
THE HISTORY OF COMPUTER VIRUSES  

A Bit of Archeology

There are lots and lots of opinions on the date of birth of the first computer virus. I know for sure only that there were no viruses on the Babbage machine, but the Univac 1108 and IBM 360/370 already had them ("Pervading Animal" and "Christmas Tree"). Therefore the first virus was born at the very beginning of the 1970s or even at the end of the 1960s, although nobody was calling it a virus then. And with that, consider the topic of the extinct fossil species closed.

Journey's Start

Let's talk of the latest history: "Brain", "Vienna", "Cascade", etc. Those who started using IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays, crowds of users were rushing towards monitor service people (unlike these days, when hard disk drives die from old age yet some unknown modern virus gets the blame). Their computers started playing a hymn called "Yankee Doodle", but by then people were already clever, and nobody tried to fix their speakers; very soon it became clear that the problem wasn't with the hardware, it was a virus, and not even a single one, more like a dozen.
 
And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Ping-pong" virus marked the victory of viruses over the boot sector. IBM PC users of course didn't like all that at all. And so there appeared antidotes. Which was the first? I don't know; there were many of them. Only a few of them are still alive, and all of these anti-viruses grew from single projects into major software companies playing big roles on the software market.

There is also a notable difference in how viruses conquered different countries. The first widely spread virus in the West was a boot virus called "Brain"; the "Vienna" and "Cascade" file viruses appeared later. In Eastern Europe and Russia, by contrast, file viruses came first, followed by boot viruses a year later.
Time went on, viruses multiplied. They were all alike in a sense: they tried to get into RAM, stuck to files and sectors, and periodically killed files, diskettes and hard disks. One of the first "revelations" was the "Frodo.4096" virus, which as far as I know was the first invisible (Stealth) virus. This virus intercepted INT 21h, and during DOS calls to infected files it changed the returned information so that the file appeared uninfected to the user. But this was just a layer on top of MS-DOS. In less than a year electronic bugs attacked the DOS kernel itself (the "Beast.512" Stealth virus). The idea of invisibility continued to bear fruit: in the summer of 1991 there was a plague of "Dir_II". "Yeah!", said everyone who dug into it.

But it was pretty easy to fight the Stealth ones: once you clean RAM, you may stop worrying and just search for the beast and cure it to your heart's content. Other, self-encrypting viruses, sometimes appearing in software collections, were more troublesome, because to identify and delete them it was necessary to write and debug special subroutines. But nobody paid attention to that until... until the new generation of viruses came, those called polymorphic viruses. These viruses use another approach to invisibility: they encrypt themselves (in most cases), and to decrypt themselves later they use instruction sequences which may or may not be repeated in different infected files.

Polymorphism - Viral Mutation


The first polymorphic virus, called "Chameleon", became known in the early '90s, but the problem with polymorphic viruses became really serious only a year after that, in April 1991, with the worldwide epidemic of the polymorphic virus "Tequila" (as far as I know Russia was untouched by that epidemic; the first epidemic in Russia caused by a polymorphic virus happened as late as 1994, three years later, and the virus was called "Phantom1").

The idea of self-encrypting polymorphic viruses gained popularity and brought to life generators of polymorphic code. In early 1992 the famous "Dedicated" virus appeared, based on the first known polymorphic generator MtE and the first in a series of MtE viruses; shortly after that the polymorphic generator itself appeared. It is essentially an object module (OBJ file), and to get a polymorphic mutant virus from a conventional non-encrypting virus it is sufficient to simply link their object modules together: the polymorphic OBJ file and the virus OBJ file. Now, to create a real polymorphic virus, one doesn't have to dwell on the code of one's own encryptor/decryptor; one may connect the polymorphic generator to the virus and call it from the virus code when desired.

Luckily the first MtE virus wasn't spread and did not cause epidemics. In their turn the anti-virus developers had some time in store to prepare for the new attack.

In just a year the production of polymorphic viruses became a "trade", followed by their "avalanche" in 1993. Among the viruses coming to my collection the share of polymorphic viruses kept increasing. It seems that one of the main directions in this uneasy job of creating new viruses became the creation and debugging of polymorphic mechanisms: virus authors competed not in creating the toughest virus but the toughest polymorphic mechanism instead.

This is a partial list of the viruses that can be called 100 percent polymorphic (late 1993):

Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions).

These viruses require special methods of detection, including emulation of the virus's executable code, mathematical algorithms for restoring parts of the code and data in the virus, etc. Ten more new viruses may be considered not 100 percent polymorphic (that is, they do encrypt themselves, but in the decryption routine there always exist some non-changing bytes):

Basilisk, Daemaen, Invisible (two versions), Mirea (several versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.

However, to detect them and to restore the infected object's code, decryption is still required, because the non-changing code in the decryption routine of these viruses is too short.
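The difference between fixed-byte "masks", the invariant bytes of a not-100-percent-polymorphic decryptor, and the decrypt-then-match approach the text says fully polymorphic viruses require can be shown on constructed data. The following is an added example written for this edit; it is not code from the article or from any real virus or scanner. The "virus body", the decryptor layouts, the host bytes and the single-byte XOR scheme are all toy constructions, and the brute-force key search stands in for the emulation and "restoring" algorithms the text mentions.

```python
"""Mask scanning versus decrypt-then-match on constructed samples.

Added example, not from the original article. The byte strings below are
constructed for illustration only; nothing here is real virus code.
"""
from typing import Dict, Optional

# Constructed "virus body": the constant bytes a scanner wants to recognise.
BODY = b"TOY-VIRUS-BODY:this is the constant part of the payload"

# The mask (signature) a scanner would extract from the plain body.
MASK = BODY[4:20]  # b"VIRUS-BODY:this "

# Constructed decryptor prefix of a "not 100 percent polymorphic" sample:
# these four bytes never change, only the key byte that follows them does.
SEMI_POLY_STUB = b"\xB9\x01\x02\x03"

# Constructed host program the samples are "attached" to.
HOST = b"MZ-constructed-host-program-bytes"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR used for both 'encryption' and 'decryption'."""
    return bytes(b ^ key for b in data)


def make_plain_sample(host: bytes) -> bytes:
    """Conventional non-encrypting infection: the body is appended as-is."""
    return host + BODY


def make_semi_poly_sample(host: bytes, key: int) -> bytes:
    """Self-encrypting sample whose decryptor keeps invariant bytes."""
    return host + SEMI_POLY_STUB + bytes([key]) + xor_bytes(BODY, key)


def make_full_poly_sample(host: bytes, key: int) -> bytes:
    """Sample whose decryptor has no invariant bytes: the 8-byte prefix is
    derived from the key, so it differs in every copy (a stand-in for the
    varying instruction sequences described in the text)."""
    prefix = bytes(((key + 13 * i) * 31) & 0xFF for i in range(8))
    return host + prefix + bytes([key]) + xor_bytes(BODY, key)


def mask_scan(sample: bytes) -> bool:
    """The 'mask' approach: look for the fixed body bytes anywhere."""
    return MASK in sample


def stub_scan(sample: bytes) -> bool:
    """Match the invariant decryptor bytes of a semi-polymorphic sample."""
    return SEMI_POLY_STUB in sample


def xray_scan(sample: bytes) -> Optional[int]:
    """Decrypt-then-match: try every possible key and look for the mask in
    the result. Returns the key that reveals the body, or None if no key
    does. Key 0 covers the unencrypted case."""
    for key in range(256):
        if MASK in xor_bytes(sample, key):
            return key
    return None


def detect(sample: bytes) -> Dict[str, object]:
    """Run all three detectors on one sample and report their verdicts."""
    return {
        "mask": mask_scan(sample),
        "stub": stub_scan(sample),
        "xray_key": xray_scan(sample),
    }


def demo() -> Dict[str, Dict[str, object]]:
    """Build one sample of each kind plus a clean host and scan them all."""
    return {
        "plain": detect(make_plain_sample(HOST)),
        "semi": detect(make_semi_poly_sample(HOST, key=0x5A)),
        "full": detect(make_full_poly_sample(HOST, key=0xC3)),
        "clean": detect(HOST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:6s} mask={verdict['mask']!s:5s} "
              f"stub={verdict['stub']!s:5s} xray_key={verdict['xray_key']}")
```

Running it shows the progression the text describes: the plain sample is caught by the mask alone, the semi-polymorphic sample defeats the mask but is still caught on its invariant decryptor bytes, and the fully polymorphic sample is caught only by decrypting first. The same brute-force search also recovers the key, which is what the text means by decryption being required to restore the infected object.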

Polymorphic generators were also being developed alongside polymorphic viruses. Several new ones appeared, utilizing more complex methods of generating polymorphic code. They became widely spread over bulletin board systems as archives containing object modules, documentation and examples of use. By the end of 1993 there were seven known generators of polymorphic code. They are:

MTE 0.90 (Mutation Engine),
TPE (Trident Polymorphic Engine), four versions,
NED (Nuke Encryption Device),
DAME (Dark Angel's Multiple Encryptor).

Since then every year has brought several new polymorphic generators, so there is little sense in publishing the entire list.

Automating Production and Viral Construction Sets


Laziness is the moving force of progress (the wheel was invented because somebody was too lazy to carry mammoths to the cave). This traditional wisdom needs no comment. But only in the middle of 1992 did progress in the form of automated production touch the world of viruses. On the fifth of July 1992 the first virus code construction set for IBM PC compatibles, called VCL (Virus Creation Laboratory) version 1.00, was announced for production and shipping.

This set allows one to generate well-commented virus source texts in the form of assembly language texts, object modules and infected files themselves. VCL uses a standard windowed interface. With the help of a menu system one can choose the virus type, objects to infect (COM and/or EXE), presence or absence of self-encryption, measures of protection from debugging, internal text strings, ten optional additional effects, etc. Viruses can use the standard method of infecting a file by adding their body to the end of it, replace files with their body (destroying the original content), or become companion viruses.

And then it became much easier to do wrong: if you wanted somebody to have some computer trouble you just ran VCL and within 10 to 15 minutes had 30-40 different viruses you could then run on the computers of your enemies. A virus for every computer!

The further, the better. On the 27th of July the first version of PS-MPC (Phalcon/Skism Mass-Produced Code Generator) appeared. This set does not have a windowed interface; it uses a configuration file to generate virus source code. This file contains a description of the virus: the type of infected files (COM or EXE); resident capabilities (unlike VCL, PS-MPC can also produce resident viruses); the method of installing the resident copy of the virus; self-encryption capabilities; the ability to infect COMMAND.COM; and lots of other useful information.

Another construction set, G2 (Phalcon/Skism's G2 0.70 beta), was created. It supported PS-MPC configuration files while allowing many more options when coding the same functions.

The version of G2 I have is dated the first of January 1993. Apparently the authors of G2 spent New Year's Eve in front of their computers. They'd have done better with some champagne instead; it wouldn't have hurt anyway.

So in what way did the virus construction sets influence electronic wildlife? In my virus collection there are:

several hundred VCL- and G2-based viruses;
over a thousand PS-MPC-based viruses.

So we have another tendency in the development of computer viruses: the increasing number of "construction set" viruses; more unconcealably lazy people join the ranks of virus makers, downgrading the respectable and creative profession of creating viruses to a mundane rough trade.

Outside DOS

The year 1992 brought more than polymorphic viruses and virus construction sets. The end of the year saw the first virus for Windows, which thus opened a new page in the history of virus making. Being small (less than 1K in size) and absolutely harmless, this non-resident virus quite proficiently infected executables of the new Windows format (NewEXE); with its appearance on the scene a window into the world of Windows was opened.

After some time there appeared viruses for OS/2, and January 1996 brought the first Windows95 virus. Presently not a single week goes by without new viruses infecting non-DOS systems; possibly the problem of non-DOS viruses will soon become more important than the problem of DOS viruses. Most likely the change of priorities will resemble the process of DOS dying and new operating systems gaining strength together with their specific programs. As soon as all the existing software for DOS is replaced by its Windows, Windows95 and OS/2 analogues, the problem of DOS viruses will become nonexistent and purely theoretical for the computer community.

The first attempt to create a virus working in 386 protected mode was also made in 1993. It was a boot virus, "PMBS", named after a text string in its body. After booting from an infected drive this virus switched to protected mode, made itself supervisor and then loaded DOS in virtual-8086 (V86) mode. Luckily this virus was born dead: its second generation refused to propagate due to several errors in the code. Besides that, the infected system hung if some program tried to reach outside V86 mode, for example to determine the presence of extended memory.

This unsuccessful attempt to create a supervisor virus remained the only one until the spring of 1997, when a Moscow prodigy released "PM.Wanderer", a quite successful implementation of a protected mode virus.

It is unclear now whether such supervisor viruses might present a real problem for users and anti-virus developers in the future. Most likely not, because such viruses must "go to sleep" while new operating systems (Windows 3.xx, Windows95/NT, OS/2) are up and running, allowing for easy detection and removal of the virus. But a full-scale stealth supervisor virus may mean a lot of trouble for "pure" DOS users, because it is absolutely impossible to detect such a stealth virus under pure DOS.

Macro Virus Epidemics


August 1995. All of progressive humanity, Microsoft and Bill Gates personally celebrate the release of a new operating system, Windows95. Amid all that noise the message about a new virus using fundamentally new methods of infection passed virtually unnoticed. The virus infected Microsoft Word documents.

Frankly, it wasn't the first virus infecting Word documents. Earlier, anti-virus companies had had on their hands the first experimental example of a virus which copied itself from one document to another. However, nobody paid serious attention to that not quite successful experiment. As a result virtually all the anti-virus companies turned out to be unprepared for what came next, macro virus epidemics, and started to work out quick but inadequate steps to put an end to it. For example, several companies almost simultaneously released document anti-viruses, acting along about the same lines as the virus did, but destroying it instead of propagating.

By the way, it became necessary to correct anti-virus literature in a hurry, because earlier the question "Is it possible to infect a computer by simply reading a file?" had been answered with a definite "No way!", with lengthy proofs of that.

As for the virus, which by that time had got its name, "Concept", it continued its victory ride over the planet. Having most probably been released in some division of Microsoft, "Concept" ran over thousands if not millions of computers in no time at all. It's not surprising, because text exchange in the Microsoft Word format had in fact become one of the industry standards, and to get infected by the virus it is sufficient just to open an infected document; then all the documents edited by the infected copy of Word become infected too. As a result, having received an infected file over the Internet and opened it, the unsuspecting user became an "infection peddler", and if his correspondence was conducted with the help of MS Word, it also became infected! Therefore the possibility of infecting MS Word, multiplied by the speed of the Internet, became one of the most serious problems in the whole history of computer viruses.

In less than a year, sometime in the summer of 1996, there appeared the "Laroux" virus, infecting Microsoft Excel spreadsheets. As with "Concept", this new virus was discovered almost simultaneously in several companies.

The same 1996 witnessed the first macro virus construction sets; then in the beginning of 1997 came the first polymorphic macro viruses for MS Word and the first viruses for Microsoft Office97. The number of different macro viruses also increased steadily, reaching several hundred by the summer of 1997.

Macro viruses, which opened a new page in August 1995, using all the experience in virus making accumulated over almost 10 years of continuous work and enhancement, actually do present the biggest problem for modern virology.

Chronology of Events
It's time to give a more detailed description of events. Let's start
from the very beginning.

Late 1960s - early 1970s

Periodically on the mainframes of that period there appeared programs called "rabbits". These programs cloned themselves and occupied system resources, thus lowering the productivity of the system. Most probably "rabbits" did not copy themselves from system to system and were strictly local phenomena: mistakes or pranks by the system programmers servicing these computers. The first incident which may well be called an epidemic of "a computer virus" happened on the Univac 1108 system. The virus called "Pervading Animal" merged itself to the end of executable files, doing virtually the same thing as thousands of modern viruses do.

The first half of the 1970s

"The Creeper" virus, created under the Tenex operating system, used global computer networks to spread itself. The virus was capable of entering a network by itself via modem and transferring a copy of itself to a remote system. "The Reaper" anti-virus program was created to fight this virus; it was the first known anti-virus program.

Early 1980s

Computers become more and more popular. An increasing number of programs appear, written not by software companies but by private persons; moreover, these programs may be freely distributed and exchanged through general-access servers (BBS). As a result there appears a huge number of miscellaneous "Trojan horses", programs doing some kind of harm to the system when started.

1981

The "Elk Cloner" boot virus epidemic started on Apple II computers. The virus attached itself to the boot sector of diskettes that were accessed. It showed itself in many ways: turned over the display, made text displays blink and showed various messages.

1986

The first IBM PC virus "Brain" pandemic began. This virus, infecting 360 KB diskettes, spread over the world almost instantly. The secret of a "success" like this probably lay in the total unpreparedness of the computer community for such a phenomenon as a computer virus.

The virus was created in Pakistan by the brothers Basit and Amjad Farooq Alvi. They left a text message inside the virus with their names, address and telephone number. According to the authors, they were software vendors and would like to know the extent of piracy in their country. Unfortunately their experiment left the borders of Pakistan.

It is also interesting that the "Brain" virus was the first stealth virus, too: if there was an attempt to read the infected sector, the virus substituted a clean original one.

Also in 1986 a programmer named Ralf Burger found out that a program can create copies of itself by adding its code to DOS executables. His first virus, called "VirDem", was a demonstration of that capability. This virus was announced in December 1986 at an underground computer forum which consisted of hackers specializing at that time in cracking VAX/VMS systems (the Chaos Computer Club in Hamburg).

1987

The "Vienna" virus appears. Ralf Burger, whom we already know, gets a copy of this virus, disassembles it, and publishes the result in his book "Computer Viruses: a High-tech Disease". Burger's book made the idea of writing viruses popular, explained how to do it, and therefore stimulated the creation of hundreds and then thousands of computer viruses in which some of the ideas from his book were implemented.

Some more IBM PC viruses were written independently in the same year. They are: "Lehigh", infecting the COMMAND.COM file only; "Suriv-1" a.k.a. "April1st", infecting COM files; "Suriv-2", infecting (for the first time ever) EXE files; and "Suriv-3", infecting both COM and EXE files. There also appeared several boot viruses ("Yale" in the USA, "Stoned" in New Zealand, "PingPong" in Italy) and the first self-encrypting file virus, "Cascade".

Non-IBM computers were not forgotten either: several viruses for Apple Macintosh, Commodore Amiga and Atari ST were detected.

In December 1987 there was the first total epidemic of a network virus, called "Christmas Tree", written in the REXX language and spreading itself under the VM/CMS operating environment. On the ninth of December this virus was introduced into the Bitnet network at one of the West German universities, then via a gateway it got into the European Academic Research Network (EARN) and then into the IBM Vnet. In four days (Dec. 13) the virus paralyzed the network, which was overflowing with copies of it (see the desk clerk example several pages earlier). On start-up the virus output an image of a Christmas tree and then sent copies of itself to all the network users whose addresses were in the corresponding system files NAMES and NETLOG.

1988

On Friday the 13th, 1988, several companies and universities in many countries of the world "got acquainted" with the "Jerusalem" virus. On that day the virus destroyed files that were being run. Probably this is one of the first MS-DOS viruses which caused a real pandemic: there was news about infected computers from Europe, America and the Middle East. Incidentally, the virus got its name after one of the places it struck, the Jerusalem University.

"Jerusalem", together with several other viruses ("Cascade", "Stoned", "Vienna"), infected thousands of computers while still unnoticed: anti-virus programs were not as common then as they are now, and many users and even professionals did not believe in the existence of computer viruses. It is notable that in the same year the legendary computer guru Peter Norton announced that computer viruses did not exist. He declared them to be a myth of the same kind as alligators in the New York sewers. Nevertheless this delusion did not prevent Symantec from starting its own anti-virus project, Norton Anti-virus, some time later.

Notoriously false messages about new computer viruses started to appear, causing panic among computer users. One of the first virus hoaxes of this kind belongs to a "Mike RoChenle" (pronounced very much like "Microchannel"), who uploaded a lot of messages to BBS systems describing a supposed virus copying itself from one BBS to another via modem at 2400 baud. Funny as it may seem, many users gave up the 2400 baud standard of that time and lowered the speed of their modems to 1200 baud. Similar hoaxes appear even now. The most famous of them so far are GoodTimes and Aol4Free.

November 1988: a total epidemic of the Morris network virus (a.k.a. the Internet Worm). This virus infected more than 6000 computer systems in the USA (including a NASA research institute) and practically paralyzed their work. Because of erratic code, the virus sent unlimited copies of itself to other network computers, like the "Christmas Tree" worm virus, and for that reason completely paralyzed all the network resources. Total losses caused by the Morris virus were estimated at 96 million dollars.

This virus used errors in the Unix operating systems for VAX and Sun Microsystems to propagate. Besides the errors in Unix, the virus utilized several more original ideas, for example picking up user passwords. A more detailed story of this virus and the corresponding incidents may be found in rather detailed and interesting articles.

December 1988: the season of worm viruses continues, this time in DECnet. A worm virus called HI.COM output an image of a spruce and informed users that they should "stop computing and have a good time at home!!!"

There also appeared new anti-virus programs, for example Dr. Solomon's Anti-virus Toolkit, still one of the most powerful anti-virus packages today.

1989

New viruses "Datacrime" and "FuManchu" appear, as do whole families like "Vacsina" and "Yankee". The first one acted extremely dangerously: from October 13th to December 31st it formatted hard disks. This virus "broke free" and caused total hysteria in the mass media in Holland and Great Britain.

September 1989: one more anti-virus program begins shipping, IBM Anti-virus.

October 1989: one more epidemic in DECnet, this time a worm virus called "WANK Worm".

December 1989: an incident with a "Trojan horse" called "AIDS". 20,000 copies were shipped on diskettes marked "AIDS Information Diskette Version 2.0". After 90 boot-ups the "Trojan" program encrypted all the filenames on the disk, made them invisible (setting the "hidden" attribute) and left only one file readable: a bill for $189 payable to the address P.O. Box 7, Panama. The author of this program was apprehended and sent to jail.

One should note that in 1989 total epidemics of computer viruses began in Russia, caused by the same "Cascade", "Jerusalem" and "Vienna", which besieged the computers of Russian users. Luckily Russian programmers pretty quickly discovered the principles of their work, and virtually immediately there appeared several domestic anti-viruses; AVP (named "-V" at that time) was one of them.

My first acquaintance with viruses (it was the "Cascade" virus) took place in 1989, when I found the virus on my office computer. This particular fact influenced my decision to change careers and create anti-virus programs. In a month the second incident (the "Vacsina" virus) was closed with the help of the first version of my anti-virus "-V" (minus-virus), several years later renamed AVP (AntiViral Toolkit Pro). By the end of 1989 several dozen viruses herded on Russian lands. They were, in order of appearance: two versions of "Cascade", several "Vacsina" and "Yankee" viruses, "Jerusalem", "Vienna", "Eddie", "PingPong".

1990

This year brought several notable events. The first one was the appearance of the first polymorphic viruses, "Chameleon" (a.k.a. "V2P1", "V2P2" and "V2P6"). Until then anti-virus programs had used "masks" (fragments of virus code) to look for viruses. After "Chameleon"'s appearance anti-virus developers had to look for different methods of virus detection.

The second event was the appearance of the Bulgarian "virus production factory": enormous numbers of new viruses were created in Bulgaria. These were entire families of viruses: "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), the modifications of the "Eddie" virus, etc. A certain Dark Avenger became extremely active, making several new viruses a year and utilizing fundamentally new algorithms for infecting and for covering tracks in the system. It was also in Bulgaria that the first BBS opened dedicated to the exchange of virus code and information for virus makers.

In July 1990 there was an incident with the "PC Today" computer magazine (Great Britain). It came with a floppy disk infected with the "DiskKiller" virus. More than 50,000 copies were sold.

In the second half of 1990 there appeared two Stealth monsters, "Frodo" and "Whale". Both viruses utilized extremely complicated stealth algorithms; on top of that the 9KB "Whale" used several levels of encryption and anti-debugging techniques.

1991

The computer virus population grows continuously, now reaching several hundred. Anti-viruses also show increasing activity: two software giants at once (Symantec and Central Point) issue their own anti-virus programs, Norton Anti-virus and Central Point Anti-virus. They are followed by less known anti-viruses from Xtree and Fifth Generation.

In April a full-scale epidemic broke out, caused by the file and boot polymorphic virus "Tequila", and in September the same kind of story happened with the "Amoeba" virus.

Summer of 1991: the "Dir_II" epidemic. It was a link virus using fundamentally new methods of infecting files.

1992

Non-IBM PC and non-MS-DOS viruses are virtually forgotten: "holes" in the global access networks are closed, errors corrected, and network worm viruses have lost the ability to spread themselves. File, boot and file-boot viruses for the most widely spread operating system (MS-DOS) on the most popular computer model (IBM PC) are becoming more and more important. The number of viruses increases in geometric progression; various virus incidents happen almost every day. Miscellaneous anti-virus programs are being developed, and dozens of books and several periodicals on anti-viruses are being printed. A few things stand out:

Early 1992: the first polymorphic generator, MtE, serving as a base for several polymorphic viruses which followed almost immediately. MtE was also the prototype for a few forthcoming polymorphic generators.

March 1992: the "Michelangelo" virus epidemic (a.k.a. "March6") and the hysteria that followed. Probably this is the first known case when anti-virus companies made a fuss about a virus not to protect users from any kind of danger, but to attract attention to their products, that is, to create profits. One American anti-virus company actually announced that on the 6th of March the information on over five million computers would be destroyed. As a result of the fuss the profits of various anti-virus companies jumped several times; in reality only about 10,000 computers suffered from that virus.

July 1992: the first virus construction sets are made, VCL and PS-MPC. They make the large flow of new viruses even larger. They also stimulate virus makers to create other, more powerful construction sets, as MtE did in its area.

Late 1992: the first Windows virus appears, infecting this OS's executables, and starts a new page in virus making.

1993

Virus makers are starting to do some serious damage: besides hundreds of mundane viruses which are no different from their counterparts, besides whole polymorphic generators and construction sets, besides new electronic publications of virus makers, there appear more and more viruses using highly unusual ways of infecting files, introducing themselves into the system, etc. The main examples are:

"PMBS", working in Intel 80386 protected mode.
"Strange" (or "Hmm"), a "masterpiece" of Stealth technology, implemented however at the level of the hardware interrupts INT 0Dh and INT 76h.
"Shadowgard" and "Carbunkle", which widened the range of algorithms of companion viruses.
"Emmie", "Metallica", "Bomber", "Uruguay" and "Cruncher": the use of fundamentally new techniques of "hiding" their own code inside the infected files.

In spring 1993 Microsoft made its own anti-virus, MSAV, based on CPAV by Central Point.

1994

The problem of CD viruses is getting more important. Having quickly gained popularity, CDs became one of the main means of spreading viruses. There were several simultaneous cases when a virus got onto the master disk while a batch of CDs was being prepared. As a result a fairly large number (tens of thousands) of infected CDs hit the market. Of course they cannot be cured; they just have to be destroyed.

Early in the year two extremely complicated polymorphic viruses, "SMEG.Pathogen" and "SMEG.Queeg", popped up in Great Britain (even now not all anti-virus programs are able to give 100% correct detection of these viruses). Their author placed infected files on a BBS, causing real panic and fear of an epidemic in the mass media.

Another wave of panic was created by a message about a supposed virus called "GoodTimes", spreading via the Internet and infecting a computer on receipt of e-mail. No such virus really existed, but after some time there appeared an ordinary DOS virus containing the text string "Good Times". It was called "GT-Spoof".

Law enforcement increases its activity: in the summer of 1994 the author of SMEG was "sorted out" and arrested. At approximately the same time, also in Great Britain, an entire group of virus makers was arrested, who called themselves ARCV (Association for Really Cruel Viruses). Some time later one more author of viruses was arrested in Norway.

There appear some new and unusual enough viruses:

January 1994: "Shifter", the first virus infecting object modules (OBJ files). "Phantom1", the cause of the first epidemic of a polymorphic virus in Moscow.

April 1994: "SrcVir", the virus family infecting program source code (C and Pascal).

June 1994: "OneHalf", one of the most widespread viruses in Russia so far, starts a total epidemic.

September 1994: "3APA3A", a boot-file virus epidemic. This virus uses a highly unusual way of incorporating itself into MS-DOS. No anti-virus was ready to meet such a monster.

In spring 1994 one of the anti-virus leaders of that time, Central Point, ceased to exist, acquired by Symantec, which by that time had managed to "swallow" several smaller companies working on anti-viruses: Peter Norton Computing, Cetus International and Fifth Generation Systems.

1995
Nothing in particular happens among DOS viruses, although several
complicated enough monster viruses appear, such as "NightFall",
"Nostardamus" and "Nutcracker", as well as some curious ones like
the "bisexual" virus "RMNS" and the BAT virus "Winstart". The
"ByWay" and "DieHard2" viruses become widespread, with reports of
infected computers coming from all over the world.

February 1995: an incident with Microsoft: Windows95 demo disks are
infected by "Form". Copies of these disks were sent to beta testers
by Microsoft; one of the testers was not that lazy and checked the
disks for viruses.

Spring 1995: two anti-virus companies, ESaSS (ThunderBYTE anti-
virus) and Norman Data Defense (Norman Virus Control), announce
their alliance. These companies, each making a powerful enough
anti-virus, joined efforts and started working on a joint anti-
virus system.

August 1995: one of the turning points in the history of viruses and
anti-viruses: the first "live" virus for Microsoft Word ("Concept")
appeared. Within about a month the virus "tripped around the
world", pestering the computers of MS Word users and becoming a
firm No. 1 in the statistics published by various computer titles.

1996
January 1996: two notable events - the appearance of the first
Windows95 virus ("Win95.Boza") and the epidemic of the extremely
complicated polymorphic virus "Zhengxi" in St. Petersburg (Russia).

March 1996: the first Windows 3.x virus epidemic. The virus is
called "Win.Tentacle". It infected a computer network in a hospital
and in several other institutions in France. This event is
especially interesting because it was the FIRST Windows virus in
the wild. Before that time (as far as I know) all Windows viruses
had lived only in collections and in the electronic magazines of
virus writers; only boot viruses, DOS viruses and macro viruses
were known to spread freely.

June 1996: "OS2.AEP" - the first virus for OS/2 that correctly
infects the EXE files of this operating system. Earlier, the only
viruses under OS/2 either wrote themselves over a file, destroying
it, or acted as companions.

July 1996: "Laroux" - the first virus for Microsoft Excel caught
live (originally at the same time in two oil companies, in Alaska
and in the South African Republic). The idea of "Laroux", like that
of the Microsoft Word viruses, was based on the presence of
so-called macros (Basic programs) in the files. Such programs can
be embedded in both Microsoft Excel spreadsheets and Microsoft Word
documents. As it turned out, the Basic language built into
Microsoft Excel also allows viruses to be created.

December 1996: "Win95.Punch" - the first memory-resident virus for
Windows95. It stays in Windows memory as a VxD driver, hooks file
access and infects Windows EXE files as they are opened.

In general, 1996 marks the start of the widespread virus intrusion
into the Windows32 operating systems (Windows95 and WindowsNT) and
into the Microsoft Office applications. During this and the
following year several dozen Windows viruses and several hundred
macro viruses appeared. Many of them used new technologies and
methods of infection, including stealth and polymorphic abilities.
That was the next round of virus evolution. Over two years they
repeated the path of improvement that DOS viruses had taken: step
by step they started to use the same features DOS viruses had used
10 years before, but at the next technological level.

1997
February 1997: "Linux.Bliss" - the first virus for Linux (a Unix
clone). With it, viruses occupied one more "biological" niche.

February-April 1997: macro viruses migrated to Office97. The first
of them turned out to be merely Microsoft Word 6/7 macro viruses
"converted" to the new format, but virtually immediately viruses
aimed exclusively at Office97 documents appeared as well.

March 1997: "ShareFun" - a macro virus hitting Microsoft Word 6/7.
It not only uses the standard features of Microsoft Word to
propagate but also sends copies of itself via MS-Mail.

April 1997: "Homer" - the first network worm virus, using the File
Transfer Protocol (FTP) for propagation.

June 1997: the first self-encrypting virus for Windows95 appears.
This virus of Russian origin was sent to several BBSs in Moscow,
which caused an epidemic.

November 1997: the "Esperanto" virus. This is the first virus that
attempts to infect not only DOS and Windows32 executable files but
also to spread to Mac OS (Macintosh). Fortunately, because of bugs,
the virus is unable to spread across platforms.

December 1997: a new virus type, the so-called "mIRC Worms", came
into being. The most popular Windows Internet Relay Chat (IRC)
client, mIRC, proved to have a "hole" allowing virus scripts to
transmit themselves along IRC channels. The next mIRC version
closed the hole and the mIRC Worms vanished.

The KAMI Ltd. anti-virus department broke away from the parent
company to form an independent one, which is certainly considered
the main event of 1997. The company is now known as Kaspersky Labs
and has proved to be a recognized leader of the anti-virus
industry. Since 1994 the AntiViral Toolkit Pro (AVP) anti-virus
scanner, the company's main product, has consistently shown high
results when tested by various test laboratories around the world.
The creation of an independent company gave the initially small
group of developers the chance to take the lead on the domestic
market and gain prominence on the world one. In a short time
versions for practically all popular platforms were developed and
released, new anti-virus solutions were offered, and international
distribution and product support networks were created.

October 1997: an agreement on licensing the use of AVP technologies
in F-Secure Anti-Virus (FSAV) was signed. The F-Secure Anti-Virus
(FSAV) package was the new anti-virus product of DataFellows
(Finland). Before that, DataFellows was known as the manufacturer
of the F-PROT anti-virus package.

1997 was also a year of several scandals between the main anti-virus
manufacturers in the US and Europe. At the beginning of the year
McAfee announced that its experts had detected a "feature" in the
anti-virus programs of Dr.Solomon, one of its main competitors.
McAfee's statement claimed that if Dr.Solomon's anti-virus detected
several virus types while scanning, the program switched to an
advanced scanning mode. This means that while scanning an
uninfected computer Dr.Solomon's anti-virus operates in the usual
mode, and switches to the advanced mode - "cheat mode", according
to McAfee - only when scanning virus collections, enabling the
application to detect viruses invisible to the usual mode.
Consequently, Dr.Solomon's anti-virus shows both good speed when
scanning uninfected disks and good detection ability when scanning
virus collections.

A bit later Dr.Solomon struck back, accusing McAfee of an
incorrect advertising campaign. The claims concerned the text "The
Number One Choice Worldwide. No Wonder The Doctor's Left Town". At
the same time McAfee was in court with Trend Micro, another
anti-virus software manufacturer, over the violation of a patent on
Internet and e-mail data scanning technology. Symantec also turned
out to be involved in the case and accused McAfee of using Symantec
code in McAfee products. And so on.

The year ended with one more noteworthy event related to the McAfee
name: McAfee Associates and Network General announced their
consolidation into the newly born Network Associates company and
the positioning of their services not only on the anti-virus
software market, but also on the markets of general computer
security systems, encryption and network administration. From this
point in virus and anti-virus history, McAfee corresponds to NAI.

1998
The virus attack on MS Windows, MS Office and network applications
does not weaken. New viruses arose employing still more complex
tricks when infecting computers and advanced methods of penetrating
computers over the network. Besides, numerous so-called Trojans,
stealing Internet access passwords, and several kinds of covert
remote administration utilities came into the computer world.
Several incidents with infected CDs were revealed: some computer
media publishers distributed the Windows viruses CIH and Marburg on
infected CDs attached to the covers of their issues.

The beginning of the year: an epidemic of the "Win32.HLLP.DeTroie"
virus family shocked the computer world. These viruses not only
infect Windows32 executable files but are also capable of
transmitting information about the infected computer to their
"owner". As the viruses used specific libraries attached only to
the French version of Windows, the epidemic affected only
French-speaking countries.

February 1998: one more virus type infecting Excel tables,
"Excel4.Paix" (aka "Formula.Paix"), was detected. When rooting
itself into Excel tables, this type of macro virus does not employ
the macro area usual for its kind but the formulas, which proved
capable of accommodating self-reproducing code.

February - March 1998: "Win95.HPS" and "Win95.Marburg", the first
polymorphic Windows32 viruses, were detected, and furthermore they
were "in the wild". Anti-virus developers had no choice but to
rush to adapt their polymorphic virus detection techniques,
designed so far only for DOS viruses, to the new conditions.

March 1998: "AccessiV", the first Microsoft Access virus, was born.
There was no boom about it (as there had been with the
"Word.Concept" and "Excel.Laroux" viruses), as the computer
community had already got used to MS Office applications going
down thick and fast.

March 1998: the "Cross" macro virus, the first virus infecting two
different MS Office applications (Access and Word), is detected.
Thereafter several more viruses transferring their code from one
MS Office application to another emerged.

May 1998: the "RedTeam" virus infects Windows EXE files and
dispatches the infected files through Eudora e-mail.

June 1998: the "Win95.CIH" virus epidemic was at first massive,
then became global and then turned into a kind of computer
holocaust: the number of reports of infected computer networks and
home personal computers reached hundreds if not thousands. The
start of the epidemic was registered in Taiwan, where an unknown
hacker mailed the infected files to local Internet conferences.
From there the virus made its way to the USA, where through staff
oversight it at once infected several popular Web servers that
started distributing infected game programs. Most likely these
infected files on game servers brought about the computer
holocaust that dominated the computer world all year. According to
the "popularity" ratings the virus pushed "Word.CAP" and
"Excel.Laroux" into second place. One should also pay attention to
the virus's dangerous payload: depending on the current date the
virus erased the Flash BIOS, which under some conditions could kill
the motherboard.

August 1998: birth of the sensational "BackOrifice" ("Backdoor.BO"),
a utility for covert (hacker's) management of remote computers and
networks. After "BackOrifice" some other similar programs came into
being: "NetBus", "Phase" and others. Also in August the first virus
infecting Java executable files, "Java.StangeBrew", was born. The
virus was no danger to Internet users, as there was no way to
invoke the functions critical for the virus's replication on a
remote computer. However, it showed that even Web browsers could
be attacked by viruses.

November 1998: "VBScript.Rabbit". The Internet expansion of
computer parasites proceeded with three viruses infecting
VisualBasic scripts (VBS files), which were being actively used in
Web page development. As the logical consequence of the VBScript
viruses, the full-fledged HTML virus "HTML.Internal" was born.
Virus writers obviously turned their efforts to network
applications and to the creation of a full-fledged network worm
virus that could employ MS Windows and Office features, infect
remote computers and Web servers and/or aggressively replicate
itself through e-mail.

The anti-virus manufacturers' world was also considerably
rearranged. In May 1998 Symantec and IBM announced the union of
their forces on the anti-virus market. The joint product would be
distributed under the Norton Anti-Virus trade mark, and the IBM
Anti-Virus (IBMAV) program was discontinued. The response of the
main competitors, Dr.Solomon and NAI (former McAfee), followed
immediately. They issued press releases offering IBM product users
a promotional replacement of the dead anti-virus with their own
products.

Less than one month later Dr.Solomon "committed suicide". The
company was bought by NAI (former McAfee) for 640 million US
dollars through an equity swap. The event shocked the anti-virus
world: the conflict between two anti-virus giants ended with a
simple bargain that killed one of the most notable and
technologically strong anti-virus software manufacturers.

What Will be Tomorrow?

What can be expected from the computer underground in the coming
years? Most probably the main problems will remain the following:

1) polymorphic DOS viruses, with the additional problem of
polymorphism in macro viruses and in viruses for Windows and maybe
OS/2;
2) macro viruses with new and improved ways of infecting and of
covering the tracks of their code in the system;
3) network viruses, using network protocols and commands for
spreading.

Type 3) is now only in the earliest stage of development: viruses
make their first faint attempts to spread their code by themselves
via Microsoft Mail and FTP, but the best is yet to come.

Other problems may appear which might bring a lot of trouble to
users and plenty of extra work to the developers of anti-virus
programs. However, I look to the future optimistically: every
problem in the history of the development of viruses has been more
or less successfully solved.

Future problems, which are now just ideas in the sick minds of
virus makers, will most probably be solved in the same way!
   
