Virus History Summary

Below is an expanded summary of the history of viruses from the start to when I stopped recording “new” events.

Narrative histories of the early years by Dr. Alan Solomon and Robert M. Slade are available. Below is an expanded summary.

Note: There are endless arguments about the “first” virus. There were a number of malware attacks in the 1970s and some count these among the virus attacks. The description of the malware, however, would indicate these were worms and not viruses by general definition. Just to be complete, however, the questionable entries from the 1970s are included here with the caveat that Computer Knowledge considers virus history to start in 1981.

Also, most of this discussion is MS-DOS or Windows related. There is, however, a good summary of viruses and malware on the Apple platform on the Sophos site.

Pre 1981 Period

In the early 1970s Creeper was found an ARPANET. It was a worm that moved through modems to other systems where it displayed the message “I’M THE CREEPER : CATCH ME IF YOU CAN.” A similar program called Reaper followed Creeper. It appeared to attempt to find and delete Creeper. In 1974 malware called Rabbit which multiplied so fast making copies of itself that systems crashed. In 1975 a game written for the UNIVAC 1108 called Pervading Animal. The game asked questions in an attempt to determine what animal the user had thought of. The game, however, attempted to write itself to every writable program file, changing the creation time to be able to determine if it had already written to that file or not. It was never determined if this Trojan-like behavior was intentional or just an unintended bug. In the theoretical arena Jürgen Kraus wrote a master thesis called Selbstreproduktion bei Programmen (Self-reproduction of programs).

Now, on to the modern history.

1981 – The First Virus In The Wild

As described in Robert Slade’s history, the first virus in the wild actually predated the experimental work that defined current-day viruses. It was spread on Apple II floppy disks (which contained the operating system) and reputed to have spread from Texas A&M. [Side note: Thanks to a pointer from anti-virus pioneer Fridrik Skulason we know the virus was named Elk Cloner and displayed a little rhyme on the screen:

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

For more info on Elk Cloner see the author's (Richard Skrenta) page at: Link

1983 - The First Documented Experimental Virus

Fred Cohen's seminal paper Computer Viruses - Theory and ExperimentsWeb Link from 1984 defines a computer virus and describes the experiments he and others performed to prove that the concept of a computer virus was viable. From the paper...

On November 3, 1983, the first virus was conceived of as an experiment to be presented at a weekly seminar on computer security. The concept was first introduced in this seminar by the author, and the name 'virus' was thought of by Len Adleman. After 8 hours of expert work on a heavily loaded VAX 11/750 system running Unix, the first virus was completed and ready for demonstration. Within a week, permission was obtained to perform experiments, and 5 experiments were performed. On November 10, the virus was demonstrated to the security seminar.

1986 - Brain, PC-Write Trojan, & Virdem

The common story is that two brothers from Pakistan (Basit Farooq Alvi and Amjad Farooq Alvi) analyzed the boot sector of a floppy disk and developed a method of infecting it with a virus dubbed "Brain"Web Link (the origin is generally accepted but not absolutely). Because it spread widely on the popular MS-DOS PC system this is typically called the first computer virus; even though it was predated by Cohen's experiments and the Apple II virus. That same year the first PC-based Trojan was released in the form of the popular shareware program PC-Write. Some reports say VirdemWeb Link was also found this year (it was presented to the underground Chaos Computer Club in Germany in December by Ralf Burger according to reports); it is often called the first file virus.

1987 - File Infectors, Lehigh, & Christmas Worm

The first file viruses started to appear. Most concentrated on COM files; COMMAND.COM in particular. The first of these to infect COMMAND.COM is typically reported to be the LehighWeb Link virus. CascadeWeb Link is reported to  be the first self-encrypting virus. At this time other work was done to create the first EXE infector: Suriv-02Web Link (Suriv = Virus backward). (This virus evolved into the JerusalemWeb Link virus.) A fast-spreading (500,000 replications per hour) worm hit IBM mainframes during this year: the IBM Christmas Worm. And, in November, the Atari platform saw its first boot virus: SCA.Web Link

1988 - MacMag, Scores, & Internet Worm

MacMagWeb Link, a Hypercard stack virus on the Macintosh is generally considered the first Macintosh virus and the ScoresWeb Link virus was the source of the first major Macintosh outbreak. Apple malware was not limited to the Macintosh however. This year, in June, saw the development of the Festering HateWeb Link Apple ProDOS virus. The Internet WormWeb Link (Robert Morris' creation in November) causes the first Internet crisis and shut down many computers. CERT is created to respond to such attacks.

