The "Good Times" virus warnings are a hoax. People are circulating the warnings without verifying the information contained therein, thus leading to unnecessary worry and concern. Please do not circulate the "Good Times" warnings further. Please send this advisory on to anyone who has mail you such an advisory.

Background

Several of the FIRST teams, including the Department of Energy's CIAC and Purdue's PCERT, responded by posting advisories stating that this report appeared to be a hoax. Actually, the hoax posting was allegedly traced to a student at a college in the northeast U.S. who had made the whole thing up as a prank that got somewhat out of hand. In the time since that first posting, none of the response teams has reported any credible sighting of such a virus. (It is possible, in some very specialized, very rare circumstances, that e-mail might contain a destructive sequence or characters, but this is highly unlikely, and NOT the case in this instance. Some further details are given in the "additional discussion" below. We repeat, this is NOT the case in regards to "Good Times.")

More Recently

Please DO NOT repost warnings or reports of the "Good Times" virus! It is important that we try to stop the spread of the false and potentially damaging warning about "Good Times." It is in the same class of rumors and out-dated information as other urban legends such as the "Craig Shergold" (requests to send postcards/business cards to a dying boy) rumor. These stories continue to keep appearing and disturbing people as time goes on.

What you can do

• If you have received a warning about "Good Times" then send this advisory to everyone you know who received that warning. To ensure that it is read, DO NOT put the phrase "Good Times" in the subject line. We suspect that some people never saw the original advisories because they set their mailers to automatically delete mail with those words in the subject line.
• Save this advisory. If you receive a warning about "Good Times" anytime in the future, simply send a copy of this advisory back to whomever it is who sends you the warning.
• If you ever get a warning like this, or similarly get a warning or notice of some widespread problem with computers, VERIFY it with credible sources before passing it on. Rumors, especially when spread by well-meaning individuals, can cause significant panic and damage. FIRST response teams (FIRST == Forum of Incident Response and Security Teams) will be more than willing to respond with definitive information to a query on these topics; it is one of their missions. We are enclosing a copy of the list in this advisory, current as of April 24, 1995.
• We also note the possibility that someone is using this as a precursor to a real attack. That is, someone is repeatedly circulating the "Good Times" rumor to condition people to believing there is no danger, and will then circulate some damaging code under that name. To that end, if you ever get any mail labelled "Good Times" that is in some way executable (i.e., is a program or command file), DO NOT run it! Instead, contact your appropriate FIRST team for assistance and analysis. Again, we stress that we view this possibility as very, very unlikely.

Additional Discussion

When e-mail arrives at a system and is read by the user, it is seldom "executed" by anything that could damage the system, let alone reproduce the code itself. There are only two general exceptions to this for systems in wide-spread use, to our knowledge:

1. On a MS-DOS PC-based system with an ANSI.SYS driver, it is possible that a carefully-crafted control code sequence could execute some unwanted actions. This would only work if the mail was displayed in text mode (not in a window or specialized application). However, there are three good reasons to believe that this would never act to spread a virus:
   • First, the necessary control characters would be unlikely to pass through various mail gateways and forwarders without modification. Any change would render the sequence inoperable.
   • To spread effectively, the code would need to be written such that it would use pathnames and code present on almost every machine where received, including ANSI.SYS MS-DOS machines are seldom so predictable!
   • Any such change would only map one or more keys to a damaging command; the user would have to press a certain key (or sequence) to actually trigger the damage. This involves more than simply reading a mail message!
2. On systems using MIME-capable mailers (or similar), it is possible that a message could be crafted that would trigger an external agent on the receiving machine to do harm. For example, it might be possible to embed commands in a PostScript file that would cause a PostScript interpreter to modify files. For this to succeed, it requires that users automatically execute those applications upon receipt of appropriate mail, and that those applications have enabled operations that might unduly affect the system. Again, this does not seem to be a viable way to spread a virus.

More Information

• http://ciac.llnl.gov/ciac/notes/Notes04c.shtml
• http://ciac.llnl.gov/ciac/notes/Notes05d.shtml
• http://ciac.llnl.gov/ciac/notes/Notes09.shtml

• ftp://ciac.llnl.gov/pub/ciac/notes/notes04c.txt
• ftp://ciac.llnl.gov/pub/ciac/notes/notes05d.txt
• ftp://ciac.llnl.gov/pub/ciac/notes/notes09.txt

Contact information for FIRST

{ ** lengthy list omitted -- available on request ** }

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Last Amended: 15 October 1995

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).