
The History and the Evolution of Computer Viruses: 1986-1991

CRO at F-Secure Mikko Hypponen provides a captivating insight into the onset and advancement of computer infections in his talk at Defcon 19 called “The History and the Evolution of Computer Viruses”. This part of the speech is dedicated to a detailed description of the first viruses that came on stage in 1986 – 1991, such as the ‘Brain’, ‘Omega’ and others.

Mikko Hypponen: My name is Mikko Hypponen, and we’ll be doing the first session here talking about the history and evolution of computer viruses.

I am from Finland. I’ve been playing around with viruses for the past 20 years, a little bit more than that.

And we are at an interesting point in history, and I’ll get back to that in just a moment, and that’s the main reason why I wanted to speak about the whole evolution of where we’ve been, where we are right now, and where we will be going with malware, trojans, backdoors, worms, viruses.

Now, all those years I’ve been working with the same company – F-Secure. So, we run antivirus labs around the world. And of course in the early days our operations were very small. A couple of guys in the lab analyzed everything by hand, reverse-engineered the code, built detection, tried to figure out how they spread.

Today, all professional antivirus companies run massive labs around the world with automation, because we are, on a typical day right now, receiving somewhere in the range of 100,000 to 200,000 samples coming into our systems. So, obviously we can’t keep up with normal human power any more.

1986 – 1991

Image: 5.25-inch floppy disk infected by ‘Brain.A’

But we’ll start from ‘Brain’. So, what you’re seeing on the image here is an original 5.25-inch floppy disk infected by ‘Brain’. Last year, around November, we were cleaning our labs and in one of the cupboards, we found this box which was full of 5.25-inch floppy disks. And that box had basically the first 100 PC viruses in it, including this ‘Brain.A’. And ‘Brain.A’ is considered to be – and is known to be – the first PC virus in history. That’s the first PC virus. We’ve seen before 1986, for example, some Apple II viruses and stuff like that. But this is actually important because we are still finding PC viruses today, right?

So, I did the math, 1986 – 2011, that’s 25. It’s gonna be 25 years. And we had a meeting in the lab. Okay, what should we do about this? It’s gonna be 25 years since the first PC virus. And our media team thought that we should have some sort of social media campaign to raise awareness of computer security. And I thought that that’s boring, what about if I try to go and find the guys who wrote ‘Brain’ 25 years ago. And if I find them, I’ll speak with them, and I ask them, like, you know, why did you do it, what were you thinking, and what do you think about what you started 25 years ago.


And actually, doing that – like trying to find virus authors 25 years later – typically would be impossible. In case of ‘Brain’, it actually isn’t, and I’ll show you.

Image: boot code snippet of a ‘Brain’-infected floppy

Here is the actual boot code of a floppy infected by ‘Brain’. So, if you just take a closer look, you’ll see some text inside here (see image) saying ‘Welcome to the Dungeon, 1986, Basit and Amjad’, and Basit and Amjad are first names. They are Pakistani first names. Then there is a phone number and a street address.

So, in February, I went to the town of Lahore in Pakistan, which was the address listed inside the ‘Brain’ code. So I knocked on the door. You wanna guess who was at the door? Basit and Amjad. They are still there. Nowadays these guys run an Internet operator, and it is a telco operator for the city of Lahore, and the company is called ‘Brain Telecommunications’.

So, we had a very interesting chat about, okay, why did you do it, and what were you thinking, and… Their explanation was that it was a proof of concept. These guys had a background in the Unix [1] world. They had been running different mainframe systems in the early 1980s, when they were like in their late teens – early 20s. And then PC DOS [2] came around, in 1985. And they hated it. They thought that it wasn’t secure – and obviously, it wasn’t. And they decided to prove it by writing a virus. And that’s what they did. And of course they had no idea that the virus would go around the world, infect computers in more than 100 countries around the world, but that’s what it did.

They also started getting phone calls from around the world, from people who had been infected by the virus and all that. They really weren’t expecting that to happen, but of course it went global, became a global problem.

1986 – Brain

1987 – Stoned

1987 – Cascade

1989 – Yankee Doodle

1989 – Dark Avenger

1990 – Form

‘Brain’ was a very typical example of the early viruses we used to see back then. The motive wasn’t anything very concrete. These guys wanted to try something out. They wanted to do something that would replicate and go around the world. And of course, around those days (1986, 1987, 1988) viruses like ‘Brain’ and ‘Stoned’ and ‘Cascade’, and ‘Yankee Doodle’ were all basically the same thing. They were spreading on floppy disks, infecting boot sectors, so you would have infected floppy inside your computer, you boot from the floppy – you get infected, and every other floppy you put in after that gets infected as well. Or file infectors like ‘Yankee Doodle’ which would infect DOS .COM files, and then when you share files, well, it spreads from one computer to another.

What we have to remember is that in 1986 we didn’t have networks. I mean normal computers, PC computers, were not connected to each other in any way. In fact, most computers didn’t have a hard drive. They would typically have two floppy drives only, right. So, if you wanted to move data around you had to put it on a floppy, there were no other means of doing it. And that’s why floppy-based infectors spread so quickly.
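As an added example that is not part of the talk, here is a small floppy triage script in the spirit of the hand-built detection described above: it decodes the standard DOS boot-sector header, checks the 0x55AA boot signature, and reports the ‘Welcome to the Dungeon’ marker text quoted from the ‘Brain’ boot code. The sample sector is constructed here, and the offset at which the marker is placed is an assumption, not taken from a real ‘Brain’ image.

```python
import struct

BOOT_SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
# Marker text quoted in the talk. Its byte offset in a real Brain sector is not
# given on the page, so the scanner searches the whole sector, not a fixed offset.
BRAIN_MARKER = b"Welcome to the Dungeon"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the DOS boot-sector header (jump, OEM name, BIOS Parameter Block)."""
    if len(sector) != BOOT_SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    # BPB fields starting at offset 11, little-endian, 11 bytes in total.
    (bytes_per_sector, sectors_per_cluster, reserved, fats,
     root_entries, total_sectors, media) = struct.unpack_from("<HBHBHHB", sector, 11)
    return {
        "jump": sector[0:3],
        "oem": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved,
        "fat_count": fats,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media_descriptor": media,
        "bootable": sector[510:512] == BOOT_SIGNATURE,
    }


def scan_boot_sector(sector: bytes) -> list[str]:
    """Return the findings a floppy triage run would report for this sector."""
    info = parse_boot_sector(sector)
    findings = []
    if not info["bootable"]:
        findings.append("missing 0x55AA boot signature")
    pos = sector.find(BRAIN_MARKER)
    if pos != -1:
        findings.append(f"Brain marker text at offset {pos}")
    return findings


def make_sample_sector(infected: bool) -> bytes:
    """Build a constructed 360K floppy boot sector (not a real Brain image)."""
    sec = bytearray(BOOT_SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"          # short jump over the BPB, then NOP
    sec[3:11] = b"MSDOS3.3"             # 8-byte OEM name
    struct.pack_into("<HBHBHHB", sec, 11, 512, 2, 1, 2, 112, 720, 0xFD)
    if infected:
        text = b"Welcome to the Dungeon, 1986, Basit and Amjad"
        sec[0x100:0x100 + len(text)] = text  # assumed offset for this sample only
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)
```

On a real image, read the first 512 bytes of the raw floppy dump and pass them to `scan_boot_sector`.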


Many of these viruses at that time were also, in one way or another, visual. What I mean by that is that you would typically know that you are infected. And one good example of that is the ‘Omega’ virus. This one is not so important or pointed out in any history books or anywhere actually, to anyone else except to me. But it’s important to me because it’s the first virus I analyzed. In September 1991, we had a customer case of a large company, actually a telco, where they had damage on their computers and they were suspecting a virus, and they sent us a sample. And I got assigned to look at the sample, because around that time in F-Secure, I was the only guy who would do reverse-engineering in assembly language. Even though I actually had never done that on a PC, I had a background with the Commodore 64 [3] and doing assembly there, but, you know, I decided to do that. And I printed out the code, spent a couple of days trying to go through and understand how it works, and learning the interrupts of the DOS system and all that.

Image: ‘Omega’ sign

And I did it, I decoded it. I actually didn’t have a spare PC I could infect at that time, so I actually couldn’t run the code, I was just reading it, trying to figure out what it does. And one of the things that I thought it did, just looking at the code, was that it would trigger on the 13th of the month. If it was a Friday, it would activate and display one character: character number 232, I believe. And I looked up that character and that is the ‘Omega’ sign. So, I named the virus ‘Omega’. That’s the first virus I ever named. And the name stuck; if you google around, you will still find this virus as the ‘Omega’ virus.

And that actually started a tradition. In our days, in our company, once you’ve been 10 years with the company, you’ll get a genuine Swiss OMEGA watch. So, I should have named the virus ‘Ferrari’.


[1] Unix is a term generally used to refer to those multitasking, multi-user operating systems which use this term as the entirety of or as part of their official names, including all of the original versions of UNIX that were developed at Bell Labs.

[2] PC DOS (full name: The IBM Personal Computer Disk Operating System) is a DOS system for the IBM Personal Computer and compatibles, manufactured and sold by IBM from the 1980s to the 2000s.

[3] Commodore 64 was an 8-bit home computer manufactured by the now defunct Commodore International company in the time frame 1982-1994.

2 comments

  1. Dave says:

    Before 1987, I read an article about the “Israeli” or “PLO” virus. It infected .EXE files, not the boot sector, and I believe it was triggered to delete files on April 1. I obtained a copy of the virus and examined the executable code, and used it as a demonstration in a series of speeches about viruses beginning in 1986. It was the first virus I learned about. Why isn’t that listed as the first, or one of the first, viruses?

  2. admin says:

    Dave,
    Thanks for letting our site visitors and us know about that pioneering virus sample! Great to know.
    With regard to why it’s not listed – the article is based on Mikko Hypponen’s presentation and perspective.

    Anyway, thank you again for the useful information!
