Timeline of computer viruses and worms

بسم اللہ الرحمٰن الرحیم
السلامُ علیکم و رحمۃ اللہ و برکاتہ

This is a timeline of noteworthy computer viruses, worms and Trojan horses.

 1960-1969

 1966

The work of John von Neumann on the "Theory of self-reproducing automata" is published. The article is based on lectures held by von Neumann at the University of Illinois about the "Theory and Organization of Complicated Automata" back in 1949.

1970-1979

 1971

The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.

1974

The Wabbit virus, more a fork bomb than a virus, is written. The Wabbit virus makes multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogs the system, reducing system performance, before finally reaching a threshold and crashing the computer.

1974/1975

ANIMAL is written by John Walker for the UNIVAC 1108. Animal asked a number of questions to the user in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structure, and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".

1976-1977

Back in the mid-1970s, several of the system support staff at Motorola discovered a relatively simple way to crack system security on the Xerox CP-V timesharing system. Through a simple programming strategy, it was possible for a user program to trick the system into running a portion of the program in `master mode' (supervisor state), in which memory protection does not apply. The program could then poke a large value into its `privilege level' byte (normally write-protected) and could then proceed to bypass all levels of security within the file-management system, patch the system monitor, and do numerous other interesting things. In short, the barn door was wide open.

Motorola quite properly reported this problem to Xerox via an official `level 1 SIDR' (a bug report with an intended urgency of `needs to be fixed yesterday'). Because the text of each SIDR was entered into a database that could be viewed by quite a number of people, Motorola followed the approved procedure: they simply reported the problem as `Security SIDR', and attached all of the necessary documentation, ways-to-reproduce, etc.

The CP-V people at Xerox sat on their thumbs; they either didn't realize the severity of the problem, or didn't assign the necessary operating-system-staff resources to develop and distribute an official patch.

Months passed. The Motorola guys pestered their Xerox field-support rep, to no avail. Finally they decided to take direct action, to demonstrate to Xerox management just how easily the system could be cracked and just how thoroughly the security safeguards could be subverted.

They dug around in the operating-system listings and devised a thoroughly devilish set of patches. These patches were then incorporated into a pair of programs called `Robin Hood' and `Friar Tuck'. Robin Hood and Friar Tuck were designed to run as `ghost jobs' (daemons, in UNIX terminology); they would use the existing loophole to subvert system security, install the necessary patches, and then keep an eye on one another's statuses in order to keep the system operator (in effect, the superuser) from aborting them.

One fine day, the system operator on the main CP-V software development system in El Segundo was surprised by a number of unusual phenomena. These included the following:

• Tape drives would rewind and dismount their tapes in the middle of a job.
• Disk drives would seek back and forth so rapidly that they would attempt to walk across the floor.
• The card-punch output device would occasionally start up of itself and punch a lace card. These would usually jam in the punch.
• The console would print snide and insulting messages from Robin Hood to Friar Tuck, or vice versa.
• The Xerox card reader had two output stackers; it could be instructed to stack into A, stack into B, or stack into A (unless a card was unreadable, in which case the bad card was placed into stacker B). One of the patches installed by the ghosts added some code to the card-reader driver... after reading a card, it would flip over to the opposite stacker. As a result, card decks would divide themselves in half when they were read, leaving the operator to re collate them manually.

Naturally, the operator called in the operating-system developers. They found the bandit ghost jobs running, and X'ed them... and were once again surprised. When Robin Hood was X'ed, the following sequence of events took place:

!X id1

id1: Friar Tuck... I am under attack! Pray save me! id1: Off (aborted)

id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!

id1: Thank you, my good fellow!

Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.

Finally, the system programmers did the latter --- only to find that the bandits appeared once again when the system rebooted! It turned out that these two programs had patched the boot-time OS image (the kernel file, in UNIX terms) and had added themselves to the list of programs that were to be started at boot time.

The Robin Hood and Friar Tuck ghosts were finally eradicated when the system staff rebooted the system from a clean boot-tape and reinstalled the monitor. Not long thereafter, Xerox released a patch for this problem.

