Created by two programmers named Basit and Amjad, Brain was a boot virus that ran when a computer was booted up with an infected floppy diskette in the A: drive. (Remember when floppy disks were actually floppy?) Once a machine was infected, it would infect all subsequent floppies put in the drive.
Brain, a.k.a. (C)Brain, was also the first stealth virus, meaning that the boot sectors of infected diskettes would appear uninfected to users. The Brain virus didn't spread very quickly, nor was it particularly harmful -- but it ushered in an era of increasingly destructive viruses, worms, and other malware.
Computer viruses have changed a great deal since then. It has generally been an evolutionary change: mostly small developments that, when looked at cumulatively, can be viewed as rather spectacular. In this story we'll look at overall trends in the history of PC viruses; also see the timeline below and to the left for more information about specific virus events.
Virus Or Worm?
In this piece we use the term virus generically to mean any self-replicating software. Technically, though, a virus uses a computer's storage media -- hard disk, floppy disk, flash memory stick, etc. -- as its transfer medium, whereas a worm uses external resources, such as an Internet connection or a network server. Additionally, viruses usually need some form of user interaction to spread, while worms may spread with no user assistance.
The term malware refers to any kind of malicious software, including viruses, worms, Trojans, spyware, rootkits, and so on. We'll get to these other nasties later in the piece.
The Early Years
Once Brain showed the way, many derivative PC viruses followed in the late 1980s. With no built-in protection, Microsoft's DOS operating system made it easy. Before long, there were about 100 known computer viruses. (Today there are about 300,000, according to some estimates.)
The Lehigh virus, discovered at Lehigh University in 1987, was the first to attack an executable file, specifically COMMAND.COM. The Jerusalem virus (1987), which infected both .EXE and .COM files, was the first to trigger its payload (the subroutine within a virus or worm that actually does the damage) on a specific date -- Friday the 13th. Several other Friday the 13th viruses would follow. The Cascade virus (1988) was the first encrypted virus, which made it difficult to alter or remove.
The first worm to spread widely over the Internet was the Morris worm, released in 1988 by Robert T. Morris, then a graduate student at Cornell University and now an MIT professor. Morris claimed to have created the worm as an intellectual exercise to measure the size of the Internet; however, it spread farther than intended, and many machines were infected multiple times. Infected computers -- Unix machines rather than PCs -- slowed down so much that they became unusable.
In the early 1990s, the computing world saw its first mass-generated computer viruses as virus creation libraries (VCLs) were uploaded to renegade BBSes known as VX Exchange Boards. Here, members of hacker clubs could download virus source code, personalize it, and release their own virus with little effort or true knowledge of programming. Fortunately, VCLs tended to create viruses -- such as Kinison, Donatello, Earthday, Genocide, and Venom -- that were too buggy to ever spread far or cause much concern.
The Math-Test virus, which required users to solve simple math problems before executing their commands, was created with a virus creation toolkit. Courtesy of F-Secure.
A number of the VCL viruses were append-class viruses, appending their infective code to the target program. Some were companion-class viruses, leaving the target untouched but using the MS-DOS execute order so that the virus was run instead of the target program. Some VCL viruses had payloads that would attempt to erase the boot sector. Others overwrote target executables.
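The three infection classes described above each leave a different trace in a file-integrity comparison. The following is an added example, not code from the original article: it compares a clean baseline with a later snapshot and labels each change. The .COM, .EXE, .BAT search order, the function names and the sample file names are assumptions introduced here.

```python
import hashlib
from pathlib import PureWindowsPath

# Assumption (not stated in the article): COMMAND.COM resolves a bare command
# name by trying .COM, then .EXE, then .BAT.
EXEC_ORDER = (".COM", ".EXE", ".BAT")

def snapshot(files):
    """Reduce {path: bytes} to {PATH: (size, sha256)}, as a baseline would store."""
    return {p.upper(): (len(d), hashlib.sha256(d).hexdigest())
            for p, d in files.items()}

def classify_changes(baseline, current):
    """Label changed or new executables; returns sorted (path, label) tuples.

    companion   - new file that would run ahead of an existing program
    appended    - known program changed and grew (heuristic)
    overwritten - known program changed without growing (heuristic)
    """
    known = {PureWindowsPath(p) for p in baseline}
    findings = []
    for path, (size, digest) in current.items():
        p = PureWindowsPath(path)
        if p.suffix not in EXEC_ORDER:
            continue
        if path not in baseline:
            later = EXEC_ORDER[EXEC_ORDER.index(p.suffix) + 1:]
            if any(p.with_suffix(ext) in known for ext in later):
                findings.append((path, "companion"))
        elif baseline[path][1] != digest:
            grew = size > baseline[path][0]
            findings.append((path, "appended" if grew else "overwritten"))
    return sorted(findings)

# Constructed sample data: placeholder bytes, not real programs.
BASELINE = snapshot({
    r"C:\DOS\EDIT.EXE": b"E" * 400,
    r"C:\DOS\FORMAT.COM": b"F" * 300,
    r"C:\DOS\CHKDSK.EXE": b"C" * 200,
})
CURRENT = snapshot({
    r"C:\DOS\EDIT.EXE": b"E" * 400,                # target left untouched
    r"C:\DOS\EDIT.COM": b"X" * 60,                 # new file shadowing EDIT.EXE
    r"C:\DOS\FORMAT.COM": b"F" * 300 + b"X" * 80,  # grew by 80 bytes
    r"C:\DOS\CHKDSK.EXE": b"X" * 200,              # same size, new content
})
```

Because a stealth virus can hide its changes from a running, infected system, a comparison like this is only meaningful when the current snapshot is taken after booting from known-clean media.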
