Malicious software that has gone down in history. Part III

Published on December 04, 2017

Malicious software that has gone down in history. Part III

The subject of art can be a painting, sculpture, poem, symphony and even a computer virus, no matter how strange it sounds. Unfortunately, the creation of viruses nowadays involves taking advantage of your creation or harming others. However, at the dawn of computer technology, virus writers were true artists, whose colors were pieces of code, skillfully mixed, they turned into a masterpiece. And their goal was not to offend someone as much as to declare oneself, to demonstrate one’s intelligence and ingenuity and, at times, just to amuse people. Today we will continue our acquaintance with the various creations of virus writers, which in one way or another deserve our attention. (If you want to familiarize yourself with the previous parts, here are the references: Part I and Part II )

Fork bomb (All ingenious is simple) - 1969

Fork bomb is not a separate virus or worm, but a family of extremely simple malware. The structure of the Fork bomb code can consist of only 5 lines. Using some languages ​​to write this kind of malware eliminates the need to use colons, parentheses, and sometimes all alphanumeric characters.

The Fork bomb operates in a very simple way: first, the program loads itself into memory, where it creates several copies of itself (usually two). Then each of these copies creates as many copies as the original, and so on until the memory is completely full, which leads to system failure. Depending on the device, this process takes from several seconds to several hours.

One of the first recorded cases of the Fork bomb is its appearance on the computer Burroughs 5500 at the University of Washington in 1969. This malware was named “RABBITS”. In 1972, the virus writer Q The Misanthrope created a similar program in the BASIC language. It's funny that at this moment the author was in 7th grade. There was another case in an unknown company, in 1973, when their IBM 360 was infected with the rabbit program. As a result, a young employee was fired and accused of spreading the virus.

Cascade (falling down) - 1987

One of the funniest viruses of its time. Why just find out so.

When the virus entered the system and was activated, it first of all checked for the presence of the line “COPR. IBM. If there was one, the virus should have stopped and NOT infecting this machine, but due to an error in the virus code, infection still happened. Read More Cascade became resident in the memory. The virus has infected any .com file when it was launched. Cascade replaced the first 3 bytes of the file with the code that led to the code of the virus itself.

And now what about the results of the virus. They took effect if the infected file was launched between October 1 and December 31, 1988. All the characters on the DOS screen just began to randomly fall, literally down the screen. That is why the virus was called Cascade (cascade). Sometimes, some sounds were reproduced.

After spreading around the world, a lot of Cascade variants appeared - about 40. Some of them were created by the previous author in the hope of fixing the IBM copyright recognition bug, however, these virus variants continued to successfully infect computer giant systems. Other options instead of a waterfall of characters led to the formatting of hard drives, or simply contained some kind of message. In any case, the original Cascade virus was remembered by many.

It's funny that the author tried to avoid infecting IBM computers, but at the same time not only those were infected, but also the whole office in Belgium became a victim. As a result, IBM released to the public its antivirus, which was previously used only within the company.

Nothing is known about the origin of the virus and its author. There are guesses that Cascade was written by someone from Germany or Switzerland.

Eddie (Hallowed Be Thy Name) - 1988

One of the first Bulgarian viruses and the first creation of Dark Avenger, which became extremely famous thanks not only to its viruses, but also the so-called Dark Avenger Mutation Engine (about it a bit later). Dark Avenger named its virus after the symbol of the Iron Maiden group - a skeleton named Eddie.

After hitting the computer, the virus became resident in memory. The victims of the infection were the .com and .exe files. At the same time there was no need to execute these programs for infection, it was enough just to read them (copy, move, check the contents of the file). There was also the possibility of infection of antivirus software, which could lead to the infection of any file that was scanned by this software. After every 16th infection, the virus rewrote a random sector.

In the future, the source code of the virus was published on the Internet, which gave rise to many of its variants:
Eddie.Jericho (Two Variants)
Eddie .Korea

Who is the author of some of them is unknown to this day. Variations of Eddie, released from the pen of Dark Avenger:

  • Eddie.V2000 - contained the following “messages”: “Copy me - I want to travel”; “© 1989 by Vesselin Bontchev.”; "Only the good die young ..."
  • Eddie.V2100 - contained the words "Eddie lives" and, if there is an Anthrax virus in the last sector of the disk, transferred it to the partition table, thereby restoring the virus.

For a long time, Eddie retained the status of the most common volgari virus, while it was also recorded in West Germany, the USA and the USSR.

