Computer Viruses - what are they and how to fight them?


Eugene Kaspersky

Kapnist has scribbled a piece of humongous size
(Yuli Kim, "Kapnist").

Computer viruses. What are they and how to fight them? There are dozens of books and hundreds of articles on this topic. Hundreds (or thousands) of experts in dozens (or maybe hundreds) of companies fight viruses professionally. One might think that the subject is not important or complicated enough to attract such an enormous amount of attention. But this is not the way things are. Computer viruses have been, and still are, one of the most widespread causes of data loss. There are known cases where viruses have blocked the normal functioning of entire organizations and companies.

Despite all the enormous efforts of the competing anti-virus companies, the losses caused by computer viruses rise to the astronomical heights of hundreds of millions of dollars every year, and these figures understate the real losses, because only a part of such information ever becomes public.

One should keep in mind, though, that anti-virus programs and hardware do not give complete protection from viruses. Things are about as bad on the other side of the "human-computer" coin: neither users nor professional programmers have even the most basic self-defense skills, and their knowledge of viruses is sometimes so shallow that they would be better off without it.

Things are slightly better in America and Western Europe, where there is more literature (there are as many as three monthly magazines devoted to viruses and virus protection), fewer viruses (because Chinese knock-off CDs are not on the market), and the anti-virus companies are more active (for example, special conferences and seminars are held for specialists and users). To my regret, in our country this is not quite so. And one of the least developed areas is literature devoted to the problems of fighting viruses. So far the available anti-virus literature is either outdated, or written by non-professionals, or, which is much worse, written by authors like Khizhnyak (a technical book about writing viruses and anti-viruses).

It is also rather unpleasant that the computer underground works faster than its opponents. In just two years more than a dozen issues of electronic virus writers' magazines have been published, and several bulletin board systems and World Wide Web pages devoted to spreading viruses and related information have appeared.

All this prompted me to bring together the material I had accumulated over eight years of professional work with computer viruses: analyzing them and developing methods of detection and disinfection.

To begin with, I would like to point out that the material published below includes several edited chapters from my book "Computer Viruses in MS-DOS" (1992), articles published in the magazines "Intercomputer" and "Computer Press" (Russia) and "Virus Bulletin" (England), several texts from "The AVP Virus Encyclopedia", and even, in part, material from the newsgroup "relcom.comp.virus". Certainly because of this, different parts of the book differ greatly in style, from casual and even vulgar to almost academic. Besides that, the narrative switches between the first and the third person. I would like to apologize for this in advance; the reason is a constant lack of time. Such a motley style, though, might not be a disadvantage, and may keep the book from being hopelessly dull.

Another shortcoming one might point out is the almost complete omission of non-IBM PC viruses: those infecting Macintosh, VAX and other kinds of computers. Methods of detecting and removing viruses under Windows 3.xx, Windows 95, Windows NT and OS/2 are not extensively covered, nor are several technical aspects of how viruses embed themselves into these operating systems. I hope that future versions of this book will be free of these drawbacks.

And turning to the customary credits, I would like to say a big "thank you" to:

I am very sorry that the article you are about to read will also be read by some creators of computer "insects", and that these people will take it into account and use it wherever they can.

The chapter called "The History of Computer Viruses" is based upon material from the following titles:

The chapters on macro viruses were prepared together with Andrew Krukov. Vadim Bogdanov took part in writing the chapters about Windows.


Contents

The Computer Viruses Phenomenon
What is a Computer Virus?
Explanation for a Housewife
Attempt to Give a "Normal" Definition

Who Creates Viruses and Why?
The History of Computer Viruses - From the Ancient Days to Present Time
A Bit of Archeology
Journey's Start
Polymorphism - Viral Mutation
Automating Production and Viral Construction Sets
Outside DOS
Macro Virus Epidemics
Chronology of Events

The Perspective: What Will be Tomorrow and the Day After Tomorrow
What Will be Tomorrow?
What Will be the Day After Tomorrow?


Whenever I swallow something, something interesting
begins to happen immediately. Let's see what
happens this time!
Lewis Carroll. "Alice in Wonderland"

The Computer Viruses Phenomenon

The 20th century is undoubtedly one of the turning points in the life of mankind. As a science fiction novelist once said, "mankind has rushed forward, like a whipped horse"; having defined themselves as a technocratic civilization, our grandfathers, our fathers and we ourselves have been giving all our abilities and strength to the development of machines: from medical instruments to spaceships, from agricultural machinery to atomic power plants, from transport to communications. The list is endless, because one can hardly name a single area of human activity not affected in some way by the development of machinery.

What was the reason for such global and intensive progress? Military confrontation, the evolutionary "brain growth" of humans, or humans' pathological laziness (inventing the wheel because it was too tiresome to carry mammoths to the cave)? I don't know. Let's leave that question to future historians.

Mankind has been seized and charmed by machinery; few people would agree to give up a modern automobile in favor of a horse cart. Many people have already forgotten what conventional mail is, with its paper envelopes and couriers; e-mail has taken its place, delivering messages with unbelievable speed (minutes at most, irrespective of distance) and very reliably. I cannot imagine modern society without computers, which can increase the productivity of labor many times over and deliver any imaginable information (something like "go I know not where, bring I know not what"). Cellular phones are no longer unusual to us; I myself got used to mine after the first day. Now imagine all this just ten years ago.

The 20th century is also one of the most contradictory centuries. It is the age of paradoxes, the main one of which, I think, is man's attitude towards nature. Having ceased to be nature's friend, having conquered it and proved that he might easily destroy it, man suddenly realized that he would die together with nature, and suddenly all the roles in the "mankind vs. nature" drama became mixed up. Before, man defended himself from nature; now he defends nature from himself. Another phenomenon of the 20th century is mankind's attitude towards religion. Having become a technocrat, man still believes in God (or in something similar). Moreover, some new religions have appeared and matured.

In my opinion, the most important technical phenomena of the 20th century are: man's journey into space, the use of atomic energy, the revolutionary development of communication and information technology, and of course the staggering development of micro- and macro-computers. And as far as computers are concerned, there is one more phenomenon of the end of the century: the phenomenon of computer viruses.

It may seem ridiculous to many people, but the appearance of computer viruses is in no way less significant than space flight, the electronics boom and the age of nuclear energy. Correct me if I'm wrong, but let me explain.

First of all, computer viruses present a serious and distinctive problem which no one expected. Even the all-seeing science fiction futurologists of the past had nothing to say on the subject (as far as I know). In many of their books one may find numerous prophecies which more or less resemble today's technical achievements (remember H. G. Wells, for example, with his idea of a flight to the Moon with the help of a cannon, and the invasion of Martians armed with something like lasers). Calculating machines are a theme they developed extensively, but still there is not a single prophecy about computer viruses. Science fiction writers began writing about viruses only after the first real virus had hit its first computer.

Secondly, the computer virus is the first attempt to create artificial life. A successful attempt, but I wouldn't call it a useful one: so far the computer microorganisms are more like pests than anything else, creating all kinds of trouble.

But still this is life, because viruses have all the properties of a living organism. They can propagate, adapt themselves to their environment, move, etc. (within computers only, of course, just as biological viruses do the same within cells). Furthermore, there even exist "bisexual" viruses (see the RMNS virus), and an example of "multicellular" structures are macro viruses, which consist of several independent macros.

And thirdly, the subject of computer viruses stands apart from most other computer-related problems (leaving aside such computer-specific problems as copy protection or cryptography). Virtually all the problems which man solves using computers are a purposeful continuation of man's struggle with nature. Nature gives man a long non-linear differential equation in 3-D space; man stuffs a computer with processing units and RAM, plugs in a web of dusty cables, smokes a lot, and finally solves the equation (or at least he is quite sure he does). Nature gives man a piece of wire with particular properties; man invents an algorithm for pushing as much data as possible through this wire, tortures it with modulations, compresses bytes into bits and patiently waits for superconductivity at room temperature. Nature (in the person of IBM) gives man another limitation, the next version of the IBM PC; man loses his sleep and smokes a lot again while optimizing the code of the next database to fit it into the given RAM and disk resources. And so on and so forth.

Fighting computer viruses, however, is a fight of one human intelligence against another (though in a sense that too is just another form of the forces of nature; there is more than one opinion on that). This is a fight of wits, because virologists face tasks set by other people just like them. They invent a new virus; we have to take care of it. Then they invent a new virus which is very hard to crack; we still have to take care of it. And even as we speak there is certainly a guy no dumber than me sitting in front of a computer, obsessed with producing another monster which I will have to analyze for a whole week and then spend another week debugging the anti-virus algorithm. Just like the evolution of living organisms, isn't it?

We see now that the appearance of computer viruses is one of the most interesting moments of the 20th century's technical progress. So let's finish our semi-philosophical talk and turn to concrete problems. The first of them is the question of how to define a computer virus.

So what is a computer virus?

What is a Computer Virus?

One may think of several explanations of what a computer virus is. The simplest is a commonplace one, fit for a housewife who has never seen a computer in her life but knows that It exists and that It is prone to virus infection. Such an explanation can be given rather easily, unlike the other one, meant for an expert programmer. So far I don't think I can give an exact definition of a computer virus and draw a clear line between programs on a "virus / non-virus" basis.

Explanation for a Housewife

This explanation will be given using the example of a desk clerk working exclusively with papers. The idea of such an explanation belongs to D. N. Lozinsky.

Let's imagine a desk clerk coming to work every day at his office. Every day he finds on his desk a stack of papers with a list of tasks which he must carry out during his working day. He takes the top paper from the stack, reads the instructions of his superior, follows them carefully, then throws the "used" paper into the waste basket. Suppose a bad guy sneaks into the office and inserts into the stack a paper with his own task, which goes something like this:

"Copy this paper twice, put the copies into the stacks of two neighboring clerks, and destroy the original."

What will the desk clerk do? He will copy this paper twice, destroy the original and continue with the next paper in the stack, i.e. go on working as usual. What will his neighbors do, being as conscientious workers as he is, when they find the new task? The same thing as the first one did: copy the paper twice and pass it on to other desk clerks. Altogether we already have four copies of the paper, and it will go on being copied and handed to other people.

This is approximately the scenario by which a computer virus works, with programs instead of stacks of paper and computers instead of desk clerks. A computer, like a desk clerk, carefully carries out all the commands contained in a program (task list), starting from the first one. If the first one says something like "copy my body into two other programs", the computer will do so, and the virus command will now be in two other programs. When the computer runs those "infected" programs, the virus will spread further through the computer in the same manner.

In the above example of a desk clerk and his office our paper virus does not check whether the other stack of papers is already infected. In that case by the end of the working day the whole office will be overrun with piles of such copies, and the clerks will have nothing to do but copy the same text and hand it to their neighbors: the first clerk makes two copies of the paper, the next victims of the virus make four copies, then 8, 16, 32, 64 and so on; the number of copies doubles each time.

If a desk clerk needs 30 seconds to copy one paper and 30 seconds more to pass the copies on, then after an hour (60 doublings, i.e. 2^60) there will be more than 1,000,000,000,000,000,000 copies of the virus in the office! Soon, of course, the office will run out of paper, and the spreading of the virus will stop for this obvious reason.

Funny as it may seem (although the participants in this incident were not laughing at all), exactly the same thing happened in America in 1988, when several global information networks were overflowed with copies of a network virus (Morris's worm) which transferred itself from one computer to another. To avoid this, "direct" viruses behave like this:

"Copy this paper twice and put the copies into the stacks of your neighbors, if they don't already have one."

The problem is solved: there is no "overpopulation", but each stack contains a copy of the virus, and besides that the desk clerks still manage to do their usual jobs.

"How about the destruction of data?" an educated housewife may ask. This is very simple: it is sufficient to add to the list something like this:

  1. "Copy this list twice and put the copies into the task stacks of your neighbors, if they don't already have one.
  2. Check the calendar, and if the date is Friday the 13th, throw all the documents into the waste basket."

That's about all the once well-known "Jerusalem" virus (a.k.a. "Time") did.
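The task list above (spread only where no copy exists yet, then run a date-triggered payload) is small enough to model directly. The following Python script is an added example and not part of the original text: each "program" is a list of instructions executed top to bottom, the programs run in round-robin order, and a virus instruction copies itself into the two neighboring programs. The neighbor choice, the round-robin order and the two dates (13 February 1998 was a Friday) are assumptions of this example, chosen so that the outcome is deterministic. Running it with the check switched off reproduces the "overpopulation" of the first office scenario; with the check on it reproduces the "direct" virus, where every program ends up with exactly one copy.

```python
"""Toy model of the desk-clerk analogy (added example, not from the original text).

A "program" is a list of instructions executed top to bottom, like a clerk's
stack of papers.  A virus instruction copies itself into two other programs
and, on Friday the 13th, wipes the "documents".  The neighbour choice
(programs i-1 and i+1) and the round-robin execution order are assumptions
of this example; the dates are constructed so the run is deterministic.
"""
import datetime

VIRUS = "virus"
WORK = "work"

# Constructed dates: 1998-02-13 was a Friday, 1998-02-12 a Thursday.
FRIDAY_13 = datetime.date(1998, 2, 13)
ORDINARY_DAY = datetime.date(1998, 2, 12)


def make_virus(check_before_copy):
    """The bad guy's sheet.  check_before_copy=True is the "direct" variant:
    copy only into stacks that do not already hold a copy."""
    return (VIRUS, check_before_copy)


def copy_count(program):
    """Number of virus bodies a program carries."""
    return sum(1 for instr in program if instr[0] == VIRUS)


def run_program(index, programs, documents, today):
    """Execute programs[index] the way a clerk works through his stack."""
    n = len(programs)
    for instr in list(programs[index]):          # snapshot: copies made now run later
        if instr[0] != VIRUS:
            continue                             # ordinary work, nothing to model
        _, check = instr
        # Task 1: copy my body into the two neighbouring programs.
        for target in ((index - 1) % n, (index + 1) % n):
            if check and copy_count(programs[target]) > 0:
                continue                         # neighbour already has one
            programs[target].insert(0, instr)    # prepend: it runs first next time
        # Task 2: the "Jerusalem"-style payload, Friday the 13th only.
        if today.weekday() == 4 and today.day == 13:
            documents.clear()


def simulate(num_programs, runs, check_before_copy, today):
    """Infect program 0, then run the programs round-robin for `runs` steps.
    Returns the programs and the surviving documents."""
    assert num_programs >= 3, "neighbours i-1 and i+1 must differ from i"
    programs = [[(WORK, i)] for i in range(num_programs)]
    programs[0].insert(0, make_virus(check_before_copy))
    documents = ["report.doc", "budget.xls"]     # constructed "office documents"
    for step in range(runs):
        run_program(step % num_programs, programs, documents, today)
    return programs, documents


if __name__ == "__main__":
    for check in (False, True):
        programs, docs = simulate(5, 5, check, ORDINARY_DAY)
        counts = [copy_count(p) for p in programs]
        print("check" if check else "no check", "-> copies per program:", counts)
    _, docs = simulate(5, 5, True, FRIDAY_13)
    print("on Friday the 13th, documents left:", docs)
```

With five programs and five runs, the unchecked variant ends with 13 virus bodies spread over five programs (program 0 alone carries four, and every further run adds more), while the checked variant ends with exactly one copy per program and then has nothing left to do. Infection and damage are separate instructions on the same sheet, which is the whole point of the two-item list.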

By the way, the desk-clerk example also shows why in most cases it is impossible to say where a virus on your computer came from. All the clerks hold identical COPIES (differing only in handwriting), while the original, written by the bad guy's own hand, has long since been lying in the waste basket!

This is the simple explanation of how a virus works. I would like to add two axioms to it which, strange as it may seem, are not obvious to everyone:

Firstly, viruses do not appear by themselves; they are created by very evil and bad hacker-programmers, who then release them into information exchange networks or slip them onto the computers of their acquaintances. A virus cannot sneak onto your computer by itself: either it was hiding on a diskette or even on a CD, or you accidentally downloaded it from a computer network, or the virus was on your computer from the very beginning, or, worst of all, a hacker lives in your home.

Secondly, computer viruses infect only computers and nothing else, so don't be afraid: they are not transmitted through the keyboard or the mouse.

Attempt to Give a "Normal" Definition

The first attempts to study self-replicating artificial entities were made in the middle of this century. Von Neumann, Wiener and other authors defined and mathematically analyzed finite automata, including self-replicating ones. The term "computer virus" appeared later; it is now accepted that it was first used by Fred Cohen (USA, then at the University of Southern California) in 1984, at the seventh computer security conference, held in the United States. A lot of time has passed since then and viruses present a far bigger problem now, but there is still no exact definition of a computer virus, despite many attempts to give one.

The main difficulty in trying to give an exact definition of a virus is that virtually every distinctive feature of a virus (embedding itself in other objects, stealth, potential for harm and so on) may be found in other, non-virus programs, or there exist viruses which lack that feature (except for the ability to spread).

For example, if we take stealth as the distinctive feature of a virus, it is easy to give an example of a virus that does not hide its spreading. Such a virus, before infecting any file, outputs a message saying that there is a virus in the computer ready to hit another file, prints the file name and asks the user's permission to embed itself in that file.

If we take the ability to destroy programs and data on disks as the distinctive feature of a virus, then as a counter-example there are dozens of absolutely harmless viruses which do nothing but spread themselves.

However, even the main feature of computer viruses, their ability to embed themselves into various objects of the operating system, can be found in many conventional programs which are not viruses. For example, the most widespread operating system, MS-DOS, has all the means needed to install itself onto non-DOS disks on its own. To do so it is sufficient to create an AUTOEXEC.BAT file containing the following lines:

SYS A:
COPY *.* A:
SYS B:
COPY *.* B:
SYS C:
COPY *.* C:
...         

on a DOS boot floppy.

If you modify DOS as described above, it becomes a virus in its own right from the point of view of any existing definition of a computer virus.

Thus the first obstacle to an exact definition of a virus is that no feature can be named which a virus, and only a virus, possesses.

The second difficulty in working out a definition of a computer virus is that the definition has to be OS-specific. For example, in theory there can be operating systems in which viruses simply cannot exist: a system which forbids modifying executable code, i.e. those objects which are being executed or may be executed by the operating system under certain conditions.

Therefore it is only possible to give a necessary condition for considering some sequence of executable code a virus.

THE NECESSARY CONDITION FOR BEING CONSIDERED A COMPUTER VIRUS is the capability to produce copies of itself (not necessarily exact byte-for-byte replicas) and to embed them into computer networks and/or files, system areas of computers and other executable objects. The copies in turn retain the capability to spread further.

It has to be mentioned that this condition is necessary but not sufficient: the MS-DOS operating system, for example, meets the necessary condition of a virus but is obviously not a virus.

This is why there is no exact definition of a virus up to this moment, and it can hardly be given in the near future. Therefore there is no exactly defined law by which "good" files may be told from "viruses". And more than that, for a particular file it is sometimes rather difficult to tell whether it is a virus or not.

Here are two examples: the KOH virus and the ALREADY.COM program.

Example 1. There is a virus(?) utility(?) called KOH. This program encrypts/decrypts disks, on the user's request only. It comes as a bootable diskette with the KOH bootstrap loader; the executable code of KOH is somewhere in the other sectors. After booting from the diskette, KOH asks the user something like "May I install myself on your hard disk?" (if it is already installed on the hard disk, it asks the same about the diskette). If the answer is yes, KOH transfers itself from one disk to the other.

As a result, KOH transfers (copies) itself from diskettes to hard disks and vice versa, but only if the user permits it.

KOH then outputs some text about its hot keys, by pressing which it encrypts/decrypts disks: it prompts for a password, reads sectors, encrypts them and makes them unavailable if you enter an incorrect password. By the way, it also has an uninstall key, which KOH uses to remove itself from disks (having first decrypted all the encrypted data, of course).

So KOH is a utility for protecting information from unauthorized access. However, it has one additional feature: this program can copy itself from one disk to another (with the user's permission). Is this a virus? Yes or no? Most likely not...

This would be fine, and nobody would call the utility KOH a virus, if it weren't for one thing. KOH's bootstrap loader is 100 percent identical to the rather "popular" "Havoc" virus ("StealthBoot")... end of story. It's a virus! It even has an official name: "StealthBoot.KOH".

Had KOH been written by somebody at Symantec or Sierra, or even by Microsoft, and not by an unknown author, nobody would even think of calling it a virus.

Example 2. There is a program called ALREADY.COM, which copies itself into different subdirectories on a drive depending on the system date. Is this a virus? Yes, of course: a typical worm, spreading itself over the drives (including network ones). Yes?... Yes!

"Close, but no cigar!" As it turned out, this is not a virus; it is part of some software package. However, if you detach this part from the rest of the package, it behaves like a typical virus.

So we have two live examples:
1. Non-virus - virus.
2. Virus - non-virus.

An attentive reader who is no stranger to argument may object:

- Hold it. Computer viruses are called "viruses" because, like their biological counterparts, they have the ability to self-propagate. KOH also has this ability, therefore it's a virus (or a package which includes a virus component).

In that case DOS is also a virus (or a package which includes a virus component), because it has the SYS and COPY commands. And if the boot disk has an AUTOEXEC.BAT file like the one shown above, there is not even any need for a user to initiate the propagation process. In addition, if we consider the capability to self-propagate a necessary and sufficient feature of a virus, then every piece of software which includes an installation program is a virus. Therefore this argument fails.

- ...what if we define a virus not just as "self-propagating code", but as "self-propagating code which does nothing useful and even does harm, without the user's participation or even knowledge"...

The KOH virus is a program that encrypts disks using a password supplied by the user. Everything it does is reported on the screen and all its actions are confirmed by the user. In addition, it has an "uninstall" option which decrypts all the disks and deletes the program body. Nevertheless it's a virus!

By subjective criteria (useful/useless, part of a package/stand-alone, etc.) maybe it is incorrect to call ALREADY.COM a virus/worm. But what is the use of being subjective?

But what could the objective criteria of being a virus be? Self-propagation, stealth, destructive capabilities? For each objective criterion one can find two counter-examples: a) some particular virus not meeting this criterion, and b) some particular non-virus program meeting it:

Self-propagation:

a. "intended" viruses, which cannot propagate because of numerous errors, or propagate only under very limited conditions.
b. MS-DOS and variations on SYS+COPY.

Stealth:

a. the "KOH", "VirDemo" and "Macro.Word.Polite" viruses, and some others, inform the user about their presence and propagation.
b. how many dozens of drivers does Microsoft Windows 95 load? They are all invisible to the user, by the way.

Destructive capabilities:

a. harmless viruses like "Yankee", which feel fine under DOS, Windows 3.x, Windows 95 and NT and don't mess up anything.
b. older versions of Norton Disk Doctor applied to drives with long file names: in this case Disk Doctor turns into Disk Destroyer.

And so the question of whether a "normal" definition of a computer virus can be given is still open. Only in a few cases can one tell exactly: for example, the COMMAND.COM file is definitely not a virus, whereas the notorious program containing the text "Dis is one half" is 100 percent virus ("OneHalf"). Everything in between may or may not be a virus.
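The closing observation, that a file containing the string "Dis is one half" can be classified with certainty while most files cannot, is the basis of signature scanning. The following Python script is an added example, not code from the original text or from AVP: it keeps a table of byte signatures, walks a directory and reports every match with its offset. Only the OneHalf text comes from the page; the signature table format, the sample files (constructed in a temporary directory) and the filter on executable suffixes are assumptions of this example. Scanning everything rather than just executables flags a plain text file that merely quotes the signature, which is the classification problem this chapter describes showing up as a false positive.

```python
"""Minimal signature scanner (added example, not from the original text).

The only signature comes from the text above: the page says a program
containing "Dis is one half" is the OneHalf virus.  Everything else here
(the signature table format, the sample files, the suffix filter) is an
assumption of this example.
"""
import os
import tempfile

# name -> byte pattern.  Constructed table; only the OneHalf text is from the page.
SIGNATURES = {
    "OneHalf": b"Dis is one half",
}

# Assumed list of suffixes worth scanning as DOS executables.
EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys", ".ovl")


def scan_bytes(data):
    """Return a list of (signature name, offset) for every match in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while True:
            pos = data.find(pattern, start)
            if pos == -1:
                break
            hits.append((name, pos))
            start = pos + 1                      # keep looking for further copies
    return hits


def scan_tree(root, executables_only=True):
    """Walk root and return {relative path: hits} for files with at least one hit.

    With executables_only=True, files whose suffix is not in EXECUTABLE_SUFFIXES
    are skipped, which avoids flagging documents that merely quote a signature."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if executables_only and not fn.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree():
    """Create a temporary directory with constructed sample files; return its path."""
    root = tempfile.mkdtemp(prefix="sigscan_")
    samples = {
        # a fake infected program: a jump, some filler, then the marker text at offset 19
        "GAME.COM": b"\xe9\x10\x00" + b"\x90" * 16 + b"Dis is one half" + b"\x00" * 8,
        # a clean program: INT 21h terminate, then padding
        "CLEAN.COM": b"\xb4\x4c\xcd\x21" + b"\x00" * 32,
        # a text file that quotes the signature, the way this chapter does
        "README.TXT": b"The OneHalf virus displays 'Dis is one half' on screen.\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("executables only:", scan_tree(root))
    print("all files:       ", scan_tree(root, executables_only=False))
```

A scanner meant for real use would also anchor each signature to the program's entry point or a fixed offset rather than matching it anywhere in the file; the suffix filter alone only removes the most obvious false positives, as the README.TXT case shows.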


Don't lose your temper, Shura, you still have to do
time for your last case.
From Zhvanetsky.

Who Creates Viruses and Why?

I have never written viruses myself and rarely meet their authors, so my conclusions on this matter may be purely theoretical.

So who does create viruses? To my mind, mainly students and schoolchildren who have just learned assembly language and want to try it out on something, but cannot find anything more worthwhile to do. One can only be glad that most such authors do not spread their viruses themselves, and after some time these viruses "die" together with the diskettes they are kept on. Viruses of this kind are created only to boost the author's self-esteem.

The second group also consists of young people (often students) who are not yet expert programmers but have already decided to devote themselves to creating and spreading viruses. The only thing driving such people to create viruses is an inferiority complex, which finds its outlet in computer hooliganism.

These "geniuses" often produce modifications of "classical" viruses, or extremely primitive viruses containing large numbers of errors. I call these viruses "student" viruses. The life of such virus writers became much easier after virus construction sets appeared, which make it possible to create viruses even with minimal knowledge of the operating system and assembly language, or even with no knowledge at all. Their life became easier still after macro viruses appeared, because instead of learning the rather complicated assembly language they could now learn the much simpler Basic.

Having grown up a bit and gained some experience, many such virus writers, still immature, fall into the third category, which is the most dangerous. It creates and releases so-called "professional" viruses. These are very thoroughly thought out and debugged programs created by professional programmers, and often by rather talented ones. Such viruses often implement original algorithms, undocumented system calls and unknown methods of embedding themselves in system data areas. "Professional" viruses in many cases use stealth technology and/or are polymorphic; they infect not just files but also boot sectors of disks, and sometimes Windows and OS/2 executables.

So-called "virus families" occupy a significant part of my collection. These are groups of several (sometimes several dozen) viruses. The members of each group have one distinctive feature, their "handwriting": in several different viruses one can often find similar algorithms and programming tricks. Often all or almost all members of one family have one author, and it is often rather funny to follow the inexperienced author as he becomes more and more proficient, from almost "student-like" attempts to create anything resembling a virus to a quite viable implementation of a professional virus.

To my mind, the reason pushing people into such senseless work is still the same: an inferiority complex, sometimes combined with mental instability. For instance, in the spring of 1997 one of the world's best known virus authors, nicknamed Talon (Australia), died at the age of 21 of a heroin overdose.

There is also a fourth group of virus writers, a bit different from the others, the "explorers". This group consists of quick-witted programmers who invent new principles of infection, concealment, counter-attacks on anti-viruses and so on. They also invent new methods of embedding viruses into new operating systems, and create new virus construction sets and polymorphic generators. These programmers write viruses not for the sake of the viruses themselves, but rather to "explore" the potential of "computer wildlife".

Often the authors of such creations do not release them into the world, but are very active in promoting their ideas through the numerous electronic media devoted to creating viruses. That does not make these "explorer" viruses any less dangerous: as soon as the "professionals" from the third group get hold of the new ideas, they very quickly implement them in real viruses.

I have mixed feelings towards the authors of viruses. First of all, anyone writing viruses or somehow promoting them is the "hand that feeds" the anti-virus industry, with an annual turnover of two hundred million dollars or even more (not forgetting that computer viruses are to blame for losses of several hundred million dollars annually, which is several times more than is spent on anti-virus programs). If the overall number of viruses reaches 20,000 by the end of 1997, it is easy to calculate that the income of the anti-virus companies from each separate virus is at least ten thousand dollars a year. Of course, the authors of viruses should not expect any kind of fee: their work has been and will remain free. Besides that, so far the supply of new viruses is balanced by demand (namely, the capacity of the anti-virus companies to process new viruses).

Secondly, I have some pity for the authors of viruses, especially the "professionals". That's because to write such a virus it is necessary to: a) spend a significant amount of effort and time, much more than is needed to understand the virus, learn its mechanism, add it to the database, or even write a dedicated anti-virus program; and b) have nothing better to do. So "professional" virus writers are pretty resourceful and have lots of energy, and yet waste it on idleness; the situation looks pitiful to me.

And thirdly, my attitude towards the authors of viruses is tainted with dislike and contempt, because these people are deliberately and aimlessly wasting their talents on harming others.


Programmers have a very hard life...

The History of Computer Viruses - From the Ancient Days to Present Time

A Bit of Archeology

There are lots and lots of opinions on the date of birth of the first computer virus. I know for sure only that there were no viruses on the Babbage machine, but the Univac 1108 and IBM 360/370 already had them ("Pervading Animal" and "Christmas Tree"). Therefore the first virus was born at the very beginning of the 1970s or even at the end of the 1960s, although nobody called it a virus then. And with that, let's consider the topic of extinct fossil species closed.

Journey's Start

Let's talk about more recent history: "Brain", "Vienna", "Cascade", etc. Those who started using IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays, and crowds of users rushed to the monitor repair people (unlike these days, when hard disk drives die of old age but some unknown modern virus gets the blame). Then their computers started playing the song "Yankee Doodle", but by then people were already cleverer, and nobody tried to fix their speakers; very soon it became clear that the problem was not with the hardware, it was a virus, and not even a single one, more like a dozen.

And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Ping-pong" virus marked the victory of viruses over the boot sector. IBM PC users, of course, did not like any of that. And so antidotes appeared. Which was the first? I don't know; there were many of them. Only a few of them are still alive, and those anti-viruses grew from single projects into major software companies playing big roles in the software market.

There is also a notable difference in how viruses conquered different countries. The first widely spread virus in the West was a boot virus called "Brain"; the "Vienna" and "Cascade" file viruses appeared later. In Eastern Europe and Russia, by contrast, file viruses came first, followed by boot viruses a year later.

Time went on and viruses multiplied. They were all alike in a sense: they tried to get into RAM, attached themselves to files and sectors, and periodically killed files, diskettes and hard disks. One of the first "revelations" was the "Frodo.4096" virus, which as far as I know was the first invisible (stealth) virus. This virus intercepted INT 21h, and during DOS calls to infected files it altered the returned information so that the file appeared uninfected to the user. But this was just an overlay on top of MS-DOS. In less than a year electronic bugs attacked the DOS kernel itself (the "Beast.512" stealth virus). The idea of invisibility continued to bear fruit: in the summer of 1991 there was a plague of "Dir_II". "Yeah!", said everyone who dug into it.

But it was pretty easy to fight the stealth ones: once you clean RAM, you may stop worrying and just search for the beast and cure it to your heart's content. Other, self-encrypting viruses, which sometimes appeared in software collections, were more troublesome, because to identify and delete them it was necessary to write and debug special subroutines. But nobody paid attention to that, until... Until the new generation of viruses came, the so-called polymorphic viruses. These viruses use another approach to invisibility: they encrypt themselves (in most cases), and to decrypt themselves later they use instruction sequences which may or may not be repeated in different infected files.

Polymorphism - Viral Mutation

The first polymorphic virus, called "Chameleon", became known in the early '90s, but the problem of polymorphic viruses became really serious only a year after that, in April 1991, with the worldwide epidemic of the polymorphic virus "Tequila" (as far as I know Russia was untouched by that epidemic; the first epidemic in Russia caused by a polymorphic virus happened as late as 1994, three years later; the virus was called "Phantom1").

The idea of self-encrypting polymorphic viruses gained popularity and brought to life generators of polymorphic code: in early 1992 the famous "Dedicated" virus appeared, based on the first known polymorphic generator, MtE, and the first in a series of MtE viruses; shortly after that the polymorphic generator itself appeared. It is essentially an object module (OBJ file), and to get a polymorphic mutant virus from a conventional non-encrypting virus it is now sufficient to simply link the two object modules together, the polymorphic OBJ file and the virus OBJ file. To create a real polymorphic virus one no longer has to labor over the code of one's own encryptor/decryptor; one can link the polymorphic generator to the virus and call it from the virus code when desired.

Luckily the first MtE virus did not spread and did not cause an epidemic. The anti-virus developers, in their turn, had some time in hand to prepare for the new attack.

In just a year the production of polymorphic viruses became a "trade", followed by an "avalanche" of them in 1993. Among the viruses coming into my collection the share of polymorphic viruses kept increasing. It seems that one of the main directions in the uneasy job of creating new viruses became the creation and debugging of polymorphic mechanisms; the authors of viruses competed not in creating the toughest virus but the toughest polymorphic mechanism instead.

This is a partial list of the viruses that can be called 100 percent polymorphic (late 1993):
Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions).

These viruses require special methods of detection, including emulation of the virus's executable code, mathematical algorithms for restoring parts of the code and data within the virus, etc. Ten more new viruses may be considered not 100 percent polymorphic (that is, they do encrypt themselves, but their decryption routine always contains some non-changing bytes):
Basilisk, Daemaen, Invisible (two versions), Mirea (several versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.

However, to detect them and to restore infected objects, decrypting the code is still required, because the non-changing fragment in the decryption routine of those viruses is too short to serve as a reliable mask.
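As an added illustration (not part of the original article and not code from any real virus), the following Python sketch contrasts a fixed-mask scanner with one that emulates the decryptor before scanning, which is the detection approach the two paragraphs above describe. The toy instruction set, the sample bytes and the "TOYVIRUS-BODY" marker are all constructed here; the format is not x86 machine code and nothing in it executes.

```python
"""Constructed demonstration: a fixed byte "mask" misses a self-encrypting
body whose decryptor varies, while emulating the decryptor recovers the
plaintext body that a mask can match.  The instruction set below is an
invented toy format for illustration, not x86; nothing here is executable."""
from typing import Optional

# Toy decryptor instruction set (constructed for this example).
OP_SETKEY = 0x01   # 0x01 <key>  : load the decryption key
OP_SETLEN = 0x02   # 0x02 <len>  : number of body bytes to decrypt
OP_XOR    = 0x03   # 0x03        : body[i] ^= key
OP_SUB    = 0x04   # 0x04        : body[i] = (body[i] - key) & 0xFF
OP_NOP    = 0x90   # 0x90        : padding a generator may insert anywhere
OP_END    = 0xFF   # 0xFF        : end of decryptor; encrypted body follows

# The constant body all variants share in plaintext; this is what a scanner's
# mask targets.  Constructed marker string, not a real virus signature.
BODY_SIGNATURE = b"TOYVIRUS-BODY"


def mask_scan(sample: bytes, mask: bytes) -> bool:
    """Classic scanner: look for a fixed byte sequence anywhere in the file."""
    return mask in sample


def emulate_decryptor(sample: bytes, max_steps: int = 64) -> Optional[bytes]:
    """Interpret the toy decryptor at the start of `sample` and return the
    decrypted body, or None if the header is not a well-formed decryptor.
    The step limit keeps a malformed header from running forever."""
    pc, key, length, op, steps = 0, None, None, None, 0
    while pc < len(sample) and steps < max_steps:
        steps += 1
        opcode = sample[pc]
        if opcode == OP_NOP:
            pc += 1
        elif opcode == OP_SETKEY and pc + 1 < len(sample):
            key, pc = sample[pc + 1], pc + 2
        elif opcode == OP_SETLEN and pc + 1 < len(sample):
            length, pc = sample[pc + 1], pc + 2
        elif opcode in (OP_XOR, OP_SUB):
            op, pc = opcode, pc + 1
        elif opcode == OP_END:
            pc += 1
            break
        else:
            return None          # not a decryptor we understand
    else:
        return None              # ran out of bytes or steps before OP_END
    if key is None or length is None or op is None:
        return None
    body = sample[pc:pc + length]
    if len(body) < length:
        return None
    if op == OP_XOR:
        return bytes(b ^ key for b in body)
    return bytes((b - key) & 0xFF for b in body)


def emulation_scan(sample: bytes, mask: bytes) -> bool:
    """Polymorphic-aware scanner: decrypt first, then apply the mask."""
    body = emulate_decryptor(sample)
    return body is not None and mask in body


# --- constructed fixtures: the same body behind two different decryptors ---
def _xor_fixture(body: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in body)

def _add_fixture(body: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in body)

SAMPLE_XOR = bytes([OP_SETKEY, 0x5A, OP_SETLEN, len(BODY_SIGNATURE),
                    OP_XOR, OP_END]) + _xor_fixture(BODY_SIGNATURE, 0x5A)
SAMPLE_SUB = bytes([OP_NOP, OP_NOP, OP_SETLEN, len(BODY_SIGNATURE),
                    OP_SETKEY, 0x21, OP_NOP, OP_SUB, OP_END]) \
             + _add_fixture(BODY_SIGNATURE, 0x21)
# A benign file that merely happens to start with the opcode byte values.
BENIGN = b"\x03\x04\x90 ordinary data file with no decryptor"


def scan_report(samples: dict) -> dict:
    """Run both scanners on each sample; returns {name: (by_mask, by_emulation)}."""
    return {name: (mask_scan(s, BODY_SIGNATURE), emulation_scan(s, BODY_SIGNATURE))
            for name, s in samples.items()}


if __name__ == "__main__":
    report = scan_report({"xor variant": SAMPLE_XOR,
                          "sub variant": SAMPLE_SUB,
                          "benign": BENIGN})
    for name, (by_mask, by_emu) in report.items():
        print(f"{name:12s} mask={by_mask!s:5s} emulation={by_emu}")
    # The only bytes every variant shares are single opcodes such as 0x03,
    # far too short for a mask: the benign file matches them as well.
    print("1-byte mask hits benign file:", mask_scan(BENIGN, bytes([OP_XOR])))
```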

Polymorphic generators are also being developed alongside polymorphic viruses. Several new ones appeared, utilizing more complex methods of generating polymorphic code. They became widely spread over bulletin board systems as archives containing object modules, documentation and examples of use. By the end of 1993 there were seven known generators of polymorphic code:

MTE 0.90 (Mutation Engine)
TPE (Trident Polymorphic Engine), four versions
NED (Nuke Encryption Device)
DAME (Dark Angel's Multiple Encryptor)

Since then every year brought several new polymorphic generators, so there is little sense in publishing the entire lists.

Automating Production and Viral Construction Sets

Laziness is the driving force of progress (the wheel was invented because someone was too lazy to carry mammoths to the cave). This traditional wisdom needs no comment. But only in the middle of 1992 did progress in the form of automated production touch the world of viruses. On the fifth of July 1992 the first virus code construction set for IBM PC compatibles, called VCL (Virus Creation Laboratory) version 1.00, was announced as ready for production and shipping.

This set generates well-commented virus source in the form of assembly language text, object modules or infected files. VCL uses a standard windowed interface. With the help of a menu system one can choose the virus type, the objects to infect (COM and/or EXE), the presence or absence of self-encryption, measures of protection from debugging, internal text strings, ten optional additional effects, etc. Viruses can use the standard method of infecting a file by appending their body to the end of it, or replace files with their body, destroying the original content, or become companion viruses.

And then it became much easier to do wrong: if you wanted somebody to have computer trouble, you just ran VCL and within 10 to 15 minutes you had 30-40 different viruses to run on the computers of your enemies. A virus for every computer!

The further the better. On the 27th of July the first version of PS-MPC (Phalcon/Skism Mass-Produced Code Generator) appeared. This set does not have a windowed interface; it uses a configuration file to generate virus source code. This file contains a description of the virus: the type of infected files (COM or EXE); resident capabilities (unlike VCL, PS-MPC can also produce resident viruses); the method of installing the resident copy of the virus; self-encryption capabilities; the ability to infect COMMAND.COM, and lots of other useful information.

Another construction set, G2 (Phalcon/Skism's G2 0.70 beta), was also created. It supported PS-MPC configuration files while allowing many more options when coding the same functions.

The version of G2 I have is dated the first of January 1993. Apparently the authors of G2 spent New Year's Eve in front of their computers. They would have been better off with some champagne; it would not have hurt anyway.

So in what way did the virus construction sets influence electronic wildlife? In my virus collection there are several hundred VCL and G2 based viruses and over a thousand PS-MPC based viruses.

So we have another tendency in the development of computer viruses: the increasing number of "construction set" viruses; more openly lazy people join the ranks of virus makers, downgrading the respectable and creative profession of creating viruses to a mundane rough trade.

Outside DOS

The year 1992 brought more than polymorphic viruses and virus construction sets. The end of the year saw the first virus for Windows, which opened a new page in the history of virus making. Being small (less than 1K in size) and absolutely harmless, this non-resident virus quite proficiently infected executables of the new Windows format (NewEXE); with its appearance a window into the world of Windows was opened.

After some time viruses for OS/2 appeared, and January 1996 brought the first Windows95 virus. Presently not a single week goes by without new viruses infecting non-DOS systems; possibly the problem of non-DOS viruses will soon become more important than the problem of DOS viruses. Most likely the change of priorities will mirror the process of DOS dying and new operating systems gaining strength together with their specific programs. As soon as all existing DOS software is replaced by its Windows, Windows95 and OS/2 analogues, the problem of DOS viruses will become nonexistent and purely theoretical for the computer community.

The first attempt to create a virus working in 386 protected mode was also made in 1993. It was a boot virus, "PMBS", named after a text string in its body. After booting from an infected drive this virus switched to protected mode, made itself the supervisor and then loaded DOS in virtual 8086 (V86) mode. Luckily this virus was born dead: its second generation refused to propagate due to several errors in the code. Besides that, the infected system "hung" if a program tried to reach outside V86 mode, for example to determine the presence of extended memory.

This unsuccessful attempt to create a supervisor virus remained the only one until the spring of 1997, when a Moscow prodigy released "PM.Wanderer", a quite successful implementation of a protected mode virus.

It is unclear now whether such supervisor viruses might present a real problem for users and anti-virus developers in the future. Most likely not, because such viruses must "go to sleep" while the new operating systems (Windows 3.xx, Windows95/NT, OS/2) are up and running, allowing for easy detection and killing of the virus. But a full-scale stealth supervisor virus may mean a lot of trouble for "pure" DOS users, because it is absolutely impossible to detect such a stealth virus under pure DOS.

Macro Virus Epidemics

August 1995. All progressive humanity, Microsoft and Bill Gates personally celebrate the release of the new operating system Windows95. Amid all that noise the message about a new virus using fundamentally new methods of infection went virtually unnoticed. The virus infected Microsoft Word documents.

Frankly, it was not the first virus infecting Word documents. Earlier, anti-virus companies had had on their hands the first experimental example of a virus which copied itself from one document to another. However nobody paid serious attention to that not quite successful experiment. As a result virtually all the anti-virus companies turned out to be unprepared for what came next, the macro virus epidemic, and started to work out quick but inadequate measures to put an end to it. For example, several companies almost simultaneously released document anti-viruses, acting along roughly the same lines as the virus, but destroying it instead of propagating.

By the way, it became necessary to correct anti-virus literature in a hurry, because earlier the question "Is it possible to infect a computer by simply reading a file?" had been answered with a definite "No way!", with lengthy proofs of that.

As for the virus, which by that time had got its name, "Concept", it continued its victory ride over the planet. Having most probably been released in some division of Microsoft, "Concept" ran over thousands if not millions of computers in no time at all. This is not surprising, because document exchange in Microsoft Word format had in fact become one of the industry standards, and to get infected by the virus it is sufficient just to open an infected document; then all the documents edited by the infected copy of Word become infected too. As a result, having received an infected file over the Internet and opened it, the unsuspecting user became an "infection peddler", and if his correspondence was written with the help of MS Word, it also became infected! Therefore the possibility of infecting MS Word, multiplied by the speed of the Internet, became one of the most serious problems in the whole history of computer viruses.

In less than a year, sometime in the summer of 1996, the "Laroux" virus appeared, infecting Microsoft Excel spreadsheets. As had been the case with "Concept", this new virus was discovered almost simultaneously in several companies.

The same 1996 witnessed the first macro virus construction sets, then in the beginning of 1997 came the first polymorphic macro viruses for MS Word and the first viruses for Microsoft Office97. The number of various macro viruses also increased steadily reaching several hundreds by the summer of 1997.

Macro viruses, which opened a new page in August 1995 and which draw on nearly 10 years of accumulated experience and refinement in virus making, are now the biggest problem in modern virology.

Chronology of Events

It's time to give a more detailed description of events. Let's start from the very beginning.

Late 1960s - early 1970s

Periodically on the mainframes of that period there appeared programs called "rabbits". These programs cloned themselves and occupied system resources, thus lowering the productivity of the system. Most probably "rabbits" did not copy themselves from system to system and were strictly local phenomena: mistakes or pranks by the system programmers servicing these computers. The first incident which may well be called an epidemic of "a computer virus" happened on the Univac 1108 system. The virus, called "Pervading Animal", appended itself to the end of executable files, doing virtually the same thing as thousands of modern viruses do.

The first half of 1970s

"The Creeper" virus, created under the Tenex operating system, used global computer networks to spread itself. The virus was capable of entering a network by itself via modem and transferring a copy of itself to a remote system. "The Reaper" anti-virus program was created to fight this virus; it was the first known anti-virus program.

Early 1980s

Computers become more and more popular. An increasing number of programs appear, written not by software companies but by private persons; moreover, these programs may be freely distributed and exchanged through general access servers (BBS). As a result there appears a huge number of miscellaneous "Trojan horses": programs doing some kind of harm to the system when started.

1981

The "Elk Cloner" boot virus epidemic started on Apple II computers. The virus attached itself to the boot sector of any diskette that was accessed. It showed itself in many ways: it flipped the display, made the text display blink and showed various messages.

1986

The first IBM PC virus "Brain" pandemic began. This virus, infecting 360 KB diskettes, spread over the world almost instantly. The secret of a "success" like this probably lay in the total unpreparedness of the computer community for such a phenomenon as a computer virus.

The virus was created in Pakistan by brothers Basit and Amjad Farooq Alvi. They left a text message inside the virus with their name, address and telephone number. According to the authors of the virus they were software vendors, and would like to know the extent of piracy in their country. Unfortunately their experiment left the borders of Pakistan.

It is also interesting that the "Brain" virus was the first stealth virus, too - if there was an attempt to read the infected sector, the virus substituted it with a clean original one.

Also in 1986 a programmer named Ralph Burger found out that a program can create copies of itself by adding its code to DOS executables. His first virus, called "VirDem", was a demonstration of that capability. This virus was announced in December 1986 at an underground computer forum consisting of hackers who at that time specialized in cracking VAX/VMS systems (the Chaos Computer Club in Hamburg).

1987

The "Vienna" virus appears. Ralph Burger, whom we already know, gets a copy of this virus, disassembles it, and publishes the result in his book "Computer Viruses: a High-tech Disease". Burger's book made the idea of writing viruses popular, explained how to do it, and therefore stimulated the creation of hundreds and later thousands of computer viruses in which some of the ideas from his book were implemented.

Some more IBM PC viruses are being written independently in the same year. They are: "Lehigh", infecting the COMMAND.COM file only; "Suriv-1" a.k.a. "April1st", infecting COM files; "Suriv-2", infecting (for the first time ever) EXE files; and "Suriv-3", infecting both COM and EXE files. There also appear several boot viruses ("Yale" in USA, "Stoned" in New Zealand, "PingPong" in Italy), and the first self encrypting file virus "Cascade".

Non-IBM computers are also not forgotten: several viruses for Apple Macintosh, Commodore Amiga and Atari ST have been detected.

In December 1987 there was the first total epidemic of a network virus, called "Christmas Tree", written in the REXX language and spreading itself under the VM/CMS operating environment. On the ninth of December this virus was introduced into the Bitnet network at one of the West German universities; then via a gateway it got into the European Academic Research Network (EARN) and then into the IBM Vnet. In four days (by Dec. 13) the virus paralyzed the network, which was overflowing with copies of it (see the desk clerk example several pages earlier). On start-up the virus displayed an image of a Christmas tree and then sent copies of itself to all the network users whose addresses were in the corresponding system files NAMES and NETLOG.

1988

On Friday the 13th, 1988, several companies and universities in many countries of the world "got acquainted" with the "Jerusalem" virus. On that day the virus destroyed files that users attempted to run. This is probably one of the first MS-DOS viruses to cause a real pandemic; there was news about infected computers from Europe, America and the Middle East. Incidentally, the virus got its name after one of the places it struck, the Jerusalem University.

"Jerusalem", together with several other viruses ("Cascade", "Stoned", "Vienna"), infected thousands of computers while still going unnoticed: anti-virus programs were not as common then as they are now, and many users and even professionals did not believe in the existence of computer viruses. It is notable that in the same year the legendary computer guru Peter Norton announced that computer viruses did not exist; he declared them a myth of the same kind as alligators in the New York sewers. Nevertheless this delusion did not prevent Symantec from starting its own anti-virus project, Norton Anti-virus, some time later.

Notoriously false messages about new computer viruses started to appear, causing panic among computer users. One of the first virus hoaxes of this kind belongs to a certain Mike RoChenle (pronounced very much like "Microchannel"), who uploaded a lot of messages to BBS systems describing a supposed virus copying itself from one BBS to another via modem at 2400 baud. Funny as it may seem, many users gave up the 2000 baud standard of that time and lowered the speed of their modems to 1200 baud. Similar hoaxes appear even now; the most famous of them so far are GoodTimes and Aol4Free.

November 1988: the total epidemic of the Morris network virus (a.k.a. the Internet Worm). This virus infected more than 6000 computer systems in the USA (including a NASA research institute) and practically paralyzed their work. Because of errors in its code the virus sent unlimited copies of itself to other network computers, like the "Christmas Tree" worm, and for that reason completely paralyzed all the network resources. Total losses caused by the Morris virus were estimated at 96 million dollars.

This virus used errors in the Unix operating systems for VAX and Sun Microsystems machines to propagate. Besides the errors in Unix the virus utilized several more original ideas, for example picking up user passwords. A more detailed story of this virus and the corresponding incidents may be found in a number of rather detailed and interesting articles.

December 1988: the season of worm viruses continues, this time in DECnet. A worm virus called HI.COM displayed an image of a spruce tree and informed users that they should "stop computing and have a good time at home!!!"

New anti-virus programs also appeared, for example Dr. Solomon's Anti-virus Toolkit, presently one of the most powerful anti-virus packages.

1989

New viruses "Datacrime" and "FuManchu" appear, as do whole families like "Vacsina" and "Yankee". The first one acted extremely dangerously: from October 13th to December 31st it formatted hard disks. This virus "broke free" and caused total hysteria in the mass media in Holland and Great Britain.

September 1989: one more anti-virus program begins shipping, IBM Anti-virus.

October 1989: one more epidemic in DECnet, this time a worm virus called "WANK Worm".

December 1989: an incident with a "Trojan horse" called "AIDS". 20,000 copies were shipped on diskettes marked "AIDS Information Diskette Version 2.0". After 90 boot-ups the "Trojan" program encrypted all the filenames on the disk, made them invisible (by setting the "hidden" attribute) and left only one file readable: a bill for $189 payable to the address P.O. Box 7, Panama. The author of this program was apprehended and sent to jail.

One should note that 1989 saw the beginning of total epidemics of computer viruses in Russia, caused by the same "Cascade", "Jerusalem" and "Vienna", which besieged the computers of Russian users. Luckily Russian programmers pretty quickly discovered the principles of their work, and virtually immediately several domestic anti-viruses appeared; AVP (named "-V" at that time) was one of them.

My first acquaintance with viruses (it was the "Cascade" virus) took place in 1989 when I found the virus on my office computer. This particular fact influenced my decision to change careers and create anti-virus programs. A month later the second incident (the "Vacsina" virus) was closed with the help of the first version of my anti-virus "-V" (minus-virus), several years later renamed AVP, AntiViral Toolkit Pro. By the end of 1989 several dozen viruses roamed Russian lands. They were, in order of appearance: two versions of "Cascade", several "Vacsina" and "Yankee" viruses, "Jerusalem", "Vienna", "Eddie", "PingPong".

1990

This year brought several notable events. The first was the appearance of the first polymorphic viruses, "Chameleon" (a.k.a. "V2P1", "V2P2", and "V2P6"). Until then anti-virus programs had used "masks", fragments of virus code, to look for viruses. After the appearance of "Chameleon" anti-virus developers had to look for different methods of virus detection.

The second event was the appearance of the Bulgarian "virus production factory": enormous numbers of new viruses were created in Bulgaria. These were whole families of viruses, "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), modifications of the "Eddie" virus, etc. A certain Dark Avenger became extremely active, making several new viruses a year and utilizing fundamentally new algorithms for infecting and covering tracks in the system. It was also in Bulgaria that the first BBS dedicated to the exchange of virus code and information for virus makers opened.

In July 1990 there was an incident with "PC Today" computer magazine (Great Britain). It contained a floppy disk infected with "DiskKiller" virus. More than 50,000 copies were sold.

In the second half of 1990 two stealth monsters appeared, "Frodo" and "Whale". Both viruses utilized extremely complicated stealth algorithms; on top of that the 9KB "Whale" used several levels of encryption and anti-debugging techniques.

1991

The computer virus population grows continuously, reaching several hundred now. Anti-viruses also show increasing activity: two software giants at once (Symantec and Central Point) issue their own anti-virus programs, Norton Anti-virus and Central Point Anti-virus. They are followed by less known anti-viruses from Xtree and Fifth Generation.

In April a full-scale epidemic broke out, caused by the file-and-boot polymorphic virus "Tequila", and in September the same kind of story happened with the "Amoeba" virus.

Summer of 1991: "Dir_II" epidemic. It was a link virus using fundamentally new methods of infecting files.

1992

Non-IBM PC and non-MS-DOS viruses are virtually forgotten: the "holes" in global access networks are closed, errors corrected, and network worm viruses lost the ability to spread. File, boot and file-boot viruses for the most widely spread operating system (MS-DOS) on the most popular computer model (IBM PC) become more and more important. The number of viruses increases geometrically; various virus incidents happen almost every day. Miscellaneous anti-virus programs are being developed; dozens of books and several periodical magazines on anti-viruses are being printed. A few things stand out:

Early 1992: the first polymorphic generator, MtE, serving as a base for several polymorphic viruses which follow almost immediately. MtE was also the prototype for several forthcoming polymorphic generators.

March 1992: the "Michelangelo" virus epidemic (a.k.a. "March6") and the following hysteria took place. This is probably the first known case when anti-virus companies made a fuss about a virus not to protect users from any kind of danger, but to attract attention to their products, that is, to create profits. One American anti-virus company actually announced that on the 6th of March the information on over five million computers would be destroyed. As a result of the fuss the profits of various anti-virus companies jumped several times over; in reality only about 10,000 computers suffered from that virus.

July 1992: the first virus construction sets, VCL and PS-MPC, were made. They made the large flow of new viruses even larger. They also stimulated virus makers to create other, more powerful construction sets, as MtE had done in its area.

Late 1992: The first Windows virus appears, infecting this OS's executables, and starts a new page in virus making.

1993

Virus makers are starting to do some serious damage: besides hundreds of mundane viruses no different from their counterparts, besides the polymorphic generators and construction sets, besides new electronic publications of virus makers, there appear more and more viruses using highly unusual ways of infecting files, introducing themselves into the system, etc. The main examples are:

"PMBS", working in Intel 80386 protected mode.

"Strange" (or "Hmm") - a "masterpiece" of stealth technology, implemented at the level of the hardware interrupts INT 0Dh and INT 76h.

"Shadowgard" and "Carbunkle", which widened the range of algorithms used by companion viruses.

"Emmie", "Metallica", "Bomber", "Uruguay" and "Cruncher" - the use of fundamentally new techniques for "hiding" their own code inside infected files.

In spring of 1993 Microsoft made its own anti-virus MSAV, based on CPAV by Central Point.

1994

The problem of CD viruses is becoming more important. Having quickly gained popularity, CDs became one of the main means of spreading viruses. There were several simultaneous cases when a virus got onto the master disk while a batch of CDs was being prepared. As a result a fairly large number (tens of thousands) of infected CDs hit the market. Of course they cannot be cured; they just have to be destroyed.

Early in the year two extremely complicated polymorphic viruses, "SMEG.Pathogen" and "SMEG.Queeg", popped up in Great Britain (even now not all anti-virus programs are able to give 100% correct detection of these viruses). Their author placed infected files on a BBS, causing real panic and fear of an epidemic in the mass media.

Another wave of panic was created by a message about a supposed virus called "GoodTimes", spreading via the Internet and infecting a computer when E-mail was received. No such virus really existed, but after some time an ordinary DOS virus appeared containing the text string "Good Times". It was called "GT-Spoof".

Law enforcement increases its activity: in the summer of 1994 the author of SMEG was "sorted out" and arrested. At approximately the same time, also in Great Britain, an entire group of virus makers who called themselves ARCV (Association for Really Cruel Viruses) was arrested. Some time later one more author of viruses was arrested in Norway.

Some new and unusual enough viruses appear:
January 1994: "Shifter" - the first virus infecting object modules (OBJ files). "Phantom1" - the cause of the first epidemic of a polymorphic virus in Moscow.

April 1994: "SrcVir" - a virus family infecting program source code (C and Pascal).

June 1994: "OneHalf" - one of the most popular viruses in Russia so far starts a total epidemic.

September 1994: "3APA3A" - a boot-file virus epidemic. This virus uses a highly unusual way of incorporating itself into MS-DOS. No anti-virus was ready to meet such a monster.

In the spring of 1994 one of the anti-virus leaders of that time, Central Point, ceased to exist, acquired by Symantec, which by that time had managed to "swallow" several minor companies working on anti-viruses: Peter Norton Computing, Cetus International and Fifth Generation Systems.

1995

Nothing in particular happens among DOS viruses, although several fairly complicated monster viruses appear, like "NightFall", "Nostardamus" and "Nutcracker", as well as some funny viruses like the "bisexual" virus "RMNS" and the BAT virus "Winstart". The "ByWay" and "DieHard2" viruses become widespread, with news about infected computers coming from all over the world.

February 1995: an incident at Microsoft: Windows95 demo disks are infected with "Form". Microsoft sent copies of these disks to beta testers; one of the testers was not too lazy to check the disks for viruses.

Spring 1995: two anti-virus companies, ESaSS (ThunderBYTE anti-virus) and Norman Data Defense (Norman Virus Control), announce an alliance. Each of these companies produced a fairly powerful anti-virus; they joined forces and started work on a joint anti-virus system.

August 1995: one of the turning points in the history of viruses and anti-viruses: the first "live" virus for Microsoft Word ("Concept") appears. Within a month the virus "tripped around the world", plaguing the computers of MS Word users and becoming a firm No. 1 in the statistics compiled by various computer publications.

1996

January 1996: two notable events - the appearance of the first Windows95 virus ("Win95.Boza") and an epidemic of the extremely complicated polymorphic virus "Zhengxi" in St. Petersburg (Russia).

March 1996: the first Windows 3.x virus epidemic. The virus is called "Win.Tentacle". It infected a computer network in a hospital and in several other institutions in France. This event is especially interesting because this was the FIRST Windows virus found spreading in the wild. Before that (as far as I know) all Windows viruses had existed only in collections and in the electronic magazines of virus makers; only boot viruses, DOS viruses and macro viruses were known to be spreading freely.

June 1996: "OS2.AEP" - the first OS/2 virus that correctly infects the EXE files of this operating system. Earlier the only OS/2 viruses either overwrote the file with their own body, destroying it, or acted as companion viruses.

July 1996: "Laroux" - the first Microsoft Excel virus caught in the wild (found at the same time in two oil companies, one in Alaska and one in the Republic of South Africa). The idea behind "Laroux", like that of the Microsoft Word viruses, is based on the presence of so-called macros (Basic programs) in the files. Such programs can be embedded in both Microsoft Excel spreadsheets and Microsoft Word documents. As it turned out, the Basic language built into Microsoft Excel also makes it possible to create viruses.

December 1996: "Win95.Punch" - the first "memory resident" virus for Windows95. It stays resident in Windows memory as a VxD driver, hooks file access and infects Windows EXE files as they are opened.

In general, 1996 marks the start of the widespread intrusion of viruses into the Windows32 operating systems (Windows95 and WindowsNT) and into the Microsoft Office applications. During this and the following year several dozen Windows viruses and several hundred macro viruses appeared. Many of them used new technologies and methods of infection, including stealth and polymorphic capabilities. This was the next round of virus evolution: within two years they retraced the same path of improvement that DOS viruses had gone through. Step by step they began to use the same tricks that DOS viruses had used 10 years before, but at the next technological level.

1997

February 1997: "Linux.Bliss" - the first virus for Linux (a Unix clone). With it, viruses occupied one more "biological" niche.

February-April 1997: macro viruses migrate to Office97. The first of them turned out to be merely Microsoft Word 6/7 macro viruses "converted" to the new format, but almost immediately viruses aimed exclusively at Office97 documents appeared as well.

March 1997: "ShareFun" - a macro virus hitting Microsoft Word 6/7. It propagates not only through the standard features of Microsoft Word but also by sending copies of itself via MS-Mail.

April 1997: "Homer" - the first network worm virus, which uses the File Transfer Protocol (FTP) to propagate.

June 1997: the first self-encrypting virus for Windows95 appears. This virus, of Russian origin, was uploaded to several BBSs in Moscow, which caused an epidemic.

November 1997: the "Esperanto" virus. This is the first virus that attempts to infect not only DOS and Windows32 executable files but also to spread to Mac OS (Macintosh). Fortunately, because of bugs, the virus is unable to spread across platforms.

December 1997: a new virus type, the so-called "mIRC Worms", comes into being. mIRC, the most popular Windows Internet Relay Chat (IRC) client, proved to have a "hole" that allowed virus scripts to transmit themselves over IRC channels. The next version of mIRC closed the hole and the mIRC Worms vanished.

The main event of 1997 was certainly the separation of the anti-virus department of KAMI Ltd. from its parent company to form an independent one. The company, now known as Kaspersky Labs, has become a recognized leader of the anti-virus industry. Since 1994 the company's main product, the AntiViral Toolkit Pro (AVP) anti-virus scanner, has consistently shown high results in tests by test laboratories all over the world. The creation of an independent company gave the initially small group of developers the chance to take the lead on the domestic market and gain prominence on the world market. In a short time versions for practically all popular platforms were developed and released, new anti-virus solutions were offered, and international distribution and product support networks were created.

October 1997: an agreement was signed licensing the use of AVP technologies in F-Secure Anti-Virus (FSAV), the new anti-virus product of DataFellows (Finland). Before that DataFellows had been known as the manufacturer of the F-PROT anti-virus package.

1997 was also the year of several scandals between the main anti-virus manufacturers in the US and Europe. At the beginning of the year McAfee announced that its experts had detected a "feature" in the anti-virus programs of Dr.Solomon, one of its main competitors. According to McAfee's statement, if Dr.Solomon's anti-virus detects several types of viruses during a scan, the program switches to an advanced scanning mode. This means that while scanning an uninfected computer Dr.Solomon's anti-virus runs in the usual mode, but while scanning virus collections it switches to the advanced mode - the "cheat mode", as McAfee called it - which lets it detect viruses invisible in the usual mode. As a result Dr.Solomon's anti-virus shows both good speed when scanning uninfected disks and good detection rates when scanning virus collections.

A little later Dr.Solomon struck back, accusing McAfee of an improper advertising campaign. The complaint concerned the slogan "The Number One Choice Worldwide. No Wonder The Doctor's Left Town". At the same time McAfee was in court with Trend Micro, another anti-virus software manufacturer, over an alleged violation of a patent on Internet and e-mail data scanning technology. Symantec also turned out to be involved in the dispute, accusing McAfee of using Symantec code in McAfee products. And so on.

The year ended with one more noteworthy event related to the McAfee name: McAfee Associates and Network General announced their merger into the newly formed company Network Associates, which positioned its services not only on the anti-virus software market but also on the markets for general computer security systems, encryption and network administration. From this point in the history of viruses and anti-viruses, McAfee corresponds to NAI.

1998

The virus attack on MS Windows, MS Office and network applications does not let up. New viruses arise that employ ever more complex tricks for infecting computers and advanced methods of penetrating computers over the network. Besides these, numerous so-called Trojans that steal Internet access passwords, and several kinds of covert remote administration utilities, came into the computer world. Several incidents with infected CDs came to light: some computer magazine publishers distributed the Windows viruses CIH and Marburg on infected CDs attached to the covers of their issues.

Beginning of the year: an epidemic of the "Win32.HLLP.DeTroie" virus family shocked the computer world. These viruses not only infected Windows32 executable files but were also capable of transmitting information about the infected computer to their "owner". As the viruses used specific libraries shipped only with the French version of Windows, the epidemic affected only the French-speaking countries.

February 1998: one more type of virus infecting Excel spreadsheets, "Excel4.Paix" (aka "Formula.Paix"), was detected. When embedding itself into Excel spreadsheets, this type of macro virus uses not the macro area usual for this kind of virus, but formulas, which proved capable of holding self-replicating code.

February - March 1998: "Win95.HPS" and "Win95.Marburg" - the first polymorphic Windows32 viruses were detected and, what is more, they were "in the wild". Anti-virus developers had no choice but to rush to adapt their polymorphic virus detection techniques, until then designed only for DOS viruses, to the new conditions.

March 1998: "AccessiV" - the first Microsoft Access virus was born. There was no fuss about it (as there had been with the "Word.Concept" and "Excel.Laroux" viruses), since the computer community had already got used to MS Office applications falling one after another.

March 1998: the "Cross" macro virus, the first virus to infect two different MS Office applications, Access and Word, is detected. Following it, several more viruses that transfer their code from one MS Office application to another emerged.

May 1998: the "RedTeam" virus infects Windows EXE files and sends the infected files out via Eudora e-mail.

June 1998: the "Win95.CIH" virus epidemic was at first widespread, then became global and then turned into a kind of computer holocaust: the number of reports of infected computer networks and home personal computers reached hundreds if not thousands. The start of the epidemic was registered in Taiwan, where an unknown hacker mailed infected files to local Internet conferences. From there the virus made its way to the USA, where, through staff oversight, it infected at once several popular Web servers that began distributing infected game programs. Most likely it was these infected files on game servers that brought about the computer holocaust that dominated the computer world for the whole year. In the "popularity" ratings the virus pushed "Word.CAP" and "Excel.Laroux" into second place. One should also note the virus's dangerous payload: depending on the current date the virus erased the Flash BIOS, which under some conditions could render the motherboard unusable.

August 1998: the birth of the sensational "BackOrifice" ("Backdoor.BO") - a utility for covert (hacker) control of remote computers and networks. After "BackOrifice" several other similar programs - "NetBus", "Phase" and others - came into being.

Also in August the first virus infecting Java executable files, "Java.StrangeBrew", was born. The virus posed no danger to Internet users, as there was no way to invoke the functions critical for its replication on a remote computer. However, it showed that even Web browsers could be attacked by viruses.

November 1998: "VBScript.Rabbit" - the expansion of computer parasites into the Internet continued with three viruses infecting VisualBasic scripts (VBS files), which are actively used in Web page development. As a logical consequence of the VBScript viruses, the first full-fledged HTML virus ("HTML.Internal") came to life. Virus writers have obviously turned their efforts to network applications and to the creation of a full-fledged network worm that could use the facilities of MS Windows and Office, infect remote computers and Web servers, and/or aggressively replicate itself via e-mail.

The world of anti-virus manufacturers was also considerably rearranged. In May 1998 Symantec and IBM announced that they were joining forces on the anti-virus market. The joint product would be distributed under the Norton Anti-Virus trademark, and the IBM Anti-Virus (IBMAV) program was discontinued. The response of the main competitors, Dr.Solomon and NAI (formerly McAfee), followed immediately: they issued press releases offering users of the IBM product a promotional replacement of the discontinued anti-virus with their own products.

Less than a month later Dr.Solomon "committed suicide": the company was bought by NAI (formerly McAfee) for 640 million dollars in an equity swap. The event shocked the anti-virus world - the conflict between the two anti-virus giants ended with a simple deal that killed off one of the most notable and technologically strongest anti-virus software manufacturers.

"Everything in the world should happen slowly and
wrongly, so that man cannot grow proud, so that man may be sad and
confused."
Venedikt Erofeev, "Moscow - Petushki"

The Perspective: What Will be Tomorrow and the Day After Tomorrow

What comes next? For how long will viruses bug us? These are the questions that in one way or another bother almost all computer users.

What Will be Tomorrow?

What can be expected from the computer underground in the coming years? Most probably the main problems will remain the following: 1) polymorphic DOS viruses, with the additional problem of polymorphism in macro viruses and in viruses for Windows and perhaps OS/2; 2) macro viruses with new and improved ways of infecting the system and of hiding their code in it; 3) network viruses, which use network protocols and commands to spread.

Type 3) is now only at the earliest stage of development - viruses are making their first faint attempts to spread their code by themselves via Microsoft Mail and FTP, but the best is yet to come.

Other problems may appear which could bring a lot of trouble to users and plenty of extra work to the developers of anti-virus programs. However, I look to the future optimistically: every problem in the history of virus development has been more or less successfully solved. Future problems, which are now just ideas in the sick minds of virus makers, will most probably be solved in the same way.

What Will be the Day After Tomorrow?

What will happen the day after tomorrow, and for how long are viruses going to exist at all? To answer this question it is necessary to determine where and under what conditions viruses exist.

To my mind, an environment favourable to the mass spreading of computer viruses must include the following necessary components:

It should be noted that the notion of an operating system here is rather loose. For example, for macro viruses Microsoft Word and Microsoft Excel are the operating systems, because it is they, and not Windows, that supply macro viruses (i.e. Basic programs) with the resources and functions they need.

If an operating system contains means of protecting information, as almost all OSes do, it will be extremely difficult for a virus to hit its target, because it will have to break through a system of passwords and access restrictions. Therefore only high-class professionals will be able to do the work needed to create a virus (Morris's virus for VAX is an example). But it seems to me that professionals are much more decent people than the users of their products, so the number of viruses created and released will fall even further.

For the mass production of viruses it is also necessary to have a sufficient amount of information about their environment. How many of the system programmers working on minicomputers under UNIX, VMS and so on know the system for controlling processes in random access memory, or the complete specifications of the executable file formats and of the boot records on disks (that is, the information needed to create a virus)? And therefore how many of them are capable of breeding a real grown-up beast? Another example is the Novell NetWare operating system, which is highly popular but poorly documented. As a result I know of no viruses capable of infecting NetWare executables, in spite of numerous promises by virus makers to write such a virus in the near future.

The role of OS popularity as a necessary condition for a virus invasion is easy to see: of 1,000 programmers only 100 are able to write a virus, and only one of them actually does. Now multiply this proportion by the number of thousands of programmers. Here are the results: 15,000 or even 20,000 viruses for fully IBM-compatible computers on the one hand, and several hundred viruses for the Apple Macintosh on the other. The same disproportion can be found when comparing the total number of viruses for Windows (several dozen) and for OS/2 (fewer than a dozen).

The three conditions for the "prosperity" of computer viruses mentioned above are met by several OSes at once, including text editors, all of them produced by Microsoft (DOS, Windows 3.xx, Windows95/NT and Word, Excel, Office97), which gives plenty of ground for the existence of various file and macro viruses. The specifications of hard disk partitioning also meet these conditions, which results in miscellaneous kinds of boot viruses that infect the system at the moment of boot-up.

To estimate how long the invasion of computer viruses into a given OS will last, one must estimate how long the necessary conditions mentioned above will coexist.

It is fairly obvious that in the near future IBM and Apple do not intend to surrender the mass market to their competitors (to the joy of Apple and IBM programmers), even if it means these companies have to join their efforts. Reducing the flow of information about the most popular systems is also impossible, because it would reduce the number of applications written for them and so hurt their sales. Only OS security remains; however, it requires following certain rules (passwords etc.), which causes some inconvenience. Therefore it seems improbable to me that such OSes are going to become popular among ordinary users - secretaries, accountants, home computer users etc. Another possibility is that users will disable the security measures as early as the OS installation stage.

Summing up, we can only conclude that viruses have successfully invaded everyday computer life and are not going to leave it in the foreseeable future.


by Eugene Kaspersky
1994-99 Metropolitan Network BBS Inc.