It is alleged that Xerox filed a complaint with Motorola's management about the merry-prankster actions of the two employees in question. It is not recorded that any serious disciplinary action was taken against either of them.

1980-1989

1980

Jürgen Kraus wrote his Diplom thesis "Selbstreproduktion bei Programmen" (self-reproduction of programs).

1981

·         A program called Elk Cloner, written for Apple II systems and created by Richard Skrenta. Apple II was seen as particularly vulnerable due to the storage of its operating system on floppy disk. Elk Cloner's design combined with public ignorance about what malware was and how to protect against it led to Elk Cloner being responsible for the first large-scale computer virus outbreak in history.

1983

·         The term 'virus' is coined by Frederick Cohen in describing self-replicating computer programs. In 1984 Cohen uses the phrase "computer virus" – as suggested by his teacher Leonard Adleman – to describe the operation of such programs in terms of "infection". He defines a 'virus' as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."

·         November 10, 1983, at Lehigh University, Cohen demonstrates a virus-like program on a VAX11/750 system. The program was able to install itself to, or infect, other system objects.

1984

Ken Thompson publishes his seminal paper, Reflections on Trusting Trust, in which he describes how he modified a C compiler so that when used to compile a specific version of the Unix operating system, it inserted a backdoor into the login command, and when used to compile itself, it inserted the backdoor insertion code, even if neither the backdoor nor the backdoor insertion code were present in the source code.

1986

·         January: The Brain boot sector virus (aka Pakistani flu) is released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani, Pakistani Brain, as it was created in Lahore, Pakistan by 19 year old Pakistani programmer, Basit Farooq Alvi, and his brother, Amjad Farooq Alvi.

• December 1986: Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.

1987

• Appearance of the Vienna virus, which was subsequently neutralized—the first time this had happened on the IBM platform.
• Appearance of Lehigh virus, boot sector viruses such as Yale from USA, Stoned from New Zealand, Ping Pong from Italy, and appearance of first self-encrypting file virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and has never been found elsewhere as a result. A subsequent infection of Cascade in the offices of IBM Belgium led to IBM responding with its own antivirus product development. Prior to this, antivirus solutions developed at IBM were intended for staff use only.
• October: The Jerusalem virus, part of the (at that time unknown) Suriv family, is detected in the city of Jerusalem. Jerusalem destroys all executable files on infected machines upon every occurrence of Friday the 13th (except Friday 13 November 1987 making its first trigger date May 13, 1988). Jerusalem caused a worldwide epidemic in 1988.
• November: The SCA virus, a boot sector virus for Amigas appears, immediately creating a pandemic virus-writer storm. A short time later, SCA releases another, considerably more destructive virus, the Byte Bandit.
• December: Christmas Tree EXEC was the first widely disruptive replicating network program, which paralysed several international computer networks in December 1987.

1988

• June: The Festering Hate Apple ProDOS virus spreads from underground pirate BBS systems and starts infecting mainstream networks.
• November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

1989

• October 1989: Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason.

1990-1999

1990

• Mark Washburn working on an analysis of the Vienna and Cascade viruses with Ralf Burger develops the first family of polymorphic virus: the Chameleon family. Chameleon series debuted with the release of 1260.

1992

• Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped according to mass media hysteria surrounding the virus. Later assessments of the damage showed the aftermath to be minimal.

1993

• "Leandro & Kelly" and "Freddy Krueger" spread quickly due to popularity of BBS and shareware distribution.

1995

• The first Macro virus, called "Concept," is created. It attacked Microsoft Word documents.

1996

• "Ply" - DOS 16-bit based complicated polymorphic virus appeared with built-in permutation engine.

1998

• June 2: The first version of the CIH virus appears.

