GOOD TIMES VIRUS HOAX FAQ FREQUENTLY ASKED QUESTIONS by Les Jones macfaq@aol.com lesjones@usit.net October 12, 1995 Edition This document can be freely reproduced in any medium, as long as it is distributed unmodified and in its entirety. FAQ Quick Jumps * Is the Good Times email virus a hoax? * What was the CIAC bulletin? * Who started the hoax? * Online References _________________________________________________________________ OCTOBER 12 UPDATE The Good Times virus hoax is popping up again. I've received reports that the Infinite Loop version of the hoax has hit the U.S. Census Bureau and U.S. Department of Agriculture. People seeking information have been posting to the virus and security newsgroups on Usenet. The Good Times hoax shows no signs of going away. This FAQ seems to be the best antidote to outbreaks. I've updated the FAQ with new dates and updated URLs. I plan to post it to Usenet on a quarterly basis to keep it in circulation. _________________________________________________________________ IS THE GOOD TIMES EMAIL VIRUS A HOAX? Yes. It was a hoax in December of 1994, and it's still a hoax. America Online, government computer security agencies, and makers of anti-virus software have declared Good Times a hoax. See Online References at the end of the FAQ. Since the hoax began in December of 1994, no copy of the alleged virus has ever been found, nor has there been a single verified case of a viral attack. _________________________________________________________________ WHY SHOULD I BELIEVE THE FAQ INSTEAD OF THE HOAX? Unlike the warnings that have been passed around, the FAQ is signed and dated. I've included my email address, and the email addresses of contributors, for verification. I've also provided online references at the end of the FAQ so that you can confirm this information for yourself. _________________________________________________________________ I'M NEW TO THE INTERNET. WHAT IS THE GOOD TIMES VIRUS HOAX? The story is that a virus called Good Times is being carried by email. Just reading a message with "Good Times" in the subject line will erase your hard drive, or even destroy your computer's processor. Needless to say, it's a hoax, but a lot of people believed it. The original message ended with instructions to "Forward this to all your friends," and many people did just that. Warnings about Good Times have been widely distributed on mailing lists, Usenet newsgroups, and message boards. The original hoax started in early December, 1994. It sprang up again in March of 1995. In mid-April, a new version of the hoax that mentioned a FCC report began circulating. Worried that Good Times would never go away, I decided to write the FAQ. These worries proved valid when the hoax began popping up again in October of 1995. _________________________________________________________________ WHAT IS THE EFFECT OF THE HOAX? For those who already know it's a hoax, it's a nuisance to read the repeated warnings. For people who don't know any better, it causes needless concern and lost productivity. The virus hoax infects mailing lists, bulletin boards, and Usenet newsgroups. Worried system administrators needlessly worry their employees by posting dire warnings. The hoax is not limited to the United States. It has appeared in several English-speaking and non-English-speaking countries. One reader sent me an English transcription of a radio broadcast in Malta. Adam J Kightley (adamjk@cogs.susx.ac.uk) said, "The cases of 'infection' I came across all tended to result from the message getting into the hands of senior non-computing personnel. Those with the ability and authority to spread it widely, without the knowledge to spot its nonsensical content." Some of the companies that have reportedly fallen for the hoax include AT&T, CitiBank, NBC, Hughes Aircraft, Texas Instruments, and dozens or hundreds of others. There have been outbreaks at numerous colleges. The U.S. government has not been immune. Some of the government agencies that have reportedly fallen victim to the hoax include the Department of Defense, the FCC, NASA, the USDA, U.S. Census Bureau,and various national labs. I've confirmed outbreaks at the Department of Health and Human Services, though they had the good sense to question the hoax, and ask for more information on Usenet, before passing the hoax along to others. The virus hoax has occasionally escaped into the popular media. ez018982@betty.ucdavis.edu reports that on April 4, 1995, during the Tom Sullivan show on KFBK 1530 AM radio in Sacramento, California, a police officer warned listeners not to read email labeled "Good Times", and to report the sender to the police. Other radio stations have spread the hoax, including Australia's ABC radio. There