`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.' 20TH CENTURY: COMPUTER VIRUS HISTORY `'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'

written by: paranoidxe
date: 04/21/2004

For general information about viruses and how they work, please see my other document, "The Basic Concepts of PC Viruses". This document assumes you already know:

- what a virus is
- what a trojan is
- what a worm is
- what polymorphic, stealth, memory resident, etc. mean
- what .COM, .SYS, .PIF and .EXE files are

If you understand all of the above, please proceed; if you don't, you can still proceed, but you may have a hard time following it.

Please note that this article does NOT cover what I call piggy-back viruses, i.e. viruses such as macro viruses that need Word (or another host application) in order to run. That means Outlook-, Excel- and Word-dependent viruses are NOT covered by this guide. What is covered are some of the revolutionary viruses of the 80s and 90s, some of the more widespread ones, and some of the worms and trojans that were threats back in the day. Please note that most, if not all, of these are no longer a threat today.

- - - - - - - - - - - - - - -
AOL4FREE TROJAN/VIRUS (1997)
- - - - - - - - - - - - - - -

AOL4FREE was a special case, because at the time there was a legitimate AOL4FREE program that let AOL users who were charged by the minute get free AOL time. At the same time, hoax chain letters went around claiming that an "AOL4FREE virus" would delete all the data on your hard drive simply by your reading the message, that no current antivirus software could detect it, and that it would render your computer useless. What came next only added to the confusion: in April 1997 an actual AOL4FREE.COM trojan was released that could delete data on the user's hard drive.
The AOL4FREE.COM trojan (called a virus by some) would delete common Windows directories if the user launched it. So now there were three different stories about one name: a) the hoax, whose claims were WAY out of line with what the trojan actually did, b) the legitimate program that gave AOL users free time, and c) the trojan that deletes common Windows directories. Then a "variant" came along, the AOLHELL97 trojan, which supposedly did exactly what the hoax claimed. The only difference is that the AOLHELL97 trojan NEVER existed. By the time it was all said and done, VERY few people actually got the trojan; confirmed infections were barely in the hundreds.

- - - - - - - - - - - -
THE HARE VIRUS OF 1996
- - - - - - - - - - - -

The real but EXTREMELY overblown virus of 1996 was hands down the Hare virus. While the virus does have a destructive payload and can bring down a computer, the infection rate claimed at the time was insane. The virus was said to have infected millions of computers around the world, and because current AV products supposedly couldn't detect it, people were told they might be infected without knowing it. Many people added to the hysteria by blaming ordinary Windows problems on a Hare infection. So what did the Hare virus actually do? The payload triggers on August 22nd and September 22nd; ONLY on these two dates does the virus overwrite the data on your hard drives. The message displayed by this virus is: "HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare..."

- - - - - - - - - - - - - - - - - -
DATACRIME/COLUMBUS DAY VIRUS (1989)
- - - - - - - - - - - - - - - - - -

This was probably one of the first viruses, if not the very first, to cause hysteria, back in 1989. Datacrime was a virus that would launch its payload on or after October
13th of the year, formatting the first nine tracks of the hard disk and displaying the message "DATACRIME VIRUS RELEASED: 1 MARCH 1989". With those tracks wiped the drive became unreadable, because the partition table, boot sector and file allocation tables that tell DOS where the data lives are stored there. In America Datacrime went under the alias of the Columbus Day virus, and it was rumoured to have been written by Norwegian terrorists. The big Datacrime "attack" was supposedly at the Royal National Institute for the Blind, which reported that Datacrime had wiped out its most important data; it turned out to be a minor outbreak of the Jerusalem virus. The virus became a huge deal because the media and wannabe experts made false claims about it; in the end VERY few computers were ever touched by Datacrime. According to McAfee, only 7 confirmed infections were reported in 6 months.

- - - - - - - - - - - - - -
GHOST.EXE "VIRUS" (1996)
- - - - - - - - - - - - - -

GHOST was originally a harmless program that made ghosts fly around your screen. In 1996 this changed when people (obviously caught up in the Hare hysteria) claimed the program would "attack" computer networks on Friday the 13th. This quickly reached McAfee, which supposedly disassembled it and labeled it a trojan horse. The US Department of Energy's CIAC checked this out and found it to be untrue, yet McAfee continued to label the program a trojan for some time after.

- - - - - - - - - - - - - - -
THE MICHELANGELO VIRUS OF 1992
- - - - - - - - - - - - - - -

The Michelangelo virus was originally discovered in 1991. It is a boot sector virus whose payload overwrites the beginning of the hard disk (partition table, FATs and root directory) every year on March 6th, leaving the user's data effectively gone. Michelangelo gained fame when a major computer manufacturer admitted it had shipped over 500 computers carrying the virus.
Then the press added fuel to the fire by claiming that hundreds of thousands of computers around the world MIGHT be infected. Another major software company jumped on the bandwagon and announced it had distributed 900 floppies carrying the virus. Another reporter then claimed millions of personal computers around the world were infected. Finally the day came, and the "millions" turned out to be thousands, 10 to 20 thousand by most estimates. Quite a few people did get the virus, but the claims of millions were WAY off.

- - - - - - - - - - - - - - -
JERUSALEM VIRUS (1987)
- - - - - - - - - - - - - - -

Jerusalem originated with a programmer in Israel, as part of an experiment. Before Jerusalem the programmer wrote three other viruses, labeled Suriv-1, Suriv-2 and Suriv-3 ("Suriv" is "virus" backwards); Suriv-2 was the first .EXE file infector in the world. The fourth virus became known as Jerusalem and was (so it was believed) accidentally leaked into the wild. Jerusalem could infect .EXE, .COM, .SYS, .PIF and .OVL files on the infected machine. The Jerusalem code has been altered many times, but the original behaves as follows: it goes memory resident and infects every program that is run, with the exception of COMMAND.COM. Due to a bug in the code it re-infects the same .EXE file over and over again, so infected .EXE files keep growing. On any Friday the 13th it deletes every program that is executed.

- - - - - - - - - - - - - - -
STONED VIRUS (1987)
- - - - - - - - - - - - - - -

Stoned was written by a programmer at a university in Wellington, New Zealand, in 1987. The virus infects the master boot record of hard disks and the boot sectors of 360K floppy disks. It was designed with 360K disks in mind, and it will happily infect higher-capacity floppies too, but because it stores the original boot sector at a location that on those formats holds part of the root directory, infecting them can also damage the directory. When booting from an infected disk there is a 1 in 8 chance that the virus will beep and display one of the following messages: "Your PC is now stoned! LEGALIZE MARIJUANA!", "Your PC is now Stoned!", "Your computer is now stoned."
Stoned is another base that many virus writers built on; there are literally over 90 variants of Stoned, doing different things.

- - - - - - - - - - - - - - -
CASCADE VIRUS (1987)
- - - - - - - - - - - - - - -

This virus was written in Germany, and Cascade introduced the concept of encryption: the body of the virus is stored encrypted in each infected file, with a key derived from the file's length, so the bytes of the virus differ from one infected file to the next and a simple byte-string signature would only ever match the small decryption routine. Cascade also introduced another well-known effect: the letters on the screen fall to the bottom and pile up in a heap. Cascade is another base virus with MANY variants, and some of them were quite potent; one variant formats the user's hard drive. Cascade is the virus that made IBM take viruses seriously, after many IBM computers became infected with it.

- - - - - - - - - - - - -
VIENNA VIRUS (1987)
- - - - - - - - - - - - -

Vienna itself, first seen in 1987, is a simple .COM infector; what it is remembered for is what was built on it. Its source code was published in a book, and in 1990 a rewrite of it (Mark Washburn's "1260") became the first known polymorphic virus, which caused a real problem for antivirus writers. Instead of matching a fixed byte string, AV companies had to write an algorithm that applied logical tests to the file and decided whether the bytes it was looking at were one of the possible decryptors. Poorly written implementations of this caused quite a few AV products to generate false positives. What did the Vienna virus actually do to a computer? The virus infected one .COM file every time an infected program was run, and 1/8 of the time, instead of infecting, it overwrote the target's first bytes with a jump to the BIOS reboot routine. Essentially the virus corrupted programs so that they rebooted the computer at random.

- - - - - - - - - - - - - -
DARK AVENGER FAMILY (1989)
- - - - - - - - - - - - - -

The Dark Avenger virus, from Bulgaria, introduced two concepts: fast infection and subtle damage. Fast infection means that merely opening or reading a file (copying it, for example) is enough for Dark Avenger to infect it, not just running it, so the virus spreads across a hard drive incredibly quickly.
Every so often (once every 16 infections) Dark Avenger overwrites a random sector of the disk. If this goes unnoticed for a while, the corrupted files get backed up along with everything else, so when the user later restores a "clean" copy Dark Avenger's damage comes right back with it: in effect, Dark Avenger poisons backups too. Variants of Dark Avenger include Number of the Beast, essentially the same concept as Dark Avenger except that antivirus products commonly identify it as the wrong virus, and the more vicious Nomenklatura, which overwrites the user's hard drive on the 13th of any month.

- - - - - - - - - - - - -
THE WHALE VIRUS (1990)
- - - - - - - - - - - - -

Whale was an EXTREMELY complex polymorphic and heavily armoured virus that literally took AV vendors weeks to pick apart. While the virus itself isn't particularly harmful or effective as an infector, it proved to be one of the toughest analysis jobs the antivirus vendors had faced. Whale could also appear in many different forms and sizes, adding to the complexity. In practice its most noticeable effect was that it crashed the computer it ran on.

- - - - - - - - - - - -
BRAIN (1986)
- - - - - - - - - - - -

The Brain family is thought to be one of the earliest MS-DOS viruses. Brain is worth mentioning because it was the first virus to use stealth: it hooked the disk interrupt (INT 13h), and when anything tried to read the boot sector of an infected floppy it returned the original, clean boot sector instead, so the disk appeared uninfected. Some variants use interrupt trapping to survive warm boots (Ctrl-Alt-Del). Brain doesn't do much other than infect the boot sectors of 360K floppies (the original never touched hard disks), but it is legendary as one of the very first, if not the first, MS-DOS viruses. Some variants do have bugs that scramble files on the infected disk.

- - - - - - - - - - - - -
THE AIDS TROJAN (1989)
- - - - - - - - - - - - -

Often cited as the first ransomware, the AIDS trojan has quite a story behind it. AIDS was considered a virus back in the day, but in reality it is a trojan horse and nothing more.
In the fall of 1989 an "AIDS Information" diskette was mailed out by a company calling itself PC Cyborg. The packaging was very professional, and when the product was used it showed a simple AIDS information program, which is all the user was supposed to think the installer had put on the hard disk. In reality the installer also dropped files into a hidden directory and kept a count of how many times the computer was rebooted. After a set number of boots (around 90) it hid the directories on the disk and encrypted the file names, and the user got a screen demanding payment for the "licence" in exchange for the program that would put everything back. The licence text that came with it reads as a warning in hindsight:

"Warning: Do not use these programs unless you are prepared to pay for them."

"In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement"

- - - - - - - - -
BOZA VIRUS (1995)
- - - - - - - - -

Boza wouldn't be worth mentioning if it weren't for the fact that it is dubbed the very first Windows 95 virus. The virus is a slow infector, but fast enough to go unnoticed by the user. It also carries a bug that can increase an infected file's size by several megabytes, which could eat a lot of disk space. The virus displays a Windows message box:

WINDOW TITLE: Bizatch by Quantum /VLAD
TEXT: "The taste of fame just got tastier! VLAD Australia does it again with the world's first Win95 Virus From the old school to the new... Metabolis Qark Darkman Automag Antigen RhinceWind Quantum Absolute Overload CoKe [ OK ]"

Boza has the simplicity of a 1980s virus; it is not very complex.
Had it not been the first Windows 95 virus it would never have achieved any fame.

- - - - - - - - - - - - - - -
MORRIS/INTERNET WORM (1988)
- - - - - - - - - - - - - - -

The first worm to unintentionally cripple a network. The Morris worm (sometimes called the Internet worm) was simply meant to spread itself to as many computers as possible. One of the first documented infections was on a VAX 8600 at the University of Utah, and from there the worm kept re-infecting machines, driving processor load through the roof. This was a bug: the worm was never designed to overload anything, but its check for machines it had already infected was deliberately unreliable, so hosts ended up running many copies at once. The worm reached over 6,000 machines across the United States. It caused no physical damage to the machines it hit, but there was great financial loss for those who lost use of their systems and network access. In the long run the worm exposed serious security holes in UNIX environments (the sendmail DEBUG command, a buffer overflow in fingerd, trusted-host rsh/rexec logins and weak passwords) which might have gone unnoticed had the worm not used them to propagate.

- - - - - - - - - - - - - - -
THE CHERNOBYL VIRUS (1998)
- - - - - - - - - - - - - - -

A virus that isn't mentioned much anymore, the Chernobyl virus (CIH) introduced a new method of infection. CIH infects Windows 95/98/ME programs. It also attaches itself to programs on NT, but because it relies on Windows 9x internals to get ring-0 (kernel) access it cannot function there, so 95/98/ME are really the only platforms affected. The infection method is what is worth mentioning: a Windows executable is made up of sections whose data on disk is padded up to an alignment boundary, so the end of each section usually contains unused bytes. CIH finds these "cavities", splits its own code into small pieces, and stores the pieces in the unused spaces. Because of this, the file size does not change after infection. Another unique feature is CIH's ability to overwrite the flash BIOS, which leaves the computer unusable until the BIOS chip is reprogrammed or replaced. The chances of this working today are VERY slim, however, since hardware has changed since the virus was written, and some variants have bugs that keep this code from working.
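What the cavity arithmetic looks like in practice, as an added example (this is not CIH's code, and it leaves out the part that makes a virus a virus, hooking the entry point so the scattered pieces get executed; it only shows the space calculation, the split, and the defensive side of the same arithmetic). The PE image is constructed inline with a hypothetical two-section layout and a FileAlignment of 0x200 (an assumption; real linkers vary). The last function is the check a scanner can run: a linker leaves section slack as zero padding, so non-zero bytes there deserve a closer look.

```python
import struct

FILE_ALIGN = 0x200       # assumed FileAlignment: raw section data is padded to this on disk
SECTION_ALIGN = 0x1000   # assumed SectionAlignment in memory
OPT_HDR_SIZE = 0xE0      # size of a PE32 optional header

def _pad(data, align):
    return data + b"\0" * (-len(data) % align)

def build_pe(sections):
    """Constructed minimal PE32 file from [(name, content), ...].
    Only the fields the cavity logic reads are filled in; the rest is zero."""
    n = len(sections)
    table_end = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n
    raw_ptr = (table_end + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    table, body, va = b"", b"", SECTION_ALIGN
    for name, content in sections:
        raw = _pad(content, FILE_ALIGN)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/lines (0), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += -(-len(content) // SECTION_ALIGN) * SECTION_ALIGN
    return _pad(dos + b"PE\0\0" + coff + bytes(opt) + table, FILE_ALIGN) + body

def section_table(pe):
    """Parse the section headers: [(name, VirtualSize, SizeOfRawData, PointerToRawData)]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size
    out = []
    for i in range(n_sections):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off + 40 * i)
        out.append((name.rstrip(b"\0").decode(), vsize, rawsize, rawptr))
    return out

def cavities(pe):
    """Each section's slack: bytes past VirtualSize but inside SizeOfRawData.
    They sit on disk but hold nothing the program uses, so code hidden there adds no size."""
    return [(name, rawptr + vsize, rawsize - vsize)
            for name, vsize, rawsize, rawptr in section_table(pe) if rawsize > vsize]

def plan_split(pe, payload_len):
    """CIH-style plan: greedily carve the payload into pieces that fit the cavities.
    Returns [(file_offset, length)] or None when the file has too little slack."""
    plan, left = [], payload_len
    for _name, off, size in cavities(pe):
        if left == 0:
            break
        take = min(size, left)
        plan.append((off, take))
        left -= take
    return plan if left == 0 else None

def inject(pe, payload):
    """Write the payload pieces into the cavities. File length is unchanged by construction."""
    plan = plan_split(pe, len(payload))
    if plan is None:
        raise ValueError("not enough slack for a %d-byte payload" % len(payload))
    out, pos = bytearray(pe), 0
    for off, n in plan:
        out[off:off + n] = payload[pos:pos + n]
        pos += n
    return bytes(out)

def sections_with_dirty_slack(pe):
    """Detection heuristic: linkers leave slack as zero padding, so non-zero bytes there
    deserve a look (false positives exist, e.g. some packers and debug data)."""
    return [name for name, off, size in cavities(pe) if any(pe[off:off + size])]

if __name__ == "__main__":
    clean = build_pe([(b".text", b"\xC3" * 0x1F0), (b".data", b"\x41" * 0x100)])
    print("cavities:", cavities(clean))                     # .text has 0x10 free, .data 0x100
    infected = inject(clean, b"\xCC" * 0x80)
    print("size before/after:", len(clean), len(infected))
    print("dirty slack:", sections_with_dirty_slack(infected))
```

The point of the last function is the one that matters for defence: a length check tells you nothing about a cavity infector, but comparing each section's VirtualSize against its SizeOfRawData and looking at what lives in the gap does, and it is cheap enough to run over every executable on a disk.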
CIH 1.2 triggers its payloads on April 26th (the anniversary of the Chernobyl disaster, hence the name), 1.3 on June 26th, and 1.4 on the 26th of any month. The first payload overwrites the hard disk with garbage starting at the beginning of the disk, in an endless loop that usually doesn't stop until a) the user turns the computer off or b) the computer crashes. This leaves any data on the drive unusable and difficult, if not impossible, to recover.

- - - - - - - - - - - -
AOLGOLD TROJAN (1995)
- - - - - - - - - - - -

AOLGOLD was a program advertised as a special version of the AOL software. The attachment is, in most cases, named AOLGOLD.ZIP and contains INSTALL.EXE and README.TXT. The README glorifies AOLGOLD as a special edition of the AOL software and goes on to explain that it gives you the powers of a guide (a guide is AOL staff with the ability to kick users offline and terminate accounts). When INSTALL.EXE is launched it extracts the following files onto the user's hard drive:

MACROS.DRV
VIDEO.DRV
INSTALL.BAT
ADRIVE.RPT
SUSPEND.DRV
ANNOY.COM
MACRO.COM
SP-NET.COM
SP-WIN.COM
MEMBRINF.COM
DEVICE.COM
TEXTMAP.COM
HOST.COM
REP.COM
EMS2EXT.SYS
EMS.COM
EMS.SYS
README.TXT

When INSTALL.BAT runs it renames VIDEO.DRV to VIRUS.BAT and launches it. VIRUS.BAT then runs the commands to delete the following directories: DOS, WINDOWS, WINDOWS\SYSTEM, QEMM, STACKER, NORTON, AOL20, PRODIGY, MMP169, CSERVE, DOOM, WOLF3D. It then prints a crude message and attempts to run DOOMDAY.EXE, which fails due to a bug in the program.

- - - - - - - - - - - - - - -
TWELVE TRICKS TROJAN HORSE
- - - - - - - - - - - - - - -

The 12 Tricks trojan horse is quite an advance in terms of trojan horses.
Its unique feature is that it picks a random number between 1 and 12, and that number decides what the trojan does to your computer. The effects include:

- slow-down of system performance
- blanking or jerky motion in the scroll window
- clock, printer or keyboard malfunctions
- random disk writes
- garbled printer output
- FAT and boot sector overwrites
- floppy disk drive running continuously
- damaged FAT, directory or boot sector on disks

The trojan contains the following string:

SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC. 2840 ST. THOMAS EXPWY, SUITE 201 SANTA CLARA, CA 95051

There is no evidence that the company named in that string had anything to do with the creation of the trojan; why the author put it there is still unknown.

- - - - - - - - - - - - - -
PKZIP TROJAN HORSE (1992)
- - - - - - - - - - - - - -

Distributed through various BBSs, the PKZIP trojan was advertised as a new version of PKZIP. The versions commonly claimed were 2.01 and 2.2, under file names such as PKZ201.ZIP, PKZ201.EXE, PKZIPV2.ZIP and PKZIPV2.EXE. The "2.01" version is actually a hacked 1.93 alpha that works, but may do some unexpected things since it is an alpha of the product. The "2.2" version, however, is a simple batch file that attempts to delete files off your hard drive; it specifically targets C:\DOS\*.*.

- - - - - - - - - - - - - - - - -
NORTSTOP/NORTSHOT TROJAN (1989)
- - - - - - - - - - - - - - - - -

This trojan horse was bundled with copies of Norton Utilities on BBSs; the official product did NOT contain it, ONLY pirated copies did. The NORTSTOP or NORTSHOT trojan simply deletes files with specific extensions if it is run between December 24th and December 31st. The chances of this affecting anyone were EXTREMELY small.

- - - - - - - - - - - - -
TEQUILA VIRUS (1991)
- - - - - - - - - - - - -

One of the first polymorphic viruses to spread widely in the wild; it originated in Switzerland.
Tequila changed its form from one infection to the next in an attempt to avoid detection. The virus is relatively harmless to data but will display messages such as: "Execute: mov ax, FE03 / INT 21. Key to go on!" If the user follows the directions they get this message: "Welcome to T.TEQUILA's latest production. Contact T.TEQUILA/P.O.BOX 543/6312 St'hausen/Switzerland. Loving thoughts to L.I.N.D.A BEER and TEQUILA forever !"

- - - - - - - - - - - - - -
BACK ORIFICE TROJAN (1998)
- - - - - - - - - - - - - -

Back Orifice was one of the first trojans to become a widely used remote-administration backdoor. It works by the victim downloading and running the server application, which then stays resident; the person who sent the server launches the client and can remotely control the infected computer. The first version of Back Orifice ran on Windows 95/98 only. Later, Back Orifice 2000 was released, which could also run on Windows NT. Back Orifice had a list of genuinely useful features, including: system information, listing disk contents, file manipulation, compression and decompression, terminating processes, displaying messages, registry access, etc. Back Orifice has both a legitimate purpose and a malicious one: it can be used as a remote administration tool for networks, or it can be used to compromise data on a targeted computer. Back Orifice does NOT prey on security flaws and is limited by the permissions of the user on the affected machine; the server application must be run by the user for the machine to be affected. (The original server listened on UDP port 31337 by default, which is why that port shows up in so many old scanner signatures.)

- - - - - - - - - - - - -
DEDICATED VIRUS (1992)
- - - - - - - - - - - - -

This virus was relatively harmless; it makes its mark in history by being based on a polymorphic generator. Dedicated is a DOS infector for version 2.x and above. Dedicated only infects .COM files when they are executed, and the easy way to spot it is the growth in file size.
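The detection problem that Vienna's polymorphic descendant, Tequila and engine-built viruses such as Dedicated posed, as an added example rather than any actual virus code: a toy 16-bit decryptor generated in several shapes, and the kind of "logical test" scanner that catches all of them where a byte-string signature cannot. The instruction encodings are real 8086, but the virus layout (decryptor followed by an XOR-encrypted body, loaded at 0x100 like a .COM file), the body text and the signature are constructed for the demo, and the variation is deliberately tiny (three pointer registers, a random key, some NOP padding). Real engines swapped instructions and orderings far more freely, which is why scanners eventually moved to emulating the decryptor instead of pattern-matching it; the `decrypt` function below is a hand-rolled stand-in for that emulation.

```python
import random

LOAD = 0x100   # assumed load address: a .COM file is loaded at CS:0100h

# Real 8086 encodings for the three pointer registers the toy engine can pick from:
#   (opcode of "mov reg, imm16", ModRM byte for "xor byte [reg], imm8", opcode of "inc reg")
PTR_REGS = {
    "si": (0xBE, 0x34, 0x46),
    "di": (0xBF, 0x35, 0x47),
    "bx": (0xBB, 0x37, 0x43),
}

def make_sample(body, key, reg, junk):
    """Constructed 'infected program': decryptor followed by the XOR-encrypted body.
         mov reg, <addr of body>      ; 3 bytes
         mov cx, <len body>           ; 3 bytes
         nop * junk                   ; padding the engine varies
    L:   xor byte [reg], key          ; 80 /6 ib
         inc reg
         loop L                       ; E2 rel8, back to the xor
    """
    mov_op, modrm, inc_op = PTR_REGS[reg]
    loop_body = bytes([0x80, modrm, key, inc_op])
    tail = loop_body + bytes([0xE2, (-(len(loop_body) + 2)) & 0xFF])
    dec_len = 3 + 3 + junk + len(tail)
    dec = (bytes([mov_op]) + (LOAD + dec_len).to_bytes(2, "little")
           + b"\xB9" + len(body).to_bytes(2, "little")
           + b"\x90" * junk + tail)
    return dec + bytes(b ^ key for b in body)

def variants(body, count, seed=1):
    """Generate `count` differently shaped samples of the same virus (seeded for repeatability)."""
    rng = random.Random(seed)
    return [make_sample(body, rng.randrange(1, 256), rng.choice(sorted(PTR_REGS)), rng.randrange(0, 4))
            for _ in range(count)]

def find_decryptor(code):
    """The 'logical test' approach: instead of a fixed byte string, check whether the bytes at
    each offset form *a* decryptor loop: pointer load, count load, optional NOPs, an xor through
    the pointer, an increment of the same register, and a LOOP whose target is that xor.
    Returns (reg, key, body_offset, body_len) or None."""
    n = len(code)
    for i in range(n - 3):
        for reg, (mov_op, modrm, inc_op) in PTR_REGS.items():
            if code[i] != mov_op or code[i + 3] != 0xB9 or i + 6 > n:
                continue
            body_len = int.from_bytes(code[i + 4:i + 6], "little")
            p = i + 6
            while p < n and code[p] == 0x90:        # tolerate junk padding
                p += 1
            if p + 6 > n:
                continue
            if (code[p] == 0x80 and code[p + 1] == modrm and code[p + 3] == inc_op
                    and code[p + 4] == 0xE2):
                rel = code[p + 5] - 256 if code[p + 5] >= 128 else code[p + 5]
                if p + 6 + rel == p:                # the loop really branches back to the xor
                    body_off = int.from_bytes(code[i + 1:i + 3], "little") - LOAD
                    return reg, code[p + 2], body_off, body_len
    return None

def decrypt(code):
    """Undo the decryptor by hand (a tiny stand-in for emulation) and return the plaintext body."""
    hit = find_decryptor(code)
    if hit is None:
        return None
    _reg, key, off, length = hit
    return bytes(b ^ key for b in code[off:off + length])

def detect(code, signature):
    """Signature match on the *decrypted* body, which is the same in every variant."""
    body = decrypt(code)
    return body is not None and signature in body

BODY = b"[constructed toy virus body] Loving thoughts to the AV researchers"
SIGNATURE = b"constructed toy virus body"

if __name__ == "__main__":
    samples = variants(BODY, 5)
    for s in samples:
        print(s[:12].hex(), "->", detect(s, SIGNATURE))
    print("distinct first-12-byte prefixes:", len({s[:12] for s in samples}), "of", len(samples))
```

Run it and the first bytes of every sample differ (different register, key and padding), so no fixed string matches them all, yet `detect` is true for each because it reasons about the shape of the loop and then looks at what the loop produces. That is also where the false positives mentioned above came from: a test written too loosely will accept innocent code that merely resembles a loop.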
Dedicated was built on the Mutation Engine (MtE) 0.9, Dark Avenger's polymorphic engine, which any virus writer could link into their own code. The weakness of this design is that once the engine's decryptor patterns have been deciphered, most if not all viruses created with that engine can be detected.

- - - - - - - - - - - - - - - -
SUBSEVEN BACKDOOR TROJAN (1999)
- - - - - - - - - - - - - - - -

SubSeven became quite a popular backdoor trojan and still is today. There are MANY variants of SubSeven, making it harder and harder to detect. The original SubSeven is very similar to Back Orifice and only runs on 95/98 machines; from version 2.2 on, NT could also be targeted. SubSeven's source is widely available for programmers to expand on.

- - - - - - - - - - -
HAPPY99 VIRUS (1999)
- - - - - - - - - - -

This worm was distributed around 1999, generally as an attachment named Happy99.exe, though it could arrive under other names. Happy99.exe is unusual in that it is a hybrid of a trojan and a worm: running it shows a fireworks display, yet it does more than meets the eye. Happy99.exe drops SKA.EXE and modifies WSOCK32.DLL (the original is saved as WSOCK32.SKA); through the modified WSOCK32.DLL it sees the recipients of every mail and news message you send and quietly sends itself to them as a second message, without you noticing.