Bug watch: The boy who cried worm

Many have learnt the hard way but, on the whole, companies have now woken up to the dangers of virus infection and have taken appropriate action.

The bad news is that computer viruses are not the only internet nasties capable of confusing users and injuring corporate reputations. We are now seeing critters that anti-virus software simply cannot detect and protect against. The problem? The humble hoax.

The much publicised "Budweiser Frogs" and "A virtual card for you" scares are typical of hoax emails as they warn of a supposed new virus. These hoaxes are generally easy to spot as the "virus" they describe is usually of epidemic proportions, able to evade all anti-virus software, and has a highly damaging (and sometimes implausible) payload.

And just to make sure users realise just how serious it is, part of the email might be in CAPITAL letters and contain plenty of exclamation marks!!! Recipients are always encouraged to forward the email to everyone they know so that they can also be prepared for "Cyber-Armageddon".

Hoaxes may not carry the payloads of the real thing, but they can cause the same amount of inconvenience in terms of compromised reputation and clogged mail servers.

Any company used as a vehicle for virus distribution - be it real or fake - looks foolish. Forwarding a hoax to a colleague or client is at best gullible and at worst damaging to the corporate credibility they have worked hard to establish. It is similar to the way a real virus often makes its recipients look stupid for double-clicking on an infected attachment.

Hoaxes can also emulate real viruses in the way they spread. Although incapable of self-propagation, they spread because innocent users mistakenly believe they are doing their friends a favour by passing on the warning. Indeed, many hoaxes have spread further and longer than actual viruses.

The inconvenience becomes worse still as recipients start to panic. Normal working patterns are disrupted and helpdesks become swamped with unnecessary cries for help.

So if software isn't the answer, what can be done to prevent the spread of virus hoaxes? As with every aspect of computer security, products need to be backed up by procedure. Businesses need to establish a firm policy on hoaxes that defines one person as responsible for dealing with all virus warnings. For then, if an employee receives a scare - even if it purports to be from an anti-virus vendor or trusted friend - rather than sending it out to all-and-sundry, he or she should forward it to this designated person. It would then be their responsibility to find out if it's real or false.

Experts talk extensively about how user education can complement anti-virus software. In the case of the virus hoax - where a detection routine cannot be written - common sense and a suspicious attitude are the most important and effective weapons against falling for the ruse.