PART I
THE ULTIMATE VIRUS KILLER BOOK
3 - GENERAL HISTORY OF COMPUTER VIRUSES
In 1957, N.T.J. Bailey wrote a book called "The Mathematical
Theory of Epidemics". It mentioned theories behind computer
viruses, but did not result in any of them actually being
released. It is now commonly regarded as the first book ever
published on the subject of computer viruses, or at least on
the basic principles behind them. In 1974, Gunn wrote "Use of
Virus Functions", which was already a lot more explicit. It was
not until 1980 that a German professor called J. Krause published
a book that even went as far as featuring practical examples of
virus programming.
During the last decade or so, many things have happened with
various kinds of computer viruses and related anomalies. In this
chapter, you will find short stories of various 'historical'
events that have happened. Mind you, some of them are rather
spectacular.
3.1 THE BIG STUFF
The first actual viruses (or associated anomalies) appeared on
large networks and mainframe systems, which were at that time
mainly used by universities and various official institutions
such as NASA and the CIA. Most of the time they appeared in the
form of Trojan horses: a funny game, for example, that wiped
vital parts of the hard disk during play.
In the early eighties, around the time when Fred Cohen published
his book "Computer Viruses: Theory and Experiments", he conducted
a lot of practical research, pioneering work in the field of
virus programming as it were.
On September 10th 1983, he infected the VAX 11/750 running UNIX
at the University of California, and within a typical time of
thirty minutes all programs were infected. The average infection
time was 500 milliseconds. This resulted in him getting kicked
off the network, until he was allowed to do further experiments
in 1984.
In 1986, a Trojan Horse ended up in the EDV (electronic data
processing) installation of the United States Nuclear Physics
Research Centre Fermilab. A similar program was later found in
138 VAX systems in the worldwide Space Physics Analyst Network
(SPAN) in 1987. German hackers appeared to have written this
virus, which was designed primarily to keep open as many
terminals as possible for further contact from Germany.
Shortly before Christmas of that year, the highly notorious
Christmas Virus popped up on VM/CMS machines, written by people
at the Clausthal Technical University in Germany using the
scripting language REXX. It had spread through the scientific
network "EARN Bitnet", which at the time had approximately 4000
connections. The virus locked up the connection because of its
vicious spreading, and partly jammed the IBM Company Network on
December 11th of that year.
Actually, the Christmas Virus was a "chain letter", which read
communication partner addresses from the NAMES and NETLOG files
of the system it had just infected, and then computer-mailed
itself to all those addresses where it would start doing the same
(thus creating what is known to virus specialists as a 'tree
structure', ho-hum). "Just type XMas" would appear on the screen.
People that did not follow this request were denied access to the
network for several days.
To give you an idea of the speed at which it spread, the
following table is supplied:
-----------------------------------------------------------------
Time    Location of network connection
-----------------------------------------------------------------
12:43   University of Houston
12:44   Utah State University
12:44   Catholic University of Nijmegen, Netherlands
12:44   University of Southern California
12:44   National University of Singapore
12:45   City University of New York
12:45   Monterey Institute of Technology
12:46   Technical University Twente, Netherlands
12:46   Technical University Denmark
12:46   Weizmann Institute of Israel
12:46   Southwest Missouri State University
12:47   Louisiana State University Computer Center
-----------------------------------------------------------------
Infection times with the Christmas Virus at various locations
Also in December of that year, a virus penetrated the major
processing centre of IBM in Tampa, Florida. This virus was aimed
at locking out all users, working its way slowly up to locking
out even the system manager. Just in time, this program could be
stopped from reaching its vile goal.
In 1988, 23-year-old Robert Tappan Morris of Cornell University
wrote the RTM Virus. Within a matter of hours, it infected
thousands of computers of universities and research institutions
through the "Arpanet" and "Milnet" networks. Some of the infected
computers included those of the U.S. Defence Secretary, the SDI
laboratories of Livermore in California, the Lincoln laboratories
of Hanscom Air Force Base in Massachusetts and a Centre for
Nuclear Research in Los Alamos, New Mexico. The virus caused 96
million dollars worth of damage, which caused the FBI to be
called in promptly.
At a top secret meeting where, among others, members of the FBI,
NASA, CIA, Air Force Officers and a whole gathering of University
professors attended, the foundation of a Centre for the
collection and annihilation of computer viruses was discussed,
all triggered by the news about this latest virus and the harm
that computer viruses would thus potentially be capable of
inflicting.
Later, it turned out that the virus had been a 'harmless' one,
which Morris had spread at the occasion of a new IBM 3090-600 E
super computer being installed at Cornell.
Virus history is written as we speak. As recently as 1992, the
United States employed computer viruses in the Gulf War - they
were used to infect the Iraqi computer air defence system.
3.2 MS-DOS VIRUSES
So much for the stories about computer viruses on big systems,
which are really quite a distance away from the everyday computer
user and which might just as well have been taken from the
scripts of any "War Games" type film.
The next logical step down the ladder towards machines that 'us
lower mortals' can afford is talking about viruses on MS-DOS
computers. Writers of TV documentaries on viruses have been known
to estimate that an effective virus may cause damage to as much
as one million personal computers world wide.
-----------------------------------------------------------------
Date    Estimated number of viruses
-----------------------------------------------------------------
1987        1
1988        5
1989       10
1990       60
1991      400
1995    5,500
-----------------------------------------------------------------
Approximate numbers of MS-DOS viruses
Just like Atari viruses, MS-DOS viruses usually patch themselves
onto some kind of system vector. Of course, MS-DOS computers have
totally different system vectors than TOS computers, which will
not be explained here. But the basic principle is still the same:
they patch onto the system vectors pointing to sub-programs
within the Operating System that access disk sectors (for
bootsector viruses) or that open/close/move/whatever files (for
link viruses).
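The defender's side of the vector-patching principle just described, as an added example that is not code from the book: a Python check that compares two snapshots of the PC's real-mode interrupt vector table and reports every vector whose target has moved. The interrupt numbers it singles out (13h for BIOS disk sector I/O, 21h for DOS file services) are the standard PC assignments, not values from the book; both snapshots are constructed.

```python
import struct

# Vectors that correspond to the two hooking points named in the text:
# disk-sector access (bootsector viruses) and DOS file services (link
# viruses).  Standard PC interrupt numbers, assumed here.
WATCHED = {0x13: "BIOS disk I/O", 0x21: "DOS file services"}

def parse_ivt(table):
    """Decode the 1 KB interrupt vector table at 0000:0000 into 256
    (segment, offset) pairs.  Each 4-byte entry stores the offset word
    first, then the segment word, both little-endian."""
    if len(table) != 1024:
        raise ValueError("IVT snapshot must be exactly 1024 bytes")
    vectors = []
    for n in range(256):
        offset, segment = struct.unpack_from("<HH", table, n * 4)
        vectors.append((segment, offset))
    return vectors

def linear(segment, offset):
    """20-bit physical address of a real-mode segment:offset pair."""
    return ((segment << 4) + offset) & 0xFFFFF

def find_hooks(baseline, current):
    """Return (int_no, old_addr, new_addr, label) for every vector whose
    target differs between a known-good snapshot and the current one."""
    hooks = []
    for n, (old, new) in enumerate(zip(parse_ivt(baseline),
                                       parse_ivt(current))):
        if old != new:
            hooks.append((n, linear(*old), linear(*new),
                          WATCHED.get(n, "")))
    return hooks

def build_ivt(vectors):
    """Construct a 1 KB IVT from {int_no: (segment, offset)}.  Unlisted
    entries point at a dummy BIOS stub address (constructed value)."""
    table = bytearray()
    for n in range(256):
        segment, offset = vectors.get(n, (0xF000, 0xFF53))
        table += struct.pack("<HH", offset, segment)
    return bytes(table)

# Constructed snapshots: a clean boot, and the same machine after a
# resident program has redirected INT 13h and INT 21h into a block at
# the top of conventional memory.  Addresses are made up for the demo.
CLEAN = build_ivt({0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x109E)})
HOOKED = build_ivt({0x13: (0x9F80, 0x0000), 0x21: (0x9F80, 0x0045)})

if __name__ == "__main__":
    for n, old, new, label in find_hooks(CLEAN, HOOKED):
        print(f"INT {n:02X}h {label}: {old:05X} -> {new:05X}")
```

Taking the baseline right after a clean boot and re-checking after each program is loaded pinpoints which program bent the vector.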
There are thousands of viruses around in the MS-DOS world. Some
recent estimates go beyond a rather massive 5,500, some of which
have interesting names like Perfume Virus, XA-1 Virus, AIDS.EXE
Virus, Dark Avenger Virus and December 24th Virus.
It is impossible to talk about all MS-DOS viruses here, as there
are far too many and this is, after all, a book aimed rather
explicitly at TOS computer users. Therefore, we will have a go at
describing some of the more 'famous' or remarkable ones.
3.2.1 THE ISRAEL VIRUS
One of the best known viruses on MS-DOS machines, which made it
into the newspapers more than once, is the Israel Virus, also
known under its pseudonyms of PLO Virus, Jerusalem A Virus or
Friday 13th Virus.
Extensive studies have been made about this phenomenon, and it
is now believed that a whole family tree of viruses can be made
with the Israel Virus #1 as pre-virus.
It was first officially noticed by the Hebrew University of
Jerusalem in January 1988, and the discovery was due to what
probably was a bug in the virus program. The bug was that it
would repeatedly infect PC files of the .EXE type (each time
adding about 1,800 bytes to the file length), which would then at
a certain time grow too big for their storage medium. PC files of
the .COM type were not repeatedly infected.
According to K. Brunnstein's "Computerviren Report", the actual
thing the virus was supposed to do was to slow down infected
systems through a timer interrupt, resulting in the programs
running at one fifth of their original speed. Additionally, on
the first upcoming Friday the 13th it would destroy all .COM and
.EXE files. The first Friday the 13th after the discovery date
was May 13th 1988 - the 40th anniversary of the PLO. Hence one of
its pseudonyms.
These facts were hyped to considerable height in the press, and
it was often - wrongfully - stated that the Central Computer of
Jerusalem University had been infected. It had not.
The Israel Virus #1 was, nonetheless, a pre-virus for a lot of
others. The next version was the Jerusalem B Virus (which no
longer had the bug with the .EXE files), after which came the
Jerusalem C Virus (also called New Jerusalem Virus, which had the
timer function removed and would thus remain invisible until the
first Friday the 13th). The Jerusalem C Virus is thought to be
the pre-virus for at least three other viruses: the Black Hole
Virus (also called Russian Virus, which tried to pose as an
anti-virus), the Century A Virus (also called Oregon Virus, which
remains inactive up to January 1st 2000, and will then destroy
the FATs and sector 0 and put the message 'Welcome to the 21st
century' on the screen) and the Jerusalem D Virus (which would
destroy FATs on Friday the 13th). The latter would later result
in the Jerusalem E Virus (which destroys FATs on Friday the 13th
as well, but only starting in 1990), whereas the Century A Virus
would result in, surprise surprise, the Century B Virus (which
would additionally corrupt all write operations of BACKUP.COM,
the MS-DOS 'backup' command program).
More viruses have been triggered by 'Friday the 13th' since
then, though no link with any of the aforementioned viruses has
been made clear. On Friday the 13th of January 1989, for example,
some major British companies (including banks, hospitals and the
stock market) suffered from a virus that suddenly became active.
It had small dots move diagonally over the screen and create
'black holes' in texts. The British phone system nearly crashed
when all the companies involved started contacting a company in
Amersham (South-West England) that specialised in recovering lost
data.
On October 13th 1989, a Friday again, a virus called Datacrime
II caused quite some harassment among PC users once more;
Datacrime I and Datacrime II B also exist.
3.2.2 THE BRAIN VIRUS
One of the most notorious viruses known in the United States,
and one of the first viruses to be found on the PC, is the Brain
Virus, also called Pakistani Virus due to the fact that it was
written by software developers in Pakistan who wished to
interfere with people making unauthorised copies of their
programs.
It is a so-called bootsector virus, which hides itself in a
disk's bootsector (so as to be loaded at system start-up) and
uses additional sectors to store itself on (which it marks in the
FAT as 'bad').
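Marking clusters 'bad' in the FAT, as described above, leaves a trace that can be checked. This added example (not from the book) decodes a raw FAT12 table and reports runs of clusters marked bad; the 0xFF7 marker and the 12-bit packing are the standard FAT12 layout, the 354-cluster geometry is that of a 360 KB floppy, and the sample table is constructed.

```python
BAD_CLUSTER = 0xFF7   # FAT12 value meaning "unusable cluster"

def fat12_entries(fat, count):
    """Decode the first `count` 12-bit entries of a raw FAT12 table.
    Entries are packed in pairs: three bytes hold entry 2k in the low
    12 bits and entry 2k+1 in the high 12 bits."""
    entries = []
    for n in range(count):
        i = n * 3 // 2                        # byte offset of entry n
        pair = fat[i] | (fat[i + 1] << 8)     # 16 bits covering it
        entries.append(pair & 0xFFF if n % 2 == 0 else pair >> 4)
    return entries

def pack_fat12(values):
    """Inverse of fat12_entries; used here only to build the sample."""
    vals = list(values) + ([0] if len(values) % 2 else [])
    out = bytearray()
    for a, b in zip(vals[0::2], vals[1::2]):
        out += bytes([a & 0xFF,
                      ((a >> 8) & 0x0F) | ((b & 0x0F) << 4),
                      (b >> 4) & 0xFF])
    return bytes(out)

def bad_clusters(fat, cluster_count):
    """Data clusters (numbered from 2) whose FAT entry says 'bad'."""
    entries = fat12_entries(fat, cluster_count + 2)
    return [n for n in range(2, cluster_count + 2)
            if entries[n] == BAD_CLUSTER]

def runs(clusters):
    """Collapse a sorted cluster list into (first_cluster, length) runs."""
    out = []
    for c in clusters:
        if out and c == out[-1][0] + out[-1][1]:
            out[-1] = (out[-1][0], out[-1][1] + 1)
        else:
            out.append((c, 1))
    return out

def report(fat, cluster_count):
    """Bad-cluster runs on the disk.  A run of consecutive 'bad' clusters
    on a disk whose surface verifies clean deserves a closer look."""
    return runs(bad_clusters(fat, cluster_count))

# Constructed FAT for a 360 KB floppy (354 data clusters): media byte,
# end-of-chain marker, one short file in clusters 2-5, and three
# consecutive clusters (10-12) flagged bad in the manner described.
CLUSTERS = 354
_values = [0xFFD, 0xFFF, 3, 4, 5, 0xFFF] + [0] * (CLUSTERS + 2 - 6)
for _c in (10, 11, 12):
    _values[_c] = BAD_CLUSTER
SAMPLE_FAT = pack_fat12(_values)

if __name__ == "__main__":
    for first, length in report(SAMPLE_FAT, CLUSTERS):
        print(f"{length} cluster(s) marked bad from cluster {first}")
```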
It was discovered at the University of Miami, and the original
version could be recognised by the fact that it changed the
disk's volume label (disk name) to "(c) BRAIN". It was harmless
as long as it did not encounter specific pirated copies of
software. It is thought to have spread to at least 100,000 disks,
sometimes destroying data. Each time, it would leave the message
"WELCOME TO THE DUNGEON".
Sometimes, wrongfully, it is also called Ping Pong Virus. This
may be due to the fact that the Brain Virus may have been the
pre-virus to that. The Ping Pong Virus, however, manifests itself
as a little bouncing ball on the screen, that will interrupt
whatever you are doing on the computer. Granted, it's a pain in
the posterior, but otherwise quite harmless.
3.2.3 THE LEHIGH VIRUS
The Lehigh Virus was first found on computers at Lehigh
University in the United States, from which it got its name. It
is contained in a reserved part of the COMMAND.COM boot file of
MS-DOS boot disks, and once it has infected the disk it will try
to copy itself to another COMMAND.COM file each time a disk is
accessed (i.e. when reading a directory, copying, etc.). The
original (parent) version kept a counter - once it reached 4,
every disk used in the system thereafter would be completely
erased (bootsector and FAT overwritten with zeroes).
It works not only on floppy disks, but on hard disks as well.
3.2.4 THE SEX.EXE VIRUS
If there is one virus that demonstrates exactly how Trojan
Horses function, it is definitely the SEX.EXE Virus (which is
actually not a virus as such).
The program itself, which is an .EXE type file that can be run on
its own (the equivalent of a .PRG file on Atari systems), is
relatively harmless (apart from the occasional deafness that may
or may not result from excessive viewing). It shows a picture of
a couple of people trying to prevent the human race from
extinction.
While you watch it, however, the program infects the system with
a true virus. After a while, hard disk users would notice their
FATs getting corrupted - the more you would use the system
utilities, the more severe the corruption would get.
3.2.5 THE BLACK JACK VIRUS
The Black Jack Virus, of which rumours seem to indicate that it
was written either by an employee of a large software company in
Stuttgart, West Germany, or by students at the University of
Vienna, is a really mean one.
It works much like many viruses on TOS computers do, which means
that a system vector is bent to point to it, after which genuine
Operating System calls (in this case the one that loads and
executes a program) get to do some virus multiplication before
they are actually carried out.
The reason why it is called Black Jack Virus is the fact that,
in the original version, it is 1704 bytes long (17+04=21). The
Black Jack Virus used its own kind of memory management routine,
which made it very hard to detect.
3.2.6 THE RUSH HOUR VIRUS
The Rush Hour Virus was written for demonstration purposes by
someone called B. Fix in Heidelberg, West Germany. Obviously, he
is the kind of person that believes, rather naively, that adding
a comment along the lines of "Typing in this program with the aim
of spreading it to other systems is an offence!" will actually
not cause the virus to be spread anywhere.
Luckily, it does not do much except for multiplying itself to
keyboard driver files. However, a listing of this virus appeared
in a book about viruses. It would probably not take much more to
adapt it to do something seriously harmful.
One wonders seriously.
3.2.7 DARK AVENGER
Not to be mistaken for the thing Kathleen Turner refers to as
"bold avenger" in the Danny DeVito film "War of the Roses",
this virus is resident and extremely prolific at infecting any
executable files opened for any reason (even using the DOS COPY
and XCOPY commands will cause both the source and target files to
become infected). Another name for this virus is Black Avenger.
This virus was considered worth mentioning as it is the first
virus that has been officially deliberately spread in The
Netherlands, which also led to the first ever lawsuit involving,
if it may be called that in a "1984" way, virus crime. That was
in October 1990.
Curiously enough, the virus contains the text string "This
program was written in the city of Sofia. Eddie lives....
Somewhere in Time!". This particular virus author from Sofia,
Bulgaria, is thought to be responsible for at least 20 to 30
viruses on the PC. A more recent version of his 'work',
Nomenklatura, has been reported to have once infected the British
House of Commons Library computers.
3.2.8 THE MICHELANGELO VIRUS
Another rather notorious virus that came into the news only
recently (early 1992) was the Michelangelo Virus, probably named
after the fact that its date of activity was the birthday of the
famous artist of old (no, not after one of those dreadful Ninja
Hero thingies!). It is supposed to have been written either in
Scandinavia or the Netherlands. It was programmed to strike on
Friday, March 6th 1992. Even before it struck it was already
estimated that it would hurt more than 1,000,000 Personal
Computers world wide, with an estimated damage of almost
£100,000,000 - which just goes to show how viruses can frighten
the living daylights out of people who don't know what to do
against them.
The Michelangelo Virus is particularly destructive. When the
system date happens to be March 6th 1992, it will simply erase
each and every hard disk sector. It will not be hard to imagine
what kind of damage may result from that.
A simple solution would have been to skip that date, i.e. on
March 5th change the date to the 7th, and on the real March 7th
(when the computer 'thinks' it's March 8th) change it back to the
real date.
3.2.9 JOKEWARE
An English company called Hi-Jinx software launched a package
called "Jokeware" not too long ago. It is actually a package 'to
amuse your friends', and contains various virus-like things that
will make a Pacman eat the screen at a certain time, or that will
print a 'hard disk formatted' message on the screen. Harmless, of
course, but only if you are aware of its humorous intent.
The package is said to restore an 'infected' PC to its old self
within a maximum of 10 minutes - so any aggravation should be
temporary.
3.3 AMIGA VIRUSES
It's easy to remember the days, early 1987, when the first tales
about viruses on the Commodore Amiga were heard at local computer
clubs. I myself remember the way we used to laugh at Amiga users
struck by viruses - rather childish, really - before they were
discovered on the ST.
Amiga viruses work in much the same way as their TOS computer
counterparts. They also mostly use the bootsector (which on the
Amiga is called boot block, and which happens to be two sectors -
i.e. 1024 bytes - long), out of which they copy themselves into
memory, point a system vector to themselves and run in the
background. Normally, memory-resident Amiga viruses seem to nest
themselves into an Amiga's memory at the addresses $7E800, $7EC00
or $7F800.
The first virus on the Amiga was the SCA Virus, which gave away
its presence by scrolling the message "Something wonderful has
happened - Your AMIGA is alive !!!" across the screen every time
it had been successfully multiplied. It was actually harmless,
and was only active during booting. The thing that caused it to
get very widely spread was the fact that it was originally spread
unintentionally on a regular program disk.
The next virus to occur was the so-called Byte Bandit Virus. It
did not destroy any data, but was not totally harmless either.
For starters, it manipulated the DoIO ('Do Input Output', an
Operating System sub-program in the Amiga) vector so that it was
able to copy itself to every single boot block it possibly could.
After the second reset and the sixth copy, it started a counter
that would black-out the screen after seven (PAL version) or five
minutes (NTSC version). Although this would mean RESET for most
people, a hidden option in the virus (pressing [L-ALT], [L-
AMIGA], [SPACE], [R-AMIGA], [R-ALT]) enabled the user to switch
the screen back again for a couple of minutes.
There have also been adapted versions of both these viruses;
Obelisk, AEK, LSD, Pentagon, Bamiga Sector One, Warhawk,
Micromaster and Northstar, for example, are all versions of the
SCA Virus.
Whereas the ones above were boot block viruses, the third one to
occur, the IRQ Virus, was a link virus that infected system files
(making them 1,060 bytes longer). It used some of the CLI
(Command Line Interpreter) commands to multiply itself. It was
discovered around January 1989.
The next things to appear on the Amiga were the so-called Lamer
Exterminator Viruses, of which the third type (#3) was really
something new again: it detoured all I/O operations from/to the
boot block to another sector, so that theoretically even a disk
containing a boot block could be infected without the original
boot block being destroyed!
Other viruses on the Amiga are, for example, the boot block
viruses Revenge, Gadaffi, Disk-Doctor, Timebomb and Byte Warrior
(also known as DASA); other link viruses are BSG9, Disaster
Master V2 (also known under the name CLI Virus), Smily
Cancer/Centurions, Virusslayer, VKill, and Travelling Jack.
There are supposed to be well over 100 viruses on the Amiga.
In his "Terminator" virus killer program manual (which used to
be marketed by English CRL plc. before they went into
receivership) its author, R.G. Pickles, stated that disk
write-protection on the Amiga is purely a software matter - in
other words it is the programmer's responsibility to protect the
user from writing to write-protected disks. This seems to make
the Amiga a lot more vulnerable to virus infection than Atari
systems.
Some popular virus killers on the Amiga are, for example,
"Terminator", "System Z 4.0", "Blizzard Protector", "LSD Virus
Checker" and "Ass Protecter 1.0".
On an older Commodore machine, the Commodore 64, viruses also
exist. As a matter of fact, as recently as early 1992 a German
magazine called "64'er" published a rather controversial
competition for its readers that involved the writing of the most
brilliant Commodore 64 virus. Apparently the chief editor was on
holiday around that time...
3.4 MACINTOSH VIRUSES
Some rather interesting stories concerning viruses are known
from the world of the Apple Macintosh, the computer that some of
you may know through popular so-called 'Macintosh Emulators' the
likes of "Magic Sac", "Aladdin" or "Spectre".
Probably the most well-known Macintosh virus is the Scores
Virus, which was first found in 1987 and reported by R. Roberts
in his book "Computer Viruses", published by Compute! Books one
year later. This virus started out when, apparently, dozens of
computers were sold to several government agencies (the
Environment Protection Agency and NASA, but also Apple Computer's
Washington DC sales office) with infected hard disks. The FBI,
would you believe, was called in to investigate. The virus had
several 'time bombs' built in, and the symptoms usually were
printing problems, the odd program crash or malfunction of desk
accessory operations.
Some time ago, a journalist wanted to check out how widespread
software piracy on the Mac was. For this purpose, he created the
Joke Virus, which primarily spread itself in the USA, Canada and,
although to a lesser extent, Europe. This virus would print a
certain message on March 2nd, after which it would attempt to
destroy itself. The fact that it also (accidentally) destroyed
system and other files could lead to substantial damage.
Another story is that of a producer of educational software that
worked for Microsoft, Aldus. Due to one of their programmers'
systems getting infected, a master copy of a graphics program
called "FreeHand" was supplied with a virus before it was
duplicated in a copying machine that was also used to duplicate
software for Microsoft, Apple, Lotus and Ashton-Tate (some big
names in the industry). For three days, infected software was
being produced. The virus in question, the MacMag Virus that is
also known as Peace Virus, has the dubious honour of being the
first virus in history ever to have been widely spread on
original software.
Another virus for the Macintosh, which was first seen early in
1988, is the Frankie Virus, also often called Aladdin Virus
because it is thought only to appear (or even only to work) on
the "Aladdin" software Macintosh emulator for the Atari range of
computers. Its aim, supposedly, is to prevent the spreading of
pirate copies of this Macintosh emulation software. The virus can
copy itself, though it is not quite known how it does that. It is
not even known whether it is a link or a bootsector virus. After
a while of computing (hardly more than five minutes), the top
line of the screen scrolls up and displays the message "Frankie
say: No more piracy". Immediately after that, the system is
frozen. Pressing the reset button no longer re-activates the
emulator either.
Some other viruses on the Mac, to round this off, are nVir, INIT
29, ANTI, MacMug, WDEF, ZUL and MDEF.
3.5 APPLE II VIRUSES
The first virus to appear on the Apple II series of computers, a
much older type of computer than the Macintosh, was called Cyber
Aids. It occurred for the first time early in 1988. This started
the fight against viruses on the Apple II, led by Glen Bredon
with his popular "Apple-Rx" virus killer. The summer of that year
saw the release of a second virus, called Festering Hate. Both
these viruses were of the link virus variety - the first one
wiped the main directory, and the second one wiped the entire
disk. These viruses are now very rare, due to the effectiveness
of "Apple-Rx" in the virus battle.
Another virus that has been quite nipped in the bud is the BURP
Virus. This destroys volume subdirectories and leaves the name
"BURP" as the name of the destroyed volume.
Two French viruses that only work on the Apple II GS are Screen
Blanker and Load Runner. These are both bootsector viruses. The
latter one is rather nasty: On a date before September, it will
only copy itself. On odd days in September, it will change the
border colours. On a date after September, it clears both boot
blocks (Apple II disks have two boot blocks).
3.6 NOTORIOUS COMPUTER GROUPS
In a chapter about the general history of computer viruses, it
is highly appropriate to devote a bit of space to two hacking
groups that have 'earned' the right to be mentioned, if only for
the fact that their names seem to pop up repeatedly in most
journalists' publications pertaining to computer viruses.
3.6.1 THE CHAOS COMPUTER CLUB
The Chaos Computer Club, more commonly known as CCC, is located
in Hamburg, Germany. They publish their own magazine called
"Datenschleuder", and have been known to hack their way into top
security United States computer systems like those of NASA,
among some other rather illustrious facts.
Some way or another, they always seem to be the people that get
interviewed or questioned whenever the topic of 'computer
viruses' appears - though they are actually hackers rather than
virus writers.
3.6.2 THE BAYRISCHE HACKER POST
Unlike the Chaos Computer Club, the Bayrische Hacker Post from
Munich is thought to have produced viruses. On the ST, they are
believed to have conceived at least one bootsector virus (the BHP
Virus) and one link virus (the Garfield and Papa Virus, done by
two people that regularly wrote for their magazine).
The Bayrische Hacker Post also used to publish a magazine on an
irregular basis, called "Bayrische Hacker Post", in German. In
this, various topics concerning computers (and, indeed, also
computer viruses) are covered. Not much is known about their
current activities.