************************************************************************** Security Bulletin 9434 DISA Defense Communications System December 9, 1944 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9428). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ******************************************************************** Following is information on "Good Times" virus (?) obtained by DISA's Center for Information Systems Security (CISS) from the Department of Energy's Computer Incident Advisory Capability (CIAC). ******************************************************************** ******************************************************************** _______ A S S I S T | / Automated Systems Security Incident Support Team | / Integritas Duty phone: +1 800 357 4231 (DSN 289 7974) | < et 24 hour pager: +1 800 791-4857 | \ Celeritas BBS: +1 703 756 7993 (DSN 289 7993) | \ e-mail: ASSIST@ASSIST.MIL ------- Anonymous FTP: ASSIST.MIL (IP 199.211.123.11) ********************************************************************* ********************************************************************* U.S. DOE's Computer Incident Advisory Capability ___ __ __ _ ___ __ __ __ __ __ / | /_\ / |\ | / \ | |_ /_ \___ __|__ / \ \___ | \| \__/ | |__ __/ Number 94-04 December 6, 1994 ------------------- A - T - T - E - N - T - I - O - N ------------------- | CIAC is available 24-hours a day via its two skypage numbers. To use | | this service, dial 1-800-759-7243. The PIN numbers are: 8550070 (for | | the CIAC duty person) and 8550074 (for the CIAC manager). Please keep | | these numbers handy. | ------------------------------------------------------------------------- Welcome to the fourth issue of CIAC Notes! This is a special edition to clear up recent reports of a "good times" virus-hoax. Let us know if you have topics you would like addressed or have feedback on what is useful and what is not. Please contact the editor, Allan L. Van Lehn, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov. $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$ $ Reference to any specific commercial product does not necessarily $ $ constitute or imply its endorsement, recommendation or favoring by $ $ CIAC, the University of California, or the United States Government.$ $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$ THE "Good Times" VIRUS IS AN URBAN LEGEND In the early part of December, CIAC started to receive information requests about a supposed "virus" which could be contracted via America OnLine, simply by reading a message. The following is the message that CIAC received: --------------------------------------------------------------------------- | Here is some important information. Beware of a file called Goodtimes. | | | | Happy Chanukah everyone, and be careful out there. There is a virus on | | America Online being sent by E-Mail. If you get anything called "Good | | Times", DON'T read it or download it. It is a virus that will erase your | | hard drive. Forward this to all your friends. It may help them a lot. | --------------------------------------------------------------------------- THIS IS A HOAX. Upon investigation, CIAC has determined that this message originated from both a user of America Online and a student at a university at approximately the same time, and it was meant to be a hoax. CIAC has also seen other variations of this hoax, the main one is that any electronic mail message with the subject line of "xxx-1" will infect your computer. This rumor has been spreading very widely. This spread is due mainly to the fact that many people have seen a message with "Good Times" in the header. They delete the message without reading it, thus believing that they have saved themselves from being attacked. These first-hand reports give a false sense of credibility to the alert message. There has been one confirmation of a person who received a message with "xxx-1" in the header, but an empty message body. Then, (in a panic, because he had heard the alert), he checked his PC for viruses (the first time he checked his machine in months) and found a pre-existing virus on his machine. He incorrectly came to the conclusion that the E-mail message gave him the virus (this particular virus could NOT POSSIBLY have spread via an E-mail message). This person then spread his alert. As of this date, there are no known viruses which can infect merely through reading a mail message. For a virus to spread some program must be executed. Reading a mail message does not execute the mail message. Yes, Trojans have been found as executable attachments to mail messages, the most notorious being the IBM VM Christmas Card Trojan of 1987, also the TERM MODULE Worm (reference CIAC Bulletin B-7) and the GAME2 MODULE Worm (CIAC Bulletin B-12). But this is not the case for this particular "virus" alert. If you encounter this message being distributed on any mailing lists, simply ignore it or send a follow-up message stating that this is a false rumor. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DDN Security bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.