The Vienna virus appeared: its appearance and subsequent spread around the world was hotly debated as the global community tried to discover the identity of the author. Franz Swoboda was the first person to detect the virus: his warning about the discovery of a self-replicating program named Charlie publicized by many information technology companies and attracted the attention of the media as well. As could be expected, many people were interested in discovering the author and the source of the epidemic. Information leaked out that Swoboda had received the virus from Ralf Burger, who completely denied Swoboda’s story, and claimed that, on the contrary, he had received the virus from Swoboda. It was never revealed who had actually created the malicious program.
Despite the confusion surrounding the author of Vienna, its appearance was noteable for another reason. One of its potential authors, Rolf Burger, forwarded a copy to Bernt Fix, who was able to neutralize the virus. This was the first occasion when someone was able to neutralize a virus. Thus Fix was a precursor of modern anitvirus professionals, although contemporary antivirus experts not only analyze and neutralize viruses, but more importantly release protection, detection and disnfection modules.
Burger capitalized on Fix’s work, and published the code used to neutralize Vienna in his book, Computer Viruses: The Disease of High Technology, which was analogous to B. Khizhnyak’s Writing Viruses and Anti-Viruses. In his book, Burger explained how the virus code could be modified to eliminate its ability to replicate. However, the book probably gained popularity for explaining how viruses are created, serving as a stimulus for thousands of viruses which were partly or completely developed from ideas expressed in this book.
Several other IBM-compatible computer viruses appeared this year as well:
- the famous Lehigh virus, named in honor of the university in Pennsylvania where it was first detected; this university is ironically the alma mater of the father of modern computer virology;
- the Suriv family of viruses;
- a number of boot-sector viruses in various countries;Yale in the US, Stoned in New Zealand, Ping Pong in Italy;
- the first self-encrypting file virus, Cascade.
Lehigh made history as the first virus that caused direct damage to data: the virus destroyed information on discs. Fortunately, there were several computer experts at Lehigh Univeristy who were skilled at analyzing viruses. As a result, the virus never left the university, and Lehigh was never detected in the wild.
The Lehigh virus initiated a destructive routine that eventually deleted the virus as well as valuable data. Lehigh first infected only the command.com system files. After infecting four files it began destroying data, i.e. it eventually destroyed itself as well.
By this time, users had began taking security more seriously and learning how to protect themselves against viruses. More cautious users quickly learned to monitor the command.com file size once they knew that an increase in the file size of command.com was the first sign of potential infection.
The Suriv family of viruses (try reading the name backwards) written by an unidentified programmer from Israel was just as interesting. As with the Brain virus, it is difficult to determine whether this was merely an experiment that span out of control or the premeditated creation of a malicious program. Many antivirus experts were inclined to think that it was an experiment . The discovery at Yisrael Radai University of code fragments supported this version. The university was able to show that the virus’s author was attempting to change the process for installing files in EXE format and the last modification of the virus was only a debugging version.
The first member of this virus family, aptly named by the author Suriv-1, was able to infect accessed COM files in real time. To do this, the virus loaded itself into the computer’s memory and remained active until the computer was turned off. This allowed the virus to intercept file operations and, if the user loaded the COM file, to immediately infect it. This facilitated the almost instant spread of the virus to removable storage media.
Suriv-2, as opposed to its predecessor, targeted EXE files. It was, to all intents and purposes, the first virus able to penetrate EXE files. The third incarnation, Suriv-3, combined characteristics from the first and second versions and was able to infect both COM and EXE files.
The fourth modification of the virus, named Jerusalem, appeared shortly thereafter and was able to spread quickly worldwide; Jerusalem caused a worldwide virus epidemic in 1988.
The last significant event of 1987 was the appearance of the encrypted Cascade virus, which was named after part of its payload. Once the virus was activated, the symbols on the screen cascaded down to the bottom line (see cascade.bmp). The virus consisted of two parts – the virus body and an encryption routine. The latter encrypted the body of the virus so that it appeared different in every infected file. After loading the file, control was transferred to the encryption routine which decoded the virus body and transferred control to it.
This virus can be considered the predecessor of polymorphic viruses which have no permanent program code yet maintain their functionality. However, unlike future polymorphic viruses, Cascade encoded only the body of the virus. The size of the infected file was used as a decryption key. The decryption routine remained unchanged which allows modern antivirus solutions to detect the virus with ease.
In 1988, Cascade caused a serious incident in IBM’s Belgian office and served as the impetus for IBM’s own antivirus product development. Prior to this, any antivirus solutions developed at IBM had been intended for internal use only.
Later, Mark Washburn combined information published by Ralf Burger on the Vienna virus with the concept of self-encryption used in Cascade and created the first family of polymorphic viruses: the Chameleon family.
IBM computers were not alone: viruses were written for Apple Macintosh, Commodore Amiga, and Atari ST.
In December 1987, the first major local network epidemic occurred: the Christmas Tree Worm, which was written in REXX spread on VM/CMS-9 operating systems. The worm was unleashed on the Bitnet network on December 9th from a West German university through a European Academic Research Network (EARN) portal and then onto IBM’s Vnet. Within four days (on December 13th), the virus had flooded the network. Upon loading, the virus displayed a Christmas tree on-screen and sent copies of itself to all network users whose addresses were listed in the NAMES and NETLOG system files.