The year began unexpectedly for users of Windows 2000 and Visio, a popular application for creating diagrams and flow-charts. Microsoft had not even finished announcing the release of a fully functional commercial version of their operating system when members of the underground group 29A set Inta loose. The virus was the first to infect Windows 2000 files. Shortly after, two viruses emerged almost simultaneously, Unstable and Radiant, which marked Visio’s demise. The second incident brought to light a sick joke: the viruses had been released by Microsoft, which not long after Unstable and Radiant purchased Visio Corporation.
In April, the first macro virus of Russian origin for MS Word was recorded. Proverb was detected in 10 Downing Street, the office of the British prime minister. It can only be hoped that English authorities heeded the advice of the Russian proverb, ‘Don’t put off till tomorrow what you can drink today’.
May 5th broke a record in the Guinness Book of Records with the script virus LoveLetter. Everything occurred exactly as Eugene Kaspersky had predicted in November of 1998. Naïve users couldn’t even imagine that harmless VBS files and TXT files could contain a harmful virus. Once loaded, it destroyed a range of files and sent itself to all addresses in the MS Outlook address book. The transparency of the source code more or less guaranteed that new modifications of the virus would appear throughout the year, and currently, there are more than 90 of them in circulation.
On the 6th of June, the Timofonica virus was detected; this was the first computer virus that employed, in a limited manner, mobile phones. In addition to spreading via email, the virus sent messages to random mobile phone numbers in the MoviStar cellular network, which belonged to the global telecommunications giant, Telefonica. The virus had no other effect on mobile phones despite the fact that many mass media outlets were quick to name Timofonica the first ‘cellular’ virus.
The summer of 2000 was hot, particularly as far as mobile phone viruses were concerned. While this period is usually a vacation time for virus writers and antivirus experts alike, the former, by all accounts, decided to surprise the latter. In July, a group known as the Cult of the Dead Cow produced a new version of Back Orifice virus (BO2K). This occurred at the annual DefCon conference (in a jab at Microsoft’s DevCon) and evoked a flood of messages from frightened users to antivirus vendors. In reality, the new version posed little more harm than its predecessor and was promptly added to leading antivirus vendors’ databases. The distinguishing feature of BO2K was its drift towards legitimate commercial utilities of remote administration; the program was visible upon installation. Despite this, it could still be used for illicit purposes and was classified by antivirus companies as a Backdoor Trojan.
July saw the appearance of three exceptionally interesting viruses. Star was the first virus designed for AutoCAD packages. Dilber was distinguished by the fact that it contained code from five other viruses including CIH, SK, and Bolzano. Depending on the date, Dilber activated processes from one of its components, earning it the nickname, Shuttle Virus. The third interesting virus was an Internet worm called Jer which employed a relatively clumsy means of penetrating computers. Script programs (the worm’s body) were uploaded to a website and were automatically activated when the corresponding HTML page was opened. After this, users received a warning that an unidentified file was found on the disc. It was a calculated risk assuming human error: it was hoped that users would inadvertently answer ‘yes’ to be rid of the script program. The appearance of this worm confirmed a new fashion in the spread of viruses through the Internet. First, the worm is placed on a website, and then a mass marketing campaign is conducted to attract users. The calculated risk paid off: for every thousand users, a few dozen would let the virus in.
In August, the Liberty virus was discovered – the first harmful Trojan program to affect the PalmOS operating systems of Palm Pilot. Upon installation, it deleted files but was incapable of replicating. In September, this new class of harmful programs was extended with the first true virus for PalmOS, Phage. It represented a classic virus-parasite program which after installing and infecting files proceeded to delete them and record its own code.
In the beginning of September, a computer virus by the name of Stream was discovered which was capable of manipulating the alternate data streams (ADS) of NTFS file systems. This virus posed no particular threat. More dangerous was the technology of accessing ADS insofar as no antivirus program was capable of scanning this location. Unfortunately, the virus evoked an insufficient reaction among some large antivirus firms which accused Kaspersky Lab of scaremongering. Despite the accusations, none of the opponents were able to offer any concrete arguments confirming the position they put forth regarding the safety of ADS in NTFS. The problem of antivirus protection for NTFS remains to this day a vital issue insofar as only a few antivirus scanners have learned to search for viruses in ADS.
October saw the appearance of the first virus for PIF files (Fable), and the first virus written in PHP script-language (Pirus). Both viruses to this day have yet to be discovered ‘in the wild’. At the same time, a scandal arose when Microsoft’s internal systems were hacked and left open for several months by a group of unknown hackers from St. Petersburg. The entry was gained through a simple loophole using a network worm called QAZ. What was curious about this incident was the fact that at the time the system hack was discovered, the worm in question was already included in practically all antivirus databases. This caused some misgivings about the competency of Microsoft personnel, or, perhaps, their malicious intent. In any case, as of the writing of this book, the guilty parties have yet to be located.
A notable event occurred in November. Kaspersky Lab, having become one of the antivirus industry’s major players in three short years, changed the name of its flagship product. AntiViral Toolkit Pro (AVP) became Kaspersky Anti-Virus and took on a new logotype.
This same month brought the detection of a technologically complex and dangerous virus called Hybris. This virus was written by the Brazilian virus writer Vecna. He further developed his first self-rejuvenating virus, Babylonia, taking into account earlier errors. The main innovation was the use of websites and list servers (alt.comp.virus in particular) to load new modules of the virus to infected computers. While it was easy to simply take a website down, list servers were an ideal alternative for spreading as they were less easy to take down. Further, Hybris employed a 128-bit RSA key for identifying modules actually written by the author.
As a whole, 2000 was the year that email again proved itself to be the best way to transmit viruses. According to Kaspersky Lab’s support statistics, approximately 85% of all registered infections occurred via email. The year was also notable for a wave of activity among virus creators targeting Linux. Altogether, there were 37 registered new viruses and Trojan programs created for the Linux operating system. Consequently, the overall quantity of Linux viruses reached 43, which represented a seven-fold growth in 2000 alone. Finally, a change in the most widespread viruses occurred. Up until this year, macro viruses had been the most common, but once 2000 was over, this place was taken by script viruses.