Date: Thu, 23 May 1996 09:44:13 -0700
Sender: Vanagon Mailing List <vanagon@vanagon.com>
From: Bren Smith <bren@ccnet.com>
Subject: Re: VIRUS ALERT - NOT again?????
>The GOOD TIMES virus alert has been LONG known to be a load of
>rubbish. It was over a year ago when I first received a message like
>this.
Hey gang, I realize this might be overkill, but here's the latest good
times FAQ. It's helpful in stopping this once and for all:
=========================================
The Good Times email virus is a hoax!
If anyone repeats the hoax, please show them the FAQ.
G o o d T i m e s V i r u s H o a x
------------
F r e q u e n t l y A s k e d Q u e s t i o n s
by Les Jones
macfaq@aol.com
lesjones@usit.net
May 4, 1995
This information can be freely reproduced in any medium,
as long as the information is unmodified.
-------------------------------------
Is the Good Times email virus a hoax?
-------------------------------------
Yes. It's a hoax.
America Online, government computer security agencies, and makers of
anti-virus software have declared Good Times a hoax. See Online References
at the end of the FAQ.
Since the hoax began in December of 1994, no copy of the alleged virus has
ever been found, nor has there been a single verified case of a viral
attack.
-------------------------------------------------
Why should I believe the FAQ instead of the hoax?
-------------------------------------------------
Unlike the warnings that have been passed around, the FAQ is signed and
dated. I've included my email address, and the email addresses of
contributors, for verification. I've also provided online references at the
end of the FAQ so that you can confirm this information for yourself.
-----------------------------------------------------------
I'm new to the Internet. What is the Good Times virus hoax?
-----------------------------------------------------------
The story is that a virus called Good Times is being carried by email. Just
reading a message with "Good Times" in the subject line will erase your
hard drive, or even destroy your computer's processor. Needless to say,
it's a hoax, but a lot of people believed it.
The original message ended with instructions to "Forward this to all your
friends," and many people did just that. Warnings about Good Times have
been widely distributed on mailing lists, Usenet newsgroups, and message
boards.
The original hoax started in early December, 1994. It sprang up again in
March of 1995. In mid-April, a new version of the hoax that mentioned a
(long since retracted) FCC report began circulating. Worried that Good
Times would never go away, I decided to write the FAQ and a separate report
that chronicles the hoax's history.
-------------------------------
What is the effect of the hoax?
-------------------------------
For those who already know it's a hoax, it's a nuisance to read the
repeated warnings. For people who don't know any better, it causes needless
concern and lost productivity.
The virus hoax infects mailing lists, bulletin boards, and Usenet
newsgroups. Worried system administrators needlessly worry their employees
by posting dire warnings. The hoax is not limited to the United States. It
has appeared in several English-speaking and non-English-speaking
countries. One reader sent me an English transcription of a radio broadcast
in Malta.
Adam J Kightley (adamjk@cogs.susx.ac.uk) said, "The cases of 'infection' I
came across all tended to result from the message getting into the hands of
senior non-computing personnel. Those with the ability and authority to
spread it widely, without the knowledge to spot its nonsensical content."
Some of the companies that have reportedly fallen for the hoax include
AT&T, CitiBank, NBC, Hughes Aircraft, Texas Instruments, and dozens or
hundreds of others. There have been outbreaks at numerous colleges.
The U.S. government has not been immune. Some of the government agencies
that have reportedly fallen victim to the hoax include the Department of
Defense, the FCC, NASA, and various national labs. I've confirmed outbreaks
at the Department of Health and Human Services, though they had the good
sense to question the hoax, and ask for more information on Usenet, before
passing the hoax along to others.
The virus hoax has occasionally escaped into the popular media.
ez018982@betty.ucdavis.edu reports that on April 4, 1995, during the Tom
Sullivan show on KFBK 1530 AM radio in Sacramento, California, a police
officer warned listeners not to read email labeled "Good Times", and to
report the sender to the police. I've called Business Media Services
(916-453-8802) and ordered a tape of the show. .WAV at 11:00. Other radio
stations have spread the hoax, including Australia's ABC radio.
There are scattered reports of the virus spreading via Faxnet, that
low-tech network of secretaries and bored knowledge workers that traffics
in cartoons and dumb blonde jokes. I don't have any of these faxes, so if
you have one, email me and I'll give you my fax number.
