History And Evolution Of Viruses And Worms

A brief synopsis of infections.

This is not a complete history of viruses and worms, but more of a time-line of their existence. Many in-depth volumes of the history of viruses and worms can be found on the Internet.

  • 1971
    • The Creeper, an experimental self-replicating program, was written by Bob Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.
  • 1974
    • The Rabbit, or Wabbit, virus, really more a fork bomb than a virus, was written. The Rabbit virus makes multiple copies of itself on a single computer (which is why it was named 'Rabbit') until it clogs the system, reducing system performance, before finally reaching a threshold and crashing the computer.
  • 1975
    • April - Animal is written by John Walker for the UNIVAC 1108. Animal asked the user a number of questions in an attempt to guess the type of animal the user was thinking of, while the related program Pervade would create a copy of itself and Animal in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structures and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that Pervade used for safe copying. Though non-malicious, Pervading Animal represents the first Trojan in the wild.
  • 1981
    • Elk Cloner, written for Apple II systems, was created by Richard Skrenta. The Apple II was seen as particularly vulnerable due to the storage of its operating system on floppy disk. Elk Cloner's design combined with public ignorance about what malware was and how to protect against it led to Elk Cloner being responsible for the first large-scale computer virus outbreak in history.
  • 1983
    • November - The term Virus is coined by Frederick Cohen in describing self-replicating computer programs. In 1984 Cohen uses the phrase "computer virus", (suggested by his teacher Leonard Adleman) to describe the operation of such programs in terms of "infection". He defines a 'virus' as a program that can infect other programs by modifying them to include a possibly evolved copy of itself. Cohen demonstrates a virus-like program on a VAX11/750 system at Lehigh University. The program could install itself in, or infect, other system objects.
  • 1986
    • January - The Brain boot sector virus is released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani, Pakistani Brain, and Pakistani flu as it was created in Lahore, Pakistan by 19-year-old Pakistani programmer, Basit Farooq Alvi, and his brother, Amjad Farooq Alvi.
    • December - Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.
  • 1987
    • The Vienna virus appears and is subsequently neutralized, the first time this had happened on the IBM platform.
    • The Lehigh virus appeared. It was a boot sector virus, appearing in the same year as Yale from the USA, Stoned from New Zealand, Ping Pong from Italy, and the first self-encrypting file virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and as a result has never been found elsewhere. A subsequent infection of Cascade in the offices of IBM Belgium led to IBM responding with its own antivirus product development. Prior to this, antivirus solutions developed at IBM were intended for staff use only.
    • October - The Jerusalem virus, part of the Suriv family is detected in the city of Jerusalem. The virus destroys all executable files on infected machines upon every occurrence of Friday the 13th except Friday 13 November 1987 making its first trigger date May 13, 1988. Jerusalem caused a worldwide epidemic in 1988.
    • November - The boot sector virus SCA for Amiga computers appears, immediately creating a pandemic virus-writer storm. A short time later SCA releases another, considerably more destructive virus, the Byte Bandit.
    • December - Christmas Tree EXEC was the first widely disruptive replicating network program which paralyzed several international computer networks in December 1987. It was written in Rexx on the VM/CMS operating system and originated in what was then West Germany. It re-emerged in 1990.
  • 1988
    • March 1 - The Ping-Pong virus, aka: Boot, Bouncing Ball, Bouncing Dot, Italian, Italian-A, VeraCruz, an MS-DOS boot sector virus, is discovered at the University of Turin in Italy.
    • June - The CyberAIDS and Festering Hate Apple ProDOS viruses spread from underground pirate BBS systems and start infecting mainstream networks. Festering Hate was the last iteration of the CyberAIDS series extending back to 1985 and 1986. Unlike the few Apple viruses that had come before, which were essentially annoying but did no damage, the Festering Hate series of viruses was extremely destructive, spreading to all system files it could find on the host computer (hard drive, floppy, and system memory) and then destroying everything when it could no longer find any uninfected files.
    • November 2 - The Morris worm, created by Robert Tappan Morris infects DEC VAX and Sun machines running BSD UNIX that are connected to the Internet and becomes the first worm to spread extensively "in the wild" and one of the first well-known programs exploiting buffer overrun vulnerabilities.
  • 1989
    • October - Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason. It infects both executable .COM files and boot sectors on MS-DOS systems.
    • December - Several thousand floppy disks containing the AIDS Trojan, the first known ransomware, are mailed to subscribers of PC Business World magazine and a WHO AIDS conference mailing list. This DOS Trojan lies dormant for 90 boot cycles, then encrypts all filenames on the system, displaying a notice asking for $189 to be sent to a post office box in Panama in order to receive a decryption program.
  • 1990
    • The first Chameleon family of viruses was developed by Mark Washburn in conjunction with Ralf Burger while working on an analysis of the Vienna and Cascade viruses. The Chameleon family was a family of polymorphic viruses. The Chameleon series debuted with the release of 1260.
    • June - The Form computer virus is isolated in Switzerland. It would remain in the wild for almost 20 years and then reappear afterwards. It was one of the most common viruses in the wild, with 20% to 50% of reported infections during the 1990s.
  • 1992
    • Michelangelo was a virus that was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped, at least according to the mass media hysteria surrounding the virus. Later assessments of the damage showed the aftermath to be minimal.
  • 1993
    • The viruses Leandro, aka: Leandro & Kelly, and Freddy Krueger spread rapidly due to the popularity of BBSs and shareware distribution.
  • 1994
    • April - OneHalf was a DOS-based polymorphic computer virus.
  • 1995
    • Concept, the first Macro virus was created. It attacked Microsoft Word documents.
  • 1996
    • Ply, a complicated 16-bit DOS polymorphic virus with a built-in permutation engine, appeared.
    • Boza, the first virus designed specifically for Windows 95 files, arrives.
    • Laroux, the first Excel macro virus, appears.
    • Staog, the first Linux virus, attacks Linux machines.
  • 1998
    • June - The first version of the CIH virus appears. It is the first known virus able to erase flash ROM BIOS content.
  • 1999
    • January - The Happy99 worm appeared. It would invisibly attach itself to emails and display fireworks to hide the changes being made. It would also wish the user a happy New Year. It modified system files related to Outlook Express and Internet Explorer on Windows 95 and Windows 98.
    • March - The Melissa worm was released. Its target was Microsoft Word and Outlook-based systems, creating considerable network traffic.
    • June - The ExploreZip worm made its debut. Its goal was to destroy Microsoft Office documents.
    • December - The Kak worm appeared. It was a JavaScript computer worm that spread itself by exploiting a bug in Outlook Express.
  • 2000
    • May - The ILOVEYOU worm, aka: Love Letter, VBS or Love Bug worm, appeared. Its creator was a Filipino computer science student, and it was written in VBScript. It infected millions of Windows computers worldwide within a few hours of its release using social engineering techniques and was considered to be one of the most damaging worms ever.
    • June - The Pikachu virus arrived and was believed to be the first computer virus geared at children. It contained the character "Pikachu" from the Pokémon series and took the form of an e-mail titled "Pikachu Pokemon" with the message: "Pikachu is your friend." The attachment to the email had an image of a pensive Pikachu along with a message stating, "Between millions of people around the world I found you. Don’t forget to remember this day every time MY FRIEND." Embedded with the image was a program, written in Visual Basic 6, called "pikachupokemon.exe", that modified the AUTOEXEC.BAT file, adding a command to remove the contents of the directories C:\Windows and C:\Windows\System at the computer's restart. However, a message would appear during startup asking the user whether they would like to delete the contents of those folders. This is because, instead of writing the lines “del C:\WINDOWS\*.* /y” and “del C:\WINDOWS\SYSTEM\*.* /y” to AUTOEXEC.BAT, the author did not include the /y switches, which would have automatically chosen the yes option. The operating systems affected by this worm were Windows 95, Windows 98 and Windows ME.
  • 2001
    • February - The Anna Kournikova virus appeared and hit e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook address book.
    • May - The Sadmind worm spread by exploiting holes in both Sun Solaris and Microsoft IIS.
    • July - The Sircam worm is released. It spread through Microsoft systems via e-mail and unprotected network shares.
    • July - The Code Red worm attacked the Index Server ISAPI Extension in Microsoft Internet Information Services.
    • August - A complete re-write of the Code Red worm appeared. Code Red II began aggressively spreading onto Microsoft systems, primarily in China.
    • September - The Nimda worm is discovered. It spread through a variety of means including vulnerabilities in Microsoft Windows and backdoors left by Code Red II and Sadmind worm.
    • October - The Klez worm is first identified. It exploited a vulnerability in Microsoft Internet Explorer and Microsoft Outlook and Outlook Express.
  • 2002
    • February - The Simile virus is a metamorphic computer virus written in assembly.
    • Beast, aka: Remote Administration Tool (RAT), is a Windows based backdoor Trojan horse. It was capable of infecting almost all versions of Windows. It was written in Delphi and released first by its author Tataye in 2002. Its most current version was released October 3, 2004.
    • March 7 - Mylife was a computer worm that spread itself by sending malicious emails to all the contacts in Microsoft Outlook.
  • 2003
    • January - The SQL Slammer worm, aka: Sapphire worm, Helkern as well as other names, attacked vulnerabilities in Microsoft SQL Server and MSDE. It became the fastest spreading worm of all time measured by doubling time at the peak rate of growth, causing massive Internet access disruptions worldwide just fifteen minutes after infecting its first victim.
    • April - Graybird was a Trojan Horse also known as Backdoor.Graybird.
    • June - A Turkish-made Microsoft Windows based backdoor Trojan horse appeared. It was more commonly known as a Remote Administration Tool (RAT).
    • August - The Blaster worm, aka: the Lovesan worm, rapidly spread by exploiting a vulnerability in system services present on Windows computers.
    • August - The Welchia (Nachi) worm appeared. The worm tried to remove the Blaster worm and patch Windows.
    • August - The Sobig worm, technically the Sobig.F worm, spread rapidly through Microsoft systems via mail and network shares.
    • September - Swen is a computer worm written in C++.
    • October - The Sober worm is first seen on Microsoft systems and maintained its presence until 2005 with many new variants. The simultaneous attacks on network weak points by the Blaster and Sobig worms cause massive damage.
    • November - Agobot was a computer worm that can spread itself by exploiting vulnerabilities on Microsoft Windows. Some of the vulnerabilities are MS03-026 and MS05-039.
    • November - Bolgimo was a computer worm that spread itself by exploiting a buffer overflow vulnerability at Microsoft Windows DCOM RPC Interface.
  • 2004
    • January - Bagle was a mass-mailing worm affecting all versions of Microsoft Windows. There were two variants of the Bagle worm, Bagle.A and Bagle.B; Bagle.B was discovered on February 17, 2004.
    • Late January - The MyDoom worm emerged. It currently holds the record for the fastest spreading mass mailer worm. The worm was most notable for performing a distributed denial-of-service (DDoS) attack on www.sco.com, which belonged to The SCO Group.
    • February - The Netsky worm was discovered. The worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives if available. Many variants of the Netsky worm appeared.
    • March - The Witty worm was a record-breaking worm. It exploited holes in several Internet Security Systems (ISS) products. It had the shortest time from vulnerability disclosure to worm and was the first Internet worm to carry a destructive payload. It spread rapidly using a pre-populated list of ground-zero hosts.
    • May - The Sasser worm emerged by exploiting a vulnerability in the Microsoft Windows LSASS service causing problems in networks while removing MyDoom and Bagle variants and even interrupting business.
    • June - Caribe, or Cabir, was a computer worm designed to infect mobile phones that ran Symbian OS. It was the first computer worm that could infect mobile phones. It spread itself through Bluetooth.
    • August - Nuclear RAT, short for Nuclear Remote Administration Tool was a backdoor Trojan that infected Windows NT family systems: Windows 2000, Windows XP and Windows 2003.
    • August - Vundo, or the Vundo Trojan, aka: Virtumonde or Virtumondo and sometimes referred to as MS Juan, was a Trojan known to cause pop-ups and advertising for rogue anti-spyware programs and sporadically other misbehavior, including performance degradation and denial of service with some websites including Google and Facebook.
    • October - Bifrost, aka: Bifrose was a backdoor Trojan which could infect Windows 95 through Vista. Bifrost used the typical server, server builder and client backdoor program configuration to allow a remote attack.
    • December - Santy, the first known "webworm", is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40000 sites before Google filtered the search query used by the worm, preventing it from spreading.
  • 2005
    • August - The Zotob worm appeared. It exploited security vulnerabilities in Microsoft operating systems like Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm was known to spread on Microsoft-ds or TCP port 445.
    • October - The copy protection rootkit deliberately and surreptitiously included on music CDs sold by Sony BMG was exposed. The rootkit created vulnerabilities on affected computers making them susceptible to infection by worms and viruses.
    • Late 2005 - The Zlob Trojan appeared. Zlob was a Trojan horse program that masqueraded as a required video codec in the form of a Microsoft Windows ActiveX component.
  • 2006
    • January - The Nyxem worm was discovered. It spread by mass-mailing and its payload was set to activate on the third of every month starting on February 3. It would disable security-related and file sharing software and destroy files such as Microsoft Office files.
    • February - The first ever malware for Mac OS X was discovered. It was a low-threat Trojan known as OSX/Leap-A, also known as OSX/Oompa-A.
    • March - Brontok variant N was discovered. Brontok was a mass email worm. The origin for the worm was Indonesia.
    • June - The Starbucks virus appeared. It infected StarOffice and OpenOffice.
    • September - Stration, aka: Warezov, appeared. It would disable security features and propagate itself to other computers via e-mail attachments. This family of worms was unusual in that new variants were being produced at an unprecedented rate, estimated to be up to one every 30 minutes at its peak, and downloaded from remote servers by infected machines to speed propagation.
  • 2007
    • January - The Storm worm was identified as a fast-spreading email spamming threat to Microsoft systems. It began by gathering infected computers into the Storm botnet. By around June 30, it had infected 1.7 million computers and had compromised between 1 and 10 million computers by September. Thought to have originated from Russia, it disguised itself as a news email containing a film about bogus news stories, asking the recipient to download the attachment, which it claims is a film.
    • July - Zeus, a Trojan, appeared. Its target was Microsoft Windows and its purpose was to steal banking information by keystroke logging.
  • 2008
    • February - The Mocmex Trojan appeared. It was the first serious computer virus on a digital photo frame and traced back to a group in China.
    • March - The Torpig Trojan, aka: Sinowal and Mebroot, appeared. It affected Windows by turning off anti-virus applications. It also allowed others to access the computer, modify data, steal confidential information and install more malware on the victim's computer.
    • May - Rustock.C, a malware with advanced rootkit capabilities was announced to have been detected on Microsoft systems and analyzed. It had been in the wild and undetected since October 2007 at the very least.
    • July - Bohmini.A was a configurable remote access Trojan that exploited security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.
    • July - The Koobface worm targeted users of Facebook and Myspace with new variants constantly appearing.
    • November - The Conficker worm infected anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. The French Navy, UK Ministry of Defense, including Royal Navy warships and submarines, Sheffield Hospital network, German Bundeswehr and Norwegian Police were all affected. Microsoft established a bounty of $250,000 (USD) for information leading to the capture of the worm's creator(s). Five main variants of the Conficker worm were known and were dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. On December 16, 2008, Microsoft released KB958644. This patched the server service vulnerability responsible for the spread of Conficker.
  • 2009
    • July - The W32.Dozer attack emerged against the United States and South Korea. Symantec discovered the Daprosy worm, a Trojan intended to steal online-game passwords in Internet cafes. It could, in fact, intercept all keystrokes and send them to its author, which makes it a potentially very dangerous worm if it infects business-to-business systems.
    • August - Source code for MegaPanzer was released by its author under GPLv3, and it was apparently detected in the wild.
  • 2010
    • January - The Waledac botnet sent spam emails. Also, the Psyb0t worm is discovered. It is thought to be unique in that it can infect routers and high-speed modems.
    • February - An international group of security researchers and Microsoft took Waledac down. Also, Microsoft announced that a BSoD problem on some Windows machines which was triggered by a batch of Patch Tuesday updates was caused by the Alureon Trojan.
    • June - Stuxnet, a Windows Trojan, was detected. It is the first worm to attack SCADA systems. There are suggestions that it was designed to target Iranian nuclear facilities. It used a valid certificate from Realtek.
    • September - The VBMania virus appeared. Also called "here you have", it is a simple Trojan horse that arrived in the inbox with the subject line "here you have". The body reads "This is The Document I told you about, you can find it Here" or "This is The Free Download Sex Movies, you can find it Here".
    • September - The Kenzero virus appeared; it spread online via peer-to-peer sites and harvested browsing history.
  • 2011
    • SpyEye and Zeus merged code is seen. This new variant attacked mobile phone banking information.
    • Anti-Spyware 2011, a Trojan horse that posed as an anti-spyware program, disabled the security-related processes of anti-virus programs while also blocking access to the Internet, which prevented updates. It attacked Windows 9x, 2000, XP, Vista, and Windows 7.
    • Summer - The Morto worm propagated itself to additional computers via the Microsoft Windows Remote Desktop Protocol (RDP). Morto spread by forcing infected systems to scan for Windows servers allowing RDP login. Once Morto found an RDP-accessible system, it attempted to log into a domain or local system account named 'Administrator' using a number of common passwords. A detailed overview of how the worm works, along with the password dictionary Morto uses, was done by Imperva.
    • July - The ZeroAccess rootkit, aka: Sirefef or max++ was discovered.
    • September - Duqu, a worm thought to be related to the Stuxnet worm, appeared.
  • 2012
    • May - Flame, aka: Flamer, sKyWIper, and Skywiper was a modular computer malware that attacks computers running Microsoft Windows. It was used for targeted cyber espionage in Middle Eastern countries.
    • August - The Shamoon virus was designed to target computers running Microsoft Windows in the energy sector.
    • September - The NGRBot worm appeared. It used the IRC network for file transfer, sending and receiving commands between zombie network machines and the attacker's IRC server, while monitoring and controlling network connectivity and intercepting traffic. It employed a user mode rootkit technique to hide and steal its victim's information. This family of bots was also designed to infect HTML pages with in-line frames (iframes), causing redirections and blocking victims from getting updates from security/anti-malware products by killing those services. The bot is designed to connect via a predefined IRC channel and communicate with a remote botnet.
  • 2013
    • September - The CryptoLocker Trojan horse is discovered. Cryptolocker encrypted the files on a user's hard drive and then prompted them to pay a ransom to the developer in order to receive the decryption key. In the following months, a number of copycat ransomware Trojans are also discovered.
    • December - The Gameover ZeuS Trojan is discovered. This type of virus stole login details for popular web sites that involve monetary transactions. It worked by detecting a login page, injecting malicious code into the page and then keystroke logging the computer user's details.
    • December - The Linux.Darlloz worm targeted the Internet of Things and infected routers, security cameras and set top boxes by exploiting a PHP vulnerability.
  • 2014
    • November - The Regin Trojan horse is discovered. Regin was a dropper that was primarily spread via spoofed Web pages. Once downloaded, Regin quietly downloads extensions of itself making it difficult to be detected via anti-virus signatures. It was suspected to have been created by the United States and United Kingdom over a period of months or years as a tool for espionage and mass surveillance.
  • 2015
    • The Bashlite malware was leaked leading to a massive spike in DDoS attacks.
    • Linux.Wifatch arrived. It was found to attempt to secure devices from other more malicious malware.
  • 2016
    • February - Locky, a ransomware with over 60 derivatives, spread throughout Europe and infected several million computers. At the height of the spread over five thousand computers per hour were infected in Germany alone. Although ransomware was not a new thing at the time, insufficient cyber security, as well as a lack of standards in IT were responsible for the high number of infections. Unfortunately, even up to date anti-virus and Internet security software was unable to protect systems from early versions of Locky.
    • Also in February - The Tiny Banker, aka: Tinba, Trojan makes headlines. Since its discovery, it was found to have infected more than two dozen major banking institutions in the United States. The Tiny Banker Trojan used HTTP injection to force the user's computer to believe that it was on the bank's website. This spoofed page looked and functioned just like the legitimate site. The user would then enter their information to log on. At this point Tinba would launch the bank web page's "incorrect login information" and in turn redirect the user to the real website. This was used to trick the user into thinking they had entered the wrong information and proceed as normal. However, by now Tinba had captured the credentials and sent them to its host.
    • September - Mirai created headlines by launching some of the most powerful and disruptive DDoS attacks seen to date by infecting the Internet of Things.
  • 2017
    • May - The WannaCry ransomware attacks spread globally. Exploits revealed in the NSA hacking toolkit leak were used to enable the propagation of the malware. Shortly after the news of the infections broke on-line, a UK cyber-security researcher, in collaboration with others, found and activated a "kill switch" hidden within the ransomware which effectively halted the initial wave of its global propagation. The next day, researchers announced that they had found new variants of the malware without the kill switch.
    • June - The Petya ransomware spread globally affecting Windows systems. Researchers at Symantec found that this ransomware used the EternalBlue exploit which is similar to the one used in the WannaCry ransomware attack.
    • September - The Xafecopy Trojan appeared. The Trojan attacked 47 countries, affecting only Android operating systems. Kaspersky Lab identified it as malware from the Ubsod family, capable of stealing money through click-based WAP billing systems.
    • Also in September - A new variety of Remote Access Trojan (RAT), Kedi RAT, was discovered. It was distributed in a spear phishing campaign and targeted Citrix users. The Trojan was able to evade usual system scanners. The Kedi Trojan had all the characteristics of a common Remote Access Trojan and could communicate with its command and control center via Gmail using common HTML and HTTP protocols.
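The Morto entry under 2011 above describes a worm that spread by trying common passwords against the 'Administrator' account over RDP. The block below is an added example, not code from the original page or from any vendor or project named on it, showing how a defender might flag that pattern in exported Windows Security events: a burst of event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address against the Administrator account inside a short window, and whether a 4624 (successful logon) from the same source followed. The pipe-separated line format, the sample events, the threshold and window, and the function names are all constructed assumptions for the example.

```python
"""Flag RDP password guessing against the Administrator account from
constructed Windows Security log lines (added example, not from the page).

Event ID 4625 is a failed logon and 4624 a successful one; Logon Type 10 is
RemoteInteractive (RDP). The line layout below is a constructed, simplified
export, not a real Windows log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: timestamp|event_id|logon_type|target_account|source_ip
# (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges.)
SAMPLE_LOG = """\
2011-08-01T10:00:01|4625|10|Administrator|192.0.2.10
2011-08-01T10:00:02|4625|10|Administrator|192.0.2.10
2011-08-01T10:00:03|4625|10|Administrator|192.0.2.10
2011-08-01T10:00:04|4625|10|Administrator|192.0.2.10
2011-08-01T10:00:05|4625|10|Administrator|192.0.2.10
2011-08-01T10:00:06|4624|10|Administrator|192.0.2.10
2011-08-01T10:05:00|4625|10|alice|198.51.100.7
2011-08-01T10:30:00|4625|10|Administrator|198.51.100.7
2011-08-01T11:00:00|4625|2|Administrator|127.0.0.1
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def detect_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: {"failures": n, "success_after": bool}} for every
    source that produced at least `threshold` failed RDP logons against the
    'Administrator' account within `window` (a sliding window per source).
    A later 4624 from a flagged source marks success_after=True, which is the
    case that needs the fastest response."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Only RDP (type 10) attempts against the Administrator account matter here.
        if ev["logon_type"] != 10 or ev["account"].lower() != "administrator":
            continue
        if ev["event_id"] == 4625:
            q = recent[ev["src"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[ev["src"]] = {"failures": len(q), "success_after": False}
        elif ev["event_id"] == 4624 and ev["src"] in flagged:
            flagged[ev["src"]]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_guessing(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed RDP Administrator logons"
              f"{' followed by a success' if info['success_after'] else ''}")
```

Run against SAMPLE_LOG, the block flags 192.0.2.10 (five failures in under a minute, then a success) and ignores the single failure from 198.51.100.7 and the local console failure (logon type 2). On hosts with Network Level Authentication enabled, failed RDP logons are commonly recorded with logon type 3 rather than 10, so a production rule should accept that type as well.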