A Bit of Archaeology

There are different opinions on the date of the first computer virus. The Nivac 1108 and IBM 360/370 already had them. Therefore the first virus was born in the beginning of 1970 or late 1960, although nobody was calling it a virus then.

The Outbreak

Those who started using IBM PCs as far as in mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays and computers started playing hymns.

Soon it became clear that this problem wasn't with the hardware, it was a virus, and not only one, more like a dozen.

Viruses started infecting files. The "Brain" virus and bouncing "Ping-pong" ball virus marked the victory of viruses over the boot sector. IBM PC users didn't like it at all and then antidotes appeared.

Only few of them are still alive, and all of these anti-viruses did grow from single project up to the major software companies playing big roles on the software market.

There is also a difference in viruses conquering different countries. The first vastly spread virus in the West was a bootable one called "Brain".

The "Vienna" and "Cascade" file viruses appeared later. Unlike that in East Europe and Russia file viruses came first followed by bootable ones a year later.

Time went on and viruses multiplied. They were all alike in a sense, tried to get to RAM, stuck to files and sectors, periodically damaged files, diskettes and hard disks. One of the first "revelations" was the "Frodo.4096" virus, which was the first invisible virus (Stealth).

This virus intercepted INT 21h, and during DOS calls to the infected files it changed the information so that the file appeared to the user uninfected.

But this was just an overhead over MS-DOS. In less than a year electronic bugs attacked the DOS kernel ("Beast.512" Stealth virus). The idea of invisibility continued to bear its fruits: in 1991 there was a plague of "Dir_II" and "Yeah!".

It was easy to fight the Stealth ones: once you cleaned RAM, you could stop worrying, search for the beast and cure it. Other, self encrypting viruses, sometimes appearing in software collections, were more troublesome.

To identify and delete them it was necessary to write special subroutines, debug them.

Nobody paid attention to it until the new generation of viruses came, those called polymorphic viruses. These viruses use another approach to invisibility: they encrypt themselves (in most cases).

To decrypt themselves later they use commands which may and may not be repeated in different infected files.

Polymorphism - Viral Mutation

The first polymorphic virus called "Chameleon" became known in the early '90s, but the problem with polymorphic viruses became really serious only a year after that, in April 1991, with the worldwide epidemic of the polymorphic virus "Tequila".

The first epidemic in Russia, caused by a polymorphic virus, happened late in 1994 called "Phantom1".

The idea of self encrypting polymorphic viruses gained popularity and brought to life generators of polymorphic code. In early 1992 the famous "Dedicated" virus appears, based on the first known polymorphic generator MtE and the first in a series of MtE-viruses.

Shortly after that appears the polymorphic generator itself.

It is essentially an object module (OBJ file). To get a polymorphic mutant virus from a conventional non-encrypting virus it simply link their object modules together (the polymorphic OBJ file and the virus OBJ file).

To create a real polymorphic virus one doesn't have to dwell on the code of his own encryptor/decryptor.

He may now connect the polymorphic generator to his virus and call it from the code of the virus when desired.

Luckily the first MtE-virus wasn't spread and did not cause epidemics. The anti-virus developers had some time in store to prepare for the new attack.