---------------------------
What was the CIAC bulletin?
---------------------------
On December 6, 1994, the U.S. Department of Energy's CIAC (Computer
Incident Advisory Capability) issued a bulletin declaring the Good Times
virus a hoax and an urban legend. The bulletin was widely quoted as an
antidote to the hoax. The original document can be found at the address in
Online References at the end of the FAQ. Note that the document went
through several minor revisions, with 94-04c of December 8 being the most
recent.
Like all quoted material in the FAQ, it includes the original spelling and
punctuation. Because some of the lines in the CIAC report are rather long,
they will appear broken.
----Begin quoted material----
THE "Good Times" VIRUS IS AN URBAN LEGEND
In the early part of December, CIAC started to receive information requests
about a supposed "virus" which could be contracted via America OnLine,
simply by reading a message.
---------------------------------------------------------------------------
| Here is some important information. Beware of a file called Goodtimes. |
|
|
| Happy Chanukah everyone, and be careful out there. There is a virus on |
| America Online being sent by E-Mail. If you get anything called "Good |
| Times", DON'T read it or download it. It is a virus that will erase your |
| hard drive. Forward this to all your friends. It may help them a lot. |
---------------------------------------------------------------------------
THIS IS A HOAX. Upon investigation, CIAC has determined that this message
originated from both a user of America Online and a student at a university
at approximately the same time, and it was meant to be a hoax.
CIAC has also seen other variations of this hoax, the main one is that any
electronic mail message with the subject line of "xxx-1" will infect your
computer.
This rumor has been spreading very widely. This spread is due mainly to the
fact that many people have seen a message with "Good Times" in the header.
They delete the message without reading it, thus believing that they have
saved themselves from being attacked. These first-hand reports give a false
sense of credibility to the alert message.
There has been one confirmation of a person who received a message with
"xxx-1" in the header, but an empty message body. Then, (in a panic,
because he had heard the alert), he checked his PC for viruses (the first
time he checked his machine in months) and found a pre-existing virus on
his machine. He incorrectly came to the conclusion that the E-mail message
gave him the virus (this particular virus could NOT POSSIBLY have spread
via an E-mail message). This person then spread his alert.
As of this date, there are no known viruses which can infect merely through
reading a mail message. For a virus to spread some program must be
executed. Reading a mail message does not execute the mail message. Yes,
Trojans have been found as executable attachments to mail messages, the
most notorious being the IBM VM Christmas Card Trojan of 1987, also the
TERM MODULE Worm (reference CIAC Bulletin B-7) and the GAME2 MODULE Worm
(CIAC Bulletin B-12). But this is not the case for this particular "virus"
alert.
If you encounter this message being distributed on any mailing lists,
simply ignore it or send a follow-up message stating that this is a false
rumor.
Karyn Pichnarczyk
CIAC Team
ciac@llnl.gov
----End quoted material----
Note: Karyn is now with Cisco. Her new email address is karyn@cisco.com.
The CIAC report was wrong when it stated that the hoax was started by "a
user of America Online and a student at a university." See "Who started the
hoax."
-----------------------------------------------------
What are some early versions of the warning (Protos)?
-----------------------------------------------------
I have an early version of the hoax that dates back to November 15, 1994,
when it was posted to the TECH-LAW mailing list. This is currently the
earliest known example of Good Times. See also "When did the hoax start?"
---Begin quoted material----
FYI, a file, going under the name "Good Times" is being sent to some
Internet users who subscribe to on-line services (Compuserve, Prodigy and
America On Line). If you should receive this file, do not download it!
Delete it immediately. I understand that there is a virus included in that
file, which if downloaded to your personal computer, will ruin all of your
files.
----End quoted material---
One person remembers seeing Good Times as far back as April or May of 1994,
but there is no supporting evidence for that claim. For now, the FYI
message qualifies as the earliest prototype of Good Times.
------------------------------------------------------ What did the first
major warning (Happy Chanukah) say?
------------------------------------------------------
This is the canonical original message as I received it on December 2,
1994, and as it was quoted in the CIAC report, though it's not the earliest
message. This message sparked the December Good Times panic.
