Truth About Computer Security Hysteria
Hare Fiasco: a Historical Timeline
Monday, 30 September 1996
6/18/96: PC Week reporter Jo Pettitt files an online report: "Anti-virus software
supplier Dr. Solomon's said the Hare.7610 virus — aka Krsna and HDEuthanasia — has been reported in the wild....
Graham Cluley, senior technology consultant at Dr Solomon's, ... fears that because the virus is not to be triggered
before 22 August, some users may not be aware they have it."
8/5/96: Cheyenne Software issues a
press release about Hare.
The opening paragraph claims it "is difficult to detect through traditional anti-virus software and is
considered a severe and highly destructive threat." The Dow Jones news service issues a
three-paragraph summary story later in the day based on Cheyenne's press release.
8/6/96: Virus Bulletin editor Ian Whalley offers a
detailed analysis of Hare.
(He started his analysis work after receiving a copy in late May.)
8/9/96: EliaShim issues a press release announcing a free Hare virus detection program.
The second paragraph claims "HARE.7610 is a thoroughly destructive virus. It is multipartite (infects boot
sectors and program files), stealth (hides itself), polymorphic (changes form), and encrypts the hard drive's
partition table [sic]. Therefore, it has the potential for very rapid distribution." The press
release later mentions countries where Hare surfaced and notes "although there have been few confirmed
reports ... in the USA as of August 1, 1996, the number of attacks reported may be misleading because most scanners
cannot detect this virus."
8/12/96: c|net reporter Janet Kornblum writes what will soon become an ironic
online story: "The Hare virus is no
Michelangelo, an early virus that attacked users' systems, although the concept is much
the same.... 'It's one of the nastiest viruses we've seen in a long time,' said Alex Haddock, a product manager
for Symantec." The story later quotes Wolfgang Stiller, president of
Stiller Research, who labels Hare "a fairly low
threat to the user community as a whole."
8/13/96: PC World reporter Samantha Parent writes an
online story which downplays
the virus's perceived threat. "The Hare virus is worth watching, says Peter Tippett, President of National
Computer Security Associates (NCSA), but it's not likely to bother people who are doing everyday business...
'You're only going to get it if you play in bad neighborhoods,' says Tippett."
8/14/96: The Microsoft Network's popular
"start page" (a default starting page for many users of
the Internet Explorer web browser) promotes EliaShim as a
"pick of the week" in computers & technology.
8/14/96: c|net reporter Janet Kornblum writes another piece titled
"How viruses become epidemic."
The story almost exclusively revolves around the Hare virus, and it ventures into speculation about using
the Internet to begin the spread of new viruses.
8/15/96: Dr. Solomon's issues a
press release about Hare.
The opening paragraph claims it "may cause significant damage." The press release further states
"as an additional service, Dr. Solomon's is sending to all registered customers a disk containing a new
version of FindVirus that includes a driver which will allow them to scan for and repair the Hare virus."
8/15/96: EliaShim quickly updates its world
wide web home page after Rob Rosenberger alerts them to a typographical ambiguity. (A
concerned user asked Rosenberger to explain the differences between the Hare virus and what EliaShim called
the "FREE HARE" virus. EliaShim actually just wanted to highlight their offer for a free Hare
virus removal utility.)
8/16/96: InfoWorld Electric reporter Diane Frank files an
"the anti-virus industry believes [Hare] will not cause long-term problems."
NCSA president Peter Tippett and McAfee Associates research
director Jimmy Kuo downplay the virus in the story. " 'Throughout the world I would say only 100 to
1,000 people will be affected,' McAfee's Kuo said."
8/16/96: EliaShim issues a press release about
its selection as Microsoft Network's "pick of the week" for computers & technology. President Moti
J. Dover: "Microsoft's selection adds momentum to our marketing efforts, and comes on the heels of our August
5, 1996 press release about being one of the first anti-virus companies to have a free virus removal tool for the
8/17/96: In an unrelated incident, miscreants infiltrate the U.S. Department of Justice world wide
web home page and alter it to display pictures of swastikas, Adolf Hitler, and genitalia. A banner at the top of
the page proclaims 'This page is in violation of the Communications Decency Act.'
