Additional information on VIRUS SITUATIONS, can be found on the
Nortin Anti-Virus Research Center Web Site for Virus Alerts.

Subject: Virus warning
  Date: Wed, 4 Dec 96 10:36:00 UT
  From: "Andrew Mann" 
    To: "Freemasonry List" 

My son downloaded a cut-down demo of a program that builds
Simpsons cartoons. It has a virus! If you or your offspring see it -

The virus trashes the CMOS - not just the date/time stuff, but IRQ's, 
ports, etc. - really bad news. It brings down hard disk adapters, modems, 
COM ports, networks, the lot.

I had to reload nearly everything back onto a large dual-boot 
Windows NT/Windows 95 system plus another Win95 system and I had to 
reconfigure all my so-called "plug and play" devices. Even now IRQ 2/9
is still disabled and I can't fix it.

This is a new virus and was not detected by my 4 months old virus scanner.
It was detected by my hardware supplier who checked out my system and 
I have forgotten the name - something like "CMOS Killer" I think.

Andrew Mann 18deg
IPM, Herakles Lodge 415, DH
WM, Loge la Perouse, GODF
Sydney, NSW, Australia


*** Forwarding note from SYSADMIN--FFXVM1   11/18/96 18:02 ***  
To: OfficeVision Users                                                         

FROM: OfficeVision Administration and Programming Staff                        
      Department of Information Technology                                     
Subject: Virus Advisory                                                        

The following information is broadcasted on behalf of DIT                      
Security branch:                                                               

Although the following note was sent by Purdue University, the                 
information on microcomputer viruses, both rumored and real, is valid          
for the County as well.                                                        


Recently, three warnings of computer viruses have been (re)appearing           
on various newsgroups and mailing lists.  These have therefore been            
circulating at Purdue University.  This advisory is intended to                
address these warnings -- please circulate this widely.                        

Consider saving this advisory for future reference: While the the              
threat of existing and future computer viruses remains real, this is           
the third year that the "Good Times" topic has circulated through this         
campus.  Given the nature of how information spreads through the               
Internet and as Internet growth continues to expose new people to old          
topics, the "Good Times" issue is almost certain to appear again.              

Specific Remarks                                                               

* The warnings about the "Good Times" virus are a hoax.  There is no           
virus by that name circulating, although the warnings themselves can           
be considered a form of "virus" that multiplies and                            
spreads. Furthermore, it is not possible for a virus to be constructed         
to behave in the manner ascribed to the "Good Times" virus. We first           
circulated an advisory on this hoax in April of 1995.  A shortened             
version of that advisory is appended to this advisory.  There is also          
a comprehensive FAQ at .             

Note that the anti-virus community has committed to never naming any           
future virus "Good Times," no matter what it might do or print!                

* The "Irina" virus warnings are also a hoax -- the result of some             
poorly thought-out publicity by a publisher.  The former head of               
electronic publishing at Penguin Books circulated a bogus warning about        
the "Irina" virus to create some publicity for their new interactive           
book by the same name.  The original warning claimed to be from a              
Professor Edward Pridedaux of the College of Slavic Studies in                 
London; there is no such person, and no such college.  (Source:                
"Network Security", October 1996, Elsevier Publishing.)                        

Penguin Books followed their bogus alert with a posting clarifying             
that the announcement was fiction.  However, they appear to have               
misunderstood how things work on the net.  People have passed on the           
"warning," often edited for brevity, but they have failed to pass on           
the follow-up.  Thus, we have a bogus alert that will be circulating           
on the network for some time.                                                  

* The pkzip300 trojan is real.  The following is quoted from the CIAC          
Notes issue of 95-10, issued June 16, 1995:                                    

    A Trojaned version of the popular, DOS file compression utility PKZIP      
    is circulating on the networks and on dial-up BBS systems. The             
    Trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the          
    following warning from PKWARE:                                             
    - -------------------------------------------------------------------------
      Some joker out there is distributing a file called PKZ300B.EXE and       
      PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your   
      harddrive if you use it.  The most recent version is 2.04G.  Please      
      tell all your friends and favorite BBS stops about this hack.            

