Virus Evolution Timeline

Theories for self-replicating programs are first developed.

The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.

The Wabbit virus, more a fork bomb than a virus, is written. The Wabbit virus made multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogs the system, reducing system performance, before finally reaching a threshold and crashing the computer.

ANIMAL is written by John Walker for the UNIVAC 1108. Animal asked a number of questions to the user in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structure, and to not copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".

Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild," or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

Fred Cohen, while working on his dissertation, formally defines a computer virus as "a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself."

Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had "Brain" for a volume label.

The Lehigh virus, one of the first file viruses, infects files.

One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day. MacMag and the Scores virus cause the first major Macintosh outbreaks.

Symantec launches Norton AntiVirus, one of the first antivirus programs developed by a large company.

Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.

1300 viruses are in existence, an increase of 420% from December of 1990.

The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that turns ordinary viruses into polymorphic viruses. The Virus Creation Laboratory (VCL) is also made available. It is the first actual virus creation kit.

Good Times email hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an email with the subject line "Good Times." Though disproved, the hoax resurfaces every six to twelve months.

Word Concept becomes one of the most prevalent viruses in the mid-1990s. It is spread through Microsoft Word documents.

Baza, Laroux (a macro virus), and Staog viruses are the first to infect Windows95 files, Excel, and Linux respectively.

Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section. The Chernobyl virus spreads quickly via .exe files. As the notoriety attached to its name would suggest, the virus is quite destructive, attacking not only files but also a certain chip within infected computers. Two California teenagers infiltrate and take control of more than 500 military, government, and private sector computer systems.

The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any previous virus, infecting an estimated 1 million PCs. Bubble Boy is the first worm that does not depend on the recipient opening an attachment in order for infection to occur. As soon as the user opens the email, Bubble Boy sets to work. Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files.

The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook, much like Melissa. The virus comes as a VBS attachment and deletes files, including MP3, MP2, and .JPG. It also sends usernames and passwords to the virus's author. W97M.Resume.A, a new variation of the Melissa virus, is determined to be in the wild. The "resume" virus acts much like Melissa, using a Word macro to infect Outlook and spread itself. The "Stages" virus, disguised as a joke email about the stages of life, spreads across the Internet. Unlike most previous viruses, Stages is hidden in an attachment with a false ".txt" extension, making it easier to lure recipients into opening it. Until now, it has generally been safe to assume that text files are safe. "Distributed denial-of-service" attacks by hackers knock Yahoo, eBay, Amazon, and other high profile web sites offline for several hours.

Shortly after the September 11th attacks, the Nimda virus infects hundreds of thousands of computers in the world. The virus is one of the most sophisticated to date with as many as five different methods of replicating and infecting systems. The "Anna Kournikova" virus, which mails itself to persons listed in the victim's Microsoft Outlook address book, worries analysts who believe the relatively harmless virus was written with a "tool kit" that would allow even the most inexperienced programmers to create viruses. Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems. Sircam spreads personal documents over the Internet through email. CodeRed attacks vulnerable webpages, and was expected to eventually reroute its attack to the White House homepage. It infected approximately 359,000 hosts in the first twelve hours. BadTrans is designed to capture passwords and credit card information.

Author of the Melissa virus, David L. Smith, is sentenced to 20 months in federal prison. The LFM-926 virus appears in early January, displaying the message "Loading.Flash.Movie" as it infects Shockwave Flash (.swf) files. Celebrity named viruses continue with the "Shakira," "Britney Spears," and "Jennifer Lopez" viruses emerging. The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes), creates hidden copies of the originals, and attempts to disable common anti-virus products. The Bugbear worm also makes it first appearance in September. It is a complex worm with many methods of infecting systems.

In January the relatively benign "Slammer" (Sapphire) worm becomes the fastest spreading worm to date, infecting 75,000 computers in approximately ten minutes, doubling its numbers every 8.5 seconds in its first minute of infection. The Sobig worm becomes the one of the first to join the spam community. Infected computer systems have the potential to become spam relay points and spamming techniques are used to mass-mail copies of the worm to potential victims.

In January a computer worm, called MyDoom or Novarg, spreads through emails and file-sharing software faster than any previous virus or worm. MyDoom entices email recipients to open an attachment that allows hackers to access the hard drive of the infected computer. The intended goal is a "denial of service attack" on the SCO Group, a company that is suing various groups for using an open-source version of its Unix programming language. SCO offers a $250,000 reward to anyone giving information that leads to the arrest and conviction of the people who wrote the worm.
An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm in May. Victims include businesses, such as British Airways, banks, and government offices, including Britain's Coast Guard. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation. The Sasser worm is different than other viruses in that users do not have to open a file attachment to be affected by it. Instead, the worm seeks out computers with a security flaw and then sabotages them. An 18-year-old German high school student confessed to creating the worm. He's suspected of releasing another version of the virus.

