[2J[1m[37;41mĿ[40m
[1m[37;41m[1m[37;41m__________________________________________________________                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mThe U.S. Department of Energy                                                [1m[37;41m[40m
[1m[37;41m[1m[37;41mComputer Incident Advisory Capability                                        [1m[37;41m[40m
[1m[37;41m[1m[37;41m___  __ __    _     ___                                                      [1m[37;41m[40m
[1m[37;41m[1m[37;41m/       |     /_\   /                                                        [1m[37;41m[40m
[1m[37;41m[1m[37;41m\___  __|__  /   \  \___                                                     [1m[37;41m[40m
[1m[37;41m[1m[37;41m__________________________________________________________                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mINFORMATION NOTE                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mGood Times Virus Hoax                                                        [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mNumber 95-09:April 24, 1995                                                  [1m[37;41m[40m
[1m[37;41m[1m[37;41m---------------------------------------------------------------------------  [1m[37;41m[40m
[1m[37;41m[1m[37;41mThis edition of CIAC NOTES describes the recent rebirth of "Good Times", and [1m[37;41m[40m
[1m[37;41m[1m[37;41mreiterates CIAC's previous position that "Good Times" is a hoax. Please send [1m[37;41m[40m
[1m[37;41m[1m[37;41myour comments and feedback to ciac@llnl.gov.                                 [1m[37;41m[40m
[1m[37;41m[1m[37;41m---------------------------------------------------------------------------  [1m[37;41m[40m
[1m[37;41m[1m[37;41mReference to any specific commercial product does not necessarily constitute [1m[37;41m[40m
[1m[37;41m[1m[37;41mor imply its endorsement, recommendation or favoring by CIAC, the University [1m[37;41m[40m
[1m[37;41m[1m[37;41mof California, or the United States Government.                              [1m[37;41m[40m
[1m[37;41m[1m[37;41m---------------------------------------------------------------------------  [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mThere is a rebirth of the "Good Times" urban legend. CIAC and other response [1m[37;41m[40m
[1m[37;41m[1m[37;41mteams, along with the Federal Communications Commission and America Online,  [1m[37;41m[40m
[1m[37;41m[1m[37;41mhave received numerous queries regarding the validity of the "Good Times"    [1m[37;41m[40m
[1m[37;41m[1m[37;41mvirus. The current "Good Times" message appears to be a repeat of the hoax   [1m[37;41m[40m
[1m[37;41m[1m[37;41mperpetuated last December.                                                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC first released CIAC NOTES 94-04 in December 1994 which is titled "THE   [1m[37;41m[40m
[1m[37;41m[1m[37;41m'Good Times' VIRUS IS AN URBAN LEGEND." The original "Good Times" message    [1m[37;41m[40m
[1m[37;41m[1m[37;41mthat was posted and circulated contained the following:                      [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mHere is some important information. Beware of a file called                  [1m[37;41m[40m
[1m[37;41m[1m[37;41mGoodtimes.                                                                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mHappy Chanukah everyone, and be careful out there. There is a                [1m[37;41m[40m
[1m[37;41m[1m[37;41mvirus on America Online being sent by E-Mail. If you get anything            [1m[37;41m[40m
[1m[37;41m[1m[37;41mcalled "Good Times", DON'T read it or download it. It is a virus             [1m[37;41m[40m
[1m[37;41m[1m[37;41mthat will erase your hard drive. Forward this to all your                    [1m[37;41m[40m
[1m[37;41m[1m[37;41mfriends. It may help them a lot.                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mSoon after the release of CIAC NOTES 04, another "Good Times" message was    [1m[37;41m[40m
[1m[37;41m[1m[37;41mcirculated. This is the same message that is being circulated during this    [1m[37;41m[40m
[1m[37;41m[1m[37;41mrecent "Good Times" rebirth. This message includes a claim that the Federal  [1m[37;41m[40m
[1m[37;41m[1m[37;41mCommunications Commission (FCC) released a warning about the danger of the   [1m[37;41m[40m
[1m[37;41m[1m[37;41m"Good Times" virus. This "Good Times" hoax message contains the following:   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mThe FCC released a warning last Wednesday concerning a matter of             [1m[37;41m[40m
