Fact or Fiction? Separating the Worm from the Hoax

Virus and worm hoaxes are not just harmless pranks.

Recipients of these alarming warning messages may damage their own computers by trying to remove a "virus" that does not exist (the JDBGMGR hoax described below tells the user to delete a genuine Windows file), and those who forward the message to everyone they know put a needless load on email servers. Worse, once recipients learn that there was no real threat, they may get into the habit of ignoring every virus warning, which leaves them exposed to the next real and truly destructive virus or worm.

Many antivirus vendors maintain pages that track known hoaxes alongside genuine viruses. The next time you receive an urgent warning message, check it against a list of known hoaxes before you act on it, and before you forward it, to find out whether it describes a hoax or a real virus or worm.

Do not let your guard down, either. Never open an email attachment you were not expecting, even when it comes from someone you know and trust: mass-mailing worms send themselves out from the infected user's own address book, so a familiar sender proves nothing. Be aware, too, that the people who write malware use well-known hoaxes to their advantage. The AOL4FREE message, for example, began as a hoax warning about a nonexistent virus. Once it had been widely exposed as a hoax, someone began distributing a destructive trojan horse (a trojan horse differs from a virus in that it does not reproduce itself) in a file named AOL4FREE, attached to a copy of the original hoax warning.

In the same way, the well-known JDBGMGR.EXE hoax is now being used to spread a real worm. JDBGMGR.EXE is a genuine Windows component, and this worm overwrites that file with its own code, so the descriptions of the file as harmless no longer hold once a machine is infected. The worm uses Microsoft Outlook to mail copies of itself as an attachment to every address found in the Outlook address book and its distribution lists.

JDBGMGR.EXE - the Hoax

The JDBGMGR hoax has circulated since April 2002 and has been reported in English, French, Italian, Spanish, Dutch, German, Polish, Danish and other languages.

The hoax message described a new virus supposedly found in the Windows utility JDBGMGR.EXE and allegedly spread by MSN Messenger, and it instructed the user to search for the file and delete it. The file is a legitimate Microsoft component, the Debugger Registrar for Java, installed with the Microsoft Java virtual machine on the Windows versions of the time. The genuine JDBGMGR.EXE really does have a teddy-bear icon, which is what made the hoax's instruction to look for a bear icon seem plausible.

The original email message was purely a hoax. Although JDBGMGR.EXE, like any other executable, can be infected by unrelated but genuine file-infecting viruses (most commonly W32/Magistr@MM), nothing in this particular hoax message was true. Recipients were advised to delete the message and NOT to pass it on to others. JDBGMGR.EXE is of use only to Java developers, so if you have already deleted it you will in most cases not need to reinstall it. Microsoft KnowledgeBase article Q322993, "Virus Hoax: Microsoft Debugger Registrar for Java (Jdbgmgr.exe) Is Not a Virus", states that the Microsoft Debugger Registrar for Java (Jdbgmgr.exe) is used only by Microsoft Visual J++ 1.1 developers. If you followed the hoax's instructions and deleted the file, you need to recover it only if you use Microsoft Visual J++ 1.1 to develop Java programs on Windows XP, Windows NT 4.0, Windows 98 Second Edition, Windows 98 or Windows 95; the same article gives instructions for restoring it.

JDBGMGR.EXE - the Worm

In June 2003 a new worm built on this hoax was reported. Its messages appeared to come from Symantec Corporation and contained a warning about the JDBGMGR hoax plus an infected attachment. Keep the two JDBGMGR messages apart: one is a hoax, the other carries a real worm. The genuine JDBGMGR.EXE is a real Windows component and should not normally be removed, although most users would never miss it. The worm, named Recory, overwrites the genuine JDBGMGR.EXE with its own code. Whatever the accompanying message says, never run a JDBGMGR.EXE that arrives by email.

Here is the point most readers want: the quickest way to tell the two versions of JDBGMGR.EXE apart is to look at the icon. The genuine program has the bear icon; the worm's copy carries a tools icon in the style of Symantec's removal tools. Treat this as a hint only, not as a check: an executable's icon is just a resource inside the file, and any author, including a worm author, can set it to whatever they like, so a bear icon is no proof of a clean file. Let your antivirus scanner identify the file rather than trusting what it looks like, and if in doubt delete it and restore it by the method given in Microsoft article Q322993. W32.Recory@mm is a mass-mailing worm that also spreads over IRC and file-sharing networks such as Kazaa and Morpheus. It is written in Visual Basic, spreads through IRC by modifying mIRC scripts, and tries to copy itself into the shared folders of several P2P and messaging programs. Because it is a Visual Basic program, the VB run-time libraries must be present on the computer for it to execute.

The message that carries the worm looks very much like the hoax message but tells you exactly the wrong thing to do, and describes the icons backwards. The subject line and attachment name are chosen at random, but the attachment is presented as a repair or removal tool and carries one of several executable extensions (.exe, .pif or .com). The worm uses Microsoft Outlook to mail itself to every contact in the Windows Address Book. It also tries to spread over file-sharing networks and copies itself under many file names into five folders, including \windows, \windows\system32 and \windows\java.
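The pattern described above (an executable "repair tool" attachment in a message that claims to come from an antivirus vendor) is something a mail gateway can screen for without any knowledge of the worm itself. The following Python script is an added example and is not code from the original article or from any vendor; the extension list beyond .exe/.pif/.com, the vendor word list, the trusted-domain map and the sample messages are all assumptions or constructed test data.

```python
"""Mail-gateway triage for the Recory-style mailing: an executable
attachment posing as a repair/removal tool, sent under an antivirus
vendor's name. Added example, not code from the original article."""
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs directly on double-click. The article names
# .exe, .pif and .com; .scr and .bat are added here as an assumption.
EXECUTABLE_EXTS = {".exe", ".pif", ".com", ".scr", ".bat"}

# Wording that makes a message look like an antivirus alert. Symantec is
# the vendor named in the article; the others are assumed additions.
AV_WORDS = ("symantec", "norton", "mcafee", "removal tool", "repair tool")

# Domains a genuine alert from each vendor would come from (assumed map;
# words with no entry are treated as generic alert wording).
VENDOR_DOMAINS = {"symantec": {"symantec.com"},
                  "norton": {"symantec.com"},
                  "mcafee": {"mcafee.com"}}


def attachment_extension(filename):
    """Lower-cased final extension, or '' if the name has none."""
    name = filename.strip().lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def body_text(msg):
    """Plain-text body (falls back to HTML); '' if the message has none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def triage(msg):
    """Return a list of reasons to quarantine; an empty list means clean."""
    reasons = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = " ".join([display, str(msg.get("Subject", "")), body_text(msg)]).lower()

    # 1. Directly executable attachments, noting double extensions such as
    #    readme.txt.pif that hide the real type behind a harmless-looking one.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if attachment_extension(fname) in EXECUTABLE_EXTS:
            kind = "double-extension" if fname.count(".") > 1 else "executable"
            reasons.append(f"{kind} attachment {fname!r}")
    has_exe = bool(reasons)

    # 2. Vendor wording from outside that vendor's domain, or generic
    #    "removal tool" wording combined with an executable attachment.
    for word in AV_WORDS:
        if word not in text:
            continue
        allowed = VENDOR_DOMAINS.get(word)
        if allowed is not None and sender_domain not in allowed:
            reasons.append(f"{word!r} wording from non-vendor domain "
                           f"{sender_domain or 'unknown'!r}")
            break
        if allowed is None and has_exe:
            reasons.append(f"{word!r} wording with executable attachment")
            break
    return reasons


def build_sample(from_header, subject, body, filename, payload):
    """Assemble a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m


def sample_worm_mail():
    """Constructed imitation of the mailing described in the article."""
    return build_sample('"Symantec Security Response" <alerts@example.net>',
                        "JDBGMGR.EXE virus - removal tool attached",
                        "Delete the file with the bear icon and run the attached tool.",
                        "jdbgmgr_fix.exe", b"MZ\x90\x00\x03")


def sample_clean_mail():
    """Constructed ordinary message with a document attached."""
    return build_sample('"Jane Doe" <jane@example.org>', "Minutes from today",
                        "Attached are the minutes.", "minutes.pdf", b"%PDF-1.4")


if __name__ == "__main__":
    for m in (sample_worm_mail(), sample_clean_mail()):
        print(m["Subject"], "->", triage(m) or ["clean"])
```

The worm-style sample produces two findings (the executable attachment and the Symantec wording from a non-Symantec domain); the ordinary message produces none. Rules like these are deliberately crude: they catch the social-engineering shape of the mailing, not the worm's code, which is why they still need an antivirus scanner behind them.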

Name: Recory.B
Aliases: Recory, I-Worm.Recory, WORM_RECORY.A
Systems affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP
Programs whose shared folders it uses to spread: Kazaa, Kazaa Lite, ICQ, BearShare, eDonkey2000, Morpheus, Grokster
Systems not affected: Macintosh, OS/2, UNIX, Linux