MALWARE HISTORY

New Removable Media gives Malware a Boost #1

Most of the security issues in 1994 were triggered by the increased popularity of removable media, especially the more and more affordable CD-ROMs. Such storage devices acted as a vector of infection, as computer users burnt not only important data, but also infected files.

A couple of CD producers unwittingly distributed already-infected products, and the situation was complicated further by the fact that read-only disks could not be disinfected.

A new outbreak of polymorphic viruses occurred in the United Kingdom. SMEG.Pathogen and SMEG.Queeg, two extremely dangerous viruses, had been uploaded to a couple of BBS boards by their creator (shortly after the incident, Scotland Yard arrested the author, Christopher Pile, also known as the Black Baron), and although their malicious potential was limited, the mass media fuelled computer users’ panic.

Hoaxes also gained popularity, and one of the best examples is the GoodTimes hoax. It allegedly spread via the Internet and could infect a computer simply by the receipt of an e-mail message. The hoax was followed by a DOS virus containing the text “Good Times”, which also caused panic, but it was nothing compared to the upcoming threats.

In June, an extremely complex and dangerous polymorphic virus called One-Half caused a new epidemic. The new DOS-based polymorphic piece of malware came with a peculiar payload: it gradually encrypted part of the hard-disk drive and, while resident, decrypted the affected data on the fly whenever the user accessed the affected files. However, if the system is disinfected by simply deleting the virus, the encryption cannot be reversed, because the routine that decrypts the data is gone along with it. When the virus has successfully encrypted half of the drive, it displays the following text:

Dis is one half.

Press any key to continue …

The One-Half virus
may be more than a decade old, but it is still active and continues to infect
unprotected systems around the world.

Another significant battle was fought against a Russian virus called W97M.Zaraza.A. Its name is an Anglicized version of the Russian 3APA3A (“infection”). The new virus managed to take the antivirus world by surprise thanks to a new mode of concealment: it replaces IO.SYS with its own routine in order to get memory access and avoid detection. W97M.Zaraza.A unleashes its payload in August, when it displays the following message:

B BOOT CEKTOPE – 3APA3A

(“There is an infection in the boot sector”)

1995 was much calmer than the previous years on the security scene. While MS-DOS viruses kept increasing in both count and infection potential, no major outbreak was reported to have occurred. A couple of complex DOS viruses, such as Nightfall, Nostradamus and Nutcracker, surfaced on miscellaneous BBS boards, as did the RMNS virus and the Winstart .BAT infector. ByWay and DieHard2, two new types of malware, managed to find their way into a couple of systems but failed to cause an epidemic.

Believe it or not, Microsoft managed to succeed where most of the malware authors failed. Their new operating system – Windows 95 – was shipped to worldwide beta-testers on floppy disks. Probably excited by the new computing environment at their fingertips, beta-testers forgot to comply with the most elementary data security rules and proceeded with the installation. It appears that Microsoft had shipped virus-infected floppy disks. Testing had to be postponed until the company came up with clean disks.

A couple of months later, the Microsoft Word text processor was hit by a new type of virus, called Concept. The new macro virus infected Microsoft Word documents and managed to spread across the globe in less than a month. WM/Concept was the first virus specifically written for Microsoft Word to be discovered “in the wild”.

As its name suggests, the virus was a proof of concept only and had no harmful payload. Instead, the text contained in the virus read “That’s enough to prove my point”. In spite of its low security risk, Concept became one of the most common viruses on the planet.

One month later, a top-tier computer manufacturer called Digital Equipment Corporation (DEC) accidentally distributed copies of the Concept virus to the attendees of a DECUS conference in Dublin. The damage was minimal, as the presence of the Concept virus was quickly detected. Macro viruses, however, set the antivirus industry on fire, as there was no existing technology capable of detecting and disinfecting the new threats.

Another security incident was triggered by Computer Life, a Ziff-Davis publication that sent its customers diskettes containing a Christmas greeting. However, all the shipped disks were infected with the Parity Boot virus, and many customers were affected. This was not the only security incident triggered by a Ziff-Davis publication: the English version of PC Magazine also delivered diskettes infected with the Sampo virus. The security risk was discovered later, and the company apologized for the inconvenience. Moreover, in order to keep its users safe, it offered a free antivirus utility.

Cyber-criminals continued to receive visits from Scotland Yard. Christopher Pile, the author of the SMEG.Pathogen and SMEG.Queeg polymorphic viruses, was arrested for writing and distributing viruses. Later that year, he was sentenced to 18 months in prison.