[1m[37;41m[1m[37;41mmajor importance to any regular user of the InterNet. Apparently,            [1m[37;41m[40m
[1m[37;41m[1m[37;41ma new computer virus has been engineered by a user of America                [1m[37;41m[40m
[1m[37;41m[1m[37;41mOnline that is unparalleled in its destructive capability. Other,            [1m[37;41m[40m
[1m[37;41m[1m[37;41mmore well-known viruses such as Stoned, Airwolf, and                         [1m[37;41m[40m
[1m[37;41m[1m[37;41mMichaelangelo pale in comparison to the prospects of this newest             [1m[37;41m[40m
[1m[37;41m[1m[37;41mcreation by a warped mentality.                                              [1m[37;41m[40m
[1m[37;41m[1m[37;41mWhat makes this virus so terrifying, said the FCC, is the fact               [1m[37;41m[40m
[1m[37;41m[1m[37;41mthat no program needs to be exchanged for a new computer to be               [1m[37;41m[40m
[1m[37;41m[1m[37;41minfected.                                                                    [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m... { stuff deleted } ...                                                    [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC contacted the FCC to ensure that this reference was fabricated and that [1m[37;41m[40m
[1m[37;41m[1m[37;41mthe "Good Times" is truly a hoax.                                            [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mADDITIONAL INFORMATION                                                       [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mHaving malicious code (malware) buried in the body of an E-mail message that [1m[37;41m[40m
[1m[37;41m[1m[37;41mwould "infect" your computer is not a very likely possibility because        [1m[37;41m[40m
[1m[37;41m[1m[37;41mcharacters in an E-mail message are displayed, not executed. CIAC still      [1m[37;41m[40m
[1m[37;41m[1m[37;41maffirms that reading E-mail, using typical mail agents, will not activate    [1m[37;41m[40m
[1m[37;41m[1m[37;41mmalware delivered in or with the message.                                    [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mMany people believe "in theory" that malware can be delivered and activated  [1m[37;41m[40m
[1m[37;41m[1m[37;41mby some mail agents that have automated services. An example of such malware [1m[37;41m[40m
[1m[37;41m[1m[37;41mis mail delivered to a PC that has embedded, seemingly invisible escape      [1m[37;41m[40m
[1m[37;41m[1m[37;41msequences which affect screen display or program the keyboard to do some     [1m[37;41m[40m
[1m[37;41m[1m[37;41mnastiness when some key is "accidently" pressed. The following is an excerpt [1m[37;41m[40m
[1m[37;41m[1m[37;41mfrom CIAC NOTES 05 which included and update to the "Good Times" urban       [1m[37;41m[40m
[1m[37;41m[1m[37;41mlegend.                                                                      [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m-----------------                                                            [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC did not claim that E-mail could not be a delivery agent for malware. A  [1m[37;41m[40m
[1m[37;41m[1m[37;41mreal threat comes from attached files which could contain viruses or Trojan  [1m[37;41m[40m
[1m[37;41m[1m[37;41mprograms. You should scan any executable attachment before executing it in   [1m[37;41m[40m
[1m[37;41m[1m[37;41mthe same way that you scan all new software before using it. It is possible  [1m[37;41m[40m
[1m[37;41m[1m[37;41mto create a file that remaps keys when displayed on a PC/MS-DOS machine with [1m[37;41m[40m
[1m[37;41m[1m[37;41mthe ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines   [1m[37;41m[40m
[1m[37;41m[1m[37;41mwith the text displayed on the screen in text mode. It would not work in     [1m[37;41m[40m
[1m[37;41m[1m[37;41mWindows or in most text editors or mailers. A key could be remapped to       [1m[37;41m[40m
[1m[37;41m[1m[37;41mproduce any command sequence when pressed, for example DEL or FORMAT.        [1m[37;41m[40m
[1m[37;41m[1m[37;41mHowever, the command is not issued until the remapped key is pressed and the [1m[37;41m[40m
[1m[37;41m[1m[37;41mcommand issued by the remapped key would be visible on the screen. You could [1m[37;41m[40m
[1m[37;41m[1m[37;41mprotect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS [1m[37;41m[40m
