Couputer Parazsife9 ^me(igs gl Catafogue of 'FirstSigfltin s of RseaC &. Omaginoars 'Betins -

Corinne Cnutlemn Wagts itusrr4rdyJ3. STbQns

VIRUSES tect and "kill" creepers. (The messages began appearing on the Viruses, in their simplest form, Cincinnati Post, Feb. 1, 1988) ARPAnet. Status messages are nor- just replicate themselves. A slight- Rabbit - One of the first known mally broadcast from each node ly more advanced virus not only viruses, first sighted in 1974 by of the network to relay their read- duplicates a program but renames Bill Kennedy. When Rabbit was iness to handle new data. Each each one slightly differently. More introduced into a system, it copied node then propagates copies of sophisticated viruses erase files, itself and continued to toss the incoming status messages to other scramble memory, turn off the copies back into the input job- nodes in an ongoing determina- power, or do any/all of these things stream (the place where programs tion of the optimal path for the with a time delay, called a time start). This slowed the communi- electronic traffic. Status messages bomb. Some viruses "burn a hole" cation between the input job- are supposed to be trashed im- somewhere so that a certain com- stream and its console (teletype mediately afterward, but in this mand will do something else, i.e., where system operator sees what's case the message from a parti- given an addition command the going on), which made Rabbit cular node somewhere near Los program subtracts instead. harder to kill the longer it ran. Angeles became mutated. Its con- (comp.risks [an electronic journal taminated form caused a "garbage Creeper - Possibly the first collector" malfunction in the re- known virus, first sighted in 1970. on the Usenet network], Mar. 29, 1988). ceiving nodes. No messages could Built by Bob Thomas of BBN, it be thrown out, thus saturating the Pervading Animal was a demonstration program that - An early nodes. Yet the nodes continued to proto-virus attached crawled through ARPAnet, a na- to a Univac propagate waves of this debilitating 1108 game program tionwide Pentagon-funded net- called Animal. message, infecting others which While the user was playing work linking university, military the couldn't dump the infected mes- and corporate computers, spring- game, Pervading Animal copied sage, until it spread throughout ing up on computer terminals itself into every write-enabled the whole network like cancer program with the message, "I'm the file available. (Mike Van and ground it to a halt. It was 72 Pelt, comp.risks creeper, catch me if you can!" Mar. 29, 1988.) hours before technicians could A version of Creeper done by Ray Smart Virus - In the book The revive it. (Software Engineering Tomlinson not only Inoved through Adolescence of P-1 (Thomas J. Notes, Jan. 1981.) the net, but also replicated itself Ryan, Collier Books, 1977), there 2600 VAX Virus - This one at times. is an example of an intelligent, replicates itself, sends jobs con- Reaper - In response to Creeper, information-hunting virus. tinuously to the batch queue this virus also jumped through the ARPAnet Data Virus - On Oc- (where programs line up, waiting network, but it proceeded to de- tober 27, 1980, multiple "status" to be run). All that happens is the

27 GATEFIVE ROAD SAUSAUTO CA 9496S I 07 71(3 Queue might overflow. (2600, come to the dungeon ... Beware response on the 13th of any month, Aug. 1986, vol. 3, no. 8.) of this VIRUS. Contact us for vac- it would also put garbage on the Virus - First sighted cination." The message includes screen from time to time. What in 1981 or. 1982, this one runs on the address and phone number of called attention to the virus was the Apple II family. It inserts itself Computer Services, a com- an error in the virus code itself, into the DOS operating system. puter company in Lahore, Pakistan, which caused it to mistake pre- Elk Cloner hooks into the RUN, and the names of two brothers, viously infected programs as un- LOAD, BLOAD, and CATALOG Basit and Amjad. infected. In error, it would add commands to make them check The virus markssome disk sectors another copy of itself to the pro- the accessed program disk and as bad.'It modifies several com- gram. Some programs were in- infect it. It prints a poem: mand files, maybe all of them fected as many as 400 times and the growth in The)Program with a personality eventually, without changing file size of the program was noticeable. This It will get on