An Associated Press newswire notes "spokesman Joe Krovisky ... said Justice officials were not
sure which statutes were violated but they are certain the action is illegal."
8/19/96: Salt Lake [City] Tribune reporter Lisa Carricaburu writes a story about the
Hare virus. Among those quoted as experts in the article: Peter Harrison, a marketing manager at
Cheyenne, and Brett Miller, a marketing engineer at Intel. Carricaburu launches a new myth in this article
-- "Jimmy Kuo, senior virus researcher at McAfee Associates ... estimates the Hare virus may affect 100,000
computer users as compared to the infamous Michelangelo virus, which affected
millions." [Kuo was misquoted.]
8/19/96: PC Week reporter Norvin Leach files an
online story about the Hare virus. The
lead paragraph claims "most vendors of anti-virus utilities have posted updates that can catch and repair the
virus," contradicting most antivirus company press releases which trumpet how their competitors
cannot yet deal with Hare. And Hare "is fairly rare. A spokesperson for Symantec ...
said fewer than half a dozen customers had been infected, and these customers were spread out over three or four
8/20/96: Trend Micro issues a press release about Hare. The third paragraph: "Virus
experts at Trend stress that only a few cases of the Hare Krishna [sic] virus have been reported. 'We don't
expect a huge number of incidents from this virus,' said Eva Chen, director of research and development."
Further down, the press release oddly proclaims "the virus is contracted through the Internet."
8/20/96: EliaShim issues another press release
about new awards bestowed on its world wide web home page. President Moti J. Dover: "Along with [these
website honors] and our offer of a free virus removal tool for the Hare.7610 virus, due to hit August 22 or
September 22, 1996, our marketing efforts continue to build momentum."
8/20/96: MSNBC reporter Paul Chavez files an online story about the Hare
virus. (It appears under 'world news,' not 'science & technology.') The report quotes Glenn Jordan, a senior
technology consultant at Dr. Solomon's, who "downplayed" the virus. But Charles Renert, a development
manager at Symantec, "said the Hare virus shouldn't be taken lightly. 'It's important because of the
widespread nature of it,' Renert said. 'It really is necessary to mobilize on this one. It seems to be spreading
and doing so in a stealthy way. You need to take care of it.' " According to Renert, the first outbreak
occurred in early July at a New Zealand university.
8/20/96: Reporter Finlay Marshall of PA News writes a story about the Hare virus.
"Richard McMillan, of Second Sight, ... told PA News: 'I would be surprised if there were more than 100
instances of this virus in Britain.' " The story later quotes Neil Fawcett of
Computer Weekly: "We believe the panic is caused by companies working in anti-virus equipment
looking for business. These things are always an anti-climax but [sic] there is no need for
scare-mongering.' " Marshall incorrectly states Hare "is believed to have originated in New
Zealand in July."
8/20/96: MSNBC anchor Brian Williams conducts a superficial interview with Symantec
general manager Mary Engstrom. Williams' lack of computer knowledge clearly shows. (Engstrom tactfully limits
herself to one modest plug for Symantec's antivirus software.)
8/21/96: PC Magazine Trends reporter Margaret Kane files an
online story: "exactly how many
computers have been infected is tough to know, according to Peter Harrison, a [marketing manager at]
Cheyenne.... Three months isn't enough time to cause a lot of damage, he admits."
8/21/96: Newsbytes reporter Steve Gold files a newswire: "The Hare virus ...
not only wipes a PC's hard disk, but is also very difficult to spot using conventional anti-virus software....
Earlier this month, Peter Harrison, Cheyenne's marketing manager, said that the virus will destroy all data on an
8/21/96: ZDNet publishes an
online copy of James Daly's
virus article in the 9/96 issue of PC/Computing magazine already on newsstands. (It doesn't
specifically mention the Hare virus.) Ostensibly a comparison review of antivirus software, Daly's article
includes two sidebar stories:
8/21/96: c|net reporter Janet Kornblum writes another online story titled
"D-Day for the Hare virus arrives."
