Good Times Virus Hoax

demetris.a.gaines at ceswa-im-i.mail.usace.army.mil
Thu Apr 27 08:00:00 EDT 1995


01/ou=CESWA-IM-I/s=GAINES/g=DEMETRIS/i=A/@MHS>
approved: Usenet at ux1.cso.uiuc.edu
organization: University of Illinois at Urbana
reply-to: grassu-list at max.cecer.army.mil
newsgroups: info.grass.user
originator: daemon at ux1.cso.uiuc.edu



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  95-15
 
       Release date: 24 April, 1995, 3:30 PM EDT (GMT -4)

SUBJECT: E-mail virus is a hoax.

SUMMARY: ASSIST has received numerous requests for information
about a computer virus known as "Good Times" that is
traversing the Internet and infects systems through e-mail.  THE
GOOD TIMES VIRUS MESSAGE IS A HOAX.  DO NOT FORWARD THE MESSAGE
ON GOOD TIMES TO OTHER PERSONS AND PROPAGATE THE RUMOR FURTHER.

BACKGROUND: The Good Times hoax was initiated in late 1994 and
after investigation the origination of the message was traced to a 
student at a university site and a user of America Online.  There 
have been several variations of the message with a basic theme of
"this electronic mail message with the subject line of "xxx-1" 
will infect your computer".  The spread of the hoax was accelerated
when many people saw a message with "Good Times" in the header. 
They deleted the message without reading it, thus believing that they
have saved themselves from being attacked. These first-hand reports 
give a false sense of credibility to the alert message.

The initial Good Times incident ended in December 1994 and there
was virtually no traffic on the subject until early April 1995
when another round of hoax messages began circulating on the
network.  The most common April 1995 version of the message
contained references to public statements from the Federal
Communications Commission and America Online as to Good Times
being verified as a legitimate virus.  This second round of Good
Times messages is also a hoax and based on the same false reports
as the 1994 Good Times messages.

As of this time, there are no known viruses which can infect merely
through reading a mail message; for a virus to infect and spread,
a file must be executed.  Simply reading a text message does not
cause execution of any files.  It would be possible for malicious
code to be transferred as an attachment or within the body (i.e.
uuencoded) of a message, but then the file would have to be
decoded and separate action taken outside of a mailer to execute
the file.  In addition, it would be extremely difficult for 
malicious code to be written to infect an environment as diverse 
as the Internet.  There are so many different types and versions
of operating systems and mailers in use on the Internet that
writing a piece of code that would successfully infect any 
recipient of an e-mail message would be highly unlikely.

It has been suggested that, theoretically, e-mail could be used
to deliver and activate malicious code in mailers that would 
have some type of embedded automated services.  An example was 
given of "invisible" escape sequences which affect screen 
to do some malicious action when 
some key is "accidentally" pressed.  This could be done through a 
file that remaps keys when displayed on a PC/MS-DOS machine with 
the ANSI.SYS driver loaded.  However, this only works on MS-DOS 
machines with the text displayed on the screen in text mode.  It 
would not work in Windows or in most text editors or mailers.  A 
key could be remapped to produce any command sequence when pressed, 
for example DEL or FORMAT.  However, the command is not issued 
until the remapped key is pressed and the command issued by the 
remapped key would be visible on the screen.  You could protect 
yourself by removing ANSI.SYS from the CONFIG.SYS file, but many 
DOS programs use the functionality of ANSI.SYS to control screen 
functions and colors.  Windows programs are not affected by 
ANSI.SYS, though a DOS program running in Windows would be. 

IMPACT: DoD personnel take unnecessary time and effort in 
response to a problem that does not exist.

RECOMMENDED SOLUTIONS: Do not forward a notice about the Good Times
virus to any other persons.  Normal policy should be to scan any 
executable file received from any source for malicious code.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
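
The ANSI.SYS key remapping discussed in the bulletin can be checked for before a text file or message is displayed on a DOS console. The Python code below is an added example, not part of the ASSIST bulletin; it assumes the documented ANSI.SYS keyboard-reassignment form ESC [ params p, and its function names and sample text are constructed for illustration.

```python
import re

ESC = "\x1b"
# ANSI.SYS keyboard reassignment: ESC [ params p, where params are
# semicolon-separated decimal codes or double-quoted strings.
_PARAM = r'(?:\d+|"[^"\r\n]*")'
KEY_REMAP = re.compile(ESC + r"\[(" + _PARAM + r"(?:;" + _PARAM + r")*)p")
# Any other CSI sequence (cursor movement, colours, screen clearing).
OTHER_CSI = re.compile(ESC + r"\[[0-9;=?]*[A-Za-z]")


def _show(tokens):
    """Render parameters readably: quoted text as-is, codes as a char or <n>."""
    out = []
    for t in tokens:
        if t.startswith('"'):
            out.append(t[1:-1])
        else:
            n = int(t)
            out.append(chr(n) if 32 <= n < 127 else "<%d>" % n)
    return "".join(out)


def scan(text):
    """Return one finding per key-reassignment sequence found in text."""
    findings = []
    for m in KEY_REMAP.finditer(text):
        tokens = re.findall(_PARAM, m.group(1))
        # Extended keys (function keys etc.) are written as 0;n.
        if tokens[0] == "0" and len(tokens) > 1 and tokens[1].isdigit():
            key, rest = "extended:" + tokens[1], tokens[2:]
        else:
            key, rest = _show(tokens[:1]), tokens[1:]
        findings.append({"offset": m.start(), "key": key,
                         "replacement": _show(rest)})
    return findings


def sanitize(text):
    """Strip all CSI sequences so the text can be displayed without side effects."""
    return OTHER_CSI.sub("", KEY_REMAP.sub("", text))


# Constructed sample: a colour change plus one sequence that would bind
# F1 (0;59) to the harmless command DIR followed by Enter (13).
SAMPLE = 'Hello\x1b[1;31m there\x1b[0;59;"DIR";13p, have a good time.\n'

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(repr(sanitize(SAMPLE)))
```

Running scan() over incoming text reports which key would be redefined and what it would type, and sanitize() gives a copy that is safe to display even with ANSI.SYS loaded.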