all your disks sizes or dates. Even if the boot one was dis- covered before It will infiltrate your chips sector is rewritten, the virus re- D-day, but it had infected home, university, Yes, it's cloned mains active through the command and military computers before It will stick to you files it modified. No known cure. it like glue was detected. It will modify Ram too (comp.risks, Apr. 5, 1988.) MaclnVirus - First known en- Send in the cloned This is the first virus to infect an counter by David Spector. This (comp.risks, Apr. 26, 1988 by American newspaper's was written by a West Ger- Phil Goetz) system (The Providence Journal- man and posted to CompuServe Finger Virus - A speculative Bulletin). When the phone number in a HyperCard stack. The virus virus that would go out replicating in Pakistan, was called, the person is disguised as a resource that until it found a specific person. who answered expressed surprise inserts itself in a system trap Then it would send that person's that the virus had travelled so far handler (the place where the e-mail address back to its creator. - and refused to give his last computer catches errors so they (Fred Hapgood, First Artificial name. (New York Times, May Life won't cause system crashes). The Conference, Sept. 1987). 25, 1988.) virus destroys hard disks and the Lehigh Virus - First sighted Nov. Amiga Virus - This one is a applications that run on them. 25, 1987 by Jeffrey Carpenter, simple modification of the Amiga (comp.risks, Jan. 10, 1988.) boot block. On an Amiga floppy posted on Usenet. It attached it- "Good" Virus - Written the boot block consists of the first by a self to a few lines of the operating West German programmer, two sectors on the disk. Normally this system used on the IBM PCs that virus won't let it contains a small bit of code "unknown" pro- Lehigh University provides for stu- grams run on one's that loads and initializes the DOS machine. If dent use. It is a corruption of a le- the programs when it is "booted" or turned to be run aren't gitimate program, Command.Com, already infected on. Some commercial software with THIS virus, the basic boot-up file of MS-DOS they won't be packages and games store special allowed to run at and PC-DOS. The virus destroys all. (comp.risks, Jan. 10, 1988.) data on floppies and hard disks by information in the boot block. writing zeros to the first thirty-two Since the virus overwrites this, the sectors of a disk (which erases the information is lost forever. After directory kept in the first couple a certain number of disks have been of tracks), making the data un- infected the virus will recoverable. print a message: , It spreads when a clean PC is "Something wonderful booted from an infected disk and has happened. the user accesses a second, un- Your Amiga is alivell infected program disk with the and even better ' resident commands: TYPE, COPY, Some of your disks are infecte DIR, CHDIR, ERASE, MKDIR, by a VIRUS RMDIR, VERIFY. The virus waits Another masterpiece of the until it has been copied four times Mega-Mighty SCA" before it wipes out the data on (comp.risks, Dec. 7, 1987.) the disk on which it resides. Israeli Virus-- First sighted by © Brain Virus - First sighted Yuval Rakavy, a student at Hebn Fall, 1987 at the University of Del- University; first mentioned pub- aware. It changes the volume label lically in Maariv, one of Israel's (the given name) of a floppy or daily newspapers, Jan. 8, 1988. hard disk to © Brain. The boot Designed to begin destroying fil record contains a message: "Wel- on May 13, and to slow comput

1 08 WHOLE EARTH REVIEW FALL 1988 2-4141 this virus is to print all your files the virus resources have been onto paper, erase all the disks on deleted, but they have been re- your system, buy fresh software named and will return when the disks from the manufacturer, and Mac is restarted. type in all your data again. But Apparently, the virus doesn't FIRSTI send this message to every- attempt to spread itself over one you know, so that they will networks. also protect themselves. The virus causes printing This virus took Jeff Mogul tvo problems, system crashes, appli- minutes to produce and he didn't cation crashes on launch, and even have to write any code. damaged Excel files. Scores Virus - First sighting MacMag Virus - First sighted mentioned in MacWeek, Apr. 12, by Chris Borton Mar. 8, 1988 and 1988. In existence since at least posted to comp.risks on Usenet. February, and possibly since