-----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-15 Release date: 24 April, 1995, 3:30 PM EDT (GMT -4) SUBJECT: E-mail virus is a hoax. SUMMARY: ASSIST has received numerous requests for information about a computer virus virus known as "Good Times" that is traversing the Internet and infects systems through e-mail. THE GOOD TIMES VIRUS MESSAGE IS A HOAX. DO NOT FORWARD THE MESSAGE ON GOOD TIMES TO OTHER PERSONS AND PROPAGATE THE RUMOR FURTHER. BACKGROUND: The Good Times hoax was initiated in late 1994 and after investigation the origination of the message was traced to a student at a university site and a user of America Online. There have been several variations of the message with a basic theme of "this electronic mail message with the subject line of "xxx-1" will infect your computer". The spread of the hoax was accelerated when many people saw a a message with "Good Times" in the header. They deleted the message without reading it, thus believing that they have saved themselves from being attacked. These first-hand reports give a false sense of credibility to the alert message. The initial Good Times incident ended in December 1994 and there was virtually no traffic on the subject until early April 1995 when another round of hoax messages began circulating on the network. The most common April 1995 version of the message contained references to public statements from the Federal Communications Commission and America Online as to Good Times being verified as a legitamate virus. This second round of Good Times messages is also a hoax and based on the same false reports as the 1994 Good Times messages. As of this time, there are no known viruses which can infect merely through reading a mail message, for a virus to infect and spread a file must be executed. Simply reading a text message does not cause execution of any files. It would be possible for malicious code to be transferred as an attachment or within the body (i.e uuencoded) of a message, but then the file would have to be decoded and separate action taken outside of a mailer to execute the file. In addition, it would be extremely difficult for malicious code to be written to infect an environment as diverse as the Internet. There are so many different types and versions of operating systems and mailers in use on the Internet that writing a piece of code that would succesfully infect any recipient of an e-mail message would be highly unlikely. It has been suggested that, theoretically, e-mail could be used to deliver and activate malicious code in mailers that would have some type of embedded automated services. An example was given of "invisible" escape sequences which affect screen display or program the keyboard to do some malicious action when some key is "accidently" pressed. This could be done through a file that remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS driver loaded. However, this only works on MS-DOS machines with the text displayed on the screen in text mode. It would not work in Windows or in most text editors or mailers. A key could be remapped to produce any command sequence when pressed, for example DEL or FORMAT. However, the command is not issued until the remapped key is pressed and the command issued by the remapped key would be visible on the screen. You could protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the functionality of ANSI.SYS to control screen functions and colors. Windows programs are not effected by ANSI.SYS, though a DOS program running in Windows would be. IMPACT: DoD personnel take unnecessary time and effort in response to a problem that does not exist. RECOMMENDED SOLUTIONS: Do not forward a notice about the Good Times virus to any other persons. Normal policy should be to scan any executable file received from any source for malicious code. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. ASSIST Contact Information: PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00 to 22:30 EDT (GMT -4) Monday through Friday. During off duty hours, weekends and holidays, ASSIST can be reached via pager at 800-791- 4857. The page will be answered within 30 minutes, however if a quicker response is required, prefix the phone number with "999". ELECTRONIC MAIL: Send to assist@assist.mil. ASSIST BBS: Leave a message for the "sysop". ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP 2.6.2 may be used for non-commercial purposes only. Instructions for downloading the PGP 2.6.2 software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW 3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9 0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9 O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg== =d5rP - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBL5v9JdH6sbnW3Io9AQGUbwP9EVnDCXLVYDh314zNrnaKnoFwDZAO4Tog IxFZvtK5e9+AFEFqlEha3hNfBGg07APy+5j3TFmFSwhxhPpvEdTJNO/EvAae7ZTS iv8xQ6cglRUzCbCHzVYrVUwKxzYi039XMnlEC+lUO7d37KuiDOTSTeia2RuOkMMl w6VMhxAiQ9c= =bBcB -----END PGP SIGNATURE-----