-----BEGIN PGP SIGNED MESSAGE-----



             U.S. DOE's Computer Incident Advisory Capability
           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/

Number 95-09                                               April 24, 1995


This edition of CIAC NOTES describes the recent rebirth of "Good Times",
and reiterates CIAC's previous position that "Good Times" is a hoax.
Please send your comments and feedback to ciac@llnl.gov.

  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
  $ Reference to any specific commercial product does not necessarily   $
  $ constitute or imply its endorsement, recommendation or favoring by  $
  $ CIAC, the University of California, or the United States Government.$
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

There is a rebirth of the "Good Times" urban legend. CIAC and other
response teams, along with the Federal Communications Commission and
America Online, have received numerous queries regarding the validity
of the "Good Times" virus. The current "Good Times" message appears to
be a repeat of the hoax perpetuated last December.


CIAC first released CIAC NOTES 94-04 in December 1994 which is titled
"THE 'Good Times' VIRUS IS AN URBAN LEGEND." The original "Good Times"
message that was posted and circulated contained the following:

 ---------------------------------------------------------------------------
| Here is some important information. Beware of a file called Goodtimes.    |
|                                                                           |
|  Happy Chanukah everyone, and be careful out there. There is a virus on   |
| America Online being sent by E-Mail.  If you get anything called "Good    |
| Times", DON'T read it or download it.  It is a virus that will erase your |
| hard drive.  Forward this to all your friends.  It may help them a lot.   |
 ---------------------------------------------------------------------------

Soon after the release of CIAC NOTES 04, another "Good
Times" message was circulated. This is the same message that is
being circulated during this recent "Good Times" rebirth. This
message includes a claim that the Federal Communications Commission
(FCC) released a warning about the danger of the "Good Times"
virus. This "Good Times" hoax message contains the following:

     The FCC released a warning last Wednesday concerning a matter of
   major importance to any regular user of the InterNet.  Apparently,
   a new computer virus has been engineered by a user of America
   Online that is unparalleled in its destructive capability.  Other,
   more well-known viruses such as Stoned, Airwolf, and Michaelangelo
   pale in comparison to the prospects of this newest creation by a
   warped mentality.
     What makes this virus so terrifying, said the FCC, is the fact
   that no program needs to be exchanged for a new computer to be
   infected.

    ... { stuff deleted } ...

CIAC contacted the FCC to ensure that this reference was fabricated
and that the "Good Times" is truly a hoax.


ADDITIONAL INFORMATION
======================
Having malicious code (malware) buried in the body of an E-mail
message that would "infect" your computer is not a very likely
possibility because characters in an E-mail message are displayed, not
executed. CIAC still affirms that reading E-mail, using typical mail
agents, will not activate malware delivered in or with the message.

Many people believe "in theory" that malware can be delivered and
activated by some mail agents that have automated services.  An
example of such malware is mail delivered to a PC that has embedded,
seemingly invisible escape sequences which affect screen display or
program the keyboard to do some nastiness when some key is
"accidently" pressed. The following is an excerpt from CIAC NOTES
05 which included and update to the "Good Times" urban legend.

  CIAC did not claim that E-mail could not be a delivery agent for
  malware.  A real threat comes from attached files which could
  contain viruses or Trojan programs.  You should scan any executable
  attachment before executing it in the same way that you scan all new
  software before using it.  It is possible to create a file that
  remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS
  driver loaded. However, this only works on PC/MS-DOS machines with
  the text displayed on the screen in text mode.  It would not work in
  Windows or in most text editors or mailers.  A key could be remapped
  to produce any command sequence when pressed, for example DEL or
  FORMAT.  However, the command is not issued until the remapped key
  is pressed and the command issued by the remapped key would be
  visible on the screen.  You could protect yourself by removing
  ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the
  functionality of ANSI.SYS to control screen functions and colors.
  Windows programs are not effected by ANSI.SYS, though a DOS program
  running in Windows would be.


- - ------------------------------
Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to
employees and contractors of the DOE, such as:

    . Incident Handling Consulting
    . Computer Security Information
    . On-site Workshops
    . White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in
Livermore, California, and is a part of its Computer Security
Technology Center. Further information can be found at CIAC. CIAC is
also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster
cooperation and coordination among computer security teams
worldwide. See FIRST for more details.



- - ------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy. CIAC is located
at the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response
and Security Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be
contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.

   World Wide Web:       http://ciac.llnl.gov/
   Anonymous FTP:               ciac.llnl.gov (128.115.19.53)
   Modem access:  (510) 423-4753 (14.4K baud)
                  (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request as
the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE
or SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

- - ---------------------------------------------------------------
This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
- - ---------------------------------------------------------------

End of CIAC Notes Number 95-09 95_4_24

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBL5vARrnzJzdsy3QZAQFC6AQAoJAuWKKH/9RJ9zD0UZBN5Z2GFPim24NB
9rtxIxDXqX9zl8eEiAa5MmSTx/AVkRgPi6JFGHaUKxamfkSRoZJeeKEIb12ZUUnA
il8PIZex0Z9E6B6a4lMgapjmgYDYO0pLgY/MoRHts8+PHGl4WKGSLF2fi3nhnHpA
neePBpHe8DA=
=em+y
-----END PGP SIGNATURE-----