History of malware

A brief history of viruses, worms and Trojans, part 3

In 1995 the first macro viruses appeared. Until that time, only executable files and boot sectors had been affected. Macro viruses placed ever higher demands on the detecting scanners. Melissa, Loveletter, Sobig et al. continue to set new speed records for spreading.


With "DMV" and "Night watchman" the first macro viruses appear. "Concept 1995" was the first macro virus which broke out publicly and spread unchecked in English systems.

Hunter.c was the first polymorphic macro virus to appear in Germany.

Wm.Concept was the first 'in the wild' macro virus for Word (with the exception of the HyperCard infectors). It only contained the message, "That's enough to prove a point. " and shortly afterwards was the most widespread virus in the world. Wm.Concept established the category of "Proof of Concept" viruses. PoC viruses merely demonstrate that it is possible to exploit a given weak point without causing any real damage. Detection of macro viruses puts a lot of demands on virus scanners, not least because of the constantly changing formats of script languages and Office files.


The first macro generators for German or English macro viruses appear. Macro viruses are no longer limited to Word, but also target Excel and AmiPro files. They also cross the boundaries between operating systems and infect both PCs and Macs.

Laroux is the first to infect MS Excel files.

Boza is the first virus to attack the PE EXE format of Windows 95 files. It was written by Quantum, a member of the Australian virus-writing group VLAD.


Viruses are becoming more and more specialised and target specific weak points in programs, operating systems or hardware.

The first mIRC scripts appear, which spread in a worm-like manner amongst Internet Relay Chat users.

The first virus for the Linux OS appears.


Strange Brew is the first Java virus.

With the exception of macro viruses, which are now underway in both Access and other programs, PCs with MacOS had not been plagued with viruses for at least 3 years. That all changes with the Autostart.9805 worm. Autostart uses the QuickTime AutoStart mechanism on Power PCs and copies itself to hard drives and other data media. Certain files are overwritten with junk data and thus corrupted. AutoStart spreads all over the world from Hong Kong.

Backdoors appear with Netbus and Back Orifice, with which it is possible to monitor and remotely control a computer without the victim being aware. Where Back Orifice is concerned, a lively discussion rages as to whether it is remote maintenance or remote control software. Since the remote control functions can be executed unbeknown to the user, Back Orifice is classed as a Trojan. In mid 2000, an attacker successfully broke into Microsoft's internal company network using BO.

CIH (Spacefiller, Chernobyl) appears in June in Taiwan. It has one of the largest payloads in virus history. It raises the question as to whether viruses are capable of destroying hardware. When its harmful function becomes active (on the 26th of April), it overwrites the Flash BIOS and the partition table of the hard drive. The computer is thus no longer able to boot. On some motherboards, the BIOS components had to be replaced or reprogrammed. But even after restoring the system, the data were lost. The author, Chinese student Chen Ing-Hau is not legally prosecuted. More...

VBS.Rabbit is the first program to use the Windows Scripting Host (WSH). Written in Visual Basic, it accesses other VBS files. HTML.Prepend demonstrates that HTML files can be infected using VBScript.

Dr. Solomons was bought by Network Associates. As previously with McAfee, customers migrate away from the program.


In March, the "Melissa" worm infects tens of thousands of computers and spreads like wildfire worldwide on the first day of its appearance. It sends e-mails to the first 50 addresses in the Outlook address book and many mail-servers crash under the weight of incoming e-mails. In August, David I. Smith admits that he wrote the worm.

Happy99 creates a copy of every e-mail sent by the user and sends it again with the same text and the same subject line plus the worm as an attachment. This also operates with Usenet postings.

In June, Explore.zip  disguises itself as a self-extracting file which is sent as a reply to an e-mail received. It spreads through network sharing and can infect other computers in the network, if only one network user does not take sufficient care. The damaging function scans the hard drive for C and C++ programs, Excel, Word and PowerPoint files and deletes them.

Besides email, Pretty Park also spreads through Internet Relay Chats (IRC). It had very effective protection and camouflage mechanisms, which prevented the worm from being able to be deleted. At the next virus scan, the worm was recognized as legitimate. Sometimes virus scans were even blocked. By manipulating the Registry, Pretty Park was executed before EXE files, which therefore resulted in all EXE files being reported as infected.

For users of Outlook, the "Good Times" vision that a virus can infect the computer, if an email is opened (even in preview mode) comes true with Bubbleboy. To do this, Bubbleboy uses an error in a program library.


Despite all the prophecies, there is no Millennium Bug, which would have been worthy of this name.

Palm/Phage and Palm/Liberty-A are certainly rare, but quite capable of attacking PDAs running with Palm OS.

The VB-Script worm VBS/KAKworm uses a weak point in scriplets and typelibs in Internet Explorer. Similarly to BubbleBoy, it was spread by opening an email (even in preview mode).

In May, a worm sends emails in snowballing fashion from the Outlook address book with the subject line "I love you" and causes billions in damages primarily in large companies' networks. Here too, the networks were quickly completely overloaded. A host of versions are derived from the original version, created by a Filipino student by the name of Onel de Guzman. US experts refer to it as the most malicious virus in computer history.

The author of W95/MTX took great pains to remove the worm/virus hybrid from the computer. It sent a PIF file with a double file extension via email. It blocked the browser's access to some anti-virus providers' websites, contaminated files with the virus component and replaced some files with the worm component.

