Cryptolocker

In September 2013, the Cryptolocker virus is thought to have first been posted online. Part of a new class of malicious software called ransomware, it would encrypt files on infected machines and then demand a ransom from users for the decryption key. Spread through email attachments and also distributed by the Zeus botnet, it is responsible for extorting an estimated $3 million from infected victims. After encrypting files using public RSA keys, it would display a message demanding payment via bitcoin or cash vouchers. In 2014, a joint police sting called Operation Tovar took down the Zeus botnet and recovered the database of private keys used by Cryptolocker. An online tool was later created to allow users to retrieve their keys and decrypt their files. Several other versions of this ransomware came later, using variations of the original “cryptolocker” name.

The Cabir Virus

This was the first cell phone virus, and it appeared in June 2004. A network worm dubbed Cabir, it was a proof of concept. It spawned several later variants and spread between mobile phones by using a Symbian operating system distribution file that was modified to masquerade as security software. Users who ran the file saw the word “Caribe” on their screens, and the worm set itself to run whenever the phone was on. Once a phone was infected, it scanned for other Bluetooth phones to spread to.

The MyDoom Virus

In January 2004 the MyDoom.A virus appeared, spreading quickly and setting records for the number of infections. A potent worm that also left behind a trojan, it is estimated to have been found in one of every 12 emails. Millions of infected messages were discovered at the peak of its spread, and it is considered one of the worst viruses ever released into the wild. The trojan it left behind launched a denial of service attack against the SCO Group’s website. An estimated 25,000 to 50,000 infected computers took part in the massive attack. MyDoom also launched the era of criminal virus enterprise, as the zombie machine networks created by such worms offered profit to those who controlled them. A war between the writer of MyDoom and the Beagle virus began later, when Beagle was finding and removing MyDoom from machines it infected.

The Slammer Worm

On January 25th, 2003 Slammer made its appearance, rapidly spreading to nearly 75,000 machines. The worm exploited a buffer overflow vulnerability in Microsoft’s SQL Server and MSDE database products. Thousands of companies and organizations suffered massive downtime because of their reliance on MS SQL and unpatched machines. There were heavy slowdowns in internet traffic globally, even causing core internet routers to crash. To this day Slammer is considered the first high speed worm.

Slammer doubled in size every 8.5 seconds and infected more than 90% of the world’s vulnerable hosts within 10 minutes.

The Sobig Worm

The Sobig-F worm appeared in August 2003, not long after the Blaster worm. It went down in history as the fastest spreading virus ever. Carrying its own internal SMTP engine, it was able to email copies of itself at an explosive rate.

The Blaster Worm

The Blaster worm appeared in early August 2003 and promptly infected millions of PCs because of a security flaw in Microsoft’s Windows OS. The hole allowed the worm to download itself to vulnerable systems, which meant it didn’t require any action by the user to infect the machine. It was also designed to launch a denial of service attack against Microsoft’s Windows Update site, where users could download a patch to protect themselves from the vulnerability. Two variants of the worm later appeared: Blaster B and Welchia.

View the original CERT advisory.

The Nimda Worm

The CERT/CC received reports of new malicious code known as the “W32/Nimda worm” or the “Concept Virus (CV) v.5” in September 2001. This new worm appeared to spread by multiple mechanisms.

It modifies web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects, and creates numerous copies of itself under various file names.

View the original CERT advisory.

The Code Red Worm

Code Red is a worm that gained notoriety when it appeared in July 2001. It quickly spread among vulnerable IIS servers around the world. It is self-replicating malicious code that exploited a known vulnerability.

View the original CERT advisory.

The I Love You Virus

The “Love Letter” worm is a malicious VBScript program that first appeared in May 2000 and spreads in a variety of ways. As of 5:00 pm EDT (GMT-4) on May 8, 2000, the CERT Coordination Center had received reports from more than 650 individual sites indicating that more than 500,000 individual systems were affected. In addition, there were several reports of sites suffering considerable network degradation as a result of the mail, file, and web traffic generated by the “Love Letter” worm.

You can be infected with the “Love Letter” worm in a variety of ways, including electronic mail, Windows file sharing, IRC, USENET news, and possibly via webpages.

View the rest of the original CERT advisory.

Michelangelo Virus

The Michelangelo virus was one of the first viruses to capture widespread public attention on such a massive scale. It was capable of destroying the contents of hard drives on the same date as the famous artist’s birthday, March 6th.

This turned out to be more hype than fact, and the hysteria over it made it the first high profile virus. In January 1992, two major computer manufacturers announced they had erroneously shipped equipment infected with Michelangelo. The media, fascinated with it, would eventually inflate its immediate threat. This in turn created mass hysteria. Anti-virus software flew off the shelves, fueling conspiracy theorists’ wildest dreams.

When March 6th arrived, worldwide incidents numbered between 10,000 and 20,000. This was not the widely reported five million the general public expected, and the media quit running stories about Michelangelo the same day, hoping to forget the embarrassment. The virus is largely dead today, overshadowed by its more powerful grandchildren like Blaster and Sobig.

The original CERT advisory on Michelangelo is available from: http://www.cert.org/advisories/CA-1992-02.html