Computer Invaders: The 25 Most Infamous PC Viruses of All Time

From the first amateur hackers in the 80s till 2011 when international cyber sabotage is a reality, viruses have illustrated the frightening potential of human ingenuity. Here’s a brief look back how computer viruses have evolved through the most important outbreaks of the last 25 years.

The first PC virus

1. Brain, 1986
More than a decade before anyone had ever heard of Napster, the first PC virus was designed to fight piracy. The author who came up with the word “cyber,” William Gibson called Brain “basically a wheel-clamp for PCs.”

Basit and Amjad Alvi created and marketed medical software in Lahore, Pakistan. They were interested in two things. First, they wanted to check the multi-tasking functionality in the new DOS operating system (so-called “TSR” systems). Secondly, they wanted to see if there are security vulnerabilities in DOS compared to other operating systems such as Unix.

When they realized that DOS was quite vulnerable, they had the idea to write a snippet of software that would monitor how the software and the floppy disks move around. Brain spread virally via 3 1/4-inch disks, and within weeks, the Alvi’s had to change their phone numbers.

25 years after the creation of first PC virus, in early 2011, F-Secure’s Mikko Hypponen went to Lahore, Pakistan to visit the address in the code. He found the Alvi brothers still there, running a successful business. The following video includes the first video interview Amjad and Farooq have given about Brain ever.

Some early fun

Most of the early viruses were variations of the same theme: “Gotcha!” Users knew they’d been infected because that was exactly the point. Like a digital pie in the face.

2. Stoned, 1987
Created by a high school student in New Zealand, Stoned was supposed to be harmless. It simply displayed the message “Your PC is now Stoned!” on your screen. However, as the first virus that infected a PC’s boot sector, Stoned established that viruses could control a computer’s function from the moment it turned on. Bob Dylan should be proud.

3. Form, 1990
Form became one of the most widespread viruses ever. On the 18th of each month, it produced a clicking sound from the PC’s speaker whenever a key was pressed. Annoying, but harmless.

Other variations on this early innocent sort of “gotcha” virus included V-Sign, which displayed a V on your screen. The Walker virus showed an elderly man walking across your screen. Elvira scrolled text in the “A long time ago, in a galaxy far, far away” style a la Star Wars. And then there was Joshi. Every year, on the Joshi’s birthday, this eponymous virus displayed a birthday message. The machine refused to boot up until the user typed “Happy Birthday Joshi.”

4. Michelangelo, 1992
Michelangelo would override everything on a hard drive on specified dates. A variation of Stoned with much crueler intentions, Michelangelo was probably the first computer virus that made international news.

5. VCL, 1992
Virus Creation Laboratory made it easy to whip up a malicious little program by automating virus creation using a simple graphical interface.

Getting Destructive

Early MS-DOS and PC-DOS viruses did some damage to PCs, usually intentionally, but virus writers soon began to actively seek to wreak havoc by actively disabling computers.

6. Happy99, 1999
Happy99 was the first email virus. It greeted you with “Happy New Year 1999” and emailed itself to all  contacts in your address book. Like the very first PC viruses, Happy99 did not cause any real damage, though it did spread to millions of PCs around the world.

7. Monkey, 1993
A distant relative of Stoned, Monkey secretly integrated itself into data files and spread seamlessly. It was the early ancestor of a rootkit, a self-concealing program, and it prevented booting from a floppy disk. When it was removed improperly, Monkey prevented any sort of booting at all.

Upgrading to Windows

In the early 90s, viruses became macro viruses and took on Microsoft’s new OS, Windows. Written in the same languages as applications like Microsoft Word, macro viruses appeared in late 1995. In just three months, they became the most common virus type in the world.

8. Concept, 1995
The first virus that infected Microsoft Word files, Concept became one of the most common viruses in the world because it could infect any OS that could run Word. Share the file, share the virus.

9. Melissa, 1999
Allegedly named after a female exotic dancer familiar to the virus writer, Melissa combined a virus and an email virus. It infected a Word file then emailed itself to all contacts in the user’s address book and became the first virus to span the globe in only hours. Melissa combined the jokey motivations of the early virus writers with the destructiveness of the era. This virus inserted comments from “The Simpsons” into users’ documents. Not so bad. But Melissa could also send out confidential information without the users’ notice. D’oh!

