Filed Under:
MALWARE HISTORY
Vienna: Actively Fighting Malware Threats
22 September 2008
The Vienna.636.A virus marked another important milestone in the malware industry. Its appearance in the wild and its highly infectious potential raised users’ awareness of the increasing security threats.
Although the originator is still unknown, it is certain that Franz Swoboda was the first person aware of the Vienna.636.A virus. The global IT community was up in arms to identify its creator, and according to reports from those days, Swoboda had received a copy of the virus from Ralf Burger. However, since this account would incriminate Burger as the author, the latter claimed the contrary and blamed it on Swoboda.
In the end, Burger sent a copy of the virus to Berndt Fix, who managed to neutralize it, an event that could be regarded as the birth of the antivirus industry.
Calling Berndt Fix the world’s first antivirus provider may be a long shot, as modern antivirus products not only disinfect and neutralize security risks but also offer on-the-fly protection against multiple threats, including unknown viruses and Trojans.
Burger himself published a book called Computer Viruses: The Disease of High Technology, which included Fix’s disinfection code. Although the book aimed to inform users about how viruses spread and infect systems, it became the virus writers’ bible, and many new creations were built on the information it contained.
1987 was a prolific year in virus development. The targets were usually IBM PC-compatible machines, which enjoyed great popularity among computer users. Apart from a series of generic boot-sector viruses wreaking havoc in the United States, New Zealand and Italy, three different types of viruses joined the malware family.
The Lehigh virus was first spotted in the wild on computers at the Pennsylvania University. Interestingly enough, the University is currently known as the home of Len Eidelmen, the father of modern computer virology. The Lehigh virus is mostly known for its destructive potential, as it is regarded as the first computer virus to overwrite data stored on disks. It checked a disk each time it was read to determine whether the files had already been infected. After the virus had infected four files, it started overwriting parts of the disk. Ultimately, the virus would destroy itself along with the other files on the disk.
Lehigh University had enough skilled staff to fight and neutralize the virus, and it never left the network to spread into the wild. This was also the first report of a virus infecting command.com, and computer users worldwide started paying extra attention to viruses by carefully monitoring the size of the command.com file, as this was the first symptom of system infection.
Right after the Lehigh incident, another computer virus, created by an Israeli programmer, appeared. Called Win32.Worm.Suriv.A (the name reads “virus” when spelled backwards), the new virus seems to have been more of an accident than a deliberate attempt to cause damage. According to some reports, the Israeli programmer tried to change the process for installing files in EXE format, and unwittingly gave birth to a new breed of viruses.
Jerusalem triggered a global outbreak one year later. According to some reports, it unleashed its malicious payload for the first time on May 13th 2008.
However, later in 1987, a modification of Win32.Worm.Suriv.A, also known as Jerusalem, was reportedly destroying all the executable files stored on an infected machine. Its payload only set off on Friday the 13th, in all years except 1987. During the payload sequence, the virus would display a black box (or a black rectangle on text-mode machines), which earned it the “BlackBox” nickname.
The Jerusalem virus was extremely common at that time and gave birth to a large number of variants (there are over 55 variants of the virus on record). However, as it relied on DOS interrupts, Windows systems are no longer vulnerable to the attack.
The year’s end brought a new type of virus that forced the industry to start developing antivirus software. A massive Cascade infection in the IBM Belgium offices made the company start its own antivirus business; IBM had already been working on an antivirus utility, but it was intended for internal use only. The Cascade.1701 virus is the first piece of malware able to encrypt its payload (Cascade’s payload was encrypted in order to deter disassembly and detection of the virus' program code), and is considered the predecessor of polymorphic viruses (pieces of malware that preserve their functionality but constantly change their program code). The payload itself was rather harmless: the virus only displayed a waterfall effect, with letters raining down the screen. Cascade encrypted only its body, while the decryption routine remained unchanged.
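Why an unchanged decryptor mattered to scanners of the time, shown as an added model that is not the article's own code: the stub bytes, the body text and the single-byte XOR are all constructed stand-ins for illustration, not Cascade's real code, and the scanner functions are hypothetical.

```python
from typing import List

# Constructed, illustrative stand-ins; these are NOT Cascade's actual bytes.
DECRYPTOR_STUB = b"\xbe\x10\x01\xb9\xa1\x06\x30\x34\x46\xe2\xfb"  # constant decryptor loop
PLAIN_BODY = b"CONSTRUCTED VIRUS BODY :: waterfall payload"       # what the stub decrypts

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def build_sample(key: int) -> bytes:
    """Infected-file layout: the unchanged stub followed by the body
    encrypted under a per-copy key (the Cascade scheme in miniature)."""
    return DECRYPTOR_STUB + xor_bytes(PLAIN_BODY, key)

def count_hits(samples: List[bytes], signature: bytes) -> int:
    """Plain byte-pattern scan, the way early scanners worked."""
    return sum(signature in s for s in samples)

def count_hits_after_decrypt(samples: List[bytes], signature: bytes) -> int:
    """Hypothetical decrypt-then-scan: recognise the stub, then try every
    single-byte key on what follows before matching the body signature."""
    hits = 0
    for s in samples:
        if not s.startswith(DECRYPTOR_STUB):
            continue
        body = s[len(DECRYPTOR_STUB):]
        if any(signature in xor_bytes(body, k) for k in range(1, 256)):
            hits += 1
    return hits

def demo() -> tuple:
    # Four infected copies, each with a different (non-zero) key.
    samples = [build_sample(k) for k in (0x17, 0x5A, 0xA9, 0xE3)]
    body_sig = b"waterfall payload"   # signature taken from the plaintext body
    stub_sig = DECRYPTOR_STUB[:6]     # signature taken from the invariant decryptor
    return (
        count_hits(samples, body_sig),                # 0: encrypted body never matches
        count_hits(samples, stub_sig),                # 4: the constant stub always does
        count_hits_after_decrypt(samples, body_sig),  # 4: decrypt first, then match
    )

if __name__ == "__main__":
    print(demo())
```

A truly polymorphic successor would also rewrite the stub on each infection, which is exactly what removes the second and third detection paths above.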
Christmas kicked in right in the middle of a major LAN outbreak of the Christmas Tree Worm, a piece of malware that attacked VM/CMS-9 operating systems. According to reports from the time, the worm started spreading from a West German university via the European Academic Research Network (EARN) portal, and had completely clogged the network by December 13th. Beyond its spreading capabilities, the worm also carried a payload that displayed a Christmas tree on the computer screen.
Copyright 2011. Site powered by Bitdefender