After Loveletter and its many versions, emails with the corresponding subject lines were simply filtered out at the email gateways. Stages of Life varied the subject line and thus slipped through the net.

In September, Liberty, the first Trojan for PDAs, appears in Sweden. It transfers itself during synchronisation with the PC and then deletes all updates.


In February, an email worm circulates, the attachment of which purports to contain a picture of the Russian tennis player Anna Kournikova. Whoever opens it, installs the worm, which sends itself to all addresses in the Outlook address book.

Naked also spread by email. It purports to be a flash animation of a naked woman. After opening it installs itself and sends itself to all Outlook addresses. As it also deletes Windows and system directories, it makes the computer unusable. The computer can only be used again, once the operating system is reinstalled.

In July, Code Red uses a buffer overflow error in the Internet Information Server (IIS) Indexing Service DLL of Windows NT, 2000 und XP. It randomly scans IP addresses on the standard port for Internet connections and transmits a Trojan which, between the 20th and 27th of a month, launches a Denial of Service (DoS) attack against the White House website. Removing the virus requires a great deal of effort and costs billions.

In July, SirCam spreads over networks and via Outlook Express and brings in some innovations. It ensures that, each time the computer is started, an EXE file is activated. It is the first worm to bring its own SMTP engine with it. However it not only transmits itself, but also personal files, which it finds on the computer.

In September, Nimda distributes an Internet worm, which requires no user interaction. For distribution, it uses security loopholes in programs alongside emails. Numerous web servers are overloaded and infected file systems can be read by the entire world.

In November, the memory-resident Badtrans worm uses a security loophole in Outlook and Outlook Express to spread itself. It installs itself as a service, answers emails, spies on passwords and records key sequences.


At the beginning of the year the "MyParty" worm  proves that not everything that ends with ".com" is a website. Anyone who double-clicks on the e-mail attachment "www.myparty.yahoo.com" gets a worm with backdoor components instead of the expected pictures.

In the spring and summer, Klez uses the IFRAME security loophole in Internet Explorer to automatically install itself when an email is viewed. It spreads via email and networks and attaches itself to executable files. On the 13th of even months (or other days in subsequent versions), all files on all accessible drives would be overwritten with random content. The content could only be restored through backups.

In May, Benjamin spreads as the initial worm via the KaZaA network. It replicates itself under many different names in a network folder. A website with an advertisement is displayed on infected computers. Prior to this, Gnutella P2P networks were also affected.

Lentin is a worm that exploits the fact many people don't know that SCR files are not only screen savers, but that they are also executable files. Compared to Klez, its video effect is just an annoyance as a harmful function. Nor does it manage to spread like Klez.

At the end of September Opasoft (also called Brazil) spreads like an epidemic. On port 137, it scans any computer on the network and checks to see if file and/or printer sharing is enabled on any of them. Then it tries to copy itself onto the computer. If there is password protection, a list of passwords is run through and a weak point in the saving of passwords is exploited. 

Tanatos aka BugBear is the first worm since the spring to edge out Klez from the top position. The worm spreads via email and networks, installs a spyware component and sends records of keystrokes.


In January, "SQL slammer" infects at least 75,000 SQL servers and consequently cripples the Internet for hours. It exploits a weak point in the Microsoft SQL server, which has been known about for 6 months, to neutralize database servers. As SQL slammer comprises only an incorrect query and is not loaded into the memory as a file, it remains undetected by antivirus programs. The result: in Seattle the emergency numbers for the police and fire brigade fail, Bank of America ATMs cease to function, 14,000 post offices in Italy remain closed, online stock market trading suffers severely. In Korea KT Corp was temporarily completely disconnected from the Net. The index fell by some 3%, in line with the greatly reduced trading volume. In China all foreign network traffic was blocked.

In August, Lovesan (alias Blaster) spreads independently over the Internet. It uses a security loophole closed just four weeks previously by Microsoft in the RPC/DCOM service and randomly infects computers selected by IP address. Within a very short time hundreds of thousands of computers were infected (570,000 was bandied about). Shortly afterwards Welchia (alias Nachi) began to remove Lovesan/ Blaster from computers and close the RPC/DCOM security loophole. At the end of August 2003, 18 year-old, Jeffrey Lee Parsons was arrested as the author of Lovesan. In March 2005, he was given a hefty fine, which, with the agreement of Microsoft, was commuted to a weekly period of community service over 3 years.

The mass mail worm "Sobig.F" sets a new record for propagation speed with its own mail engine. It spreads ten times faster than previous worms.


Viruses become weapons in the armoury of organised crime. Countless Trojans spy on passwords, credit card numbers and other personal information. Backdoors make computers capable of being remotely controlled and integrate them in so-called botnets. Using the zombies of a botnet, denial of service attacks are made on online betting agencies during the European Football Championship. The operators are forced to pay the extortionists' demands.

Rugrat is the first virus for 64 bit Windows.

Cabir, the first virus for mobile telephones with Symbian OS and Bluetooth interface is developed by Group 29A, the group known for its proof of concept viruses. Shortly thereafter, the same group follows up with WinCE4Dust.A, the first PoC virus for Windows CE.


The first worm for Symbian Smartphones, CommWarrior.A, spreads via MMS. The MMS messages are sent to all entries in the phone book and use variable accompanying texts to pose as anti-virus software, games, drivers, emulators, 3D software or interesting pictures.