A History of Viruses & Worms
Theories for self-replicating programs are first developed.
Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.
Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”
Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label.
The Lehigh virus, one of the first file viruses, infects COMMAND.COM files.
One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day.
MacMag and the Scores virus cause the first major Macintosh outbreaks.
Symantec launches Norton AntiVirus, one of the first antivirus programs developed by a large company.
Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.
1300 viruses are in existence, an increase of 420% from December of 1990.
The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that turns ordinary viruses into polymorphic viruses. The Virus Creation Laboratory (VCL) is also made available. It is the first actual virus creation kit.
Good Times email hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an email with the subject line “Good Times.” Though disproved, the hoax resurfaces every six to twelve months.
Word Concept becomes one of the most prevalent viruses in the mid-1990s. It is spread through Microsoft Word documents.
Baza, Laroux (a macro virus), and Staog viruses are the first to infect Windows 95 files, Excel, and Linux respectively.
Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.
The Chernobyl virus spreads quickly via .exe files. As the notoriety attached to its name would suggest, the virus is quite destructive, attacking not only files but also a certain chip within infected computers.
Two California teenagers infiltrate and take control of more than 500 military, government, and private sector computer systems.
The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any previous virus, infecting an estimated 1 million PCs.
Bubble Boy is the first worm that does not depend on the recipient opening an attachment in order for infection to occur. As soon as the user opens the email, Bubble Boy sets to work.
Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files.
The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook, much like Melissa. The virus comes as a VBS attachment and deletes files, including .MP3, .MP2, and .JPG files. It also sends usernames and passwords to the virus's author.
W97M.Resume.A, a new variation of the Melissa virus, is determined to be in the wild. The “resume” virus acts much like Melissa, using a Word macro to infect Outlook and spread itself.
The “Stages” virus, disguised as a joke email about the stages of life, spreads across the Internet. Unlike most previous viruses, Stages is hidden in an attachment with a false “.txt” extension, making it easier to lure recipients into opening it. Until now, it has generally been safe to assume that text files are safe.
“Distributed denial-of-service” attacks by hackers knock Yahoo, eBay, Amazon, and other high profile web sites offline for several hours.
Shortly after the September 11th attacks, the Nimda virus infects hundreds of thousands of computers in the world. The virus is one of the most sophisticated to date with as many as five different methods of replicating and infecting systems.
The “Anna Kournikova” virus, which mails itself to persons listed in the victim's Microsoft Outlook address book, worries analysts who believe the relatively harmless virus was written with a “tool kit” that would allow even the most inexperienced programmers to create viruses.
Magistr is one of the most complex viruses to hit the Internet. Its victims, users of Outlook Express, were hooked by an infected e-mail attachment. The virus, discovered in mid-March 2001, sent garbled messages to everyone in the infected user's e-mail address book. Attached were files pulled at random from the infected PC's hard drive plus an executable file with the Magistr code. This virus was not as widespread as many others, but it was very destructive. Magistr overwrites hard drives and erases CMOS and the flashable BIOS, preventing systems from booting. It also contained antidebugging features, making it hard to detect and destroy.
Still reeling from the effects of the SirCam and Code Red worms, Windows users would soon have to deal with Klez, an e-mail-borne virus that exploited a flaw in Microsoft's Internet Explorer browser and targeted both Outlook and Outlook Express users. Because Klez required users to click on an embedded e-mail attachment, the damage was limited, but when later variants appeared with spoofed sender addresses, it provided the first sign that virus writers would change tactics to avoid detection. The spoofing of e-mail addresses would later become a standard trick to attack non-technical e-mail (and Windows) users.

Author of the Melissa virus, David L. Smith, is sentenced to 20 months in federal prison.
The LFM-926 virus appears in early January, displaying the message “Loading.Flash.Movie” as it infects Shockwave Flash (.swf) files.
Celebrity named viruses continue with the “Shakira,” “Britney Spears,” and “Jennifer Lopez” viruses emerging.

In January the relatively benign “Slammer” (Sapphire) worm becomes the fastest spreading worm to date, infecting 75,000 computers in approximately ten minutes, doubling its numbers every 8.5 seconds in its first minute of infection.
The Sobig worm becomes one of the first to join the spam community. Infected computer systems have the potential to become spam relay points, and spamming techniques are used to mass-mail copies of the worm to potential victims.
In January a computer worm, called MyDoom or Novarg, spreads through emails and file-sharing software faster than any previous virus or worm. MyDoom entices email recipients to open an attachment that allows hackers to access the hard drive of the infected computer. The intended goal is a “denial of service attack” on the SCO Group, a company that is suing various groups for using an open-source version of its Unix programming language. SCO offers a $250,000 reward to anyone giving information that leads to the arrest and conviction of the people who wrote the worm.
An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm in May. Victims include businesses, such as British Airways, banks, and government offices, including Britain's Coast Guard. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation. The Sasser worm is different from other viruses in that users do not have to open a file attachment to be affected by it. Instead, the worm seeks out computers with a security flaw and then sabotages them. An 18-year-old German high school student confessed to creating the worm. He is suspected of releasing another version of the virus.

