While the overall number of file viruses grew steadily from the late 1980s, the scene was dominated by a small number of very successful viruses. Jerusalem, for example, spread across many enterprises, academic institutions and government agencies and on 13 May 1988 (which became known as ‘Black Friday’) it caused the first major virus epidemic. The Vienna virus spawned numerous variants following the publication of its source code. And Cascade, notable for being the first encrypted virus, continued to be common well into the 1990s.
As time went on, some virus authors tried to get the best of both worlds by developing viruses that were combination boot sector viruses and file viruses. Tequila, Junkie and Natas were all successful examples of what became known as multipartite viruses.
At this time, it was almost completely a virus problem. There had already been some worms, most notably the Morris worm in November 1988: this successfully infected about 6,000 or so vulnerable systems (around 10% of all computers connected to the Internet in 1988). However, at this time, the Internet was used almost exclusively by government and academic institutions. The Internet worm’s time had not yet come.
In addition, there were only a small number of Trojans. The term Trojan (short for Trojan Horse) is taken from the wooden horse used by the Greeks to sneak inside the city of Troy and capture it. The first Trojans, which appeared in the late 1980s, masqueraded as innocent programs. Once the unsuspecting user ran the program, the Trojan would deliver its harmful payload. Hence the copy-book definition given by most anti-virus vendors: a non-replicating program that appears to be legitimate but is designed to carry out some harmful action on the victim computer.
The fact that Trojans don’t spread by themselves was the key feature that distinguishes them from viruses. Viruses are parasitic, adding their code to an existing host. So they spread from file to file to file: and the longer a user is infected, the further the virus spreads across their machine (and potentially across the network too, if the user is able to access a network). Trojans, by contrast, have no on-board replication mechanism. So at this time, Trojan authors had to find some way of distributing their code manually: upload it to a BBS (Bulletin Board System) in the guise of a useful application, deliberately plant it in a corporate network, or use the postal service to send it to a pre-defined list of victims.
Twelve Tricks, for example, was a hacked version of a hard disk benchmarking program. When installed, the Trojan wrote itself to the MBR of the disk and performed one of its twelve ‘tricks’, many of which made it look as though the victim had a hardware problem. Unfortunately, there was also a chance that the Trojan would format the track on the hard disk containing the boot sector, or cause gradual corruption of the FAT.
Another example of an early Trojan was the Aids Information Disk. In late 1989, 20,000 floppy disks containing this Trojan were mailed to addresses stolen from PC Business World and the World Health Organization, by a company called PC Cyborg. The disks supposedly contained information about HIV and the author was clearly playing on widespread public concern about the disease. When the user ran the installation program, the Trojan wrote itself to the hard disk, created its own hidden files and directories and modified system files. After the PC had been booted 90 times, the Trojan encrypted the contents of the hard disk, making the data inaccessible. The only accessible file remaining on the disk was a README file: this contained a bill and a PO Box address in Panama for payment. Interestingly, the use of ‘program mechanisms’, including some that would ‘adversely affect other program applications’, was announced up-front in a license agreement contained on the floppy disk used to distribute the Trojan. It was not until much later that Trojans were to come into their own.