Written at the top for an 8/22 release, the story begins: "The Hare virus detonates today and antivirus
software companies are lining up to make sure you won't be decimated." Ironically, one would need to turn on
a computer to read this — an action which would trigger Hare's destructiveness, rendering the system
incapable of accessing this story. Kornblum suddenly switches tense in the middle of her story: "folks may
want to rush out and download anti-virus software before tomorrow...."
- a short interview with Ian "Captain Zap" Murphy — who spelled out doom & gloom with
- the "true story" about a "virus attack on a nuclear power plant" — actually a series of
Word.Concept virus infections. "[The plant's computer team] scanned dozens of electronic bulletin
boards around the world looking for a fix" for example, when it could have simply downloaded a
well-publicized fix directly from
and after finally downloading one, the plant's computer team "began the grueling task" of securing
its computers from Word macro infections.
TRIGGER DATE August 1996
8/22/96: V-DAY ARRIVES!? Yet while fear
over Hare continues, major news organizations echo stories about a non-event. Reuters:
"About 10 incidents have been reported so far...." MSNBC: "The Hare computer virus ...
struck hard drives worldwide, but only in small numbers."
8/22/96: c|net reporter Janet Kornblum writes another online story titled
"Hare today, gone tomorrow?"
The opening paragraph says Hare "lived up to its promise today" but then immediately qualifies her
comment with how "it fell far short of the mainstream media's dire warnings of global mayhem. As virus
experts had predicted in interviews with CNET last week, software companies said today that Hare did not appear to
be widespread." The story goes on to say "anti-virus companies reported numerous calls from worried
customers and curious journalists but reported few, if any, actual hits."
8/22/96: InfoWorld Electric reporter Diane Frank files another
"the so-called Hare virus seems to have passed its Thursday deadline quietly, in part due to early detection
and warnings by the anti-virus community, but also just because the virus was no good to begin with.... Graham
Cluley, senior technical consultant for Dr. Solomon's ... got calls from only four or five clients who had lost
their hard disk."
8/22/96: Command Software Systems updates its world wide web pages. "[We are] pleased to
report 0 incidents of the Hare virus triggering!"
8/22/96: Crypt Newsletter editor George C. Smith, Ph.D., publishes a scathing opinion
"Symantec's Norton Antivirus Preys upon FEAR and IGNORANCE For Sales"
8/22/96: Reuters reporter Tanya Pang files a story about Norwegian attempts to track
down paedophiles on the Internet. "Norway's ombudsman for children, Trond Waage, ... had been
warned by experts to drop plans to block use of the Internet for child pornography by 'bombing' the paedophiles'
communication sites with a computer virus. 'We wanted to establish a network of bomb squads but we were advised
not to use this as a solution because of the great risk of receiving return bombs,' Waage said."
POST-HARE August 1996
8/23/96: Data Fellows updates the
Hare information available via their
world wide web site. The second paragraph of this web page (written before August 22) warns "infections have
been reported worldwide. This is quite serious...." Their update, however, says: "As estimated,
a handful of reports of overwritten hard drives were received from USA and Europe.... It can be estimated that
there will be very few incidents during the subsequent activations of the Hare virus."
8/23/96: IBM updates its Hare
information available via their world wide web site. "The Hare viruses now join the Michelangelo
[sic] as viruses which are more conspicuous by their publicity than prevalence. Few real instances of Hare
virus have been confirmed, but the warnings of doom and gloom on August 22nd and September 22nd have been hear far
8/23/96: Computerworld reporter Rebecca Sykes files an
"Thursday saw the Hare computer virus hit with all the accuracy of a Scud missile, causing almost no damage....
[Dr. Solomon's general manager Stephen] Orenberg said, 'Worldwide, we're only aware of 12 cases of infection that
8/23/96: PCWeek Online reporter Norvin Leach files an
online story: Hare "caused no
more than a small ripple in the computer community. Anti-virus-utility vendors said that only a handful of sites
were infected, and most of those were cleaned up before the detonation date." The story quotes Dr. Solomon's
senior product manager Bob Middleton, who claims the company "mailed out 70,000 [antivirus software update]
disks to our customers, but we never thought this would be a major threat."
