
BOGUS virus warning!

To: triumphs@autox.team.net, vtr@autox.team.net, TRGang@triumph.cs.utah.edu,
Subject: BOGUS virus warning!
From: Berry Kercheval <kerch@parc.xerox.com>
Date: Tue, 25 Apr 1995 07:59:09 PDT
------- Forwarded Message

Date:    Tue, 25 Apr 95 07:39:54 -0800
From:    The Post Office <postmaster@parc.xerox.com>
To:      kerch@parc.xerox.com
cc:      The Post Office <postmaster.parc@xerox.com>
Subject: Unresolvable mail address

A copy of your message is being returned to you because one or more of
the addresses you specified could not be recognized as addresses that are
understood by, or reachable from, this system.

This means that the portion of the address AFTER the @ is incorrect.

Common errors include gratuitous appending of ".com" or ".edu" to an
address, attempting to mail to host addresses rather than names, and
simple typographical errors.  Xerox users may wish to consult
[Vertigo-16a:PARC]<NetInfo>Doc>ExternalMail.txt for further information.


error: unresolvable: cash@cmsnames.albany.edu

- ------- Original Message follows -------
external
rcvdfrom reynaldo.parc.xerox.com ([13.2.116.96])
with SMTP
from <kerch@klute.parc.xerox.com>
to <british-cars@triumph.cs.utah.edu>
to <cash@cmsnames.albany.edu>
Received: from localhost by reynaldo.parc.xerox.com with SMTP id <34950>; Tue, 
25 Apr 1995 07:39:33 -0700
X-Mailer: exmh version 1.6 4/21/95
To:     cash@cmsnames.albany.edu
cc:     british-cars@triumph.cs.utah.edu
Subject: Re: Virus warning : IT'S BOGUS!
In-reply-to: Your message of "Fri, 21 Apr 95 12:58:00 PDT."
             <199504251402.IAA05955@triumph.cs.utah.edu> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date:   Tue, 25 Apr 1995 07:39:20 -0700
Sender: Berry Kercheval <kerch@parc.xerox.com>
From:   Berry Kercheval <kerch@parc.xerox.com>
Message-Id: <95Apr25.073933pdt.34950@reynaldo.parc.xerox.com>

>>>cash@cmsnames.albany.edu said:
 > >There is a computer virus that is being sent across the Internet.  If you
 > >receive an e-mail message with the subject line "Good Times", DO NOT
 > >read the message, DELETE it immediately. 

This is completely bogus.  Please read the attached notes from CIAC.  Apologies
to the britcar folks, but this nonsense must be stamped out.  Please forward 
appropriately.

  --berry

Berry Kercheval :: Xerox Palo Alto Research Center

- -------------------------------
             U.S. DOE's Computer Incident Advisory Capability
           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/

Number 94-04c                                               December 8, 1994

Welcome to the fourth issue of CIAC Notes!  This is a special edition to
clear up recent reports of a "good times" virus-hoax.  Let us know if you
have topics you would like addressed or have feedback on what is useful and
what is not.  Please contact the editor, Allan L. Van Lehn, CIAC,
510-422-8193 or send E-mail to ciac@llnl.gov. 

  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
  $ Reference to any specific commercial product does not necessarily   $
  $ constitute or imply its endorsement, recommendation or favoring by  $
  $ CIAC, the University of California, or the United States Government.$
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

THE "Good Times" VIRUS IS AN URBAN LEGEND

In the early part of December, CIAC started to receive information requests
about a supposed "virus" which could be contracted via America OnLine, simply
by reading a message.  The following is the message that CIAC received: 

 ---------------------------------------------------------------------------
| Here is some important information. Beware of a file called Goodtimes.    |
|                                                                           |
|  Happy Chanukah everyone, and be careful out there. There is a virus on   |
| America Online being sent by E-Mail.  If you get anything called "Good    |
| Times", DON'T read it or download it.  It is a virus that will erase your |
| hard drive.  Forward this to all your friends.  It may help them a lot.   |
 ---------------------------------------------------------------------------

THIS IS A HOAX.  Upon investigation, CIAC has determined that this message
originated from both a user of America Online and a student at a university
at approximately the same time, and it was meant to be a hoax. 

CIAC has also seen other variations of this hoax, the main one is that any
electronic mail message with the subject line of "xxx-1" will infect your
computer. 

This rumor has been spreading very widely.  This spread is due mainly to the
fact that many people have seen a message with "Good Times" in the header. 
They delete the message without reading it, thus believing that they have
saved themselves from being attacked. These first-hand reports give a false
sense of credibility to the alert message. 

There has been one confirmation of a person who received a message with
"xxx-1" in the header, but an empty message body.  Then, (in a panic, because
he had heard the alert), he checked his PC for viruses (the first time he
checked his machine in months) and found a pre-existing virus on his machine.
 He incorrectly came to the conclusion that the E-mail message gave him the
virus (this particular virus could NOT POSSIBLY have spread via an E-mail
message).  This person then spread his alert. 

As of this date, there are no known viruses which can infect merely through
reading a mail message.  For a virus to spread some program must be executed.
Reading a mail message does not execute the mail message.  Yes, Trojans have
been found as executable attachments to mail messages, the most notorious
being the IBM VM Christmas Card Trojan of 1987, also the TERM MODULE Worm
(reference CIAC Bulletin B-7) and the GAME2 MODULE Worm (CIAC Bulletin B-12).
 But this is not the case for this particular "virus" alert. 

If you encounter this message being distributed on any mailing lists, simply
ignore it or send a follow-up message stating that this is a false rumor. 

Karyn Pichnarczyk
CIAC Team
ciac@llnl.gov


- ------------------------------

WHO IS CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory 
Capability.  Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to employees
and contractors of the DOE, such as: Incident Handling consulting, Computer 
Security Information, On-site Workshops, White-hat Audits.

CIAC is located at Lawrence Livermore National Laboratory and is a part of
its Computer Security Technology Center.  CIAC is also a founding member of 
FIRST, the Forum of Incident Response and Security Teams, a global 
organization established to foster cooperation and coordination among 
computer security teams worldwide.

CONTACTING CIAC

If you require additional assistance or wish to report a vulnerability, call
CIAC at 510-422-8193, fax messages to 510-423-8002 or send E-mail to
ciac@llnl.gov.

 ------------------- A - T - T - E - N - T - I - O - N ---------------------
| For emergencies and off-hour assistance, CIAC is available 24-hours a day |
| to DOE and DOE contractors via an integrated voicemail and SKYPAGE number.|
| To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The |
| primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second |
| PIN, 8550074 is for the CIAC Project Leader.  Keep these numbers handy.   |
 ---------------------------------------------------------------------------
 
CIAC's ELECTRONIC PUBLICATIONS

Previous CIAC Bulletins and other information are available via anonymous
FTP from ciac.llnl.gov and WWW from "http://ciac.llnl.gov". 

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.

To subscribe an address which is a distribution list, first subscribe the
person responsible for your distribution list.  You will receive an
acknowledgment (as described above). Change the address to the distribution
list by sending a second E-mail request.  As the body of this message,
substitute valid information for "list-name," "PIN", and "address of the
distribution list" when sending

E-mail to ciac-listproc@llnl.gov:
        set  list-name  address  PIN  distribution_list_address
  e.g., set ciac-notes address 001860 remailer@tara.georgia.orb

To be removed from a mailing list, send the following request via

E-mail to ciac-listproc@llnl.gov:
        unsubscribe  list-name
  e.g., unsubscribe ciac-notes

For more information, send the following request:
        help

  If you have any questions about this list, you may contact the list's owner:
listmanager@cheetah.llnl.gov.

- ------------------------------

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes. 

- ------------------------------
End of CIAC Notes Number 94-04c  94_12_08
*****************************************


===============================================================================
             U.S. DOE's Computer Incident Advisory Capability
           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/

Number 94-05d                                                January 11, 1995

 ... { stuff deleted } ...

- ------------------------------
More on the Good Times Virus Hoax
CIAC recently sent out a Notes 94-04 telling its clients that the "good
times" virus message circulating around the Internet was a bogus virus alert.
 Having malicious code (malware) buried in the body of an E-mail message that
would "infect" your computer is not a very likely possibility because
characters in an E-mail message are displayed, not executed. 

CIAC still affirms that reading E-mail, using typical mail agents, will not
activate malware delivered in or with the message.  However, the amount of
E-mail CIAC received in response to issue 4 was extraordinary.  To summarize
what we received: lots of thank you's for exposing "good times" and "xxx-1"
viruses as urban legends (hoaxes); no E-mail viruses have been captured (and
brought to us for examination); the FCC warning concerning "good times" was
retracted; the warning message and its denunciation are seen to behave like
viruses (memetic lifeforms) with a human serving as the replicating mechanism
(just like chain letters); many people believe "in theory" that malware can
be delivered and activated by some mail agents that have automated services.
The best example of such malware was mail delivered to a PC that has
embedded, seemingly invisible escape sequences which affect screen display or
program the keyboard to do some nastiness when some key is "accidentally"
pressed.  This case is described more fully below. 

CIAC did not claim that E-mail could not be a delivery agent for malware.  A
real threat comes from attached files which could contain viruses or Trojan
programs.  You should scan any executable attachment before executing it in
the same way that you scan all new software before using it.  It is possible
to create a file that remaps keys when displayed on a PC/MS-DOS machine with
the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines
with the text displayed on the screen in text mode.  It would not work in
Windows or in most text editors or mailers.  A key could be remapped to
produce any command sequence when pressed, for example DEL or FORMAT. 
However, the command is not issued until the remapped key is pressed and the
command issued by the remapped key would be visible on the screen.  You could
protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS
programs use the functionality of ANSI.SYS to control screen functions and
colors.  Windows programs are not affected by ANSI.SYS, though a DOS program
running in Windows would be. 

CIAC Plans To Have A Mosaic Home Page In January
We have been working with several people to coordinate the WWW server support
for Web home pages for LLNL, the Computer Security Technology Center (CSTC)
and CIAC.  When we are ready to go, there will be much easier access to
information on CIAC and our electronic publications.  In the meantime, you
might find the listing of security information servers (below) of interest. 

- ------------------------------







------- End of Forwarded Message
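
The ANSI.SYS key-remapping case described in CIAC Notes 94-05d above can be checked for before text is displayed. The following is an added example, not part of the original message or of CIAC's notes: it flags ANSI.SYS keyboard reassignment sequences (ESC [ code ; string p) in a message body and strips escape sequences. The function names and the sample text are constructed for illustration.

```python
import re

# ANSI.SYS key reassignment: ESC [ code ; string ; ... p
# Parameters are decimal codes or quoted strings separated by semicolons.
TOKEN = r'(?:\d+|"[^"]*"|\'[^\']*\')'
KEY_REMAP = re.compile(r'\x1b\[(' + TOKEN + r'(?:;' + TOKEN + r')*)p')
# Ordinary display sequences (cursor movement, colours): ESC [ digits ; ... letter
CSI = re.compile(r'\x1b\[[0-9;?]*[A-Za-z]')


def decode_remap(params):
    """Return (key, text the key would type) for one reassignment sequence."""
    tokens = re.findall(TOKEN, params)
    # Extended keys (function keys etc.) are written as 0;nn
    if tokens[0] == "0" and len(tokens) > 1 and tokens[1].isdigit():
        key, rest = "0;" + tokens[1], tokens[2:]
    else:
        key, rest = tokens[0], tokens[1:]
    typed = "".join(chr(int(t) & 0xFF) if t.isdigit() else t[1:-1] for t in rest)
    return key, typed


def scan_body(text):
    """List every key reassignment found in a message body."""
    return [decode_remap(m.group(1)) for m in KEY_REMAP.finditer(text)]


def sanitize(text):
    """Drop reassignments, other escape sequences, and stray ESC bytes."""
    text = KEY_REMAP.sub("", text)
    text = CSI.sub("", text)
    return text.replace("\x1b", "")


# Constructed sample: F1 (0;59) remapped to a harmless "dir" + Enter,
# followed by ordinary colour codes.
SAMPLE = 'Hello\x1b[0;59;"dir";13p there \x1b[1;31mred\x1b[0m.'

if __name__ == "__main__":
    for key, typed in scan_body(SAMPLE):
        print(f"key {key} remapped to {typed!r}")
    print(sanitize(SAMPLE))
```
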