----Begin quoted material----
Here is some important information. Beware of a file called Goodtimes.
Happy Chanukah everyone, and be careful out there.There is a virus on
America Online being sent by E-Mail. If you get anything called "Good
Times", DON'T read it or download it. It is a virus that will erase your
hard drive. Forward this to all your friends. It may help them a lot.
----End quoted material----
---------------------------------------
What's the other major warning (ASCII)?
---------------------------------------
The "happy Chanukah" greeting in the original message dates it, so more
recent hoax eruptions have used a different message. The one below can be
identified because it claims that simply loading Good Times into the
computer's ASCII buffer can activate the virus, so I call it ASCII.
Karyn Pichnarczyk (karyn@cisco.com) remembers the ASCII message from the
original hoax in December of 1994, though I never saw it. Mikko Hypponen
(Mikko.Hypponen@datafellows.fi) sent me a copy of this warning that dates
back to December 2, 1994. The Infinite Loop variety of ASCII is now the
basis for the most common warnings.
----Begin quoted material----
Thought you might like to know...
Apparently , a new computer virus has been engineered by a user of America
Online that is unparalleled in its destructive capability. Other, more
well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in
comparison to the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying is the fact that no program needs to be
exchanged for a new computer to be infected. It can be spread through the
existing e-mail systems of the InterNet.
Luckily, there is one sure means of detecting what is now known as the
"Good Times" virus. It always travels to new computers the same way - in a
text e-mail message with the subject line reading simply "Good Times".
Avoiding infection is easy once the file has been received - not reading
it. The act of loading the file into the mail server's ASCII buffer causes
the "Good Times" mainline program to initialize and execute.
The program is highly intelligent - it will send copies of itself to
everyone whose e-mail address is contained in a received-mail file or a
sent-mail file, if it can find one. It will then proceed to trash the
computer it is running on.
The bottom line here is - if you receive a file with the subject line "Good
TImes", delete it immediately! Do not read it! Rest assured that whoever's
name was on the "From:" line was surely struck by the virus. Warn your
friends and local system users of this newest threat to the InterNet! It
could save them a lot of time and money.
----End quoted material---
------------------------------------------------------------- What's the
popular variation on ASCII (FCC or Infinite Loop)?
-------------------------------------------------------------
You rarely see the pure ASCII version any more. One common variation
mentions an FCC memo, and claims that Good Times can destroy a computer's
processor by placing the processor in a "nth-complexity infinite binary
loop," which is a fancy-sounding bit of science fiction. This is by far the
most common version nowadays, and consists of ASCII with the following
additional material:
----Begin quoted material----
The FCC released a warning last Wednesday concerning a matter of major
importance to any regular user of the InterNet. Apparently, a new computer
virus has been engineered by a user of America Online that is unparalleled
in its destructive capability. Other, more well-known viruses such as
Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of
this newest creation by a warped mentality.
What makes this virus so terrifying, said the FCC, is the fact that no
program needs to be exchanged for a new computer to be infected. It can be
spread through the existing e-mail systems of the InterNet. Once a computer
is infected, one of several things can happen. If the computer contains a
hard drive, that will most likely be destroyed. If the program is not
stopped, the computer's processor will be placed in an nth-complexity
infinite binary loop - which can severely damage the processor if left
running that way too long. Unfortunately, most novice computer users will
not realize what is happening until it is far too late.
----End quoted material---
--------------------------------
Exactly when did the hoax start?
--------------------------------
I thought I knew, but new evidence has come to light. In the original FAQ,
I wrote the following paragraphs :
----
December 2, 1994 is often quoted as the beginning of the hoax, but some of
the AOL forward message headers in the copy I received put the date at
December 1. One non-AOL header is dated November 29, though that date could
easily have been forged.
Also, notice the text of the original message as it was sent to me, and
quoted in the CIAC report:
Here is some important information. Beware of a file called Goodtimes.
Happy Chanukah everyone, and be careful out there.There is a virus on
America Online being sent by E-Mail. If you get anything called "Good
Times", DON'T read it or download it. It is a virus that will erase your
hard drive. Forward this to all your friends. It may help them a lot.
