A Brief History Of Viral Time


Created by two programmers named Basit and Amjad, Brain was a boot virus that ran when a computer was booted up with an infected floppy diskette in the A: drive. (Remember when floppy disks were actually floppy?) Once a machine was infected, it would infect all subsequent floppies put in the drive.

Brain, a.k.a. (C)Brain, was also the first stealth virus, meaning that the boot sectors of infected diskettes would appear uninfected to users. The Brain virus didn't spread very quickly, nor was it particularly harmful -- but it ushered in an era of increasingly destructive viruses, worms, and other malware.

Computer viruses have changed a great deal since then. It has generally been an evolutionary change: mostly small developments that, when looked at cumulatively, can be viewed as rather spectacular. In this story we'll look at overall trends in the history of PC viruses; also see the timeline below and to the left for more information about specific virus events.

Virus Or Worm?

In this piece we use the term virus generically to mean any self-replicating software. Technically, though, a virus uses a computer's storage media -- hard disk, floppy disk, flash memory stick, etc. -- as its transfer medium, whereas a worm uses external resources, such as an Internet connection or a network server. Additionally, viruses usually need some form of user interaction to spread, while worms may spread with no user assistance.

The term malware refers to any kind of malicious software, including viruses, worms, Trojans, spyware, rootkits, and so on. We'll get to these other nasties later in the piece.


The Early Years


Once Brain showed the way, many derivative PC viruses followed in the late 1980s. With no built-in protection, Microsoft's DOS operating system made it easy. Before long, there were about 100 known computer viruses. (Today there are about 300,000, according to some estimates.)


The Lehigh virus, discovered at Lehigh University in 1987, was the first to attack an executable file, specifically COMMAND.COM. The Jerusalem virus (1987), which infected both .EXE and .COM files, was the first to trigger its payload (the subroutine within a virus or worm that actually does the damage) on a specific date -- Friday the 13th. Several other Friday the 13th viruses would follow. The Cascade virus (1988) was the first encrypted virus, which made it difficult to alter or remove.

The first worm to spread widely over the Internet was the Morris worm, released in 1988 by Robert T. Morris, then a graduate student at Cornell University and now an MIT professor. Morris claimed to have created the worm as an intellectual exercise to measure the size of the Internet; however, it spread farther than intended, and many machines were infected multiple times. Infected computers -- Unix machines rather than PCs -- slowed down so much that they became unusable.

In the early 1990s, the computing world saw its first mass-generated computer viruses as virus creation libraries (VCLs) were uploaded to renegade BBSes known as VX Exchange Boards. Here, members of hacker clubs could download virus source code, personalize it, and release their own virus with little effort or true knowledge of programming. Fortunately, VCLs tended to create viruses -- such as Kinison, Donatello, Earthday, Genocide, and Venom -- that were too buggy to ever spread far or cause much concern.


The Math-Test virus, which required users to solve simple math problems before executing their commands, was created with a virus creation toolkit. Courtesy of F-Secure.

A number of the VCL viruses were append-class viruses, appending their infective code to the target program. Some were companion-class viruses, leaving the target untouched but using the MS-DOS execute order so that the virus was run instead of the target program. Some VCL viruses had payloads that would attempt to erase the boot sector. Others overwrote target executables.

Viruses Get Smarter


One of the more interesting virus "enhancements," now dealt with exceedingly well, but initially not dealt with at all, was the self-mutating (also known as polymorphic) virus. Antivirus scanners look for small, recognizable snippets of known computer viruses, so self-mutating viruses try to change recognizable patterns to unrecognizable ones each time they replicate, thereby thwarting simplistic scanner software. Self-mutators based on DAME (Dark Avenger's Mutating Engine) and MtE (Mutating Engine -- also by Dark Avenger) were prevalent in the 1991-1992 timeframe.

To deal with this threat, the scanner authors had merely to remember that even small fragments of code reveal identifiable characteristics inherent in each virus. A new antivirus methodology made polymorphic viruses toothless and easily detected: the emulator program.

This program acts as if it's executing at least the initial part of a program -- usually the decryption portion of the virus -- but really intercepts the code and writes to a safe "sandbox" that exists only in memory. Thus, the decrypted virus can be identified without actually being executed.
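A toy illustration of the emulator approach described above, added here as an example and not taken from any real scanner. The three-opcode "decoder stub", the sample layout and the harmless marker string are all constructed assumptions; the point is that each generation looks different on disk, yet all decode to the same recognizable bytes in the sandbox.

```python
# Toy model only: opcodes, layout (length byte, stub, body) and signature are constructed.
SIGNATURE = b"HARMLESS-TEST-MARKER"      # stand-in for a known code snippet
OP_XOR, OP_ADD, OP_REV = 0x01, 0x02, 0x03
MAX_STEPS = 16                           # emulation budget for oversized stubs

def signature_scan(data: bytes) -> bool:
    return SIGNATURE in data             # plain pattern match on the raw bytes

def emulate(sample: bytes) -> bytes:
    """Interpret the decoder stub against an in-memory copy of the body."""
    n = sample[0] if sample else 0       # stub length; 2 bytes per instruction
    if n % 2 or 1 + n > len(sample) or n // 2 > MAX_STEPS:
        raise ValueError("malformed stub or step budget exceeded")
    sandbox = bytearray(sample[1 + n:])  # the only memory the stub may touch
    for op, k in zip(sample[1:1 + n:2], sample[2:1 + n:2]):
        if op == OP_XOR:
            sandbox = bytearray(b ^ k for b in sandbox)
        elif op == OP_ADD:
            sandbox = bytearray((b + k) & 0xFF for b in sandbox)
        elif op == OP_REV:
            sandbox.reverse()
        else:
            raise ValueError("unknown opcode")
    return bytes(sandbox)

def emulating_scan(sample: bytes) -> bool:
    if signature_scan(sample):
        return True
    try:
        return signature_scan(emulate(sample))
    except ValueError:
        return False                     # could not be decoded within the budget

def constructed_sample(ops, body=SIGNATURE) -> bytes:
    """Fixture builder: store `body` so that the stub `ops` decodes it."""
    data = bytearray(body)
    for op, k in reversed(ops):          # apply inverse steps in reverse order
        if op == OP_REV:
            data.reverse()
        else:
            data = bytearray(b ^ k if op == OP_XOR else (b - k) & 0xFF for b in data)
    stub = bytes(x for pair in ops for x in pair)
    return bytes([len(stub)]) + stub + bytes(data)

GENERATIONS = [constructed_sample([(OP_XOR, 0x5A)]),
               constructed_sample([(OP_ADD, 0x11), (OP_REV, 0)]),
               constructed_sample([(OP_REV, 0), (OP_XOR, 0xC3), (OP_ADD, 0x07)])]
CLEAN = constructed_sample([(OP_XOR, 0x5A)], body=b"quarterly report, nothing to see")
```

The plain scanner misses every entry in `GENERATIONS`, while `emulating_scan` flags all three and leaves `CLEAN` alone.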

And thus began what many antivirus researchers thought of as the "Spy Versus Spy" era. In essence, with each move forward by the virus writers, then countered by the antivirus community, viruses became ever more complex, and therefore more fragile and buggy. (It seems that finding beta testers for computer viruses before their release is rather difficult.) This, in turn, had the side effect of viruses doing unexpected and unintended things. Even with viruses, bugs are bugs.


Tequila, discovered in 1991, was one of the new crop of self-mutating viruses. Courtesy of Sophos.

In 1992, the first virus that caught the attention of the wider public hit the computing world -- the dreaded Michelangelo virus. Set to strike on March 6, the Renaissance painter's birthday, the virus was played up by the media as an urgent threat that would spread massively, erasing the hard drives of all in its path. It turned out to be fairly widespread, but far below most predictions. Some experts hold, however, that the media hoopla caused many organizations to scan for and isolate the virus before it could spread.

Regardless, Michelangelo did surmount the multiple-floppy-disk-format problem suffered by most viruses to this point. Early viruses could write only to diskettes of the same format -- 360K, 720K, and so on -- that the source virus started on. Multiple-format viruses were a new trick.

Virus Hoaxes

As awareness of PC viruses grew among the general public, pranksters began to prey upon users' concern by circulating e-mails warning of viruses that didn't exist. The most famous of these, the Good Times virus hoax, read in part, "There is a virus on America Online being sent by E-Mail. If you get anything called 'Good Times', DON'T read it or download it. It is a virus that will erase your hard drive." Naturally, the e-mail ended with the admonition, "Forward this to all your friends. It may help them a lot."

First seen in November 1994, the Good Times hoax and its variants circulated for years afterward as unwitting users sought to protect their friends from the nonexistent danger. A host of imitators began to spread as well. For a time in the mid-90s it seemed as if every other e-mail message was a false virus warning from a well-intentioned but clueless friend, making these messages nearly as bothersome as viruses themselves.

In response to the slew of virus hoaxes, the Bad Times parody hoax was created, with such outrageous claims of what the virus could do -- including deleting any data on disks within 20 feet of your computer, drinking all your beer, and leaving the toilet seat up -- that nobody could possibly believe it. Security vendors, however, do not appear to be amused. "Some users are still concerned by the message," warns Sophos, and Trend Micro adds, "It plays on the insatiable need of people to forward any warning they get via e-mail, without paying much attention to the actual content."

-- Valerie Potter


Enter The Internet


As floppy disks became close to extinct, so did viruses using floppies as a medium of transport; the Internet became the medium of choice. Internet access was becoming ubiquitous -- everyone was getting a modem.

Even relatively unsophisticated computer users had access to online playgrounds such as AOL, CompuServe, MSN, and GEnie, along with the e-mail and downloading hazards they presented. None of these services initially had any adequate virus-checking or scanning measures in place, so downloading software was dangerous.

Around 1995, macro viruses started being written to take advantage of programming languages inherent in applications as diverse as Lotus 1-2-3 and Microsoft Word. One of the most prevalent macro viruses was the simple Concept virus. It removed all macros in infected files and disabled some of Word's menus, but was otherwise not destructive. Concept was most prevalent in 1995-1997.

Even worse, many of these new viruses took advantage of e-mail/SMTP capabilities in Windows systems by mass-mailing infected files to recipients listed in the address books of popular e-mail programs such as Microsoft Outlook. A good history of macro viruses can be found in Dr. Alan Solomon's seminal paper "Introduction to Macro Viruses" -- a must-read for anyone interested in virus history.


Besides displaying this joke image, the VBS/Monopoly virus sent itself to everyone in the recipient's Outlook address book. Courtesy of Sophos.

As we leave the decade, don't forget that 1999 gave us the virus of the century: Melissa, a combination macro virus and worm. Among other payloads, Melissa inserted quotes from the animated television series The Simpsons in Word documents. But what was devastating was how Melissa spread: by forwarding the infected Word document as an e-mail attachment to 50 people in the computer's Outlook address book.

Melissa propagated more rapidly than any previous virus, infecting an estimated 1 million PCs. The antivirus world was initially not prepared to handle this kind of quick-spreading threat, but came up with solutions very rapidly. Melissa was a wakeup call -- malware wasn't done with computer users by a long shot.

The current decade has seen increasingly sophisticated and fast-spreading worms, including ILOVEYOU (2000), which used the promise of a love letter to fuel its massive spread; Nimda (2001), notable for its sophisticated infection and replication techniques; Code Red (2001), which infected hundreds of thousands of Web pages; MyDoom (2004), the fastest-spreading worm to date; and Sasser (2004), which caused disruptions to satellite communications, airlines, financial services, and more across the globe.


The Hybris worm upgraded itself over the Internet and at times displayed a large animated spiral in the center of the screen. Courtesy of Sophos.

One worm that had an unexpected positive effect was 2003's SQL Slammer (a.k.a. Sapphire). Finding security holes in computers running Microsoft's SQL Server or SQL Server Desktop Engine (MSDE), it infected a huge number of machines very rapidly -- 75,000 computers in 10 minutes -- causing massive slowdowns and server crashes across the Internet. Now for the good news: Because only non-updated systems were vulnerable to SQL Slammer, Microsoft reports, substantially more people are keeping their Windows systems up to date since this worm hit.