PCERT Advisory
Purdue Computer Emergency Response Team
<pcert@cs.purdue.edu>
"Good Times" Virus Hoax Circulating Again
April 24, 1995
Summary
The "Good Times" virus warnings are a hoax. People are circulating the warnings
without verifying the information contained therein, thus leading to
unnecessary worry and concern. Please do not circulate the "Good Times"
warnings further. Please send this advisory on to anyone who has mailed you such
an advisory.
Background
In early December 1994, a mail message was circulated in several mailing lists
and bulletin boards warning of a "Good Times" virus. This "virus" was
allegedly being circulated in e-mail on bulletin boards and several commercial
services. The report stated that simply reading the message in a mail reader
would cause it to activate, causing various forms of damage. Some versions of
the message cite the FCC and/or America On-Line as authoritative sources of
warnings about "Good Times." A related "virus" is sometimes also reported,
alleged to have the string "xxx-1" (or similar) in the subject.
Several of the FIRST teams, including the Department of Energy's CIAC and
Purdue's PCERT, responded by posting advisories stating that this report
appeared to be a hoax. Actually, the hoax posting was allegedly traced to a
student at a college in the northeast U.S. who had made the whole thing up as a
prank that got somewhat out of hand. In the time since that first posting,
none of the response teams has reported any credible sighting of such a virus.
(It is possible, in some very specialized, very rare circumstances, that e-mail
might contain a destructive sequence of characters, but this is highly
unlikely, and NOT the case in this instance. Some further details are given in
the "additional discussion" below. We repeat, this is NOT the case in regards
to "Good Times.")
More Recently
In the past few weeks, we have received e-mail and phone calls from a number of
people who have seen new instances of "warnings" about the "virus." It seems
that many people did not see the original series of postings, or forgot the
earlier advisories. It is also an unfortunate reality that many people will
forward on warnings, even if of questionable technical merit, without making an
attempt to verify them with an authoritative source. This leads to worry and
further copies as the warnings spread.
Please DO NOT repost warnings or reports of the "Good Times" virus! It is
important that we try to stop the spread of the false and potentially damaging
warning about "Good Times." It is in the same class of rumors and out-dated
information as other urban legends such as the "Craig Shergold" (requests to
send postcards/business cards to a dying boy) rumor. These stories continue to
keep appearing and disturbing people as time goes on.
What you can do
- If you have received a warning about "Good Times" then send this advisory
to everyone you know who received that warning. To ensure that it is read, DO
NOT put the phrase "Good Times" in the subject line. We suspect that some
people never saw the original advisories because they set their mailers to
automatically delete mail with those words in the subject line.
- Save this advisory. If you receive a warning about "Good Times" anytime
in the future, simply send a copy of this advisory back to whomever it is who
sends you the warning.
- If you ever get a warning like this, or similarly get a warning or notice
of some widespread problem with computers, VERIFY it with credible sources
before passing it on. Rumors, especially when spread by well-meaning
individuals, can cause significant panic and damage. FIRST response teams
(FIRST == Forum of Incident Response and Security Teams) will be more than
willing to respond with definitive information to a query on these topics; it
is one of their missions. We are enclosing a copy of the list in this
advisory, current as of April 24, 1995.
- We also note the possibility that someone is using this as a precursor to
a real attack. That is, someone is repeatedly circulating the "Good Times"
rumor to condition people to believing there is no danger, and will then
circulate some damaging code under that name. To that end, if you ever get any
mail labelled "Good Times" that is in some way executable (i.e., is a program
or command file), DO NOT run it! Instead, contact your appropriate FIRST team
for assistance and analysis. Again, we stress that we view this possibility as
very, very unlikely.
Additional Discussion
Informally, a computer virus is code that, when executed, causes some action to
occur, including some form of reproduction of the virus. In a similar manner,
a "Trojan Horse" program is code that when executed has some unexpected (and
usually unwanted) effect. What is important to note here is that the virus and
trojan horse code must be *executed* in some way to have an effect. That is,
it must be run as a program, or passed as instructions to some interpreter
program.
When e-mail arrives at a system and is read by the user, it is seldom
"executed" by anything that could damage the system, let alone reproduce the
code itself. There are only two general exceptions to this for systems in
wide-spread use, to our knowledge:
- On a MS-DOS PC-based system with an ANSI.SYS driver, it is possible that a
carefully-crafted control code sequence could execute some unwanted actions.
This would only work if the mail was displayed in text mode (not in a window or
specialized application). However, there are three good reasons to believe
that this would never act to spread a virus:
  - First, the necessary control characters would be unlikely to pass through
  various mail gateways and forwarders without modification. Any change would
  render the sequence inoperable.
  - To spread effectively, the code would need to be written such that it
  would use pathnames and code present on almost every machine where received,
  including ANSI.SYS. MS-DOS machines are seldom so predictable!
  - Any such change would only map one or more keys to a damaging command; the
  user would have to press a certain key (or sequence) to actually trigger the
  damage. This involves more than simply reading a mail message!
- On systems using MIME-capable mailers (or similar), it is possible that a
message could be crafted that would trigger an external agent on the receiving
machine to do harm. For example, it might be possible to embed commands in a
PostScript file that would cause a PostScript interpreter to modify files. For
this to succeed, it requires that users automatically execute those
applications upon receipt of appropriate mail, and that those applications have
enabled operations that might unduly affect the system. Again, this does not
seem to be a viable way to spread a virus.
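As an added illustration of the two exceptions above (this code is not part of
the original advisory), the following Python example scans a message for
terminal escape sequences, flagging ANSI.SYS-style key reassignments, and for
parts whose content type a mailer might hand to an interpreter. The function
names, the INTERPRETED_TYPES set and the sample message are assumptions
constructed for this example.

```python
import re
from email import message_from_string

# CSI sequence: ESC [ params final-letter. An ANSI.SYS key reassignment
# ends in "p" and may carry quoted strings among its parameters.
CSI = re.compile(r'\x1b\[((?:"[^"]*"|[0-9;?=])*)([A-Za-z])')
# Assumption: illustrative set of types a mailer might pass to an interpreter.
INTERPRETED_TYPES = {"application/postscript"}

def scan_message(raw):
    """Return (kind, detail) findings for one message given as text."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in INTERPRETED_TYPES:
            findings.append(("interpreted-attachment", ctype))
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("latin-1")
            for m in CSI.finditer(body):
                kind = "key-reassignment" if m.group(2) == "p" else "escape-sequence"
                findings.append((kind, repr(m.group(0))))
    return findings

def neutralize(text):
    """Drop CSI sequences, then other control characters except tab/newline."""
    return re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", CSI.sub("", text))

# Constructed sample (not from the advisory): a text part with a clear-screen
# sequence and a harmless F1 reassignment, plus a PostScript part.
SAMPLE = (
    "Subject: constructed test\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="B"\n'
    "\n"
    "--B\n"
    "Content-Type: text/plain\n"
    "\n"
    'hello\x1b[2J world\x1b[0;59;"echo hi";13p\n'
    "--B\n"
    "Content-Type: application/postscript\n"
    "\n"
    "%!PS\n"
    "--B--\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

Passing text through neutralize() before listing it to a terminal removes the
escape sequences, so the display driver never receives them.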
Note that we are not claiming that a harmful agent cannot be distributed in
mail. To the contrary, the "Good Times" message *is* damaging -- as a rumor!
It is also possible to circulate code that, if executed by an unwary user,
could cause damage. However, the possibility is effectively nil of a virus
being constructed that will circulate via e-mail, affect any of several dozens
of operating systems when run through any of scores of different mail agents,
and launch by being listed to the screen.
More Information
Further discussion of this rumor may be found in the following CIAC Notes,
available via WWW:
or via ftp:
Contact information for FIRST
This is a list of contact information for incident response teams participating
in FIRST, the Forum of Incident Response and Security Teams. This list is
updated periodically; a master copy of this list is available from the FIRST
Secretariat via anonymous ftp at csrc.ncsl.nist.gov (129.6.54.11), file
pub/first/first-contacts, or by sending e-mail to docserver@first.org with the
message: send first-contacts. If you can't figure out who to call, contact a
response team or the FIRST Secretariat at (301) 975-5200 or
first-sec@first.org
{ ** lengthy list omitted -- available on request ** }
Last Amended: 15 October 1995
These community service pages are a joint offering of the Australian National
University (which provides the infrastructure), and Roger Clarke (who provides
the content).