
Virus (MIT Assignment) August 21, 2009

Posted by caoile2000 in Assignments (MIT), Computer Virus.

Virus Issue:

MORRIS WORM

The Morris worm or Internet worm was one of the first computer worms distributed via the Internet. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act.[1] It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT.

It is usually reported that around 6,000 major Unix machines were infected by the Morris worm. Paul Graham has claimed that

“I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them.”

The U.S. GAO put the cost of the damage at $10M–100M.

The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies.[5] Gene Spafford also created the Phage mailing list to coordinate a response to the emergency.

Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.

The Morris worm has sometimes been referred to as the “Great Worm”, because of the devastating effect it had upon the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name derives from the “Great Worms” of Tolkien: Scatha and Glaurung.

NIMDA

Nimda is a computer worm and also a file infector. It spread quickly, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes.

The worm was released on September 18, 2001. Because of the release date, some media quickly began speculating about a link between the virus and Al Qaeda, though this theory proved unfounded.

Nimda affected both user workstations (clients) running Windows 95, 98, Me, NT, 2000 or XP and servers running Windows NT and 2000.

The worm’s name spelled backwards is “admin”.

F-Secure found the text “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China” in the Nimda code.

Nimda was so effective partly because, unlike other infamous malware such as the Morris worm or Code Red, it used five different infection vectors:

  • via email
  • via open network shares
  • via browsing of compromised web sites
  • exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful at exploiting well-known and long-fixed vulnerabilities in the Microsoft IIS server.)
  • via back doors left behind by the “Code Red II” and “sadmind/IIS” worms.
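The IIS vector above is the one a web server operator can look for in their own logs. The following is an added example, not code from the original post or from any of the incidents it describes: it scans constructed IIS-style log lines for requests whose path, once percent-decoding is applied until stable and backslashes are folded into forward slashes, contains a `..` segment. The log lines and the `private/config.ini` target are invented for the example; the field layout assumed is date, time, client IP, method, URI stem, URI query and status.

```python
from urllib.parse import unquote

# Constructed sample entries in a simplified W3C extended log layout
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# These are made-up lines, not real traffic from Nimda or Code Red.
SAMPLE_LOG = """\
2001-09-18 13:01:02 10.0.0.5 GET /index.html - 200
2001-09-18 13:01:07 10.0.0.7 GET /scripts/..%5c..%5cprivate/config.ini - 200
2001-09-18 13:01:09 10.0.0.8 GET /images/logo.gif - 200
2001-09-18 13:01:11 10.0.0.9 GET /msadc/..%255c..%255cprivate/config.ini - 404
2001-09-18 13:01:15 10.0.0.9 GET /scripts/../../private/config.ini - 200
2001-09-18 13:01:20 10.0.0.5 GET /docs/release..notes.html - 200
"""

MAX_DECODE_ROUNDS = 3  # bounded: enough to unwrap double/triple encoding


def normalize_path(raw_path: str) -> str:
    """Percent-decode until the string stops changing (so %255c -> %5c -> \\)
    and treat backslashes as path separators, as IIS on Windows does."""
    decoded = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when a whole path segment is '..' after normalization.
    Checking segments (not substrings) avoids flagging names like 'release..notes'."""
    segments = normalize_path(raw_path).split("/")
    return ".." in segments


def find_traversal_attempts(log_text: str):
    """Return (client_ip, raw_uri_stem, status) for each request that
    attempts to climb out of the web root."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line: skip rather than guess
        _date, _time, client_ip, _method, uri_stem, _query, status = fields[:7]
        if is_traversal(uri_stem):
            hits.append((client_ip, uri_stem, status))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

Note that the status code is kept in the result on purpose: a 404 on a traversal request still tells you someone is probing, while a 200 means the server actually served something and deserves immediate follow-up.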

I LOVE YOU VIRUS

ILOVEYOU was a computer worm that hit numerous computers in 2000, when it was sent as an attachment to an email message with the text “ILOVEYOU” in the subject line. The worm arrived in e-mail boxes on May 4, 2000, with the simple subject “ILOVEYOU” and an attachment named “LOVE-LETTER-FOR-YOU.TXT.vbs”. Upon opening the attachment, the worm sent a copy of itself to everyone in the user’s address list, posing as the user. It also made a number of malicious changes to the user’s system.

Such a propagation mechanism was already well known (though in the IBM mainframe rather than the MS Windows environment) and had been used in the Christmas Tree EXEC of 1987, which brought down a large fraction of the world’s mainframes at the time.

Two aspects of the worm made it effective:

  • It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
  • It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment; the underlying mechanism – VBScript – had not been exploited to such a degree previously to direct attention to its potential, thus the necessary layers of protection were not yet in place.
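The second point is the one a mail gateway can act on: the attachment carried a script extension that Windows would execute on open, hidden behind a “.TXT” that made it look like a text file. The following is an added example, not code from the original post, of a simple attachment-screening rule that flags directly executable extensions and double extensions of the kind used here. The attachment names other than the one quoted on the page are constructed, and the `displayed_name` helper is a simplified model (an assumption, not Windows’ exact logic) of how the “hide extensions for known file types” setting would show the name to the user.

```python
from pathlib import PurePosixPath

# Extensions that Windows hands to a script host or loader when the file is
# opened, so a single click runs the attached program.
EXECUTABLE_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                       ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

# Constructed sample attachment list for one message; the first name is the
# one quoted on the page, the rest are invented benign and malicious samples.
CONSTRUCTED_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "quarterly-report.pdf",
    "photo.jpg",
    "setup.EXE",
]


def displayed_name(filename: str) -> str:
    """Simplified model of a file browser that hides the final, known
    extension: the user sees everything before the last dot."""
    suffixes = PurePosixPath(filename).suffixes
    if not suffixes:
        return filename
    return filename[: -len(suffixes[-1])]


def assess_attachment(filename: str):
    """Return (verdict, reason) where verdict is 'block' or 'allow'.
    Extension comparison is case-insensitive because Windows is."""
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    if not suffixes:
        return ("allow", "no extension")
    final = suffixes[-1]
    if final in EXECUTABLE_SUFFIXES:
        if len(suffixes) > 1:
            # e.g. '.txt' followed by '.vbs': the benign-looking part is a disguise
            return ("block",
                    f"executable {final} hidden behind {suffixes[-2]} (double extension)")
        return ("block", f"executable extension {final}")
    return ("allow", f"non-executable extension {final}")


def screen_message(attachments):
    """Apply the rule to every attachment of a message."""
    return [(name, *assess_attachment(name)) for name in attachments]


if __name__ == "__main__":
    for name, verdict, reason in screen_message(CONSTRUCTED_ATTACHMENTS):
        print(f"{verdict:5} {name!r:35} shown as {displayed_name(name)!r}: {reason}")
```

The rule deliberately keys on the last extension only: the one the operating system acts on, regardless of how many harmless-looking extensions precede it.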

Its massive spread moved westward as workers arrived at their offices and encountered messages generated in the Philippines. Because the worm used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and might be considered “safe”, providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.

The worm began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong Kong to Europe to the United States), causing about $5.5 billion in damage. By 13 May 2000, 50 million infections had been reported. Most of the “damage” was the labor of getting rid of the worm. The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm, as did most large corporations.

This particular malware caused widespread damage. The worm overwrote important files, as well as music, multimedia and more, with a copy of itself. It also sent the worm to everyone on a user’s contact list. Because it was written in Visual Basic Script, this particular worm only affected computers running the Microsoft Windows operating system. While any other computer accessing e-mail could receive an “ILOVEYOU” e-mail, only Microsoft Windows systems would be infected.

The alleged authors of the worm were reported to be Filipinos: siblings Irene and Onel de Guzman of Manila; Irene’s boyfriend, Reomel Lamores, who was briefly held in May 2000 in connection with the worm outbreak; and Michael Buenafe, a fellow student of de Guzman at AMA. Onel finally came forward but denied writing the worm, although he said he may have inadvertently been responsible for its release. As there were no laws in the Philippines against malware-writing at the time, he was released, and in August the prosecutors dropped all charges against him. The original charges brought against him dealt with the illegal use of passwords for credit card and bank transactions.

MELISSA WORM

The Melissa worm, also known as “Mailissa”, “Simpsons”, “Kwyjibo”, or “Kwejeebo”, is a mass-mailing macro virus. As it is not a standalone program, it is not in fact a worm.

First found on March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the virus. Melissa was not originally designed for harm, but it overloaded servers and caused unplanned problems.

Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called “List.DOC”, which contained passwords that allowed access to 80 pornographic websites. The virus’s original form was sent via e-mail to many people.

Melissa was written by David L. Smith in Aberdeen Township, New Jersey, and named after a lap dancer he encountered in Florida. The creator of the virus called himself Kwyjibo, but was shown to be identical to the macro virus writers VicodinES and Alt-F11, who had several Word files with the same characteristic Globally Unique Identifier (GUID), a serial number that was at the time generated with the network card’s MAC address as a component. Smith was sentenced to 20 months in a federal prison and fined $5,000 United States dollars.[1] This arrest was a result of collaboration between the FBI, New Jersey State Police and Monmouth Internet. Smith would later go on to help the FBI in tracking down Jan de Wit, the Dutch creator of the Anna Kournikova computer virus.

CONFICKER VIRUS

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has more than five million computers now under its control — government, business and home computers in more than 200 countries, according to the New York Times. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.

The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.

Recent estimates of the number of infected computers have become notably more difficult because of changes in the propagation and update strategy of recent variants of the worm.