are scattered reports of the virus spreading via Faxnet, that low-tech network of secretaries and bored knowledge workers that traffics in cartoons and dumb blonde jokes. _________________________________________________________________ WHAT WAS THE CIAC BULLETIN? On December 6, 1994, the U.S. Department of Energy's CIAC (Computer Incident Advisory Capability) issued a bulletin declaring the Good Times virus a hoax and an urban legend. The bulletin was widely quoted as an antidote to the hoax. The original document can be found at the address in Online References at the end of the FAQ. Note that the document went through several minor revisions, with 94-04c of December 8 being the most recent. Like all quoted material in the FAQ, it includes the original spelling and punctuation. Because some of the lines in the CIAC report are rather long, they will appear broken. ----Begin quoted material---- THE "Good Times" VIRUS IS AN URBAN LEGEND In the early part of December, CIAC started to receive information requests about a supposed "virus" which could be contracted via America OnLine, simply by reading a message. --------------------------------------------------------------------------- | Here is some important information. Beware of a file called Goodtimes. | | | | Happy Chanukah everyone, and be careful out there. There is a virus on | | America Online being sent by E-Mail. If you get anything called "Good | | Times", DON'T read it or download it. It is a virus that will erase your| | hard drive. Forward this to all your friends. It may help them a lot. | --------------------------------------------------------------------------- THIS IS A HOAX. Upon investigation, CIAC has determined that this message originated from both a user of America Online and a student at a university at approximately the same time, and it was meant to be a hoax. CIAC has also seen other variations of this hoax, the main one is that any electronic mail message with the subject line of "xxx-1" will infect your computer. This rumor has been spreading very widely. This spread is due mainly to the fact that many people have seen a message with "Good Times" in the header. They delete the message without reading it, thus believing that they have saved themselves from being attacked. These first-hand reports give a false sense of credibility to the alert message. There has been one confirmation of a person who received a message with "xxx-1" in the header, but an empty message body. Then, (in a panic, because he had heard the alert), he checked his PC for viruses (the first time he checked his machine in months) and found a pre-existing virus on his machine. He incorrectly came to the conclusion that the E-mail message gave him the virus (this particular virus could NOT POSSIBLY have spread via an E-mail message). This person then spread his alert. As of this date, there are no known viruses which can infect merely through reading a mail message. For a virus to spread some program must be executed. Reading a mail message does not execute the mail message. Yes, Trojans have been found as executable attachments to mail messages, the most notorious being the IBM VM Christmas Card Trojan of 1987, also the TERM MODULE Worm (reference CIAC Bulletin B-7) and the GAME2 MODULE Worm (CIAC Bulletin B-12). But this is not the case for this particular "virus" alert. If you encounter this message being distributed on any mailing lists, simply ignore it or send a follow-up message stating that this is a false rumor. Karyn Pichnarczyk CIAC Team ciac@llnl.gov ----End quoted material---- Note: Karyn is now with Cisco. Her new email address is karyn@cisco.com. The CIAC report was wrong when it stated that the hoax was started by "a user of America Online and a student at a university." See "Who started the hoax." _________________________________________________________________ WHAT'S THE FIRST VERSION OF THE WARNING (FYI)? I have an early version of the hoax that dates back to November 15, 1994, when it was posted to the TECH-LAW mailing list. This is currently the earliest known example of Good Times. See also "When did the hoax start?" ----Begin quoted material---- FYI, a file, going under the name "Good Times" is being sent to some Internet users who subscribe to on-line services (Compuserve, Prodigy and America On Line). If you should receive this file, do not download it! Delete it immediately. I understand that there is a virus included in that file, which if downloaded to your personal computer, will ruin all of your files. ----End quoted material---- One person remembers seeing Good Times as far back as April or May of 1994, but there is no supporting evidence for that claim. For now, the FYI message qualifies as the earliest