CIAC Notes

Number 95-09:April 24, 1995

ATTENTION: CIAC is available 24-hours a day via its two skypage numbers. To use this service, dial 1-800-759-7243. The PIN numbers are: 8550070 (for the CIAC duty person) and 8550074 (for the CIAC manager). Please keep these numbers handy.

This edition of CIAC NOTES describes the recent rebirth of "Good Times", and reiterates CIAC's previous position that "Good Times" is a hoax. Please send your comments and feedback to ciac@llnl.gov.

Reference to any specific commercial product does not necessarily constitute or imply its endorsement, recommendation or favoring by CIAC, the University of California, or the United States Government.

There is a rebirth of the "Good Times" urban legend. CIAC and other response teams, along with the Federal Communications Commission and America Online, have received numerous queries regarding the validity of the "Good Times" virus. The current "Good Times" message appears to be a repeat of the hoax perpetuated last December.

CIAC first released CIAC NOTES 94-04 in December 1994 which is titled "THE 'Good Times' VIRUS IS AN URBAN LEGEND." The original "Good Times" message that was posted and circulated contained the following:

Here is some important information. Beware of a file called Goodtimes.
Happy Chanukah everyone, and be careful out there. There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times", DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot.

Soon after the release of CIAC NOTES 04, another "Good Times" message was circulated. This is the same message that is being circulated during this recent "Good Times" rebirth. This message includes a claim that the Federal Communications Commission (FCC) released a warning about the danger of the "Good Times" virus. This "Good Times" hoax message contains the following:

The FCC released a warning last Wednesday concerning a matter of major importance to any regular user of the InterNet. Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying, said the FCC, is the fact that no program needs to be exchanged for a new computer to be infected.
... { stuff deleted } ...

CIAC contacted the FCC to ensure that this reference was fabricated and that the "Good Times" is truly a hoax.

ADDITIONAL INFORMATION

Having malicious code (malware) buried in the body of an E-mail message that would "infect" your computer is not a very likely possibility because characters in an E-mail message are displayed, not executed. CIAC still affirms that reading E-mail, using typical mail agents, will not activate malware delivered in or with the message.

Many people believe "in theory" that malware can be delivered and activated by some mail agents that have automated services. An example of such malware is mail delivered to a PC that has embedded, seemingly invisible escape sequences which affect screen display or program the keyboard to do some nastiness when some key is "accidently" pressed. The following is an excerpt from CIAC NOTES 05 which included and update to the "Good Times" urban legend.

CIAC did not claim that E-mail could not be a delivery agent for malware. A real threat comes from attached files which could contain viruses or Trojan programs. You should scan any executable attachment before executing it in the same way that you scan all new software before using it. It is possible to create a file that remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines with the text displayed on the screen in text mode. It would not work in Windows or in most text editors or mailers. A key could be remapped to produce any command sequence when pressed, for example DEL or FORMAT. However, the command is not issued until the remapped key is pressed and the command issued by the remapped key would be visible on the screen. You could protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the functionality of ANSI.SYS to control screen functions and colors. Windows programs are not effected by ANSI.SYS, though a DOS program running in Windows would be.

Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as:

Incident Handling Consulting
Computer Security Information
On-site Workshops
White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center. Further information can be found at CIAC. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. See FIRST for more details.

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy. CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be contacted at:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive.

   World Wide Web:       http://ciac.llnl.gov/
   Anonymous FTP:               ciac.llnl.gov (128.115.19.53)
   Modem access:  (510) 423-4753 (14.4K baud)
                  (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:

CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information;
CIAC-NOTES for Notes, a collection of computer security articles;
SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName FirstName and PhoneNumber when sending E-mail to ciac-listproc@llnl.gov:

        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

End of CIAC Notes Number 95-09 95_4_24