Father Christmas (Ho-ho-ho) - 1988

Shortly before Christmas (Catholic) in 1988, the worm Father Christmas began its journey through DECnet (an early version of the Internet, so to speak). The birthplace of the worm is considered to be the University of Neuchâtel in Switzerland.

The HI.COM file acted as a worm, which copied itself from one DECnet node to another. Then he tried to start himself using either Task Object 0 (a program that allows performing actions between two connected computers) or through DECnet login and password. If the launch fails, the worm deletes its HI.COM file from the victim's system. If successful, the worm is loaded into memory, after which it uses the MAIL_178DC process to delete the HI.COM file. Next, the worm sends a SYS $ ANNOUNCE banner at 20597 :: PHSOLIDE, and then checks the system clock. If the infection time falls between 00:00 and 00:30 24/12/1988, the worm creates a list of all users of the system and sends its copies to them. If the infection occurred after 00:30 of the above date, the worm simply ceased to be active.

In search of a new victim, the worm randomly generated a number ranging from 0 to 63 * 1024. When the appropriate number was found, he copied the HI.COM file onto the victim’s water. After 00:00 24/12/1988 distribution did not occur.

Father Christmas also displayed a message (of a very benevolent, if you can say that about malware, character):

«From: NODE :: Father Christmas 24-DEC-1988 00:00
To: You ...
Subj: Christmas Card.


How are ya? I had a hard time preparing all the presents. It
isn't quite an easy job. It is up to the Northpole
to get the terrible
Rambo-Guns, Tanks and Space Ships
. But now the good part is coming. All Distributing
the presents with up my sleigh and deers is the real fun. I When
slide down the chimneys I often find a little present offered by
the children, or even a little Brandy from the father. (Yeah!)
Anyhow the chimneys are getting tighter and tighter every
year. I think my diet And after

Christmas I’ve got my big holidays :-).

Now you’re at home !!!

Merry Christmas
and a Happy New Year


«От: НОДА: Father Christmas 24-ДЕКАБРЯ-1988 00:00
Кому: Тебе…
Тема: Рождественская открытка


Как ты? Мне было тяжеловато приготовить все эти подарки. Это не такая уж и простая задача. Я получаю все больше и больше писем от детей каждый год и это не просто получить «пушки» как у Рэмбо, танки и космические корабли на Северном Полюсе. Но сейчас будет хорошая часть. Развозить подарки на моих санях с оленями очень весело. Когда я спускаюсь по дымоходу, я частенько нахожу маленькие подарочки от детей, или даже немного бренди от папы. (Ура!) В любом случае, дымоходы с каждым годом становятся все теснее и теснее. Я думаю мне опять надо сесть на диету. И после Рождества у меня будет мои большие каникулы :-).

А теперь хватит сидеть перед компьютером и хорошего времени в домашней обстановке!!!

Счастливого Рождества
и с Новым Годом

Ваш Отец Рождество»

Father Christmas did not become the conqueror of the world, he infected only 6,000 machines, and only 2% of them activated the worm. However, there is a curious fact: a worm from Switzerland reached the Goddard Space Flight Center in a suburb of Washington in just 8 minutes.

The creator of such an unusual and chronologically tied worm was never found. We only know that a computer from the university was used, to which so many people had access.

Icelandic (Eyjafjallajökull) - 1989

The first virus that infected the .exe file exclusively on a DOS system. Place of birth - Iceland.

Icelandic got to the computer as an .exe file, when launched, the virus checked for itself in the system memory. If its copy was not there, the virus became resident. He also modified some blocks of memory in order to hide his presence. This could lead to a system crash if the program tried to write to these very blocks. The virus further infects every tenth executable file, adding its own code at the end of each. If the file was in read only format, Icelandic deleted its code.

If the computer used hard drives of more than 10 megabytes, the virus selected the FAT area that was not used, and marked it as beaten. This operation was performed every time an infection of a new file occurred.

There were also several Icelandic varieties that differed from each other in some functions and properties:

  • Icelandic.632 - infects every third program. Marked as a broken one cluster on the disk, if it was more than 20 megabytes;
  • Icelandic.B - has been improved to make it more difficult for some antiviruses to detect; it didn’t perform anything other than distribution;
  • Icelandic.Jol is a sub-variant of Icelandic.B, which on December 24th displayed a message in Icelandic “Gledileg jol” (“Merry Christmas”);
  • Icelandic.Mix1 - first discovered in Israel, caused distortion of characters when transferring them to serial devices (for example, printers);
  • Icelandic.Saratoga - with a 50% chance of infecting a running file.