prototype of Good Times. _________________________________________________________________ WHAT DID THE FIRST MAJOR WARNING (HAPPY CHANUKAH) SAY? This is the canonical original message as I received it on December 2, 1994, and as it was quoted in the CIAC report, though it's not the earliest message. This message was largely responsible for sparking the December Good Times panic. ----Begin quoted material---- Here is some important information. Beware of a file called Goodtimes. Happy Chanukah everyone, and be careful out there.There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times", DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot. ----End quoted material--- _________________________________________________________________ WHAT'S THE OTHER MAJOR WARNING (ASCII)? The "happy Chanukah" greeting in the original message dates it, so more recent hoax eruptions have used a different message. The one below can be identified because it claims that simply loading Good Times into the computer's ASCII buffer can activate the virus, so I call it ASCII. Karyn Pichnarczyk ( karyn@cisco.com) remembers the ASCII message from the original hoax in December of 1994, though I never saw it. Mikko Hypponen ( Mikko.Hypponen@datafellows.fi) sent me a copy of this warning that dates back to December 2, 1994. The Infinite Loop variety of ASCII is now the basis for the most common warnings. ----Begin quoted material---- Thought you might like to know... Apparently , a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality. What makes this virus so terrifying is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the InterNet. Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It always travels to new computers the same way - in a text e-mail message with the subject line reading simply "Good Times". Avoiding infection is easy once the file has been received - not reading it. The act of loading the file into the mail server's ASCII buffer causes the "Good Times" mainline program to initialize and execute. The program is highly intelligent - it will send copies of itself to everyone whose e-mail address is contained in a received-mail file or a sent-mail file, if it can find one. It will then proceed to trash the computer it is running on. The bottom line here is - if you receive a file with the subject line "Good TImes", delete it immediately! Do not read it! Rest assured that whoever's name was on the "From:" line was surely struck by the virus. Warn your friends and local system users of this newest threat to the InterNet! It could save them a lot of time and money. ----End quoted material--- _________________________________________________________________ WHAT'S THE POPULAR VARIATION ON ASCII (FCC OR INFINITE LOOP)? You rarely see the pure ASCII version any more. One common variation mentions an FCC memo, and claims that Good Times can destroy a computer's processor by placing the processor in a "nth-complexity infinite binary loop," which is a fancy-sounding bit of science fiction. This is by far the most common version nowadays, and consists of ASCII with the following additional material: ----Begin quoted material---- The FCC released a warning last Wednesday concerning a matter of major importance to any regular user of the InterNet. Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality. What makes this virus so terrifying, said the FCC, is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the InterNet. Once a computer is infected, one of several things can happen. If the computer contains a hard drive, that will most likely be destroyed. If the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop - which can severely damage the processor if left running that way too long. Unfortunately, most novice computer users will not realize what is happening until it is far too late. ----End quoted material--- _________________________________________________________________ EXACTLY WHEN DID THE HOAX START? I thought I knew, but new evidence has come to light. In the original FAQ, I wrote the following paragraphs : ---- December 2, 1994 is often quoted as the beginning of the hoax, but some of the AOL forward message headers in the copy I received put the date at December 1. One non-AOL header is dated November 29, though that date could easily have been forged. Also, notice the text of the original message as it was sent to me, and quoted in the CIAC report: Here is some important information. Beware of a file called Goodtimes. Happy Chanukah everyone, and be careful out there.There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times", DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot. The first paragraph suggests that someone was forwarding the information in the second