Thread: Computer infection history

  1. Red_Lizard2, post #1: Computer infection history

    Has anyone ever studied or looked at the history of viruses, worms, etc.? I've been doing it on Wiki to do some studying for a test at my club's state conference, and it's been pretty interesting.

    For example, there was a worm created that would update users' Microsoft Windows, another which would make the infected computer print a picture of the "O RLY" owl.

    An interesting thing on the Win32 virus:

    When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User32.dll, then on the 17th of March, June, September, or December, a message is displayed. Depending on the version of the virus the case of each letter in the text is altered randomly. On May 14 (the anniversary of Israeli independence day), a message saying "Free Palestine!" will be displayed if the system locale is set to Hebrew.

    The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus' code. After the rebuild, the virus searches for executable files in folders on all fixed and remote drives. Files will not be infected if they are located in a subfolder more than three levels deep, or if the folder name begins with the letter W. For each file that is found, there is a 50 percent chance that it will be ignored. Files will not be infected if they begin with F, PA, SC, DR, NO, or if the letter V appears anywhere in the file name.
    Or how about Bliss, the virus which did almost no damage and seems like a conspiracy by the anti-virus companies to sell anti-virus to Linux users?

    And the scary CIH virus, which rewrote the first gig of a hard drive with all 0s and would destroy the BIOS.

    I'll probably use this topic to mention others when I find interesting ones, just to warn.
    EDIT: Fuck, I lost all I had typed for the last ten minutes, grrrrrrrrrrrrr. BTW, I'm spending too much time reading about viruses.

    ILOVEYOU: an annoying bitch that really didn't do terrible damage, other than mess up your stuff and be a pain to remove. Came out on May 4, 2000, and 9 days later had infected up to, IIRC, 50 million computers. Used your contact list to send using your name. Appears it used the fact that if you save something like .doc.exe it will look as if it's a .doc and not a .exe, since the attachment was a love letter to you (something like that).txt.vbs. Did leave password-mining viruses, however.

    Blaster: interesting way to infect. Instead of the user downloading it through an attachment, web download, etc., it basically sent itself out to random IPs.

    [quote]effects from the worm.

    The worm contains two messages hidden in strings. The first:

    I just want to say LOVE YOU SAN!!

    is why the worm is sometimes called the Lovesan worm. The second:

    billy gates why do you make this possible ? Stop making money
    and fix your software!!

    is a message to Bill Gates, the co-founder of Microsoft and the target of the worm.[/quote]

    The major flaw with the virus? It was used to DDoS windowsupdate.com, a redirect site to windowsupdate.microsoft.com. Microsoft just shut down the redirect site for a while and suffered almost no damage, while the programmer got himself 18 months in prison.

    Morris Worm: old school, baby. Coded to supposedly test how big the internet was (and considered the first internet virus), it suffered what was "supposedly" a flaw in that, once out of every 7 times, it ignored a "yes" to the question of whether it was already on the system, causing DDoS and damage to web servers all over.

    Now it's time to get some sleep and study some more in the morning.
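The ILOVEYOU double-extension trick mentioned in the post above (a runnable .vbs that shows up as a .TXT once Windows hides known extensions) is easy to screen for at a mail gateway. This is an added illustration in Python, not code from the thread; the extension lists and attachment names are constructed for the example.

```python
import os

# Extensions Windows runs when double-clicked (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions a user reasonably expects to be inert data.
BENIGN_EXTS = {".txt", ".doc", ".xls", ".pdf", ".jpg", ".gif", ".zip", ".mp3"}


def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file
    types' enabled: the final extension is dropped, so
    'LOVE-LETTER-FOR-YOU.TXT.vbs' appears as 'LOVE-LETTER-FOR-YOU.TXT'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def classify(name: str) -> str:
    """'deceptive' when a runnable extension hides behind a data-looking
    one, 'executable' for an honestly named executable, else 'data'."""
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    if real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_EXTS:
        return "deceptive"
    if real_ext in EXECUTABLE_EXTS:
        return "executable"
    return "data"


def triage(names):
    """Map each attachment name to its verdict; a gateway would
    quarantine 'deceptive' and at least flag 'executable'."""
    return {n: classify(n) for n in names}


# Constructed sample attachment names (first two mirror the post's examples).
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "report.doc.exe",
    "ZIPPED_FILES.EXE",
    "notes.txt",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:32} shown as {displayed_name(name):28} -> {verdict}")
```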

  2. Gumby, post #2: Re: Computer infection history

    Back when it was my job to fight viruses on PCs for home users, the two that I thought were the most interesting were Nimda and City.

    I respected Nimda because it could infect an entire network in seconds because of multiple infection vectors.
    You literally had no reaction time. 22 minutes after its release, it was the most common virus on the internet.

    I thought City was hilarious because it made the icons in Win9X systems run from the mouse pointer.

    I also thought Blaster was funny because it was such an obvious exploit.
    Sleep, eat, conquer, meditate, repeat.

  3. Gumby, post #3: Re: Computer infection history

    Oh!
    I left out Welchia, the anti-virus virus. This one was built to remove Blaster and fix the vulnerabilities that Blaster exploited.
    Still a problem, though, because it rebooted the PC after downloading and installing Windows patches.
    We I.T. folks like planned update rollouts, not crazy random updates.
    Sleep, eat, conquer, meditate, repeat.

  4. Red_Lizard2, post #4: Re: Computer infection history

    Well, did my test today, and of course it was on a bunch of networking and things I didn't study. Some were my fault; I should know to study packet sniffing and port scanners for cyber security.

    Also, one of the questions I was able to answer due to TTP; it dealt with ping-of-death.

    Had a question that involved script-kiddies as well.

    Nimba was on there, so was Melissa (of course Wikipedia wouldn't have Nimba?! wtf? go write something up, Gumby :P). Melissa I only knew in name due to reading about the Tuxissa scam.

    Some more I read about today:

    Mydoom: fastest-spreading e-mail worm ever. Thing didn't sound like fun, and I know removal was a bitch if you caught it. Some interesting things about it:

    Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. The worm contains the text message “andy; I'm just doing my job, nothing personal, sorry,” leading many to believe that the worm's creator was paid to do so. Early on, several security firms published their belief that the worm originated from a professional underground programmer in Russia. The actual author of the worm is unknown.
    ...
    Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text “mydom” within a line of the program's code. He noted: “It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate.”
    ...
    The original version, Mydoom.A, is described as carrying two payloads:

    * A backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of the Windows Explorer); this is essentially the same backdoor used by Mimail.
    * A denial of service attack against the website of the controversial company SCO Group, timed to commence 1 February 2004. Many virus analysts doubted if this payload would actually function. Later testing suggests that it functions in only 25% of infected systems.

    A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks HTTP access to Microsoft sites and popular online antivirus sites, thus blocking virus removal tools or updates to antivirus software.
    ...
    A variant of Mydoom attacks Google, AltaVista and Lycos, completely stopping the function of the popular Google search engine for the larger portion of the workday, and creating noticeable slow-downs in the AltaVista and Lycos engines for hours.
    ExploreZip: my, why would you download that pick? The file was named ZIPPED_FILES.EXE. I don't get why a person would think an .exe would contain zip files, and further, why would you use an .exe when the zips could be sent separately? Another user of zero-byte to f up the hard drive.

    ©Brain:
    ©Brain affects the computer by replacing the boot sector of a floppy disk with a copy of the virus. The real boot sector is moved to another sector and marked as bad. Infected disks usually have three kibibytes of bad sectors. The disk label is changed to ©Brain, and the following text can be seen in infected boot sectors:

    Welcome to the Dungeon © 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages....$#@%$@!!

    There are many minor and major variations to that version of the text. The virus slows down the floppy disk drive and makes seven kilobytes of memory unavailable to DOS. ©Brain was written by two brothers, Basit and Amjad Farooq Alvi, who lived in Charminar, Lahore, Pakistan. The brothers told TIME magazine they had written it to protect their medical software from piracy and it was supposed to target copyright infringers only.

  5. Gumby, post #5: Re: Computer infection history

    Quote Originally Posted by Red_Lizard2
    Nimba was on there, so was melissa (of course wikipedia wouldn't have nimba?! wtf? go write something up gumby :P) melissa i only knew in name due to reading about the tuxissa scam
    http://en.wikipedia.org/wiki/Nimda
    Sleep, eat, conquer, meditate, repeat.

  6. Red_Lizard2, post #6: Re: Computer infection history

    Quote Originally Posted by Gumby
    Quote Originally Posted by Red_Lizard2
    Nimba was on there, so was melissa (of course wikipedia wouldn't have nimba?! wtf? go write something up gumby :P) melissa i only knew in name due to reading about the tuxissa scam
    http://en.wikipedia.org/wiki/Nimda
    Oh, guess it helps when I spell right, eh? lol, my bad.
