__________________________________________________________                   
                                                                             
The U.S. Department of Energy                                                
Computer Incident Advisory Capability                                        
___  __ __    _     ___                                                      
/       |     /_\   /                                                        
\___  __|__  /   \  \___                                                     
__________________________________________________________                   
                                                                             
INFORMATION NOTE                                                             
                                                                             
Good Times Virus Hoax                                                        
                                                                             
Number 95-09: April 24, 1995
---------------------------------------------------------------------------  
This edition of CIAC NOTES describes the recent rebirth of "Good Times", and 
reiterates CIAC's previous position that "Good Times" is a hoax. Please send 
your comments and feedback to ciac@llnl.gov.                                 
---------------------------------------------------------------------------  
Reference to any specific commercial product does not necessarily constitute 
or imply its endorsement, recommendation or favoring by CIAC, the University 
of California, or the United States Government.                              
---------------------------------------------------------------------------  
                                                                             
There is a rebirth of the "Good Times" urban legend. CIAC and other response 
teams, along with the Federal Communications Commission and America Online,  
have received numerous queries regarding the validity of the "Good Times"    
virus. The current "Good Times" message appears to be a repeat of the hoax   
perpetuated last December.                                                   
                                                                             
CIAC first released CIAC NOTES 94-04, titled "THE 'Good Times' VIRUS IS AN
URBAN LEGEND," in December 1994. The original "Good Times" message that was
posted and circulated contained the following:
                                                                             
Here is some important information. Beware of a file called                  
Goodtimes.                                                                   
                                                                             
Happy Chanukah everyone, and be careful out there. There is a                
virus on America Online being sent by E-Mail. If you get anything            
called "Good Times", DON'T read it or download it. It is a virus             
that will erase your hard drive. Forward this to all your                    
friends. It may help them a lot.                                             
                                                                             
Soon after the release of CIAC NOTES 04, another "Good Times" message was    
circulated. This is the same message that is being circulated during this    
recent "Good Times" rebirth. This message includes a claim that the Federal  
Communications Commission (FCC) released a warning about the danger of the   
"Good Times" virus. This "Good Times" hoax message contains the following:   
                                                                             
The FCC released a warning last Wednesday concerning a matter of             
major importance to any regular user of the InterNet. Apparently,            
a new computer virus has been engineered by a user of America                
Online that is unparalleled in its destructive capability. Other,            
more well-known viruses such as Stoned, Airwolf, and                         
Michaelangelo pale in comparison to the prospects of this newest             
creation by a warped mentality.                                              
What makes this virus so terrifying, said the FCC, is the fact               
that no program needs to be exchanged for a new computer to be               
infected.                                                                    
                                                                             
... { stuff deleted } ...                                                    
                                                                             
CIAC contacted the FCC to confirm that this reference was fabricated and that
"Good Times" is truly a hoax.
                                                                             
ADDITIONAL INFORMATION                                                       
                                                                             
Having malicious code (malware) buried in the body of an E-mail message that 
would "infect" your computer is not a very likely possibility because        
characters in an E-mail message are displayed, not executed. CIAC still      
affirms that reading E-mail, using typical mail agents, will not activate    
malware delivered in or with the message.                                    
                                                                             
Many people believe "in theory" that malware can be delivered and activated
by some mail agents that have automated services. An example of such malware
is mail delivered to a PC that has embedded, seemingly invisible escape
sequences which affect screen display or program the keyboard to do some
nastiness when some key is "accidentally" pressed. The following is an
excerpt from CIAC NOTES 05, which included an update to the "Good Times"
urban legend.
                                                                             
-----------------                                                            
                                                                             
CIAC did not claim that E-mail could not be a delivery agent for malware. A  
real threat comes from attached files which could contain viruses or Trojan  
programs. You should scan any executable attachment before executing it in   
the same way that you scan all new software before using it. It is possible  
to create a file that remaps keys when displayed on a PC/MS-DOS machine with 
the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines   
with the text displayed on the screen in text mode. It would not work in     
Windows or in most text editors or mailers. A key could be remapped to       
produce any command sequence when pressed, for example DEL or FORMAT.        
However, the command is not issued until the remapped key is pressed and the 
command issued by the remapped key would be visible on the screen. You could 
protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS 
programs use the functionality of ANSI.SYS to control screen functions and   
colors. Windows programs are not affected by ANSI.SYS, though a DOS program
running in Windows would be.                                                 
                                                                             
-----------------                                                            
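
The excerpt above describes ANSI.SYS key remapping carried in displayed
text. The following is an added example, not part of the original CIAC note
or any CIAC tool: a mail-text filter that flags ANSI escape sequences before
a message is displayed and marks keyboard reassignments (sequences ending in
"p") separately from ordinary display sequences. The function names and the
sample message are assumptions constructed for illustration.

```python
import re

ESC = "\x1b"

# ESC [ <parameters> <final letter>. ANSI.SYS parameters are numbers or
# quoted strings separated by ';' (with '=' or '?' in mode sequences).
CSI = re.compile(r"""\x1b\[((?:[0-9=?;]|"[^"\x1b]*"|'[^'\x1b]*')*)([A-Za-z])""")


def scan(text):
    """Return one finding per escape sequence found in a message body."""
    findings = []
    for m in CSI.finditer(text):
        params, final = m.group(1), m.group(2)
        # Under ANSI.SYS a final 'p' reassigns a key; everything else
        # (colors, cursor moves, erases, modes) only affects the display.
        kind = "key-reassignment" if final == "p" else "display"
        findings.append({"offset": m.start(), "kind": kind,
                         "params": params, "final": final})
    return findings


def neutralize(text):
    """Make escape sequences visible so the terminal driver never acts on them."""
    return text.replace(ESC, "<ESC>")


# Constructed sample: a color banner plus a reassignment of F10 (0;68)
# to the harmless string DIR followed by Enter (13).
SAMPLE = ('Subject: hello\n\nPlain text line.\n'
          '\x1b[1;31mred banner\x1b[0m\n'
          '\x1b[0;68;"DIR";13p\nbye\n')

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["offset"], f["kind"], repr(f["params"]), f["final"])
    print(neutralize(SAMPLE))
```

Displaying the neutralized text instead of the raw body keeps the message
readable while ensuring that no remapping reaches the console driver.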
                                                                             
Who is CIAC?                                                                 
                                                                             
CIAC is the U.S. Department of Energy's Computer Incident Advisory           
Capability. Established in 1989, shortly after the Internet Worm, CIAC       
provides various computer security services free of charge to employees and  
contractors of the DOE, such as:                                             
                                                                             
* Incident Handling Consulting                                               
* Computer Security Information                                              
* On-site Workshops                                                          
* White-hat Audits                                                           
                                                                             
CIAC is located at Lawrence Livermore National Laboratory in Livermore,      
California, and is a part of its Computer Security Technology Center.        
Further information can be found at CIAC. CIAC is also a founding member of  
FIRST, the Forum of Incident Response and Security Teams, a global           
organization established to foster cooperation and coordination among        
computer security teams worldwide. See FIRST for more details.               
                                                                             
CIAC, the Computer Incident Advisory Capability, is the computer security    
incident response team for the U.S. Department of Energy. CIAC is located at 
the Lawrence Livermore National Laboratory in Livermore, California.  CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security 
Teams, a global organization established to foster cooperation and           
coordination among computer security teams worldwide.                        
                                                                             
CIAC services are available to DOE and DOE contractors, and can be contacted 
at:                                                                          
                                                                             
Voice:    510-422-8193                                                       
FAX:      510-423-8002                                                       
STU-III:  510-423-2604                                                       
E-mail:   ciac@llnl.gov                                                      
                                                                             
For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), call the CIAC
voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074, is for the CIAC Project Leader.
                                                                             
Previous CIAC notices, anti-virus software, PGP public key, and other
information are available from the CIAC Computer Security Archive.

World Wide Web:  http://ciac.llnl.gov/
Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
Modem access:    (510) 423-4753 (14.4K baud)
                 (510) 423-3331 (9600 baud)
                                                                             
CIAC has several self-subscribing mailing lists for electronic publications: 
                                                                             
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.
                                                                             
Our mailing lists are managed by a public domain software package called     
ListProcessor, which ignores E-mail header subject lines. To subscribe (add  
yourself) to one of our mailing lists, send the following request as the     
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or 
SPI-NOTES for list-name and valid information for LastName FirstName and     
PhoneNumber when sending E-mail to ciac-listproc@llnl.gov:                   
                                                                             
subscribe list-name LastName, FirstName PhoneNumber                          
e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36              
                                                                             
You will receive an acknowledgment containing address, initial PIN, and      
information on how to change either of them, cancel your subscription, or get
help.                                                                        
---------------------------------------------------------------------------  
This document was prepared as an account of work sponsored by an agency of   
the United States Government. Neither the United States Government nor the   
University of California nor any of their employees, makes any warranty,     
express or implied, or assumes any legal liability or responsibility for the 
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, 
or service by trade name, trademark, manufacturer, or otherwise, does not    
necessarily constitute or imply its endorsement, recommendation or favoring  
by the United States Government or the University of California. The views   
and opinions of authors expressed herein do not necessarily state or reflect 
those of the United States Government or the University of California, and   
shall not be used for advertising or product endorsement purposes.           
---------------------------------------------------------------------------  
End of CIAC Notes Number 95-09 95_4_24                                       
                                                                             