8/23/96: Newsbytes reporter Steve Gold files another newswire: "the virus that
was due to go off yesterday, as well as on September 22, has proven to be something of a non-event. A straw poll
of support teams at several anti-virus software houses has revealed that, while some subscribers to the company's
anti-virus service reported problems, each company could count its incidents on the fingers of one hand. This is
broadly in keeping with previous 'virus events,' where it seems that the quantity of media hype — apparently
stirred up by public relations companies operating on behalf of anti-virus and security software companies --
appears to be inversely proportional to the number of occurrences of the virus iteself."
8/23/96: Crypt Newsletter editor George C. Smith, Ph.D., publishes another scathing
opinion piece — this one titled
"The Hare Virus: Another Bogus Virus Scare."
8/24/96: No major news organization files a report about computer viruses.
8/25/96: No major news organization files a report about computer viruses.
8/26/96: No major news organization files a report about computer viruses.
8/27/96: No major news organization files a report about computer viruses.
8/28/96: No major news organization files a report about computer viruses.
(Newsbytes reporter Ian Stokell mentions viruses peripherally in a story about new software released
8/28/96: The National Computer Security Association issues a press release touting its selection
as one of the top 25 world wide web sites according to the latest I-Way 500 ratings.
8/29/96: No major news organization files a report about computer viruses.
(Newsbytes reporter Bill Pietrucha mentions viruses as an analogy in a story about Alabama's efforts
to upgrade state software for the year 2000.)
8/29/96: Jimmy Kuo of McAfee Associates posts a public message on the UseNet
comp.virus newsgroup: "Informal poll among 8 or so [antivirus] vendors
registered approximately 30 incidents affecting 80 or so machines worldwide."
8/30/96: A Reuters newswire focuses on a new Japanese police unit, the "Security
Systems Countermeasures Team," which will "try to stem a spread of computer viruses and other attacks by
hackers." No other major news organization files a report about computer viruses.
9/12/96: CompUSA, a national chain of computer stores, issues a
urging users to purchase antivirus software for Hare's upcoming second trigger date. Spokesman Mark Clauder
oddly claims "there are trial [antivirus] programs available on the Internet, but if you download [one] ...
you may not be protected from the latest strains of a virus." The press release incorrectly refers to McAfee
Associates as "MacAffee." A special notice at the bottom reads: "ATTENTION MEDIA: In-store
interviews regarding virus protection are being scheduled now. To schedule an interview with CompUSA personnel,
9/18/96: United Press International issues a newswire containing at least one major
error in every paragraph: "The Hindustan Times reported Wednesday an Indian computer virus [sic]
... is expected to activate itself on Sept. 20 [sic]. The virus ... will scramble files on hard disc drives
when it strikes on Friday [sic], the newspaper said. Computer data affected by the virus can be restored
only by keying in a special code that remains secret [sic], Naren Kumar, a noted Indian computer virus
expert, said. The virus is picked up each time a user downloads text or pictures [sic] from one of many
[sic] sex-related Internet sites, Kumar said.... [Hare] is also difficult to detect because it
evades the generation of anti-virus scanning systems currently available [sic], he said. Experts could not
say why the virus was designed to target only pornographic downloads [sic]. Although [the virus] is
India-based [sic] ... it has the potential to infect computers worldwide."
9/18/96: McAfee Associates issues a
press release which "accuse[s]
Symantec ... of making false and misleading claims regarding its Norton AntiVirus 2.0 software, to the detriment
of Symantec's customers and the reputation of the anti-virus industry."
TRIGGER DATE September 1996
9/22/96: V-DAY ARRIVES AGAIN!? A few
reporters call antivirus companies for possible follow-up stories. Initial estimate: zero
Hare attacks worldwide.
POST-HARE September 1996
9/23/96: MSNBC reporter Paul Chavez files an online story with the headline "No Sunday attack
by Hare virus." Chavez fills almost half the story with details about Rob Rosenberger, the Computer Virus
Myths home page, and this Hare timeline document.
- Pardon me while I fume: I predicted this media fiasco back in 1992. I missed the
timing by a mere five months.
- Like Michelangelo in 1992, the Hare virus looked "sexy" by media standards. Reporters
probably salivated over key words & phrases used to describe it: new, severe and highly destructive
threat, stealth, polymorphic, armored, multi-partite, initially distributed via Internet pornography-related
- Every press release from an antivirus company included details on how to obtain a free detection utility from
their world wide web site.