1989 - AIDS Trojan

This Trojan is famous for holding data hostage. The Trojan was sent out under the guise of an AIDS information program. When run it encrypted the user's hard drive and demanded payment for the decryption key. GhostballsWeb Link is reported by some to be the first multipartite virus but it is a simple variation of the Vienna virus.

1990 - VX BBS & Little Black Book (AT&T Attack)

The first virus exchange (VX) BBS went online in Bulgaria. Here virus authors could trade code and exchange ideas. Also, in 1990, Mark Ludwig's book on virus writing (The Little Black Book of Computer Viruses) was published. While there is no proof, hackers are suspected of taking down the AT&T long-distance switching system. Based on the Vienna virus, the V2P1Web Link (alias 1260) virus is sometimes considered to be the first polymorphic virus although the changes are minor.

1991 - Tequila

TequilaWeb Link was the first serious polymorphic virus; it came out of Switzerland and changed itself in major ways in an attempt to avoid detection.

1992 - Michelangelo, DAME, & VCL

MichelangeloWeb Link was the first media darling. A worldwide alert went out with claims of massive damage predicted on the March 6th trigger date. Actually, little happened. The same year the Dark Avenger Mutation EngineWeb Link (DAME) became the first toolkit that could be used to turn any virus into a polymorphic virus. Also that year the Virus Creation LaboratoryWeb Link (VCL) became the first actual virus creation kit. It had pull-down menus and selectable payloads (though it's reported to not have worked very well).

1993 - Stealth_boot PMBS

Stealth_boot PMBSWeb Link used a unique technique to operate. You caught it by booting from an infected floppy disk. Once installed, Stealth_Boot would install itself in extended memory, switched the computer into protected mode, and then ran a virtual V86 machine which DOS and programs would use. Basically, the virus existed between the operating system and the hardware.

1995 - Year of the Hacker, Concept

Hackers attacked Griffith Air Force Base, the Korean Atomic Research Institute, NASA, Goddard Space Flight Center, and the Jet Propulsion Laboratory. GE, IBM, Pipeline and other companies were all hit by the "Internet Liberation Front" on Thanksgiving. The first macro virus to attack Word, ConceptWeb Link, is developed.

1996 - Boza, Laroux, & Staog

BozaWeb Link is the first virus designed specifically for Windows 95 files. LarouxWeb Link is the first Excel macro virus. And, StaogWeb Link is the first Linux virus (written by the same group that wrote Boza).

1998 - Strange Brew & Back Orifice; JetDB

Strange BrewWeb Link is the first Java virus. Back OrificeWeb Link is the first Trojan designed to be a remote administration tool that allows others to take over a remote computer via the Internet. Access macro viruses start to appear (JetDBWeb Link).

1999 - Melissa, Corner, Win95.SK, Tristate, Infis, & Bubbleboy

MelissaWeb Link is the first combination Word macro virus and worm to use the Outlook and Outlook Express address book to send itself to others via E-mail. It arrived in March. CornerWeb Link is the first virus to infect MS Project files. Win95. SKWeb Link, in April 1999, is believed to be the first viral HLP file infector. TristateWeb Link is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files. InfisWeb Link installs itself as an NT driver and then takes over some undocumented functions. BubbleboyWeb Link is the first worm that would activate when a user simply opened and E-mail message in Microsoft Outlook (or previewed the message in Outlook Express). No attachment necessary. Bubbleboy was the proof of concept; KakWeb Link spread widely using this technique.