The first paragraph suggests that someone was forwarding the information in
the second paragraph. A seasonal greeting like "Happy Chanukah" is almost
never placed in the second paragraph of a letter, suggesting even more
strongly that this message was repeating information from someone else.
----
After reading the FAQ, several people reported earlier instances of the
hoax. On November 15, 1994, Rich Lavoie (lavoie@cwt.com) posted it to the
TECH-LAW mailing list. Rodney Knight (r.j.knight@rl.ac.uk) saw that message
on a newsgroup, and forwarded the warning to the POSTCARD mailing list.
November 15 is currently the earliest confirmed sighting.
Anthony Altieri (magneto@epix.net) recollected the hoax as far back as
April or May of 1994, but that recollection is so far unsubstantiated by
any evidence.
---------------------
Who started the hoax?
---------------------
We don't know who started the hoax. You'll meet people who think they know
who started it, or where it started. They are mis-informed. Show them the
FAQ. I've seen some people claim that the hoaxsters were arrested and
convicted. This is incorrect.
The CIAC report stated that the hoax was started by "a user of America
Online and a student at a university." I asked Karyn Pichnarczyk about
that. During the December outbreak of Happy Chanukah, several people tried
to trace the hoax by following messages headers. When America Online traced
headers, they stopped at an AOL account. When Nathan Gilliatt
(gilliatt@ac.duke.edu) traced headers in different messages, the messages
seemed to stop at Swarthmore College. Karyn said she didn't know who to
believe, so she said that the virus was started by "a user of America
Online and a student at a university." We now know that Happy Chanukah"
wasn't the original message, so tracing headers was a futile attempt to
trace the origin of the hoax.
Asking who started the hoax assumes that someone consciously started the
hoax. It's possible that Good Times is a highly distorted report of some
real or semi-real event. After being told and retold, the story became the
Good Times hoax as we know it. The Telephone Game gone mad. The problem
with this theory is that really can'y be proven.
AOL postmaster David O'Donnell (PMDAtropos@aol.com) has another theory
about the origins of the hoax. David says that there was once a Good Times
chain letter going around. To stop the chain letter, David's theory goes,
someone claimed that the chain letter contained a virus, and warned people
to delete any email with "Good Times" in the subject line. If anyone has
any evidence to support this theory, such as copies of the original chain
letter, I'd love to see them.
-------------------------------
How do you know all this stuff?
-------------------------------
I investigated the original hoax in December of 1994. I'll disclose the
full details in my report.
------------------------------------
When will your report be ready, Les?
------------------------------------
Soon. I'm working on a history of the December outbreak. It promises to be
good reading. It's essentially a first-hand narrative of the original
outbreak in December, and recounts my discovery of the NVP Trojan horse.
The FAQ will still be used for current discussion of the hoax. When it's
finished, the report will be freely distributable, and will be available
from my ftp site at usit.net in the pub/lesjones directory.
---------------------------
Is an email virus possible?
---------------------------
The short answer is no, not the way Good Times was described.
The long answer is that this is a difficult question that's open to
nit-picking. Keep three things in mind when considering the question:
*A virus is operating system-specific. DOS viruses don't affect
Macintoshes, and vice versa. That greatly limits the destructive power of
viruses. (And notice that none of the Good Times warnings mention which
types of computers are affected. That omission set off many people's hoax
detectors.)
*A virus, by definition, can't exist by itself. It must infect an
executable program. To transmit a virus by email, someone would have to
infect a file and attach the file to the email message. To activate the
virus, you would have to download and decode the file attachment, then run
the infected program. In that situation, the email message is just a
carrier for an infected file, just like a floppy disk carrying an infected
file.
*Some of the situations that people have dreamed up involve Trojan horses
rather than viruses. A virus can only exist inside another program, which
then automatically infects other programs. A Trojan horse is a program that
pretends to do something useful, but instead does something nefarious.
Trojans aren't infectious, so they're much less common than viruses.
There are some email programs that can be set to automatically download a
file attachment, decode it, and execute the file attachment. If you use
such a program, you would be well advised to disable the option to
automatically execute file attachments.
You should, of course, be wary of any file attachments a stranger sends
you. At the least, you should check such file attachments for viruses
before running them.