1999

• Jan 20: The Happy99 worm first appeared. It invisibly attaches itself to emails, displays fireworks to hide the changes being made, and wishes the user a happy New Year. It modifies system files related to Outlook Express and Internet Explorer (IE) on Windows 95 and Windows 98.
• March 26: The Melissa worm was released, targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic.
• June 6: The ExploreZip worm, which destroys Microsoft Office documents, was first detected.
• December 30: Kak worm is a Javascript computer worm that spread itself by exploiting a bug in Outlook Express.

2000 and later

2000

·         May: The ILOVEYOU worm appears. As of 2004 this was the most costly virus to businesses, causing upwards of 5.5 to 10 billion dollars in damage. The backdoor trojan to the worm, Barok, was created by Filipino programmer Onel de Guzman of AMA Computer University; it is not known who created the attack vector or who (inadvertently?) unleashed it; de Guzman himself denies being behind the outbreak although he suggests he may have been duped by someone using his own Barok code as a payload.

• September : Hybris (computer worm) was found and the worm believed to be written by a Brazilian named Vecna.

2001

• February 11: The Anna Kournikova virus hits e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook addressbook. Its creator, Dutchman Jan de Wit, was sentenced to 150 hours of community service.
• May 8: The Sadmind worm spreads by exploiting holes in both Sun Solaris and Microsoft IIS.
• July: The Sircam worm is released, spreading through Microsoft systems via e-mail and unprotected network shares.
• July 13: The Code Red worm attacking the Index Server ISAPI Extension in Microsoft Internet Information Services is released.
• August 4: A complete re-write of the Code Red worm, Code Red II begins aggressively spreading onto Microsoft systems, primarily in China.
• September 18: The Nimda worm is discovered and spreads through a variety of means including vulnerabilities in Microsoft Windows and backdoors left by Code Red II and Sadmind worm.
• October 26: The Klez worm is first identified. It exploits a vulnerability in Microsoft Internet Explorer and Microsoft Outlook and Outlook Express.

2002

• Beast is a Windows based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows OS i.e. 95 through XP. Written in Delphi and Released first by its author Tataye in 2002, its most current version was released October 3, 2004
• March 7 : Mylife (computer worm) is a computer worm that spread itself by sending malicious emails to all the contacts in Microsoft Outlook.^[18]
• August 30: Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.^[19]

2003

• January 24: The SQL slammer worm, aka Sapphire worm, Helkern and other names, attacks vulnerabilities in Microsoft SQL Server and MSDE and causes widespread problems on the Internet.
• April 2: Graybird is a Trojan also known as Backdoor.Graybird.
• June 13: ProRat is a Turkish-made Microsoft Windows based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool).
• August 12: The Blaster worm, aka the Lovesan worm, rapidly spreads by exploiting a vulnerability in system services present on Windows computers.
• August 18: The Welchia (Nachi) worm is discovered. The worm tries to remove the blaster worm and patch Windows.
• August 19: The Sobig worm (technically the Sobig.F worm) spreads rapidly through Microsoft systems via mail and network shares.
• September 18 : Swen is a computer worm written in C++.
• October 24: The Sober worm is first seen on Microsoft systems and maintains its presence until 2005 with many new variants. The simultaneous attacks on network weakpoints by the Blaster and Sobig worms cause massive damage.
• November 10 : Agobot is a computer worm that can spread itself by exploiting vulnerabilities on Microsoft Windows. Some of the vulnerabilities are MS03-026 and MS05-039.
• November 20: Bolgimo is a computer worm that spread itself by exploiting a buffer overflow vulnerability at Microsoft Windows DCOM RPC Interface.