      Thank You.                                                               

      Patrick Weeks Product Support PKWARE, Inc.                               
    - -------------------------------------------------------------------------
    PKZ300B.EXE appears to be a self extracting archive, but actually          
    attempts to format your hard drive. PKZ300B.ZIP is an archive, but the     
    extracted executable also attempts to format your hard drive. While        
    PKWARE indicated the Trojan is real, we have not talked to anyone who      
    has actually touched it. We have no reports of it being seen anywhere      
    in the DOE.                                                                

If you visit  you will find that the most               
recent release of PKZIP is version 2.50, and not 3.x.                          

Also, if you are using PKZIP, remember that this is a licensed                 
shareware product, and Purdue University regulations and policy                
require software to be properly paid for and registered.  Thus, be             
sure to pay your shareware fees!                                               

Please note that there have been an extremely limited number of                
sightings of this pk300 trojan -- perhaps as few as 2 or 3.  Those are         
also over a year old.  Thus, although the pk300 warning is real, we            
strongly suggest that you do *not* circulate or repeat warnings about          
it -- the warnings occupy more bandwidth and concern than the trojan           
ever did!                                                                      

Concluding Remarks                                                             

We continue to advise that you DO NOT circulate virus warnings without         
checking with an authoritative source.  Incorrect or incomplete                
warnings can cause damage and confusion in the user community.                 

If you receive news about a new virus or problem, please contact the           
PCERT or other FIRST response team for definitive information and              

If you believe that your system (at Purdue University ONLY!) has a             
security problem of some sort, you can contact the PCERT at                    
 for assistance.                                          
- From the archives:                                                           

                            PCERT Advisory                                     
   (Purdue Computer Emergency Response Team, )            
              "Good Times" Virus Hoax Circulating Again                        
                            April 24, 1995                                     

- -------                                                                      
The "Good Times" virus warnings are a hoax.  People are circulating the        
warnings without verifying the information contained therein, thus             
leading to unnecessary worry and concern.  Please do not circulate the         
"Good Times" warnings further.  Please send this advisory on to anyone         
who has mailed you such an advisory.                                           

In this advisory:                                                              
     More Recently                                                             
     What you can do                                                           
     Additional Discussion                                                     
     More Information                                                          
     Contact information for FIRST                                             

- ----------                                                                   
In early December 1994, a mail message was circulated in several mailing       
lists and bulletin boards warning of a "Good Times" virus.  This "virus"       
was allegedly being circulated in e-mail on bulletin boards and several        
commercial services.  The report stated that simply reading the message        
in a mail reader would cause it to activate, causing various forms of          
damage.  Some versions of the message cite the FCC and/or America              
On-Line as authoritative sources of warnings about "Good Times." A             
related "virus" is sometimes also reported, alleged to have the string         
"xxx-1" (or similar) in the subject.                                           

Several of the FIRST teams, including the Department of Energy's CIAC          
and Purdue's PCERT, responded by posting advisories stating that this          
report appeared to be a hoax.  Actually, the hoax posting was allegedly        
traced to a student at a college in the northeast U.S. who had made the        
whole thing up as a prank that got somewhat out of hand.  In the time          
since that first posting, none of the response teams has reported any          
credible sighting of such a virus. (It is possible, in some very               
specialized, very rare circumstances, that e-mail might contain a              
destructive sequence or characters, but this is highly unlikely, and NOT       
the case in this instance.  Some further details are given in the              
"additional discussion" below. We repeat, this is NOT the case in              
regards to "Good Times.")                                                      

More Recently                                                                  
- -------------                                                                
In the past few weeks, we have received e-mail and phone calls from a          
number of people who have seen new instances of "warnings" about the           
"virus."  It seems that many people did not see the original series of         
postings, or forgot the earlier advisories.  It is also an unfortunate         
reality that many people will forward on warnings, even if of                  
questionable technical merit, without making an attempt to verify them         
with an authoritative source.  This leads to worry and further copies          
as the warnings spread.                                                        

Please DO NOT repost warnings or reports of the "Good Times" virus!  It        
is important that we try to stop the spread of the false and potentially       
damaging warning about "Good Times."  It is in the same class of rumors        
and out-dated information as other urban legends such as the "Craig            
Shergold" (requests to send postcards/business cards to a dying boy)           
rumor. These stories continue to keep appearing and disturbing people as       
time goes on.                                                                  