Not long after Melissa, Microsoft virtually eliminated macro viruses by changing how its Visual Basic macro language works within Office applications.

Crashing the network

Before firewalls, computer worms generated huge amounts of network traffic, disrupting systems by pure volume. These worms generally did not affect individual users but they could rock the infrastructure of both private businesses and governments.

10. Code Red, 2001
The first worm that spread without requiring any user interaction at all and thus spread around the world in minutes, Code Red hid from detection and carried out various functions on a cycle. On Days 1-19, it spread itself. From the 20th to the 27th, it launched Denial of Service attacks on various addresses including the White House. And from the 28th day till the end of the month, it rested.

10. Loveletter, 2000
The computer worm that broke millions of hearts, Loveletter is still one of the biggest outbreaks of all time. It spread via email attachment and overwrote many of the crucial files on the PCs it infected. This outbreak was an incredible successful attempt at social engineering. Using the promise of love, it convinced millions to open the attachment, causing an estimated $5.5 billion in damage worldwide. Guess there are a lot of people out there looking for a little love.

12. Slammer, 2003
Network worms require just a few lines of code and vulnerability to spark real world trouble. Slammer took down Bank of America’s ATM network and 911 services in Seattle. Even the air traffic control system was not immune.

13. Sobig, 2003
Sobig was a quick improvement on Fizzer (see below). Some versions waited for a couple of days after infecting a machine before turning affected machines into e-mail proxy servers. The result? Massive spam. AOL alone reported stopping more than 20 million infected messages on one day.

14. Mydoom, 2004
Mydoom spread over email and the Kazaa Peer-to-Peer (P2P) network. It set new records but was old school in the sense that the motive wasn’t monetary. Mydoom executed Distributed Denial-of-Service attack on one particular website and opened a backdoor on infected computers, which left the machine open to remote access.

15. Sasser, 2004
Sasser came in through a vulnerable network ports and slowed or crashed networks from Australia to Hong Kong to the UK.

Money. Money. Money.

In the last decade, the motive for virus writing has become obvious: Money. The technology still tends to be variations on a theme, but modern virus writers utilize advanced user psychology and social engineering to draw users into traps that they’d probably been warned about several times.

16. Fizzer, 2003
Fizzer was the first virus designed to make money. It arrived as an infected attachment. Once opened, it took over infected computers and forced them to send spam.

Ever-evolving threats

As the real-world impact of viruses was felt in the early 90s, business, government, software makers and the Internet security industry put fires out and collaborated to minimize threats. Virus writers, too, evolved to avoid detection, creating advanced malware that could even be programmed to be patient.

17. Cabir, 2003
The first mobile phone virus in history, Cabir targeted Nokia smartphones running the Symbian operating system. It was spread via Bluetooth and proved that whatever shape PCs evolve into, they will be targeted.

18. SDBot, 2003
SDBot was a Trojan horse that bypassed normal security to secretly control a computer. It created a backdoor that allowed the user to do several things including sniff for passwords and the reg codes of games like Half-Life and Need for Speed 2.

19. Haxdoor, 2005
Haxdoor was another Trojan horse that sniffed for passwords and other private data. Later variants had rootkit capabilities. Even Brain used techniques to cloak itself, but Haxdoor employed far more sophisticated methods. A modern rootkit can turn a computer into a zombie computer that can be controlled without the user’s knowledge, sometimes for years.

20. Sony BMI, 2005
In 2005, one of the biggest record companies in the world had the same idea that the Alvi brothers had in 1986: Use a virus to prevent piracy. On its audio CDs, it included a music player program and a rootkit that controlled how the owner could access the audio tracks. The result was a media firestorm and a class-action lawsuit that ended with Sony offering users money and free downloads.

Cyber Sabotage

Computer viruses have had real world effects for decades, but in 2010 a computer virus may have changed the course of history.