2000 - DDoS, Love Letter, Timofonica, Liberty (Palm), Stream, Pirus & Zmist

The first major distributed denial of service attacks shut down major sites such as Yahoo!,, and others. In May the Love LetterWeb Link worm became the fastest-spreading worm (to that time); shutting down E-mail systems around the world. June 2000 saw the first attack against a telephone system. The Visual Basic Script worm TimofonicaWeb Link tries to send messages to Internet-enabled phones in the Spanish telephone network (later in 2000 another Trojan attacked the Japanese emergency phone system). August 2000 saw the first Trojan developed for the Palm PDA. Called LibertyWeb Link and developed by Aaron Ardiri the co-developer of the Palm Game Boy emulator Liberty, the Trojan was developed as an uninstall program and was distributed to a few people to help foil those who would steal the actual software. When it was accidentally released to the wider public Ardiri helped contain its spread. StreamWeb Link became the first proof of concept NTFS Alternate Data Stream (ADS) virus in early September. As a proof of concept, Stream has not circulated in the wild (as of this writing) but as in all such cases a circulating virus based on the model is expected. PirusWeb Link is another proof of concept for malware written in the PHP scripting language. It attempts to add itself to HTML or PHP files. Pirus was discovered 9 Nov 2000. ZmistWeb Link (Zombie.Mistfall) was introduced in this year. It appears to be the first code integrating virus (the virus takes EXE files apart, inserts itself, and puts the EXE files back together again - a type of Spacefiller virus).

2001 - Gnuman, Winux Windows/Linux Virus, LogoLogic-A Worm, AplS/Simpsons Worm, PeachyPDF-A, Nimda

GnumanWeb Link (Mandragore) showed up the end of February. This worm cloaked itself from the Gnutella file-sharing system (the first to specifically attack a peer-to-peer communications system) and pretended to be an MP3 file to download. In March a proof of concept virus designed to infect both Windows and Linux (and cross between them) was released. WinuxWeb Link (or Lindose depending on who you talk to) is buggy and reported to have come from the Czech Republic. Shortly after, the EtapWeb Link (Simile) virus also attacked the same operating systems but was more effective. On 9 April a proof of concept Logo Worm was released which attacked the Logotron SuperLogo language. The LogoLogic-AWeb Link worm spreads via MIRC chat and E-mail. May saw the first AppleScript wormWeb Link. It uses Outlook Express or Entourage on the Macintosh to spread via E-mail to address book entries. May also brought SadmindWeb Link, a worm spreading through both Sun Solaris and Microsoft IIS systems. Early August, the PeachyPDF-AWeb Link worm became the first to spread using Adobe's PDF software. Only the full version, not the free PDF reader, was capable of spreading the worm so it did not go far. September, the NimdaWeb Link worm demonstrated significant flexibility in its ability to spread and used several firsts. While not new in concept, a couple of worms created a fair amount of havoc during the year: SircamWeb Link (July), CodeRedWeb Link (July & August), and BadTransWeb Link (November & December).

2002 - LFM-926, Donut, Sharp-A, SQLSpider, Benjamin, Perrun, Scalper

Early in January LFM-926Web Link showed up as the first virus to infect Shockwave Flash (.SWF) files. It was named for the message it displays while it's infecting: "Loading.Flash.Movie...". It drops a Debug script that produces a .COM file which infects other .SWF files. Also in early January DonutWeb Link showed up as the first worm directed at .NET services. In March, the first native .NET worm written in C#, Sharp-AWeb Link was announced. Sharp-A was also unique in that it was one of the few malware programs reportedly written by a woman. Late May the Javascript worm SQLSpiderWeb Link was released. It was unique in that it attacked installations running Microsoft SQL Server (and programs that use SQL Server technology). Also in late May the BenjaminWeb Link appeared. Benjamin is unique in that it uses the KaZaa peer-to-peer network to spread. Mid-June the press went wild over the proof-of-concept PerrunWeb Link virus because a portion of the virus attached itself to JPEG image files. Despite the hype, JPEG files are still safe as you must have a stripper program running on your system in order to strip the virus file off the image file (see 2004 for another JPEG attack). On 28 June the ScalperWeb Link worm was discovered attacking FreeBSD/Apache Web servers. The worm is designed to set up a flood net (stable of zombies which could be used to overwhelm one or more systems).

