1998

Virus attacks on MS Windows, MS Office and network applications continued apace, with viruses exploiting new infection vectors and using ever more complex technologies. A wide range of Trojan programs designed to steal passwords (PSW family) and remote adminstration utilities (Backdoor) appeared. Several computer magazines distributed discs which were infected with Windows viruses, CIH and Marburg. Specifically, compact discs attached to the English, Slovenian, Swiss and later Italian versions of PC Gamer contained the Marbug virus. This virus was contained in the electronic registration program of an MGM Interactive disc with the game, Wargames PC. At the end of September, the AutoStart virus was discovered on discs which were to be distributed with the Corel DRAW 8.1 for Mac OS.

The beginning of the year borught an epidemic caused by a whole family of viruses Win32.HLLP.DeTroi which not only infected Win32 EXE files, but were also capable of transmitting information about victim machines to the author of the virus. Because the virus exploited system libraries used only in the French version of Windows, the the epidemic affected only French-speaking countries.

In February, the Excel4Paix (or Formula.Paix) virus was detected, This new macro virus install itself in Excel tables by using an unusual macro area of formulas which were capable of containing self-replicating code. Later the same month, polymorphic Windows32 viruses emerged: Win95.HPS and Win95.Marburg. Further more, they were detected in the wild. Antivirus developers were forced to rapidly develop new methods of detection for polymorphic viruses which, until then, had been only for DOS.

AccesiV, the first virus for Microsoft Access, was detected in March. Unlike the earlier Word.Concept and Excel.Laroux viruses, it did not cause much alarm, as most users had come to accept that Microsoft applications are highly vulnerable. At approximately the same time, another virus called Cross surfaced This was the first multi-platform macro virus capable of infecting documents simultaneously in two Microsoft Office applications, Word and Access. On the heels of Cross several other macro-viruses materialized, transferring their code from one Office application to another. The most notable of these was Triplicate (also known as Tristate) which was capable of infecting Word, Excel and PowerPoint.

In May of 1998, the Red Team virus became the first virus to infect Windows EXE files and distribute itself using the Eudora email client. June brought the Win95.CIH virus, which caused an epidemic of mass and then later global proportions, infecting computer networks and home computers by the thousand. The beginning of the epidemic was pin-pointed to Taiwan where an unknown hacker sent infected files to a local electronic list-serve. From there the virus spread to the States where infected files made it onto several popular web-servers and spread the virus to gaming programs. It was most likely the game servers that acted as the primary reason for the large-scale epidemic, which continued throughout the year. The virus leap-frogged in ‘popularity’ over earlier virus superstars such as Word.CAP and Excel.Laroux. Most notable was the virus payload: depending on the day of infection, the virus would erase Flash BIOS, which in some cases could make it necessary to replace the motherboard. CIH’s complex procedures caused antivirus products to significantly increase their speed of development.In August of 1998 the emergence of BackOrifice (or Backdoor.BO) caused controversy, it was designed to be a secret utility to be used for remote host administration across networks. Other similar viruses such as NetBus and Phase appeared shortly thereafter.

August also saw the emergence of the first malicious executable Java module, Java.StrangeBrew. This virus did not present a specific danger to Internet users, but it did illustrate the fact that viruses can also be found in applications actively used in viewing Web servers.

In November 1998, malicious programs continued to evolve hwith three viruses infecting the scripts of Visual Basic (VBS files) which were actively used in creating webpages. At the time, Kaspersky Labs released an in-depth study on the potential threat of VBS viruses. However, many specialists were too quick to label the company as a panic inciter and criticized the study for provoking virus hysteria. Half a year later when the LoveLetter epidemic broke, it became clear that Kaspersky’s prognosis was completely accurate. To this day, this type of virus holds onto first place in the list of most widespread and dangerous virus types.

The logical culmination of VBScript viruses were full-fledged HTML viruses like HTML.Internal. It became patently clear that virus-writers’ efforts are beginning to focus more and more on network applications. Virus writers were moving towards a networks worm which exploited flaws in MS Windows and Office and infectted remote computers through Web servers or via email.

The next MS Office application to fall victim to a virus was PowerPoint. In December 1998, a virus of unknown origins, Attach, was the first to attack. It was immediately followed by two more, ShapeShift and ShapeMaster, the author of which was likely one and the same. The appearance of PowerPoint viruses caused yet another headache for antivirus vendors. Files of this MS application use an OLE2 format which determines the way in which viruses can be scanned for in DOS and XLS files. However, the VBA modules in PPT format are stored in compressed format which meant that it was necessary to design new algorithms to decompress them and facilitate antivirus searches. Despite the complexity of what would seem like a simple task, almost all antivirus companies have integrated into their products the necessary functionality to defend against PowerPoint viruses.

In January, Virus Bulletin magazine began a new project: VB 100%. This regular testing of antivirus products is designed to determine whether the solutions can detect 100% of viruses from the wild. VB 100% is now regarded as one of the more respected independent testers.Significant changes occurred in the antivirus vendor market as well. In May, Symantec and IBM announced their unified efforts to develop an antivirus product. The combined product was to be distributed by Symantec under the same name, while IBM’s product, IBM Anti-Virus would cease to exist. Towards the end of September, Symantec announced its purchase of the antivirus business from Intel Corporation, LANDesk Virus Protect. Just two weeks later, Symantec surprised the industry yet again with another purchase, this time of QuarterDeck for $65 million. The company’s product range included such antivirus products as ViruSweep.

Such aggressive tactics did not go unnoticed by the American antivirus giant, NAI which on August 13th, announced its purchase of one of its primary competitors, English company, Dr. Solomon’s. The latter was bought for the record amount of $640 million by means of a stock swap. These events evoked true shock in the antivirus industry. A previous conflict between two large players of the industry had ended in a buy-sell deal the result of which was the disappearance of one of the more noticeable and technologically strong developers of antivirus software.

Also interesting was the purchase of EliaShim, a developer of the antivirus product E-Safe. The purchase was made in December by Alladdin Knowledge Systems, a well-known developer of equipment and software for computer security.

A curious incident occurred with the publication of computer virus warning in the December 21st edition of The New York Times. The author warned users about the appearance of a virus which spread via email and was already being detected in some networks. It later became evident that this scary virus was none other than the already well-known macro virus, Class.