The History and the Evolution of Computer Viruses: 1991-1996

The second part of Mikko Hypponen’s speech “The History and Evolution of Computer Viruses” covers the period 1991-1996 and reviews funny DOS viruses, some of the first Windows infections, and more.

1991 – 1992

Now, many of you remember viruses like ‘Michelangelo’ at that time, that was destructive. So, one way that you would know that you’re infected by a virus is that it would destroy your files, like ‘Michelangelo’ would overwrite the first 100 sectors on your hard drive, destroying FAT¹ on DOS systems, and your PC won’t boot.

Let me demonstrate other examples of the viruses which were visual. I have a collection of binaries dated 1992-1994. These are all examples of virus code which at that time I modified slightly to remove all the destructive parts and replication parts. What we are left with is basically the activation code.

‘V-Sign’ / ‘Walker’ / ‘Coffee Shop’ viruses

So, for example, the ‘V-Sign’ virus which would infect your boot sectors. If you’re running the code right here, it activates by drawing a V sign on your screen (see upper image to the right), that’s why it is called the ‘V-Sign’ because you get a Victory sign. So, what I am running right here is actually a code from 1992, which is the original virus code, but everything else has just been mopped out except the visual part of the virus.

And many of the viruses at that time would do this. They would show themselves to the user. ‘V-Sign’ would do this once a month. Once a month, when you boot up your PC, it would draw this V sign on your screen.

And we have plenty of these examples in here. For example the ‘Walker’ virus (see image in the middle). Guess why it’s called the ‘Walker’… The ‘Tequila’ virus is similar, it draws a fractal, and that’s of course not graphics but DOS-based ASCII graphics with colors.

‘Alex’ – I think it’s some sort of demolition, everything on your screen just burns down, it’s pretty nice actually. You wanna get more examples? We have for instance the ‘Ambulance Car’ virus which is named that way because it displays a little ambulance car moving across the screen and making ‘dee-daa dee-daa dee-daa’ sounds.

Let’s do one more. The ‘Crash’ virus makes a complete mess out of your screen, so you know you’re infected because it looks pretty bad. Oh yeah, this is a good one – the ‘Coffee Shop’, made in the Netherlands (see bottom image in the graphical section above).

Viruses from the early 90s would display funny images, generate sounds and play with the user.

So, you would know that you’re infected by a virus because you would get visual displays on your screen, or the virus would play games with you. Like the ‘Joshi’, which does the following: one day of the year, when you boot up the PC, it won’t boot, you get an empty screen. And then you have to type: “Happy Birthday Joshi”, and then it continues. Apparently, that’s the nickname of the virus writer of that time.

'Casino' virus

Actually I wanna show one more example, which is a good example of virus playing games with the user. Let’s try with the ‘Casino’ virus, here we go (enlarge the image to see what it does). ‘Casino’ virus is neat, it actually takes a copy of your file allocation table to memory, then it overwrites it on your hard drive. So, you’ve just lost all your files because the file allocation table is gone. But it has a copy in RAM, right. And now it lets you play a game. You have 5 credits and if you win, it’s gonna write the allocation table back to the drive. And if you just reset the machine you lose, because it has already deleted the stuff. And it explains this in detail to the user, and it actually lets you play, and if you win it actually does what it claims. So that’s what I mean by viruses which play games with the user, or at the very least, make themselves known to the user.

1991 – Michelangelo

1991 – MtE

1992 – V-Sign

1992 – VCL

And this is an important difference to today’s malware. Today when you get infected by malware, you will not know that you’re infected. You will not see funny images, your PC will not play music, your CD-ROM tray will not open and close all the time – nothing like that. I mean, you will not know, it’s running silently in the background. They won’t even crash your systems nowadays. They are pretty well done, they are pretty compatible, won’t slow down your system, won’t take too much resources. They do testing on the virus code nowadays, so you won’t actually see that you’re infected like you used to see.

VCL - the first virus-making program with a user interface

Viruses started getting more and more advanced: things like mutation engine ‘MtE’ made by a Bulgarian virus writer who we knew at that time as ‘Dark Avenger’. It was basically not a virus but a kit that you could use to turn any other virus into polymorphic virus which would encrypt itself with different encryption every single time. Or ‘VCL’ – Virus Creation Laboratory – which actually was the first one that had a user interface you could use to create viruses. That’s VCL: you just choose the menus, you select ‘Generate’, and it makes a virus for you. And this is in 1992, so pretty advanced, 19 years ago.

1992 – 1996

And then comes Windows. First Windows viruses were written for Windows 3.0 in 1992. The very first one was called ‘WinVir’, did nothing special. It was the first one capable of infecting the PE file structure that Windows was using at that time. Other viruses of the time – ‘Monkey’, ‘One_half’ – these are mostly encrypting boot sector viruses.

WinVir – the first known virus written for MS Windows operating system

And then we get ‘Concept’ in 1995, which is the virus that infects not your floppies, not your binaries, but it infects your documents. ‘Concept’ actually infects ‘Word’ documents using the VBA (‘Visual Basic for Applications’) scripting language inside ‘Office’ at that time. And that’s actually a big deal, because if you think about what you do with your computers every single day, well, I mean, most computer users spend their days handling documents, creating and reading files: ‘Excel’ sheets, ‘Word’ documents, ‘PowerPoint’ slides, what have you. And if sharing those, you share a virus – that’s a big deal. And ‘Concept’ became the most common virus in the world within the first 30 days since we found it.

1992 – WinVir

1993 – Monkey

1994 – One_half

1995 – Concept

1996 – Laroux

‘Laroux’ was a close follower, ‘Laroux’ did not infect ‘Word’ files, it infected ‘Excel’ spreadsheet files. In fact, we later found a variant of ‘Laroux’ which would not just infect your ‘Excel’ spreadsheet but it would also randomly round your random numbers inside your spreadsheets by 0,01% up or down, once a day. So it would slowly corrupt the numbers you are working with. And that’s a pretty nasty attack because you will not notice the problem until it’s been happening for quite a while, which means the data you’re working with is bad, your backups are bad, and there is no easy way to recover.
There is no easy way to figure what it has changed and when. That’s a big deal.



¹ FAT (File Allocation Table) is the name of a computer file system architecture and a family of industry standard file systems utilizing it. FAT is widely adopted and supported by virtually all existing operating systems for personal computers.