as First mentioned in print in the early as September 1987. It in- Toronto Star March 16, 1988. The filtrated several government agen- virus was launched in December cies, Apple sales offices, and the 1987 by Richard Brandow, pub- Mac of an unidentified senator, lisher of MacMag magazine in as well as MacWorld and Mac- Montreal, Canada. It was supposed intosh Today. to be a simple message of peace, First dissected by John Norstad designed to pop up on Macintosh and Bob Hablutzel, this virus has screens on March 2, the anniver- several time-delay features. It's sary of the introduction of the Virus Compressor - First imag- designed to attack two custom ap- Apple Macintosh SE and Macin- ined by Fred Cohen, this virus plications called ERIC and VULT, tosh II. The virus infects the System would compress the coding of but it will infect anything. Several file, but doesn't directly affect ap- data, permitting it to be stored in days after infecting a Mac system, plications. After March 2 the virus a smaller space. It would ask per- the virus attempts to locate and erased itself. Although this virus mission of the user each time it modify any files with the creator was designed to be benign, it had acted. (New York Times, Jan. code of ERIC or VULT. The code some nasty side effects: it played 31, 1988.) of the virus is written to make the havoc with users' System folders, Target Virus - This one would targeted program dysfunctional. resulting in thousands of hours target a specific program or in- The virus lies dormant for two of lost work. · dividual, for example, by systema- days after infection. After two, tically altering spreadsheet data or four, and seven days various parts performing other subtle changes. wake up and begin their mischief. (The Cincinnati Post, Feb. 1, 1988.) Two days after the initial infection the virus begins to spread to other The Anti-Virus Software Virus applications. After four days the - First imagined by Chuck Wein- second part of the virus wakes up. stock, posted to Usenet Feb. 9, It begins to watch for the VULT 1988. The virus is, of course, im- and ERIC applications. Whenever bedded in the software you use VULT or ERIC is run, the system to detect viruses, and therefore bombs after twenty-five minutes' goes undetected. use. After seven days the third part Meta-Virus - First imagined by of the virus kicks in. Whenever Jeffrey Mogul, Feb. 9, 1988 on VULT is run the virus waits fifteen Usenet. This is a paranoia virus, minutes, then causes any attempt created only with words: to write a disk file to bomb. If you WARNINGI A serious virus is on don't do any writes for another the loose. It was hidden in the ten minutes the application will program called 1987 TAXFORM bomb anyway. that was on this bulletin board Deleting the infected resources last year.... By now, it is possible isn't enough to remove the virus that your system is infected even since the virus recognizes the at- if you didn't download this pro- tempt and modifies its resource gram, since you could easily have identification and memory loca- L I ZtecmtfG11 been infected indirectly. The only tion when probed by resource safe way to protect yourself against utilities. ResEdit "thinks" that

27 GATEFIVE ROAD SAUSLITO CA 9496S 1 09 The virus spread to Europe and the King II Virus - A virus that not cent program. Viruses replicate; West Coast, and it is the first virus only kills other viruses, but feeds Trojan Horses do not. Some are to infect a commercially available on them, getting stronger each written from scratch, some are personal computer product. it was time. Imagined by Michael Zent- adulterated copies of legitimate inadvertently passed to Aldus by ner, Mar. 16, 1988, Macintosh programs. Some Trojans erase or Marc Canter, president of Macro- Conference on The Well. scramble data, some just scramble Mind Inc. of Chicago, which makes Bell Labs Virus - A compiler pro- or erase the file allocation table. training disks for Aldus. Mr. Can- gram (which translates a human Some begin destruction within ter's personal machine caught the programmer's instructions into a minutes of infection, others per- virus from an infected copy of Mr. set of Is and Os that a computer .form as legitimate software for Potato Head, a computer game. can read) had been altered so that weeks or months, then touch off a Mr. Canter ran the program only it secretly embedded a hidden time bumb. Some Trojans put up a once; it was enough to infect his "trapdoor" each time it created screen message such as: "I'm de- computer, which was later used a new version of the operating leting all your files," then proceed to work on a training software system. The secret trapdoor altered to do so. Some put up a similar disk for Aldus. Aldus admits that a the system so that, in addition screen message, but don't follow disk-duplicating machine copied to normal users' passwords, it through. The more sophisticated the infected disk for three days. would recognize a magic pass- Trojan Horses delete themselves Half of the infected disks were word known only to one person. with their last line of program- distributed to retailers; the other The instructions never showed up ming. In other cases the Trojan half were warehoused. in the program listing - it was isn't actually inserted directly into Immortal Virus - First imagined undetectable through normal the program. Only a pointer is by Paul Hoffman, Mar. 13, 1988 in means. The virus never escaped placed in the program, telling the the Macintosh Conference on The Bell Labs. system which program to run, and the horse is hidden elsewhere. WELL. This virus would live in Atari ST Virus - First dissected some cache-like memory on a Mar. 22, 1988, posted on Usenet Notroj - This Trojan Horse pre- serial port or parallel port (what Mar. 26, 1988 by Martin Minow. tends to be a program that guards connects a printer to a computer) Once installed, this virus will against Trojans. It's actually a time so it would survive a warm boot, copy itself onto every non-write- bomb that wipes out the hard even after a devirusing. protected disk used. It tests an disk after it's more than 70 per- uninfected disk to see if it con- cent full. (New York Times, May tains the virus, replicates, then it 19, 1987.) keeps count of how many times 'XmasCard Trojan - First known the disk is used after that. When a sighting Dec. 9, 1987. It was writ- certain limit is reached, the virus ten as a prank by a West German writes random data across the student. This Trojan began in a root (central) directory and file European academic computer net- allocation tables (the computer's work (Bitnet) and jumped through index of where data are stored) electronic gateways to five con- for the disk, making it unusable. tinents and to the internal e-mail The virus then removes itself from system of IBM. In the IBM internal the damaged disk. The current e-mail system, a holiday message virus doesn't affect hard disks. promised to draw a Christmas tree This virus may survive a reset on the screen if someone would (a warm boot - resetting the type the word "Christmas" on the machine without turning it off). computer. When they did, it drew No-Name Virus - First rumored a tree but it also sent a copy of to exist Mar. 26, 1988 on Usenet, itself to all of the other network posted by Martin Minow. This mail addresses kept in each user's virus is almost impossible to de- electronic rolodex. Along with a tect because for each disk, it scans very primitive tree (made of capital for any program file and appends "Xs"), a message was displayed: itself to the text segment in some "A very happy Christmas and my way. This makes it very difficult to best wishes for the next year. Let tell whether or not the virus is this run and enjoy yourself. Brows- ing this file is no fun at all. Just King Virus - A virus that kills actually on the disk. type 'Christmas'" other viruses and replaces them with itself. First imagined by An- TROJAN HORSES Once opened, the program rare- drew Beals, Mar. 16, 1988 on These parasites are bits of code ly accepted commands to stop. The Well. No known sightings. slipped into an otherwise inno- Operators who turned off their

I I 0 WHOLE EARTH REVIEW FALL 1988 which rewrite themselves suc- ran loose through a computer cessively through the computer's network, gobbling up computer memory. The programs on indi- memory in order to duplicate vidual computers are the segments, itself - there was no stopping it. which remain in communication The worms were used by rebels to with each other. Almost any pro- undermine a dictatorial govern- gram can be modified to incor- ment wielding power through a porate the worm mechanism. computer network. Xerox PARC Worm - In 1980 "And - no, it.can't be killed. John Shoch at the Xerox Palo Alto It's definitely self-perpetuating Research Center devised a worm so long as the net exists. Even if which wriggled through large one segment of it is