Major Virus Incidents Since 1998
Melissa
This macro virus was first spotted on March 26, 1999
and is regarded as an industry milestone. Other automatic spamming
viruses had existed before it, but none had spread so quickly. At the
time, it was the fastest spreading infectious program ever discovered.
It attacks Microsoft Word's normal.dot global template, ensuring infection of all
newly created documents. When an infected document is opened, the
virus disables Word's macro warning feature -- allowing it to activate
itself. It then accesses the Microsoft Outlook address book and
mails the infected Word file to the first 50 entries in the address
book. The number of victims increases exponentially as recipients of
the virus open the attachment, thus sending it to another 50 email
addresses.
The virus payload itself was relatively harmless -- inserting text into a
document only at a specific instant of the day. However, the sheer
message volume was sufficient to overwhelm mail servers all over the
world.
ExploreZip
This Melissa-like program, first discovered during June
1999, is not really a virus, but a Trojan -- meaning it cannot
replicate itself. Whereas the more widespread Melissa was a
relatively harmless spam virus, ExploreZip, in addition to hijacking
Microsoft Outlook, sought out certain files and reduced their file
size to zero -- rendering them useless and unrecoverable.
Chernobyl
The Chernobyl, or PE CIH, virus was reportedly written
by a Taiwanese national sometime in 1998, and wipes the first megabyte
of data on a hard disk (making the rest useless) every April 26 -- the
anniversary of the nuclear power plant disaster that occurred in
Chernobyl, Ukraine. Additionally, it deletes a PC's Basic
Input-Output System (BIOS), rendering the PC itself inoperable until
the BIOS chip is replaced, or data is restored to it. Only flash
BIOSes, meaning those that can be changed or updated, are vulnerable
to this threat.
Since the virus attaches itself to executable files, which are not distributed as
often as documents, it never spread on the scale of the "more
successful" macro viruses. Despite this, hundreds of
thousands of computers have fallen victim to PE CIH, particularly in
Asia.
VBS_LOVELETTER
The VBS_LOVELETTER VBS script virus, also known
as the Love Bug and the ILOVEYOU virus, unseated Melissa as the
world's most prevalent virus when it struck in May 2000. By the
time the outbreak was finally brought under control, losses incurred
were estimated at US$10 billion, and the Love Bug is said to have
infected one in every five PCs worldwide.
The original version of the virus,
allegedly written by a Filipino undergraduate, used Microsoft Outlook
to send messages with the attachment file "LOVE-LETTER-FOR-YOU.TXT.vbs"
to all addresses listed in the address list. This email had the
subject: "ILOVEYOU", and its body contained the following
message: "kindly check the attached LOVELETTER coming from
me." The file attachment contained the virus. Since then, over 30
variants, with different subjects and mail bodies, have been developed
-- some coming out only days after the first outbreak.
LOVELETTER also propagates using mIRC.
With mIRC, the virus sends a copy of itself,
"LOVE-LETTER-FOR-YOU.HTM", to users in the same channel as the
infected user.
This virus has a destructive payload.
It overwrites selected files with its own code -- creating versions of
itself in their place.
Famous Incidents in Virus History
Pakistani Brain
A boot sector virus that transfers the current boot sector to an
unused portion of the disk and marks that portion of the disk as bad
sectors. It then copies the remainder of the virus to an unused
portion of the disk and also marks that portion as bad sectors. It
periodically marks other portions of the disk as bad sectors, making
files, and eventually the disk, unusable. Early versions displayed a
volume label as "Brain (C:)". All versions have the name of
the program, the authors and often their address in the boot sector of
the infected disk. This virus was the first virus known to spread
worldwide and has spawned numerous strains of similar viruses
including the Ashar or Ashar-Shoe viruses which are very common in
Malaysia.
Stoned-Marijuana
This is another boot sector virus. It infects the boot sector of
floppy disks and the File Allocation Table (FAT) of hard disk drives.
On most systems, it will periodically display a message "Your PC
is Stoned. Legalise Marijuana." However, it will damage the file
allocation table on hard disk drives with more than one partition and
on floppy disks that have been formatted high density. This makes
access to the files nearly impossible. The original strain of this
virus was written in New Zealand.
Jerusalem
Also known as "Israeli" and "Friday the 13th",
this virus has several strains, including the Jerusalem-B virus.
The Jerusalem virus infects both .COM and .EXE files. This virus will
survive a warm boot, i.e., it will stay in memory after re-booting
your computer by typing Ctrl-Alt-Del or using your computer's
"Reset" button. After the virus has been resident for half an
hour, it slows the system down by a factor of ten. On Friday the 13th,
it will delete all infected files. Besides the damage it inflicts, the
Jerusalem-B virus also periodically displays a "black
window" in the middle of the screen.
Cascade
Also known as "Falling Letters" or "1701". It
originally appeared as a Trojan horse disguised as a program to turn
off the Num-Lock light on the keyboard. Instead, it caused all the
characters on the screen to fall into a pile at the bottom of the
screen. It now occurs as a memory resident .COM virus. The Cascade
virus uses an encryption algorithm to avoid detection. It originally
activated on any machine with a color monitor from September to
December in the years 1980 and 1988.
Michelangelo
The Michelangelo virus, also referred to by some virus watchers as
Stoned.Michelangelo, is a boot record virus and was first encountered
in the early 1990s. Since then, a number of strains have come
about, and it is now also known by a variety of names.
It was named after the Italian Renaissance artist Michelangelo
Buonarroti -- because the trigger date for the delivery of its
payload coincided with the artist's birthday: March 6 (the name
was assigned by a virus researcher, not the virus writer himself).
On the said trigger date, it destroys files by overwriting critical
areas of the hard disk or floppy disk with garbage, rendering the rest
of the disk, and information on it, useless. Once a bootable
disk is infected with this virus, it ceases to be bootable.
Infections are the result of system boot-ups using infected diskettes. Once
the virus is resident in memory, it then infects non-write-protected
diskettes that are used on the said PC.
This virus is of particular interest to Trend Micro -- it was this virus's
destructive nature that inspired the founder of the company to enter
the antivirus industry.
Black Monday
On Mondays, a counter counts down from 240 each time a file is
infected. When zero is reached, a low level format of the hard disk is
performed. It was written by a Malaysian student.