2003 - Sobig, Slammer, Lovgate, Fizzer, Blaster/Welchia/Mimail

SobigWeb Link, a worm that carried its own SMTP mail program and used Windows network shares to spread started the year. Sobig variants continued to multiply throughout the year. SlammerWeb Link, exploiting vulnerabilities in Microsoft's SQL 2000 servers, hit Super Bowl weekend. Its spreading technique worked so well that for some period of time all of South Korea was effectively eliminated from the Internet (obscured). It received significant media coverage. The unique entry that February saw was LovgateWeb Link. This was unique as it was a combination of a Trojan and a worm; two pieces of malware that generally don't get combined. Starting in early May FizzerWeb Link spread via usual E-mail methods but also used the KaZaa peer-to-peer network to spread. While generally not unique types, August is (in)famous for a combination of Sobig.FWeb Link, BlasterWeb Link (also known as Lovsan and MSBlast), WelchiaWeb Link (or Nachi), and MimailWeb Link; all spreading rapidly through a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. 2003 also saw what appeared to be a use of worm-like techniques used in the spreading of spam. SobigWeb Link dropped a component that could later be used by spammers to send mail through infected machines. The social engineering techniques used by virus/worm writers improved dramatically as well. Some of the malware this year was accompanied by very realistic graphics and links in an attempt to make you think the mail actually came from the likes of Microsoft or Paypal.

2004 - Trojan.Xombe, Randex, Bizex, Witty, MP3Concept, Sasser, Mac OS X, W64.Rugrat.3344, Symb/Cabir-A, JS/Scob-A, WCE/Duts-A, W32/Amus-A, WinCE/Brador-A, JPEG Weakness, SH/Renepo-A, Bofra/IFrame, Santy

Year 2004 started where 2003 left off with social engineering taking the lead in propagation techniques. Trojan.XombeWeb Link was sent out to a wide audience. It posed as a message from Microsoft Windows Update asking you to run the attached revision to XP Service Pack 1. (This, and like messages that phish for personal information, took a lead role in 2004.) In February it was demonstrated that virus writers were starting to ply their craft for money. A German magazine managed to buy a list of infected IP addresses from a distributor of the virus RandexWeb Link. These IP addresses were for sale to spammers who could use the infected machines as mail zombies. The end of February saw BizexWeb Link go after ICQ users through an HTML link that downloaded an infected SCM (Sound Compressed Sound Scheme) file. The weekend of 20/21 March introduced WittyWeb Link, the first worm to attack security software directly (some Internet Security Systems' RealSecure, Proventia and BlackICE versions). The worm was malicious in that it erased portions of the hard drive while sending itself out. A Mac OS X scare in the form of MP3ConceptWeb Link was announced 8 April. Said to be a benign Trojan, MP3Concept turned out to be nothing more than a bad proof-of-concept that never made it into the wild. The end of April saw the SasserWeb Link worm which is the first to effectively use the LSASS Windows vulnerability; a vulnerability that allowed the worm to spread via an open FTP port instead of through E-mail (even though Microsoft had already issued a patch for the vulnerability -- yet another example of people not paying attention to operating system security updates). Toward the end of May Apple issued critical patches to OS X when a vulnerability that could spread via E-mail and mal-formed Web pages was found. The vulnerability would allow AppleScript scripts to run unchecked; even to the point of deleting the home directory. The proof-of-concept Worm W64.Rugrat.3344Web Link showed up the end of May. This is claimed to be the first malware that specifically attacks 64-bit Windows files only (it ignores 32-bit and 16-bit files). It was created using IA64 (Intel Architecture) assembly code. In June Symb/Cabir-AWeb Link appeared to infect Nokia Series 60 mobile phones. The worm is designed to spread to nearby Bluetooth-enabled devices. JS/Scob-AWeb Link appeared in the last half of June. It was special in that it used Javascript to infect Microsoft's IIS Server HTML files through an unpatched vulnerability. User's visiting infected sites were then infected via a download from a Russian site (which was quickly closed down) using an unpatched vulnerability in the IE browser. Mid-July WCE/Duts-AWeb Link showed up. This was another crude proof-of-concept virus relating to the PocketPC. The virus writer was apparently trying for attention as this text is in the virus: "This is proof of concept code. Also, i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR file had to end ..." Early September saw W32/Amus-AWeb Link show up. The only thing that qualified this beast to even be mentioned here was that it uses the Microsoft Speech engine in Windows to read out loud: "hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." where "Gule" is Turkish for "Bye" and "Hamsi" is a small fish found in the Black Sea. August saw WinCE/Brador-AWeb Link, a backdoor for PocketPC devices. On 14 September that paragon of virus-free file type, the JPEG image, came under attack. To be accurate, the image file itself is not so much to blame as a Microsoft common .DLL fileWeb Link that processes the image file type and has a buffer overrun error that could allow someone to add malicious code to a JPEG image which can then open holes in an attacked system. Shortly after, some Trojan exploits started to appear. In Mid-October SH/Renepo-AWeb Link showed up on Macintosh OS X systems. This is a shell script worm that installs itself to /System/Library/StartupItems and other sites and can make files on the system vulnerable to further exploitation. Bofra/IFrameWeb Link made history over the 20/21 November weekend by becoming the first malware to be placed into Internet ads. It is a MyDoom variant that made its way into AdSolution ad serving software. A hacker broke into the system and inserted the malware into served ads until it was noticed and shut down after about 12 hours. Just before Christmas the SantyWeb Link worm showed up. The unique thing about this beast was that it used Google to find its victims. The worm used a phpBB vulnerability to deface vulnerable sites running that popular bulletin board software and queried Google to find the sites. The worm was of no danger to users of the sites; it just defaced the sites.