March saw the world's first cell phone virus: Commwarrior-A. The virus probably originated in Russia, and it spread via text message. In the final analysis, Commwarrior-A only infected 60 phones, but it raised the specter of many more and more effectivecell phone viruses.

The first large scale ransomware application, "SpySheriff", spreads globally.

Eastern European companies such as Bakasoftware and KlikVIP grow rapidly using server-side polymorphic virus technology to extort revenue via ransomware distribution worldwide.

First discovered in November, the Conficker virus is thought to be the largest computer worm since Slammer of 2003. It's estimated that the worm infected somewhere between nine and 15 million server systems worldwide, including servers in the French Navy, the UK Ministry of Defense, the Norwegian Police, and other large government organizations. Since it's discovery, at least five variants of the virus have been released. Authorities think that the authors of Conficker may be releasing these variants to keep up with efforts to kill the virus.
The Koobface computer worm targets users of Facebook and Myspace.

The July 2009 cyber attacks occur and the emergence of the W32.Dozor attack the United States and South Korea.

Microsoft announced that a BSoD problem on some windows machines which was triggered by a batch of Patch Tuesday updates was caused by the Alureon Trojan.
Russian scareware continues to flourish.


Years ago when we thought about computer viruses we regarded them as simply mean-spirited email scripts written and distributed by punk hackers that got picked on in school and lashed out at the world the only way they knew how. Today many of these hackers are wearing a shirt and tie to work and are writing even nastier scripts for companies that specialize in forced advertising. As if we don't have enough to worry about with all the phishing scams and identity thefts, now we have to be aware of a growing threat to our online security in the form of software "retailers" that infect their customers computers in order to force the purchase of their product as the only option for removing the infection. Kinda like slipping someone poison then selling him the antidote, or more accurately, a sci-fi version of what thugs and business owners used to call "protection".

Sometimes these infections are payloaded via the "free trial version" of a product, which is usually an anti-spyware program, or transmitted via a third party company that uses ad injector viruses and sells piggy-back time on these injectors as they backdoor their way into thousands of browsers 24 hours a day. The ad injectors are distributed in other "shareware" downloads like screensavers, warez, or porn, and can even install themselves on the users PC just by opening their web page.

Ironically, even if you give up and pay for the removal product, by then your computer is infected with a whole host of other viruses that the product cannot remove. WinAntiSpy is a classic example of these applications. PLEASE take a minute to read these warnings about them HERE, and a much better explanation and detailed accessment HERE

Now, are these types of business practices illegal? Of course they are. It used to be you could get away with such things by burying usage stipulations far enough in the install EULAs that no one took the time to "read the fine print", but this type of fraud is beyond any loopholes. Self downloaders and popups disguised as warning messages cross the line, and at best are deceptive business tactics. However, these days our various law enforcement agencies have bigger fish to fry. They are more worried about terrorists blowing up things and people smoking cigarettes in public, and not much in between.
So the internet is more in a state of anarchy than at any previous time in its short but significant existence, and personally I am glad for the lack of intervention, because as our civil liberties diminish, freedom of information becomes even more important. Google China is a good preview of things to come.

So....we need to fend for ourselves against the hackers, phishers, scammers, vandals and now also against the "browser mobsters" that seek to kidnap our hard earned bandwidth for their own greedy agendas. This page has a few available removal tools I have stumbled upon and wish to consolidate and share. As always, feel free to email me with any questions or comments. jw.

for a fascinating look at how these scams work, check out this 2-page article by Joe Stewart:
Rogue Antivirus Dissected

a similar article from USAtoday:
Rogue Antivirus Dissected

The following are just a few viruses of the hundreds out there that are distributed by seemingly legitimate companies that in reality only want to hijack your browser. These removal tools are not "magic fixes" and need to be followed up on with virus and spyware scanners and any clean up tools you may have.

Name: Zlob
Description: Trojan-Downloader-Zlob is a common downloader that may download other threats onto your computer.
Removal tool from ZLOB REMOVER

Name: Perfect Keylogger
Description: Perfect Keylogger is a monitoring tool that records all visited web sites, keystrokes and mouse clicks.
Removal instructions (if SPYBOT fails): PERFECT KEYLOGGER REMOVAL

Name: HotBar
Description: HotBar is a toolbar that comes in two versions: a free version that is adware-supported and displays pop-up advertisements and a paid version. The paid version does not include adware or display pop-up advertisements.
Removal tool from HOTBAR REMOVER

Name: SmitFraud
Description: Smitfraud is a Trojan / Spyware program that gains access to user's computers. Once the people behind Smitfraud have access to your machine it can be used for all sorts of purposes . The reinstallers for this program can be especially difficult to get rid of.
Another Removal tool: SMITFRAUD FIX

