The online world has always been home to threats, and computer viruses have become its undisputed "stars". Malware of this kind can wreck a computer, steal personal data or turn a system into part of a botnet. This article looks at the most famous and most surprising viruses of the computer era: how they were built, how they acted and what they led to. Viruses have always fascinated users, security professionals and, of course, hackers. These small but potent programs, written to interfere with systems without permission, are capable of enormous damage. They spread through every available channel: the Internet, e-mail, floppy disks, USB drives. They can steal information, borrow your computer's resources to spread further, or simply delete data.
Modern technology has let viruses become far more sophisticated, hiding from antivirus programs and using new infection methods; at the same time, continuous security research keeps improving the tools for finding and removing them. Protection against viruses is an ongoing process, not a one-off: regular updates (antivirus software included) and caution with files downloaded from the Internet are the basics of safe computing. Education and awareness matter just as much: the more users understand about viruses and their methods, the harder it is for them to do their work. In a world where cybercrime is ever more common, this knowledge is simply necessary, whatever your level of experience. But viruses are not famous only for the harm they cause. Some stood out for their unusual structure, complexity or way of spreading, and the ingenuity of their authors has long been a grudging source of admiration among security professionals. Studying the history of the most famous viruses is not only interesting but useful: it shows why they were written, how they attacked and, most importantly, how to avoid them and deal with them.
In the era of ubiquitous computing, viruses have become as common as insect bites. Most are a nuisance; some, like mosquitoes carrying malaria, are genuinely dangerous. For an ordinary user who is not in the business of fighting them, a virus is a routine threat that is easy to avoid with a little care. But at the dawn of personal computing and of the Internet, viruses were everywhere. They were feared, they were known by name, they caused chaos and mischief and mocked their victims along the way.
Creeper, the legendary first computer worm, spread over the ARPANET in the first years of its existence. All in all, it was more of a joke than anything else. Bob Thomas wrote it for the TENEX operating system, and it travelled by means of a hack: Creeper used RSEXEC, the remote-execution system Thomas had developed for DARPA.
As befits a worm, Creeper "crept" across the network between PDP-10 machines. It was touchingly polite: having copied itself to the next machine, it carefully erased itself from the previous one. A little later Ray Tomlinson (the inventor of networked e-mail, who also worked on TENEX) removed that excess politeness so that Creeper would happily reproduce across the network instead of merely crawling from computer to computer.
All Creeper did was print the message I'M THE CREEPER: CATCH ME IF YOU CAN on the teletype or screen. In essence, it was a demo of the "real" computer worms to come. It could still be unsettling: imagine being alone at night in a computing centre when that line suddenly comes out of the machine. Not a bad opening for a horror film.
Because some users were annoyed by its unpredictable behaviour, the first antivirus program, Reaper, soon appeared. It too "crept" across the network, ruthlessly destroying every copy of Creeper it found. Reaper was written by... Ray Tomlinson himself. The horror film came for Creeper in the end.
Elk Cloner, generally considered the first "real" computer virus, was no longer as harmless as grandfather Creeper. It was written by 15-year-old Richard Skrenta, later one of the founders of the Open Directory Project. At the time he was a ninth-grader in his native Pennsylvania, and he liked to annoy his friends by tampering with their pirated games so that, instead of continuing, the game would show a "funny" picture or taunt.
Before long his friends stopped lending him disks and would not let him anywhere near their computers. So he decided to get into other people's machines without touching their disks himself, and in about two weeks wrote Elk Cloner in assembly language.
Elk Cloner infected Apple II computers and spread on DOS floppy disks. When an infected machine encountered an uninfected diskette, the virus copied itself onto it, writing itself into the boot sector.
On every fiftieth boot, the virus displayed a threatening message on the screen:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
Elk Cloner could also ruin a disk that did not carry the standard DOS image, because it overwrote reserved tracks; that was a bug rather than a feature. The features were by no means limited to poetry: contrary to most accounts, Elk Cloner did various annoying things that interfered with normal work, and each payload was tied to the boot count.
On every 15th and 25th boot the screen flickered or the text was inverted; on every 40th and 75th the computer froze; on every 10th and 65th boot the virus provoked assorted errors.
At first the virus infected some school computers, and the teachers tried to blame Skrenta for breaking into the computer room: how else could this hooligan have damaged the machines? Then it gradually spread beyond Pennsylvania. It gained no serious attention until 1985, when an article about Elk Cloner appeared in Scientific American. There was no real epidemic, because spreading required a particular sequence of events: an infected disk had to be booted first and a clean DOS diskette inserted into the Apple II drive afterwards.
Skrenta is proud of his program to this day: "My only justification is that the genie would have got out of the bottle anyway. But it was interesting to be the first to do it :)"
The program that caused the first "real" virus epidemic was not meant as a virus at all, and it came, surprisingly for the mid-1980s, not from the USA but from Pakistan.
It began when two brothers from Lahore, 17-year-old Basit and 24-year-old Amjad Farooq Alvi, grew indignant that the medical software for the IBM PC sold by their company, Brain Computer Services (a heart-monitoring program among others), was being pirated by anyone who could be bothered. They wrote a program that spread through the boot sectors of floppy disks and searched the computer for unlicensed copies of Brain's products.
When it found them, the brothers' virus, by this account, corrupted parts of the pirated copy; it also slowed down access to diskettes and interfered to some extent with normal storage of data.
The following text appeared on the screen:
Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS... Contact us for vaccination... $#@%$@!!
The text differed between versions of the virus (the brothers kept improving their work) and in some versions included ironic dedications. More interestingly, Brain could hide from attempts to detect it: when anything tried to read an infected boot sector, the memory-resident virus intercepted the request and returned the original, uninfected sector instead. This is the first recorded use of what is now called a stealth technique, and it defeats any scanner that relies on the infected operating system to read the disk for it.
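As an added illustration (not Brain's own code, and not part of the original article), here is a small Python model of the stealth trick just described and of the standard answer to it, the "cross-view" check: read the same sector through the possibly hooked system path and through a raw path, and treat any difference as evidence of something hiding. The sector numbers, the marker string and the disk layout are assumptions made for the demonstration; the real virus hooked the BIOS disk interrupt on a DOS floppy.

```python
"""Model of a Brain-style stealth boot-sector infector and of cross-view detection.

Added example, not Brain's own code. The sector layout, the marker string and the
"hook" are constructed; the real virus hooked the BIOS disk interrupt (INT 13h)
on a DOS floppy and answered reads of the boot sector with the original one."""

SECTOR = 512
BOOT = 0                        # sector that holds the boot record
HIDDEN = 7                      # where the infector parks the original boot sector (assumed)
MARKER = b"(c) Brain"           # constructed stand-in for a scanner signature


def make_clean_disk(n_sectors=16):
    """Constructed floppy image: one recognisable boot sector, the rest empty."""
    boot = b"CLEAN BOOT RECORD".ljust(SECTOR, b"\0")
    return [boot] + [bytes(SECTOR) for _ in range(n_sectors - 1)]


def infect(disk):
    """Park the real boot sector in HIDDEN and put the virus loader in its place.
    (Brain marked such sectors as bad in the FAT so DOS would not reuse them.)"""
    disk[HIDDEN] = disk[BOOT]
    disk[BOOT] = (b"VIRUS LOADER " + MARKER).ljust(SECTOR, b"\0")


def raw_reader(disk):
    """Reads straight from the medium: no resident code in the path."""
    return lambda n: disk[n]


def stealth_reader(disk):
    """What the resident virus turns the system read call into: a request for the
    boot sector is answered with the clean copy parked in HIDDEN."""
    def hooked(n):
        return disk[HIDDEN] if n == BOOT else disk[n]
    return hooked


def signature_scan(read, n_sectors):
    """Naive scanner: list the sectors containing MARKER, using whatever read
    primitive it was given (the hooked OS path or the raw one)."""
    return [n for n in range(n_sectors) if MARKER in read(n)]


def cross_view(os_read, raw_read, n_sectors):
    """Cross-view check: any sector whose OS-path contents differ from the raw
    bytes has something in the read path lying about it."""
    return [n for n in range(n_sectors) if os_read(n) != raw_read(n)]


def demo():
    disk = make_clean_disk()
    infect(disk)
    hooked, raw = stealth_reader(disk), raw_reader(disk)
    return {
        "scan_via_os": signature_scan(hooked, len(disk)),   # []  : the scanner is fooled
        "scan_raw": signature_scan(raw, len(disk)),         # [0] : the raw read sees the loader
        "cross_view": cross_view(hooked, raw, len(disk)),   # [0] : the lie itself is the evidence
    }


if __name__ == "__main__":
    print(demo())
```

The scanner that trusts the infected system's read path sees a clean boot sector and reports nothing; reading the medium directly, or simply comparing the two views, exposes the infection. Booting from a known-clean disk before scanning was the practical form of the same idea, and the cross-view principle is still how rootkit detectors work today.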
A year later more than 18,000 machines had been infected in the USA alone. Unfortunately the brothers' program did not work quite as intended: it slowed down even machines that had no pirated Brain software on them, and on some it could block writing any new data to the disk at all.
Worse, rumours spread that the virus deleted files, which it could not do (it did not touch hard disks at all, only floppies), and Brain began to be blamed for every lost file and vanished document, whatever the real cause. The brothers' honestly listed phone numbers were jammed by angry victims and had to be changed, and eventually they gave up medical software altogether.
The Alvi brothers have since done well in IT, however: today they run a large Pakistani Internet provider, Brain Telecommunications.
The first truly destructive virus came from Israel. Its author is still unknown, and that is hardly surprising: where the Alvi brothers miraculously escaped prosecution by outraged users, the creator of the "Friday the 13th" virus would have faced years in prison and a heavy fine had he been caught.
This scourge was first discovered on a computer at the Hebrew University of Jerusalem in October 1987. The author may have been inspired by the famous 1980 American horror film Friday the 13th: it is on that combination of weekday and day of the month that the virus triggered its main payload and, according to various sources, deleted all or some of the programs run on that date. Presumably so that it could spread wider and more reliably first, the "timer" was written so as not to fire during 1987.
Jerusalem spread on diskettes and, later, as e-mail attachments. It worked as a logic bomb, but regardless of the date it also infected executables other than COMMAND.COM, and a bug in its "already infected" check made it "bloat" .exe files by another 1808 to 1823 bytes every time they were run, until they grew too large to load.
Thirty minutes after an infected computer had booted, the whole system slowed noticeably, because the virus hooked the timer interrupt and ran its code on every tick. A characteristic black rectangle also appeared on the screen, obscuring part of the DOS text.
Jerusalem struck its first blow on Friday, May 13, 1988, infecting around six thousand computers around the world, deleting many files and becoming one of the first famous computer viruses.
Jerusalem relied on interrupts and other low-level features of MS-DOS, which lost their relevance with the mass migration to Windows. Jerusalem and its imitator variants had disappeared by the mid-1990s. Its author was never identified.
The author of the first global worm attack, which very nearly brought down the entire early network, is by contrast known for certain, and the story went down in history. He did not do it on purpose, though; it just turned out that way.
Robert Tappan Morris, a recent Harvard graduate, was in 1988 a graduate student at Cornell University in New York. The son of a professional NSA cryptographer (the NSA being a much less famous, but far more serious and effective, agency than the noisy and scandal-prone CIA), he decided to write a self-propagating worm for the ARPANET. That was the sort of fun talented Harvard graduates had back then.
Morris had thought in advance about how the worm should behave when it met decoy copies planted by administrators: in one case in seven (about 14%), on finding that it was already present on a machine, it was to install itself anyway. But the young programmer set that rate far too high. Instead of occasional re-infection, the program began copying itself into a machine's memory at great speed, clogging the RAM with its processes.
November 2, 1988 became a day of fear. Computers connected to the ARPANET began failing one after another. Over two thousand machines were infected within fifteen hours, and cleaning up each one took two or three days. It could have been worse, but the worm only affected systems running Berkeley Unix.
Some nodes were saved simply by being physically switched off. Norway escaped the Morris worm because Pål Spilling, warned of the trouble by telephone by his American colleagues, simply pulled out the cable. He thereby entered IT history as the man who first connected Norway to the Internet and then disconnected it.
In a single day between two and six thousand machines were hit (Jerusalem had needed more than six months for that), and almost the whole worldwide network of the time was put at risk. More than 42,000 nodes had to be checked. Damage estimates ran as high as nearly $100 million, roughly two-thirds of it indirect losses from machines being out of service. Morris's creation deservedly earned the name "the Great Worm", a sort of Shai-Hulud of the early Internet.
Morris was horrified at what he had done, but there was no way to recall the runaway worm. The best US specialists from MIT and Berkeley were urgently brought in, along with every relevant agency, the NSA, DARPA and a host of military computing laboratories, and between them they developed and deployed countermeasures and a clean-up within a few days.
Meanwhile the CIA and the FBI worked flat out to find the attacker, and apparently only the Cold War's rapid collapse prevented a theory about an insidious attack by Soviet hackers (who did not exist, but nothing is impossible for the paranoid imagination of the intelligence services). Morris had been careful and left no traces, although at one point, at the height of the crisis, once the global scale of his blunder was clear, he did phone a friend and ask him to pass on suggestions for fighting the worm anonymously.
And so the creator of the Great Worm might have remained unknown. But Morris could not bear it and told his father. Morris senior, whose job at the NSA was precisely the security of the US federal government's computer systems, understood perfectly what an emergency this was for every department and for national security as a whole; once he had recovered from the sheer enormity of his son's blunder, he was strict and uncompromising. Robert was made to confess and stood trial in an American court.
He initially faced five years in prison and a $250,000 fine, but the court showed leniency and took into account the absence of malicious intent: Morris received three years' probation, a fine of ten thousand dollars and four hundred hours of community service, on top of worldwide notoriety. He went on to a very solid career in IT. It would have been strange otherwise.
Only after this story did the computing community grasp the scale of the possible disaster and rush to deal with antivirus protection. It did not help immediately.
Cascade was the first known encrypted virus, and it left its mark in history both as a meme and because it prompted Eugene Kaspersky to start writing antivirus software. It was evidently the work of a German programmer, perhaps a student: the virus was first found on computers at the University of Konstanz on the Swiss border. Its German name is the poetic Herbstlaub, "autumn leaves".
A memory-resident virus written in assembler, it infected .com files and differed from its predecessors in that, besides the actual body, it carried a decryption routine. At run time the virus first decrypted its own code and only then executed it. Different "instances" carried differently encrypted bodies, the key being the size of the infected file, but the decryptor itself was the same in every copy, which made it much easier to fight than the later "polymorphs": a scanner only needs a signature for the constant decryptor.
Judging by its behaviour, Cascade may have been a student joke. It did not damage files; it simply made the characters on the screen "fall" to the bottom and pile up in heaps. That got in the way of work and forced reboots, with the resulting loss of unsaved data.
Cascade infected many computers in Central Europe, but the original version had a built-in time limit: it was meant to be active only from October 1 to December 31, 1988. Unfortunately, enthusiasts soon released their own adaptations with the timer disabled, so Cascade went on interfering with work into the early 1990s. The last documented infection dates from 1997.
For reasons that are still unclear, the virus had another built-in limit: it was not supposed to infect genuine IBM PCs. Owing to a programming error that check did not always work, and the virus reached IBM's Belgian office, which prompted the company to develop its own antivirus programs.
Not only IBM: in October 1989 Cascade was caught by Eugene Kaspersky, which gave him the idea of developing antivirus software. Cascade became the first virus entered into the database of Kaspersky's first antivirus.
Cascade also inspired the work of Dark Avenger and other Bulgarian virus writers. The phenomenon of Bulgarian hackers and viruses in the 1990s (even the first VX BBS for exchanging viruses and virus-writing know-how was created by Bulgarians) really deserves an article of its own. And Cascade's characteristic effect became so memetic that it reportedly even appeared in an episode of Star Trek.
Datacrime caused more noise in the press than actual damage. According to a version popular among journalists in 1989, it was written by a Norwegian patriot offended that the honour of discovering America went to Columbus rather than the Viking Leif Erikson. The theory arose because the virus became active on October 13, right after Columbus Day, which the USA celebrates on October 12. It is far-fetched, but the public liked it, and Datacrime went into history under the alternative name "Columbus Day".
The virus entered a computer through infected files. When one was run, the first version infected the .com files in the directory one by one, skipping any whose seventh letter was D: that is how the author avoided damaging COMMAND.COM. The second version of Datacrime could infect .exe files as well, and its code was fully encrypted.
Infected files sat quietly in their directories or spread the virus to other machines until October 13. When run on that day or on any day up to December 31 of the same year (why were the virus writers of the late 1980s so fond of tying their payloads to the fourth quarter?), Datacrime proudly displayed the message DATACRIME VIRUS. RELEASED: MARCH 1, 1989, and then did a brutal low-level format of cylinder zero of the hard disk (in the first version, clumsily, because of the author's mistakes), destroying the FAT file allocation table and losing the data irretrievably.
The virus did not spread very far, but the press, frightened by earlier incidents such as the previous year's Morris worm, went into a frenzy. The late 1980s were in general a time of "virus panic" in Western societies and media: there were waves of alarming publications about new and extremely dangerous viruses that simply did not exist.
Datacrime hit the Netherlands hardest, where by some estimates up to 10% of all computers were affected. The Dutch police even had to rush out their own antivirus against Datacrime, selling it for $1 a copy. It worked rather badly and produced many false positives. IBM's VIRSCAN antivirus worked best; the noise around Datacrime helped the company enter a promising new market.
The virus itself may have come from the Netherlands: it was first reported by Fred Vogel back in March 1989, and that combination of name and surname is characteristically Dutch.
The author of the next virus went about it seriously and with considerable cynicism. The world of the late 1980s was terrified of the raging AIDS epidemic. Measures to prevent the spread of HIV were only being developed, as was antiretroviral therapy; infection usually meant death within a few years; rumours, urban legends and apocalyptic predictions, each worse than the last, circulated in society and the press; the infected were shunned like lepers.
On the back of this panic, in December 1989 the evolutionary biologist Joseph Popp, a Harvard man, mailed 20,000 (!) diskettes labelled "AIDS Information Introductory Diskette Version 2.0" around the world to participants of the World Health Organization's AIDS conference in Stockholm. "AIDS" was thus almost the only computer virus in history to be distributed on a large scale by ordinary post rather than electronically.
Many of the scientists and doctors fighting HIV knew little about computer security, a field that was still taking shape, and tried to open the contents. The result was mass infection of their machines and the loss of serious volumes of data on countering the AIDS pandemic.
The floppy disk carried the first ransomware trojan, written, by all accounts, "very carelessly", although the concept itself was praised as "brilliant and extremely sophisticated". The program installed itself through the DOS start-up files, created its own hidden files and directories, replaced system files and began counting boots.
On the 90th start of the computer, AIDS scrambled and hid all the files and displayed an offensive, confusing message:
«ATTENTION I have been elected to inform you that throughout your process of collecting and executing files, you have accdientally ¶HÜ¢KΣ► yourself over: again, that's PHUCKED yourself over. No, it cannot be; YES, it CAN be, a √ìτûs has infected your system. Now what do you have to say about that? HAHAHAHAHA. Have ¶HÜÑ with this one and remember, there is NO cure for AIDS».
Only one file remained visible on the drive: an invoice for $189, payable to a post-office box in Panama, in return for "treatment". The insidious biologist turned out to be a far worse conspirator than programmer: the mailing led straight back to Joseph Popp, who was quickly identified, attracted the attention of police at Amsterdam airport, was arrested on his return to the United States and was extradited to Britain to stand trial.
In court, however, Popp was found unfit to stand trial: he behaved wildly, wore condoms on his nose and curlers in his beard. The reasons for his extravagant act remain unclear; probably either the WHO had turned him down for a job or his colleagues had refused to acknowledge some of his "brilliant" ideas about HIV. After this story Popp went off in a different direction and campaigned for lowering the marriage age for women, whose purpose in life he held to be bearing as many children as possible.
His main innovation lived on, however: trojans became one of the most popular forms of malware, and extortion by computer virus is now a booming criminal business.
Chameleon was in many respects a development of the ideas of Cascade's author. Its creator, Mark Washburn, read Ralf Burger's book "Computer Viruses: A High-Tech Disease", became interested, took the "Vienna" virus printed in it as a basis and added an advanced self-modifying encryption scheme inspired by Cascade.
Where Cascade carried a differently encrypted body in each infection but an identical decryptor, so that a signature for the decryptor still found it, Chameleon simply had no constant signature at all. With every new infection it changed of its own accord by means of a built-in randomizer keyed on the system time. Washburn explained that he wanted to show the inadequacy of existing antivirus systems, which simply searched for known fragments of code.
Well... he showed it. Antivirus developers around the world clutched their heads and set about developing more advanced detection: emulating decryptors before matching, and describing viruses algorithmically rather than by fixed byte strings.
The virus did no harm and was essentially a technology demonstrator. When run, it searched the current directory for files matching *.com. For each one it checked whether the file was too small (10 bytes) or too large (63,488 bytes); if not, it wrote three bytes at the start of the file and appended 1,260 bytes to the end (hence its other name, "1260"). Naturally, the authors of genuinely malicious viruses adopted the technique at once. Including the next one.
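As an added example (not code from Cascade, 1260 or MtE, and not part of the original article), the following Python model puts the Cascade passage above, the Chameleon/1260 description and the MtE engine described at the end of the article side by side: a Cascade-style decryptor that is byte-for-byte identical in every infection, a 1260/MtE-style decryptor that permutes register roles and sprinkles junk instructions from a seeded random source standing in for the system clock, and a scanner that first fails on the mutated copies and then, once it emulates the decryptor before matching (the "generic decryption" approach the antivirus vendors moved to), finds the decrypted body in every case. The four-register toy instruction set, the payload text, the 64-byte decryptor slot, the host file and the rule deriving the Cascade key from the host's size are all constructed here; nothing in it is the real x86 code.

```python
"""Cascade-style constant decryptor vs 1260/MtE-style mutating decryptor, and a scanner
with and without generic decryption (emulation). Added example; none of this is the
code of Cascade, 1260 or MtE. The four-register toy ISA, register roles, payload text,
64-byte decryptor slot, host file and host-derived key rule are all constructed."""
import random

# opcode byte -> (name, operand count); every operand is a single byte
OPS = {"MOV": (0x10, 2), "XORM": (0x20, 2), "INC": (0x30, 1), "DEC": (0x40, 1),
       "JNZ": (0x50, 2), "NOP": (0x90, 0), "HLT": (0xF4, 0)}
BY_CODE = {code: (name, n) for name, (code, n) in OPS.items()}
BODY_START = 64           # decryptor occupies image[0:64]; the encrypted body follows
KEY_REG = 3               # Cascade style: the loader leaves the host-derived key here
PAYLOAD = b"[constructed virus body] find *.com, append self, make letters fall"

def host_key(host_len):
    """Constructed rule in Cascade's spirit (key from the host's length), never zero."""
    return host_len % 255 + 1

def encode(ins):
    out = bytearray()
    for op, *args in ins:
        out.append(OPS[op][0])
        out.extend(args)
    return bytes(out)

def decode(blob):
    """Decode instructions from the front of an image up to HLT or an unknown byte."""
    ins, i = [], 0
    while i < len(blob) and blob[i] in BY_CODE:
        name, n = BY_CODE[blob[i]]
        ins.append((name, *blob[i + 1:i + 1 + n]))
        i += 1 + n
        if name == "HLT":
            break
    return ins

def build_decryptor(body_len, regs, key=None, rng=None):
    """Loop: mem[ptr] ^= key; ptr++; cnt--; JNZ loop; HLT.  rng=None gives identical bytes
    every time (Cascade); with rng, register roles are the caller's and junk on the spare
    register is placed between the real instructions, differently each time (1260/MtE)."""
    key_reg, cnt_reg, ptr_reg = regs
    spare = ({0, 1, 2, 3} - set(regs)).pop()
    junk = lambda: [] if rng is None else rng.choice(
        [[("NOP",)], [("INC", spare), ("DEC", spare)], [("MOV", spare, rng.randrange(256))]])
    ins = [] if key is None else [("MOV", key_reg, key)]  # 1260 embeds its clock-seeded key
    ins += junk() + [("MOV", cnt_reg, body_len)] + junk() + [("MOV", ptr_reg, BODY_START)] + junk()
    loop = len(ins)
    ins += [("XORM", ptr_reg, key_reg)] + junk() + [("INC", ptr_reg)] + junk()
    ins += [("DEC", cnt_reg)] + junk() + [("JNZ", loop, cnt_reg), ("HLT",)]
    code = encode(ins)
    assert len(code) <= BODY_START
    return code.ljust(BODY_START, b"\0")

def emulate(image, key_reg_value=0, budget=10_000):
    """Generic decryption: run the decryptor against a copy of the image and return the
    memory afterwards; the step budget guards against decryptors that never terminate."""
    mem, r, code, pc = bytearray(image), [0, 0, 0, key_reg_value], decode(image), 0
    for _ in range(budget):
        if pc >= len(code) or code[pc][0] == "HLT":
            break
        op, *a = code[pc]
        if op == "MOV": r[a[0]] = a[1]
        elif op == "XORM": mem[r[a[0]]] ^= r[a[1]]
        elif op == "INC": r[a[0]] = (r[a[0]] + 1) & 0xFF
        elif op == "DEC": r[a[0]] = (r[a[0]] - 1) & 0xFF
        elif op == "JNZ" and r[a[1]] != 0:
            pc = a[0]
            continue
        pc += 1
    return bytes(mem)

def infect_com(host, style, seed=0):
    """Overwrite the host's first 3 bytes with a JMP to the appended decryptor + encrypted
    body; the saved original 3 bytes travel inside the body."""
    body = host[:3] + PAYLOAD
    if style == "cascade":
        key, dec = host_key(len(host)), build_decryptor(len(body), (KEY_REG, 1, 2))
    else:                                      # "1260": the seed stands in for the clock
        rng = random.Random(seed)
        key = rng.randrange(1, 256)
        dec = build_decryptor(len(body), tuple(rng.sample(range(4), 3)), key, rng)
    image = dec + bytes(b ^ key for b in body)
    return b"\xE9" + (len(host) - 3).to_bytes(2, "little") + host[3:] + image

CASCADE_SIG = build_decryptor(len(PAYLOAD) + 3, (KEY_REG, 1, 2)).rstrip(b"\0")
SIGNATURES = {"plain-body": PAYLOAD, "cascade-decryptor": CASCADE_SIG}

def scan(file, generic_decryption=False):
    """Follow the entry JMP to the appended image, optionally run it first, then match.
    Returns the name of the matching signature, or None."""
    if len(file) < 3 or file[0] != 0xE9:
        return None
    entry = 3 + int.from_bytes(file[1:3], "little")
    image = file[entry:]
    if generic_decryption:
        image = emulate(image, host_key(entry))  # the scanner can recompute Cascade's key
    return next((name for name, sig in SIGNATURES.items() if sig in image), None)
```

With emulation switched off, the scanner catches every Cascade-style infection by its constant decryptor but none of the 1260-style variants, whose decryptors differ from copy to copy and whose bodies are encrypted under fresh keys. Letting the scanner run the decryptor in a sandbox first reduces both families to the same plaintext body, which is what MtE-era engines forced the industry to do; the price is the execution budget and the sandbox itself, which later viruses attacked with anti-emulation tricks of their own.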
Whale appeared in Hamburg, Germany, six months after Chameleon, in the summer of 1990. At the time of its discovery it was the largest computer virus known: the first sample "weighed" a full 9,216 bytes. No wonder: it had the most complex multi-level polymorphic encryption yet seen, stealth mechanisms to hide its presence in the system and anti-debugging tricks. Even its size varied.
It took researchers weeks to decipher its code. No wonder again: with German thoroughness, the author had done everything to make his creation as hard as possible to trace, disassemble and analyse.
Whale's harm lay in slowing the infected system badly and making the screen flicker unpleasantly; by some accounts it could also crash the system. It also created the file C:\FISH-#9.TBL, into which it wrote a copy of the hard disk's MBR together with the text: FISH VIRUS #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if Whale is in her Cave.
Between February 19 and March 20 the virus hung the system and displayed the line THE WHALE IN SEARCH OF THE 8 FISH I AM '~knzyvo}' IN HAMBURG. What this meant, and what the author was on, remains a mystery.
This virus is not Mexican at all but Swiss, and it caused a real epidemic of infections in April 1991. Accounts of its authorship differ. By one version it was written as an experiment by a researcher whose code was stolen and released "into the wild" at a Swiss IT company; by another, by two brothers aged 18 and 21. There were suspicions that Tequila's creators had something to do with the complex polymorphic virus Flip, which had appeared the year before.
Like Flip, Tequila was polymorphic and memory-resident, hid well from attempts to find and remove it, and, almost like Whale above, was stuffed with defensive mechanisms. It openly mocked some antivirus products: for example, it stripped the validation checksums that McAfee VirusScan added to files, so that the antivirus could not proceed and checked the same files over and over again.
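The checksum-stripping trick is worth spelling out, because the same design flaw recurs in modern integrity checking. As an added example (not McAfee's code or the virus's, and not part of the original article), the Python below models an integrity record stored inside the file it protects against one kept outside it, and shows what an infector that can rewrite the file does to each. The trailer format, the marker string, the key and the sample file are all constructed; the real Virus Scan validation layout is not reproduced.

```python
"""In-band versus out-of-band integrity records. Added example, not McAfee's code or
Tequila's. The trailer layout, marker, key and sample file are constructed; the real
VirusScan validation format is not reproduced."""
import hashlib
import hmac

MARKER = b"\xCA\xFE-VALIDATED:"                  # constructed trailer marker
DIGEST_LEN = hashlib.sha256().digest_size
TRAILER_LEN = len(MARKER) + DIGEST_LEN
VIRUS_BODY = b"[constructed infector body; the real one added 2468 bytes]"


def _has_trailer(data):
    return len(data) >= TRAILER_LEN and data[-TRAILER_LEN:-DIGEST_LEN] == MARKER


def validate_inband(data):
    """Append marker + SHA-256 of the contents to the file itself."""
    return data + MARKER + hashlib.sha256(data).digest()


def check_inband(data):
    """'ok' / 'modified' / 'unvalidated'. A file whose trailer has been removed looks
    exactly like one that was never validated: that is the hole."""
    if not _has_trailer(data):
        return "unvalidated"
    body, digest = data[:-TRAILER_LEN], data[-DIGEST_LEN:]
    return "ok" if hmac.compare_digest(hashlib.sha256(body).digest(), digest) else "modified"


def infect(data):
    """Tequila-style: discard any in-band record, then append the virus. (The real
    virus also patched the entry point; that part is not modelled.)"""
    if _has_trailer(data):
        data = data[:-TRAILER_LEN]
    return data + VIRUS_BODY


class OutOfBandBaseline:
    """Integrity baseline kept outside the files, as keyed HMACs, so that something
    that can write files cannot also forge the baseline without the key."""

    def __init__(self, key):
        self.key, self.entries = key, {}

    def _mac(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def record(self, name, data):
        self.entries[name] = self._mac(data)

    def check(self, name, data):
        if name not in self.entries:
            return "unknown"
        return "ok" if hmac.compare_digest(self._mac(data), self.entries[name]) else "modified"


def demo():
    clean = b"MZ constructed program image"          # constructed .exe stand-in
    validated = validate_inband(clean)
    baseline = OutOfBandBaseline(b"constructed baseline key")
    baseline.record("PROG.EXE", clean)
    return {
        "inband_clean": check_inband(validated),                    # ok
        "inband_infected": check_inband(infect(validated)),         # unvalidated, not modified
        "oob_clean": baseline.check("PROG.EXE", clean),             # ok
        "oob_infected": baseline.check("PROG.EXE", infect(clean)),  # modified
    }
```

The in-band checker cannot tell "record stripped" from "never validated", which is exactly the behaviour the text describes, and a tool that reacts to "unvalidated" by cheerfully re-validating the file will bless the infected copy. The baseline kept outside the file turns the same infection into a plain "modified" verdict; this is why package signatures and file-integrity monitors keep their reference data in a separate, protected store rather than inside the objects they guard.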
Once on a computer, the virus infected the hard disk's master boot record and .exe files, increasing their size by 2,468 bytes. Curiously, it left alone any file with "v" or "sc" in its name, presumably to avoid touching antivirus utilities.
Once it had managed to infect a quarter of all programs, the virus drew a rather crude picture on the screen in which the outline of the Mandelbrot set could be made out. Above it were lines praising beer and tequila, greetings to a certain L.I.N.D.A. and an invitation to write to a post-office box in the Swiss town of Steinhausen in the name of T. Tequila.
Beyond that, Tequila did almost nothing and was essentially a joke virus. The most damage it could cause came through CHKDSK: because the virus hid its presence, the file sizes reported to programs did not match what was actually on disk, so CHKDSK reported allocation errors, and an attempt to "fix" them with CHKDSK /F could corrupt the data.
There was also the risk of accidental damage when overwriting executables, which could lead to crashes, data loss and other trouble. Tequila spread especially widely in Germany, hitting several schools and a large bank in Frankfurt. Some sources call it the first polymorphic virus to spread on a serious scale. And in 1993, for some reason, it hit South Africa hard.
On March 6, 1992, the Michelangelo virus, also known as Stoned.March6.a and Stoned.Michelangelo, struck. As the date of activation, the still unknown author chose the birthday of the great Renaissance sculptor Michelangelo Buonarroti. However, he did not say anything about this even in the program code, and someone else came up with the name of the malicious program as the panic in the press grew. “Smokyness” in the name is also not accidental: the virus that caused enormous damage was a deeply modernized variation on the theme of the already old at that time Stoned / Marijuana virus, which allegedly appeared from New Zealand.
Perhaps both viruses were created by the same person: the first case of infection was found in Melbourne, Australia, which is quite close to New Zealand. According to another version, Michelangelo came from Taiwan, where the semiconductor industry and the production of computers were booming, and from where many infections began to come through disks with drivers for computer equipment.
The first detected infection in February-March 1991 made it possible to realize the danger of the virus in a timely manner. The danger was great: Michelangelo infected the boot sectors of floppy and hard drives under DOS and worked through the BIOS. When activated on an infected computer that was turned on on March 6, it completely filled the hard sectors with zeros or random characters, after which the data was irretrievably lost.
At the end of 1991 and the beginning of 1992, panic began to flare up. Here and there there have been reports of the discovery of whole batches of 5-inch drives with drivers infected with “Michelangelo”. The headlines of respected news agencies competed in describing the coming apocalypse. It was about the inevitable death of hundreds of thousands or even millions of computers all over the planet, the loss of colossal volumes of data. John McAfee, a well-known specialist in the field of virus control, spoke especially a lot about the future disaster. At the beginning of 1992, 24-hour queues lined up in stores where antiviruses were sold.
On March 6, 1992, the computer world froze in anticipation of a catastrophe… which did not happen. All told, just over 10,000 devices were damaged worldwide.
There are still conspiracy theories that antivirus software developers, who profited handsomely from the whole story thanks to the skyrocketing demand for antivirus products around the world, were involved in the appearance of “Michelangelo” and the media hysteria surrounding it. The company of the same John McAfee did especially well. However, it is now difficult to determine whether the mild outcome was a consequence of the weakness of the virus, or whether the mass installation of antivirus software really did prevent a major digital crisis.
In the following years, cases of computers being disabled by “Michelangelo” were limited to only dozens of recorded episodes worldwide.
This was the creation of the great and terrible Bulgarian hacker Dark Avenger, who became famous as one of the most literate and inventive virus writers in the whole world in the late 80s. There was nothing surprising about its appearance: within the Eastern Bloc, Bulgaria took computer technology particularly seriously. Mass production of Spravnik 8 computers, which were Apple II clones, and Spravnik 16, which copied IBM PCs with Intel 8088 and 8086 processors, was established in the country. The number of computers per capita in Bulgaria by the end of the 1980s was reportedly the largest of all the countries of the socialist camp, including the USSR. At the turn of the 80s and 90s, this gave rise to the phenomenon of Bulgarian viruses that thundered across Europe and the world… however, this is a topic for a separate article.
Strictly speaking, there was no full-fledged MtE virus. Rather, it was the first ever polymorphic generator under MS-DOS that anyone could use in their own viruses. The famous hacker from Sofia published it in the form of an object module with detailed instructions for use and a random number generator.
His hobbyist colleagues, Bulgarian and foreign, were quick to adopt the novelty: writing polymorphic viruses with MtE became much easier. Networks and computers were flooded with polymorphic creatures written using the “gift” from Dark Avenger.
MtE is often mistakenly called DAME, expanded as Dark Avenger Mutation Engine (“polymorphic generator from Dark Avenger”). That is what it could be called “unofficially”, but strictly speaking DAME was the name of a different polymorphic engine from 1993, Dark Angel’s Mutation Encryptor, from the Canadian group Skism.
In the summer of 1991, an epidemic of the Dir_II virus began. Text contained in the code of one version of the virus pointed to its origin in the territory of the former USSR: it quoted a slightly altered line from the unofficial song “Alligator”: “A pie is floating in the integral, hippies are riding in it, there are a lot of them.” As far as is known, this was the first mass-spreading virus presumed to be of Russian origin.
Dir_II used a fundamentally new “link” technology for infecting files. Earlier viruses appended themselves to executable files, increasing their size and making themselves easier to detect. Dir_II instead stored its body in the last cluster of the infected logical disk, which it marked as bad.
It did not add its code to the affected files at all, but only changed the number of the file's first cluster stored in the corresponding directory entry, so that the file now pointed to the cluster containing the body of the virus. File sizes and the cluster layout remained practically unchanged, and finding the single cluster holding the virus at the end of the disk was not easy.
Worst of all, during initialization, the virus penetrated the DOS kernel, changed the address of the system disk driver, and intercepted all DOS calls to it. This made the infection even more invisible to all anti-viruses of the time, and early infection blockers let it through as if through an open window. Spreading and infecting files was rapid: the virus intercepted DOS access to directories and infected files in all directories specified in the PATH.
More and more sectors were marked as bad and encrypted. When the process had covered half of the disk, the user received a sad message. When trying to copy an affected file, the virus allowed only 512 or 1024 bytes to be copied. Worst of all, if someone tried to repair the apparent file structure damage on an affected machine with utilities such as ScanDisk, the result was not removal of the virus but irreversible data loss.
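As an added illustration (not part of the original article), the following Python check looks for the directory inconsistencies that Dir_II-style relinking leaves behind: several files whose first-cluster fields point at one and the same cluster, that cluster marked bad in the FAT, and cluster chains too short for the recorded file sizes (the symptom behind the 512- or 1024-byte copies). The FAT layout, cluster size and file names are constructed sample data.

```python
from collections import defaultdict
from math import ceil

BAD_CLUSTER = 0xFF7      # FAT12 value marking a cluster as unusable
CLUSTER_SIZE = 512       # bytes per cluster, assumed for this example

def chain_length(fat, first):
    """Walk a FAT12 cluster chain from `first`; return its length in
    clusters, or -1 if it is broken (free/bad cluster, loop, out of range)."""
    seen, cur, length = set(), first, 0
    while 2 <= cur < len(fat) and cur not in seen:
        seen.add(cur)
        length += 1
        value = fat[cur]
        if value >= 0xFF8:          # end-of-chain marker
            return length
        if value in (0, BAD_CLUSTER):
            return -1               # chain runs into a free or bad cluster
        cur = value
    return -1

def find_suspicious(fat, entries):
    """entries: (name, first_cluster, size_in_bytes) triples from a directory.
    Returns {name: [reasons]} for entries whose cluster linkage is inconsistent."""
    owners = defaultdict(list)
    for name, first, _ in entries:
        owners[first].append(name)
    report = {}
    for name, first, size in entries:
        if first == 0:
            continue                # empty file owns no clusters
        reasons = []
        if len(owners[first]) > 1:  # several files "start" in the same cluster
            others = [n for n in owners[first] if n != name]
            reasons.append("first cluster %d shared with %s" % (first, ", ".join(others)))
        if fat[first] == BAD_CLUSTER:
            reasons.append("first cluster %d is marked bad in the FAT" % first)
        expected = max(1, ceil(size / CLUSTER_SIZE))
        actual = chain_length(fat, first)
        if actual != expected:
            reasons.append("chain covers %d cluster(s), size implies %d" % (actual, expected))
        if reasons:
            report[name] = reasons
    return report

# Constructed 16-cluster FAT: clusters 2-3 and 4-6 hold two clean files;
# cluster 15, the disk's last cluster, is marked bad the way Dir_II hid its body.
SAMPLE_FAT = [0] * 16
SAMPLE_FAT[2], SAMPLE_FAT[3] = 3, 0xFFF
SAMPLE_FAT[4], SAMPLE_FAT[5], SAMPLE_FAT[6] = 5, 6, 0xFFF
SAMPLE_FAT[15] = BAD_CLUSTER
SAMPLE_DIR = [("README.TXT", 2, 900), ("FORMAT.COM", 15, 1300),   # constructed
              ("EDIT.EXE", 15, 2600), ("DATA.BIN", 4, 1500)]       # entries

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_FAT, SAMPLE_DIR).items():
        print(name, "->", "; ".join(reasons))
```

On the sample data the two relinked entries are reported with all three reasons, while the clean files pass.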
1991-92 was a time when, on the one hand, writing viruses became a mass hobby, and on the other, installing antivirus software became a mass practice. Virus writers and antivirus vendors started a kind of war. The appearance in 1992 of the Peach virus, according to some versions from the same mysterious Bulgarian programmer Dark Avenger, became symbolic. It was the first known “anti-antivirus” virus: it not only forced the computer to restart after a certain number of starts, but also deliberately deleted the database of the Central Point Antivirus change auditor.
In the summer of 1992, Virus Creation Laboratory (VCL) appeared, a program for generating computer viruses with a convenient graphical interface. Now anyone who wished could, with some effort, assemble a virus from a “construction kit” without deep programming skills and release it into the wild. Only rather primitive viruses could be assembled this way, but that did not always stop those who wanted to, nor did the creation in the police and other agencies of many countries of special units to combat hackers and virus writers.