Diamond (Shine bright like a diamond) - 1989

Another virus from Bulgaria. It is assumed that its author is Dark Avenger, since this virus has much in common with its first creation, Eddie.

When you run an infected program, the virus entered memory, occupying 1072 bytes. The virus checked programs that were monitored with interrupts 1 or 3. If there were any, this check caused the system to freeze and the virus could no longer replicate itself. If there were no such programs, Diamond joined any running program that weighed less than 1024 bytes. During the infection process, the virus avoided the COMMAND.COM file. Also in the virus itself, it was possible to detect a string that makes it easy to identify it, “7106286813”.

Diamond became the progenitor of several of its variants, which differed by the type of impact on the infected system and by the method of distribution and infection: the

Rock Steady

666-byte virus that did not become resident in memory if the infection occurred on the 13th day of any month. Instead, it formatted the first 1 to 10 sectors on the first hard disk. After that, I rewrote the first 32 sectors of the C drive: garbage data and rebooted the system. It was first discovered in Montreal (Canada).

The file infection path was also quite curious. To begin with, Rock Steady checked the “weight” of the file: less than 666 bytes (for any format) and more than 64358 bytes (for .com files). Then the virus checked whether the file names start with the letters “MZ” and “ZM”, after which they changed them from “ZM” to “MZ” and vice versa. The virus also changed the value to 60 and took away its “weight” of 666 bytes from the size of the infected file.


Perhaps came from Italy. Was first seen in May 1991. The first version of this virus could not infect the .exe files, but its sub-version, released in October 1992, already had such an opportunity. It led to a frequent crash of the system when the .com file was executed, and the virus did not avoid the COMMAND.COM file in the process of infection, as the original did. If the infected .exe file was launched on Tuesday, the virus formatted the disks. Also displayed on the screen a bouncing ping-pong ball and a message of the following content:

© David Grant Virus Research 1991 PCVRF Disribuite this virus
freely !!! ... ah ... John ... Fuck You!

Damage It

is believed that this virus was created by the same person who wrote David, because Damage was also discovered in May 1991, also in Italy. The virus infects a file that exceeds 1000 bytes in size and did not avoid the COMMAND.COM file. If the system clock showed 14:59:53, a multi-colored diamond appeared on the screen, which broke up into smaller diamonds, which removed characters from the screen. The phrases “Damage” (for which he got its name) and “Jump for joy !!!” were found in the virus code.


Another virus from Italy, discovered in May 1991. Infected a file larger than 2 kilobytes, including COMMAND.COM. If the timestamp of the file was 12:00 pm before infection, the virus disappears after infection.


Oh, this Italy, oh, this May 1991. This virus is also from there. Strongly slowed down the system (about 10%). On July 14 of any year, he rewrote some sectors of the A :, B: and C: disks.

There were several other options, but their main feature was that they did not check for the presence of their copies in the victim files, which resulted in the latter being reinfected.

Alabama (Alabama Shakes) - 1989

The virus under the DOS system, which infected the .exe files. When an infected file was activated, the virus became resident in memory. However, unlike other resident viruses, Alabama did not infect a file when it was executed. The virus was looking for a file to infect in this directory, and if it did not work, only then it would switch to the method of infecting activated files. Also, on Friday, instead of infecting files, the virus opened a random file instead of what the user wanted to open. Alabama displayed flashing text on the screen an hour after the system was infected:

Box 1055 Tuscambia ALABAMA USA.

Dark Avenger Mutation Engine (DAME) - 1991

This is not a virus, but this module is made extremely famous by a certain Dark Avenger, which we have already mentioned earlier.

When a virus that uses DAME infects a file, the encryptor issued the virus code for garbage. And when the file was opened, the descrambler returned the virus code to its previous working form.

Dark Avenger also added an archive containing a separate module for generating random numbers, which, when used, helped the virus to spread.

Thanks to the DAME module, virus writers have made it much easier to create polymorphic viruses, despite the complexity of implementing the module into the code of the original virus. In this case, the use of the module made it possible to create many variants of the same virus. According to malware researchers, by the end of 1992, there were about 900,000 variants of virus variants that used DAME.

Starship (Back in the USSR) - 1991

So we got to their native lands. Starship virus was created in the USSR. But this is not where its distinctive features end.

The method of infection with the Starship virus was very difficult, in due time, and unusual. This virus has infected files like .com and .exe. When these files opened, Starship infected the master boot record. At the same time, the virus did not become resident in memory and did not infect other .com and / or .exe files. Starship modified three bytes in partitioned data tables and implemented its code in 6 consecutive sectors of the last track of the hard disk.