paragraph. A seasonal greeting like "Happy Chanukah" is almost never placed in the second paragraph of a letter, suggesting even more strongly that this message was repeating information from someone else. ---- After reading the FAQ, several people reported earlier instances of the hoax. On November 15, 1994, Rich Lavoie ( lavoie@cwt.com) posted it to the TECH-LAW mailing list. Rodney Knight ( r.j.knight@rl.ac.uk) saw that message on a newsgroup, and forwarded the warning to the POSTCARD mailing list. November 15 is currently the earliest confirmed sighting. Anthony Altieri ( magneto@epix.net) recollected the hoax as far back as April or May of 1994, but that recollection is so far unsubstantiated by any evidence. _________________________________________________________________ WHO STARTED THE HOAX? We don't know who started the hoax. You'll meet people who think they know who started it, or where it started. They are mis-informed. Show them the FAQ. I've seen some people claim that the hoaxsters were arrested and convicted. This is incorrect. The CIAC report stated that the hoax was started by "a user of America Online and a student at a university." I asked Karyn Pichnarczyk about that. During the December outbreak of Happy Chanukah, several people tried to trace the hoax by following messages headers. When America Online traced headers, they stopped at an AOL account. When Nathan Gilliatt (gilliatt@ac.duke.edu) traced headers in different messages, the messages seemed to stop at Swarthmore College. Karyn said she didn't know who to believe, so she said that the virus was started by "a user of America Online and a student at a university." We now know that Happy Chanukah" wasn't the original message, so tracing headers was a futile attempt to trace the origin of the hoax. Asking who started the hoax assumes that someone consciously started the hoax. It's possible that Good Times is a highly distorted report of some real or semi-real event. After being told and retold, the story became the Good Times hoax as we know it. The Telephone Game gone mad. The problem with this theory is that really can'y be proven. AOL postmaster David O'Donnell ( PMDAtropos@aol.com) has another theory about the origins of the hoax. David says that there was once a Good Times chain letter going around. To stop the chain letter, David's theory goes, someone claimed that the chain letter contained a virus, and warned people to delete any email with "Good Times" in the subject line. Once again, however, there is no evidence to support this theory. _________________________________________________________________ IS AN EMAIL VIRUS POSSIBLE? The short answer is no, not the way Good Times was described. The long answer is that this is a difficult question that's open to nit-picking. Keep three things in mind when considering the question: 1. A virus is operating system-specific. DOS viruses don't affect Macintoshes, and vice versa. That greatly limits the destructive power of viruses. (And notice that none of the Good Times warnings mention which types of computers are affected. That omission set off many people's hoax detectors.) 2. A virus, by definition, can't exist by itself. It must infect an executable program. To transmit a virus by email, someone would have to infect a file and attach the file to the email message. To activate the virus, you would have to download and decode the file attachment, then run the infected program. In that situation, the email message is just a carrier for an infected file, just like a floppy disk carrying an infected file. 3. Some of the situations that people have dreamed up involve Trojan horses rather than viruses. A virus can only exist inside another program, which then automatically infects other programs. A Trojan horse is a program that pretends to do something useful, but instead does something nefarious. Trojans aren't infectious, so they're much less common and much less destructive than viruses. There are some email programs that can be set to automatically download a file attachment, decode it, and execute the file attachment. If you use such a program, you would be well advised to disable the option to automatically execute file attachments. You should, of course, be wary of any file attachments a stranger sends you. At the least, you should check such file attachments for viruses before running them. _________________________________________________________________ HOW CAN I PROTECT MYSELF FROM VIRUSES IN GENERAL? Use a virus checker regularly. Freeware, shareware, and commercial anti-virus programs are widely available. Which program you use isn't as important as how you use it. Most people get into trouble because they never bother to check their computer for