IN THE WILD - A CHRONOLOGY OF COMPUTER VIRUSES by C. Burján
von Neumann (1903-1957), Hungarian computer scientist, develops the theory
of self-reproducing automata.
programs are used as placeholders in mainframe computers. If no jobs are
waiting, these programs copy themselves at the end of the queue. Thanks to
their propensity to proliferate, they are soon nicknamed Rabbits.
At around the same time, H. Douglas McIlroy, Victor Vysottsky, and
Robert Morris, programmers at Bell Laboratories, invent the game of Core
Wars.The game's objective: to steal valuable CPU time from the opponent.
In the early 1970's, Bob Thomas is
employed at ARPANET developer Beranek and Newman, where he is actively
involved in designing the technical foundation of today's Internet. He
creates the Creeper program, which travels from computer to computer
within the network. Seeing that the program is reproducing itself out of
control, Thomas then writes a second program, Reeper, to pursue and
disable the pest.
Jürgen Kraus, a
computer science student at the University of Dortmund, writes his
master's thesis on Selbstreproduktion bei Programmen, [Program
Self-Reproduction], describing the construction of such phenomena. This
thesis is the first study to show that certain programs can display
behaviour similar to that of biological viruses. His work is not presented
and disappears in the university archives.
[ Top ]
Rich Skrenta's Elk Cloner program infects Apple II disks without
deleting data. When the disk is started for the 50th time, a poem appears
on the desktop.
Professor Len Adleman employs the term "virus" to
describe self-copying programs when discussing them with Fred Cohen, his
computer science student.
At the same time, Joe Dellinger, a
student at Texas A&M University, writes several self-reproducing
programs for Apple II disks, naming them Virus 1, Virus 2 and Virus 3.
Jon Hepps and John Shock of Xerox PARC generate worms for divided
computer programs; these are designed for internal use. Unfortunately, a
programming error slips in, allowing the worm uncontrolled self-copying,
and the affected programs must be shut down.
Fred Cohen presents his first functional virus: Programmed under
the Unix operating system, it implants itself in the VD command. Whenever
an infected program is run, this virus inherits the program's system
privileges, and in this way can transfer these privileges to each user
within a short period of time.
presents his dissertation, entitled “Computer Viruses - Theory and
Experiments”, which attracts international attention. It both defines the
computer virus and includes descriptions of numerous experimental viruses.
The EGABTR virus, posing as a program
designed to improve the poor graphics then prevalent, is distributed via
mailboxes. However, once this camouflaged Trojan horse is started, all
files on the hard disk are deleted and a message appears on the screen:
“Arf, arf, Gotcha!”
1985 also witnesses publication in "Apples"
magazine of a source code virus for Apple II.
Basit und Amjad Farooq Alvi, managers of Brain Computer Services,
a small Pakistani computer firm, include with each software copy a
harmless programm with their name and address, whose purpose is to foster
customer loyalty. Their action unintentionally results in the first MS-DOS
virus which, under the names Brain or Pakistani, soon spreads world-wide.
In late 1986, Ralf Burger (Germany) presents the Virdem virus
during a Chaos Computer Club conference. It establishes itself in the
disk's boot sector and is spread by means of boot sector exchange. Virdem
infects COM files without deleting data.
[ Top ]
The Lehigh virus checks a disk each time it is read to determine
whether the files have already been infected. After every fourth
infection, part of the disk which has been read is overwritten. This is
the first virus to infect command.com.
CHRISTMAS EXEC spreads
throughout IBM VM/CMS systems. It shows a Christmas tree on the desktop
and then secretly sends itself via e-mail. Although this worm is dependent
on human assistance, it forces a number of systems to shut down.
Jerusalem: This virus, also known as Friday the Thirteenth, is the
first virus to establish itself in the main memory (RAM). It affects the
computer in two ways: On any thirteenth day of the month falling on a
Friday, it deletes all COM and EXE files. On all other days, the virus
reduces computer speed after 30 minutes.
The notorious Stoned
virus, the first master boot sector virus, is the brainchild of a student
at the University of Wellington in New Zealand. In addition to a "Your PC
is now stoned!" message, the Virus also proclaims “Legalize Marijuana!”.
Zuk, created by Denny Yanuar Ramdhani
(Bandung, Indonesia), is the first anti-virus virus. It recognises and
removes the Brain virus and then replaces it with a copy of itself.
The first virus construction kit, designed for the Atari ST, is
presented. This tool allows even beginners to easily "assemble" viruses
with characteristics specified by the user.
Robert T. Morris, a
Cornell University computer science student, starts a worm which takes
advantage of gaps in the UNIX operating system to reproduce itself on
Internet computers. However, a program error results in such a
proliferation of the worm's progeny that thousands of computers are
brought to a halt just a few hours later.