Also Starship tracked how many times the computer was loaded. When this happened, the virus loaded itself into the video memory, where it was decrypted (in other words, it was deployed). Being in the video memory, the virus violated interruptions in order to protect itself from being rewritten on the hard disk and waited for the completion of the first available program. When this happened, the virus moved itself to the main memory, where it occupied 2688 bytes.

Next, Starship infected .com and .exe files on disks A: and B :. At the same time, he added his code inside the file only after it was closed, thereby complicating detection.

The result of the virus was visible after 80 computer downloads. Under the melodic sounds on the screen color pixels were displayed, each of which signified one of the connections to the disks.

Groove (“When you get a groove going, time flies”) - 1992

And here is the virus that was used to encrypt the creation of Dark Avenger DAME (paragraph 8). Groove was the first virus that used the aforementioned module to infect .exe files. The homeland of this malicious software is Germany, although it managed to spread around the world, reaching even the United States.

The virus, after the activation of the infected file, was located in the “high” memory, below the limit

DOS in 640K. 640K or DOS 640k boundary
«В 1982 году, когда IBM PC был представлен с 64К RAM на материнской плате, максимальный размер программы в 640К казался невероятно огромен. Некоторые пользователи были обеспокоены тем, что сама ОС MS-DOS и резидентные в памяти драйверы устройств, как и приложения должны помещается в пространство памяти в размере 640К. В то время было не так и много программ, и большая их часть легко помещалась в 64К. Сейчас, конечно же, программы невероятно увеличились в размере. DOS стал больше, и существует множество драйверов устрой, добавляющих функции, которые сейчас считаться ну просто необходимыми. Минимум в 640К уже недостаточный, что Windows и намерены исправить.

Хоть IBM с Microsoft и установили ограничение в 640К, большую ответственность несет все же микропроцессор Intel 8088. Оригинальные IBM-PC были оснащены микропроцессорами Intel 8088. Существует так много контактов, исходящих из одного блока, и это число и диктует к какому количеству памяти может получить доступ микропроцессор. У Intel 8088 было 40 контактов (20 для доступа к памяти), достаточно для доступа к 1000К памяти. Проектируя IBM-PC, инженеры нуждались в части из этих 1000К для того, чтобы компьютер мог работать с монитором. Дополнительная часть из 1000К была использована для различных основных системных функций, чтобы компьютер мог работать. Инженеры также зарезервировали часть из 1000К для будущих нужд. То что осталось и есть наши 640К.»

Цитата из книги Software Patents / Third Edition / 2012 (автор: Gregory A. Stobbs)

The Groove virus attached its code to the .com and .exe files that the user ran. At the same time, to infect .exe files, the latter had to be smaller than a certain size (unfortunately, I did not find information about which one). Infection of programs led to disruption of their work. And infection with COMMAND.COM makes it impossible to boot the system.

After 00:30, the virus displayed the message:

Wory dont, you are not to alone AT the this hour ...
ThisVirus is the NOT the dedicated to Sara
ITS the dedicated her to the Groove (... Thats a up my name)
This Virus is only a test Virus there for
the BE the ready for the Test the Next up my ....

Не переживай, ты не один в этот час…
Этот Вирус не посвящен Саре
он посвящен ее Groove (… Так меня зовут)
Этот Вирус только тестовый Вирус, потому
будь готов к моему Следующему Тесту…

In order to prolong its existence, the virus deleted or corrupted files related to antivirus programs.

Qark's Incest family ("we are family, I got all my sisters with me ...") - 1994

In this paragraph, we will consider not one virus, but the whole “family” authored by Australian virus writer Qark, who as a result joined the group of brothers in arms “VLAD” (Virus Labs & Distribution). Qark's vigorous activity in the ranks of the organization falls from 1994 to 1997.

And now more about the "family members" of the viral clan.


By reducing the size of the MCB (Memory Control Block), but only if this MCB is the last in the chain. The virus can also create its own MCB with the setting of the owner field value (0x0008 - and join INT 21h.

Files are infected when they are opened or when the user becomes familiar with their data or properties. Daddy also hid the size of his location directory from FCB findfirst / findnext. And infected files were marked as such by changing the time stamp value to the date stamp value.

Daddy also contained the following lines:

[Incest Daddy]
by Qark / VLAD


If MS-DOS did not specify a file extension to execute it, .COM files took precedence over .EXE files. Infected .com files run a virus, and then open the original .exe files. To begin with, the virus ran the original .exe files, after which it became resident by joining INT 21h.

