The History and the Evolution of Computer Viruses: 1996-2001

In the third part of his talk, Mikko Hypponen continues the chronological analysis of digital threats, emphasizing the dominant trends among computer viruses during the period 1996-2001: the influx of email worms and of viruses replicating over Windows network shares.

1996 – 2001

'Marburg' virus would play havoc with one's Windows desktop

The early Windows viruses were often visual as well. I mean they would show themselves. This is the ‘Boza’ virus, written by a virus writing group from Australia calling themselves ‘VLAD’. And that’s the name of the group, that’s the nickname of the guys in the group. So, viruses were still very much being done by hobbyists – for fame, for challenge, just because they could.

Another example is the ‘Marburg’ virus from 1998, which would change your Windows desktop to look like this, so you would know you’re infected (the image fully proves this). This was still the norm in the late 1990s.

New Year greeting card displayed by the 'Happy99' email worm

More Windows viruses: ‘RemoteExplorer’, ‘Happy99’, and the latter is actually important because ‘Happy99’ is the very first email worm[1], we’re talking about late 1998. This was an email worm which claimed to be a greeting card wishing Happy New Year 1999, and would actually show you fireworks on your screen. And while it’s doing that, it would take your address book and email itself as an email which looks like you sent it, to everybody listed in your address book. And the email contents were ‘Happy New Year 1999!!’ and there was an attachment called ‘Happy99.exe’ in it. And of course your friends would believe you sent it because it looks like you sent it, and they would open up the attachment then, they thought that was what it was supposed to do, and it would replicate and replicate and replicate.

And these kinds of email worms quickly became the biggest problem we have. The one thing which feels funny now is that you could actually do that: I mean, you could just take a binary, like an executable, and email it to someone else anywhere else in the world, and they would get it, no problem, and they would run it, no problem. Obviously, you can’t do that anymore. I mean, if I try emailing an .exe Windows binary to every single one of you, I don’t think any of you would actually get it. I mean, my operator, your operator or your firewall, whatever, would kill off an executable attachment nowadays, but that wasn’t the case back then.

Email worms quickly became the biggest and most widespread virus problem in the late 90s.

So more ‘Windows’ viruses at that time: ‘Funlove’, ‘ZippedFiles’, ‘Melissa’. Concerning ‘Melissa’, it became one of the largest outbreaks in history because it combined these two big trends at that time: it combined an email worm with a macro virus infecting ‘Word’ documents. So, it would send itself as an email which looks like it’s coming from you once you get infected, sending it to all of your contacts in your address book, and the attachment is not an executable. It’s a DOC file, it’s a ‘Word’ document file. In fact, it’s one of your own ‘Word’ document files which has been infected with a macro virus.

1996 – Boza

1998 – Marburg

1998 – Happy99

1999 – Melissa

2000 – Loveletter

2001 – Nimda

And these are two problems: first of all, you are going to infect your friends; second of all, it leaks confidential information. It takes a DOC file from your hard drive, infects it and sends it out to thousands of people. And that file could be anything, it could be plans, patent applications, a love letter – I mean, anything.

‘Loveletter’ is still in the history books as one of the largest single email outbreaks. It probably will stay as the largest email outbreak or one of them, because we don’t see email outbreaks anymore. This was one of the problems which have just gone away. Regarding the ‘Loveletter’ virus, I was initially making an estimate that no, it’s not going to be a big problem. Of course I was completely wrong, it became one of the largest outbreaks in history.

Example of an email bundled with 'AnnaKournikova' worm

‘AnnaKournikova’ – I just picked this one as an example of the email worms of that time. Many of these would simply try to fool the user into opening up an attachment. And ‘AnnaKournikova’ was an email worm which claimed that it had an image of Anna Kournikova. And here is an example of that email (on the image), and for those of you who don’t remember, Anna Kournikova used to be a tennis player, a pretty tennis player.

So, it is the email they would send. ‘Here you have’ – that’s the subject field, and then the content: ‘Hi, check this! Annakournikova.jpg.vbs’. And VBS is Visual Basic Script for Windows systems, which is an executable, or scripting executable.

And we actually had quite a large outbreak on this virus. And we had people calling our labs, I actually spoke with one guy myself, and he told me that he had received the email, and he heard in the radio news that it was a worm, so he knew it was a worm, and our product actually blocked it, so he was safe. But he still wanted to see the picture. Basically, he asked me how he could disable our antivirus so he could just click on it. And of course it didn’t actually show you any images.

But when you actually click on the VBS file, it would just replicate further, you wouldn’t actually see an image. I believe I told the guy – you know, we already had web at that time – I told him to go online and find some pictures, maybe that’s the easy way out.

Some more viruses of that time were ‘Badtrans’, ‘Sircam’, ‘Nimda’ – maybe this latter one is more important than others. This was one of the first Windows network share replicating viruses and got its name from ‘admiN’, which, well, it’s clear why it’s named that.

There were lots of conspiracy theories about Nimda – one of the first Windows network share replicating viruses.

There were lots of conspiracy theories at that time because ‘Nimda’ was found in 2001, in September 2001, exactly one week after the terrorist attacks. And there were lots of conspiracy theories that these were somehow related, but it was never actually proven either way. Nowadays, looking back, I don’t think it was related in any way, but everybody was pretty paranoid at that time.

Fake 'MS Technical Assistance' email sent by the 'Swen' virus

More viruses, and these are all Windows email replicating viruses. Actually, there were several email viruses of this kind that appeared after 2001, those were ‘Klez’, ‘Bugbear’, ‘Mimail’ and ‘Swen’. The latter (‘Swen’) is a good example of the kind of social engineering tricks they were using. Here is an email sent by ‘Swen’, and it looks like it’s an email coming from ‘Microsoft’, so sender is ‘MS Technical Assistance’ (see image). It explains that, you know, there’s new patches. And this is in 2003, so we didn’t have ‘Microsoft’ updates yet, you didn’t have automatic updates. If you wanted to patch your system you had to download the patch file (an executable file) and run it.

So, this used that trick to its benefit. Looks fairly convincing, looks like a real ‘Microsoft’ email and there’s a file, you can see it here at the top, Q<something>.exe attached to it. And that is a naming convention ‘Microsoft’ used at that time for patches.

And it’s especially handy because the message explains to you that this is a security update for September 2003, and it would actually get the current date, so when this virus gets to replicating for a number of years, it would always speak about the current month and the current year. If you would run ‘Swen’ today, it would speak about August 2011, so it felt pretty real, and that’s one of the reasons why it became such a big problem.

And this is also one of the viruses, where the virus author was caught, the Swedish guy was caught and sentenced for some sort of online disruption, based on Swedish laws at that time.

[1] An email worm is a malicious computer program that propagates through email attachments and replicates itself in order to spread to other computers.