------------------------------------------------- How can I protect myself
from viruses in general? -------------------------------------------------
Use a virus checker regularly. Freeware, shareware, and commercial
anti-virus programs are widely available. Which program you use isn't as
important as how you use it. Most people get into trouble because they
never bother to check their computer for viruses.
Most viruses spread through floppy disks, so isolating yourself from online
services and the Internet will not protect you from viruses. In fact,
you're probably safer if you're online, simply because you'll have access
to anti-viral software and information.
-------------------------------------------------------- Where can I find
anti-viral information on the Internet?
--------------------------------------------------------
Usenet newsgroups
_________________
comp.virus -- the Usenet gateway for VIRUS-L (below)
Mailing lists
_____________
VIRUS-L is a moderated list for discussions of viruses and anti-viral
products. Send email to listserv@lehigh.edu. In the body of the message,
include the line "sub virus-l your-name" (without the quotes).
FTP sites
_________
cert.org in pub/virus-l/docs/
Contains information about viruses and anti-virus products, with pointers
to other FTP sites.
World Wide Web
____________________________________
http://www.singnet.com.sg/staff/lorna/Virus (Note: the V must be capitalized!)
------------------------------------
Was the hoax a sort of virus itself?
------------------------------------
Yes, but it wasn't a computer virus. It was more like a social virus or a
thought virus.
When someone on alt.folklore.urban asked if the virus was for real, Clay
Shirky (clays@panix.com) answered:
"Its for real. Its an opportunistic self-replicating email virus which
tricks its host into replicating it, sometimes adding as many as 200,000
copies at a go. It works by finding hosts with defective parsing apparatus
which prevents them from understanding that a piece of email which says
there is an email virus and then asking them to remail the message to all
their friends is the virus itself."
Shirky eloquently described what a lot of people were thinking. So what is
a virus? To a biologist, a virus is a snippet of genetic material that must
infect a host organism to survive and reproduce. To be contagious, a virus
usually carries instructions that cause the host to engage in certain
pathological activities (such as sneezing and coughing) that spread the
infection to other organisms.
To a computer programmer, a virus is a snippet of computer code that must
infect a host program to spread. To be contagious, a computer virus usually
causes the host program to engage in certain pathological activities that
spread the infection to other programs
>From this perspective, it's easy to see the Good Times hoax as a sort
of thought virus. To be contagious, a thought virus causes the host to
engage in certain pathological activities that spread the infection.
In the case of Good Times, the original strain (happy Chanukah) explicitly
told people to "forward this to all your friends." The other major viral
strain (infinite loop) encourages people to "Please be careful and forward
this mail to anyone you care about," and "Warn your friends and local
system users of this newest threat to the InterNet!"
Likewise, the stories of an FCC modem tax encourage people to tell their
friends and post the warning on other BBSes. David Rhodes' Make Money Fast
scam instructs people to re-post the message to as many as ten bulletin
boards.
In _The Selfish Gene_ (1976, University of Oxford Press), Oxford
evolutionary biologist Richard Dawkins extends the principles in his book
from biology to human culture. To make the transition, Dawkins proposes a
cultural replicator analogous to genes. He calls these replicators memes.
"Examples of memes are tunes, ideas, catch-phrases, clothes fashions, ways
of making pots or of building arches. Just as genes propagate themselves in
the gene pool by leaping from body to body via sperm or eggs, so memes
propagate themselves in the meme pool by leaping from brain to brain via a
process which, in the broad sense, can be called imitation. ... As my
colleague N. K. Humphrey neatly summed up an earlier draft of this chapter:
"...memes should be regarded as living structures, not just metaphorically,
but technically. When you plant a fertile meme in my mind you literally
parasitize my brain, turning it into a vehicle for the meme's propagation
in just the way that a virus may parasitize the genetic mechanism of a host
cell.""
Amazingly, when I read alt.folklore.computers looking for research
material, two people had already mentioned Dawkins' memes. One of them
referred to an article in the April 8, 1995 _New Scientist_ about something
called the Meme Research Group. (The article erroneously stated that the
group is at the University of California, San Francisco. In fact, they are
at Simon Fraser University in British Columbia.)
The Meme Research Group is collecting chain letters to analyze them. The
more copies they get, the more information they have to analyze. Send those
unwanted chain letters to meme@scottlabsgi.chem.sfu.ca.
