Virus Evolution History Part 2 – Melissa and other executable worms

The powerful script interpreters included in Microsoft Office gave virus creators the opportunity to arm their viruses with the characteristics of worms. An example of this was the Melissa worm, a Word macro virus with the characteristics of a worm, which infected documents created with the 97 and 2000 versions of Word. This worm automatically sends itself as an email attachment to the first 50 contacts found in the Outlook address book on the infected computer. This technique, which unfortunately has become very popular today, was first used in this virus, which in 1999 caused one of the biggest epidemics in computer history within a few days. In fact, large companies like Microsoft, Intel and Lucent Technologies had to block their connections to the Internet due to the action of Melissa.

The technique applied for the first time in the Melissa virus was subsequently developed by viruses like VBS/Freelink which, unlike its predecessor, sent itself to all contacts recorded in the address book of an infected PC. This was the beginning of a new generation of worms that were able to send themselves to all the contacts found in the Outlook address book of the infected computer. Of all those worms, the one that really stands out is VBS/LoveLetter, widely known as the I Love You virus, which first appeared in May 2000 and caused an epidemic with losses estimated at 10,000 million euros. To attract the attention of users and to contribute to its spread, this worm sent itself via an e-mail message with the subject ILOVEYOU and an attachment named LOVE-LETTER-FOR-YOU.TXT.VBS. When the user opened the attachment, the computer was infected.

Besides Melissa, another type of virus appeared in 1999 that was also a milestone in the history of viruses. In November of that year the VBS/BubbleBoy virus (written in VBScript) was created: a new type of worm which spread over the Internet without the user clicking on an attachment. To run itself automatically when the user opened or displayed a message, the virus took advantage of a security problem in Internet Explorer 5. The successor of this worm, in 2000, was JS/Kak.Worm, which spread by exploiting the automatic signature feature of Microsoft Outlook Express, which enabled it to infect computers without requiring the user to execute a file. These were the first samples of a series of worms that were subsequently enriched with new members: worms that could attack computers while users were browsing the Internet.

Virus Evolution History – Part 1

In this article we will examine how the growth of Windows and Visual Basic affected the evolution of computer viruses, since the development of those two technologies was accompanied by the appearance of global virus epidemics, like the Melissa virus in 1999.

While Windows was evolving from an application designed to facilitate the management of DOS into a 32-bit operating system, virus developers returned to using assembly as the main programming language to create viruses. Versions 5 and 6 of Visual Basic (VB) were, together with Borland Delphi (Pascal language environments for Windows), the preferred development tools for creators of worms and Trojan horses. Then Visual C came into play, which offered a powerful application programming language for Windows. C was quickly adopted by the creators of viruses, Trojan horses and worms. Viruses based on the Visual C language acquired unprecedented power, supplanting all other types of viruses. Although the characteristics of worms have changed with time, all have the same goal: to spread to as many computers as possible in the shortest possible time.

Over time, Visual Basic became extremely popular and Microsoft implemented it as part of the functionality of a separate tool: an “interpreter” capable of executing script files that contained code with similar syntax.
Simultaneously, with the establishment of the 32-bit Windows platform, the first script file viruses were born: these were hostile programs hidden inside a plain text file. Script file viruses showed that executable files (files with the extensions .EXE and .COM) were not the only ones that could carry viruses. As we have already seen with BAT file viruses, there are other means of spreading a virus, fully justifying the assumption that anything that can be executed, either directly or through an interpreter, may contain hostile software. Specifically, the first viruses that could infect the macros contained in Microsoft Office applications came onto the scene. As a result, Word, Excel, Access and PowerPoint have become vehicles for the spread of lethal weapons, which destroy data even when users simply open a document.

Virus Types

Viruses are generally distinguished by the way they spread and propagate or by the target they attack. The following virus types do not necessarily indicate a strict division. A file infector, for example, may also be a system infector. A script virus that infects other script files may also be considered a file infector. There are also difficulties in drawing a hard distinction between macro and script viruses. Nevertheless, the virus types that I describe in this post provide a pretty good classification of computer viruses as researched by security scientists.

Trojan Horse – Mythology or Reality ?

In Greek Mythology, the Trojan Horse was a seemingly innocuous but treacherous gift from the Greeks to the Trojans. During the siege of Troy, an enormous wooden horse was left by the Greek army outside the gates of the city. The Greeks had sailed away as if they had retreated. The Trojans, believing the horse to be a religious offering, brought it into the city. Greek soldiers then emerged from their hiding place within the hollow horse and opened the city gates to enable the rest of the Greek army to enter and capture the city.

Comparison: Virus, Worm, Adware, Spyware, Trojan

We have all encountered terms like virus, worm, spyware, etc. many times in the internet “jungle” without actually distinguishing between them. In this post I will try to define and compare all these malware threats that flow around the computer and internet worlds.

  • Virus: A virus is a malware program that is loaded on your computer without your knowledge, with the intent of doing some damage to your system. It normally attaches itself to another program or data file in order to spread and reproduce itself in other areas of the computer without the knowledge of the user. Normally a virus enters your computer through a spam email which has attachments (pictures or files) or by downloading infected programs from malicious sites. A virus can damage files or cause your computer to behave strangely.
  • Worm: Worms are memory-resident malware threats that can spread across networks by exploiting possible vulnerabilities in the TCP/IP stack implementation of the OS and/or specific applications. They load themselves into the memory of a remote system and then execute themselves … all without ever being written to a disk. A worm therefore can live on its own and propagate by copying itself from one computer to another. Worms can harm a network, can consume tremendous bandwidth, and can shut a computer down.
  • The difference between viruses and worms is that a virus cannot replicate itself like a worm, and it usually affects the computer it has invaded. A worm acts autonomously, and uses a computer network in order to multiply itself and to send copies of itself to other systems. A virus needs a user action (e.g. downloading an infected file, running a program, etc.) in order to propagate and spread itself.