An anonymous German lets
the first self-encoding memory-resident virus, Cascade, loose into the
wilderness. When infection is successful, this virus produces a waterfall
effect, with letters raining down on the display screen.
The first polymorphic (multiform) virus is
discovered, named V2Px, 1260 or Washburn. Such viruses repeatedly
re-encode themselves, which complicates the development of anti-virus
The Dark Avenger.1800 virus, written in Sofia, Bulgaria,
is the first quick-infecting virus which, however, impairs data very
The Frodo virus is discovered in Haifa, Israel. This is
the first stealth virus which can infect files. On 22 September, the virus
issues the message “Frodo lives!”
The PC Cyborg Corporation,
registered in Panama, sends disks to participants at an international AIDS
conference. These disks supposedly contain important informational
material which must first be installed on the hard disk. Enclosed is the
manufacturer's licence, which states that a longer period of use will
require payment of USD 378.00. Non-payment will result in the encoding of
critical data. Program installation places a Trojan horse in the computer,
which encodes the contents of the hard disk when the computer is started
for the ninetieth time. Shortly thereafter, one of the company's owners is
sentenced and then committed to a psychiatric institution.
the year that the marijuana virus turns up in Australia and New Zealand, a
virus calling for the legalisation of marijuana every eighth time that the
program is run.
AIDS is the first Trojan horse to spread via
mailing lists. It overwrites the beginning of documents and issues the
message: “Your computer now has AIDS”. After this message appears on the
screen, the system collapses and the computer must be restarted.
McAfee virus scanner is put on the market. This version is already capable
of recognising 44 viruses. IBM's comparable virus-search program
recognises a mere 28.
[ Top ]
named Bouncing Ball or Italian, is probably the best known and most widely
spread boot sector virus. When the virus is activated, a ball bounces
across the screen.
Other polymorphic viruses appear in the USA,
including Virus-90 and Virus-101.
Anthrax and V1 represent the
discovery of the first compound viruses. The Flip virus is the first of
this type to spread successfully.
Symantec introduces Norton
AntiVirus, one of the first anti-virus programs developed by a large
Publication of the virus
construction kit for DOS systems by the "Verband Deutscher Virenliebhaber"
[Association of German Virus Fans]; this kit enables one to assemble new
Discovery of the first cluster virus: DirII.
Tequila virus from Switzerland remains active four months after infection.
This is a so-called multipartite virus, which infects the master boot
sector and DOS-EXE files. It conceals itself by outputting the guest
program's original length when queried, so that it appears unchanged.
A virus programmer calling himself Dark
Avenger presents the Mutation Engine program. This program can be used to
generate polymorphic viruses from simple viruses. It also eliminates the
necessity of constantly recoding the virus, since the encoding program
instructions have been changed as well. Each new virus then has virtually
no byte in common with its predecessor.
WinVir 1.4, the first
Windows virus, is discovered.
The first virus to infect SYS files
appears on the screen and is given the name Involuntary.
virus collection phenomenon is announced: John Buchanan offers his
collection, which includes more than 1000 files, for USD 100.00.
The anti-virus industry presents its first
wild list. This is a list of all computer viruses which surface "in the
wild"; that is, directly on the user's PC. A second category includes
laboratory or zoo viruses, i.e. viruses "bred" or developed in
laboratories for research purposes.
The SatanBug virus infects PCs
in Washington, DC. The authorities are able to trace Little Loc, its
creator, to San Diego. However, they cannot take legal action as he is
GDE (Generic Description Device) appears as the
anti-virus industry's first tool capable of recognising polymorphic
[ Top ]
A virus programmer places his
Kaos4 virus in the alt.binaries.pictures.erotica newsgroup in order to
spread his virus. A large number of visitors download the file, infecting
their computers in the process.
The SMEG.Paragon virus spreads
throughout England. Scotland Yard arrests Christopher Pile, also known as
Good Times is the first hoax: An e-mail with "Good
Times" in the subject line warns of a new virus, which supposedly causes
the entire contents of the hard disk to be deleted – merely by reading the
message. This warning ends with the request “Forward this to all your
friends”, by which means the hoax is spread throughout the Internet.
Concept, the first macro virus, infects
Microsoft Word documents. The text contained in the virus reads: “That’s
enough to prove my point”. WM/Concept was the first virus specifically
written for the Microsoft Word system and discovered "in the wild".
Black Baron admits guilt and is sentenced to 18 months in prison.
Esperanto is the name of a new virus which
automatically adjusts to the operating system. If the virus lands in a
Macintosh, it is run as a Mac program. Esperanto is thus the first virus
which is not only capable of infecting specific programs but basically
anything then (1996) on PCs and Macs. The creator of the virus is the
Spanish 29A virus programming group, which also claims responsibility for
the WM.CAP macro virus.
