=============================================================================
AL-95.02 AUSCERT Alert
April 26, 1995
"Good Times" Virus HOAX returns.
-----------------------------------------------------------------------------

There is a message circulating that warns of an email virus called "Good Times".

********* THE "Good Times" VIRUS IS A HOAX. **********

Please do NOT pass on any warnings about this virus. Please notify anyone who sends you such a warning that it is not valid. (HINT: Do not use the words "good times" in the subject line as anyone who believes the hoax will simply delete the message unread.)

This is a similar hoax to the "Good Times" virus hoax that had very wide circulation in December of 1994.

If you are interested in more details, a PCERT Advisory on the subject is included below this message. AUSCERT would like to thank PCERT for the use of this material.

If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the Australian Academic Research Network (AARNet) for its members. It is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST).

Internet Email: auscert@auscert.org.au
Facsimile: (07) 365 4477
Telephone: (07) 365 4417 (International: +61 7 365 4417)
AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies.

-------------------------->>>>>>>>>>>>>>>>>>>>>>

PCERT Advisory
(Purdue Computer Emergency Response Team, )
"Good Times" Virus Hoax Circulating Again
April 24, 1995

Summary
--------

The "Good Times" virus warnings are a hoax. People are circulating the warnings without verifying the information contained therein, thus leading to unnecessary worry and concern.
Please do not circulate the "Good Times" warnings further. Please send this advisory on to anyone who has mailed you such an advisory.

In this advisory:
    Summary
    Background
    More Recently
    What you can do
    Additional Discussion
    More Information
    Contact information for FIRST

Background
-----------

In early December 1994, a mail message was circulated in several mailing lists and bulletin boards warning of a "Good Times" virus. This "virus" was allegedly being circulated in e-mail on bulletin boards and several commercial services. The report stated that simply reading the message in a mail reader would cause it to activate, causing various forms of damage. Some versions of the message cite the FCC and/or America On-Line as authoritative sources of warnings about "Good Times." A related "virus" is sometimes also reported, alleged to have the string "xxx-1" (or similar) in the subject.

Several of the FIRST teams, including the Department of Energy's CIAC and Purdue's PCERT, responded by posting advisories stating that this report appeared to be a hoax. Actually, the hoax posting was allegedly traced to a student at a college in the northeast U.S. who had made the whole thing up as a prank that got somewhat out of hand. In the time since that first posting, none of the response teams has reported any credible sighting of such a virus.

(It is possible, in some very specialized, very rare circumstances, that e-mail might contain a destructive sequence of characters, but this is highly unlikely, and NOT the case in this instance. Some further details are given in the "additional discussion" below. We repeat, this is NOT the case in regards to "Good Times.")

More Recently
--------------

In the past few weeks, we have received e-mail and phone calls from a number of people who have seen new instances of "warnings" about the "virus." It seems that many people did not see the original series of postings, or forgot the earlier advisories.
It is also an unfortunate reality that many people will forward on warnings, even if of questionable technical merit, without making an attempt to verify them with an authoritative source. This leads to worry and further copies as the warnings spread.

Please DO NOT repost warnings or reports of the "Good Times" virus! It is important that we try to stop the spread of the false and potentially damaging warning about "Good Times." It is in the same class of rumors and out-dated information as other urban legends such as the "Craig Shergold" (requests to send postcards/business cards to a dying boy) rumor. These stories continue to keep appearing and disturbing people as time goes on.

What you can do
----------------

* If you have received a warning about "Good Times" then send this advisory to everyone you know who received that warning. To ensure that it is read, DO NOT put the phrase "Good Times" in the subject line. We suspect that some people never saw the original advisories because they set their mailers to automatically delete mail with those words in the subject line.

* Save this advisory. If you receive a warning about "Good Times" anytime in the future, simply send a copy of this advisory back to whomever it is who sends you the warning.

* If you ever get a warning like this, or similarly get a warning or notice of some widespread problem with computers, VERIFY it with credible sources before passing it on. Rumors, especially when spread by well-meaning individuals, can cause significant panic and damage. FIRST response teams (FIRST == Forum of Incident Response and Security Teams) will be more than willing to respond with definitive information to a query on these topics; it is one of their missions. We are enclosing a copy of the list in this advisory, current as of April 24, 1995.

* We also note the possibility that someone is using this as a precursor to a real attack.
  That is, someone is repeatedly circulating the "Good Times" rumor to condition people to believing there is no danger, and will then circulate some damaging code under that name. To that end, if you ever get any mail labelled "Good Times" that is in some way executable (i.e., is a program or command file), DO NOT run it! Instead, contact your appropriate FIRST team for assistance and analysis. Again, we stress that we view this possibility as very, very unlikely.

Additional Discussion
----------------------

Informally, a computer virus is code that, when executed, causes some action to occur, including some form of reproduction of the virus. In a similar manner, a "Trojan Horse" program is code that when executed has some unexpected (and usually unwanted) effect.

What is important to note here is that the virus and trojan horse code must be *executed* in some way to have an effect. That is, it must be run as a program, or passed as instructions to some interpreter program.

When e-mail arrives at a system and is read by the user, it is seldom "executed" by anything that could damage the system, let alone reproduce the code itself. There are only two general exceptions to this for systems in wide-spread use, to our knowledge:

1) On an MS-DOS PC-based system with an ANSI.SYS driver, it is possible that a carefully-crafted control code sequence could execute some unwanted actions. This would only work if the mail was displayed in text mode (not in a window or specialized application). However, there are three good reasons to believe that this would never act to spread a virus:

   * First, the necessary control characters would be unlikely to pass through various mail gateways and forwarders without modification. Any change would render the sequence inoperable.

   * To spread effectively, the code would need to be written such that it would use pathnames and code present on almost every machine where received, including ANSI.SYS. MS-DOS machines are seldom so predictable!
   * Any such change would only map one or more keys to a damaging command; the user would have to press a certain key (or sequence) to actually trigger the damage. This involves more than simply reading a mail message!

2) On systems using MIME-capable mailers (or similar), it is possible that a message could be crafted that would trigger an external agent on the receiving machine to do harm. For example, it might be possible to embed commands in a PostScript file that would cause a PostScript interpreter to modify files. For this to succeed, it requires that users automatically execute those applications upon receipt of appropriate mail, and that those applications have enabled operations that might unduly affect the system. Again, this does not seem to be a viable way to spread a virus.

Note that we are not claiming that a harmful agent cannot be distributed in mail. To the contrary, the "Good Times" message *is* damaging -- as a rumor! It is also possible to circulate code that, if executed by an unwary user, could cause damage. However, the possibility is effectively nil of a virus being constructed that will circulate via e-mail, affect any of several dozens of operating systems when run through any of scores of different mail agents, and launch by being listed to the screen.

More Information
-----------------

Further discussion of this rumor may be found in the following CIAC Notes, available via WWW:

    http://ciac.llnl.gov/ciac/notes/Notes04c.shtml
    http://ciac.llnl.gov/ciac/notes/Notes05d.shtml
    http://ciac.llnl.gov/ciac/notes/Notes09.shtml

or via ftp:

    ftp://ciac.llnl.gov/pub/ciac/notes/notes04c.txt
    ftp://ciac.llnl.gov/pub/ciac/notes/notes05d.txt
    ftp://ciac.llnl.gov/pub/ciac/notes/notes09.txt
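
Added example (not part of the PCERT or AUSCERT advisory) for the ANSI.SYS case in item 1 of the Additional Discussion: a gateway-style filter that finds escape sequences in a mail body, flags those that reassign keys, and strips control characters so the sequence is inoperable. The function names and the sample message are constructed, and the `p` final character for key reassignment comes from the ANSI.SYS documentation rather than from the advisory.

```python
import re

ESC = "\x1b"
# ESC [ parameters final-letter. Parameters may include quoted strings,
# which ANSI.SYS accepts in key-reassignment sequences.
CSI_RE = re.compile(r'\x1b\[((?:"[^"\r\n]*"|[0-9;=?])*)([A-Za-z])')


def scan_body(body):
    """Return one finding per escape sequence found in a mail body."""
    findings = []
    for m in CSI_RE.finditer(body):
        params, final = m.group(1), m.group(2)
        # A parameterised sequence ending in 'p' rebinds a key; anything
        # else (colour, cursor movement) only affects the display.
        kind = "key-reassignment" if final == "p" and params else "display"
        findings.append({"offset": m.start(), "kind": kind, "raw": m.group(0)})
    return findings


def neutralize(body):
    """Drop control characters that a text mail has no use for.

    Removing the ESC byte is enough: the rest of the sequence is then
    shown as ordinary text instead of being interpreted by the driver.
    """
    keep = {"\t", "\n", "\r"}
    return "".join(
        c for c in body
        if c in keep or (ord(c) >= 0x20 and ord(c) != 0x7F)
    )


# Constructed sample: two colour sequences and one sequence that would
# rebind a function key (code 0;59) to a harmless string.
SAMPLE = (
    "Subject: hello\n\n"
    "Plain text, then " + ESC + "[1;31mred" + ESC + "[0m text.\n"
    + ESC + '[0;59;"echo test"p' + "\n"
)

if __name__ == "__main__":
    for f in scan_body(SAMPLE):
        print(f["offset"], f["kind"], repr(f["raw"]))
    print(repr(neutralize(SAMPLE)))
```

After `neutralize`, the former sequence remains in the body as visible text, which matches the advisory's point that any change to the control characters renders the sequence inoperable.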