Like Daddy, the virus was encrypted and used similar methods of avoiding detection. In addition, Mummy had another unusual stealth mechanism: companions .com files were created with a hidden set of attributes. When running the FindFirst ASCII, the virus removed the hidden part from the requested attribute mask. This made it possible to prevent infected files from entering the list of antivirus search results.

The Mummy virus code contained the signature:

[Mummy Incest] by VLAD of Brisbane.
Breed baby breed!


This virus used the same MCB manipulation method as Daddy. Infection of flags occurred when performing such tasks: discovery, execution, Chmod, renaming. The infected files were marked by adding the “magic” value in the MZ format.

Signature in Sister virus code:

[Incest Sister]
by VLAD - Brisbane, OZ


In order not to repeat itself, we simply say that this virus did the same thing as other members of the “family”: it changed the MCB, joined the INT 21h. Also deleted the base of checksums of antivirus programs Central Point Anti-Virus and Microsoft Anti-Virus. To mark infected files, set the seconds in the time stamp to 62.

Tentacle (I'm the Tentacle Virus!) - 1996

Another family of viruses, although its representatives were not created at the same time, but only followed one after another as different updated versions. Possible countries of origin of this virus can be considered the UK or France.

After activating an infected file, the virus began a search in the currently open directory and in the Windows directory environment. Search target - .exe files. In the open directory, 1 file was infected, in Windows - 2. The virus caused damage to some files.

A distinctive feature of the Tentacle virus was the replacement of the icon of the infected file with its own (see the picture below), but only if the infection occurred between 00:00 and 00:15.

Also in the virus code you could find the phrase:

Virus Alert! This file is infected with Win.Tentacle

CAP (Dios y Federacion) - 1996

Macro Word virus written by Jacky Qwerty from Venezuela. However, a few weeks later he said goodbye around the world.

The virus contained from 10 to 15 macros, depending on the language version of Word. If the language is English, the macros were as follows:

  • Cap
  • Autoexec
  • Autoopen
  • Fileopen
  • Autoclose
  • File save
  • FileSaveAs
  • FileTemplates
  • Toolsmacro
  • FileClose

In other language versions, the virus created 5 additional macros that were copies of the last five of the above list. When an infected file was activated, the CAP virus deleted the macros from NORMAL.DOT, replacing them with its own. And the Macros, Customize and Templates buttons disappeared from the drop-down menu. If the toolbar had an icon, it simply stopped working.

When decrypting macros, you could see the following message:

“CAP: Un virus social ... y ahora digital ...
” “j4cKy Qw3rTy” (
'Venezuela, Maracay, Dic 1996.
' PD Que haces gochito? Nunca seras Simon Bolivar ... Bolsa!

C.A.P: социальный вирус, а теперь и цифровой.
'«j4cKy Qw3rTy» (
'Venezuela, Maracay, Dic 1996.
П.С. Что ты делаешь маленький ковбой? Ты никогда не будешь Симоном Боливаром! Дурак!

Esperanto ("I did a movie in Esperanto") - 1997

The world's first multiprocessor virus. It hurt both on Microsoft Windows and DOS PCs with x86 processors, and on MacOS with Motorola or PowerPC processors.

Work on Windows and DOS

First of all, after activation, the virus checked for a working copy of itself in memory. If there was none, it became resident in the memory. Infected .com and .exe files during their opening. Also could infect the main files DOS, NewEXE and Portable EXE.

Work on MacOS

To successfully infect files, at the end of the virus code there was a special MDEF resource. The OS will interpret the Intel code as garbage and immediately go to Motorola code processing. This leads to the fact that the code is executed by the operating system without emulation, allowing the virus to become resident in memory. The ability of the virus to run on MacOS with the PowerPC processor comes from Motorola emulation in the Macintosh core. Given the infection of system files, the virus was activated at system startup. Esperanto also infected Finder, which led to the infection of any file opened through this program. As in the case of Windows and DOS, only one copy of the virus could work on MacOS at a time.

The Esperanto virus could easily migrate from Windows to MacOS and back. In order to infect a computer on MacOS through .com and .exe files, the virus dropped the MDEF resource containing the virus. And to infect .com and .exe files from MacOS files, the virus looked for Windows executables running in the emulator.