I am not a memeticist, and a real memeticist might take umbrage at my
explanation of the concept. To learn more, visit the alt.memetics newsgroup
on Usenet, and especially the alt.memetics home page on the World Wide Web
(http://www.xs4all.nl/~hingh/alt.memetics/). Though we've talked about
memes in terms of viruses (a common analogy), the concept of a meme is
neither good nor bad. The idea of "Do unto others as you would have them do
unto you" is as much a meme as the Good Times hoax.
----------------------------------------------- What's the best way to
control a thought virus? -----------------------------------------------
Create a counter virus like this one as an antidote. To make the counter
virus contagious, include instructions such as, "The Good Times email virus
is a hoax. If anyone repeats the hoax, please show them the FAQ."
------------------------------------------------------------- What are some
other hoaxes and urban legends on the Internet?
-------------------------------------------------------------
The FCC Modem Tax
Every so often someone posts a dire warning that the FCC is considering a
tax on modems and online services. The warning encourages you to tell your
friends so they can take political action. It's a hoax. It's been going on
for the five years I've been online, and probably much longer. If you'll
notice, the warnings don't include a date or a bill number.
Make Money Fast
If you haven't seen a Make Money Fast message, call your local anthropology
department. They might be interested in studying you. Devised by David
Rhodes in 1987 or 1988, Make Money Fast (sometimes distributed on BBSes as
a file called fastcash.txt) is an electronic version of a chain letter
pyramid scheme. You're supposed to send money to the ten people on the
list, then add your name to the list and repost the chain letter,
committing federal wire fraud in the process. Posting a Make Money Fast
message is one sure way to lose your Internet account. (Information from
the Make Money Fast FAQ by ewl@panix.com.)
Craig Shergold needs your get well cards
Craig Shergold is a UK resident who was dying of cancer. He wanted to get
in the Guinness Book of World Records for having received the most get well
cards. When people heard of the poor boy's wish, they began sending him
postcards. And they kept sending him postcards, and never stopped. Shergold
is now in full remission. He was listed in the Guinness Book of World
Records in 1991. He really does not want your postcards any more, and
neither does his hometown post office.
These are just the urban legends that you're likely to encounter on the
Internet. There are many more in real life that you probably believe. I
won't give them away, but here are some clues: peanut butter, Neiman
Marcus/Mrs. Fields, Rod Stewart, and the Newlywed Game. For more
information, read the alt.folklore.urban FAQ, listed in Online References
at the end of the FAQ.
-----------------
Online References
-----------------
CIAC Notes 94-05 95-09, and especially 94-04
-------------------------------------------- FTP to ciac.llnl.gov and look
in the pub/ciac/notes directory. The URL ftp://ciac.llnl.gov/pub/ciac/notes/
The URL for the CIAC home page on the World Wide Web is:
http://ciac.llnl.gov/ciac/
alt.folklore.urban FAQ
--------------------------
Available via FTP from cathouse.org in the
/pub/cathouse/urban.legends/AFU.faq directory.
Also available on the World Wide Web at
http://cathouse.org/UrbanLegends/AFUFAQ/
America Online's official statement
-----------------------------------
keyword "virus2" on America Online
The Good Times Virus Hoax Mini FAQ
----------------------------------
A greatly simplified version of this FAQ. At two pages, it's short enough
for message boards, faxes, mailing lists, and people with short attention
spans. FTP to usit.net and look in the pub/lesjones directory. The URL is
ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ .
The Good Times Virus Hoax FAQ (this document)
--------------------------------------------- Via FTP:
FTP to usit.net and look in the pub/lesjones directory. The URL is:
ftp://usit.net/pub/lesjones/GoodTimes-HoaxFAQ.txt
On the World Wide Web:
http://nethelp.tamu.edu/~swood/GoodTimes-HoaxFAQ.html -- good hypertext
http://www.tcp.co.uk/tcp/good.times.html -- excellent hypertext
http://www.singnet.com.sg/staff/lorna/Virus -- lots of virus info (Note:
the V must be capitalized.)
http://www.nsm.smcm.edu/News/GTHoax.html
On America Online:
in the file libraries at keyword "virus"
by email:
send email to archive@xconn.com with REQUEST GT_VIRUS.TXT in the subject line.