1949
John von Neumann (1903-1957), Hungarian computer scientist, develops the theory of self-reproducing automata.

1960s
The first self-copying programs are used as placeholder jobs on mainframe computers: if no jobs are waiting, these programs copy themselves to the end of the queue. Thanks to their propensity to proliferate, they are soon nicknamed Rabbits.

At around the same time, H. Douglas McIlroy, Victor Vysottsky, and Robert Morris, programmers at Bell Laboratories, invent the game of Core Wars. The game's objective: to steal valuable CPU time from the opponent.

1970s
In the early 1970s, Bob Thomas is employed at ARPANET developer Beranek and Newman, where he is actively involved in designing the technical foundation of today's Internet. He creates the Creeper program, which travels from computer to computer within the network. Seeing that the program is reproducing itself out of control, Thomas then writes a second program, Reaper, to pursue and disable the pest.

1980
Jürgen Kraus, a computer science student at the University of Dortmund, writes his master's thesis on Selbstreproduktion bei Programmen [Program Self-Reproduction], describing how such phenomena can be constructed. This thesis is the first study to show that certain programs can display behavior similar to that of biological viruses. His work is never published and disappears into the university archives.

1981/82
Rich Skrenta's Elk Cloner program infects Apple II disks without deleting data. When the disk is started for the 50th time, a poem appears on the desktop.

Professor Len Adleman employs the term "virus" to describe self-copying programs when discussing them with Fred Cohen, his computer science student.

At the same time, Joe Dellinger, a student at Texas A&M University, writes several self-reproducing programs for Apple II disks, naming them Virus 1, Virus 2 and Virus 3.

Jon Hupp and John Shoch of Xerox PARC write worms for distributed computing; these are designed for internal use. Unfortunately, a programming error slips in, allowing the worm to copy itself without control, and the affected computers must be shut down.

1983
Fred Cohen presents his first functional virus: programmed under the Unix operating system, it implants itself in the VD command. Whenever an infected program is run, the virus inherits that program's system privileges, and in this way it can obtain the privileges of every user within a short period of time.

1984
Fred Cohen presents his dissertation, entitled “Computer Viruses - Theory and Experiments”, which attracts international attention. It both defines the computer virus and includes descriptions of numerous experimental viruses.

1985
The EGABTR virus, posing as a program designed to improve the poor graphics then prevalent, is distributed via mailboxes. However, once this camouflaged Trojan horse is started, all files on the hard disk are deleted and a message appears on the screen: “Arf, arf, Gotcha!”

1985 also witnesses the publication of the source code of an Apple II virus in "Apples" magazine.

1986
Basit and Amjad Farooq Alvi, managers of Brain Computer Services, a small Pakistani computer firm, include with each software copy a harmless virus carrying their name and address, whose purpose is to foster customer loyalty. Their action unintentionally results in the first MS-DOS virus which, under the names Brain or Pakistani, soon spreads world-wide.

In late 1986, Ralf Burger (Germany) presents the Virdem virus during a Chaos Computer Club conference. It establishes itself in the disk's boot sector and is spread by means of boot sector exchange. Virdem infects COM files without deleting data.

1987
The Lehigh virus checks a disk each time it is read to determine whether the files have already been infected. After every fourth infection, part of the disk which has been read is overwritten. This is the first virus to infect command.com.

CHRISTMAS EXEC spreads throughout IBM VM/CMS systems. It shows a Christmas tree on the desktop and then secretly sends itself via e-mail. Although this worm is dependent on human assistance, it forces a number of systems to shut down.

Jerusalem: This virus, also known as Friday the Thirteenth, is the first virus to establish itself in the main memory (RAM). It affects the computer in two ways: On any thirteenth day of the month falling on a Friday, it deletes all COM and EXE files. On all other days, the virus reduces computer speed after 30 minutes.

The notorious Stoned virus, the first master boot sector virus, is the brainchild of a student at the University of Wellington in New Zealand. In addition to a "Your PC is now stoned!" message, the virus also proclaims “Legalize Marijuana!”.

1988
Zuk, created by Denny Yanuar Ramdhani (Bandung, Indonesia), is the first anti-virus virus. It recognizes and removes the Brain virus and then replaces it with a copy of itself.

The first virus construction kit, designed for the Atari ST, is presented. This tool allows even beginners to easily "assemble" viruses with characteristics specified by the user.

Robert T. Morris, a Cornell University computer science student, starts a worm which takes advantage of gaps in the UNIX operating system to reproduce itself on Internet computers. However, a program error results in such a proliferation of the worm's progeny that thousands of computers are brought to a halt just a few hours later.

An anonymous German lets the first self-encrypting memory-resident virus, Cascade, loose into the wild. When infection is successful, this virus produces a waterfall effect, with letters raining down the display screen.

1989
The first polymorphic (multiform) virus is discovered, named V2Px, 1260 or Washburn. Such viruses repeatedly re-encrypt themselves, which complicates the development of anti-virus software.

The Dark Avenger.1800 virus, written in Sofia, Bulgaria, is the first fast-infecting virus; it corrupts data, however, only very slowly.

The Frodo virus is discovered in Haifa, Israel. This is the first stealth virus which can infect files. On 22 September, the virus issues the message “Frodo lives!”

The PC Cyborg Corporation, registered in Panama, sends disks to participants at an international AIDS conference. These disks supposedly contain important informational material which must first be installed on the hard disk. Enclosed is the manufacturer's licence, which states that a longer period of use will require payment of USD 378.00, and that non-payment will result in the encryption of critical data. Program installation places a Trojan horse in the computer, which encrypts the contents of the hard disk when the computer is started for the ninetieth time. Shortly thereafter, one of the company's owners is sentenced and then committed to a psychiatric institution.

This is the year that the marijuana virus turns up in Australia and New Zealand, a virus calling for the legalization of marijuana every eighth time that the program is run. Via e-mail, the Internet worm attempts to send itself to Microsoft Outlook address book entries with “check this out!!!” in the subject line.

AIDS is the first Trojan horse to spread via mailing lists. It overwrites the beginning of documents and issues the message: “Your computer now has AIDS”. After this message appears on the screen, the system collapses and the computer must be restarted.

A McAfee virus scanner is put on the market. This version is already capable of recognizing 44 viruses. IBM's comparable virus-search program recognizes a mere 28.

1990
Ping-Pong, also named Bouncing Ball or Italian, is probably the best known and most widely spread boot sector virus. When the virus is activated, a ball bounces across the screen.

Other polymorphic viruses appear in the USA, including Virus-90 and Virus-101.

Anthrax and V1 represent the discovery of the first compound viruses. The Flip virus is the first of this type to spread successfully.

Symantec introduces Norton AntiVirus, one of the first anti-virus programs developed by a large Internet company.

1991
Publication of the virus construction kit for DOS systems by the "Verband Deutscher Virenliebhaber" [Association of German Virus Fans]; this kit enables one to assemble new viruses.

Discovery of the first cluster virus: DirII.

The Tequila virus from Switzerland remains active four months after infection. This is a so-called multipartite virus, which infects both the master boot sector and DOS EXE files. It conceals itself by reporting the host program's original length when queried, so that the program appears unchanged.

1992
A virus programmer calling himself Dark Avenger presents the Mutation Engine program. This program can be used to generate polymorphic viruses from simple viruses. It also eliminates the need to constantly recode the virus by hand, since the decryption routine itself is changed with each generation. Each new copy of the virus then has virtually no byte in common with its predecessor.

WinVir 1.4, the first Windows virus, is discovered. The first virus to infect SYS files appears and is given the name Involuntary.

The first virus collection offered for sale is announced: John Buchanan offers his collection, which includes more than 1000 files, for USD 100.00.

1993
The anti-virus industry presents its first wild list. This is a list of all computer viruses which surface "in the wild", that is, directly on the user's PC. A second category includes laboratory or zoo viruses, i.e. viruses "bred" or developed in laboratories for research purposes.

The SatanBug virus infects PCs in Washington, DC. The authorities are able to trace Little Loc, its creator, to San Diego. However, they cannot take legal action as he is underage.

GDE (Generic Description Device) appears as the anti-virus industry's first tool capable of recognizing polymorphic viruses.

1994
A virus programmer places his Kaos4 virus in the alt.binaries.pictures.erotica newsgroup in order to spread his virus. A large number of visitors download the file, infecting their computers in the process.

The SMEG.Paragon virus spreads throughout England. Scotland Yard arrests Christopher Pile, also known as Black Baron.

Good Times is the first hoax: An e-mail with "Good Times" in the subject line warns of a new virus, which supposedly causes the entire contents of the hard disk to be deleted – merely by reading the message. This warning ends with the request “Forward this to all your friends”, by which means the hoax is spread throughout the Internet.

1995
Concept, the first macro virus, infects Microsoft Word documents. The text contained in the virus reads: “That’s enough to prove my point”. WM/Concept was the first virus specifically written for the Microsoft Word system and discovered "in the wild".

Black Baron admits guilt and is sentenced to 18 months in prison.

1996
Esperanto is the name of a new virus which automatically adjusts to the operating system. If the virus lands on a Macintosh, it runs as a Mac program. Esperanto is thus the first virus capable of infecting not just specific programs but basically anything then (1996) running on PCs and Macs. The creator of the virus is the Spanish 29A virus programming group, which also claims responsibility for the WM.CAP macro virus.

Boza, the first Windows 95 virus, is written by Quantum, a member of the VLAD virus programming group in Australia. When an infected program is started, it searches for up to three executable files which have not yet been infected, and infects them. On the 31st of each month it issues a message regarding its creators.

The first Excel macro virus, XM.Laroux, makes its appearance in Alaska and Africa. It infects Microsoft Excel documents by adding a hidden worksheet named "laroux".

Staog, the first Linux virus, is found in the lab, but is never spotted in the wild.

1997
Linux.Bliss is the first Linux virus in the wild. It searches for programs for which the current process has write permission, and then overwrites such files with its viral code – simultaneously destroying the original program. The virus exhibits wormlike behavior, which aids it in infecting computers via a network.

Virus programmers write mIRC scripts, which, in a worm-like manner, are automatically spread amongst Internet Relay Chat users.

1998
The CIH-Virus (also referred to as Chernobyl), originating in Taiwan, travels via the Internet to Europe and the USA, where it is unwittingly spread via promotional downloads and free CD-ROMs. On 26 April 1999, it deletes data from the host computer. On a few computers, it even manages to overwrite the BIOS. The perpetrator, Chen Ing-hau is discovered and arrested, but he is soon released as no one in Taiwan is interested in pressing charges. Shortly thereafter Wahoo, a Taiwanese Linux distributor, hires him as a security expert.

Win95/Marburg, a polymorphic Windows virus, spreads via the "Wargames" computer game and by means of a CD-ROM included with the Australian "PC Power Play" magazine. It infects Win32 EXE and SCR (screen saver) files and is activated three months after the file is originally infected. If an infected application is started, the virus displays the standard Windows error icon (a white "X" on a red circle) scattered over the entire screen. Marburg deletes the databases of a variety of anti-virus programs and evades discovery by infecting all EXE files with a "V" in their name (Scanvirus.exe, etc.), which disrupts the self-test of most anti-virus programs.

The first Excel formula virus, named XF.Paix.A, appears. This virus does not use Excel's standard macro capabilities, but a special formula sheet instead, which can contain the malicious code.

Carl-Fredrik Neikter presents NetBus, a back-door program which provides hackers with access to infected computers.

The first Microsoft Access virus and variants are discovered: A2M.Accessiv for Access 2.0; AM.Accessiv.A,B, AM.Tox.A,B for Access 97.

AOL Trojan horses make their appearance. The first of many Trojan horses steals information from AOL users. AOL e-mail addresses are flooded with infected document attachments.

Strange.Brew is the first virus capable of infecting Java applications; however, it is unable to spread via web-based Java.

The Cult of the Dead Cow group presents Back.Orifice, a disguised remote control program which permits both program execution and monitoring of the computer. The media turn their attention to NetBus, which has already appeared and which displays similar behaviour.

The first VB script virus: VBS.Rabbit goes into action when an infected script is run. The viral code searches certain Windows directories and the current directory for additional script files (VBS) and writes itself at the beginning of these files. The infected scripts can still run, thus continuing the spread of the virus. On the second day of each month between nine and ten o'clock, the script searches for all text files with .txt or .doc extensions and replaces their contents with a drawing of an obscene gesture.

The HTML.Internal virus, also known as HTML.Prepend, is based on VBS, but only works when Internet Explorer is used. If the user views a web site which has been infected by the virus, a Visual Basic script is activated; this inserts text into HTML documents on the user's PC. An infected file is relatively easy to spot, because the header begins "<html> <!--1nternal-->".

Discovery of P97M.Vic.A, the first Microsoft PowerPoint virus. This virus infects the "User Form", which is attached to a command button. If the button is clicked, the virus infects all PowerPoint documents under C:\My Documents.

1999
W97M.Melissa.A quickly spreads world-wide. The virus infects Word documents and sends itself as an e-mail message to as many as 50 addresses in the Outlook address book, which leads to the collapse of a large number of mail servers – even those of large software companies. Following his arrest, David L. Smith admits responsibility for this virus.

NetBus 2 Pro is presented as a commercial program. In order to prevent anti-virus manufacturers from reporting it as a virus, author Carl-Fredrik Neikter demands payment for his product. The manufacturers nonetheless insert a recognition routine, as this is a malicious program.

W32/ExploreZip is an e-mail worm which, together with an attached worm file, sends itself to the senders of all unread e-mail in the incoming mailbox. Even computers not using Outlook can be infected with W32/ExploreZip.

Back.Orifice 2000 is presented by Cult of the Dead Cow at DefCon in Las Vegas. The new version of the remote control program now works under NT as well.

The polymorphic, memory-resident W32/Kriz virus spreads via infected screensavers or EXE files. It attempts to overwrite all documents on the local hard disk and on network drives.

VBS/BubbleBoy is a worm which takes advantage of Internet security gaps using Explorer and Outlook. It is the first virus capable of infecting systems without requiring a user to open an e-mail attachment. The worm runs as soon as the user opens e-mail in Outlook.

Y2K fix is a Trojan which, on some computers, crashes before any damage can be done. On other computers, it claims to solve Y2K-related problems while in reality it is overwriting the hard disk.

2000
VBS.Loveletter spreads world-wide at a breathtaking speed. Variant A, known under the name “ILOVEYOU”, is followed by countless others. This is a worm which attempts to spread by a variety of means; the most common is sending itself as an e-mail attachment. The subject line of infected e-mail messages reads ILOVEYOU, with the following text in the message: “kindly check the attached LOVELETTER coming from me”. Originally programmed by Onel de Guzman (Spyder), the worm searches all local and network drives for files with VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPEG or MP3 filename extensions. These files are overwritten with the worm, and their filename extensions are either changed to .VBS or have .VBS appended. Once again, numerous mail servers collapse. Over the next few weeks, each newly discovered virus makes a splash in the news.

VBS.Stages is an Internet worm which spreads via e-mail and which is concealed in what appears to be a text file. All e-mails sent by the virus are deleted to conceal its movements.

W32.Pokey.Worm is the name of the worm which appears as an e-mail attachment. If the user opens the pikachupokemon.exe document attachment, an animated Pokemon character appears. In addition, the worm automatically sends itself to all entries in the Outlook address book. The worm deletes all important system files and the operating system can no longer be started.

The first PDA (Personal Digital Assistant) Trojan horse appears. Palm.Liberty.A does not spread on its own, but reaches the handheld through the synchronization process and deletes updates. Palm.Liberty.A was accidentally created by Aaron Ardiri, employed at the University of Gavle in Sweden.

Navidad.EXE is a worm which uses Outlook or Outlook Express to spread. All types of Windows computers can be infected.

2001
VB.SST@mm is a computer worm concealed in the AnnaKournikova.jpg.vbs e-mail attachment. If one opens the document attachment which purports to be a photograph of the tennis player, the worm copies itself into the Windows directory and then sends itself to the entire address directory via MS Outlook. Shortly after the outbreak of this virus, its Dutch creator turned himself in and was thereupon sentenced to 150 hours of community service. A salesman in a computer shop in Sneek, the Netherlands, he stated that he had no programming knowledge, but simply created the worm using a "virus construction kit".

W32/Naked disguises itself as a Flash animation and, once activated, sends itself as an e-mail worm with the attachment NakedWife.exe to the entire MS Outlook address book. By deleting various Windows and system directories, it renders the system unusable, and the computer must be restarted.

Mass mailers Code Red and Code Red II take advantage of a security leak in Microsoft's "Internet Information Server" web software, which runs under Windows NT or 2000. Unlike the original, Code Red II does not attack the White House web site; instead, it installs a back door to the system, through which hackers gain control of the computer.

The W32/SirCam worm spreads via MS Outlook Express. Once it is run, it places itself in the system directory and is reactivated any time the user starts a program using the EXE filename extension. It can also independently copy itself onto shared network drives, from there to be activated by the respective user. SirCam does not only send itself, but also sends personal data which it finds on the infected computer. It is also the first worm equipped with its own mail server.

The aggressive Nimda computer worm races through the World Wide Web. What is novel about it is that user intervention is no longer required for it to spread. Instead, it utilizes known software weak spots and several different methods of infection. It spreads via e-mail and can also implant itself in remote computers directly over the Internet. This worm's rapid spread affects Internet traffic, leads to the collapse of affected web sites and compromises file system security, in that it shares local drives on the network.

The memory-resident W32.Badtrans.B@mm Internet worm is a variant of WORM_BADTRANS.A, which avails itself of a known security gap in e-mail applications (MS Outlook/ Express). Once infection has taken place, the worm registers itself as a system service and replies to incoming e-mail, spies out passwords and installs a key logger (this records each key pressed by the user and records which program is being used).

Peachy is a VBS worm which hides in PDF files and spreads via MS Outlook. If a user opens this PDF file in Adobe Acrobat, a picture with a tiny game appears where a peach must be found. Double-clicking an icon with the supposed solution starts the VBS file. The worm attempts to send itself to the first 100 addresses which it finds in Outlook.

2002
W32.MALDAL exists in different variations, most of them arriving as a file attachment via e-mail. The virus picks its file name at random from the system directory of the infected computer. Once the worm has established itself, a window opens in the top left hand corner of the screen. If you then click on ‘Exit’, the program only seems to close: in the background, the active worm program registers itself and thus remains invisible in the Task Manager.
W32.MALDAL then searches the HTM and HTML files on the local system for e-mail addresses ("mailto" references) in order to obtain the relevant data. Using various registry entries, the worm also searches for other potential SMTP e-mail addresses.

W32.YARNER.B was the first virus attached to an official newsletter. Unfortunately, the newsletters came from the antivirus sector, so that the e-mail recipients felt no reason to be suspicious. Upon arrival, the virus disguised its presence by renaming the NOTEPAD.EXE application. It copied itself into a new NOTEPAD.EXE. When the virus was invoked, this also happened to the renamed original file – with the respective consequences. The virus then deleted a randomly chosen number of the files from the Windows directory.

W32.KLEZ introduced the most widely spread destructive mass mailer of the year 2002 into the systems. The virus activates itself automatically on the 6th day of every odd month. All variations of W32.KLEZ are located in memory and are distributed via e-mail and the network. W32.KLEZ infects EXE files and modifies their file attributes. Furthermore, it has a routine that can stop antivirus programs. W32.KLEZ heralded a new stage in virus development: in order to distribute the e-mail, a number of new techniques were used to generate false sender and recipient addresses.

W32.YAHA.E reached the users as .SCR and .BAT e-mail attachments with double file endings. It is not marked by a specific subject line or message text. Once in the system, it creates a copy of itself in the Recycle Bin folder, assigning itself a randomly chosen, four-character name. The file attribute is set to "hidden".

W32.FRETHEM.K is a non-destructive, memory-resident virus. It is spread as an attachment to an e-mail reading as follows:
Subject: Re:Your password!
Message Body: You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel.
Attachment: DECRYPT-PASSWORD.EXE PASSWORD TXT
Unpatched Internet Explorer 5.5 contains security gaps; on such computers the file attachment can execute itself automatically if Microsoft Outlook or Outlook Express is set to Preview.

W32.BRAID.A is a memory-resident computer worm, storing a file virus called PE_FUNLOVE.4099 on the system. It infects all executable files and ActiveX objects in a system or network. W32.BRAID.A also independently sends copies via SMTP to all e-mail addresses found in .HTM and .DBX files.

W32.BUGBEAR.A opens port 36794 and thus makes it possible for a remote user to obtain information without permission. Furthermore, it can now manipulate data and carry out program changes on the affected system. Since the virus does not check the file source at port 36794 it can also copy itself into the printer queue and cause a printer jam. Or the devices print out the virus' binary code.

W32.FRIENDGREET reaches its victims not directly via e-mail but as a URL link to a specific download site. The virus can only establish and spread itself after interaction with the user, who must agree to a kind of licence agreement; as a consequence, the infected program gains access to the Microsoft Outlook Contacts list and can send e-mails to all addresses listed there. Without the agreement of the user (which is actually asked for several times) this virus cannot infect the computer.

2003
Various security companies have described 2003 as the worst year there has ever been for viruses. According to F-Secure, the number of known viruses rose to over 90,000. Some of the new ones have also introduced new and more refined techniques, and network worms make not only virus scanners but now firewalls as well an absolute must. Many worms install and start themselves over and over again to protect each other in the fight against anti-virus technology that is not so advanced. According to Kaspersky, the one to watch out for most is the Trojan horse Arcore, which may not be very widespread, but is incredibly tricky. It stores its code in the alternate data streams of the NTFS file system, attached to directories rather than to individual files.
One of the main trends in 2003 were "blended threats", which are kinds of worm that bring a Trojan horse with them, duplicate themselves with new techniques and can conceal themselves better using heavy cryptography. This has been accompanied by a new quality in the way in which spammers use viruses as tools, as well as in the extent of the havoc wrought by virus outbreaks in various critical infrastructure systems.
But the worst problems emerged as mere by-products of the worms Slammer and Blaster, which simply tried to replicate themselves and were not intended to infect important systems. What jammed the operation of the systems was the massive network traffic caused by the worms.

The war in Iraq which began in March also had an indirect impact on public information networks. The phenomena were not caused by any official network war between the US and Iraqi forces but by the activities of single hackers who wanted to express their own opinions.
The people behind these attacks were patriotic hackers, extremists or pacifists. They attacked mainly by manipulating web sites, and to a certain extent they also used viruses.

The virus problems of 2003 were concentrated on the Windows platform. No new viruses were discovered in Linux or Mac environments.
W32/SQLSlammer: On January 24th the "almost perfect" worm began wreaking its havoc. It exploited a buffer overflow weak point in Microsoft's SQL server, which had already been known about for months, and spread around the globe within minutes.
Slammer is a fully automatic network worm that can enter a computer directly via a network connection. The biggest problem was not the number of systems infected by the worm but the aggressive way in which it sought out new victims in the network, thus causing an enormous flow of data.
One of the world's largest cash dispenser networks collapsed and was out of action for a whole weekend. Many international airports reported a slowing-down of their air traffic control systems. In various parts of the USA there were problems with emergency call systems. The virus even penetrated the internal network of the Davis Besse nuclear power station in Ohio and closed down the computer that monitors the status of the nuclear reactor.

BUGBEAR.B: The e-mail worm Bugbear.B was discovered on June 5th. The most interesting thing about this virus is that it tried to steal information from banks and other financial institutions. As soon as Bugbear.B had infected a computer, it checked whether the computer in question was connected to the internal network of a well-known financial institution. If so, the virus collected information and passwords from the system and sent them to ten predetermined e-mail addresses. For this purpose, the worm had a list of network addresses of more than 1,300 banks in all five continents.

MSBLAST WORM: Blaster (or Lovsan) was discovered on August 11th. This was also an automatic network worm, very similar to Slammer, but one that could infect a far greater number of computers. Blaster exploited a security hole in the Windows 2000 and XP operating systems. The RPC weak point was discovered on July 16th, just under a month before the worm made its appearance. July and August are the main holiday season, and many companies had simply omitted to install security patches before the worm appeared.
The programmer of the worm was probably a hacker who wanted to express his antipathy to Microsoft. The code includes the text, "billy gates why do you make this possible? Stop making money and fix your software!!" The worm was programmed in such a way that it would start a denial of service attack against windowsupdate.com five days after being discovered. But this web site was not, however, Microsoft's official update site, and the company removed it from the web a few hours before the planned attack.

As a consequence of the Blaster worm a virus was developed that was supposed to fight Blaster. This virus was known as Welchi or Nachi, and it infected computers that had already been infected by Blaster. As soon as Welchi entered a system, it destroyed Blaster and tried to download and install the Windows security updates. So it could be called an anti-virus virus. It's a pity, then, that in this case the treatment was worse than the disease. Welchi generated far more network traffic than Blaster and was the cause of most of the serious systems collapses that hit companies in mid-August.

Various airlines reported problems caused by Blaster and Welchi in their systems. As a result, flights had to be cancelled. Welchi also infected Diebold cash dispensers that were based on Windows XP, hindering cash transactions. The operation of the US State Department's visa system was also affected by the virus. The railway operator CSX reported that the virus caused a malfunction in its signaling system so that all passenger and goods traffic had to be stopped. All commuter trains in the Washington D.C. area were halted on the lines.

W32/Sobig.F: Just one week after Blaster a new variation of the Sobig family of viruses appeared. This was the worst e-mail worm yet seen, and it sent more than 300 million infected e-mail messages around the whole world. Apart from spreading via e-mail, the various Sobig versions have something else in common; they wait for a few days after infecting a computer before transforming the affected computers into e-mail proxy servers. The reason for this quickly became clear. Spammers used the proxy servers set up by Sobig to start massive spam mail actions. The worm had taken control of the computers of unwitting private users to send thousands upon thousands of advertising mails in their names.

SWEN WORM: The e-mail worm Swen was found on September 18th 2003. E-mail messages sent by Swen looked deceptively similar to genuine security updates from Microsoft.
While Swen was less harmful for end users than Sobig.F, it caused serious problems for Internet providers. The reason was that most e-mails sent by Swen carried forged sender addresses. Messages addressed to non-existent recipients were accepted by mail servers and then bounced as error notices (non-delivery reports) to the forged sender addresses, that is, into the networks of providers that had nothing to do with the original mail. End users never saw the worm mails themselves, but several large Internet providers reported considerable delays in mail delivery, sometimes lasting weeks, because of this bounce traffic.
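The bounce flood described above is today called backscatter. The following Python model, added here as an illustration and not taken from the original article or from any real worm, runs the same constructed stream of worm e-mails with forged envelope senders through two receiving-MTA policies: accept every message and bounce unknown recipients afterwards (what many 2003 servers did), or reject unknown recipients during the SMTP dialogue so the error goes back to the infected sending host and no bounce is ever generated. All domains, mailboxes and counts are made up for the example.

```python
"""Toy model of mail backscatter caused by a worm that forges sender addresses.

Added example; not code from the original article and not worm code. Domains,
mailboxes and message counts are constructed for the illustration.
"""
import random
from collections import Counter

# Constructed directory of mailboxes that actually exist at each provider.
VALID_MAILBOXES = {
    "provider-a.example": {"alice", "bob"},
    "provider-b.example": {"carol"},
}


def build_worm_mail(n, seed=7):
    """Return n constructed (envelope_sender, recipient) pairs.

    The worm forges the sender from addresses found on the infected PC and
    mails harvested or guessed recipients, most of which do not exist.
    """
    rng = random.Random(seed)
    address_book = [f"user{i}@provider-a.example" for i in range(5)] + \
                   [f"user{i}@provider-b.example" for i in range(5)]
    recipients = ["alice@provider-a.example", "bob@provider-a.example",
                  "carol@provider-b.example"] + \
                 [f"guess{i}@provider-a.example" for i in range(20)] + \
                 [f"guess{i}@provider-b.example" for i in range(20)]
    return [(rng.choice(address_book), rng.choice(recipients)) for _ in range(n)]


def mailbox_exists(recipient):
    local, domain = recipient.split("@")
    return local in VALID_MAILBOXES.get(domain, set())


def deliver(mails, policy):
    """Run the mail stream through a receiving MTA using the given policy.

    Returns a Counter of non-delivery reports (NDRs) that land at each
    provider named in a forged sender address, i.e. the backscatter volume.
    """
    backscatter = Counter()
    for sender, recipient in mails:
        if mailbox_exists(recipient):
            continue  # delivered to a real mailbox; no bounce is generated
        if policy == "accept-then-bounce":
            # The message was already accepted (250 OK), so the only way to
            # report the failure is an NDR to the envelope sender, which the
            # worm forged: an innocent provider receives the bounce.
            backscatter[sender.split("@")[1]] += 1
        elif policy == "reject-at-rcpt":
            # 550 during RCPT TO: the infected client gets the error over the
            # open SMTP connection and no NDR is created at all.
            pass
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return backscatter


def undeliverable_count(mails):
    """Number of worm messages in the stream that target non-existent mailboxes."""
    return sum(1 for _, r in mails if not mailbox_exists(r))


if __name__ == "__main__":
    stream = build_worm_mail(1000)
    print("undeliverable worm mails:", undeliverable_count(stream))
    for policy in ("accept-then-bounce", "reject-at-rcpt"):
        print(policy, dict(deliver(stream, policy)))
```

Under the accept-then-bounce policy every undeliverable worm mail becomes one bounce at a provider that never sent anything, which is exactly the load the providers complained about; rejecting unknown recipients at RCPT time produces none, which is why that has since become the standard configuration.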

2004
The "blended threat" trend continued in 2004. More and more worms were used to spread Trojan horses and other malicious routines. A backdoor carried by a worm, for example, travels along every available propagation route: e-mail, instant messaging, P2P networks and network shares used by several users. The techniques employed also include the targeted exploitation of security vulnerabilities and social engineering.

BAGLE.A WORM: Bagle.A was discovered on January 19th. It started by checking the system date and terminated itself if the date was January 28th 2004 or later. Once active, the worm opened a backdoor on TCP port 6777, through which an attacker could reach the infected system.
Like SOBIG.F, Bagle.A extracted the domain part of each harvested recipient address and looked up that domain's mail server in DNS, so that its own mail engine could deliver the infected messages directly to the recipients' mail servers instead of going through the local mail server.

MYDOOM.A WORM: This worm (also known as MIMAIL.R or Novarg.A) made its public appearance on January 26th. It was a mass-mailing worm that drew subject lines, message texts and attachment names from built-in lists when sending infected e-mails. The sender address was also forged (spoofed), so the e-mails appeared to come from many different users while the identity of the actual sender and of the infected system was concealed. In addition, the worm used the Kazaa peer-to-peer (P2P) network to spread itself.
Mydoom's payload tried to start a denial of service attack against the website www.sco.com. The attack ran if the system date was February 1st 2004 or later; after February 12th 2004 the worm stopped both the attack and most of its other routines. It can be assumed that the target was the software company SCO, which had initiated legal action against various Linux distributors in November 2003.
Mydoom also installs a backdoor on the infected computer by listening on TCP port 3127, which allows an attacker to gain remote access and manipulate the file system. Unlike the rest of the worm, this backdoor remains active after February 12th 2004.

Mydoom.A caused a heavy increase in traffic on the Internet and in corporate networks, especially at the e-mail server level, and it spread even faster than SOBIG.F. The exceptionally high propagation speed justifies a closer look at the techniques used. Most users received Mydoom.A as an e-mail attachment. No software vulnerability was exploited to start the malicious code automatically; the user had to execute the infected file manually. MYDOOM.A relied on social engineering, disguising itself as a system notice or a friendly message to get the user to open the attachment.

NETSKY.B WORM: On February 18th a virus alert was raised for Netsky.B. This worm, too, used social engineering to get users to open the infected attachments. To propagate further, Netsky.B also placed copies of itself in the shared directories of the P2P application Kazaa, using tempting file names such as photoshop9crack.exe or how to hack.doc.exe to induce Kazaa users to download it (the second name relies on Windows hiding the final .exe extension by default, so the file appears to be a document).

Worm activity in March and April was marked by new variants of Netsky and Bagle. All these worms use the same propagation method and attack computers via infected e-mails. To improve their chances of spreading undetected for longer, worms of the Netsky and Bagle families avoid sending infected e-mails to addresses at known manufacturers of security software.

The possibility was widely discussed that the programmers of the Netsky and Bagle worms were conducting a feud against each other. Several observations lend weight to this scenario:

• The large number of new Netsky and Bagle variants within a short space of time.
• When a new Netsky variant started spreading, a Bagle worm would follow shortly afterwards.
• Most Bagle variants deactivate previous Netsky variants. In turn, worms of the Netsky family deactivate other malicious codes including MyDoom and Nachi, and older Bagle and Netsky variants.
• The virus code often contains harshly-worded messages to the other side.

SASSER WORM: The biggest threat of the year so far came from Sasser, which was discovered in May. The Sasser variants, like Nimda, Code Red, Slammer and Blaster before them, are network worms that spread without e-mail, web content or file-sharing downloads. Any computer connected to the Internet without the latest security patches for its operating system is a potential target, because the worm deliberately exploits vulnerabilities in programs or in the operating system itself.

Sasser exploits a flaw in the Local Security Authority Subsystem Service (LSASS) of Windows 2000 and XP, the component responsible for, among other things, authentication in networks. The worm generates random IP addresses and contacts the systems behind them. On vulnerable computers it injects code that fetches the actual worm body from an already infected system, each infected host running an FTP server on TCP port 5554 for this purpose. The worm is also reported to listen for incoming connections on further ports from 1068 upward. Like Blaster/Lovsan before it, Sasser sometimes crashes the LSA service, which forces a reboot of the computer within 60 seconds (the familiar shutdown dialog initiated by "NT AUTHORITY\SYSTEM").
Sasser opens a backdoor on infected systems and places an immense load on the network with its search for vulnerable hosts. Even the early variants could start up to 1,000 scanning threads on one infected computer. Later variants also resort to multicast scanning, which has left routers in some networks unstable.
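The behaviour just described (random-address scanning at very high rates, and freshly hit machines fetching the worm from the scanner over FTP on port 5554) is what a defender would look for in connection logs. The Python detector below is an added example for this article, not Sasser code and not from the original page. Its log format and the sample traffic are constructed; the exploit port TCP/445 is a known fact about Sasser that the article itself does not mention, and the thresholds are assumptions to be tuned to the network being monitored.

```python
"""Detect Sasser-style network-worm behaviour in connection logs.

Added example; not code from the original article and not worm code.
Log format (constructed): '<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'
"""
from collections import defaultdict
from datetime import datetime

LSASS_PORT = 445       # SMB port through which the LSASS flaw was exploited (known fact)
WORM_FTP_PORT = 5554   # FTP listener on infected hosts, as stated in the article
SCAN_THRESHOLD = 20    # assumption: distinct tcp/445 targets per source per window
WINDOW_SECONDS = 60    # assumption: sliding window length


def parse_line(line):
    """Parse one constructed log line into a dict with parsed timestamp and ports."""
    ts, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src_ip,
            "dst": dst_ip, "dport": int(dst_port)}


def detect(lines):
    """Return {host: [reasons]} for hosts that behave like an infected scanner."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    findings = defaultdict(set)

    # 1. Scanning: many distinct tcp/445 destinations from one source in a short window.
    per_src = defaultdict(list)
    for e in events:
        if e["dport"] == LSASS_PORT:
            per_src[e["src"]].append(e)
    for src, evs in per_src.items():
        window = []
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > WINDOW_SECONDS:
                window.pop(0)
            distinct = {w["dst"] for w in window}
            if len(distinct) >= SCAN_THRESHOLD:
                findings[src].add(f"{len(distinct)} distinct hosts on tcp/{LSASS_PORT} "
                                  f"within {WINDOW_SECONDS}s")
                break

    # 2. Serving: a host hit on tcp/445 connects back to the scanner on tcp/5554
    #    to fetch the worm body, which marks the scanner as an infected host.
    hit_by = {(e["src"], e["dst"]) for e in events if e["dport"] == LSASS_PORT}
    for e in events:
        if e["dport"] == WORM_FTP_PORT and (e["dst"], e["src"]) in hit_by:
            findings[e["dst"]].add(f"{e['src']} fetched payload from tcp/{WORM_FTP_PORT} "
                                   f"after being hit on tcp/{LSASS_PORT}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


def sample_log():
    """Constructed traffic, not a real capture: one scanner, one victim fetching
    the worm, and one benign client using its file server over SMB."""
    base = "2004-05-01T10:00:"
    lines = [f"{base}{i:02d} 10.0.0.5:{1500 + i} -> 203.0.113.{10 + i}:445"
             for i in range(25)]                     # 25 probes in 25 seconds
    lines.append(f"{base}30 203.0.113.17:1040 -> 10.0.0.5:5554")   # victim fetches worm
    lines += [f"{base}{40 + i} 10.0.0.9:{2000 + i} -> 10.0.0.2:445"
              for i in range(3)]                     # benign SMB client
    return lines


if __name__ == "__main__":
    for host, reasons in detect(sample_log()).items():
        print(host)
        for r in reasons:
            print("   ", r)
```

A normal client opens a handful of SMB sessions to a few servers it knows; an infected host touches dozens of new addresses per minute and, once it has compromised one of them, is contacted back on port 5554. Correlating the two signals on the same host gives a much lower false-positive rate than the scan count alone.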

Intriguingly, the worm itself contains a vulnerability that in turn allows others to gain full access to any computer infected with Sasser.

The author of the worm, an 18-year-old German schoolboy, was arrested on May 7th. Examination of the seized data revealed that he is also responsible for the various Netsky variants. If he is convicted, Microsoft will pay 250,000 US dollars to the person whose information led to the arrest.

copyright © 2004 digitalcraft.org