Marvin J. Christensen (
Mon, 24 Apr 1995 13:50:15 -0700


U.S. DOE's Computer Incident Advisory Capability
___ __ __ _ ___ __ __ __ __ __
/ | /_\ / |\ | / \ | |_ /_
\___ __|__ / \ \___ | \| \__/ | |__ __/

Number 95-09 April 24, 1995

This edition of CIAC NOTES describes the recent rebirth of "Good Times",
and reiterates CIAC's previous position that "Good Times" is a hoax.
Please send your comments and feedback to

$ Reference to any specific commercial product does not necessarily $
$ constitute or imply its endorsement, recommendation or favoring by $
$ CIAC, the University of California, or the United States Government.$

There is a rebirth of the "Good Times" urban legend. CIAC and other
response teams, along with the Federal Communications Commission and
America Online, have received numerous queries regarding the validity
of the "Good Times" virus. The current "Good Times" message appears to
be a repeat of the hoax perpetuated last December.

CIAC first released CIAC NOTES 94-04 in December 1994 which is titled
"THE 'Good Times' VIRUS IS AN URBAN LEGEND." The original "Good Times"
message that was posted and circulated contained the following:

| Here is some important information. Beware of a file called Goodtimes. |
| |
| Happy Chanukah everyone, and be careful out there. There is a virus on |
| America Online being sent by E-Mail. If you get anything called "Good |
| Times", DON'T read it or download it. It is a virus that will erase your |
| hard drive. Forward this to all your friends. It may help them a lot. |

Soon after the release of CIAC NOTES 04, another "Good
Times" message was circulated. This is the same message that is
being circulated during this recent "Good Times" rebirth. This
message includes a claim that the Federal Communications Commission
(FCC) released a warning about the danger of the "Good Times"
virus. This "Good Times" hoax message contains the following:

The FCC released a warning last Wednesday concerning a matter of
major importance to any regular user of the InterNet. Apparently,
a new computer virus has been engineered by a user of America
Online that is unparalleled in its destructive capability. Other,
more well-known viruses such as Stoned, Airwolf, and Michaelangelo
pale in comparison to the prospects of this newest creation by a
warped mentality.
What makes this virus so terrifying, said the FCC, is the fact
that no program needs to be exchanged for a new computer to be

... { stuff deleted } ...

CIAC contacted the FCC to ensure that this reference was fabricated
and that the "Good Times" is truly a hoax.

Having malicious code (malware) buried in the body of an E-mail
message that would "infect" your computer is not a very likely
possibility because characters in an E-mail message are displayed, not
executed. CIAC still affirms that reading E-mail, using typical mail
agents, will not activate malware delivered in or with the message.

Many people believe "in theory" that malware can be delivered and
activated by some mail agents that have automated services. An
example of such malware is mail delivered to a PC that has embedded,
seemingly invisible escape sequences which affect screen display or
program the keyboard to do some nastiness when some key is
"accidently" pressed. The following is an excerpt from CIAC NOTES
05 which included and update to the "Good Times" urban legend.

CIAC did not claim that E-mail could not be a delivery agent for
malware. A real threat comes from attached files which could
contain viruses or Trojan programs. You should scan any executable
attachment before executing it in the same way that you scan all new
software before using it. It is possible to create a file that
remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS
driver loaded. However, this only works on PC/MS-DOS machines with
the text displayed on the screen in text mode. It would not work in
Windows or in most text editors or mailers. A key could be remapped
to produce any command sequence when pressed, for example DEL or
FORMAT. However, the command is not issued until the remapped key
is pressed and the command issued by the remapped key would be
visible on the screen. You could protect yourself by removing
ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the
functionality of ANSI.SYS to control screen functions and colors.
Windows programs are not effected by ANSI.SYS, though a DOS program
running in Windows would be.

- - ------------------------------
Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to
employees and contractors of the DOE, such as:

. Incident Handling Consulting
. Computer Security Information
. On-site Workshops
. White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in
Livermore, California, and is a part of its Computer Security
Technology Center. Further information can be found at CIAC. CIAC is
also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster
cooperation and coordination among computer security teams
worldwide. See FIRST for more details.

- - ------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy. CIAC is located
at the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response
and Security Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be
contacted at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604

For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.

World Wide Web:
Anonymous FTP: (
Modem access: (510) 423-4753 (14.4K baud)
(510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request as
the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE
or SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending

E-mail to
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

- - ---------------------------------------------------------------
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
- - ---------------------------------------------------------------

End of CIAC Notes Number 95-09 95_4_24

Version: 2.6.2

Attachment converted: msattler:SIGNED MESSAGE 21 (TEXT/MPGP) (00005589)