What you can do                                                                
- ---------------                                                              
  * If you have received a warning about "Good Times" then send this           
advisory to everyone you know who received that warning.  To ensure            
that it is read, DO NOT put the phrase "Good Times" in the subject             
line.  We suspect that some people never saw the original advisories           
because they set their mailers to automatically delete mail with those         
words in the subject line.                                                     

  * Save this advisory.  If you receive a warning about "Good Times"           
anytime in the future, simply send a copy of this advisory back to             
whomever it is who sends you the warning.                                      

  * If you ever get a warning like this, or similarly get a warning or         
notice of some widespread problem with computers, VERIFY it with               
credible sources before passing it on.  Rumors, especially when spread         
by well-meaning individuals, can cause significant panic and damage.           
FIRST response teams (FIRST == Forum of Incident Response and Security         
Teams) will be more than willing to respond with definitive information        
to a query on these topics; it is one of their missions.  We are               
enclosing a copy of the list in this advisory, current as of April 24,         

  * We also note the possibility that someone is using this as a               
precursor to a real attack.  That is, someone is repeatedly circulating        
the "Good Times" rumor to condition people to believing there is no            
danger, and will then circulate some damaging code under that name.  To        
that end, if you ever get any mail labelled "Good Times" that is in some       
way executable (i.e., is a program or command file), DO NOT run it!            
Instead, contact your appropriate FIRST team for assistance and                
analysis.  Again, we stress that we view this possibility as very, very        

Additional Discussion                                                          
- ---------------------                                                        
Informally, a computer virus is code that, when executed, causes some          
action to occur, including some form of reproduction of the virus.  In         
a similar manner, a "Trojan Horse" program is code that when executed          
has some unexpected (and usually unwanted effect).  What is important          
to note here is that the virus and trojan horse code must be                   
*executed* in some way to have an effect.  That is, it must be run as a        
program, or passed as instructions to some interpreter program.                

When e-mail arrives at a system and is read by the user, it is seldom          
"executed" by anything that could damage the system, let alone                 
reproduce the code itself.  There are only two general exceptions to           
this for systems in wide-spread use, to our knowledge:                         

1) On a MS-DOS PC-based system with an ANSI.SYS driver, it is possible         
that a carefully-crafted control code sequence could execute some              
unwanted actions.  This would only work if the mail was displayed in           
text mode (not in a window or specialized application).  However, there        
are three good reasons to believe that this would never act to spread a        
  * First, the necessary control characters would be unlikely to pass          
    through various mail gateways and forwarders without modification.         
    Any change would render the sequence inoperable.                           
  * To spread effectively, the code would need to be written such that         
    it would use pathnames and code present on almost every machine            
    where received, including ANSI.SYS  MS-DOS machines are seldom so          
  * Any such change would only map one or more keys to a damaging              
    command; the user would have to press a certain key (or sequence)          
    to actually trigger the damage.  This involves more than simply            
    reading a mail message!                                                    

2) On systems using MIME-capable mailers (or similar), it is possible          
that a message could be crafted that would trigger an external agent on        
the receiving machine to do harm.  For example, it might be possible           
to embed commands in a PostScript file that would cause a PostScript           
interpreter to modify files.  For this to succeed, it requires that            
users automatically execute those applications upon receipt of                 
appropriate mail, and that those applications have enabled operations          
that might unduly affect the system.  Again, this does not seem to be a        
viable way to spread a virus.                                                  

Note that we are not claiming that a harmful agent cannot be distributed       
in mail.  To the contrary, the "Good Times" message *is* damaging -- as a      
rumor!  It is also possible to circulate code that, if executed by an          
unwary user, could cause damage.  However, the possibility is effectively      
nil of a virus being constructed that will circulate via e-mail, affect        
any of several dozens of operating systems when run through any of             
scores of different mail agents, and launch by being listed to the             

More Information                                                               
- ----------------                                                             
Further discussion of this rumor may be found in the following CIAC            
Notes, available via WWW:                                                                                                                               
or via ftp:                                                                                                                                          
Voice: (317) 494-5845                
FAX:   (317) 496-1814                                    
* Michael S. Hines   
* Sr. Information Systems Auditor         
* Purdue University   
* 1065 Freehafer Hall        
* West Lafayette, IN 47907-1065      

OfficeVision Administration and Programmming Staff