`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'

                  20TH CENTURY: COMPUTER VIRUS HISTORY

                `'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'`'.'
                written by: paranoidxe
                date: 04/21/2004



For generic information about viruses and how they work, please visit
my other document entitled "The Basic Concepts of PC Viruses". This
document assumes you already know the following:
- What a virus is
- What a trojan is
- What a worm is
- What polymorphic, stealth, memory resident, etc. mean
- What .COM, .SYS, .PIF, .EXE files are

If you understand all the above, please proceed. If you don't, you can
still proceed, but you may have a hard time following it.

Please note this article does NOT focus on what I call piggy-back viruses,
which are viruses such as macro viruses that need Word in order to run.
This means specifically that all Outlook-, Excel-, and Word-dependent viruses
WILL NOT be covered by this guide.

What will be covered are some of the revolutionary viruses of the 80s and 90s,
as well as some of the more popular ones. This also covers some of the
worms and trojans that were threats back in the day. Please note that most,
if not all, of these viruses are not a threat today.




- - - - - - - - - - - - - - -
AOL4FREE TROJAN/VIRUS (1997)
- - - - - - - - - - - - - - -
The AOL4FREE trojan/virus was a special case because at the time there was
an AOL4FREE program that allowed AOL users who were charged by the minute
to get free AOL time. At the same time, hoax chain letters were sent
around claiming that there was an AOL4FREE virus going around that deleted
all data from your hard drive simply by reading the message, that it couldn't
be detected by any current antivirus software, and that it would render your
computer useless. The next thing to come would only lead to more
confusion...

Then it happened: in April of 1997 an AOL4FREE.COM trojan was released
that could potentially delete data on the user's hard drive. The AOL4FREE.COM
trojan (called a virus by some) would delete common Windows directories if
the user launched it. So now you have 3 different stories about one subject.

So now you have: a) the hoax, which made claims that were WAY out of line
with what the trojan actually does; b) the legit program that gave AOL users
free time; and c) the trojan that deletes common Windows directories.

Then you have the variant that came along, the AOLHELL97 trojan, which
supposedly did the exact same thing the hoax claimed. The only difference is
that the AOLHELL97 trojan NEVER existed.

By the time it was all said and done, VERY few people actually got the
trojan; the infection count was barely in the 100s.





- - - - - - - - - - - -
THE HARE VIRUS OF 1996
- - - - - - - - - - - -
The real, but EXTREMELY overblown, virus of 1996 was hands down the Hare
virus. While the virus does have a destructive payload and can potentially
bring down a computer, the infection rate claimed at the time was insane.
The virus was claimed to have infected millions of computers around the
world, and because it was claimed that current AV products couldn't detect
it, there were supposedly people who didn't even know they were infected.

Many people added to the Hare hysteria by blaming common Windows problems
that occurred on their computers on a Hare infection.

So what did the Hare virus actually do? The payload triggers on August 22nd
and September 22nd; ONLY on these two dates will the virus overwrite the data
on your hard drives. The message commonly displayed by this virus is:
"HDEuthanasia" by demon emperor: Hare Krsna, hare, hare...





- - - - - - - - - - - - - - - - - -
DATACRIME/COLUMBUS DAY VIRUS (1989)
- - - - - - - - - - - - - - - - - -
This virus was probably one of the first, if not the very first, viruses to
cause hysteria, back in 1989.

Datacrime was a virus that would launch its payload on or after October 13th
of that year. It would format the first nine tracks of a hard disk and
display the message
"DATACRIME VIRUS RELEASED: 1 MARCH 1989"
With those tracks erased the hard drive became unreadable, since the drive
no longer had the information it needed to locate the data stored on it.

In America, Datacrime went under the alias of the Columbus Day virus, and it
was thought to have been written by Norwegian terrorists.

The big Datacrime "attack" was apparently at the Royal National Institute
for the Blind, which claimed that Datacrime had wiped out its most important
data. It turned out to be a minor outbreak of the Jerusalem virus.

The virus became a huge deal because of the media and wannabe experts making
false claims about it; in the end VERY few computers were ever touched by
Datacrime. According to McAfee, there were only 7 confirmed reports of the
virus infecting computers in 6 months.




- - - - - - - - - - - - - -
  GHOST.EXE "VIRUS" (1996)
- - - - - - - - - - - - - -
The GHOST program was originally designed to have ghosts fly about your
computer screen, with no ill effects.

However, in 1996 this all changed when people (obviously caught up in the
Hare hysteria) claimed the program would "attack" computer networks on
Friday the 13th. This quickly got to McAfee, which then supposedly
disassembled it and labeled it a trojan horse.

The USDECIAC checked this out and found it to be untrue; however, McAfee
continued to label the program a trojan for some time afterward.



- - - - - - - - - - - - - - -
THE MICHELANGELO VIRUS OF 1992
- - - - - - - - - - - - - - -
The Michelangelo virus was originally discovered in 1991. This virus would
delete the data on a user's hard drive, with the payload triggering on
March 6th each year.

Michelangelo gained fame when a major computer manufacturer claimed to have
shipped over 500 computers carrying the Michelangelo virus. The press then
added fuel to the fire by claiming that hundreds of thousands of computers
around the world MIGHT be infected.

Another major software company jumped on the bandwagon and claimed it had
distributed 900 floppies containing the nifty virus. Another reporter then
claimed millions of personal computers around the world were infected.

Finally the day came, and the "millions" estimate ended up being in the
thousands...10 to 20 thousand, to be exact. While quite a few people still
did get the virus, the claims of millions were WAY off.



- - - - - - - - - - - - - - -
  JERUSALEM VIRUS (1987)
- - - - - - - - - - - - - - -
Jerusalem originated from a programmer in Israel, as part of an experiment.
The programmer made three different viruses before Jerusalem; these viruses
were labeled Suriv-1, Suriv-2, and Suriv-3. Suriv-2 became the first EXE
file infector in the world. The fourth virus created would be known as
Jerusalem, and it was accidentally leaked into the world (or so it was
believed).

Jerusalem had the ability to infect .EXE, .COM, .SYS, .PIF, and .OVL files
on the infected machine. The Jerusalem code has been altered many times,
but this is what the original did:

Jerusalem goes memory resident and infects every file that is run, with
the exception of command.com. Due to a bug in the code, the virus may
reinfect the same .EXE file over and over again.



- - - - - - - - - - - - - - -
   STONED VIRUS (1987)
- - - - - - - - - - - - - - -
Stoned was created by a programmer at the University of Wellington in
New Zealand in 1987. The virus was designed to infect the MBR and the boot
sectors of 360K floppy disks. However, though it was designed for 360K
disks, its chance of infecting higher-capacity floppy disks is higher than
for its original infection target.

When booting there is a 1 in 8 chance that the virus will beep and
display one of the following messages:
"Your PC is now stoned! LEGALIZE MARIJUANA!"
"Your PC is now Stoned!"
"Your computer is now stoned."

Stoned also served as base code for many virus writers; there are literally
over 90 variants of Stoned which do different things.



- - - - - - - - - - - - - - -
    CASCADE VIRUS (1987)
- - - - - - - - - - - - - - -
Written in Germany, the Cascade virus introduced the concept of encryption,
which made it significantly harder to repair the files that Cascade
infected.

Cascade also introduced quite another feature: the ability to make the
lettering on the screen drop to the bottom. Cascade is another base virus
for virus writers, with MANY variants.

Cascade's variants were quite potent as well; one variant specifically
formats the user's hard drive. Cascade is the virus that made IBM take
viruses seriously, after many IBM computers became infected with it.



- - - - - - - - - - - - -
 VIENNA VIRUS (1990)
- - - - - - - - - - - - -
The Vienna virus became the first known polymorphic virus, which caused
a problem for anti-virus creators. This virus required AV companies to
write an algorithm that would apply logical tests to a file and decide
whether the bytes it was looking at were one of the possible decryptors.

The Vienna virus' polymorphic technology caused quite a few AV products
to generate false positives due to poor coding.

What did the Vienna virus actually do to a computer? The virus infected
COM files every time they were run, and 1/8th of the time it inserted a
jump to the BIOS routine that reboots the machine. Essentially the virus
randomly rebooted the computer and corrupted files.



- - - - - - - - - - - - - -
DARK AVENGER FAMILY (1990)
- - - - - - - - - - - - - -
The Dark Avenger virus introduced two concepts: fast infection and subtle
damage. Fast infection meant that simply reading a file was enough for Dark
Avenger to infect it, which means incredibly fast infection of the whole
hard drive. Dark Avenger overwrites sectors every once in a while; if this
isn't noticed for a period of time, the corrupted files get backed up, so
when the user tries to restore a clean version of the files, Dark Avenger's
corrupt files come right back. Essentially, Dark Avenger also targets
backup copies.

The variants of Dark Avenger include Number of The Beast, which is
essentially the same concept as Dark Avenger except that the virus is
commonly identified as the wrong virus by antivirus products.

Another, more vicious variant is Nomenklatura, which will overwrite the
user's hard drive on the 13th of any month.



- - - - - - - - - - - - -
THE WHALE VIRUS (1990)
- - - - - - - - - - - - -
Whale was an EXTREMELY complex polymorphic virus that took AV vendors
literally weeks to decode. While the virus isn't particularly harmful or
effective, it proved to be one of the toughest decode jobs antivirus
vendors had faced. Whale could also change to many different sizes,
making it even more complex. Its biggest side effect was that Whale would
crash a computer if it was run.



- - - - - - - - - - - -
    BRAIN (1987)
- - - - - - - - - - - -
The Brain family is thought to be one of the earliest MS-DOS viruses.
Brain is worth mentioning because it was the first virus to use stealth,
which means that when the size of a file was reported, it would report
the uninfected file size, so the file would appear not to have been
infected.

Some variants are able to use trapping technology to survive warm boots
(reboots). Brain, though it doesn't do much other than infect the boot
sectors of 360K floppies, is legendary because it is one of, if not the,
first MS-DOS viruses. Some variants do have bugs that scramble files on
the infected disk.



- - - - - - - - - - - - -
 THE AIDS TROJAN (1989)
- - - - - - - - - - - - -
Possibly the first trojan ever created, AIDS has quite a story behind it.
AIDS was considered a virus back in the day, but in reality it is a trojan
horse and nothing more.

In the fall of 1989, an AIDS information packet was sent out by a company
known as PC Cyborg. The packaging was very professional, and when the product
was used it would show a very simple AIDS information document. The disk
itself installed the program to the user's hard disk, or at least that is
what the user was supposed to think. In reality the program installed files
into a hidden directory on the user's hard drive, where it counted how many
times the computer was rebooted. After so many boots the hard disk was
encrypted and you got a nice screen demanding payment for the AIDS
information program in exchange for the decryption code to get the
information on your hard drive back.

Analyzing the license shows the following:
"Warning: Do not use these programs unless you are prepared to pay for
them."
"In case of breach of license, PC Cyborg Corporation reserves the right to
use program mechanisms to ensure termination of the use of these programs.
These program mechanisms will adversely affect other program applications
on microcomputers. You are hereby advised of the most serious consequences
of your failure to abide by the terms of this license agreement"



- - - - - - - - -
BOZA VIRUS (1995)
- - - - - - - - -
It wouldn't be worth mentioning if it weren't for the fact that this virus
is dubbed the very first Windows 95 virus. The virus is a slow infector, but
fast enough to go unnoticed by the user. The virus also carries a bug that
can increase the infected file size by several megabytes, which could
potentially eat a lot of disk space. The virus also displays a Windows
message box with a political message:
WINDOW TITLE: Bizatch by Quantum /VLAD
TEXT: "The taste of fame just got tastier!
      VLAD Australia does it again with the world's first Win95 Virus
      From the old school to the new...
      Metabolis
      Qark
      Darkman
      Automag
      Antigen
      RhinceWind
      Quantum
      Absolute Overload
      CoKe
                     [ OK ]            "

The Boza virus resembles the simplicity of 1980s viruses; it is not
very complex. Had it not been the first Windows 95 virus, it would never
have achieved any fame.




- - - - - - - - - - - - - - -
MORRIS/INTERNET WORM (1988)
- - - - - - - - - - - - - - -
This was the first worm to unintentionally cripple networks. The function
of the Morris Worm (sometimes called the Internet worm) was simply to spread
itself to as many computers as possible. The infection began on a VAX 8600
at the University of Utah; from there it spread, putting an incredible
strain on processor load. This was a bug in the worm: it was never designed
to overload networks, it just did. The worm spread to over 6,000 machines
across the United States. It caused no physical damage to the machines it
affected, but there was a great loss of profit for those who lost access to
the internet.

In the long run the worm exposed some serious security holes in UNIX
environments, which could have gone undetected had the worm not used them
to propagate.



- - - - - - - - - - - - - - -
 THE CHERNOBYL VIRUS (1998)
- - - - - - - - - - - - - - -
A virus that isn't very commonly mentioned anymore, the CHERNOBYL virus
(CIH) introduced a new concept of infection. The Chernobyl virus infects
95/98/ME/NT programs; however, due to NT's nature the virus cannot function
correctly there, so 95/98/ME are really the only platforms affected.

The unique infection method is what is worth mentioning: the virus is
able to find unused space inside a file, split the viral code into smaller
pieces, and insert those pieces into the unused space. This means the
file size does not change.
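A defender-side check for the cavity-infection trick described above, added here as an example and not part of the original article: it walks the PE section table and flags any section whose file-alignment slack (the padding between VirtualSize and SizeOfRawData, which a linker leaves as zeros) contains non-zero bytes. The sample image is constructed inline with a zero-length optional header, so it is not loadable; it only has the structure the parser needs.

```python
import struct

# PE section header layout used here (offsets within the 40-byte entry):
#   Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4)
SECTION_HDR_SIZE = 40


def parse_sections(image: bytes):
    """Return (name, virtual_size, raw_size, raw_offset) for every section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, roff = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vsize, rsize, roff))
    return sections


def find_slack_anomalies(image: bytes):
    """Report sections whose alignment slack holds non-zero bytes.

    The bytes between VirtualSize and SizeOfRawData are pure padding and
    should be 0x00. Code tucked into that gap leaves the file size unchanged
    (the CIH trick) but makes the padding non-zero, which is what we flag.
    """
    findings = []
    for name, vsize, rsize, roff in parse_sections(image):
        if rsize <= vsize:
            continue                         # no slack in this section
        slack = image[roff + vsize: roff + rsize]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            findings.append({"section": name, "slack_bytes": len(slack),
                             "nonzero_bytes": nonzero})
    return findings


def build_sample_image(slack_payload: bytes = b"") -> bytes:
    """Constructed minimal MZ/PE shell with one .text section (test data).

    SizeOfOptionalHeader is 0, so the result is not a loadable executable;
    slack_payload is written into the section's alignment padding.
    """
    e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + len(coff) + SECTION_HDR_SIZE
    code = b"\x90" * 0x100                   # 256 bytes of real section content
    raw_size = 0x200                         # padded out to 512-byte file alignment
    slack = slack_payload.ljust(raw_size - len(code), b"\0")
    sect = b".text\0\0\0" + struct.pack("<IIII", len(code), 0x1000, raw_size, raw_off)
    sect += b"\0" * (SECTION_HDR_SIZE - len(sect))
    header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return header + coff + sect + code + slack


if __name__ == "__main__":
    print(find_slack_anomalies(build_sample_image()))                  # clean: []
    print(find_slack_anomalies(build_sample_image(b"\xEB\xFE" * 8)))   # 16 bytes in slack
```

Real binaries can legitimately carry non-zero slack (debug data, overlays), so treat a hit as a reason to look closer rather than as proof of infection.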

Another unique feature is CIH's ability to overwrite the flash BIOS, which
would leave the targeted computer unusable unless the BIOS chip was
completely replaced. The chances of this working are VERY slim, however,
as technology has changed since this virus was written, and some variants
have bugs that prevent this code from working.

Two variants launch their payloads on April 26th, and a third variant
launches its payload on the 26th of any month. The first payload
overwrites the hard disk with random data, starting at the beginning of
the disk, in an infinite loop. This usually will not stop until a) the
user turns the computer off or b) the computer crashes itself. This
leaves any data on the drive unusable and difficult, if not impossible,
to recover.


- - - - - - - - - - - -
AOLGOLD TROJAN (1995)
- - - - - - - - - - - -
The AOLGOLD trojan is a program that was originally advertised as a
special version of the AOL software. The attached file is, in most
cases, named AOLGOLD.ZIP.

The contents of AOLGOLD.ZIP are INSTALL.EXE and README.TXT. The
readme.txt file glorifies AOLGOLD as a special edition of the AOL
software. When install.exe is launched, the following files are extracted
onto the user's hard drive:
MACROS.DRV
VIDEO.DRV
INSTALL.BAR
ADRIVE.RPT
SUSPEND.DRV
ANNOY.COM
MACRO.COM
SP-NET.COM
SP-WIN.COM
MEMBRINF.COM
DEVICE.COM
TEXTMAP.COM
HOST.COM
REP.COM
EMS2EXT.SYS
EMS.COM
EMS.SYS
README.TXT

The readme document included with install.exe goes on to explain that the
program gives you the powers of a guide (a guide meaning the ability to kick
AOL users offline and terminate accounts). Upon execution of install.bat,
the file renames video.drv to VIRUS.BAT and launches it. VIRUS.BAT then
runs the commands to delete the following directories:
DOS, WINDOWS, WINDOWS/SYSTEM, QEMM, STACKER, NORTON, AOL20, PRODIGY,
MMP169, CSERVE, DOOM, WOLF3D

The program then prints a crude message and attempts to run doomday.exe,
but this fails due to a bug in the program.


- - - - - - - - - - - - - - -
TWELVE TRICKS TROJAN HORSE
- - - - - - - - - - - - - - -
The 12 Tricks trojan horse was quite an advancement in terms of trojan
horses. Its unique feature is that it randomly selects a number between 1
and 12, and that number determines what the trojan will do to your
computer. The effects of the trojan include:
- slow down of system performance
- blanking or jerky motion in the scroll window
- clock, printer, or keyboard malfunctions
- random disk writes
- garbled printer output
- FAT, boot sector overwrites
- floppy disk continuously running
- FAT, directory or boot sector damaged disks

The trojan contains the following string:
SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC.
2840 ST. THOMAS EXPWY, SUITE 201
SANTA CLARA, CA 95051

There is no evidence that the company named in the string above had
anything to do with the creation of the trojan; why the author would put
that company's name in is still unknown.


- - - - - - - - - - - - - -
 PKZIP TROJAN HORSE (1992)
- - - - - - - - - - - - - -
Distributed through various BBSes, the PKZIP trojan was advertised as a
fake new version of PKZIP. The versions commonly claimed were 2.01 and
2.2, under the following possible file names:
PKZ201.ZIP, PKZ201.EXE, PKZIPV2.ZIP, PKZIPV2.EXE

The 2.01 version is actually a hacked 1.93 alpha version that functions,
but may do some unexpected things since it is an alpha version of the
product.

The 2.2 version, however, is a simple batch file that attempts to delete
files off your hard drive. This version specifically targets C:\DOS\*.*
for deletion.

- - - - - - - - - - - - - - - - -
NORTSTOP/NORTSHOT TROJAN (1989)
- - - - - - - - - - - - - - - - -
This particular trojan horse was bundled with Norton Utilities on BBSes; the
official product did NOT contain this trojan, ONLY pirated versions included
it. The NORTSTOP or NORTSHOT trojan simply deletes files with specific
extensions if run on a day between December 24th and December 31st. The
chances of this affecting anyone are EXTREMELY slim.

- - - - - - - - - - - - -
 TEQUILA VIRUS (1991)
- - - - - - - - - - - - -
The first polymorphic virus, which originated from Switzerland. Tequila had
the ability to change its form in an attempt to avoid detection. The virus
is relatively harmless to data, but will display messages such as:
"Execute: mov ax, FE03 / INT 21. Key to go on!"
If the user follows the directions they will get this message:
"Welcome to T.TEQUILA's latest production.
Contact T.TEQUILA/P.O.BOX 543/6312 St'hausen/Switzerland.
Loving thoughts to L.I.N.D.A
BEER and TEQUILA forever !"

 - - - - - - - - - - - - - -
  BACK ORIFICE TROJAN (1998)
 - - - - - - - - - - - - - -
Back Orifice became the first trojan to serve as an administrative backdoor
tool. Back Orifice works by the user downloading the server application and
running it; the program then stays active, and the person who sent the
server program launches his client and can remotely control the infected
computer. The first version of Back Orifice infected 95/98/ME machines
only.

Later, Back Orifice 2000 was released, which was able to attack Windows NT
systems as well. Back Orifice had a list of useful features, which include:
- computer info, listing disk contents, file manipulation, compression and
  decompression, terminating processes, displaying messages, registry
  access, etc.

Back Orifice has both a legitimate purpose and a malicious purpose. It
can be used as a remote administration tool for networks; on the other
hand, it can be used to compromise data on a targeted computer.

The Back Orifice tool does NOT prey on security flaws and is limited by the
user's permissions on the affected machine. The Back Orifice server
application must be downloaded by the user for them to be affected.

- - - - - - - - - - - - -
 DEDICATED VIRUS (1992)
- - - - - - - - - - - - -
This virus was relatively harmless; however, it makes its mark in history by
being based on a polymorphic generator. Dedicated is a DOS infector for
version 2.x or above. Dedicated only infects COM files upon execution, and
the easy detection method is file size growth. This particular virus was
based on the Mutating Engine 0.9. The problem with the design is that once
the code of the Mutating Engine is deciphered, most if not all viruses
created with the engine can be detected.

- - - - - - - - - - - - - - - -
SUBSEVEN BACKDOOR TROJAN (1999)
- - - - - - - - - - - - - - - -
SubSeven became quite a popular backdoor trojan and still is today.
There are MANY variants of SubSeven, making it harder and harder to detect.
The original SubSeven is very similar to Back Orifice; it will only
infect 95/98 machines. From version 2.2 and above, NT could also become
a target. SubSeven's source is widely available for programmers to expand
upon.


- - - - - - - - - - -
HAPPY99 VIRUS (1999)
- - - - - - - - - - -
This virus was distributed around 1999, generally as an attachment named
Happy99.exe, though it could also arrive under other names. Happy99.exe is
unique in that it is sort of a trojan/virus hybrid: running Happy99.exe
appears to show a fireworks display, yet it does more than meets the eye.

Happy99.exe drops SKA.EXE and modifies WSOCK32.DLL. Through the modified
WSOCK32.DLL, Happy99 gets a list of message recipients and begins sending
itself out through your email, without you noticing.