On July 26, the virus displayed a message (if the virus was on a 32-bit Windows system):

Never mind your culture /
Esperanto will go beyond it / Esperanto preterpasos gxin;
yet Mind the differences by never / ne The Gravas la diferencoj,
Esperanto will of Overcome Them / Esperanto superos ilin.

Never mind your processor
/ Esperanto funkcios sub gxi;
never mind your platform / Ne gravas via platformo,
Esperanto will infect it / Esperanto infektos gxin.

Not only a now! Just human language, But Also a virus ...
the Turning Into Possible to impossible impossible, Esperanto.

Не обращайте внимания на вашу культуру,
Эсперанто выйдет за ее пределы;
Не обращайте внимания на отличия,
Эсперанто преодолеет их;

Не обращайте внимания на ваш процессор,
Эсперанто будет работать на нем;
Не обращайте внимания на вашу платформу,
Эсперанто инфицирует ее.

Теперь не только язык людей, но и вирусов…
Превращая невозможное в возможное, Эсперанто.

July 26 was not chosen by chance, since this holiday is Esperanto day. On July 26, 1887, Ludwik Lazar Zamenhof created a universal language called Esperanto.

Gollum ("my preciousss") - 1997

The virus was written by a Spanish guy named GriYo who claimed that his creation is the first hybrid DOS / Windows virus.

Gollum infected .exe files, avoiding those that contained “v” in their name or started with “TB”, thus avoiding contact with antivirus programs.

When the virus was first activated, the GOLLUM.386 file was inserted into the system folder. And the line DEVICE = GOLLUM.386 was added to the system.ini file. This addition allowed the virus to run every time the system boots.

After the first restart, Gollum became resident in memory under the guise of a virtual device driver. When activating the .exe file from the DOS window, the virus attached its code to this file, thereby infecting it.

The result of the Gollum virus was the removal of some anti-virus software databases and the introduction of the GOLLUM.EXE Trojan into the system.

The following text could also be found in the virus code:

ViRuS GriYo by gollum / 29A
Deep down found here by the dark water lived old
Gollum, a small slimy by creature. I dont know
where he came from, nor who or what he was.
He was a Gollum - as dark as darkness, except
for his big face.
JRR ToLkieN ... The HoBBit

Глубоко у темных вод жил старый Голлум, маленькое склизкое создание. Я не знаю ни откуда он был, ни кем или чем он был. Он был Голлумом — темным, как сама тьма, за исключением двух огромных глаз на его тощем лице.

This is an excerpt from the book "The Hobbit" by J.R.R.Tolkien, which describes a creature named Gollum, who is also familiar to many from the books "The Lord of the Rings", as well as from the screen versions by Peter Jackson. It was this creature that gave its name to the virus itself.

Babylonia (seashell) - 1999

A Brazilian virus from the pen of a Vecna ​​virus writer that infected .exe files on Windows 9x computers.

After extraction, the virus did not become instantly active, for a start, it patched the JMP or CALL and waited for the call. The virus scanned the OS kernel, obtaining the addresses of the Windows API function, and installed itself under the guise of the VxD system driver.

The virus allocated some of the memory, setting a binding in the IFS handler. Then I expected access to Help, Portable Executables and WSOCK32.DL files. Also, the Babylonia virus scanned the system for the presence of the downloaded SPIDER.VXD and AVP.VXD anti-virus libraries. If there were any, the virus patched them, as a result of which they could no longer open the files.

When the Babylonia virus infects a portable executable file, it attaches itself to the last sector or overwrites the .reloc section. The CODE section will also be scanned for available space to host the call to the virus. Help files are infected by passing control to the virus code through the USER32 EnumWindows API callback function.

The virus spread via email. First of all, he added his code to the send () function in WSOCK32.DLL. This led to the fact that in all the emails that the user sent from the infected machine, there were attachments infected with a virus, called X-MAS.exe with a Christmas icon.

Later versions of Windows could not be infected, as Babylonia had specific VxD calls that are designed exclusively for Windows 9x.

The Babylonia virus could be updated using the online update module. This module was located in the Windows System folder under the name KERNEL32.EXE, which started when the system started. Also, it could not be seen in the task list via CTRL + ALT + DEL.

Although the Babylonia virus did not spread widely, and did not become a global threat, the methods of its distribution, infection, and the updating module allowed this virus to gain popularity.

I have not found any data regarding the name of this virus. However, Babylonia is the name of a genus of marine gastropods. You can also assume that the name of the virus comes from the word "Babylon" (Babylon - a city in ancient Mesopotamia).

Dammit (darn it, virus again) - 2000

The virus under the Windows 9x series of systems that originated from Russia.