inactivated, computer systems looking for a counterpart of the missing machines that were not being portion will remain in store used and harnessing them to help at some other station and the solve a large problem. The worm worm will automatically sub- could take over an entire system. divide and send a duplicate xQ)A~c c. (John F. Shoch and Jon A. Hupp, head to collect the spare groups Sept. 1980, Xerox Palo Alto and restore them to their place!' Research Center.) (ohn Brunner, The Shockwave terminals to try to stop the Christ- Existential Worm - A worm Rider, Ballantine, 1975.) mas message lost electronic mail whose sole purpose is to stay Worm Watcher - A special pro- or unfinished reports not saved in alive. It runs no substantive ap- gram which automatically takes the computer. The Trojan infected plication program. The Cookie steps to limit the size of a worm, so many machines that it brought Monster Worm at MIT was one or shut it down if it grows beyond IBM's global electronic mail net- such. It might display a screen a certain limit. The worm watcher work to a halt, disrupting the sys- message such as: "I'm a worm, also maintains a running log re- tem for 72 hours. Plant officials kill me if you cani" cording changes in the state of were forced to turn off internal (John Shoch, 1980.) individual segments. This infor- links between computer terminals Billboard Worm - A worm used mation can be used to analyze and mainframe systems to purge to distribute a full-size graphic im- what might have gone wrong with the message. age to many different machines. a worm. (John Shoch, 1980.) , -A virus was written to follow and Some have graphics of the worm destroy the Christmas Card Trojan nibbling up the screen and head- and then self-destruct in mid-Jan- ing off into memory. uary. The Trojan was generally (John Shoch, 1980.) stamped out by December 14, Alarm Clock Wbrm - A worm 1987. The culprit was tracked that reaches out through the net- down and barred from access work to an outgoing terminal (one to his system. equipped with a modem), and Turkey Trojan - A program being places wake-up calls to a list of passed around via ARPAnet and users. (John Shoch, 1980.) some other computer networks, Gladiator Worms - Bill Buckley called "Turkey:' It's supposed to and James Hauser developed Core draw a picture of a turkey but it Wars, where the object is to write doesn't. Instead it erases all of the a worm program that can replicate unprotected files in the directory. itself faster than another worm (comp.risks May 12, 1988.) program can eat it. The one alive Run.me - This is a graphics at the end wins. Some of the win- program which plays the Star- ning programs have a chromosome Spangled Banner and displays the consisting of only four lines of American flag while it worms its code. Longer genes can't execute way into the hard disk and erases as fast as short ones, so they tend the data on it. (New York Times, to get weeded out. (WER #58.) May 19, 1987.) Shockwave Rider Worm - Still the most sophisticated worm is the WORMS fictional one created by writer John Essentially, worms are simple Brunner in his novel The Shock- creatures: memory crunchers .wave Rider. Brunner's tapeworm mia 7-8/ 27 GATEFIVE ROAD SAUSAUTO CA 94965 II VIRUS REMEDIES installed on a sterile system and Padlock - Prevents anything from the Scores virus is introduced being written on a storage disk As viruses have proliferated, so later, Vaccine will only warn of unless the computer operator have vaccines and other remedies. the virus attack; it will not prevent pushes a button to give permission. infection. Vaccine is available free Viralarm System (Lasertrieve Inc., Data Physician works on IBM PC. on electronic bulletin boards such and UNIX systems. of Metuchen, N.J., 201/906-1901) as CompuServe and Genie. - Consists of a special program to Disk Defender ($199, Elek-tek, Interferon - Written by Robert protect another program, creating IL Woodhead. A shareware program 6557 N. Lincoln Ave., Chicago, a software barrier. The protection 60645; 800/621-1269) - Director is available for individual personal that detects and claims to recog- nize "signals" that viruses give off Technologies, Inc. developed this computers and works for most product, which write-protects in operating systems now available. when they are present, Interferon was intended to complement the hardware all or part of a personal Protec ($195 from Sophco. Inc., Vaccine program from CE