___________________________________________________________________________
Security: "Good Times virus" and other hoaxes
G o o d   T i m e s   V i r u s   H o a x
------------
F r e q u e n t l y   A s k e d   Q u e s t i o n s
by Les Jones
macfaq@aol.com
lesjones@usit.net
April 27, 1995
This information can be freely reproduced in any medium,
as long as the information is unmodified.
-------------------------------------
Is the Good Times email virus a hoax?
-------------------------------------
Yes. It's a hoax.
America Online, government computer security agencies, and makers
of anti-virus software have declared Good Times a hoax. See Online
References at the end of the FAQ.
Since the hoax began in December of 1994, no copy of the alleged
virus has ever been found, nor has there been a single verified
case of a viral attack.
-------------------------------------------------
Why should I believe the FAQ instead of the hoax?
-------------------------------------------------
Unlike the warnings that have been passed around, the FAQ is signed
and dated. I've included my email address, and the email addresses
of contributors, for verification. I've also provided online
references at the end of the FAQ so that you can confirm this
information for yourself.
-----------------------------------------------------------
I'm new to the Internet. What is the Good Times virus hoax?
-----------------------------------------------------------
The story is that a virus called Good Times is being carried by
email. Just reading a message with "Good Times" in the subject line
will erase your hard drive, or even destroy your computer's
processor. Needless to say, it's a hoax, but a lot of people
believed it.
The original message ended with instructions to "Forward this to
all your friends," and many people did just that. Warnings about
Good Times have been widely distributed on mailing lists, Usenet
newsgroups, and message boards.
The original hoax started in early December, 1994. It sprang up
again in March of 1995. In mid-April, a new version of the hoax
that mentioned a (long since retracted) FCC report began
circulating. Worried that Good Times would never go away, I decided
to write the FAQ and a separate report that chronicles the hoax's
history.
-------------------------------
What is the effect of the hoax?
-------------------------------
For those who already know it's a hoax, it's a nuisance to read the
repeated warnings. For people who don't know any better, it causes
needless concern and lost productivity.
The virus hoax infects mailing lists, bulletin boards, and Usenet
newsgroups. Worried system administrators needlessly worry their
employees by posting dire warnings. The hoax is not limited to the
United States. It has appeared in several English-speaking
countries.
Adam J Kightley (adamjk@cogs.susx.ac.uk) said, "The cases of
'infection' I came across all tended to result from the message
getting into the hands of senior non-computing personnel. Those
with the ability and authority to spread it widely, without the
knowledge to spot its nonsensical content."
Some of the companies that have reportedly fallen for the hoax
include AT&T, CitiBank, NBC, Hughes Aircraft, Texas Instruments,
and dozens or hundreds of others. There have been outbreaks at
numerous colleges.
The U.S. government has not been immune. Some of the government
agencies that have reportedly fallen victim to the hoax include the
Department of Defense, the FCC, and NASA. I've confirmed outbreaks at
the Department of Health and Human Services, though they had the
good sense to question the hoax, and ask for more information on
Usenet.
The virus hoax has occasionally escaped into the popular media.
ez018982@betty.ucdavis.edu reports that on April 4, 1995, during
the Tom Sullivan show on KFBK 1530 AM radio in Sacramento,
California, a police officer warned listeners not to read email
labeled "Good Times", and to report the sender to the police. I've
called Business Media Services (916-453-8802) and ordered a tape of
the show. .WAV at 11:00.
There are scattered reports of the virus spreading via Faxnet, that
low-tech network of secretaries and bored knowledge workers that
traffics in cartoons and dumb blonde jokes. I don't have any of
these faxes, so if you have one, email me and I'll give you my fax
number.
---------------------------
What was the CIAC bulletin?
---------------------------
On December 6, 1994, the U.S. Department of Energy's CIAC (Computer
Incident Advisory Capability) issued a bulletin declaring the Good
Times virus a hoax and an urban legend. The bulletin was widely
quoted as an antidote to the hoax. The original document can be
found at the address in Online References at the end of the FAQ.
Note that the document went through several minor revisions, with
94-04c of December 8 being the most recent.
Like all quoted material in the FAQ, it includes the original
spelling and punctuation. Because some of the lines in the CIAC
report are rather long, they will appear broken.
----Begin quoted material----
THE "Good Times" VIRUS IS AN URBAN LEGEND
In the early part of December, CIAC started to receive information
requests about a supposed "virus" which could be contracted via
America OnLine, simply by reading a message.
---------------------------------------------------------------------------
| Here is some important information. Beware of a file called
Goodtimes. |
|
|
| Happy Chanukah everyone, and be careful out there. There is a
virus on |
| America Online being sent by E-Mail. If you get anything called
"Good |
| Times", DON'T read it or download it. It is a virus that will
erase your |
| hard drive. Forward this to all your friends. It may help them
a lot. |
---------------------------------------------------------------------------
THIS IS A HOAX. Upon investigation, CIAC has determined that this
message originated from both a user of America Online and a student
at a university at approximately the same time, and it was meant to
be a hoax.
CIAC has also seen other variations of this hoax, the main one is
that any electronic mail message with the subject line of "xxx-1"
will infect your computer.
This rumor has been spreading very widely. This spread is due
mainly to the fact that many people have seen a message with "Good
Times" in the header. They delete the message without reading it,
thus believing that they have saved themselves from being attacked.
These first-hand reports give a false sense of credibility to the
alert message.
There has been one confirmation of a person who received a message
with "xxx-1" in the header, but an empty message body. Then, (in a
panic, because he had heard the alert), he checked his PC for
viruses (the first time he checked his machine in months) and found
a pre-existing virus on his machine. He incorrectly came to the
conclusion that the E-mail message gave him the virus (this
particular virus could NOT POSSIBLY have spread via an E-mail
message). This person then spread his alert.
As of this date, there are no known viruses which can infect merely
through reading a mail message. For a virus to spread some program
must be executed. Reading a mail message does not execute the mail
message. Yes, Trojans have been found as executable attachments to
mail messages, the most notorious being the IBM VM Christmas Card
Trojan of 1987, also the TERM MODULE Worm (reference CIAC Bulletin
B-7) and the GAME2 MODULE Worm (CIAC Bulletin B-12). But this is
not the case for this particular "virus" alert.
If you encounter this message being distributed on any mailing
lists, simply ignore it or send a follow-up message stating that
this is a false rumor.
Karyn Pichnarczyk
CIAC Team
ciac@llnl.gov
----End quoted material----
Note: Karyn is now with Cisco. Her new email address is
karyn@cisco.com.
-----------------------------------------------------
What are some early versions of the warning (Protos)?
-----------------------------------------------------
I have an early version of the hoax that dates back to November 15,
1994, when it was posted to the TECH-LAW mailing list. This is
currently the earliest known example of Good Times. See also "When
did the hoax start?"
---Begin quoted material----
FYI, a file, going under the name "Good Times" is being sent to
some Internet users who subscribe to on-line services (Compuserve,
Prodigy and America On Line). If you should receive this file, do
not download it! Delete it immediately. I understand that there is
a virus included in that file, which if downloaded to your personal
computer, will ruin all of your files.
----End quoted material----
Here's another version that was circulated among a few AOL members
on November 18:
---Begin quoted material---
Somebody is sending e-mail under the title "good times". If you
get anything like this, DON'T DOWNLOAD THE FILE! ! ! ! ! ! ! ! ! !
It has a virus that rewrites your hard drive, and you lose anything
on your hard drive. Please be careful and forward this mail to
anyone you care about, I have!
----End quoted material---
One person remembers seeing Good Times as far back as April or May
of 1994, but there is no supporting evidence for that claim. For
now, the FYI message qualifies as the earliest prototype of Good
Times.
------------------------------------------------------
What did the first major warning (Happy Chanukah) say?
------------------------------------------------------
This is the canonical original message as I received it on December
2, 1994, and as it was quoted in the CIAC report. It is the message
that sparked the Good Times panic. Note, however, that it is not the
earliest version of the hoax (see "When did the hoax start").
----Begin quoted material----
Here is some important information. Beware of a file called
Goodtimes.
Happy Chanukah everyone, and be careful out there.There is a virus
on America Online being sent by E-Mail. If you get anything called
"Good Times", DON'T read it or download it. It is a virus that
will erase your hard drive. Forward this to all your friends. It
may help them a lot.
----End quoted material----
---------------------------------------
What's the other major warning (ASCII)?
---------------------------------------
The "happy Chanukah" greeting in the original message dates it, so
more recent hoax eruptions have used a different message. The one
below can be identified because it claims that simply loading Good
Times into the computer's ASCII buffer can activate the virus, so I
call it ASCII.
Karyn Pichnarczyk (karyn@cisco.com) remembers the ASCII message
from the original hoax in December of 1994, though I never saw it.
Mikko Hypponen (Mikko.Hypponen@datafellows.fi) sent me a copy of
this warning that dates back to December 2, 1994. The Infinite Loop
variety of ASCII is now the basis for the most common warnings.
----Begin quoted material----
Thought you might like to know...
Apparently , a new computer virus has been engineered by a user of
America Online that is unparalleled in its destructive capability.
Other, more well-known viruses such as Stoned, Airwolf, and
Michaelangelo pale in comparison to the prospects of this newest
creation by a warped mentality.
What makes this virus so terrifying is the fact that no program
needs to be exchanged for a new computer to be infected. It can be
spread through the existing e-mail systems of the InterNet.
Luckily, there is one sure means of detecting what is now known as
the "Good Times" virus. It always travels to new computers the
same way - in a text e-mail message with the subject line reading
simply "Good Times". Avoiding infection is easy once the file has
been received - not reading it. The act of loading the file into
the mail server's ASCII buffer causes the "Good Times" mainline
program to initialize and execute.
The program is highly intelligent - it will send copies of itself
to everyone whose e-mail address is contained in a received-mail
file or a sent-mail file, if it can find one. It will then proceed
to trash the computer it is running on.
The bottom line here is - if you receive a file with the subject
line "Good TImes", delete it immediately! Do not read it! Rest
assured that whoever's name was on the "From:" line was surely
struck by the virus. Warn your friends and local system users of
this newest threat to the InterNet! It could save them a lot of
time and money.
----End quoted material---
-------------------------------------------------------------
What's the popular variation on ASCII (FCC or Infinite Loop)?
-------------------------------------------------------------
You rarely see the pure ASCII version any more. One common
variation mentions an FCC memo, and claims that Good Times can
destroy a computer's processor by placing the processor in a
"nth-complexity infinite binary loop," which is a fancy-sounding
bit of science fiction. This is by far the most common version
nowadays, and consists of ASCII with the following additional
material:
----Begin quoted material----
The FCC released a warning last Wednesday concerning a matter of
major importance to any regular user of the InterNet. Apparently,
a new computer virus has been engineered by a user of America
Online that is unparalleled in its destructive capability. Other,
more well-known viruses such as Stoned, Airwolf, and Michaelangelo
pale in comparison to the prospects of this newest creation by a
warped mentality.
What makes this virus so terrifying, said the FCC, is the fact that
no program needs to be exchanged for a new computer to be infected.
It can be spread through the existing e-mail systems of the
InterNet. Once a computer is infected, one of several things can
happen. If the computer contains a hard drive, that will most
likely be destroyed. If the program is not stopped, the computer's
processor will be placed in an nth-complexity infinite binary loop
- which can severely damage the processor if left running that way
too long. Unfortunately, most novice computer users will not
realize what is happening until it is far too late.
----End quoted material---
--------------------------------
Exactly when did the hoax start?
--------------------------------
I thought I knew, but new evidence has come to light. In the
original FAQ, I wrote the following paragraphs:
----
December 2, 1994 is often quoted as the beginning of the hoax, but
some of the AOL forward message headers in the copy I received put
the date at December 1. One non-AOL header is dated November 29,
though that date could easily have been forged.
Also, notice the text of the original message as it was sent to me,
and quoted in the CIAC report:
Here is some important information. Beware of a file called
Goodtimes.
Happy Chanukah everyone, and be careful out there.There is a virus
on America Online being sent by E-Mail. If you get anything called
"Good Times", DON'T read it or download it. It is a virus that
will erase your hard drive. Forward this to all your friends. It
may help them a lot.
The first paragraph suggests that someone was forwarding the
information in the second paragraph. A seasonal greeting like
"Happy Chanukah" is almost never placed in the second paragraph of
a letter, suggesting even more strongly that this message was
repeating information from someone else.
----
After reading the FAQ, several people reported earlier instances of
the hoax. On November 15, 1994, Rich Lavoie (lavoie@cwt.com) posted
it to the TECH-LAW mailing list. Rodney Knight
(r.j.knight@rl.ac.uk) saw that message on a newsgroup, and
forwarded the warning to the POSTCARD mailing list. November 15 is
currently the earliest confirmed sighting.
Anthony Altieri (magneto@epix.net) recollected the hoax as far back
as April or May of 1994, but that recollection is so far
unsubstantiated by any evidence.
---------------------
Who started the hoax?
---------------------
No one knows who started the original hoax. You'll meet people who
think they know who started it, or where it started. They are
misinformed. Show them the FAQ. They're just repeating second-hand
information. The truth is, no one knows who started Good Times. I
discuss this further in my report.
Now that new outbreaks of the hoax have begun, it's not especially
important who spreads the rumors. Most people who pass on the
warnings aren't aware that it's a hoax. We're better off spending our
time educating new Internet users, and distributing the FAQ
whenever Good Times erupts.
Asking who started the hoax assumes that someone consciously
started the hoax. It's possible that Good Times is a highly
distorted report of some real or semi-real event. After being told
and retold, the story became the Good Times hoax as we know it. The
Telephone Game gone mad.
-------------------------------
How do you know all this stuff?
-------------------------------
I investigated the original hoax in December of 1994. I'll disclose
the full details in my report.
------------------------------------
When will your report be ready, Les?
------------------------------------
Soon. I'm working on a complete history of the hoax. It promises to
be good reading. The report provides a detailed history of events
and public opinion. It also suggests a way to counter hoaxes and
other thought viruses, and recounts my discovery of the NVP Trojan
horse. When it's finished, it will be freely distributable, and
will be available from my ftp site at usit.net in the pub/lesjones
directory.
---------------------------
Is an email virus possible?
---------------------------
The short answer is no, not the way Good Times was described.
The longer answer is that this is a difficult question that's open
to nitpicking. Keep three things in mind when considering the
question:
* A virus is computer specific. IBM PC viruses don't affect
Macintoshes, and vice versa. That greatly limits the destructive
power of viruses. (And notice that none of the Good Times warnings
mention which types of computers are affected.)
* A virus, by definition, can't exist by itself. It must infect an
executable program. To transmit a virus by email, someone would
have to infect a file and attach the file to the email message. To
activate the virus, you would have to download and decode the file
attachment, then run the infected program. In that situation, the
email message is just a carrier for an infected file, just like a
floppy disk carrying an infected file.
* Some of the situations that people have dreamed up involve Trojan
horses rather than viruses. A virus can only exist inside another
program, which then automatically infects other programs. A Trojan
horse is a program that pretends to do something useful, but
instead does something nefarious. Trojans aren't infectious, so
they're much less common than viruses.
There are some email programs that can be set to automatically
download a file attachment, decode it, and execute the file
attachment. If you use such a program, you would be well advised to
disable the option to automatically execute file attachments.
You should, of course, be wary of any file attachments a stranger
sends you. At the least, you should check such file attachments for
viruses before running them.
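The point above, that the message is only a carrier and an attachment is
only bytes until someone decodes and runs it, shown as an added example
that is not part of the original FAQ. It assumes a MIME-formatted message
and Python's standard email package; the sample message, the extension
list and the leading-byte list are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed for this example: a short, non-exhaustive list of runnable file
# types and of leading bytes that mark program files.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif"}
EXECUTABLE_MAGIC = {b"MZ": "DOS/Windows program", b"\x7fELF": "ELF program"}


def classify_part(part):
    """Describe one leaf MIME part. Nothing here executes the content."""
    filename = part.get_filename()
    # decode=True only reverses the transfer encoding (base64 and so on).
    data = part.get_payload(decode=True) or b""
    if filename is None and part.get_content_maintype() == "text":
        return "(body)", "text to display, nothing to run"
    name = filename or "(unnamed)"
    # Look at the bytes first: the file name is chosen by the sender.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name, f"executable content ({label}): scan before running"
    if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
        return name, "runnable file type: scan before running"
    return name, "data attachment"


def triage(raw_message: bytes):
    """Return (name, verdict) for the body and every attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [classify_part(p) for p in msg.walk() if not p.is_multipart()]


def build_sample() -> bytes:
    """Constructed message: a text body, a program named like a text
    file, and an ordinary note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "Good Times"
    msg.set_content("Reading this body only displays text.\n")
    fake_program = b"MZ" + bytes(62)  # constructed bytes, not a working program
    msg.add_attachment(fake_program, maintype="application",
                       subtype="octet-stream", filename="greeting.txt")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage(build_sample()):
        print(f"{name:14} {verdict}")
```

A leading-byte check can misfire on a text file that happens to begin
with the same characters, so treat a hit as a reason to scan, not as proof.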
-------------------------------------------------
How can I protect myself from viruses in general?
-------------------------------------------------
Use a virus checker regularly. Freeware, shareware, and commercial
anti-virus programs are widely available. Which program you use
isn't as important as how you use it. Most people get into trouble
because they never bother to check their computer for viruses.
Most viruses spread through floppy disks, so isolating yourself
from online services and the Internet will not protect you from
viruses. In fact, you're probably safer if you're online, simply
because you'll have access to anti-viral software and information.
--------------------------------------------------------
Where can I find anti-viral information on the Internet?
--------------------------------------------------------
Usenet newsgroups
_________________
comp.virus -- the Usenet gateway for VIRUS-L (below)
Mailing lists
_____________
VIRUS-L is for discussions of viruses and anti-viral products. Send
email to listserv@lehigh.edu. In the body of the message, include
the line "sub virus-l your-name" (without the quotes).
FTP sites
_________
cert.org in pub/virus-l/docs/
Contains information about viruses and anti-virus products, with
pointers to other FTP sites.
World Wide Web
____________________________________
http://www.singnet.com.sg/staff/lorna/Virus
(Note: the V must be capitalized!)
------------------------------------
Was the hoax a sort of virus itself?
------------------------------------
Yes, but it wasn't a computer virus. It was more like a social
virus or a thought virus.
When someone on alt.folklore.urban asked if the virus was for real,
Clay Shirky (clays@panix.com) answered:
"Its for real. Its an opportunistic self-replicating email virus
which tricks its host into replicating it, sometimes adding as many
as 200,000 copies at a go. It works by finding hosts with defective
parsing apparatus which prevents them from understanding that a
piece of email which says there is an email virus and then asking
them to remail the message to all their friends is the virus
itself."
Shirky eloquently described what a lot of people were thinking. So
what is a virus? To a biologist, a virus is a snippet of genetic
material that must infect a host organism to survive and reproduce.
To be contagious, a virus usually carries instructions that cause
the host to engage in certain pathological activities (such as
sneezing and coughing) that spread the infection to other
organisms.
To a computer programmer, a virus is a snippet of computer code
that must infect a host program to spread. To be contagious, a
computer virus usually causes the host program to engage in certain
pathological activities that spread the infection to other programs.
From this perspective, it's easy to see the Good Times hoax as a
sort of thought virus. To be contagious, a thought virus causes the
host to engage in certain pathological activities that spread the
infection.
In the case of Good Times, the original strain (happy Chanukah)
explicitly told people to "forward this to all your friends." The
other major viral strain (infinite loop) encourages people to
"Please be careful and forward this mail to anyone you care about,"
and "Warn your friends and local system users of this newest threat
to the InterNet!"
Likewise, the stories of an FCC modem tax encourage people to tell
their friends and post the warning on other BBSes. David Rhodes'
Make Money Fast scam instructs people to re-post the message to as
many as ten bulletin boards.
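The traits this FAQ points to in the warnings (a request to pass the
message on, a claim that reading is dangerous, a promise of total
destruction, no date, no signature) can be checked mechanically. The
following is an added example, not part of the original FAQ; the patterns
and the decision rule are assumptions made for illustration, and the
sample texts are the warnings quoted in this FAQ plus a notice constructed
from its own header and suggested counter-message.

```python
import re

# Patterns are assumptions written for this example. They encode traits the
# FAQ points out in the warnings and are not a vetted mail-filter rule set.
CONTENT_SIGNALS = {
    "asks_to_be_forwarded": re.compile(
        r"\b(forward|re-?post|pass)\b[^.!]*\b(friends|everyone|anyone)\b"
        r"|\bwarn\s+your\s+friends\b", re.I),
    "reading_is_dangerous": re.compile(
        r"\b(don't|do not|not)\s+read(ing)?\b", re.I),
    "total_destruction": re.compile(
        r"\b(erase|destroy|trash|ruin)\b[^.!]*"
        r"\b(hard drive|computer|processor|files)\b", re.I),
}
MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
DATE = re.compile(rf"\b({MONTHS})\s+\d{{1,2}},\s+\d{{4}}\b", re.I)
CONTACT = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def assess(text):
    """List which hoax traits a message shows and apply a simple rule."""
    signals = [name for name, rx in CONTENT_SIGNALS.items() if rx.search(text)]
    if not DATE.search(text):
        signals.append("undated")
    if not CONTACT.search(text):
        signals.append("unsigned")
    # Assumed rule: the forwarding request is what makes the text spread,
    # so require it plus at least two supporting traits.
    likely = "asks_to_be_forwarded" in signals and len(signals) >= 3
    return {"signals": sorted(signals), "likely_chain_hoax": likely}


# Quoted in this FAQ as the first major warning.
HAPPY_CHANUKAH = """Here is some important information. Beware of a file called
Goodtimes.
Happy Chanukah everyone, and be careful out there.There is a virus
on America Online being sent by E-Mail. If you get anything called
"Good Times", DON'T read it or download it. It is a virus that
will erase your hard drive. Forward this to all your friends. It
may help them a lot."""

# Closing paragraphs of the ASCII warning quoted in this FAQ.
ASCII_CLOSING = """The program is highly intelligent - it will send copies of itself
to everyone whose e-mail address is contained in a received-mail
file or a sent-mail file, if it can find one. It will then proceed
to trash the computer it is running on.
The bottom line here is - if you receive a file with the subject
line "Good TImes", delete it immediately! Do not read it! Rest
assured that whoever's name was on the "From:" line was surely
struck by the virus. Warn your friends and local system users of
this newest threat to the InterNet! It could save them a lot of
time and money."""

# Constructed from this FAQ's header and its suggested counter-message.
FAQ_NOTICE = """Good Times Virus Hoax FAQ, by Les Jones, lesjones@usit.net,
April 27, 1995. The Good Times email virus is a hoax. If anyone repeats
the hoax, please show them the FAQ."""

if __name__ == "__main__":
    for label, text in [("Happy Chanukah", HAPPY_CHANUKAH),
                        ("ASCII closing", ASCII_CLOSING),
                        ("FAQ notice", FAQ_NOTICE)]:
        print(label, assess(text))
```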
In _The Selfish Gene_ (1976, University of Oxford Press), Oxford
evolutionary biologist Richard Dawkins extends the principles in
his book from biology to human culture. To make the transition,
Dawkins proposes a cultural replicator analogous to genes. He calls
these replicators memes:
"Examples of memes are tunes, ideas, catch-phrases, clothes
fashions, ways of making pots or of building arches. Just as genes
propagate themselves in the gene pool by leaping from body to body
via sperm or eggs, so memes propagate themselves in the meme pool
by leaping from brain to brain via a process which, in the broad
sense, can be called imitation. ... As my colleague N. K. Humphrey
neatly summed up an earlier draft of this chapter: "...memes should
be regarded as living structures, not just metaphorically, but
technically. When you plant a fertile meme in my mind you literally
parasitize my brain, turning it into a vehicle for the meme's
propagation in just the way that a virus may parasitize the genetic
mechanism of a host cell.""
Amazingly, when I read alt.folklore.computers looking for research
material, two people had already mentioned Dawkins' memes. One of
them referred to an article in the April 8, 1995 _New Scientist_
about something called the Meme Research Group. (The article
erroneously stated that the group is at the University of
California, San Francisco. In fact, they are at Simon Fraser
University in British Columbia.)
The Meme Research Group is collecting chain letters to analyse
them. The more copies they get, the more information they have to
analyze. Send those unwanted chain letters to
meme@scottlabsgi.chem.sfu.ca.
I am not a memeticist, and a real memeticist might take umbrage at
my explanation of the concept. To learn more, visit the
alt.memetics newsgroup on Usenet, and especially the alt.memetics
home page on the World Wide Web
(http://www.xs4all.nl/~hingh/alt.memetics/). Though we've talked
about memes in terms of viruses (a common analogy), the concept of
a meme is neither good nor bad. The idea of "Do unto others as you
would have them do unto you" is as much a meme as the Good Times
hoax.
-----------------------------------------------
What's the best way to control a thought virus?
-----------------------------------------------
Create a counter virus like this one as an antidote. To make the
counter virus contagious, include instructions such as, "The Good
Times email virus is a hoax. If anyone repeats the hoax, please
show them the FAQ."
-------------------------------------------------------------
What are some other hoaxes and urban legends on the Internet?
-------------------------------------------------------------
The FCC Modem Tax
Every so often someone posts a dire warning that the FCC is
considering a tax on modems and online services. The warning
encourages you to tell your friends so they can take political
action. It's a hoax. It's been going on for the five years I've
been online, and probably much longer. If you'll notice, the
warnings don't include a date or a bill number.
Make Money Fast
If you haven't seen a Make Money Fast message, call your local
anthropology department. They might be interested in studying you.
Devised by David Rhodes in 1987 or 1988, Make Money Fast (sometimes
distributed on BBSes as a file called fastcash.txt) is an
electronic version of a chain letter pyramid scheme. You're
supposed to send money to the ten people on the list, then add your
name to the list and repost the chain letter, committing federal
wire fraud in the process. Posting a Make Money Fast message is one
sure way to lose your Internet account. (Information from the Make
Money Fast FAQ by ewl@panix.com.)
Craig Shergold needs your get well cards
Craig Shergold is a UK resident who was dying of cancer. He wanted
to get in the Guinness Book of World Records for having received
the most get well cards. When people heard of the poor boy's wish,
they began sending him postcards. And they kept sending him
postcards, and never stopped. Shergold is now in full remission. He
was listed in the Guinness Book of World Records in 1991. He really
does not want your postcards any more, and neither does his
hometown post office.
These are just the urban legends that you're likely to encounter on
the Internet. There are many more in real life that you probably
believe. I won't give them away, but here are some clues: peanut
butter, Neiman Marcus/Mrs. Fields, Rod Stewart, and the Newlywed
Game. For more information, read the alt.folklore.urban FAQ, listed
in Online References at the end of the FAQ.
-----------------
Online References
-----------------
CIAC Notes 94-05, 95-09, and especially 94-04
---------------------------------------------
FTP to ciac.llnl.gov and look in the pub/ciac/notes directory. The
URL is ftp://ciac.llnl.gov/pub/notes/
The URL for the CIAC home page on the World Wide Web is:
http://ciac.llnl.gov/ciac/
alt.folklore.urban FAQ
--------------------------
Available via FTP from cathouse.org in the
/pub/cathouse/urban.legends/AFU.faq directory.
Also available on the World Wide Web at
http://cathouse.org/UrbanLegends/AFUFAQ/
America Online's official statement
-----------------------------------
keyword "virus2" on America Online
The Good Times Virus Hoax Mini FAQ
----------------------------------
A greatly simplified version of this FAQ. At two pages, it's short
enough for message boards, faxes, mailing lists, and people with
short attention spans. FTP to usit.net and look in the pub/lesjones
directory. The URL is
ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ .
The Good Times Virus Hoax FAQ (this document)
---------------------------------------------
Via FTP:
FTP to usit.net and look in the pub/lesjones directory. The URL is:
ftp://usit.net/pub/lesjones/GoodTimes-HoaxFAQ.txt
On the World Wide Web:
http://nethelp.tamu.edu/~swood/GoodTimes-HoaxFAQ.html -- good
hypertext
http://www.tcp.co.uk/tcp/good.times.html -- excellent hypertext
http://www.singnet.com.sg/staff/lorna/Virus -- lots of virus info
(Note: the V must be capitalized.)
On America Online:
in the file libraries at keyword "virus"
-- | macfaq@aol.com | AOL, Good Times and ZTerm FAQs |
Les Jones | lesjones@usit.net | ftp://usit.net/pub/lesjones/ |
(28-Apr-95/secgtvao/MJT)
___________________________________________________________________________