Boza, the first Windows 95 virus, is
written by Quantum, a member of the VLAD virus programming group in
Australia. When an infected program is started, it searches for up to
three executable files which have not yet been infected, and infects them.
On the 31st of each month it issues a message regarding its creators.
The first Excel macro virus, XM.Laroux, makes its appearance in
Alaska and Africa. It infects Microsoft Excel documents containing a
hidden "laroux" table.
Staog, the first Linux virus, is found in
the lab, but is never spotted in the wild.
Linux.Bliss is the first Linux virus in the wild. It searches for
programs for which the current process has write permission, and then
overwrites such files with its viral code – simultaneously destroying the
original program. The virus exhibits wormlike behaviour, which aids it in
infecting computers via a network.
Virus programmers write mIRC
scripts, which, in a worm-like manner, are automatically spread amongst
Internet Relay Chat users.
[ Top ]
(also referred to as Chernobyl), originating in Taiwan, travels via the
Internet to Europe and the USA, where it is unwittingly spread via
promotional downloads and free CD-ROMs. On 26 April 1999, it deletes data
from the host computer. On a few computers, it even manages to overwrite
the BIOS. The perpetrator, Chen Ing-hau is discovered and arrested, but he
is soon released as no one in Taiwan is interested in pressing charges.
Shortly thereafter Wahoo, a Taiwanese Linux distributor, hires him as a
Win95/Marburg, the polymorphic Windows virus,
spreads via the "Wargames" computer game and by means of a CD-ROM included
in the Australian "PC Power Play" magazine. It infects Win32 EXE and SCR
(screen saver) files and is activated three months after the file is
originally infected. If an infected application is started, the virus is
displayed as a standard Windows error (a white "X" on a red circle),
distributed over the entire screen. Marburg deletes databases from a
variety of anti-virus programs and prevents discovery by infecting all EXE
files with a "V" in their name (Scanvirus.exe, etc.) This enables it to
infect the self-test of most anti-virus programs.
The first Excel
formula virus, named XF.Paix.A, appears. This virus does not use Excel's
standard macro capabilities, but a special formula sheet instead, which
can contain the malicious code.
Carl-Fredrik Neikter presents
NetBus, a back-door program which provides hackers with access to infected
The first Microsoft Access virus and variants are
discovered: A2M.Accessiv for Access 2.0; AM.Accessiv.A,B, AM.Tox.A,B for
AOL Trojan horses make their appearance. The first of
many Trojan horses steals information from AOL users. AOL e-mail addresses
are flooded with infected document attachments.
the first virus capable of infecting Java applications; however, it is
unable to spread via web-based Java.
The Cult of the Dead Cow
group presents Back.Orifice, a disguised remote control program with
permits both program execution as well as computer monitoring. The media
turn their attention to NetBus, which has already appeared and which
displays similar behaviour.
The first VB script: VBS.Rabbit first
goes into action when an infected script is run. The viral code searches
certain Windows directories and the current directory for additional
script files (VBS) and writes itself at the beginning of these files. The
infected scripts can still run, thus continuing the spread of the virus.
On the second day of each month between nine and ten o'clock, the script
searches for all texts containing ".txt - und .doc" extensions and
replaces these texts with a drawing of an obscene gesture.
HTML.Internal-Virus, also known as HTML.Prepend, is based on VBS, but only
occurs when Internet Explorer is used. If the user views a website which
has been infected by the virus, a visual basic script is activated; this
inserts a text into HTML documents on the user's PC. An infected text is
relatively easy to spot, because the header begins, " ".
Discovery of P97M.Vic.A, the first Microsoft PowerPoint virus,
also known as PM97/Vic.A. This virus infects the "User Form", which is
attached to a command button. If the button is clicked, the virus infects
all PowerPoint documents under C:\My Documents.
[ Top ]
W97M.Melissa.A quickly spreads world-wide. The virus infects Word
documents and sends itself as an e-mail message to as many as 50 addresses
in the Outlook address book, which leads to the collapse of a large number
of mail servers – even those of large software companies. Following his
arrest, David L. Smith admits responsibility for this virus.
NetBus 2 Pro is presented as a commercial program. In order to
prevent anti-virus manufacturers from reporting it as a virus, author
Carl-Fredrik Neikter demands payment for his product. The manufacturers
nonetheless insert a recognition routine, as this is a malicious program.