Name: Look2Me
Description: Look2Me is adware that serves pop-up advertisements. It has a guardian implementation to prevent detection and removal.
Removal tool from LOOK2ME REMOVER

Name: SpyAxe
Description: SpyAxe/SpywareStrike installer trojan. The trojan shows a security warning message from the system tray and repetitively installs SpyAxe or SpywareStrike.
Removal tool from SPYAXE REMOVER

Name: Matcash
Description: Trojan Downloader Matcash is a downloader created by that may download other threats on your computer.
It appears that SpySweeper is the only program that can remove this. Not sure if their trial version is fully functional, and it's $29.95 to buy. I could not find a removal tool or instructions: BUY SPYSWEEPER

Name: Virtumonde or Vundo
Description: Virtumonde displays advertisements on your computer. Can hide itself from HijackThis. Renaming HijackThis.exe to hjt.exe (or any other name) will fool its stealth capability.
Removal tool from VUNDO REMOVER

Name: ISTbar
Description: ISTbar is a toolbar that may be used for searching pornographic web sites, which display pornographic pop-ups and hijack user homepages and Internet searches.
Removal tool: ISTbar REMOVER

Name: SurfSideKick
Description: SurfSideKick displays pop-up advertisements on your computer. Used by DeluxeCommunications.
Removal instructions (if SPYBOT fails): SIDEKICK REMOVAL

Name: Virut (W32 / Virut)
Description: "Virut" is a family of polymorphic memory-resident appending file infectors that have Entry Point Obscuring (EPO) capabilities. Viruses belonging to this family infect files with .EXE and .SCR extensions. All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.
Removal tool: VIRUT REMOVAL (safe mode only)

Name: Tanatos (BugBear variant)
Description: Similar to Virut in that it rewrites exe files, can jump drives, and infect servers. VERY destructive.

Name: Sasser Worm
Description: Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability causing system crashes and making the machine unbootable.

Name: Mebroot
Description: Trojan horse that modifies the Master Boot Record (MBR). It uses sophisticated rootkit techniques to hide its presence and opens a back door that allows a remote attacker control over the compromised computer.
Removal tool: EMeb Remover
Another very good MBR tool: TDSSkiller

Name: DirectRevenue-Abetterinternet
Description: DirectRevenue-ABetterInternet, commonly known as VX2 or Transponder, is an adware program that displays pop-up advertisements on your computer.
Removal tool from BINET REMOVER

Tons more free specialized removal tools from Kaspersky Lab: KASPERSKY VIRUS TOOLS

The following is a partial list of companies that use one or more of the above viruses to force the purchase of their product :

1-Click Spy Clean
#1 Spyware Killer
Ad Armor
Advanced Spyware Remover
Adware Deluxe
Adware Delete
Adware Bazooka
Adware Cops
Adware Hitman
Adware Hunter
Adware Nuker
Adware Patrol
Adware Pro
Adware Punisher
Adware Remover
Adware Safe
Adware Safety
Adware Sheriff
Adware Striker
Adware Tools
Adware X
Adware X Eliminator
A Guard Dog
Alert Spy
Alfa Cleaner
AntiSpyware Soldier
AntiSpyware Master
AntiSpy Zone
Anti Vermins
AntiVirus Gold
AntiVirus Pro
AntiVirus Protector
AntiVirus Solution
AV System Care
Best Guard Platinum
Brave Sentry
Clean X
Cure PC Solution
Cyber Defender
Expert AntiVirus
Fixer AntiSpyware
Freeze AntiSpyware
Internet AntiSpy
Internet Security 2010
Internet Shield
I-Spy Killer
Malware Alarm
Malware Wiper
MyNet Protector
PAL Spyware Remover
PC Health Plan
Perfect Cleaner
Pest Capture
Pest Protector
Pest Trap
Pest Wiper
Privacy Champion
Privacy Defender
Privacy Tools
Real Adware Remover Gold
Scan Spyware
Security i-Guard
Secure MyPC
Smart Security
Spy Cleaner
Spy Crush
Spy Dawn
Spy Falcon
Spy Killer Pro
Spy Soldier
Spy Trooper
Spyware Annihilator
Spyware Assassin
Spyware Bomber
Spyware Cleaner
Spyware C.O.P.
Spyware Hound
Spyware Killa
Spyware Knight
Spyware Quake
Spyware Slayer
Spyware Stormer
Spyware Strike
Spyware Wizard
System Stable
The SpyGuard
Titan Shield
Trust Cleaner
Ultimate Cleaner
Virtual Bouncer
Virus Blaster
Virus Burst
Virus Rescue
WinAntiVirus Pro 2007
World Antispy
ZoneProtect AntiSpyware

I will be adding more to this page as time permits and info becomes available. jw.