viruses. Most viruses spread through floppy disks, so isolating yourself from online services and the Internet will not protect you from viruses. In fact, you're probably safer if you're online, simply because you'll have access to anti-viral software and information. _________________________________________________________________ WHAT CAN I FIND ANTI-VIRAL INFORMATION ON THE INTERNET? Usenet newsgroups comp.virus-- the Usenet gateway for VIRUS-L (below) Mailing lists VIRUS-L is a moderated list for discussions of viruses and anti-viral products. Send email to listserv@lehigh.edu. In the body of the message, include the line "sub virus-l your-name" (without the quotes). FTP sites cert.org in pub/virus-l/docs/ Contains information about viruses and anti-virus products, with pointers to other FTP sites. World Wide Web http://www.singnet.com.sg/staff/lorna/Virus (Note: the V must be capitalized!) _________________________________________________________________ Was the hoax a sort of virus itself? Yes, but it wasn't a computer virus. It was more like a social virus or a thought virus. When someone on alt.folklore.urban asked if the virus was for real, Clay Shirky (clays@panix.com) answered: "Its for real. Its an opportunistic self-replicating email virus which tricks its host into replicating it, sometimes adding as many as 200,000 copies at a go. It works by finding hosts with defective parsing apparatus which prevents them from understanding that a piece of email which says there is an email virus and then asking them to remail the message to all their friends is the virus itself." Shirky eloquently described what a lot of people were thinking. So what is a virus? To a biologist, a virus is a snippet of genetic material that must infect a host organism to survive and reproduce. To be contagious, a virus usually carries instructions that cause the host to engage in certain pathological activities (such as sneezing and coughing) that spread the infection to other organisms. To a computer programmer, a virus is a snippet of computer code that must infect a host program to spread. To be contagious, a computer virus usually causes the host program to engage in certain pathological activities that spread the infection to other programs From this perspective, it's easy to see the Good Times hoax as a sort of thought virus. To be contagious, a thought virus causes the host to engage in certain pathological activities that spread the infection. In the case of Good Times, the original strain (happy Chanukah) explicitly told people to "forward this to all your friends." The other major viral strain (infinite loop) encourages people to "Please be careful and forward this mail to anyone you care about," and "Warn your friends and local system users of this newest threat to the InterNet!" Likewise, the stories of an FCC modem tax encourage people to tell their friends and post the warning on other BBSes. David Rhodes' Make Money Fast scam instructs people to re-post the message to as many as ten bulletin boards. In _The Selfish Gene_ (1976, University of Oxford Press), Oxford evolutionary biologist Richard Dawkins extends the principles in his book from biology to human culture. To make the transition, Dawkins proposes a cultural replicator analogous to genes. He calls these replicators memes. "Examples of memes are tunes, ideas, catch-phrases, clothes fashions, ways of making pots or of building arches. Just as genes propagate themselves in the gene pool by leaping from body to body via sperm or eggs, so memes propagate themselves in the meme pool by leaping from brain to brain via a process which, in the broad sense, can be called imitation. ... As my colleague N. K. Humphrey neatly summed up an earlier draft of this chapter: "...memes should be regarded as living structures, not just metaphorically, but technically. When you plant a fertile meme in my mind you literally parasitize my brain, turning it into a vehicle for the meme's propagation in just the way that a virus may parasitize the genetic mechanism of a host cell."" Amazingly, when I read alt.folklore.computers looking for research material, two people had already mentioned Dawkins' memes. One of them referred to an article in the April 8, 1995 _New Scientist_ about something called the Meme Research Group. (The article erroneously stated that the group is at the University of California, San Francisco. In fact, they are at Simon Fraser University in British Columbia.) The Meme Research Group is collecting chain letters to analyze them. The more copies they get, the more information they have to analyze. Send those unwanted chain letters to meme@scottlabsgi.chem.sfu.ca. I am not a memeticist, and a real memeticist might take umbrage at my