In November of 2010, Iranian President Mahmoud Ahmadinejad confirmed that a cyber attack had indeed caused problems with their nuclear centrifuges. And in January of 2011, Russia’s ambassador to NATO said that Stuxnet could cause a “new Chernobyl.”

21. Stuxnet, 2010
An unusually large Windows worm—about a 1000% larger than the typical computer worm, Stuxnet most likely spread through USB device. It infects a system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic factory system. If the worm finds a connection, it then changes the commands sent from the Windows computer to the PLC Programmable Logic Controllers, i.e., the boxes that actually control the machinery. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.

F-Secure Labs estimates that it would take more than 10 man-years of work to complete Stuxnet. This complexity and the fact that it could be used to impair the ability of a centrifuge to enrich uranium while providing no monetary gain suggest that Stuxnet was probably developed by a government—though which government is unclear.

22. Storm Worm, 2007
Machiavelli said it’s better to be feared than loved. Seven years after Loveletter, Storm Worm capitalized on our collective fear of bad weather and first spread generally via an email message with the subject line “230 dead as storm batters Europe.” Once the attachment was open, a Trojan backdoor and a rootkit forced the PC to join a botnet. Botnets are armies of zombie computers that can be used to, among other thing, send out tons of spam. And this one sucked in ten million computers.

23. Mebroot, 2008
Mebroot was a rootkit built to hide from the rootkit detectors that quickly became part of many Internet security suites. It is so advanced that if it crashes a PC, Mebroot will send a diagnostic report to the virus writer.

24. Conficker, 2008
Conficker quickly took millions of computers all over the globe. It exploits both flaws along with Windows and weak passwords along with several advanced techniques. Once a system is infected, further malware can be installed and the user is even prevented from visiting the website of most Internet security vendors. More than two years after it was first spotted, more computers are infected by the worm every day. F-Secure’s Chief Research Office Mikko Hypponen has said that in many ways Conficker is still “a great mystery.”

25. 3D Anti Terrorist
This trojanized “game” targets Windows Mobile phones and was spread via freeware sites. Once installed, it starts making calls to expensive numbers leaving you with large charges. This strategy of hijacking a mobile app or cloaking a malicious app is still new, but it’s likely to one of the main ways the virus writers will attack mobile devices.

Where are we 25 years after Brain?

In 2011, a PC running an updated version of Windows 7 is quite secure, especially when running updated security software. Now that we know more about viruses, we know how to fight them, and ideally prevent them. So, hopefully, in 25 years viruses will have gone the way of macro viruses and we won’t have to make a new list.



More posts from this topic

hacking team, hack like a champion, why hacking team matters

3 reasons the Hacking Team story matters from Mikko Hypponen

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. List of Hacking Team customers: Australia - Australian Federal Police Azerbaijan - Ministry of National Defence Bahrain - Bahrain Chile - Policia de Investigation Colombia - Policia Nacional Intelligencia Cyprus - Cyprus Intelligence Service Czech Republic - UZC Cezch Police Ecuador - Seg. National de intelligencia Egypt - Min. Of Defence Ethiopia - Information Network Security Agency Honduras - Hera Project - NICE Hungary - Special Service National Security Kazakstan - National Security Office Luxembourg - Luxembourg Tax Authority Malaysia - Malaysia Intelligene Mexico - Police Mongolia - Ind. Authoirty Anti Corruption Morocco - Intelligence Agency Nigeria - Bayelsa Government Oman - Excellence Tech group Oman Panama - President Security Office Poland - Central Anticorruption Bureau Russia - Intelligence Kvant Research Saudi Arabia - General Intelligence Presidency Singapore - Infocomm Development Agency South Korea - The Army South Korea Spain - Centro Nacional de Intelligencia Sudan - National Intelligence Security Service Thailand - Thai Police - Dep. Of Correction Tunisia - Tunisia Turkey - Turkish Police USA - FBI Uzbekistan - National Security Service 2) What happens when a company of this kind is a victim of an hacking attack and all of its technology assets are published online?  This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team. When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge. The Hacking Team leak also made at least two zero-exploits public and forced Adobe to put out emergency patches out for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from New York Times to hack iPhones. 3) Is it possible to be protected from malware provided by companies like Hacking Team? Yes. We've added detection for dozens of Hacking Team trojans over the years. Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have much harder time in avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection: Cheers, Sandra [Image by William Grootonk | Flickr]