Soft- computer hard disk. This protects and common- P.O. Box 7430, Boulder, CO ware of Des Moines, Iowa. Inter- the operating system 80306-7430; 800/922-3001) - A feron is available on electronic ly used programs from viruses. system of programs that includes bulletin boards. Virus RX - Developed by Apple Vaccinate - a virus itself, which dealers), Softlog (Asky Inc., Milpitas, CA. (but sold through local infects the host via the Syringe this is a detection tool to deter- program. It warns the end user Licensed to corporations in lots of 100 units for $2,400.) - Matches mine whether a system has been (the person using the program as infected by the Scores virus, and opposed to the one who wrote it) the current size of computer files against their previous size, and if so, which applications have if a virus infection has occurred. lists damaged thus detects any unauthorized been affected. It It also includes Canary, a quaran- al- additional material, such as applications, invisible files, tine program. When new files are tered system files, and altered a parasite. imported from an unknown source, applications. Virus Rx reports dif- a user places the Canary program Truss - For UNIX systems, it ferent levels of concern from on a diskette with the suspect files. allows the system administrator to simple comments to "dangerous" If the Canary dies, a virus program examine any process and observe to "fatal." It first lists damaged is present. Protec works on the the activities of any user logging applications - those that have IBM-PC family of computers. in from a remote site. Truss at- not been infected by the virus, Checksum - Commonly attached taches to a login shell (the part but will not work and should pro- to the end of a program. Although of the computer that handles the bably be removed. This program not designed as a virus catcher, it commands a user needs to login is available through Apple dealers, can be used to see if the size of to the bulletin board). Truss can AppleLink, and through some the program changes. also freeze a process and allow a users'-group bulletin boards. debugger more detailed informa- Ferret - Created by Larry Nedry Forgery Detector - Designers tion about the errant process. and Scott Winders. Notifies an are now working on software that infected user of the date that the Data Physician ($199 from Digital analyzes a program's style, in a Scores virus installed itself. It's Dispatch, 1580 Rice Creek Road, similar fashion to handwriting helpful in determining where/how Minneapolis, MN 55432; 612/571 analysis. It can then detect when the virus was picked up. Ferret 7400) - The granddaddy of virus "foreign" code is added to a par-' is available on electronic bul- remedies, it detects and in some ticular program. It may also be letin boards such as CompuServe cases eliminates viruses. Makes able to determine the author of and MacNET. (MacWeek, April careful measurements of a com- a virus. (The Cincinnati Post, 26, 1988.) puter's programs and data files to Feb. 1, 1988.) KillScores - Unlocks locked files, detect any alien computer codes. Pirate Detector Virus - This one It includes: disinfects, and leaves files un- keeps track of software duplica- locked. (comp.risks May 11, 1988.) Data MD - One portion of Data tion. It tells you how many copies Vaccine - By Don Brown at CE Physician, which creates a list of of a program have been made, Software, Inc., Mar. 19, 1988. It computer data files to be protected d and alerts you to illegal or viral enables your computer's oper- and watches them while the corn program duplication. (New York ating system to detect alterations puter is in operation. Times, Jan. 31, 1988.) . to the code of your system files Antigen - Attaches itself to an and applications. It requires your individual computer program anc permission for any such alterations. checks it for viruses each time it'! If your system is already infected used. To remove a virus, Antigen when you install Vaccine, there erases the bytes of computer data will be no warning from Vaccine that weren't in the program that the virus exists. If Vaccine is earlier.

112 WHOLE EARTH REVIEW FALL 1988 SPECIAL INAUGURAL REPRINT ISSUE: INFORMATION ENVIRONMENT TOOLS AND IDEAS Whole Earth Review Dedicated to the Incoming Administration 20 January 1996 - Link Page Previous A Village Called The WELL (Fall 1988) Next Getting Over the Information Economy (interview by James Walsh) (Summer 1988)

Return to Electronic Index Page