History of malware

A brief history of viruses, worms and Trojans, part 2

The growing networking of computers was exploited for the first time in 1988 by a new type of malware program. Worms still exploit weak points in networks today. At this time, both the virus authors and the anti-virus specialists got organized. Anti-virus software established itself.


MacMag was the first virus of note for Macintosh computers and offered a series of additional innovations. It was the first virus to be developed to order (by the editor in chief of MacMag). It was also the first virus which used data files to propagate (in this case, HyperStack files). Apart from a message, it had no harmful function.

The Indonesian Denny Yanuar Ramdhani used his virus "Den Zuk" to detect and remove the "Brain" virus and so invented the anti-virus virus.

On Friday the 13th of May, a logic bomb (in this case a time bomb) explodes for the first time in Jerusalem. And thus a new category of virus was established. Jerusalem is the first memory-resident virus (in the narrower sense of a file infector). Because of a bug, it always infects the same file, which leads to its detection. The distribution mechanism is similar to Lehigh, but more effective, as it also affects .EXE files in addition to .COM files.

Robert T. Morris Jr., the son of the NSA computer security expert, released an Internet worm which obtained access to a large number of UNIX computers (2000 to 6000) using a short list of passwords and then forwarded itself like the Christmas tree virus, which once again caused networks and email communication to crash. User action was unnecessary. The only way to combat and hunt down the "Internet worm", as it was called, was through consultations over the phone.

The first Virus Construction Kit comes into existence for the Atari ST. Thus even beginners can assemble viruses with specific properties.

As a response to the overall increase in the activity of virus developers and to the "Internet worm" in particular, the Computer Emergency Response Team/Coordination Centre (CERT/CC) was founded in the USA. It still provides advice and support for all things involving data protection and data security today. Since then German CERTs have also been created.


Data crime caused an enormous stir in the media.

With the advent of "Vienna" the first polymorphic viruses appear. It encrypts itself with variable keys and also changes the form of the decryption routines. It can therefore only be detected by anti-virus software with complex algorithms, which also tended to give false alarms. That was the end for many anti-virus software providers.

In July, the first issue of the Virus Bulletin is published. Since that time, it has become one of the most renowned specialist magazines for virus researchers.

In Bulgaria, Dark Avenger introduces two new aspects: 1. With the "Fast Infector", not only are executable files infected (at first "command.com"), but also files opened for reading and copied files. And thus, after a short while, the whole hard drive is affected. 2. Individual sections of the hard drive are overwritten at irregular intervals. This goes undetected in most cases. Backups, which have often been created to protect against virus attacks, are thereby rendered useless.

In Haifa, Israel, Frodo represents the first stealth virus to be discovered that infects files. After 22nd September of a given year, it was supposed to damage the hard drive of a PC. However, the appropriate routine did not function correctly.

A Trojan is distributed on floppies disguised as AIDS information by the PC Cyborg company with its head office in Panama. AIDS would replace the autoexec.bat and after a given number (90) of restarts it would start to encrypt the hard drive. Victims were then confronted with a bill for the decryption code.


Virus creation was now in fashion. In VX (Virus Exchange) bulletin boards, old and new viruses are swapped.

4096 bytes is the size of the virus of the same name which came out in January. It attached itself to executable and opened data files. The mechanism which tried to conceal this often led to files being destroyed. The attempt to display the message "Frodo Lives" led to a system crash.

With V2Px, Virus-90 and Virus-101 the first polymorphic viruses are written in the USA.

The viruses combined stealth and encryption mechanisms. This resulted in the formation of so-called multi-partite viruses. The Fish virus was a stealth virus with compact encryption (14 bytes). Joshi further advanced the concealment of boot sector viruses. Anthrax and V1 were further multi-partite viruses. The first really successful multi-partite virus was Flip.

The first multi-partite viruses were Anthrax and V1. Flip was the first virus of this type that managed to spread itself successfully.

The Verband deutscher Virenliebhaber [Association of German Virus Lovers] disseminates the first Virus Construction Kit for DOS. This even allows novices to create custom viruses.

In December, the European Institute for Computer Antivirus Research (EICAR for short) is founded. It still plays an important part in the fight against viruses and virus authors today.


Michelangelo was a boot sector virus, which overwrote the first 256 sectors of the data storage medium on March 6th - Michelangelo's birthday. This rendered the computer unusable. The following year, Michelangelo received a lot of media coverage, which certainly prevented a great deal of damage. Nevertheless it remained active for many years.

Polymorphic viruses are now becoming more and more common. Tequila is the first widespread polymorphic virus. Maltese Amoeba overwrites the first sector of the data storage medium on two specific days of the year.

Robert Slade starts his series of computer virus tutorials. Shortly afterwards, he starts working on VIRUS-L-FAQ.

DirII is the first cluster virus to be discovered.

The "Saddam Hussein" virus encrypts parts of the data medium on Amiga computers, so that they can only be read if the virus is in the memory.

In January 1992, a virus author going by the name of Dark Avenger publishes the Self Mutating Engine (MtE). This makes it easy to turn normal viruses into polymorphic ones. MtE is thus the first toolkit for creating polymorphic viruses.

The Commodore Amiga and Atari ST become less and less important and MS-DOS becomes ever more prevalent. The number of DOS viruses rises accordingly.

Altair for the Atari ST claims to be anti-virus software. It overwrites all the viruses that it finds in the boot sector. It fails just like many other "anti-virus viruses".

WinVir 1.4 is the first virus for Windows. The first virus which infects SYS files is called Involuntary.

Commander Bomber, which uses a new camouflage mechanism, is also by Dark Avenger. It attacks COM files, but does not attach itself to the file in one block; instead, it distributes its code to several fragments, which are connected to each other through links. In order to detect it, the entire file must be scanned.

New toolkits for creating polymorphic viruses appear: Trident Polymorphic Engine (TPE), Nuke Encryption Device (NED) and Dark Angel's Multiple Encryption (DAME) build on the MtE. However, virus signatures continue to be used.

For the first time, MS-DOS 6 contains a (mediocre) virus scanner. It contained a faulty on-access component, so that the virus protection could be simply switched off.

The Amiga virus Fuck (sorry, but it is not our name) was a camouflaged Trojan which spread disguised as a modem test program and started by replacing the system file loadWB. After a computer reboot, the virus code was executed. After a certain period of time, which was determined by image repetition frequency, the entire hard drive was fully written with the offensive F word, which led to the destruction of all the data.

Joe Wells publishes the first Wildlist in July. His aim was to list the activities of the viruses in circulation. This list later gave rise to the Wildlist Organization.

Further Windows computer viruses appear.


The first multipartite viruses appear. These viruses use multiple infection mechanisms and can simultaneously attack boot sectors and/or partition tables in addition to files.

In England, the adolescent Black Baron releases Smeg.Pathogen (and Smeg.Queen). Smeg.Pathogen displays a message and then overwrites the first 256 sectors of the hard drive. This caused substantial damage in some companies. He was sentenced to a prison term the following year.

Kaos4 spread through a newsgroup which specialised in erotic images. Since then, this strategy has been used more frequently.

Virus hoaxes with "Good-Times" warnings become a serious but misjudged problem.