explanation of the concept. To learn more, visit the alt.memetics newsgroup on Usenet, and especially the alt.memetics home page on the World Wide Web ( http://www.xs4all.nl/~hingh/alt.memetics/). Though we've talked about memes in terms of viruses (a common analogy), the concept of a meme is neither good nor bad. The idea of "Do unto others as you would have them do unto you" is as much a meme as the Good Times hoax. _________________________________________________________________ WHAT'S THE BEST WAY TO CONTROL A THOUGHT VIRUS? Create a counter virus like this one as an antidote. To make the counter virus contagious, include instructions such as, "The Good Times email virus is a hoax. If anyone repeats the hoax, please show them the FAQ." _________________________________________________________________ What are some other hoaxes and urban legends on the Internet? The FCC Modem Tax Every so often someone posts a dire warning that the FCC is considering a tax on modems and online services. The warning encourages you to tell your friends so they can take political action. It's a hoax. It's been going on for the five years I've been online, and probably much longer. If you'll notice, the warnings don't include a date or a bill number. Make Money Fast If you haven't seen a Make Money Fast message, call your local anthropology department. They might be interested in studying you. Devised by David Rhodes in 1987 or 1988, Make Money Fast (sometimes distributed on BBSes as a file called fastcash.txt) is an electronic version of a chain letter pyramid scheme. You're supposed to send money to the ten people on the list, then add your name to the list and repost the chain letter, committing federal wire fraud in the process. Posting a Make Money Fast message is one sure way to lose your Internet account. (Information from the Make Money Fast FAQ by ewl@panix.com.) Craig Shergold needs your get well cards Craig Shergold is a UK resident who was dying of cancer. He wanted to get in the Guinness Book of World Records for having received the most get well cards. When people heard of the poor boy's wish, they began sending him postcards. And they kept sending him postcards, and never stopped. Shergold is now in full remission. He was listed in the Guinness Book of World Records in 1991. He really does not want your postcards any more, and neither does his hometown post office. These are just the urban legends that you're likely to encounter on the Internet. There are many more in real life that you probably believe. I won't give them away, but here are some clues: peanut butter, Neiman Marcus/Mrs. Fields, Rod Stewart, and the Newlywed Game. For more information, read the alt.folklore.urban FAQ, listed in Online References at the end of the FAQ. _________________________________________________________________ Online References CIAC Notes 94-04 and 94-05d FTP to ciac.llnl.gov and look in the pub/ciac/notes directory. The URL is ftp://ciac.llnl.gov/pub/ciac/notes/ The URL for the CIAC home page on the World Wide Web is: http://ciac.llnl.gov/ciac/ The announcement from PCERT is not available at an archive server. The AUSCERT announcement including it is available from their WWW and ftp sites at {www,ftp}.auscert.org.au alt.folklore.urban FAQ Available via FTP from cathouse.org in the /pub/cathouse/urban.legends/AFU.faq directory. Also available on the World Wide Web at http://cathouse.org/UrbanLegends/AFUFAQ/ The Good Times Virus Hoax Mini FAQ A greatly simplified version of this FAQ. At two pages, it's short enough for message boards, faxes, mailing lists, and people with short attention spans. FTP to usit.net and look in the pub/lesjones directory. The URL is ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ. The Good Times Virus Hoax FAQ (this document) Via FTP: FTP to usit.net and look in the pub/lesjones directory. The URL is: ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt On the World Wide Web: http://www.tcp.co.uk/tcp/good-times/index.html -- excellent hypertext http://www.singnet.com.sg/staff/lorna/Virus -- lots of virus info (Note: the V must be capitalized.) http://www.nsm.smcm.edu/News/GTHoax.html -- This copy On America Online: in the file libraries at keyword "virus" by email: send email to archive@xconn.com with REQUEST GT_VIRUS.TXT in the subject line. The FAQ should arrive by email within an hour or two -- | macfaq@aol.com | AOL, Good Times and ZTerm FAQs | Les Jones | lesjones@usit.net | ftp://usit.net/pub/lesjones/ | FAQ Quick Jumps * Is the Good Times email virus a hoax? * What was the CIAC bulletin? * Who started the hoax? * Online References This document converted to HTML format by Stan Toney stoney@oyster.smcm.edu Last updated Aug 23, 1995 - Updated lists of WWW info