2005 - Bropia, Troj/BankAsh, Commwarrior, Chod, PSPBrick, DSTahen, MSIL/Idonus, Troj/Stinx-E

In 2005 the end of January saw the Bropia WormWeb Link which targets MSN Messenger for spreading. A bit later the "F" version of this worm became popular because of the sexy.jpg file that spread with it. The 9th of February then saw Troj/BankAshWeb Link, the first Trojan to attack the new (still in beta) Microsoft AntiSpyware product. This Trojan also was reported to go after various British on-line banking services. The start of March saw distribution of another mobile phone worm: CommwarriorWeb Link, which spread via MMS messaging. The end of March/start of April saw variants of ChodWeb Link appear. This is a sophisticated worm that spreads via E-mail and the MSN Messaging client. Its messages are very close to what a real user would send and, for the first time, attempts to spoof the return address as being from an anti-virus company (Trend or Symantec, and Microsoft, although coming from Microsoft has been a social engineering ploy for some time now). 6 Oct brought the first Playstation Portable Trojan, PSPBrickWeb Link. This malware does not spread by itself but comes disguised as a MOD for the PSP. When placed on the PSP the MOD erases a number of system files that prevent the PSP from being restarted and basically turns it into a brick; thus the name. And, not to be outdone, on 12 Oct the Trojan DSTahenWeb Link showed up which basically does the same thing for the Nintendo DS system. Install the Trojan and you end up with a brick. 14 Oct saw MSIL/IdonusWeb Link which the maker wanted to be the first Vista virus but because it uses NET 2.0 and other systems that can be installed on earlier operating systems it wasn't; but it is unique none-the-less. The 10th of November Troj/Stinx-EWeb Link Trojan horse appeared with a trick that hid itself beneath the Sony DRM software on systems with that software installed. The DRM software is designed to protect copyrighted audio but, in hiding itself, it provided an opportunity for malware to hide behind that software in the hope to avoid detection. Not something new but just to note that during the year Creative Labs shipped 3,700 Zen MP3 players carrying the Wullik-B virus.

2006 - OSX/Leap-A, OSX/Inqtana.A, Redbrowser.A, Icabdi.A, SubVirt, Bagoly, Yhoo32.explr, Stardust.A, Yamanner.A, W32.Chamb, OSX/Macarena, Grey Goo Attack, iAdware, JS/Quickspace.A, Eliles.A

The first beast of 2006 that uses a previously unused attack vector appeared mid-February. OSX/Leap-AWeb Link attacks the Macintosh OS/X system instead of Windows. The worm spreads via the iChat instant messaging system, forwarding itself as a file called LATESTPICS.TGZ to contacts on the infected users' buddy list. The executable inside is disguised by a JPEG image icon to trick people into clicking on the executable file. The very next day (17 Feb) another new Mac worm appeared: OSX/Inqtana.AWeb Link. This is a proof-of-concept worm that uses a Bluetooth OBEX Push transfer to move between machines. 28 Feb saw Redbrowser.AWeb Link. While a Trojan, this appears to be the first J2ME (Java 2 Mobile Edition) malware and the first mobile malware that tries to steal money. Initial releases targeted only Russian users. On 7 March Icabdi.AWeb Link became the first virus to infect a Microsoft Infopath .XSN file. As usual with firsts, this was a proof-of-concept beast that is a Trojan dropper. Mid-March Microsoft, of all people, along with the University of Michigan developed the proof-of-concept SubVirt rootkit. SubVirt would live as a virtualization layer between the hardware and the "real" operating system and present its own operating system to the user; effectively taking over the computer. They developed the software to better understand how to attack their own software in order to better defend it [ eWeek articleWeb Link]. On 22 April f-secure announced a proof of concept virus called BagolyWeb Link that infects MATLAB m-file source files. The code is prepended to the start of the m-file. Around 19 May a unique Yahoo! IM malware called yhoo32.explrWeb Link appeared. The unique thing this beast does is to install its own Web browser (called “Safety Browser”) which has an icon that looks like IE. This browser takes people to sites that load the system with other malware. The end of May a proof of concept macro virus called Stardust.AWeb Link appeared. The unique thing about this macro virus was that it was directed toward attacking StarOffice/OpenOffice documents instead of Word documents. This is the first known attack on this alternate office suite. The 12th of June the Yamanner.AWeb Link Javascript worm appeared as the first known exploit of the Yahoo! E-mail system. This was a zero-day exploit of the Yahoo! system and the worm spread automatically if you simply opened an infected message using Internet Explorer. No attachment was necessary. August 1st Symantec reported the appearance of W32.ChambWeb Link, a proof of concept infector of .CHM help files. 31 October saw the appearance of OSX/MacarenaWeb Link, the first infector of Macintosh OS X Mach-O files. Macarena was able to directly infect the program code and did not need to rely on a resource fork like Leap before it. Around 19 November a bunch of self-replicators appeared in Second Life, the multiplayer game. These were rings scripted with the Linden Scripting LanguageWeb Link and, in general, called a Grey Goo attackWeb Link. Late November saw the introduction of iAdware, the first spyware program for Mac OS X. It was proof-of-concept but indicates some attention is being given to the Macintosh platform. On 2 December there were reports of a Quicktime exploit affecting Myspace profiles. Called JS/Quickspace.A, the infected MOV file contains Javascript that will download a Javascript file which will modify your Myspace profile so that all who visit your Myspace profile will get infected as well. More on that hereWeb Link. Of interest, but maybe not really historic, in November Spybot.ACYRWeb Link showed up to exploit Symantec’s Anti-Virus program. It used a hole discovered and patched some six months earlier but still managed to spread via careless users and other methods built into the malware. The distribution of malware with products continued into 2006 when McDonald’s in Japan gave out MP3 players containing the QQpass spyware Trojan and Apple sent out some video iPods with the RavMonE.exe virus on them. Google also distributed some E-mails to the Google Video Blog group containing W32/Kapser.A@mmWeb Link; a mass mailing worm. Finally, on 29 December an unnamed proof-of-concept exploit against region tags in MMS SMIL which are vulnerable to buffer overflow causing arbitrary code execution was published. The IPAQ 6315 and i-mate PDA2k are affected and it’s quite likely that all Pocket PC 2003 and Windows Smartphone 2003 devices are also vulnerable. No malware exploit is presently known. This year also saw what could arguably be called the first Internet-based mobile threat in the Eliles.A wormWeb Link. It used a SIS file on a remote server which was quickly taken down.

2007 – Agent.BKY, iPod Linux Virus, TI.Tigraa.a, SB.Badbunny, WH/Vred.A, Zhelatin/Storm, IM-Worm:W32/Skipi.A, MSN Trojan