When activated, the virus loaded itself into memory, after which it infected the activating .exe files, adding its own code to them.

To avoid detection, Dammit did not touch files whose names contained the following:

All for the same purpose - to hide yourself - the virus removed the VxD AVP and Spider antivirus drivers. Also avoided detection by Microsoft's Soft-Ice debugger.

Every month, the first day, the virus hid all the icons from the desktop, by adding the value “1” to “HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer No Desktop”.

In the Dammit virus code, the following could be found:

© 2000

Where ULTRAS is the author of the virus, and MATRiX is the virus writer log, where the code of the virus was published.

Blebla ("For more than this of Juliet and her Romeo") - 2000

Mail worm from Poland, written in Delphi language. He became one of the first worms that could be activated without the intervention of a user of an infected machine. Also known as Verona or Romeo and Juliet.

The worm spread via email with the subject:
hello world
ble bla, bee
I Love You ;)
Hey you!
Matrix has you…
my picture
from shake-beer

In this letter there were 2 attached files Myjuliet.chm and Myromeo.exe. The text of the letter itself contained HTML, which saved the attached files in the Windows Temp folder and ran Myjuliet.chm. The latter, in turn, extracted the main part of the worm from the file Myromeo.exe.

Myromeo.exe runs the Romeo & Juliet task, which can be seen in the task list. It searches for a process called HH.exe, which processes .chm files, and tries to deactivate it in order to avoid warning the user about its presence.

Next, the worm propagates through six mail servers located in Poland (none of them already work):


The worm also has its own SMTP engine that attempts to establish a connection with one of the servers listed above in order to send an email with attached MIME files.

Despite the fact that the worm did not cause much harm, it received quite a lot of publicity in the media.

YahaSux / Sahay (I don't like you) - 2003

Among virus writers, too, have their Mozarts and Salieri. They are just as brilliant, and they don't like each other as much. The YahaSux worm is a creation of Gigabyte, who apparently disliked the author of the Yaha worm.

The victim received an e-mail on “Fw: Sit back and be surprised ...” with the following content:

Think of a number between 1 and 52.
Say it out loud, and keep repeating while you read on.
What is the opposite sex?
The letter of that name is now.
Add this number to the number you were thinking of.
Say the number out loud 3 times.
must have had the number of letters.
Say it out loud 3 times.
Watch, and be surprised ..

Загадайте число от 1 до 52.
Скажите его вслух, и повторяйте пока читаете это.
Загадайте имя того, кого вы знаете (противоположного пола).
Теперь подсчитайте какой порядковый номер в алфавите имеет вторая буква этого имени.
Прибавьте это число к тому, что вы загадали ранее.
Скажите число 3 раза вслух.
Теперь подсчитайте какой порядковый номер в алфавите занимает первая буква вашего имени, и отнимите это число от того, что у вас было до этого.
Скажите число 3 раза вслух.
Теперь сядьте, посмотрите прикрепленное слайд-шоу, и будьте поражены…

This file attached to the letter was a MathMagic.scr screensaver. After activating the file, the worm copies its own and the executable files of the Yaha nav32_loader.exe worm in the system folder. If the search returned no results, YahaSux copies itself to the folder under the guise of the winstart.exe file.

Then the struggle with the hated Yaha became even more fun. YahaSux tried to interrupt the process under the name WinServices.exe (or WINSER ~ 1.EXE), which belonged to Yaha.K. Removed the Yaha.K executable files from the registry, restoring its original value. Also, changes were made to the WinServices subkey (the value was set as follows: Default = (system directory) \ winstart.exe), which allowed the worm to be launched automatically when the system was turned on.

YahaSux also created the yahasux.exe file in the system folder and in the Mirc Download folder. He attached himself to all the .exe files in the mirc \ download folder in Program Files, and added the file MathMagic.scr to root on the C drive.

The worm spread by sending itself to all recipients in the Outlook Address Book list.

After 40 seconds of activity, the system of the infected PC was turned off. After rebooting and deleting another file related to Yaha.K - tcpsvs32.exe, the YahaSux worm displayed the following window with the message:

Why did Gigabyte, the author of YahaSux, dislike Yaha.K and its author? The fact is that Yaha.K changed the homepage in the Internet Explorer browser on, where the web pages and Gigabyte itself were located. All this led to the fall of the server.

In his new version of Yaha.Q, in the code, the author left a message for his rival:

to gigabyte: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is ... lolz;)

Such is the struggle of the intellects.