[1m[37;41m[1m[37;41mprograms use the functionality of ANSI.SYS to control screen functions and   [1m[37;41m[40m
[1m[37;41m[1m[37;41mcolors. Windows programs are not effected by ANSI.SYS, though a DOS program  [1m[37;41m[40m
[1m[37;41m[1m[37;41mrunning in Windows would be.                                                 [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m-----------------                                                            [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mWho is CIAC?                                                                 [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC is the U.S. Department of Energy's Computer Incident Advisory           [1m[37;41m[40m
[1m[37;41m[1m[37;41mCapability. Established in 1989, shortly after the Internet Worm, CIAC       [1m[37;41m[40m
[1m[37;41m[1m[37;41mprovides various computer security services free of charge to employees and  [1m[37;41m[40m
[1m[37;41m[1m[37;41mcontractors of the DOE, such as:                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m* Incident Handling Consulting                                               [1m[37;41m[40m
[1m[37;41m[1m[37;41m* Computer Security Information                                              [1m[37;41m[40m
[1m[37;41m[1m[37;41m* On-site Workshops                                                          [1m[37;41m[40m
[1m[37;41m[1m[37;41m* White-hat Audits                                                           [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC is located at Lawrence Livermore National Laboratory in Livermore,      [1m[37;41m[40m
[1m[37;41m[1m[37;41mCalifornia, and is a part of its Computer Security Technology Center.        [1m[37;41m[40m
[1m[37;41m[1m[37;41mFurther information can be found at CIAC. CIAC is also a founding member of  [1m[37;41m[40m
[1m[37;41m[1m[37;41mFIRST, the Forum of Incident Response and Security Teams, a global           [1m[37;41m[40m
[1m[37;41m[1m[37;41morganization established to foster cooperation and coordination among        [1m[37;41m[40m
[1m[37;41m[1m[37;41mcomputer security teams worldwide. See FIRST for more details.               [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC, the Computer Incident Advisory Capability, is the computer security    [1m[37;41m[40m
[1m[37;41m[1m[37;41mincident response team for the U.S. Department of Energy. CIAC is located at [1m[37;41m[40m
[1m[37;41m[1m[37;41mthe Lawrence Livermore National Laboratory in Livermore, California.  CIAC is[1m[37;41m[40m
[1m[37;41m[1m[37;41malso a founding member of FIRST, the Forum of Incident Response and Security [1m[37;41m[40m
[1m[37;41m[1m[37;41mTeams, a global organization established to foster cooperation and           [1m[37;41m[40m
[1m[37;41m[1m[37;41mcoordination among computer security teams worldwide.                        [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC services are available to DOE and DOE contractors, and can be contacted [1m[37;41m[40m
[1m[37;41m[1m[37;41mat:                                                                          [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mVoice:    510-422-8193                                                       [1m[37;41m[40m
[1m[37;41m[1m[37;41mFAX:      510-423-8002                                                       [1m[37;41m[40m
[1m[37;41m[1m[37;41mSTU-III:  510-423-2604                                                       [1m[37;41m[40m
[1m[37;41m[1m[37;41mE-mail:   ciac@llnl.gov                                                      [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mFor emergencies and off-hour assistance, DOE and DOE contractor sites may    [1m[37;41m[40m
[1m[37;41m[1m[37;41mcontact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC [1m[37;41m[40m
[1m[37;41m[1m[37;41mvoice number 510-422-8193 and leave a message, or call 800-759-7243          [1m[37;41m[40m
[1m[37;41m[1m[37;41m(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the    [1m[37;41m[40m
[1m[37;41m[1m[37;41mprimary PIN number, 8550070, is for the CIAC duty person, and the secondary  [1m[37;41m[40m
[1m[37;41m[1m[37;41mPIN number, 8550074 is for the CIAC Project Leader.                          [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mPrevious CIAC notices, anti-virus software, pgp public key, and other        [1m[37;41m[40m
[1m[37;41m[1m[37;41minformation are available from the CIAC Computer Security Archive.           [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mWorld Wide Web:       http://ciac.llnl.gov/                                  [1m[37;41m[40m