In 1996, Microsoft’s new operating system – Windows 95 – started to gain significant ground among computer users. As expected, more and more malware writers shifted their focus to the new environment, but the older Windows 3.x systems were not spared.

Two new viruses started to decimate computers worldwide in early 1996. The first virus to hit was called Borza, followed immediately by Zhengxi, a polymorphic virus written by Denis Petrovym, a Russian programmer from Saint Petersburg. Borza originated in Australia and was apparently written by Quantum, a member of the VLAD virus programming group. Each time an infected program started, the virus searched for up to three executable files that had not yet been infected and appended its code to them. Borza was a low-risk virus, given that its only payload was to display a message about its creators on the 31st of each month.

Early in March, the Win.Tentacle virus slammed Windows 3.x systems and caused the first virus epidemic on that operating system. Tentacle infected a hospital computer network as well as other organizations in France. It was also the first Windows virus detected in the wild.

Another extremely interesting piece of malware was the Esperanto virus, a multi-platform infector that has the ability to adjust its code depending on the operating system. It could infect both Windows and Macintosh systems. It appears that its creator is the notorious Spanish 29A virus programming group, which also designed the WM.CAP macro virus.

As expected, malware authors started to build on the Microsoft Word macro virus, and they quickly came up with another piece of malware able to infect Excel files. Called Laroux, the new creation was first spotted in July at two oil drilling companies, in Alaska and South Africa respectively. The author took advantage of the Visual Basic programming language embedded in Excel. Laroux triggered a new epidemic in Moscow in April 1997.

Summer ended with the advent of two new constructors for macro viruses that targeted the English and German versions of MS Word. Called the Word Macro Virus Construction Kit and the Macro Virus Development Kit, respectively, the new malware creations were attributed to two virus writers called Nightmare Joker and Wild Worker.

Later in 1996, Microsoft’s website was reportedly serving Wazzu macro-infected Word files containing support instructions for Microsoft products in Switzerland. The same virus managed to infect Microsoft Solution Provider compact discs, as well as other CD-ROM media distributed by the company during the Orbit computer technology exhibition in Brazil.

The year ended with a massive outbreak triggered by the world’s first memory-resident Windows 95 virus. It loaded into the system as a VxD driver and then intercepted file calls in order to infect the files being accessed.

Linux users were still unaffected by malware, although the first Linux virus (Staog) had been developed under laboratory conditions for research purposes only. It never left the secure environment, and it was never reported in the wild.

The advent of Microsoft’s new operating system marked the beginning of a new wave of attacks with both Windows 95/NT viruses and macro viruses. During the entire year, malware authors managed to expand their portfolio with more than a hundred macro viruses and dozens of viruses for Windows 95/NT. Given that the main targets were 32-bit operating environments, the antivirus industry quickly geared up to deliver appropriate protection (Cheyenne Software developed InocuLAN, an antivirus utility that was eventually bought by Computer Associates).

1997 made its debut with the world’s first Linux virus spotted in the wild. The Bliss virus only affects Linux-based operating systems and is the second known virus to affect this platform. It only infected ELF executables, and although it does carry a malicious payload, it is unclear whether that payload is ever executed. It also has some basic worm-like features, looking for new hosts to infect via the /etc/hosts.equiv file.

Bliss also searches for programs to which the current process has write permission and overwrites them with its own code, which means that all the information contained in the infected file is instantly destroyed.

One month later, the ShareFun macro virus for MS Word 6/7 triggered a new wave of worries among computer users. ShareFun became the first piece of malware to spread using e-mail messages, especially when the infected computer was using the MS Mail service.

The Homer virus arrived in April 1997 and marked a new milestone in the development of malware. The new virus had an interesting way of propagating from one system to another, namely by using the FTP protocol to make the “jumps”.

Self-encrypting viruses made a comeback in June, this time specifically designed for the Windows 95 operating system. The first such virus was known as Win95.Mad, a piece of malware that seems to have originated in Russia. The virus triggered a major outbreak, as it was found on almost every BBS system.

Malware found a new channel to spread at will with the appearance of the mIRC Internet Relay Chat client. The first mIRC worm emerged in December. It was a fundamentally new type of malware that exploited a dangerous security loophole in the way the client handled IRC file transfers: files downloaded through IRC were stored in the same directory that contained the script.ini command file, so a received file named script.ini could replace the client’s own script. Once in place, the infected script.ini would pass the worm on to other remotely located computers.

The security hole was quickly patched, and many early IRC worms disappeared from the scene. More advanced worms, however, actively searched for the script.ini file in order to infect it.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.