Dear user,
We enclose here a message generated by Purdue University after a lot of
questions from their users. Since it is relevant to us also, we include it
below.
__Yehavi:
PCERT Advisory
(Purdue Computer Emergency Response Team, pcert@cs.purdue.edu)
7 November 1996
Good Times, Irina, PKZip 3.00 Warnings
=====================================
Introduction
Recently, three warnings of computer viruses have been (re)appearing
on various newsgroups and mailing lists. These have therefore been
circulating at Purdue University. This advisory is intended to
address these warnings -- please circulate this widely.
Consider saving this advisory for future reference: While the
threat of existing and future computer viruses remains real, this is
the third year that the "Good Times" topic has circulated through this
campus. Given the nature of how information spreads through the
Internet and as Internet growth continues to expose new people to old
topics, the "Good Times" issue is almost certain to appear again.
=====================================
Specific Remarks
* The warnings about the "Good Times" virus are a hoax. There is no
virus by that name circulating, although the warnings themselves can
be considered a form of "virus" that multiplies and
spreads. Furthermore, it is not possible for a virus to be constructed
to behave in the manner ascribed to the "Good Times" virus. We first
circulated an advisory on this hoax in April of 1995. A shortened
version of that advisory is appended to this advisory. There is also
a comprehensive FAQ at http://www.nsm.smcm.edu/News/GTHoax.shtml.
Note that the anti-virus community has committed to never naming any
future virus "Good Times," no matter what it might do or print!
* The "Irina" virus warnings are also a hoax -- the result of some
poorly thought-out publicity by a publisher. The former head of
electronic publishing at Penguin Books circulated a bogus warning about
the "Irina" virus to create some publicity for their new interactive
book by the same name. The original warning claimed to be from a
Professor Edward Pridedaux of the College of Slavic Studies in
London; there is no such person, and no such college. (Source:
"Network Security", October 1996, Elsevier Publishing.)
Penguin Books followed their bogus alert with a posting clarifying
that the announcement was fiction. However, they appear to have
misunderstood how things work on the net. People have passed on the
"warning," often edited for brevity, but they have failed to pass on
the follow-up. Thus, we have a bogus alert that will be circulating
on the network for some time.
* The pkzip300 trojan is real. The following is quoted from the CIAC
Notes issue of 95-10, issued June 16, 1995:
A Trojaned version of the popular, DOS file compression utility PKZIP
is circulating on the networks and on dial-up BBS systems. The
Trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the
following warning from PKWARE:
-------------------------------------------------------------------------
Some joker out there is distributing a file called PKZ300B.EXE and
PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your
hard drive if you use it. The most recent version is 2.04G. Please
tell all your friends and favorite BBS stops about this hack.
Thank You.
Patrick Weeks
Product Support
PKWARE, Inc.
-------------------------------------------------------------------------
PKZ300B.EXE appears to be a self extracting archive, but actually
attempts to format your hard drive. PKZ300B.ZIP is an archive, but the
extracted executable also attempts to format your hard drive. While
PKWARE indicated the Trojan is real, we have not talked to anyone who
has actually touched it. We have no reports of it being seen anywhere
in the DOE.
If you visit http://www.pkware.com you will find that the most
recent release of PKZIP is version 2.50, and not 3.x.
Also, if you are using PKZIP, remember that this is a licensed
shareware product, and Purdue University regulations and policy
require software to be properly paid for and registered. Thus, be
sure to pay your shareware fees!
Please note that there have been an extremely limited number of
sightings of this pk300 trojan -- perhaps as few as 2 or 3. Those are
also over a year old. Thus, although the pk300 warning is real, we
strongly suggest that you do *not* circulate or repeat warnings about
it -- the warnings occupy more bandwidth and concern than the trojan
ever did!
=====================================
Concluding Remarks
We continue to advise that you DO NOT circulate virus warnings without
checking with an authoritative source. Incorrect or incomplete
warnings can cause damage and confusion in the user community.
If you receive news about a new virus or problem, please contact the
PCERT or other FIRST response team for definitive information and
assistance.
If you believe that your system (at Purdue University ONLY!) has a
security problem of some sort, you can contact the PCERT at
pcert@cs.purdue.edu for assistance.
======================================
From the archives:
PCERT Advisory
(Purdue Computer Emergency Response Team, pcert@cs.purdue.edu)
"Good Times" Virus Hoax Circulating Again
April 24, 1995
Summary
-------
The "Good Times" virus warnings are a hoax. People are circulating the
warnings without verifying the information contained therein, thus
leading to unnecessary worry and concern. Please do not circulate the
"Good Times" warnings further. Please send this advisory on to anyone
who has mailed you such an advisory.
In this advisory:
Summary
Background
More Recently
What you can do
Additional Discussion
More Information
Contact information for FIRST
Background
----------
In early December 1994, a mail message was circulated in several mailing
lists and bulletin boards warning of a "Good Times" virus. This "virus"
was allegedly being circulated in e-mail on bulletin boards and several
commercial services. The report stated that simply reading the message
in a mail reader would cause it to activate, causing various forms of
damage. Some versions of the message cite the FCC and/or America
On-Line as authoritative sources of warnings about "Good Times." A
related "virus" is sometimes also reported, alleged to have the string
"xxx-1" (or similar) in the subject.
Several of the FIRST teams, including the Department of Energy's CIAC
and Purdue's PCERT, responded by posting advisories stating that this
report appeared to be a hoax. Actually, the hoax posting was allegedly
traced to a student at a college in the northeast U.S. who had made the
whole thing up as a prank that got somewhat out of hand. In the time
since that first posting, none of the response teams has reported any
credible sighting of such a virus. (It is possible, in some very
specialized, very rare circumstances, that e-mail might contain a
destructive sequence of characters, but this is highly unlikely, and NOT
the case in this instance. Some further details are given in the
"additional discussion" below. We repeat, this is NOT the case in
regards to "Good Times.")
More Recently
-------------
In the past few weeks, we have received e-mail and phone calls from a
number of people who have seen new instances of "warnings" about the
"virus." It seems that many people did not see the original series of
postings, or forgot the earlier advisories. It is also an unfortunate
reality that many people will forward on warnings, even if of
questionable technical merit, without making an attempt to verify them
with an authoritative source. This leads to worry and further copies
as the warnings spread.
Please DO NOT repost warnings or reports of the "Good Times" virus! It
is important that we try to stop the spread of the false and potentially
damaging warning about "Good Times." It is in the same class of rumors
and out-dated information as other urban legends such as the "Craig
Shergold" (requests to send postcards/business cards to a dying boy)
rumor. These stories continue to keep appearing and disturbing people as
time goes on.
What you can do
---------------
* If you have received a warning about "Good Times" then send this
advisory to everyone you know who received that warning. To ensure
that it is read, DO NOT put the phrase "Good Times" in the subject
line. We suspect that some people never saw the original advisories
because they set their mailers to automatically delete mail with those
words in the subject line.
* Save this advisory. If you receive a warning about "Good Times"
anytime in the future, simply send a copy of this advisory back to
whomever it is who sends you the warning.
* If you ever get a warning like this, or similarly get a warning or
notice of some widespread problem with computers, VERIFY it with
credible sources before passing it on. Rumors, especially when spread
by well-meaning individuals, can cause significant panic and damage.
FIRST response teams (FIRST == Forum of Incident Response and Security
Teams) will be more than willing to respond with definitive information
to a query on these topics; it is one of their missions. We are
enclosing a copy of the list in this advisory, current as of April 24,
1995.
* We also note the possibility that someone is using this as a
precursor to a real attack. That is, someone is repeatedly circulating
the "Good Times" rumor to condition people to believing there is no
danger, and will then circulate some damaging code under that name. To
that end, if you ever get any mail labelled "Good Times" that is in some
way executable (i.e., is a program or command file), DO NOT run it!
Instead, contact your appropriate FIRST team for assistance and
analysis. Again, we stress that we view this possibility as very, very
unlikely.
Additional Discussion
---------------------
Informally, a computer virus is code that, when executed, causes some
action to occur, including some form of reproduction of the virus. In
a similar manner, a "Trojan Horse" program is code that when executed
has some unexpected (and usually unwanted) effect. What is important
to note here is that the virus and trojan horse code must be
*executed* in some way to have an effect. That is, it must be run as a
program, or passed as instructions to some interpreter program.
When e-mail arrives at a system and is read by the user, it is seldom
"executed" by anything that could damage the system, let alone
reproduce the code itself. There are only two general exceptions to
this for systems in wide-spread use, to our knowledge:
1) On a MS-DOS PC-based system with an ANSI.SYS driver, it is possible
that a carefully-crafted control code sequence could execute some
unwanted actions. This would only work if the mail was displayed in
text mode (not in a window or specialized application). However, there
are three good reasons to believe that this would never act to spread a
virus:
* First, the necessary control characters would be unlikely to pass
through various mail gateways and forwarders without modification.
Any change would render the sequence inoperable.
* To spread effectively, the code would need to be written such that
it would use pathnames and code present on almost every machine
where received, including ANSI.SYS. MS-DOS machines are seldom so
predictable!
* Any such change would only map one or more keys to a damaging
command; the user would have to press a certain key (or sequence)
to actually trigger the damage. This involves more than simply
reading a mail message!
2) On systems using MIME-capable mailers (or similar), it is possible
that a message could be crafted that would trigger an external agent on
the receiving machine to do harm. For example, it might be possible
to embed commands in a PostScript file that would cause a PostScript
interpreter to modify files. For this to succeed, it requires that
users automatically execute those applications upon receipt of
appropriate mail, and that those applications have enabled operations
that might unduly affect the system. Again, this does not seem to be a
viable way to spread a virus.
Note that we are not claiming that a harmful agent cannot be distributed
in mail. To the contrary, the "Good Times" message *is* damaging -- as a
rumor! It is also possible to circulate code that, if executed by an
unwary user, could cause damage. However, the possibility is effectively
nil of a virus being constructed that will circulate via e-mail, affect
any of several dozens of operating systems when run through any of
scores of different mail agents, and launch by being listed to the
screen.
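The ANSI.SYS exception above is the one a mail reader can actually defend against at the display layer: strip every control sequence before the text reaches the screen, and flag the key-redefinition form specifically. The following scanner is an added example (it is not part of the PCERT advisory, and the sample message in it is constructed); it assumes the sequence grammar of ANSI.SYS, where a CSI sequence ending in the final byte `p` rebinds a key.

```python
import re

# ANSI control sequences begin with ESC (0x1b) and '[' (the CSI), then
# parameter bytes (0x20-0x3f) and one final byte (0x40-0x7e).  ANSI.SYS
# additionally accepts quoted strings inside the parameters and treats a
# final byte of 'p' as a key-redefinition command: the named key will
# afterwards emit the quoted string, the mechanism the advisory describes.
# The quoted-string branches come first so that a string such as "dir" is
# not mistaken for parameter bytes followed by a final byte 'd'.
CSI_RE = re.compile(r'\x1b\[((?:"[^"\n]*"|\'[^\'\n]*\'|[\x20-\x3f])*)([\x40-\x7e])')

# Constructed sample message (not from the advisory).  The last line is a
# key-redefinition sequence binding key code 65 ('A') to the harmless string
# "dir" plus Enter (13); a text-mode DOS mail reader would hand it straight
# to ANSI.SYS, which is exactly what the scanner prevents.
SAMPLE_MESSAGE = (
    "Subject: Good Times\n\n"
    "Happy holidays!\x1b[1m (bold text is harmless)\x1b[0m\n"
    "\x1b[65;\"dir\";13p\n"
)


def scan_mail_body(text):
    """Strip every CSI sequence from text before it is displayed.

    Returns (sanitized_text, findings); findings is a list of
    (kind, raw_sequence) tuples, kind being 'key-redefinition' for an
    ANSI.SYS key rebinding and 'control-sequence' for anything else.
    """
    findings = []

    def strip(match):
        kind = 'key-redefinition' if match.group(2) == 'p' else 'control-sequence'
        findings.append((kind, match.group(0)))
        return ''  # the display layer never sees the sequence

    clean = CSI_RE.sub(strip, text)
    # A leftover ESC is not a well-formed CSI sequence; drop it too so a
    # truncated or gateway-mangled sequence cannot reach the terminal driver.
    return clean.replace('\x1b', ''), findings


def has_key_redefinition(text):
    """True if the message carries an ANSI.SYS key-redefinition sequence."""
    return any(kind == 'key-redefinition' for kind, _ in scan_mail_body(text)[1])


if __name__ == '__main__':
    cleaned, found = scan_mail_body(SAMPLE_MESSAGE)
    for kind, raw in found:
        print(f'{kind:18} {raw!r}')
    print('safe to display:', not has_key_redefinition(SAMPLE_MESSAGE))
    print(cleaned)
```

Note that the same stripping also removes harmless attribute sequences (bold, colour), which is the trade-off most text-mode mailers of the period made.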
More Information
------------------
Further discussion of this rumor may be found in the following CIAC
Notes, available via WWW:
http://ciac.llnl.gov/ciac/notes/Notes04c.shtml
http://ciac.llnl.gov/ciac/notes/Notes05d.shtml
http://ciac.llnl.gov/ciac/notes/Notes09.shtml
or via ftp:
ftp://ciac.llnl.gov/pub/ciac/notes/notes04c.txt
ftp://ciac.llnl.gov/pub/ciac/notes/notes05d.txt
ftp://ciac.llnl.gov/pub/ciac/notes/notes09.txt