In first place for the top malware ranking is Sdbot.ftp, which has held this ranking for the last six months. This generic detection of the variants of the Sdbot worm, downloaded via FTP, was responsible for 3.7 percent of infections. In second place comes the tenacious veteran Netsky.P. Since this worm first appeared in 2004, it has stubbornly refused to leave the monthly list of most frequently detected viruses. Ironically, this worm exploits a vulnerability in Internet Explorer which was detected and resolved some years ago.

April 07, Cross-platform Virus Infects Linux And Windows. A security company announced Friday that it had found a cross-over virus that can infect PCs running either the open-source Linux or Microsoft Windows operating systems. Dubbed "Linux.Bi.a" and "Win32.Bi.a," the split-personality malware doesn't do any damage. Instead, it's a proof-of-concept to prove that a cross-platform virus is possible. "However, experience shows that once proof-of-concept code is released, virus writers are usually quick to take the code, and adapt it for their own use". "It is a sign that the cross-platform aspects are becoming important. As the developers of viruses continue to research this, we will see (more) cross-platform malware." Already, malicious Web site creators send exploits to visitors based on what browser and/or platform the surfer is using. The Linux.Bi.a/Win32.Bi.a virus can infect either ELF binaries (Linux) or files with the ".exe" extension.

July 14, The Sophos Security Threat Management Report reveals that while there has been a vast drop in the number of new viruses and worms being written, this has been over-compensated by increases in other types of malware, as cyber criminals turn their attention to stealing information and money. Most interestingly, new Trojans now outweigh viruses and worms by 4:1, compared to 2:1 in the first half of 2005. In addition, the continued dominance of Windows-based threats has prompted Sophos to suggest that many home users should consider switching to Apple Macs, to shield themselves from the malware onslaught.


The first sign of computer worm activity dates back to 1982, when a program called Elk Cloner squirmed through Apple II systems. The SCA virus and Brain, written for IBM PC compatibles and Amigas, would pop up in the late 1980s, followed by the Morris Worm, the first documented "in the wild" proof-of-concept that infected DEC VAX machines.

Those worms hardly registered on the mainstream media radar but, with the arrival of Windows 95, all that changed in a hurry. The computer world has never been the same.

March 1999: Melissa Strikes

Named after a lap dancer in Florida, the Melissa worm is considered the first destructive mass-mailer targeting Microsoft customers. The worm was programmed to spread via Microsoft Word- and Outlook-based systems, and the infection rate was startling.

Melissa, created by a New Jersey hacker who would go to jail for the attack, was released on a Usenet discussion group inside a Microsoft Word file. It spread quickly via e-mail, sending anti-virus vendors scrambling to add detections and prompting immediate warnings from the CERT Coordination Center.

The Explorer.zip worm appeared in the summer of 1999, following in the footsteps of Melissa. The worm deleted Word, Excel, and PowerPoint files and randomly altered other types of files. Like Melissa, Explorer traveled via e-mails that appeared to be from someone the recipient knew. The message included a file that, if activated, showed a fake error message to the user. Unlike Melissa, this virus did not use Outlook to gather e-mail addresses. Instead, it watched the in-box of the infected computer and then sent automatic replies to senders, using the same e-mail subject as the original message.

May 2000: ILOVEYOU

Still widely considered one of the most costly viruses to enterprises, the ILOVEYOU worm, also known as VBS/Loveletter or Love Bug, used social engineering and catchy subject lines to trick Windows users into launching the executable.

The worm spread rapidly by sending out copies of itself to all entries in the Microsoft Outlook address book. Anti-virus researchers also discovered an additional—and dangerous—component called "WIN-BUGSFIX.EXE" that was a password-stealing program that e-mailed cached passwords back to the attacker.

The worm also gained the attention of the mainstream press when it launched a denial-of-service attack against the White House Web site. To this day, anti-virus vendors report ILOVEYOU sightings in the wild.

2001: A Triple-Barreled Barrage

Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems.

This was the year that malicious worm activity exploded, with three high-profile attacks bombarding Windows users. First up was SirCam, malicious code that spread through e-mail and unprotected network shares and also sent personal documents from infected machines out over the Internet by e-mail. The damage from SirCam was somewhat limited, but what was to follow would set the tone for a spate of network worms that caused billions of dollars in business costs.