Lovgate (Open me, I'm not a worm. #Wink) - 2003

Worm from China, which possessed the properties of a Trojan.

The worm got on the victim's PC with an email, the subject, content and attached files of which had several options:
Subject: Documents
Attachment: Docs.exe
Body: Send me your comments…

Subject: Roms
Attachment: Roms.exe
Body: Test this ROM! IT ROCKS!..

Subject: Pr0n!
Attachment: Sex.exe
Body: Adult content!!! Use with parental advisory.

Subject: Evaluation copy
Attachment: Setup.exe
Body: Test it 30 days for free.

Subject: Help
Attachment: Source.exe
Body: I'm going crazy… please try to find the bug!

Subject: Beta
Attachment: _SetupB.exe
Body: Send reply if you want to be official beta tester.

Subject: Do not release
Attachment: Pack.exe
Body: This is the pack ;)

Subject: Last Update
Attachment: LUPdate.exe
Body: This is the last cumulative update.

Subject: The patch
Attachment: Patch.exe
Body: I think all will work fine.

Subject: Cracks!
Attachment: CrkList.exe
Body: Check our list and mail your requests!

After activation, the worm copied itself to the Windows system folder under the guise of one of the files:

  • WinRpcsrv.exe
  • syshelp.exe
  • winrpc.exe
  • WinGate.exe
  • rpcsrv.exe

In order to allow yourself to run simultaneously with the launch of the system, the worm acted depending on the version of the system.

Windows 95, 98, or ME

A string run = rpcsrv.exe was added to the Win.ini file. If the system had registries, then the following values ​​were added to the registry key of the local machine: “syshelp =% system% \ syshelp.exe”, “WinGate initialize =% system% \ WinGate.exe -remoteshell” and “Module Call initialize = RUNDLL32.EXE reg.dll ondll_reg ".

The value of “winrpc.exe% 1” was also entered in the registry of keys so that the worm could be launched each time the user opened a text file.

Windows 2000, NT or XP

The worm copied itself to the system folder under the guise of the ssrv.exe file and added the value “run = rpcsrv.exe” to the registry of the keys of the local machine.

Also added the registry of keys of the local Software \ KittyXP.sql \ Install machine.

After these actions, the worm entered into the system folder, and then activated, the following files, which are its Trojan components: ily.dll; task.dll; reg.dll; 1.dll.

Some of these files could send information to the addresses or The worm itself was listening on port 10168, awaiting commands from its creator, who had access to it through a password. When entering the correct password, the worm copied itself into folders with shared network access under the guise of such files:

File Names:

Next, the worm scanned the system for the presence of the LSASS.EXE process (authentication service of the local security system) and joined it. He did the same with the process responsible for opening the command environment on port 20168, which did not require authentication.

The Lovgate worm scanned all computers on the local network, trying to access them through an administrator. First, he did it with an empty password field, then, in case of failure, applied the following simple passwords:


If the access attempt was successful, Lovgate copied itself under the guise of the stg.exe file into the \ admin $ \ system32 \ folder.

For further distribution, the worm scanned the “winpath” folder, the user's personal folders and the folder where it was launched, for the presence of email addresses in files with an extension beginning with .ht (for example, .html).


So our today's excursion into the world of malware has come to an end. Although many of today's exhibits deserve a separate exhibition. The world of viruses, worms and trojans is huge and diverse. There are also innocent, causing a smile, there are destructive, stealing everything that they have in their way. But those and others are the result of the work of an extraordinary mind, who never ceases to look for something new, does not cease to explore. Even if these people have directed their minds not to the most noble path, they still teach us that the limit will never be reached if we look beyond it. I do not agitate to write viruses. Just do not stand still, develop, explore, and never let your mind reach the limit. Have a nice day and see you soon.

BLACK FRIDAY CONTINUES:30% discount on the first payment on the promo code BLACK30% when ordering for 1-6 months!

These are not just virtual servers! These are VPS (KVM) with dedicated drives, which can be no worse than dedicated servers, and in most cases - better! We made VPS (KVM) with dedicated drives in the Netherlands and the USA (configurations from VPS (KVM) - E5-2650v4 (6 Cores) / 10GB DDR4 / 240GB SSD or 4TB HDD / 1Gbps 10TB available at a uniquely low price - from $ 29 / month options are available with RAID1 and RAID10) , do not miss the chance to place an order for a new type of virtual server, where all resources belong to you, as on a dedicated one, and the price is much lower, with a much more productive “hardware”!

How to build the infrastructure of the building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny? Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA!