Below is an expanded summary of the history of viruses from the start to when I stopped recording “new” events.
Note: There are endless arguments about the “first” virus. There were a number of malware attacks in the 1970s and some count these among the virus attacks. The description of the malware, however, would indicate these were worms and not viruses by general definition. Just to be complete, however, the questionable entries from the 1970s are included here with the caveat that Computer Knowledge considers virus history to start in 1981.
Also, most of this discussion is MS-DOS or Windows related. There is, however, a good summary of viruses and malware on the Apple platform on the Sophos site.
Pre 1981 Period
In the early 1970s Creeper was found an ARPANET. It was a worm that moved through modems to other systems where it displayed the message “I’M THE CREEPER : CATCH ME IF YOU CAN.” A similar program called Reaper followed Creeper. It appeared to attempt to find and delete Creeper. In 1974 malware called Rabbit which multiplied so fast making copies of itself that systems crashed. In 1975 a game written for the UNIVAC 1108 called Pervading Animal. The game asked questions in an attempt to determine what animal the user had thought of. The game, however, attempted to write itself to every writable program file, changing the creation time to be able to determine if it had already written to that file or not. It was never determined if this Trojan-like behavior was intentional or just an unintended bug. In the theoretical arena JÃ¼rgen Kraus wrote a master thesis called Selbstreproduktion bei Programmen (Self-reproduction of programs).
Now, on to the modern history.
1981 – The First Virus In The Wild
As described in Robert Slade’s history, the first virus in the wild actually predated the experimental work that defined current-day viruses. It was spread on Apple II floppy disks (which contained the operating system) and reputed to have spread from Texas A&M. [Side note: Thanks to a pointer from anti-virus pioneer Fridrik Skulason we know the virus was named Elk Cloner and displayed a little rhyme on the screen:
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
For more info on Elk Cloner see the author’s (Richard Skrenta) page at:
1983 – The First Documented Experimental Virus
Fred Cohen’s seminal paper Computer Viruses – Theory and Experiments from 1984 defines a computer virus and describes the experiments he and others performed to prove that the concept of a computer virus was viable. From the paper…
On November 3, 1983, the first virus was conceived of as an experiment to be presented at a weekly seminar on computer security. The concept was first introduced in this seminar by the author, and the name ‘virus’ was thought of by Len Adleman. After 8 hours of expert work on a heavily loaded VAX 11/750 system running Unix, the first virus was completed and ready for demonstration. Within a week, permission was obtained to perform experiments, and 5 experiments were performed. On November 10, the virus was demonstrated to the security seminar.
1986 – Brain, PC-Write Trojan, & Virdem
The common story is that two brothers from Pakistan (Basit Farooq Alvi and Amjad Farooq Alvi) analyzed the boot sector of a floppy disk and developed a method of infecting it with a virus dubbed “Brain” (the origin is generally accepted but not absolutely). Because it spread widely on the popular MS-DOS PC system this is typically called the first computer virus; even though it was predated by Cohen’s experiments and the Apple II virus. That same year the first PC-based Trojan was released in the form of the popular shareware program PC-Write. Some reports say Virdem was also found this year (it was presented to the underground Chaos Computer Club in Germany in December by Ralf Burger according to reports); it is often called the first file virus.
1987 – File Infectors, Lehigh, & Christmas Worm
The first file viruses started to appear. Most concentrated on COM files; COMMAND.COM in particular. The first of these to infect COMMAND.COM is typically reported to be the Lehigh virus. Cascade is reported to be the first self-encrypting virus. At this time other work was done to create the first EXE infector: Suriv-02 (Suriv = Virus backward). (This virus evolved into the Jerusalem virus.) A fast-spreading (500,000 replications per hour) worm hit IBM mainframes during this year: the IBM Christmas Worm. And, in November, the Atari platform saw its first boot virus: SCA.
1988 – MacMag, Scores, & Internet Worm
MacMag, a Hypercard stack virus on the Macintosh is generally considered the first Macintosh virus and the Scores virus was the source of the first major Macintosh outbreak. Apple malware was not limited to the Macintosh however. This year, in June, saw the development of the Festering Hate Apple ProDOS virus. The Internet Worm (Robert Morris’ creation in November) causes the first Internet crisis and shut down many computers. CERT is created to respond to such attacks.
1989 – AIDS Trojan
This Trojan is famous for holding data hostage. The Trojan was sent out under the guise of an AIDS information program. When run it encrypted the user’s hard drive and demanded payment for the decryption key. Ghostballs is reported by some to be the first multipartite virus but it is a simple variation of the Vienna virus.
1990 – VX BBS & Little Black Book (AT&T Attack)
The first virus exchange (VX) BBS went online in Bulgaria. Here virus authors could trade code and exchange ideas. Also, in 1990, Mark Ludwig’s book on virus writing (The Little Black Book of Computer Viruses) was published. While there is no proof, hackers are suspected of taking down the AT&T long-distance switching system. Based on the Vienna virus, the V2P1 (alias 1260) virus is sometimes considered to be the first polymorphic virus although the changes are minor.
1991 – Tequila
Tequila was the first serious polymorphic virus; it came out of Switzerland and changed itself in major ways in an attempt to avoid detection.
1992 – Michelangelo, DAME, & VCL
Michelangelo was the first media darling. A worldwide alert went out with claims of massive damage predicted on the March 6th trigger date. Actually, little happened. The same year the Dark Avenger Mutation Engine (DAME) became the first toolkit that could be used to turn any virus into a polymorphic virus. Also that year the Virus Creation Laboratory (VCL) became the first actual virus creation kit. It had pull-down menus and selectable payloads (though it’s reported to not have worked very well).
1993 – Stealth_boot PMBS
Stealth_boot PMBS used a unique technique to operate. You caught it by booting from an infected floppy disk. Once installed, Stealth_Boot would install itself in extended memory, switched the computer into protected mode, and then ran a virtual V86 machine which DOS and programs would use. Basically, the virus existed between the operating system and the hardware.
1995 – Year of the Hacker, Concept
Hackers attacked Griffith Air Force Base, the Korean Atomic Research Institute, NASA, Goddard Space Flight Center, and the Jet Propulsion Laboratory. GE, IBM, Pipeline and other companies were all hit by the “Internet Liberation Front” on Thanksgiving. The first macro virus to attack Word, Concept, is developed.
1996 – Boza, Laroux, & Staog
1998 – Strange Brew & Back Orifice; JetDB
Strange Brew is the first Java virus. Back Orifice is the first Trojan designed to be a remote administration tool that allows others to take over a remote computer via the Internet. Access macro viruses start to appear (JetDB).
1999 – Melissa, Corner, Win95.SK, Tristate, Infis, & Bubbleboy
Melissa is the first combination Word macro virus and worm to use the Outlook and Outlook Express address book to send itself to others via E-mail. It arrived in March. Corner is the first virus to infect MS Project files. Win95. SK, in April 1999, is believed to be the first viral HLP file infector. Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files. Infis installs itself as an NT driver and then takes over some undocumented functions. Bubbleboy is the first worm that would activate when a user simply opened and E-mail message in Microsoft Outlook (or previewed the message in Outlook Express). No attachment necessary. Bubbleboy was the proof of concept; Kak spread widely using this technique.
2000 – DDoS, Love Letter, Timofonica, Liberty (Palm), Stream, Pirus & Zmist
The first major distributed denial of service attacks shut down major sites such as Yahoo!, Amazon.com, and others. In May the Love Letter worm became the fastest-spreading worm (to that time); shutting down E-mail systems around the world. June 2000 saw the first attack against a telephone system. The Visual Basic Script worm Timofonica tries to send messages to Internet-enabled phones in the Spanish telephone network (later in 2000 another Trojan attacked the Japanese emergency phone system). August 2000 saw the first Trojan developed for the Palm PDA. Called Liberty and developed by Aaron Ardiri the co-developer of the Palm Game Boy emulator Liberty, the Trojan was developed as an uninstall program and was distributed to a few people to help foil those who would steal the actual software. When it was accidentally released to the wider public Ardiri helped contain its spread. Stream became the first proof of concept NTFS Alternate Data Stream (ADS) virus in early September. As a proof of concept, Stream has not circulated in the wild (as of this writing) but as in all such cases a circulating virus based on the model is expected. Pirus is another proof of concept for malware written in the PHP scripting language. It attempts to add itself to HTML or PHP files. Pirus was discovered 9 Nov 2000. Zmist (Zombie.Mistfall) was introduced in this year. It appears to be the first code integrating virus (the virus takes EXE files apart, inserts itself, and puts the EXE files back together again – a type of Spacefiller virus).
2001 – Gnuman, Winux Windows/Linux Virus, LogoLogic-A Worm, AplS/Simpsons Worm, PeachyPDF-A, Nimda
Gnuman (Mandragore) showed up the end of February. This worm cloaked itself from the Gnutella file-sharing system (the first to specifically attack a peer-to-peer communications system) and pretended to be an MP3 file to download. In March a proof of concept virus designed to infect both Windows and Linux (and cross between them) was released. Winux (or Lindose depending on who you talk to) is buggy and reported to have come from the Czech Republic. Shortly after, the Etap (Simile) virus also attacked the same operating systems but was more effective. On 9 April a proof of concept Logo Worm was released which attacked the Logotron SuperLogo language. The LogoLogic-A worm spreads via MIRC chat and E-mail. May saw the first AppleScript worm. It uses Outlook Express or Entourage on the Macintosh to spread via E-mail to address book entries. May also brought Sadmind, a worm spreading through both Sun Solaris and Microsoft IIS systems. Early August, the PeachyPDF-A worm became the first to spread using Adobe’s PDF software. Only the full version, not the free PDF reader, was capable of spreading the worm so it did not go far. September, the Nimda worm demonstrated significant flexibility in its ability to spread and used several firsts. While not new in concept, a couple of worms created a fair amount of havoc during the year: Sircam (July), CodeRed (July & August), and BadTrans (November & December).
2002 – LFM-926, Donut, Sharp-A, SQLSpider, Benjamin, Perrun, Scalper
2003 – Sobig, Slammer, Lovgate, Fizzer, Blaster/Welchia/Mimail
Sobig, a worm that carried its own SMTP mail program and used Windows network shares to spread started the year. Sobig variants continued to multiply throughout the year. Slammer, exploiting vulnerabilities in Microsoft’s SQL 2000 servers, hit Super Bowl weekend. Its spreading technique worked so well that for some period of time all of South Korea was effectively eliminated from the Internet (obscured). It received significant media coverage. The unique entry that February saw was Lovgate. This was unique as it was a combination of a Trojan and a worm; two pieces of malware that generally don’t get combined. Starting in early May Fizzer spread via usual E-mail methods but also used the KaZaa peer-to-peer network to spread. While generally not unique types, August is (in)famous for a combination of Sobig.F, Blaster (also known as Lovsan and MSBlast), Welchia (or Nachi), and Mimail; all spreading rapidly through a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. 2003 also saw what appeared to be a use of worm-like techniques used in the spreading of spam. Sobig dropped a component that could later be used by spammers to send mail through infected machines. The social engineering techniques used by virus/worm writers improved dramatically as well. Some of the malware this year was accompanied by very realistic graphics and links in an attempt to make you think the mail actually came from the likes of Microsoft or Paypal.
2004 – Trojan.Xombe, Randex, Bizex, Witty, MP3Concept, Sasser, Mac OS X, W64.Rugrat.3344, Symb/Cabir-A, JS/Scob-A, WCE/Duts-A, W32/Amus-A, WinCE/Brador-A, JPEG Weakness, SH/Renepo-A, Bofra/IFrame, Santy
2005 – Bropia, Troj/BankAsh, Commwarrior, Chod, PSPBrick, DSTahen, MSIL/Idonus, Troj/Stinx-E
In 2005 the end of January saw the Bropia Worm which targets MSN Messenger for spreading. A bit later the “F” version of this worm became popular because of the sexy.jpg file that spread with it. The 9th of February then saw Troj/BankAsh, the first Trojan to attack the new (still in beta) Microsoft AntiSpyware product. This Trojan also was reported to go after various British on-line banking services. The start of March saw distribution of another mobile phone worm: Commwarrior, which spread via MMS messaging. The end of March/start of April saw variants of Chod appear. This is a sophisticated worm that spreads via E-mail and the MSN Messaging client. Its messages are very close to what a real user would send and, for the first time, attempts to spoof the return address as being from an anti-virus company (Trend or Symantec, and Microsoft, although coming from Microsoft has been a social engineering ploy for some time now). 6 Oct brought the first Playstation Portable Trojan, PSPBrick. This malware does not spread by itself but comes disguised as a MOD for the PSP. When placed on the PSP the MOD erases a number of system files that prevent the PSP from being restarted and basically turns it into a brick; thus the name. And, not to be outdone, on 12 Oct the Trojan DSTahen showed up which basically does the same thing for the Nintendo DS system. Install the Trojan and you end up with a brick. 14 Oct saw MSIL/Idonus which the maker wanted to be the first Vista virus but because it uses NET 2.0 and other systems that can be installed on earlier operating systems it wasn’t; but it is unique none-the-less. The 10th of November Troj/Stinx-E Trojan horse appeared with a trick that hid itself beneath the Sony DRM software on systems with that software installed. The DRM software is designed to protect copyrighted audio but, in hiding itself, it provided an opportunity for malware to hide behind that software in the hope to avoid detection. Not something new but just to note that during the year Creative Labs shipped 3,700 Zen MP3 players carrying the Wullik-B virus.
2006 – OSX/Leap-A, OSX/Inqtana.A, Redbrowser.A, Icabdi.A, SubVirt, Bagoly, Yhoo32.explr, Stardust.A, Yamanner.A, W32.Chamb, OSX/Macarena, Grey Goo Attack, iAdware, JS/Quickspace.A, Eliles.A
2007 – Agent.BKY, iPod Linux Virus, TI.Tigraa.a, SB.Badbunny, WH/Vred.A, Zhelatin/Storm, IM-Worm:W32/Skipi.A, MSN Trojan
2008 – SymbOS/Beselo.A
January 23rd found the discovery of a Symbian OS worm able to run on several Symbian S60 enabled devices. SymbOS/Beselo.A!worm can infect Nokia 6600, 6630, 6680, 7610, N70 and N72 phones (and maybe others).
[Had to leave 2008 at this point.]
2009 – Ikee
November 8th saw reports of the first IPhone worm: Ikee. This was a proof-of-concept worm that only infects phones that have been jaibroken and have the default password on the Secure Shell application. And, it only changed the wallpaper on the phone. But, the source code for the beast was released so follow-ons with worse payloads can be expected [and, on 23 Nov there are now reports of a new version that sets up botnets on iPhones]. Speaking of botnets, articles on 10 December reported that hackers had made their way into the Amazon EC2 cloud and set up Zeus botnet cammand and control center. This is the first time the Amazon computers have been used for that.
2010 – W32.Fakeupver.trojan, PDF Virus
The end of March Bkis, in their blog, reported a Trojan called W32.Fakeupver.trojan which claimed to be an updater for Adobe software. If run the Trojan would overwrite the Adobe and other updaters and then open various ports on the computer. Even if removed, the non-Adobe updating software would no longer work leaving the computer vulnerable to any holes found in those programs. This is the first such payload of this type. April news reports talk of a proof-of-concept PDF virus being made. The PDF format has evolved and allows for executable material in its latest incarnations. This makes the format much more dangerous.
Had to stop at this point. Sorry.
|CKnow Virus Tutorial|
|Rewrite and Redirect||Dr Solomon History|
Comments from original:
Said this on 2009-12-07 At 09:46 pm
hi good mornig im rudolph villacorta from philipines.
yup.. this information is okay and i learn more. but not enough
specially im doing a ducument about “history of viruses.”
so i need more information like.. what is a porpuse, what is advantage&disadvantages
please help me becuase as a student.i need to learn in a short time.
theres no time to pass it..
thank you GODBLESS. ^^
Said this on 2009-12-07 At 09:51 pm
In reply to #1
Please read the whole tutorial.
Said this on 2010-10-18 At 05:11 am
what is the name of the first virus that they introduced…..?
[Who is they? And, all first viruses are named in the text; please just go back and actually read it. Thank you. –DaBoss]
Said this on 2010-12-29 At 03:08 am
give me more knowledge about virus . how it is created and how we can remove it and complete history and type of virus
[Well, you could start by reading the rest of the tutorial I guess. But, how a virus is created is not part of it and won’t ever be. –DaBoss]
Said this on 2011-05-27 At 11:30 am
sir i want to know how many types of virus & w ho was the first virus maker?
[I guess you could read the page. –DaBoss]
Said this on 2011-10-31 At 01:57 pm
What is the term used when a virus takes control of features on your computer and transports files or information automatically?
[The most common would be Data Theft. Cyber Crime would be a more general term. There’s probably a “cute” coined term as well but at the moment it doesn’t come to mind. –DaBoss]