Inquiring Minds

LOTS ABOUT VIRUSES FROM TWO WEB SITES

1986

  • The first PC virus was created. Known as the Brain virus, it was written in Pakistan. The Brain virus was a boot-sector virus, which means it only infected the boot records of 360K floppy disks, but not hard drives. It would occupy unused space on the disk so that it could not be used. It was also the first "stealth" virus, meaning it tried to hide itself from detection. If a computer user tried to view the infected space on the disk, Brain would display the original, uninfected boot sector.

1987

  • In November, the Lehigh virus was discovered at Lehigh University in the U.S. It was the first "memory resident file infector". A file-infecting virus attacks executable files. It gets control when the file is opened. The Lehigh virus attacked a file called COMMAND.COM. When the file was run (usually by booting from an infected disk), the virus stayed in the resident memory.
  • In December, the Jerusalem virus appeared at Hebrew University in Israel. It was also a memory resident file infector. It was the first virus that contained a bug that caused it to re-infect already infected programs.

1988

  • In March, the first anti-virus virus was written. It was designed to detect and remove the Brain virus and to immunize disks against Brain infection.
  • The Cascade virus is found in Germany. It was the first encrypted virus, meaning it was coded so that it could not be changed or removed.
  • Viruses started getting media attention, with articles in magazines like Business Week, Newsweek, Fortune, PC Magazine and Time.

1989

  • On September 17, the Washington Post reports that a computer virus "that springs to life destructively on Friday the 13th is on the loose". The virus was called DataCrime and ended up being blown way out of proportion.
  • A virus called Dark Avenger introduced a new feature. It was designed to damage a system slowly, so it would go unnoticed at first and damaged files would be backed up.
  • In October, the Frodo virus turned up in Israel. It was the first full-stealth file infector, designed to damage the hard drive if run on or after September 22 of any year.

1990

  • Many anti-virus products were introduced, including ones from IBM, McAfee, Digital Dispatch and Iris.
  • Viruses combining various characteristics sprang up. They included Polymorphism (involves encrypted viruses where the decryption routine code is variable), Armoring (used to prevent anti-virus researchers from disassembling a virus) and Multipartite (can infect both programs and boot sectors).

1991

  • Symantec releases Norton Anti-Virus software.
  • In April, the Tequila virus is discovered. It is Stealth, Polymorphic and Multipartite!

1992

  • Media mayhem greeted the virus Michelangelo in March. Predictions of massive disruptions were made and anti-virus software sales soared. As it turned out, the cases of the virus were few and far between.

1993

  • The SatanBug virus appears around Washington DC. The anti-virus industry helped the FBI find the person who wrote it - it was a kid.
  • Cruncher was considered a "good" virus because it compressed infected programs and gave users more disk space.

1994

  • A virus called Kaos4 was posted on a pornography news group file. It was encoded as text and downloaded by a number of users.
  • A virus called Pathogen appeared in England. The writer was tracked down by Scotland Yard's Computer Crime Unit and convicted.

1995

  • Anti-virus companies worried nobody would need them anymore because of Windows 95. The most common viruses were still boot viruses that worked on DOS, but wouldn't replicate on Windows 95. But, later in 1995, macro viruses appeared. These viruses worked in the MS-Word environment, not DOS. The anti-virus industry was caught off-guard, but was happy at the same time.

1996

  • Concept, a macro-virus, becomes the most common virus in the world.
  • Boza, a weak virus, is the first virus designed for Windows 95.
  • Laroux is the first virus to successfully infect Microsoft Excel spreadsheets.

1999

  • The Melissa virus, a macro, appears. It uses Microsoft Word to infect computers and is passed on to others through Microsoft Outlook and Outlook Express e-mail programs.

2000

  • The "I Love You Virus" wreaks havoc around the world. It is transmitted by e-mail and when opened, is automatically sent to everyone in the user's address book.

To learn more about computer viruses and to keep up with the latest virus news, check out F-Secure Framework's site, IBM's anti-virus webpage and Symantec's website.


_________________________________________________________________ 

Fred's Safety Belt
~~ Fred Arshoff.

HISTORY OF COMPUTER VIRUSES

Before going into the history, I will say that the first viruses were not as dangerous as today's viruses. They were more like pranks that you got from sharing floppy disks with family members or friends, or taking work home from the office computer to finish on your home computer. Those early viruses didn't affect the REGISTRY, as there was none back then. In those days we used either DOS (disk operating system) or Windows 3X (3.0 to 3.11). Those versions of Windows used INI FILES to have the computer know your settings, and each program usually set up its own INI FILE. Those first viruses didn't even corrupt INI FILES. Some children (and even some adults) would have a giggle with the viruses such as the PING PONG VIRUS. What that virus did was have a ping pong ball move around your screen. When you were working on your computer, it could make you have problems focusing on your work, but at least you didn't lose data, or have to reformat your hard drive, or reinstall your operating system. Your AV (antivirus program) was able to detect this virus and remove it very easily. For more information on this virus go to these URLs and read about the variations of it. Personally, I haven't seen this virus in years, but then again, most AV will detect this one right away and give you a warning. This is one of the reasons I do highly recommend we all have an updated AV program installed on our computers.

Sophos

About.com

After that came along more pranks such as THE STONED. Of course, if you were a teenager (or even an adult) on drugs, this would have also given you a laugh as you normally would have gotten a message "I'm stoned". In those days there was really no damage to your hard drive, or need to reinstall your operating system. This usually was received in the same way as I mentioned about the Ping Pong virus. Below are URLs to read up more on this virus and its variations.

Sophos

Symantec

After these came viruses that were more sophisticated and set trigger dates. Due to this, many computer users knew in advance that the virus was going to have its (destructive) payload on a certain date and made sure their AV data file was up to date to detect and remove the virus before it hit. One of the first of this type was the Michelangelo virus. Of course, the date this virus goes off is on Michelangelo's birthday.

totse.com

C|net

How does the Michelangelo virus crash the hard drive of your computer on his birthday and how does it work?

The Michelangelo virus was first reported in April, 1991 in Sweden and the Netherlands. The Michelangelo virus, as well as some other computer viruses, gets on your computer by booting from an infected floppy disk. The Michelangelo virus hides in special and important places on disks, the boot sector and partition areas. The boot sector is the region of the disk that contains system information and is the first sector to be read when your machine starts. The Michelangelo virus becomes memory resident the first time the system is booted with a Michelangelo virus-infected disk. Even if the disk is not a bootable floppy, but just infected in the boot sector, the Michelangelo virus will become memory resident. Once the Michelangelo virus is memory resident, it will infect diskette boot sectors of diskettes as they are accessed. This is how the virus spreads itself to other disks. If a Michelangelo virus-infected disk is booted on March 6, it will activate and erase important parts of the hard disk, in particular the system area of the hard disk. The hard disk will no longer boot and will need to be reformatted to make the drive work again. Like a biological virus, computer viruses need hosts to survive and reproduce. In this case the host is your computer. If you trade or exchange disks with other people, you should always run a virus check before you run any programs from possibly infected disks. If you have a hard drive, never turn on or reset your computer with a floppy in the drive. That is how the Michelangelo virus, and many others, infects computers. If you have the Michelangelo virus infecting your hard drive, it will infect disks as you access them and spread itself.  (David S. Lapointe, Ph.D., Computing Resources, UTHSCSA)
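A boot-sector integrity check for the kind of infection described above, as an added example that is not part of the original column: it compares a hard-disk boot sector, read after starting from known-clean media, with a known-good copy and reports which region changed. The offsets follow the standard PC MBR layout; the function names and sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Standard PC MBR layout: boot code, four 16-byte partition entries, signature.
REGIONS = {"boot_code": (0, 446), "partition_table": (446, 510), "signature": (510, 512)}
ENTRY_FMT = "<B3xB3xII"  # status, CHS (skipped), type, CHS (skipped), LBA start, sector count


def parse_partitions(sector):
    """Decode the in-use partition entries stored at offset 446."""
    entries = []
    for slot in range(4):
        raw = sector[446 + 16 * slot: 462 + 16 * slot]
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def audit_boot_sector(current, baseline):
    """Compare a freshly read boot sector with a known-good copy."""
    if len(current) != SECTOR_SIZE or len(baseline) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    changed = [name for name, (lo, hi) in REGIONS.items()
               if current[lo:hi] != baseline[lo:hi]]
    return {"sha256": hashlib.sha256(current).hexdigest(),
            "valid_signature": current[510:512] == b"\x55\xaa",
            "changed_regions": changed,
            "partitions": parse_partitions(current)}


def make_sector(code, entries):
    """Build a constructed 512-byte sector for the demonstration."""
    table = b"".join(entries).ljust(64, b"\x00")
    return code.ljust(446, b"\x00") + table + b"\x55\xaa"


# Constructed sample data: one active partition (type 0x06) starting at LBA 63.
ENTRY = struct.pack(ENTRY_FMT, 0x80, 0x06, 63, 1_000_000)
BASELINE = make_sector(b"KNOWN-GOOD-BOOT-CODE", [ENTRY])
REPLACED_CODE = make_sector(b"UNEXPECTED-BOOT-CODE", [ENTRY])  # boot code differs
WIPED = bytes(SECTOR_SIZE)  # system area overwritten with zeros

if __name__ == "__main__":
    for label, sector in [("baseline", BASELINE), ("replaced", REPLACED_CODE), ("wiped", WIPED)]:
        report = audit_boot_sector(sector, BASELINE)
        print(label, report["valid_signature"], report["changed_regions"], report["partitions"])
```

A changed boot-code region with an intact partition table is the pattern to investigate first; an all-zero sector matches the erased system area the passage describes.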

Of course there are many other viruses with specific payload dates.  To find out what virus strikes at what date go to this URL:
About.com

Then came viruses that stay in memory. Those were harder to remove as they were written in such a way that, if the virus detected you were running an AV program to delete the virus, it jumped from one place on your hard drive to another. When you get a virus that does stay in memory, the easiest way to get it out of memory is to shut down your computer properly (using "SHUTDOWN" and not just by turning the power off) and keep the computer turned off for five minutes or so (if in doubt, longer is always better).

Question: Every time I turn on the computer I get a message that I have a memory virus and should shut down and restart. What is a memory virus and what can I do to correct it?

Answer: A memory virus is constructed to load itself into your computer's memory and to lurk there until it can pounce and infect a program passing by.

Memory viruses vary in their virulence, but one, the Chernobyl virus, which was written in Taiwan, is particularly vicious. It is designed to destroy all the data on the hard drive. And that is just for starters.  The Chernobyl virus will also try to get into your BIOS - the file that sets up and controls your PC's hardware - and short circuit it, in essence crippling the computer until you can replace the BIOS.  

To get rid of a memory virus, arm yourself with an antivirus program.  Symantec, Network Associates and Sophos are among the firms providing sound antivirus software.

But, before you install an antivirus program, read the manual carefully, particularly the section that details how you should proceed if your PC was infected before you bought the program.

Next came Trojans. 

What these do is allow the person who makes this virus (Trojan) to have complete access to your computer: add stuff to your hard drive, or worse yet, steal things from you such as your SIN (social insurance number), credit card number, etc. Some people do use Trojans to administer other computers. They do this instead of buying software themselves. One such software that does this is PCAnywhere and there are many others. 

Having a Firewall up and running will tell you if someone is breaking into your computer to steal your valuable information. There are many firewalls available, so read what each does before deciding on the one that you will purchase. These types of viruses do make changes to your registry, and before you try to remove them always read the full instructions from your AV vendor to make sure you delete only the correct lines. Before editing your registry I STRONGLY RECOMMEND YOU BACK IT UP to floppy disk or CD (in case you delete the wrong line, you can restore the registry and then try again to remove the correct line).

For more details on Trojans go to this URL 

About.com

If you do get a Trojan here is a site that will give you step-by-step instructions for removing Trojans. 

Sophos

Below is a URL for information on one of the newest Trojans to come out:

Sophos

Around the same time came Macro viruses that mostly infect MS Office programs and, in particular, Word and Excel. I won't go into too much detail about this type of virus, as it will be the topic for next month, but will tell you a few things now. Any program which allows autoexec macros is a potential target for macro virus writers.

Word macro viruses: 
Documents in Microsoft Word can contain macros, which are preset action sequences usually invoked by a single keystroke. A document can also contain an autoexec macro, which automatically runs whenever the document is opened, or which replaces a menu item. These macros can be used to conceal viruses!  Word macro viruses replicate by inserting copies of themselves in any Word document which is saved while they are running. They do this by capturing the File>Save command.  Word macro viruses are very new and fortunately not widespread. 

Here are some examples:

  • CONCEPT: The original Word macro virus, this one only tested the macro virus concept. It is a benign virus with no virus payload.
  • WAZZU: This one scrambles occasional lines of Word documents and inserts the word "wazzu" at random places within your document.
  • NUCLEAR: writes "End French Nuclear Testing in the Pacific" on the end of any document which is printed during the last 4 seconds on the minute. It also launches a regular code virus which does the same thing.
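A triage rule for the macro behaviour described above, as an added example that is not part of the original column: it flags a document whose macros combine an auto-run name, a macro that takes over the File>Save command, and a statement that copies macros. It assumes macro names and source text were already extracted by a separate tool; the name lists are Word's auto-macro and command names, and the sample documents are constructed.

```python
import re

# Names Word runs automatically, and built-in commands a macro replaces
# when it carries the same name (the "capturing File>Save" behaviour).
AUTO_RUN = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit"}
COMMAND_HOOKS = {"filesave", "filesaveas"}
# Statements that copy macro code between a document and a template.
COPY_CALLS = re.compile(r"\b(MacroCopy|OrganizerCopy)\b", re.IGNORECASE)


def triage_macros(macros):
    """Classify a document from a {macro name: source text} mapping."""
    by_lower = {name.lower(): name for name in macros}
    auto = sorted(by_lower[n] for n in by_lower if n in AUTO_RUN)
    hooks = sorted(by_lower[n] for n in by_lower if n in COMMAND_HOOKS)
    copiers = sorted(n for n, src in macros.items() if COPY_CALLS.search(src))
    if auto and hooks and copiers:
        verdict = "replication-pattern"   # runs on open, hooks save, copies macros
    elif auto or hooks:
        verdict = "review"                # auto macros also have legitimate uses
    else:
        verdict = "no-auto-macros"
    return {"verdict": verdict, "auto_run": auto,
            "command_hooks": hooks, "copiers": copiers}


# Constructed samples: macro bodies are placeholders, not real macro code.
SUSPECT = {"AutoOpen": "REM constructed sample\nMacroCopy a$, b$",
           "FileSaveAs": "REM constructed sample\nMacroCopy a$, b$"}
OFFICE_TEMPLATE = {"AutoNew": "REM constructed: fills in today's date",
                   "InsertLogo": "REM constructed"}
PLAIN = {"FormatTable": "REM constructed"}

if __name__ == "__main__":
    for label, doc in [("suspect", SUSPECT), ("template", OFFICE_TEMPLATE), ("plain", PLAIN)]:
        print(label, triage_macros(doc))
```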

Last but not least is the Worm: 

These are the email viruses that send themselves to people in your address book and perhaps inbox without your knowledge. These are usually in attachments, and the best way to avoid getting them is not to open an attachment unless you were told to expect it and it is the same size you were told it was. Here are some URLs about some popular worms.

Badtrans 
About.com

Explore.zip
Symantec

Melissa
Sophos

Symantec

This will give you a choice of what variant of this worm you wish to read about.

Until next month, let's all stay virus free and be careful of what attachments we open to avoid getting a computer virus. They can be much more costly than a virus we humans can catch.

I do hope you enjoy reading my column as much as I enjoy putting it together for you and helping you learn about computer viruses.

Fred Arshoff is self-employed in the computer industry where his favorite thing is troubleshooting security and virus issues.
