PCERT Advisory
Purdue Computer Emergency Response Team
"Good Times" Virus Hoax Circulating Again
April 24, 1995

The "Good Times" virus warnings are a hoax. People are circulating the warnings without verifying the information contained therein, thus leading to unnecessary worry and concern. Please do not circulate the "Good Times" warnings further. Please send this advisory on to anyone who has mail you such an advisory.


In early December 1994, a mail message was circulated in several mailing lists and bulletin boards warning of a "Good Times" virus. This "virus" was allegedly being circulated in e-mail on bulletin boards and several commercial services. The report stated that simply reading the message in a mail reader would cause it to activate, causing various forms of damage. Some versions of the message cite the FCC and/or America On-Line as authoritative sources of warnings about "Good Times." A related "virus" is sometimes also reported, alleged to have the string "xxx-1" (or similar) in the subject.

Several of the FIRST teams, including the Department of Energy's CIAC and Purdue's PCERT, responded by posting advisories stating that this report appeared to be a hoax. Actually, the hoax posting was allegedly traced to a student at a college in the northeast U.S. who had made the whole thing up as a prank that got somewhat out of hand. In the time since that first posting, none of the response teams has reported any credible sighting of such a virus. (It is possible, in some very specialized, very rare circumstances, that e-mail might contain a destructive sequence or characters, but this is highly unlikely, and NOT the case in this instance. Some further details are given in the "additional discussion" below. We repeat, this is NOT the case in regards to "Good Times.")

More Recently

In the past few weeks, we have received e-mail and phone calls from a number of people who have seen new instances of "warnings" about the "virus." It seems that many people did not see the original series of postings, or forgot the earlier advisories. It is also an unfortunate reality that many people will forward on warnings, even if of questionable technical merit, without making an attempt to verify them with an authoritative source. This leads to worry and further copies as the warnings spread.

Please DO NOT repost warnings or reports of the "Good Times" virus! It is important that we try to stop the spread of the false and potentially damaging warning about "Good Times." It is in the same class of rumors and out-dated information as other urban legends such as the "Craig Shergold" (requests to send postcards/business cards to a dying boy) rumor. These stories continue to keep appearing and disturbing people as time goes on.

What you can do

Additional Discussion

Informally, a computer virus is code that, when executed, causes some action to occur, including some form of reproduction of the virus. In a similar manner, a "Trojan Horse" program is code that when executed has some unexpected (and usually unwanted effect). What is important to note here is that the virus and trojan horse code must be *executed* in some way to have an effect. That is, it must be run as a program, or passed as instructions to some interpreter program.

When e-mail arrives at a system and is read by the user, it is seldom "executed" by anything that could damage the system, let alone reproduce the code itself. There are only two general exceptions to this for systems in wide-spread use, to our knowledge:

  1. On a MS-DOS PC-based system with an ANSI.SYS driver, it is possible that a carefully-crafted control code sequence could execute some unwanted actions. This would only work if the mail was displayed in text mode (not in a window or specialized application). However, there are three good reasons to believe that this would never act to spread a virus:
  2. On systems using MIME-capable mailers (or similar), it is possible that a message could be crafted that would trigger an external agent on the receiving machine to do harm. For example, it might be possible to embed commands in a PostScript file that would cause a PostScript interpreter to modify files. For this to succeed, it requires that users automatically execute those applications upon receipt of appropriate mail, and that those applications have enabled operations that might unduly affect the system. Again, this does not seem to be a viable way to spread a virus.
Note that we are not claiming that a harmful agent cannot be distributed in mail. To the contrary, the "Good Times" message *is* damaging -- as a rumor! It is also possible to circulate code that, if executed by an unwary user, could cause damage. However, the possibility is effectively nil of a virus being constructed that will circulate via e-mail, affect any of several dozens of operating systems when run through any of scores of different mail agents, and launch by being listed to the screen.

More Information

Further discussion of this rumor may be found in the following CIAC Notes, available via WWW: or via ftp:

Contact information for FIRST

This is a list of contact information for incident response teams participating in FIRST, the Forum of Incident Response and Security Teams. This list is updated periodically; a master copy of this list is available from the FIRST Secretariat via anonymous ftp at csrc.ncsl.nist.gov (, file pub/first/first-contacts, or by sending e-mail to docserver@first.org with the message: send first-contacts .If you can't figure out who to call, contact a response team or the FIRST Secretariat at (301) 975-5200 or first-sec@first.org

{ ** lengthy list omitted -- available on request ** }


Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Last Amended: 15 October 1995

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 6916 Fax: +61 6 288 1472