2004

• January 18 : Bagle (computer worm) is a mass-mailing worm affecting all versions of Microsoft Windows. There were 2 variants of Bagle worm, they were Bagle.A and Bagle.B. Bagle.B was discovered on February 17, 2004.
• Late January: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm.
• February 16: The Netsky worm is discovered. The worm spreads by email and by copying itself to folders on the local hard drive as on mapped network drivers if available. Many variants of the Netsky worm appeared.
• March 19: The Witty worm is a record-breaking worm in many regards. It exploited holes in several Internet Security Systems (ISS) products. It was the fastest disclosure to worm, it was the first internet worm to carry a destructive payload and it spread rapidly using a pre-populated list of ground-zero hosts.
• May 1: The Sasser worm emerges by exploiting a vulnerability in LSASS and causes problems in networks, while removing MyDoom and Bagle variants, even interrupting business.
• June 15 : Caribe (computer worm) or Cabir is a computer worm that is designed to infect mobile phones that run Symbian OS. It is the first computer worm that can infect mobile phones. It spread itself through Bluetooth. More information can be found on  and
• August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor Trojan Horse that infects Windows NT family systems (Windows 2000, XP, 2003).
• August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan Horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.
• October 12, 2004: Bifrost, also known as Bifrose, is a backdoor trojan which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attack.
• December: Santy, the first known "webworm" is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40000 sites before Google filtered the search query used by the worm, preventing it from spreading.

2005

• August 16 : Zotob (computer worm) is a computer that spread itself by exploiting Microsoft Windows Plug and Play Buffer Overflow (MS05-039).
• October 13: The Samy XSS worm becomes the fastest spreading virus by some definitions as of 2006.
• Late 2005: The Zlob Trojan, also known as Trojan.Zlob, is a trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005.
• 2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / Kernel Patching to bypass the firewall, and allow the server component to hijack processes and gain rights for accessing the Internet.

2006

• January 20: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.
• February 16: discovery of the first-ever malware for Mac OS X, a low-threat trojan-horse known as OSX/Leap-A or OSX/Oompa-A, is announced.
• Late March : Brontok variant N was found in late March. Brontok was a mass-email worm and the origin for the worm was from Indonesia.
• Late September: Stration or Warezov worm first discovered.

2007

• January 17: Storm Worm identified as a fast spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and it had compromised between 1 and 10 million computers by September. Thought to have originated from Russia, it disguises itself as a news email containing a film about bogus news stories asking you to download the attachment which it claims is a film.

• July : Zeus (trojan horse) is a Trojan horse that steals banking information by keystroke logging.

2008

• February 17: Mocmex is a trojan, which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame. The virus was traced back to a group in China.
• March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse that affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.
• May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.
• July 6: Bohmini.A is a configurable remote access tool or trojan that exploits security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.
• July 31: The Koobface computer worm targets users of Facebook and MySpace. New variants constantly appear.
• November 21: Computer worm Conficker infects anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. The French Navy, UK Ministry of Defence (including Royal Navy warships and submarines), Sheffield Hospital network, German Bundeswehr and Norwegian Police were all affected. Microsoft sets a bounty of $250,000 USD for information leading to the capture of the worm's author(s). Five main variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. On December 16, 2008, Microsoft releases KB958644  patching the server service vulnerability responsible for the spread of Conficker.

2009

• July 4: The July 2009 cyber attacks occur and the emergence of the W32.Dozor attack the United States and South Korea.
• July 15: Symantec discovered Daprosy Worm. Said trojan worm is intended to steal online-game passwords in internet cafes. It could, in fact, intercept all keystrokes and send them to its author.

2010

• February 18: Microsoft announced that a BSoD problem on some windows machines which was triggered by a batch of Patch Tuesday updates was caused by the Alureon trojan

• June 17: Stuxnet, a Windows trojan, was detected. It is the first worm to attack SCADA systems. Some suggest targets Iranian nuclear facilities. It uses a valid certificate from Realtek.

• September 9: The virus, called "here you have" or "VBMania", is a simple Trojan Horse that arrives in the inbox with the odd-but-suggestive subject line "here you have". The body reads "This is The Document I told you about, you can find it Here" or "This is The Free Download Sex Movies, you can find it Here".

• September 15: The Virus called Kenzero is a virus that spreads online from Peer to peer (P2P) sites taking browsing history.

 Thanks & Regards,

"Remember Me When You Raise Your Hand For Dua"
Raheel Ahmed Khan
System Engineer
send2raheel@engineer.com
sirraheel@gmail.com

http://raheel-mydreamz.blogspot.com/
http://raheeldreamz.wordpress.com/