March 30th brought an animated cursor vulnerability which, two days later, was exploited by the Trojan downloader worm Agent.BKYWeb Link. This beast infects HTML and other similar files and these, when viewed, download other malicious software. April 5th brought the announcement of a proof-of-conceptWeb Link (very buggy and unnamed) virus for the iPod; specifically for the iPod Linux operating system. On 29 May posted the proof of concept TI.Tigraa.aWeb Link memory resident 492 byte Trojan for the TI-89 graphing calculator line. It won’t spread but introduces another device to malware. SB.BadbunnyWeb Link was reported out by Symantec on 7 June. The thing that makes this beast interesting is the fact that it’s spreads over multiple operating systems (including the Macintosh) using multiple languages (JavaScript on Windows, Ruby on the Mac, and Python on Linux) and OpenOffice macros while it attempts to spread via Instant Messaging. The middle of June F-Secure announced WH/Vred.AWeb Link which is a proof-of-concept virus infecting WinHex scripts; the first to do so. While not new, the social engineering of the Zhelatin/Storm Trojan series was quite effective. As an example, in August the gang started sending messages indicating the receiver had applied to various sites and their temporary login name/password were included along with a link. At the link the well-designed page said a sign-in applet had to be downloaded. That applet contained the Trojan which then infected the machine. The messages were quite convincing to many. September saw the introduction of a Skype worm called IM-Worm:W32/Skipi.AWeb Link. It spread via Skype’s instant messaging and pointed people to what looked like a JPEG image but, instead, was a page with a malicious automatic download and just an image from a standard Windows screensaver. October saw a number of Trojan exploits of a PDF vulnerability. While a patch was available for the vulnerability, many were affected because they did not update their PDF reading software and Microsoft delayed getting a Windows patch out. November 18th a new MSN IM Trojan surfaced which was unique in its scan for VNC (Virtual Network Computing) instances. In December a Trojan that hijacks Google ads on Web pages was report. One example would be Trojan.Qhost.WUWeb Link. The Trojan is not on the Website but, instead, on your computer and intercepts requests for Google ads and serves ads from other sources where the Trojan writer can get the income. It’s also possible the sites directed to will also contain malware to further infect your computer.

2008 – SymbOS/Beselo.A

January 23rd found the discovery of a Symbian OS worm able to run on several Symbian S60 enabled devices. SymbOS/Beselo.A!wormWeb Link can infect Nokia 6600, 6630, 6680, 7610, N70 and N72 phones (and maybe others).

[Had to leave 2008 at this point.]

2009 – Ikee

November 8th saw reports of the first IPhone worm: IkeeWeb Link. This was a proof-of-concept worm that only infects phones that have been jaibroken and have the default password on the Secure Shell application. And, it only changed the wallpaper on the phone. But, the source code for the beast was released so follow-ons with worse payloads can be expected [and, on 23 Nov there are now reports of a new version that sets up botnets on iPhones]. Speaking of botnets, articles on 10 December reported that hackers had made their way into the Amazon EC2 cloud and set up Zeus botnet cammand and control center. This is the first time the Amazon computers have been used for that.

2010 – W32.Fakeupver.trojan, PDF Virus

The end of March Bkis, in their blog, reported a Trojan called W32.Fakeupver.trojanWeb Link which claimed to be an updater for Adobe software. If run the Trojan would overwrite the Adobe and other updaters and then open various ports on the computer. Even if removed, the non-Adobe updating software would no longer work leaving the computer vulnerable to any holes found in those programs. This is the first such payload of this type. April news reports talk of a proof-of-concept PDF virusWeb Link being made. The PDF format has evolved and allows for executable material in its latest incarnations. This makes the format much more dangerous.

Had to stop at this point. Sorry.

Up Arrow CKnow Virus Tutorial Up Arrow
Prior Page Next Page
Rewrite and Redirect  Dr Solomon History

Comments from original:

Said this on 2009-12-07 At 09:46 pm
hi good mornig im rudolph villacorta from philipines.
yup.. this information is okay and i learn more. but not enough
specially im doing a ducument about “history of viruses.”
so i need more information like.. what is a porpuse, what is advantage&disadvantages
please help me becuase as a student.i need to learn in a short time.
theres no time to pass it..
thank you GODBLESS. ^^
Said this on 2009-12-07 At 09:51 pm
In reply to #1
Please read the whole tutorial.

Said this on 2010-10-18 At 05:11 am
what is the name of the first virus that they introduced…..?
[Who is they? And, all first viruses are named in the text; please just go back and actually read it. Thank you. --DaBoss]

Said this on 2010-12-29 At 03:08 am
give me more knowledge about virus . how it is created and how we can remove it and complete history and type of virus

[Well, you could start by reading the rest of the tutorial I guess. But, how a virus is created is not part of it and won't ever be. --DaBoss]

Said this on 2011-05-27 At 11:30 am
sir i want to know how many types of virus & w ho was the first virus maker?

[I guess you could read the page. --DaBoss]

stupid people
Said this on 2011-10-31 At 01:57 pm
What is the term used when a virus takes control of features on your computer and transports files or information automatically?

[The most common would be Data Theft. Cyber Crime would be a more general term. There's probably a "cute" coined term as well but at the moment it doesn't come to mind. --DaBoss]