W32/ExploreZip is an e-mail worm which, together with an attached
worm file, sends itself to the senders of all unread e-mail in the
incoming mailbox. Even computers not using Outlook can be infected with
Back.Orifice 2000 is presented by Cult of the Dead
Cow at DefCon in Las Vegas. The new version of the remote control program
now works under NT as well. The polymorphic, memory-resident (or more
accurately "memory-resistant") W32/Kriz virus spreads via infected
screensavers or EXE files. It attempts to overwrite all documents on the
local hard disk and network drives.
VBS/BubbleBoy is a worm which
takes advantage of Internet security gaps using Explorer and Outlook. It
is the first virus capable of infecting systems without requiring a user
to open an e-mail attachment. The worm runs as soon as the user opens
e-mail in Outlook.
Y2K fix is a Trojan which, on some computers,
has the program crash before any damage can be done. On other computers,
it claims to solve Y2K-related problems while in reality it is overwriting
the hard disk.
world-wide at a breathtaking speed. Variant A, known under the name
“ILOVEYOU”, is followed by countless others. This is a worm which attempts
to spread by a variety of means; the most common is sending itself as an
e-mail attachment. The subject line of infected e-mail messages reads:
ILOVEYOU, with the following text in the message: “kindly check the
attached LOVELETTER coming from me”. Originally programmed by Onel de
Guzman (Spyder), the worm searches all local and network drives for files
with VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA., JPEG or MP3 filename
extensions. These files are overwritten with the worm, and their filename
extensions are renamed .VBS or extended. Once again, numerous mail servers
collapse. Over the next few weeks, each newly discovered virus makes a
splash in the news.
VBS.Stages is an Internet worm which spreads
via e-mail and which is concealed in what appears to be a text file. All
e-mails sent by the virus are deleted to conceal its movements.
W32.Pokey.Worm is the name of the worm which appears as an e-mail
attachment. If the user opens the pikachupokemon.exe document attachment,
an animated Pokemon character appears. In addition, the worm automatically
sends itself to all entries in the Outlook address book. The worm deletes
all important system files and the operating system can no longer be
The first PDA (Personal Digital Assistant) Trojan horse
appears. Palm.Liberty.A does not spread on its own, but reaches the
synchronisation process on the small-sized computer and deletes updates.
Palm.Liberty.A was accidentally created by Aaron Ardiri, employed at the
University of Gavle in Sweden.
Navidad.EXE is a worm using Outlook
or Express to spread. All types of Windows computers can be infected.
[ Top ]
VB.SST@mm is a computer worm concealed in
the AnnaKournikova.jpg.vbs e-mail attachment. If one opens the document
attachment which purports to be a photograph of the tennis player, the
worm copies itself into the Windows directory and then sends itself to the
entire address directory via MS Outlook. Shortly after the outbreak of
this virus, its Dutch creator turned himself in and was thereupon
sentenced to 150 hours of community service. A salesman in a computer shop
in Sneek, the Netherlands, he stated that he had no programming knowledge,
but simply created the worm using a "virus construction kit".
W32/Naked disguises itself as flash animation and, once activated,
sends itself as an e-mail worm with the NakedWife.exe to the entire MS
Outlook address book. By deleting various Windows and system directories,
the system is rendered unusable and the computer must be restarted.
Mass mailers Code Red and Code Red II take advantage of a security
leak in Microsoft's "Internet Information Server" web software, which runs
under Windows NT or 2000. Unlike the original, Code Red II does not attack
the White House website; instead, it installs a back door to the system,
through which hackers gain control of the computer.
worm spreads via MS Outlook Express. Once it is run, it places itself in
the system directory and is reactivated any time the user starts a program
using the EXE filename extension. It can also independently copy itself
onto shared network drives, from there to be activated by the respective
user. SirCam does not only send itself, but also sends personal data which
it finds on the infected computer. It is also the first worm equipped with
its own mail server.
The aggressive Nimda computer worm races
through the World Wide Web. What is novel about it is that user
intervention is no longer required for it to spread. Instead, it utilises
known software weak spots and different types of infection. It spreads via
e-mail and can also implant itself in outside computers by means of the
Internet. This worm's rapid spread affects Internet traffic, leads to the
collapse of affected websites and compromises file system security, in
that it releases local network drives.
W32.Badtrans.B@mm Internet worm is a variant of WORM_BADTRANS.A, which
avails itself of a known security gap in e-mail applications (MS Outlook/
Express). Once infection has taken place, the worm registers itself as a
system service and replies to incoming e-mail, spies out passwords and
installs a key logger (this records each key pressed by the user and
records which program is being used).
Peachy is a VBS worm which
hides in PDF files and spreads via MS Outlook. If a user opens this PDF
file in Adobe Acrobat, a picture with a tiny game appears where a peach
must be found. Double-clicking an icon with the supposed solution starts
the VBS file. The worm attempts to send itself to the first 100 addresses
which it finds in Outlook.
[ Top ]