In the wild - A chronology of computer viruses
By Csilla Burján
John von Neumann (1903-1957), Hungarian computer scientist, develops the theory of self-reproducing automata.
On early mainframes, filler programs are used to occupy idle time: if no jobs are waiting, they copy themselves to the end of the job queue. Because of their propensity to multiply, they are soon nicknamed Rabbits.
At around the same time, Victor Vyssotsky, Robert Morris and H. Douglas McIlroy, programmers at Bell Laboratories, invent the game Darwin, the forerunner of Core War. The game's objective: to take CPU time and memory away from the opponent's programs.
In the early 1970s, Bob Thomas works at Bolt, Beranek and Newman (BBN), the contractor building the ARPANET, the technical foundation of today's Internet. He writes Creeper, an experimental program which travels from computer to computer within the network. To hunt down and remove the roaming Creeper, his colleague Ray Tomlinson writes a second program, Reaper.
Jürgen Kraus, a computer science student at the University of Dortmund, writes his diploma thesis "Selbstreproduktion bei Programmen" [Self-Reproduction in Programs], describing how such programs can be constructed. It is the first study to show that certain programs can behave much like biological viruses. The work is never published and disappears into the university archives.
Rich Skrenta's Elk Cloner infects the boot sectors of Apple II floppy disks without destroying data. Every 50th time an infected disk is booted, a short poem is displayed on the screen.
Professor Len Adleman coins the term "virus" for self-replicating programs in discussions with his computer science student Fred Cohen.
At the same time, Joe Dellinger, a student at Texas A&M University, writes several self-replicating programs for Apple II disks and names them Virus 1, Virus 2 and Virus 3.
John Shoch and Jon Hupp of Xerox PARC write worm programs for distributed computation; these are intended purely for internal use. A programming error, however, lets one worm replicate uncontrollably, and the affected machines have to be shut down.
Fred Cohen demonstrates his first working virus. Written under Unix, it implants itself in the vd command. Whenever an infected program is run, the virus executes with that user's privileges and infects further programs, so that within a short time it has obtained the rights of every user on the system.
Fred Cohen presents his dissertation, entitled “Computer Viruses - Theory and Experiments”, which attracts international attention. It both defines the computer virus and includes descriptions of numerous experimental viruses.
The EGABTR Trojan horse, posing as a program to improve the poor EGA graphics of the time, is distributed via bulletin board systems. Once the disguised program is started, it deletes all files on the hard disk and displays the message: "Arf, arf, Gotcha!"
In 1985 the magazine "Apples" also publishes the source code of a virus for the Apple II.
Basit and Amjad Farooq Alvi, who run Brain Computer Services, a small computer firm in Lahore, Pakistan, add to every copy of their software a seemingly harmless boot-sector program containing their names and address, meant to foster customer loyalty. Their creation unintentionally becomes the first MS-DOS virus, which, under the names Brain or Pakistani Brain, soon spreads world-wide.
In late 1986, Ralf Burger (Germany) presents the Virdem virus at the Chaos Computer Club congress. Virdem is a file infector: it attaches itself to COM files and spreads when infected programs are passed on, without deleting data.
The Lehigh virus, the first to infect COMMAND.COM, checks every disk it accesses to see whether it has already been infected. After every fourth infection it overwrites part of the disk it has just read, destroying data.
CHRISTMA EXEC spreads across IBM VM/CMS systems on the BITNET and EARN networks. It draws a Christmas tree on the terminal and secretly mails itself to the user's contacts. Although this worm depends on a user running it, it overloads a number of systems until they have to be shut down.
Jerusalem: this virus, also known as Friday the 13th, is one of the first to remain resident in main memory (RAM). It affects the computer in two ways: on any Friday the 13th it deletes every program that is run; on all other days it slows the computer down markedly 30 minutes after infection.
The notorious Stoned virus, the first to infect the master boot record, is the brainchild of a student at Victoria University of Wellington, New Zealand. In addition to "Your PC is now Stoned!" it displays the message "LEGALISE MARIJUANA!".
Den Zuk, created by Denny Yanuar Ramdhani (Bandung, Indonesia), is the first anti-virus virus: it detects and removes the Brain virus and then installs a copy of itself in its place.
The first virus construction kit, designed for the Atari ST, is presented. This tool allows even beginners to easily "assemble" viruses with characteristics specified by the user.
Robert T. Morris, a Cornell University graduate student, releases a worm that exploits several vulnerabilities in Unix systems (among them a buffer overflow in fingerd and a debug backdoor in sendmail) to copy itself to other computers on the Internet. A programming error causes it to reinfect hosts far too often, and within a few hours thousands of computers grind to a halt.
An anonymous German author releases Cascade, the first self-encrypting memory-resident virus, into the wild. On infected machines it produces a "waterfall" effect: letters tumble down the screen.
The first polymorphic virus, 1260 (also known as V2Px or Washburn, after its author Mark Washburn), is discovered. Polymorphic viruses re-encrypt themselves with a different key on each infection and vary the decryption routine as well, so that no constant byte sequence remains for a scanner to match; this greatly complicates the development of anti-virus software.
Dark Avenger.1800 (Eddie), written in Sofia, Bulgaria, is the first fast infector: it infects not only programs that are run but any program file that is merely opened, for example by a virus scanner. Its damage, however, is slow: every 16th time an infected program is run, it overwrites a random disk sector.
The Frodo virus (also known as 4096) is discovered in Haifa, Israel. It is the first full stealth file infector: while resident it hides the changes to infected files' size and contents. On 22 September it tries to display the message "FRODO LIVES!".
The PC Cyborg Corporation, registered in Panama, mails floppy disks to participants of an international AIDS conference. The disks supposedly contain important informational material which must first be installed on the hard disk. The enclosed licence states that continued use requires payment of USD 378.00 and that non-payment will result in critical data being encrypted. Installation plants a Trojan horse which, on the 90th boot, scrambles the file and directory names on the hard disk, rendering it unusable; it is often regarded as the first ransomware. Shortly afterwards the author, Dr. Joseph Popp, is arrested, but he is ruled unfit to stand trial on psychiatric grounds.
This is the year the "marijuana" (Stoned) virus turns up in Australia and New Zealand; on roughly every eighth boot from an infected disk it calls for the legalisation of marijuana.
AIDS is the first Trojan horse spread via mailing lists. It overwrites the beginning of files and displays the message "Your computer now has AIDS"; afterwards the system hangs and the computer must be restarted.
McAfee's virus scanner comes to market. This version already detects 44 viruses; IBM's comparable scanner detects only 28.
Ping-Pong, also called Bouncing Ball or Italian, is probably the best-known and most widespread boot sector virus of its day. When triggered, a ball bounces across the screen.
Other polymorphic viruses appear in the USA, including Virus-90 and Virus-101.
Anthrax and V-1 are the first multipartite ("compound") viruses, infecting both boot sectors and program files; Flip is the first of this type to spread successfully.
Symantec introduces Norton AntiVirus, one of the first anti-virus products from a large software company.
The "Verband Deutscher Virenliebhaber" [Association of German Virus Lovers] publishes a virus construction kit for DOS which lets anyone assemble new viruses.
Discovery of the first cluster virus, Dir-II: instead of modifying program files, it alters directory entries so that they point to the virus code, which then loads the original program.
The Swiss Tequila virus becomes active four months after infection. It is a multipartite virus, infecting the master boot record and DOS EXE files, and also a stealth virus: while it is resident, a query for the size of an infected program returns the host program's original length, so the file appears unchanged.
A virus writer calling himself Dark Avenger releases the Mutation Engine (MtE), a module that turns any simple virus into a polymorphic one. It removes the need to rewrite the virus by hand: not only is the body re-encrypted, the decryption routine itself is regenerated for every infection, so that two copies have virtually no byte sequence in common.
WinVir 1.4, the first Windows virus, is discovered.
The first virus to infect SYS (device driver) files appears; it is named Involuntary.
The first trade in virus collections is reported: John Buchanan offers his collection of more than 1000 files for USD 100.00.
The anti-virus industry publishes its first WildList, a list of the viruses actually found "in the wild", that is, on users' PCs. A second category, laboratory or "zoo" viruses, comprises samples that exist only in research collections and have never been found on users' systems.
The SatanBug virus infects PCs in Washington, DC. The authorities trace its creator, "Little Loc", to San Diego, but cannot prosecute him as he is a minor.
GDE (Generic Decryption Engine) appears as the anti-virus industry's first tool able to detect polymorphic viruses: instead of matching the ever-changing encrypted body, it emulates the virus's decryption routine and scans the decrypted result.
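The mechanism behind the polymorphic viruses above (1260, the Mutation Engine) and the generic decryption that GDE introduced can be shown at toy scale. The Python below is an added illustration, not code from this chronology or from any program it names: it "mutates" a constant byte string with a random XOR or ADD key and a random amount of junk placed in front of a three-byte stand-in for the decryptor stub, then compares a static signature scan of the raw variants with a scan that first emulates the stub (here simply parsing the toy header) and searches the decrypted body. The header layout, the payload bytes and the signature are all constructed for this example; a real generic decryptor emulates x86 code rather than reading a header.

```python
import random

# Constructed stand-in for a constant virus body (plain text so the effect is visible).
PAYLOAD = b"CONSTANT BODY: a scanner that sees this string has found the virus."

# Toy decryptor-stub layout, an assumption for this example and not any real virus:
#   byte 0: operation (0 = XOR, 1 = ADD), byte 1: key, byte 2: junk length N,
#   then N junk bytes standing in for the regenerated decryptor instructions,
#   then the encrypted body.
OP_XOR, OP_ADD = 0, 1

# Static signature: the first 16 bytes of the plaintext body.
SIGNATURE = PAYLOAD[:16]


def mutate(payload: bytes, rng: random.Random) -> bytes:
    """Produce one polymorphic variant with a fresh key, operation and junk."""
    op = rng.choice([OP_XOR, OP_ADD])
    key = rng.randrange(1, 256)  # never 0: that would leave the body in the clear
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 16)))
    if op == OP_XOR:
        body = bytes(b ^ key for b in payload)
    else:
        body = bytes((b + key) & 0xFF for b in payload)
    return bytes([op, key, len(junk)]) + junk + body


def generic_decrypt(sample: bytes) -> bytes:
    """Emulate the toy stub: skip the junk and undo the encryption."""
    if len(sample) < 3:
        raise ValueError("too short to contain a stub")
    op, key, junk_len = sample[0], sample[1], sample[2]
    body = sample[3 + junk_len:]
    if op == OP_XOR:
        return bytes(b ^ key for b in body)
    if op == OP_ADD:
        return bytes((b - key) & 0xFF for b in body)
    raise ValueError(f"unknown decryptor operation {op}")


def static_scan(sample: bytes) -> bool:
    """Pre-GDE approach: match the signature against the bytes on disk."""
    return SIGNATURE in sample


def generic_scan(sample: bytes) -> bool:
    """GDE approach: run the decryptor first, then match the signature."""
    try:
        return SIGNATURE in generic_decrypt(sample)
    except ValueError:
        return False  # nothing our emulator recognises as a stub: treat as clean


def body_overlap(a: bytes, b: bytes) -> float:
    """Fraction of aligned tail positions (the encrypted bodies) that are equal."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a[-n:], b[-n:])) / n


def roundtrip(seed: int) -> bool:
    """True if emulating one variant's stub recovers the original body."""
    return generic_decrypt(mutate(PAYLOAD, random.Random(seed))) == PAYLOAD


def compare_scanners(n: int = 20, seed: int = 1) -> tuple[int, int, int]:
    """Generate n variants and count how many each scanner catches."""
    rng = random.Random(seed)
    variants = [mutate(PAYLOAD, rng) for _ in range(n)]
    static_hits = sum(static_scan(v) for v in variants)
    generic_hits = sum(generic_scan(v) for v in variants)
    return static_hits, generic_hits, len(variants)


if __name__ == "__main__":
    rng = random.Random(1)
    v1, v2 = mutate(PAYLOAD, rng), mutate(PAYLOAD, rng)
    print(f"byte overlap between two variants: {body_overlap(v1, v2):.1%}")
    s, g, n = compare_scanners()
    print(f"static signature scan: {s}/{n}, generic decryption scan: {g}/{n}")
```

Two variants share almost no bytes even though they carry the same body, which is why the signature scanners of the day missed every copy; the emulating scanner catches all of them because the plaintext body is constant. The weakness of the approach is also visible: the emulator only understands stubs it has been taught, so a decryptor it cannot follow (here, an unknown operation byte) yields a miss rather than a detection.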
A virus writer posts his Kaos4 virus to the alt.binaries.pictures.erotica newsgroup in order to spread it. A large number of readers download the file and infect their computers in the process.
SMEG.Pathogen (together with its sibling SMEG.Queeg) spreads in the United Kingdom. Scotland Yard arrests Christopher Pile, also known as Black Baron.
Good Times is the first hoax: an e-mail with "Good Times" in the subject line warns of a new virus which supposedly wipes the entire hard disk merely when the message is read. The warning ends with the request "Forward this to all your friends", and in this way the hoax spreads across the Internet.
Concept, the first macro virus, infects Microsoft Word documents. One of its macros contains the comment "That's enough to prove my point". WM/Concept is the first virus written specifically for Microsoft Word and found in the wild.
Black Baron admits guilt and is sentenced to 18 months in prison.
Esperanto is a new virus which adapts itself to the operating system: it infects DOS and Windows programs and, if it lands on a Macintosh, runs as a Mac program. It is thus the first virus aimed not at one kind of program but at basically everything then running on PCs and Macs. Its creator is the Spanish virus-writing group 29A, which also claims the WM.CAP macro virus.
Boza, the first Windows 95 virus, is written by Quantum, a member of the Australian virus-writing group VLAD. When an infected program is started, the virus looks for up to three executables which have not yet been infected and infects them. On the 31st of any month it displays a message about its creators.
The first Excel macro virus, XM.Laroux, appears at sites in Alaska and South Africa. It infects Microsoft Excel workbooks and can be recognised by a hidden worksheet named "laroux".
Staog, the first Linux virus, is found in the lab, but is never spotted in the wild.
Linux.Bliss is the first Linux virus found in the wild. It looks for programs the current process has write permission for and overwrites them with its code, destroying the original program. The virus also shows worm-like behaviour, which lets it infect computers across a network.
Virus writers produce mIRC scripts which, in worm-like fashion, spread automatically among Internet Relay Chat users.
The CIH virus (also called Chernobyl), written in Taiwan, reaches Europe and the USA via the Internet, where it is also spread unwittingly on promotional downloads and free CD-ROMs. On 26 April 1999 its payload fires: it overwrites the beginning of the hard disk and on some machines also flashes the BIOS, leaving the PC unbootable. The author, Chen Ing-hau, is identified and arrested but soon released, as no one in Taiwan files a complaint. Shortly afterwards Wahoo, a Taiwanese Linux distributor, hires him as a security expert.
The polymorphic Windows virus Win95/Marburg spreads via the computer game "Wargames" and a CD-ROM included with the Australian magazine "PC Power Play". It infects Win32 EXE and SCR (screen saver) files and triggers three months after a file was infected: when an infected application is started, the standard Windows error icon (a white "X" in a red circle) is scattered over the entire screen. Marburg deletes the databases of several anti-virus programs and avoids infecting EXE files with a "V" in their name (Scanvirus.exe, etc.), so that the self-integrity checks of most anti-virus programs do not raise the alarm.
The first Excel formula virus, named XF.Paix.A, appears. This virus does not use Excel's standard macro capabilities, but a special formula sheet instead, which can contain the malicious code.
Carl-Fredrik Neikter presents NetBus, a back-door program which provides hackers with access to infected computers.
The first Microsoft Access virus and variants are discovered: A2M.Accessiv for Access 2.0; AM.Accessiv.A,B, AM.Tox.A,B for Access 97.
AOL Trojan horses make their appearance: the first of many Trojans steals account information from AOL users, and AOL mailboxes are flooded with infected attachments.
Strange.Brew is the first virus able to infect Java class files; it cannot spread via applets in a web browser, as the sandbox denies it access to the file system.
The Cult of the Dead Cow group releases Back Orifice, a concealed remote-control program which permits both program execution and monitoring of the computer. The media also turn their attention to NetBus, which appeared earlier and behaves similarly.
The first VBScript virus, VBS.Rabbit, goes into action when an infected script is run. The viral code searches certain Windows directories and the current directory for further script files (.VBS) and prepends itself to them; the infected scripts still work, so the virus continues to spread. On the second day of each month, between nine and ten o'clock, it searches for all files with .txt and .doc extensions and replaces their contents with an ASCII drawing of an obscene gesture.
The HTML.Internal virus, also known as HTML.Prepend, is written in VBScript and only works in Internet Explorer. When the user views an infected web page, the script runs and inserts itself into HTML documents on the user's PC. An infected file is relatively easy to recognise by the characteristic text at the beginning of its header.
Discovery of P97M.Vic.A, the first Microsoft PowerPoint virus, also known as PM97/Vic.A. It infects the UserForm attached to a command button; when the button is clicked, the virus infects all PowerPoint documents under C:\My Documents.
W97M.Melissa.A spreads world-wide within hours. It infects Word documents and mails itself to the first 50 addresses in each Outlook address book, which brings down numerous mail servers, even those of large software companies. After his arrest, David L. Smith admits writing the virus.
NetBus 2 Pro is released as a commercial program. To stop anti-virus vendors from flagging it as malware, author Carl-Fredrik Neikter demands payment for his product. The vendors nonetheless add detection for it, as it is a malicious program.
W32/ExploreZip is an e-mail worm which replies to every unread message in the inbox with a copy of itself attached. It also destroys data on the infected machine by truncating Office documents and source files to zero length. Computers without Outlook can be infected as well.
Back Orifice 2000 is presented by the Cult of the Dead Cow at DEF CON in Las Vegas; the new version of the remote-control program also runs under Windows NT. The polymorphic, memory-resident W32/Kriz virus spreads via infected screen savers and EXE files; on 25 December it attempts to overwrite all files on local and network drives and, like CIH, to flash the BIOS.
VBS/BubbleBoy is a worm which exploits security holes in Internet Explorer and Outlook. It is the first malware able to infect a system without the user opening an e-mail attachment: the embedded script runs as soon as the message is opened or shown in Outlook's preview pane.
Y2K fix is a Trojan which, on some computers, has the program crash before any damage can be done. On other computers, it claims to solve Y2K-related problems while in reality it is overwriting the hard disk.
VBS.Loveletter spreads world-wide at breathtaking speed. Variant A, known as "ILOVEYOU", is followed by countless others. The worm tries to spread by several means, most commonly by mailing itself as an attachment; the subject line reads "ILOVEYOU" and the body "kindly check the attached LOVELETTER coming from me". Originally written by Onel de Guzman (Spyder), the worm searches all local and network drives for files with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG and JPEG, overwrites them with a copy of itself and gives them a .vbs extension; MP2 and MP3 files are hidden and a copy of the worm is placed beside them. Once again numerous mail servers collapse, and over the following weeks every newly discovered variant makes the news.
VBS.Stages is an Internet worm which spreads via e-mail, disguised as what appears to be a text file. It deletes the messages it sends to conceal its activity.
W32.Pokey.Worm arrives as an e-mail attachment. If the user opens the attached pikachupokemon.exe, an animated Pokemon character appears while the worm mails itself to every entry in the Outlook address book. It also deletes important system files, after which the operating system can no longer be started.
The first Trojan horse for PDAs (Personal Digital Assistants) appears. Palm.Liberty.A does not spread on its own but reaches the handheld via the synchronisation process and deletes the applications installed on it. It originated with Aaron Ardiri, employed at the University of Gävle in Sweden.
Navidad.EXE is a worm using Outlook or Express to spread. All types of Windows computers can be infected.
VBS.SST@mm, the "Anna Kournikova" worm, hides in the e-mail attachment AnnaKournikova.jpg.vbs. If the user opens the attachment, which purports to be a photograph of the tennis player, the worm copies itself into the Windows directory and mails itself to the entire MS Outlook address book. Shortly after the outbreak its Dutch author, Jan de Wit, turns himself in and is sentenced to 150 hours of community service. A shop assistant in a computer store in Sneek, the Netherlands, he states that he has no programming knowledge and simply built the worm with a "virus construction kit" (VBS Worm Generator).
W32/Naked poses as a Flash animation and, once started, mails itself as NakedWife.exe to the entire MS Outlook address book. By deleting various Windows and system directories it renders the system unusable, and the computer must be reinstalled.
The network worms Code Red and Code Red II exploit a buffer overflow in Microsoft's Internet Information Server (IIS) web server on Windows NT and 2000 and spread without any user involvement. Unlike the original, which floods the White House website with traffic, Code Red II does not attack the White House; instead it installs a back door through which attackers gain control of the machine.
The W32/SirCam worm spreads via MS Outlook Express. Once run, it copies itself into the system directory and is reactivated whenever the user starts an EXE program. It can also copy itself onto shared network drives, to be run there by the respective users. SirCam does not only send itself: it attaches personal documents found on the infected computer to its mails, and it is the first worm to carry its own SMTP engine.
The aggressive Nimda worm races across the World Wide Web. What is novel about it is that no user intervention is required for it to spread. It uses known software vulnerabilities and several infection methods at once: it spreads via e-mail, infects web servers and copies itself onto other computers over the network. Its rapid spread slows Internet traffic, brings down affected websites and compromises file system security by exposing local drives as network shares.
The memory-resident W32.Badtrans.B@mm Internet worm is a variant of WORM_BADTRANS.A and exploits a known security hole in MS Outlook and Outlook Express. Once it has infected a machine, the worm registers itself as a system service, replies to incoming e-mail with a copy of itself, steals passwords and installs a key logger, which records every key pressed and the program in which it was pressed.
Peachy is a VBScript worm which hides in PDF files and spreads via MS Outlook. If a user opens the PDF in the full Adobe Acrobat (the free Reader cannot run it), a picture with a tiny game appears in which a peach must be found. Double-clicking an icon with the supposed solution starts the VBS file, and the worm tries to mail itself to the first 100 addresses it finds in Outlook.