- Many press releases describe how Hare's author employed UseNet newsgroups as its initial transmission
vector. Yet I can't find a press release which implicates UseNet newsgroups or the Internet in general as a
prolific transmission vector — this despite
Janet Kornblum's story where she
claims "antivirus experts agree that the Internet as a whole has created a vast, new venue where viruses
can be spread widely and anonymously. With millions of people using the Net every day, these experts warn
network managers to be especially vigilant when giving full Internet access to all employees."
- Cheyenne's 8/5/96 press release correctly italicizes the word via while discussing the Internet's role
in spreading macro viruses. For example, some viruses spread via the U.S. Postal Service, not
because of the U.S. Postal Service.
- This subtle distinction probably qualifies as "esoteric" for now. The media needs to stop quoting
marketing personnel before it can tackle the problem of making uneducated assumptions.
- Janet Kornblum's story implies the
Internet is a dangerous place to surf. "With millions of people using the Net every day, these experts
warn network managers to be especially vigilant when giving full Internet access to all employees." (Does
this imply www.cnet.com is hazardous to your computer's health?) Even more disturbing: I can't identify a
virus expert who agrees with this statement.
- Note to the mainstream media: the fact a virus spreads [initially] via the Internet to
different locations around the world does not necessarily mean the virus resides in millions of computers. For
example, I might send a message to one person in Alaska, one person in Japan, one person in France, and one
person in Australia. My message instantly appears in countries all over the world, but it doesn't mean
millions of people received it. Likewise, if a virus writer uses Internet newsgroups as his initial
transmission vector, it doesn't mean the virus will continue to spread primarily via Internet
- Certain antivirus firms updated their world wide web sites after August 22 to "downplay" the media
hype surrounding Hare. (Spin control in some cases; gloating in other cases.)
- Dr. Solomon's 8/15/96 press release may wind up coining the phrase "SPAM virus," a term until now
seldom heard outside the antivirus community. As an acronym, SPAM means the virus uses
stealth, polymorphic, and
multi-partite techniques. As a slang verb, spam means to inundate UseNet newsgroups
with unwanted [commercial] postings.
- A disturbing trend continues in press releases: "which is able to avoid detection by many
anti-virus software products." Cheyenne, for example, claimed this on August 5 — months after
Hare's debut. Most antivirus company press releases imply the other antivirus companies can't
detect the latest threat. (Smith covers this in his own
opinion piece about Hare.)
- Dr. Solomon's 5/14/96 press release, and other companies' press releases, treat the Tentacle virus in
much the same way as they treated Hare. So the question arises: what unique essence turned Hare
into a media fiasco rather than Tentacle? (Hypothesis: reporters focused on Hare's connection to
controversial UseNet newsgroups.)
- Data Fellows claims its F-HARE detector/disinfector "was downloaded well over 35000 times during the weeks
before August 22nd."
- McAfee Associates did not figure prominently in the Hare fiasco — unlike previous fiascos [e.g.
Columbus 1989, Michelangelo 1992] where John McAfee cornered the market on pre-trigger-date media
publicity. (Then again, John's name appears nowhere in the latest McAfee Associates shareholder package. He
dropped off the radar soon after the Michelangelo fiasco.)
"I just assumed it was the Hare virus"
The following exchange took place on the UseNet comp.virus newsgroup. It involved
Chengi "Jimmy" Kuo of McAfee Associates and a person who identifies
himself only as Les. Kuo notes the number of computers affected
worldwide by the Hare virus — and Les steps in with a personal anecdote...
Chengi J. Kuo:
Informal poll among 8 or so [antivirus] vendors registered approximately 30 incidents [of the
Hare virus] affecting 80 or so machines worldwide.
I had it while my machine was unattended (home PC) and it wiped me out. Two hard disks and a zip disk
which happened to be in at the time.
Chengi J. Kuo:
Not to say that you didn't have it but, how does an unattended machine wipe itself out with a virus that
only does this stuff on bootup?
Well I guess I am only assuming that that's what it did, because it was the correct date....
[unknown edition published