In July 2001, the appearance of Code Red again set the cat among the pigeons, spreading via a flaw in Microsoft's Internet Information Server (IIS) Web server. The worm exploited a vulnerability in the indexing software distributed with IIS and caused widespread panic by defacing Web sites with the stock phrase "Hacked By Chinese!" Code Red attacked vulnerable Web servers and was expected to eventually reroute its attack to the White House homepage. It infected approximately 359,000 hosts in the first twelve hours. Code Red spread itself by looking for more vulnerable IIS servers on the Internet and, in August, launched a denial-of-service attack against several U.S. government Web sites, including the White House portal.

Less than a month later, a new mutant identified as Code Red II appeared and wreaked even more havoc.

BadTrans is designed to capture passwords and credit card information.

The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes), creates hidden copies of the originals, and attempts to disable common anti-virus products.

The Bugbear worm also makes its first appearance in September. It is a complex worm with many methods of infecting systems.

Benjamin--a new breed of worm--was let loose in May 2002, and it affected users of the popular file-sharing program Kazaa. The crafty worm posed as popular music and movie files. Kazaa users thought they were downloading a media file to their machines, but they got the imposter instead. It then set up a Kazaa share folder and stuffed it with copies of itself posing as popular music and movie files, which other Kazaa users would download. It congested the system's network connection and would ultimately fill up a hard drive.

2003: Slammer, Sobig and Blaster

This year Windows users had to contend with another three-pronged threat—Slammer in January 2003 and the Sobig and Blaster attacks in the summer.

Reminiscent of the Code Red worm, Slammer exploited two buffer overflow vulnerabilities in Microsoft's SQL Server database, causing major congestion of Internet traffic throughout Asia, Europe and North America.

The worm infected about 75,000 hosts in the first 10 minutes and knocked several ISPs around the world offline for extended periods of time.

As Microsoft struggled to cope with the Slammer fallout, there were two new outbreaks in the summer with Sobig and Blaster squirming through millions of unpatched Windows machines. The fast-spreading worms crippled network infrastructure globally and the cleanup and recovery were estimated to be tens of billions of dollars.

Blaster was particularly nasty. The worm spread by exploiting a buffer overflow in the DCOM RPC service on Windows 2000 and Windows XP and also launched a SYN flood attack against port 80 of Microsoft's windowsupdate.com site that is used to distribute security patches. Microsoft was able to dodge the bullet by temporarily redirecting the site, but the media latched onto the story and forced the company to make major changes to its patching schedule to help customers cope with the patch management nightmare.

2004: Sasser Strikes

After Slammer and Blaster, Microsoft customers complained bitterly that the company's unpredictable patching schedule was causing hiccups in the patch deployment process. In October 2003, chief executive Steve Ballmer announced a plan to release security bulletins on a monthly cycle, except for emergency situations.

The new plan was greeted warmly, but the worm attacks showed no sign of letting up. In January 2004, the MyDoom worm was spotted. A mass-mailer with a payload targeting the Windows operating system, MyDoom quickly surpassed Sobig as the fastest-spreading e-mail worm ever. In addition to seeding Windows machines to create botnets, MyDoom was programmed to launch DDoS (distributed denial-of-service) attacks on Microsoft's Web site.

In early May, Sasser hit. Exploiting a flaw in the LSASS (Local Security Authority Subsystem Service) component, the Sasser worm squirmed through unpatched Windows 2000 and Windows XP machines. Sasser was particularly dangerous and spread rapidly through vulnerable network ports.

Microsoft is credited with reacting swiftly to contain the Sasser spread but, as the Zotob attacks of August 2005 prove (Zotob is a worm that spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability described in Microsoft Security Bulletin MS05-039), the time to exploit an unpatched flaw has narrowed significantly since the launch of Windows 95 10 years ago.

November 25
Sober X Virus Is Worst Computer Worm of the Year

It’s being called the worst computer worm of the year — a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.
The bogus e-mail claims the government has discovered you visiting “illegal” Web sites and asks you to open an attachment to answer some official questions. If you do, your computer gets infected with malware that can disable security and firewall programs and blast out similar e-mails to contacts in your address book. It can also keep you from getting to computer security Web sites that might help fix the problem, and it may open your Windows computer to intruders who can steal your personal data.
The worm — named “Sober X” — has spread so far so fast that the CIA and the FBI put prominent warnings on their Web sites making it clear that they did not send out the e-mail and urging people to not open the attachment.

July 2006
Sober-Z worm
A Dominant Monopoly

Findings show that the most widespread threat from January to date (14 July 2006) is the Sober-Z worm, which, at its peak, accounted for one in every thirteen emails. This worm's dominance is evidence of the trend away from email virus attacks, since Sober-Z maintains a monopoly despite having stopped spreading on 6 January 2006. Further reinforcing this, only one in every 91 of all emails was viral so far this year, compared with one in every 35 for the same period in 2005. Some of the side effects of Sober-Z are: