivated over key words & phrases used to describe it: new, severe and highly destructive threat, stealth, polymorphic, armored, multi-partite, initially distributed via Internet pornography-related newsgroups, etc.
Every press release from an antivirus company included details on how to obtain a free detection utility from their world wide web site.
Many press releases describe how Hare's author employed UseNet newsgroups as its initial transmission vector. Yet I can't find a press release which implicates UseNet newsgroups or the Internet in general as a prolific transmission vector — this despite Janet Kornblum's story where she claims "antivirus experts agree that the Internet as a whole has created a vast, new venue where viruses can be spread widely and anonymously. With millions of people using the Net every day, these experts warn network managers to be especially vigilant when giving full Internet access to all employees."
- Cheyenne's 8/5/96 press release correctly italicizes the word via while discussing the Internet's role in spreading macro viruses. For example, some viruses spread via the U.S. Postal Service, not because of the U.S. Postal Service.
- This subtle distinction probably qualifies as "esoteric" for now. The media needs to stop quoting marketing personnel before it can tackle the problem of making uneducated assumptions.
Janet Kornblum's story implies the Internet is a dangerous place to surf. "With millions of people using the Net every day, these experts warn network managers to be especially vigilant when giving full Internet access to all employees." (Does this imply www.cnet.com is hazardous to your computer's health?) Even more disturbing: I can't identify a virus expert who agrees with this statement.
Note to the mainstream media: the fact a virus spreads [initially] via the Internet to different locations around the world does not necessarily mean the virus resides in millions of computers. For example, I might send a message to one person in Alaska, one person in Japan, one person in France, and one person in Australia. My message instantly appears in countries all over the world, but it doesn't mean millions of people received it. Likewise, if a virus writer uses Internet newsgroups as his initial transmission vector, it doesn't mean the virus will continue to spread primarily via Internet newsgroups.
Certain antivirus firms updated their world wide web sites after August 22 to "downplay" the media hype surrounding Hare. (Spin control in some cases; gloating in other cases.)
Dr. Solomon's 8/15/96 press release may wind up coining the phrase "SPAM virus," a term until now seldom heard outside the antivirus community. As an acronym, SPAM means the virus uses stealth, polymorphic, and multi-partite techniques. As a slang verb, spam means to inundate UseNet newsgroups with unwanted [commercial] postings.
A disturbing trend continues in press releases: "which is able to avoid detection by many anti-virus software products." Cheyenne, for example, claimed this on August 5 — months after Hare's debut. Most antivirus company press releases imply the other antivirus companies can't detect the latest threat. (Smith covers this in his own opinion piece about Hare.)
Dr. Solomon's 5/14/96 press release, and other companies' press releases, treat the Tentacle virus in much the same way as they treated Hare. So the question arises: what unique essence turned Hare into a media fiasco rather than Tentacle? (Hypothesis: reporters focused on Hare's connection to controversial UseNet newsgroups.)
Data Fellows claims its F-HARE detector/disinfector "was downloaded well over 35000 times during the weeks before August 22nd."
McAfee Associates did not figure prominently in the Hare fiasco — unlike previous fiascos [e.g. Columbus 1989, Michelangelo 1992] where John McAfee cornered the market on pre-trigger-date media publicity. (Then again, John's name appears nowhere in the latest McAfee Associates shareholder package. He dropped off the radar soon after the Michelangelo fiasco.)

"I just assumed it was the Hare virus"

The following exchange took place on the UseNet comp.virus newsgroup. It involved Chengi "Jimmy" Kuo of McAfee Associates and a person who identifies himself only as Les. Kuo notes the number of computers affected worldwide by the Hare virus — and Les steps in with a personal anecdote...

Chengi J. Kuo:
Informal poll among 8 or so [antivirus] vendors registered approximately 30 incidents [of the Hare virus] affecting 80 or so machines worldwide.
Les:
I had it while my machine was unattended (home PC) and it wiped me out. Two hard disks and a zip disk which happened to be in at the time.
Chengi J. Kuo:
Not to say that you didn't have it but, how does an unattended machine wipe itself out with a virus that only does this stuff on bootup?
Les:
Well I guess I am only assuming that that's what it did, because it was the correct date....

[unknown edition published
ca.September 1996]