July 13, 2015
adobe flash, uninstall, auto-update, click-to-play

3 ways to make Adobe Flash less annoying and/or risky

Time to update Adobe Flash if you use it. So if you do, do it now. Of course, it always feels like time to update Flash. As an internet user, it's become all of our collective part-time job. It's a reminded that while the software is free, your time isn't. This particular update was necessitated by an event you may have heard about. "The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups," Brian Krebs explained. The Hacking Team hack raised interesting questions about government surveillance and helped rattle nerves this week as computer systems kept planes out of the air and shut down the New York Stock Exchange -- freak incidents that are completely unrelated, according to disclosures thus far. But it doesn't take events like this remind us Flash exploits are so common that they're part of the business model of criminal operations like the Angler exploit kit. The key to security is always running the latest version of everything. So how do you get yourself out of the business of constantly mitigating Adobe Flash risks? Here are three ways. 1. Quit it. This is Brian Krebs' solution. He's lived without it for more than a month as an experiment. "It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently)," Krebs said. And did he notice life without it? "...not so much." So instead of updating, you can just get rid of it. 2. Auto-update. If you're going to keep it, this is the minimum precaution our Security Advisor Sean Sullivan recommends. This will make sure you're getting all the updates and will prevent you, hopefully, from being tricked into downloading malware posing as an update. So turn those "background upgrades" on. 3. Click-to-play. If you're doing number 2, you probably want to do this too. Click-to-play means Flash elements run when you tell them to. Here's how to do it in all your browsers. Not only does this expose you to fewer risks, it makes the internet less annoying and can make your browser quicker. So why not? So what did you choose? Let us know in the comments. Cheers, Jason  

July 10, 2015

How “the Cloud” Keeps you Safe

“The cloud” is a big thing nowadays. It’s not exactly a new concept, but tech companies are relying on it more and more. Many online services that people enjoy use the cloud to one extent or another, and this includes security software. Cloud computing offers unique security benefits, and F-Secure recently updated F-Secure SAFE to take better advantage of F-Secure’s Security Cloud. It combines cloud-based scanning with F-Secure’s award-winning device-based security technology, giving you a more comprehensive form of protection. Using the cloud to supplement device-based scanning provides immediate, up-to-date information about threats. Device-based scanning, which is the traditional way of identifying malware, examines files against a database saved on the device to determine whether or not a file is malicious. This is a backbone of online protection, so it’s a vital part of F-Secure SAFE. Cloud-based scanning enhances this functionality by checking files against malware information in both the local database found on devices, and a centralized database saved in the cloud. When a new threat is detected by anyone connected to the cloud, it is immediately identified and becomes "known" within the cloud. This ensures that new threats are identified quickly and everyone has immediate access to the information, eliminating the need to update the database on devices when a new threat is discovered. Plus, cloud-based scanning makes actual apps easier to run. This is particularly important on mobile devices, as heavy anti-virus solutions can drain the battery life and other resources of devices. F-Secure SAFE’s Android app has now been updated with an “Ultralight” anti-virus engine. It uses the cloud to take the workload from the devices, and is optimized to scan apps and files with a greater degree of efficiency. Relying on the cloud gives you more battery life, and keeps you safer. The latest F-Secure SAFE update also brings Network Checker to Windows PC users. Network Checker is a device-based version of F-Secure’s popular Router Checker tool. It checks the Internet configuration your computer uses to connect to the Internet. Checking your configuration, as opposed to just your device, helps protect you from attacks that target home network appliances like routers – a threat not detected by traditional anti-virus products. So the cloud is offering people much more than just extra storage space. You can click here to try F-Secure SAFE for a free 30-day trial if you’re interested in learning how F-Secure is using the cloud to help keep people safe. [Image by Perspecsys Photos | Flickr]

June 30, 2015