[1m[37;41m[1m[37;41mAnonymous FTP:               ciac.llnl.gov (128.115.19.53)                   [1m[37;41m[40m
[1m[37;41m[1m[37;41mModem access:  (510) 423-4753 (14.4K baud)                                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m(510) 423-3331 (9600 baud)                                                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mCIAC has several self-subscribing mailing lists for electronic publications: [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m1. CIAC-BULLETIN for Advisories, highest priority - time critical            [1m[37;41m[40m
[1m[37;41m[1m[37;41minformation and Bulletins, important computer security information;          [1m[37;41m[40m
[1m[37;41m[1m[37;41m2. CIAC-NOTES for Notes, a collection of computer security articles;         [1m[37;41m[40m
[1m[37;41m[1m[37;41m3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)     [1m[37;41m[40m
[1m[37;41m[1m[37;41msoftware updates, new features, distribution and availability;               [1m[37;41m[40m
[1m[37;41m[1m[37;41m4. SPI-NOTES, for discussion of problems and solutions regarding the use     [1m[37;41m[40m
[1m[37;41m[1m[37;41mof SPI products.                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mOur mailing lists are managed by a public domain software package called     [1m[37;41m[40m
[1m[37;41m[1m[37;41mListProcessor, which ignores E-mail header subject lines. To subscribe (add  [1m[37;41m[40m
[1m[37;41m[1m[37;41myourself) to one of our mailing lists, send the following request as the     [1m[37;41m[40m
[1m[37;41m[1m[37;41mE-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or [1m[37;41m[40m
[1m[37;41m[1m[37;41mSPI-NOTES for list-name and valid information for LastName FirstName and     [1m[37;41m[40m
[1m[37;41m[1m[37;41mPhoneNumber when sending E-mail to ciac-listproc@llnl.gov:                   [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41msubscribe list-name LastName, FirstName PhoneNumber                          [1m[37;41m[40m
[1m[37;41m[1m[37;41me.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36              [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;41mYou will receive an acknowledgment containing address, initial PIN, and      [1m[37;41m[40m
[1m[37;41m[1m[37;41minformation on how to change either of them, cancel your subscription, or get[1m[37;41m[40m
[1m[37;41m[1m[37;41mhelp.                                                                        [1m[37;41m[40m
[1m[37;41m[1m[37;41m---------------------------------------------------------------------------  [1m[37;41m[40m
[1m[37;41m[1m[37;41mThis document was prepared as an account of work sponsored by an agency of   [1m[37;41m[40m
[1m[37;41m[1m[37;41mthe United States Government. Neither the United States Government nor the   [1m[37;41m[40m
[1m[37;41m[1m[37;41mUniversity of California nor any of their employees, makes any warranty,     [1m[37;41m[40m
[1m[37;41m[1m[37;41mexpress or implied, or assumes any legal liability or responsibility for the [1m[37;41m[40m
[1m[37;41m[1m[37;41maccuracy, completeness, or usefulness of any information, apparatus, product,[1m[37;41m[40m
[1m[37;41m[1m[37;41mor process disclosed, or represents that its use would not infringe privately[1m[37;41m[40m
[1m[37;41m[1m[37;41mowned rights. Reference herein to any specific commercial products, process, [1m[37;41m[40m
[1m[37;41m[1m[37;41mor service by trade name, trademark, manufacturer, or otherwise, does not    [1m[37;41m[40m
[1m[37;41m[1m[37;41mnecessarily constitute or imply its endorsement, recommendation or favoring  [1m[37;41m[40m
[1m[37;41m[1m[37;41mby the United States Government or the University of California. The views   [1m[37;41m[40m
[1m[37;41m[1m[37;41mand opinions of authors expressed herein do not necessarily state or reflect [1m[37;41m[40m
[1m[37;41m[1m[37;41mthose of the United States Government or the University of California, and   [1m[37;41m[40m
[1m[37;41m[1m[37;41mshall not be used for advertising or product endorsement purposes.           [1m[37;41m[40m
[1m[37;41m[1m[37;41m---------------------------------------------------------------------------  [1m[37;41m[40m
[1m[37;41m[1m[37;41mEnd of CIAC Notes Number 95-09 95_4_24                                       [1m[37;41m[40m
[1m[37;41m[1m[37;41m                                                                             [1m[37;41m[40m
[1m[37;41m[1m[37;40m
