1986-1987 The Prologue

It all started in 1986. Basit and Amjad realised that the boot sector of a floppy diskette contained executable code, and this code is run whenever you start up the computer with a diskette in drive A. They realised that they could replace this code with their own program, that this could be a memory resident program, and that it could install a copy of itself on each floppy diskette that is accessed in any drive. The program copied itself; they called it a virus. But it only infected 360KB floppy disks.

In 1987, the University of Delaware realised that they had this virus, when they started seeing the label “(c) Brain” on floppy diskettes. That’s all it did; copy itself, and put a volume label on diskettes.

Meanwhile, also in 1986, a programmer called Ralf Burger realised that a file could be made to copy itself, by attaching a copy of itself to other files. He wrote a demonstration of this effect, which he called VIRDEM. He distributed it at the Chaos Computer Club conference that December, where the theme was viruses. VIRDEM would infect any COM file; again the payload was pretty harmless.

This attracted so much interest, that he was asked to write a book. Ralf hadn’t thought of boot sector viruses like Brain, so his book doesn’t even mention them. But by then, someone had started spreading a virus, in Vienna.

In 1987, Franz Swoboda became aware that a virus was being spread in a program called Charlie. He called it the Charlie virus. He made lots of noise about the virus (and got badly bitten as a result). At this point, there are two versions of the story, Burger claims that he got a copy of this virus from Swoboda, but Swoboda denies this. In any case, Burger obtained a copy, and gave it to Berdt Fix, who disassembled it (this was the first time anyone had disassembled a virus). Burger included the disassembly in his book, after patching out a couple of areas to make it less infectious and changing the payload. The normal payload of Vienna is to cause one file in eight to reboot the computer (the virus patches the first five bytes of the code); Burger (or maybe Fix) replaced this reboot code with five spaces. The effect was that patched files hung the computer, instead of rebooting. This isn’t really an improvement.

Meanwhile, in the US, Fred Cohen had completed his doctoral dissertation, which was on computer viruses. Dr Cohen proved that you cannot write a program that can, with 100% certainty, look at a file and decide whether it is a virus. Of course, no one ever thought that you could, but Cohen made good use of an existing mathematical theorem and earned a doctorate. He also did some experiments; he released a virus on a system, and discovered that it traveled further and faster than anyone had expected.

In 1987, Cohen was at Lehigh, as was Ken van Wyk. So was the author of the Lehigh virus. Lehigh was an extremely unsuccessful virus – it never managed to spread outside its home university, because it could only infect COMMAND.COM and did a lot of damage to its host after only four replications. One of the rules of the virus is that a virus that quickly damages it host, cannot survive. However, the Lehigh virus got a lot of publicity, and led to van Wyk setting up the Virus-L newsgroup on Usenet. Lehigh was nasty. After four replications, it did an overwrite on the disk, hitting most of the File Allocation Table. But a virus that only infects COMMAND.COM, isn’t very infectious.

Meanwhile, in Tel Aviv, Israel (some say in Italy), another programmer was experimenting. His first virus was called Suriv-01 (virus spelled backwards). It was a memory resident virus, but it could infect any COM file, whereas Lehigh could only infect COMMAND.COM. This is a much better infection strategy than the non-TSR strategy used by Vienna, as it leads to files on all drives and all directories being infected. His second virus was called Suriv-02, and that could infect only EXE files, but it was the first EXE infector in the world. His third attempt was called Suriv-03, and it could handle COM and EXE files. His fourth effort escaped into the world, and became known as the Jerusalem virus. Every Friday 13th, instead of infecting files that are run, it deletes them. But Friday 13ths are not common, so the virus is pretty inconspicuous, most of the time. It avoids infecting COMMAND.COM, because in those days, many people believed that this was the file to watch (see Lehigh).

It looks as if it escaped rather than was released, because it plainly was not ready for release. The author decided to change the way that the virus detected itself in EXE files, and had made part of that change. There is redundant code from the Suriv viruses still in place, and also what looks like debugging code. It was found in the Hebrew University of Jerusalem (hence the name) by Yisrael Radai.

While all this was going on, a young student at the University of Wellington, New Zealand, had found a very simple way to create a very effective virus. One time in eight, when booting from an infected floppy, it also displayed the message ‘Your PC is now Stoned’, hence the name of the virus.

The virus itself was just a few hundred bytes long, but because of its self-restraint, and memory-resident replication, it has become the most widespread virus in the world, accounting for over a quarter of outbreaks. It is very unlikely that Stoned virus will ever become rare. The virus spread rapidly, because of its inconspicuousness (and because in those days, people were keeping a careful eye on COMMAND.COM, because of Lehigh).

In Italy, at the University of Turin, a programmer was writing another boot sector virus. This one put a bouncing ball up on the screen, if the disk was accessed exactly on the half hour. It became known as Italian virus, Ping Pong, or Bouncing Ball. But this virus had a major defect; it couldn’t work on anything except an 8088 or 8086 computer, because it uses an instruction that doesn’t work on more advanced chips. As a result, this virus has almost died out (as has Brain, which can only infect 360KB floppies, and which foolishly announces its presence via the volume label).

Back in the US, an American was demonstrating a problem that has continued to dog US virus writers ever since: incompetence. The Lehigh didn’t make it outside a small circle; neither did the Yale virus. This was another boot sector virus, but it only copied itself when you booted from an infected floppy, then put another floppy in to continue the boot process. No subsequent diskette was infected, and if the boot-up continued from a hard disk, there was no infection at all. Yale never spread at all widely, either.

But also in 1987, a German programmer was writing a very competent virus, the Cascade, so called after the falling letters display that it gave. Cascade used a new idea – most of the virus was encrypted, leaving only a small stub of code in clear for decrypting the rest of the virus. The reason for this was not clear, but it certainly made it more difficult to repair infected files, and it restricted the choice of search string to the first couple of dozen bytes. This idea was later extended by Mark Washburn when he wrote the first polymorphic virus, 1260 (Chameleon). Washburn based Chameleon on a virus that he found in a book: the Vienna, published by Burger.

Cascade was supposed to look at the BIOS, and if it found an IBM copyright, it would refrain from infecting. This part of the code didn’t work. The author soon released another version of the virus, 1704 bytes long instead of 1701, in order to correct this bug. But the corrected version had a bug that meant that it still didn’t detect IBM BIOSes.

Of these early viruses, only Stoned, Cascade and Jerusalem are common today, but those three are very common.

The information in this section was provided by and used with permission of Dr. Solomon Software. Please do not further use the material without obtaining your own permission to use it.

Up Arrow Dr Solomon History Up Arrow
Prior Page Next Page
Dr Solomon History 1988 The Game Begins