No, it's not a hoax. You can read all about it on the CIAC web site
(the definitive source for computer security information and warnings).
The relevent notice is at the following URL:
http://www.ciac.org/ciac/bulletins/i-077a.shtml
Please make a habit of checking their web site whenever you receive
warnings on computer security issues.
However, it is unwise to send out mass emailings with virus warnings,
whether hoaxes or not. Systems administrators (like me) have to deal
with the users' panic, although it may only be a vulnerability, not
an imminent threat. Email virus warnings acquire a life of their own,
and are difficult to stop, once started. If a real threat occurs,
everyone will hear about it from every imaginable direction - hopefully
from their institution's computer experts, but sadly also from sources
like the New York Times - i.e. sensationalistic, information-poor news.
To summarize, there is NO virus threat imminent. A flaw in several email
programs has been identified which could be exploited maliciously.
There is no record of anyone having done so. Patches for the affected
programs are available immediately or within 2 weeks. It is highly
unlikely that anyone will create a virus in that time window that will
have significant effect on the worldwide internet community.
Bob Lyons
-----------------------------
Robert Lyons, Ph.D.
Director, DNA Sequencing Core
University of Michigan
-----------------------------