
20 years of innovative Windows malware

Woody Leonhard | Feb. 28, 2011
Windows PCs have been under siege for 20 years. What a difference those two decades make.

The end of the century: Communications attacks

Windows-specific malware entered the big time in 1998 when a Taiwanese programmer, Chen Ing Hau, created CIH (aka Chernobyl), taking stealth infection to a new height.

Exploiting a quirk of the Portable Executable format, in which each section's data is padded out to the file alignment boundary on disk, CIH split its code across the unused slack inside and between an EXE's sections, so an infected file kept its original size. CIH ran only on Windows 95, 98 and ME (Windows NT, with its protected kernel, was immune); those unlucky enough to carry these interstitial infections woke up on April 26, 1999, to unbootable PCs, the virus having overwritten the first megabyte of the hard disk and, on some motherboards, the flash BIOS. CIH was a devastating virus, but it had no network or email propagation of its own, so it spread only as infected executables were copied from machine to machine.
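The cavities CIH lived in are still visible in the file, which is what a practitioner would look for today. The following added example (written for this edit, not code from the article or from any antivirus vendor) parses the PE section table, lists every region the headers leave unaccounted for (header slack, gaps between sections, each section's zero-padded tail, the overlay), counts non-zero bytes in each, and checks whether the entry point falls outside every section. It runs against two constructed sample images; the 16-byte "loader" and 32-byte "body" written into the infected one are placeholder bytes, not any real virus, and all function and variable names are this example's own.

```python
"""Finding CIH-style cavities in a PE file: regions that the headers say are
unused but that hold non-zero bytes. Sample images below are constructed for
this example; no real malware code is involved."""
import struct

FILE_ALIGNMENT = 0x200


def build_sample_pe(infected: bool) -> bytes:
    """Constructed minimal PE32 with .text and .data. With infected=True a
    hypothetical 16-byte loader goes into the header slack, a 32-byte body
    into .text's tail slack, and the entry point is redirected to the loader,
    mirroring the cavity layout described in the article."""
    e_lfanew, size_opt = 0x40, 0xE0
    header_end = e_lfanew + 24 + size_opt + 2 * 40      # = 0x188 for 2 sections
    text_vsize, data_vsize, text_raw, data_raw = 0x123, 0x80, 0x200, 0x400

    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, header_end if infected else 0x1000)  # entry point
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)      # FileAlignment

    def section(name, vsize, va, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, FILE_ALIGNMENT,
                           rawptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", text_vsize, 0x1000, text_raw, 0x60000020)
               + section(b".data", data_vsize, 0x2000, data_raw, 0xC0000040))
    image = bytearray(data_raw + FILE_ALIGNMENT)
    image[:len(headers)] = headers
    image[text_raw:text_raw + text_vsize] = b"\x90" * text_vsize   # stand-in code
    image[data_raw:data_raw + data_vsize] = b"\x41" * data_vsize   # stand-in data
    if infected:
        image[header_end:header_end + 16] = bytes(range(0x10, 0x20))   # hypothetical loader
        tail = text_raw + text_vsize
        image[tail:tail + 32] = bytes(range(0x40, 0x60))              # hypothetical body
    return bytes(image)


def parse_sections(pe: bytes):
    """Return (header_end, [(name, vsize, va, rawsize, rawptr), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    return table + 40 * num_sections, sections


def find_cavities(pe: bytes):
    """List (label, file_offset, length, nonzero_byte_count) for every region
    the headers do not account for: slack before the first section, gaps
    between sections, each section's tail beyond VirtualSize, and the overlay."""
    header_end, sections = parse_sections(pe)
    cavities = []

    def add(label, start, length):
        if length > 0:
            chunk = pe[start:start + length]
            cavities.append((label, start, length, sum(1 for b in chunk if b)))

    prev_end = header_end
    for name, vsize, va, rawsize, rawptr in sorted(sections, key=lambda s: s[4]):
        if rawsize == 0:            # e.g. .bss: nothing on disk
            continue
        add(f"gap before {name}", prev_end, rawptr - prev_end)
        if vsize < rawsize:         # tail padding up to FileAlignment
            add(f"{name} tail slack", rawptr + vsize, rawsize - vsize)
        prev_end = rawptr + rawsize
    add("overlay", prev_end, len(pe) - prev_end)
    return cavities


def entry_point_section(pe: bytes):
    """Name of the section containing AddressOfEntryPoint, or None when the
    entry point lies outside every section (e.g. in header slack)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    (ep,) = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)
    for name, vsize, va, rawsize, rawptr in parse_sections(pe)[1]:
        if va <= ep < va + max(vsize, rawsize):
            return name
    return None


def suspicious_cavities(pe: bytes):
    """Cavities holding non-zero bytes. Zero-filled tails are normal linker
    padding; data in them, or an entry point outside all sections, is the
    signature of a cavity infector."""
    return [c for c in find_cavities(pe) if c[3] > 0]


if __name__ == "__main__":
    for label, pe in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        print(label, "- entry point in:", entry_point_section(pe))
        for name, off, length, nonzero in suspicious_cavities(pe):
            print(f"  {name} at 0x{off:x}: {nonzero} of {length} bytes non-zero")
```

Two caveats before treating a hit as an infection: a non-empty overlay is common and usually legitimate (Authenticode signatures and installer payloads live there), so weight the section-tail and header-slack findings far more heavily; and VirtualSize being smaller than SizeOfRawData is itself normal, so the signal is the content of the slack, not its existence.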

Email emerged as a potent delivery mechanism, a point first driven home by the Good Times hoax ("if you read a message with the subject 'Good Times' your hard drive will be destroyed"). The hoax carried no code at all, yet frightened users forwarded it to millions, a lesson about the reach of email that real malware authors soon applied.

The next big jump in malware technology arrived as fireworks, emblazoned on a window entitled "Happy New Year 1999!" Happy99, aka SKA, worked by patching a Windows system library, the Winsock DLL Wsock32.dll (it kept the original as a backup copy named Wsock32.ska, hence the alias). Send an email or a Usenet post from an infected machine and the patched Wsock32.dll delivers your message as usual, then shoots out a second, blank message to the same recipient with an attached file named Happy99.exe. If the recipient double-clicks the file, they're greeted with a fireworks display and a fresh infection.

Other malware had hooked Windows this way before, but Happy99 was the first to hook the communications routines themselves, and that is why it spread so prolifically. Adding to the potency: beginning with Windows 95, Explorer hid the extensions of known file types by default, so most recipients saw only the name "Happy99" rather than Happy99.exe, and all too frequently clicked on it.

David L. Smith, of New Jersey, wrote Melissa, a Word macro virus that, when an infected document is opened, reads the victim's Outlook address book and mails copies of itself to the first 50 entries. It was the first of many successful mass-mailing viruses on Windows.

Melissa was so prolific that it brought down Exchange servers all over the world on March 26, 1999. CERT reported that one site received 32,000 copies of Melissa in 45 minutes. Mr. Smith served 20 months in a federal prison for his efforts. A few months later, another destructive worm, ExploreZip, also spread through the victim's mail client, replying to unread messages in the inbox with a copy of itself; it had the nasty habit of destroying Office documents and C/C++ source files by overwriting them with zero-length files.

The end of the 20th century also saw malware writers discover Visual Basic Script (VBScript) executed by the Windows Script Host, a combination that would prove wildly successful for them in the years that followed.

 
