8 Computer Viruses that Brought the Internet to Its Knees

Computer viruses don’t just slow your computer down and annoy you with popups. Viruses can also steal your credit card information, hold your data hostage and even wipe your hard drive clean. Here’s a look at some of the worst viruses in history.

Melissa

The Virus

  • Created in 1999 by David L. Smith
  • He claimed to have named the virus after an exotic dancer in Florida
  • One of the first email-activated viruses
  • The virus was a Microsoft Word macro
    • A macro is a series of commands or instructions that gets carried out automatically
  • It affected users with Microsoft Word 97 and 2000 by:
    • Shutting down safeguards in those programs
    • Lowering security settings
    • Disabling macro security
  • The virus spread itself by sending an infected document via email
    • The email was designed to trick people into opening the file
  • Computers which had Microsoft Outlook would send the infected document to the top 50 contacts in the users’ address books
  • If the day of the month matched the minute, the virus would insert a Bart Simpson quote into the document it sent:
    • “Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”

The Damage

  • Tens of thousands of people couldn’t access their emails within six hours of the virus being posted
  • Hundreds of websites were affected
  • The Microsoft Corporation had to disable all incoming and outgoing email
  • Caused $1.2 billion in damages and losses
  • David L. Smith was:
    • Fined $5,000
    • Sentenced to 20 months in jail
    • Forbidden from accessing computer networks without court authorization

ILOVEYOU

The Virus

  • Launched from the Philippines in 2000
  • Allegedly written by Onel de Guzman
  • Typically spread through an infected email attachment
    • The email’s subject line would say that it was a love letter from a secret admirer
    • The name of the original file was “LOVE-LETTER-FOR-YOU.TXT.vbs”
    • .vbs is a Visual Basic Scripting file
    • Due to formatting issues, some email clients omitted the “.vbs” in the file name
      • This caused users to think they were opening a plain text file
  • The virus would:
    • Overwrite files with copies of itself so that it could continue spreading if the original version was removed from the computer
      • This erased files of a number of different types, including:
        • JPEG
        • MP3
        • VPOS
        • JS
        • JSE
        • CSS
        • WSH
        • SCT
        • HTA
    • Reset the infected computer’s Internet Explorer home page
    • Send the infected file to all of the user’s contacts in Microsoft Outlook
    • Download and execute a file that stole passwords and emailed them to the hacker’s email address
  • If the user entered a chat group with Internet Relay Chat, the virus would attempt to spread to all other users in the group
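
The double-extension trick described above can be caught from the attachment name alone. The following is an added example, not code from the original page: a C check that a mail filter could apply, in which the extension lists and the name `classify_name` are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative lists (assumptions), not exhaustive. */
static const char *ACTIVE[] = {"vbs", "vbe", "js", "jse", "wsh", "hta", "sct",
                               "exe", "scr", "pif", "bat", "cmd", NULL};
static const char *DECOY[]  = {"txt", "doc", "pdf", "jpg", "jpeg", "mp3", NULL};

enum verdict { NAME_OK, NAME_ACTIVE, NAME_DECEPTIVE };

/* Case-insensitive match of ext[0..len) against a NULL-terminated list. */
static int in_list(const char *ext, size_t len, const char **list) {
    for (; *list; list++) {
        size_t i = 0;
        if (strlen(*list) != len) continue;
        while (i < len && tolower((unsigned char)ext[i]) == (*list)[i]) i++;
        if (i == len) return 1;
    }
    return 0;
}

/* Classify an attachment name. `shown` receives the name as a client that
   drops the final extension would display it. */
enum verdict classify_name(const char *name, char *shown, size_t cap) {
    size_t len = strlen(name), last, prev;
    while (len && (name[len - 1] == '.' || name[len - 1] == ' ')) len--; /* Windows ignores these */
    snprintf(shown, cap, "%.*s", (int)len, name);
    last = len;                                  /* index just past the last dot */
    while (last && name[last - 1] != '.') last--;
    if (last == 0 || !in_list(name + last, len - last, ACTIVE)) return NAME_OK;
    snprintf(shown, cap, "%.*s", (int)(last - 1), name);
    prev = last - 1;                             /* index just past the previous dot */
    while (prev && name[prev - 1] != '.') prev--;
    if (prev && in_list(name + prev, last - 1 - prev, DECOY)) return NAME_DECEPTIVE;
    return NAME_ACTIVE;
}

int main(void) {
    /* Constructed sample names; the first is the file name quoted on this page. */
    const char *samples[] = {"LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt", "setup.exe"};
    char shown[128];
    for (int i = 0; i < 3; i++) {
        enum verdict v = classify_name(samples[i], shown, sizeof shown);
        printf("%-30s verdict=%d shown=%s\n", samples[i], (int)v, shown);
    }
    return 0;
}
```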

The Damage

  • Roughly one tenth of all Internet-connected computers in 2000 were infected with ILOVEYOU
  • The virus caused an estimated $15 billion in damages
    • It caused $5.5 billion in damages in the first week
  • ILOVEYOU reached an estimated 45 million people in one day
  • McAfee reported that a supermajority of their Fortune 100 clients were infected with the virus
  • Onel de Guzman was arrested on suspicion of creating the virus
    • He and his co-conspirator were later released as the Philippines had no laws at the time against writing malware

Code Red

The Virus

  • Code Red launched in July 2001
    • A second version of the virus, Code Red II, acted similarly and was launched later in the year
  • It infected Windows NT and 2000 machines by exploiting a buffer overflow vulnerability
    • The attack works by sending the computer instructions after a long string of nonsense
    • Once the buffer has been filled with the nonsense information, the computer begins overwriting adjacent memory
    • That memory is overwritten with the instructions for the virus
      • This meant that the user only had to be connected to the Internet to be infected
  • Infected Windows NT machines would crash more often than normal
  • Infected Windows 2000 machines would suffer a system-level compromise
    • This means that the computer could be entirely controlled by the hacker
  • The virus would behave differently depending on a few factors:
    • The date:
      • 1st-19th: Target random IP addresses and spread the virus
      • 20th-28th: Launch a DDoS (distributed denial-of-service) attack on the White House’s IP address
      • 29th and after: Go into “sleep” mode
    • Page language:
      • English-language web pages would be defaced with the words “Hacked by Chinese!”
  • Microsoft released a patch to fix the vulnerability exploited by the virus several months before the attack
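
The overwrite described in the bullets above, as an added example that is not part of the original page: a toy C model of a stack frame showing an unchecked copy replacing a saved return address and a bounds-checked copy leaving it intact. The 16-byte buffer, the `frame_t` layout and the saved value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define SAVED_RET 0x1122334455667788ULL   /* constructed value */

/* Toy stack frame (assumed layout): a 16-byte request buffer followed directly
   by a saved return address. One flat array keeps every copy well-defined C. */
typedef struct { unsigned char mem[BUF_LEN + sizeof(uint64_t)]; } frame_t;

static void frame_init(frame_t *f) {
    uint64_t ret = SAVED_RET;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_LEN, &ret, sizeof ret);
}

static uint64_t frame_ret(const frame_t *f) {
    uint64_t ret;
    memcpy(&ret, f->mem + BUF_LEN, sizeof ret);
    return ret;
}

/* Before: the copy length comes from the sender, not from the buffer size. */
static void copy_unchecked(frame_t *f, const unsigned char *in, size_t n) {
    if (n > sizeof f->mem) n = sizeof f->mem;   /* only keeps the model in bounds */
    memcpy(f->mem, in, n);
}

/* After: input longer than the buffer is rejected before any byte is written. */
static int copy_checked(frame_t *f, const unsigned char *in, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(f->mem, in, n);
    return 0;
}

/* Returns 1 if the saved return address survives an oversized request. */
int ret_survives(int use_checked) {
    unsigned char request[BUF_LEN + sizeof(uint64_t)];
    frame_t f;
    memset(request, 'N', BUF_LEN);                      /* the "nonsense" filler */
    memset(request + BUF_LEN, 0x41, sizeof(uint64_t));  /* bytes past the buffer end */
    frame_init(&f);
    if (use_checked) (void)copy_checked(&f, request, sizeof request);
    else copy_unchecked(&f, request, sizeof request);
    return frame_ret(&f) == SAVED_RET;
}

int main(void) {
    printf("unchecked copy: return address intact = %d\n", ret_survives(0));
    printf("checked copy:   return address intact = %d\n", ret_survives(1));
    return 0;
}
```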

The Damage

  • In less than a day, the virus infected more than 359,000 computer systems
  • Caused over $2 billion in losses
  • Between 1 and 2 million computers were infected overall
  • CAIDA (the Center for Applied Internet Data Analysis) found that of those hosts infected by Code Red:
    • 91% were from the US
    • 57% were from Korea

Nimda

The Virus

  • Launched in September 2001, one week after 9/11
    • The FBI had to refute rumors that the virus was connected to the terrorist attack
  • Nimda is “admin” spelled backwards
  • In Computerworld Magazine, TruSecure CTO Peter Tippett reported that Nimda topped their list of viruses in just 22 minutes
    • The virus was the fastest spreading piece of malware at the time
    • More than 2 million computers were infected in 24 hours
      • While the virus could infect home PCs, its primary target was web servers
  • The virus infected computers in a variety of ways:
    • Local networks
    • Email
    • Drive-by downloads on websites
    • Loopholes created by other worms
    • Vulnerabilities in IIS (Internet Information Server), Microsoft’s web server
  • Nimda allowed attackers to have the same access to an infected machine as the current user
    • If a user had admin-level privileges, so would the hacker
  • Nimda would install itself to the root of drives C, D, and E
    • It would also replicate itself in any folder where it found .doc or .eml files

The Damage

  • Caused $635 million in losses
  • A Florida federal court had to operate using paper copies of all of its documents when its system was infected with a Nimda variant
  • The virus spread so quickly that it significantly slowed Internet browsing times and crashed several networks

SQL Slammer/Sapphire

The Virus

  • Launched in 2003
  • Spread through a buffer overflow vulnerability in Microsoft’s SQL Server database management service
  • Randomly selected IP addresses to infect
  • Servers infected with SQL Slammer would spawn millions of copies to infect other servers
    • Within 3 minutes of attacking its first victim, the number of servers infected by Slammer doubled every 8.5 seconds

The Damage

  • Caused $750 million in damages
  • Crashed Bank of America’s ATM service
    • A number of other banks were affected by the virus
  • Caused outages to Seattle’s 911 service
  • Infected Continental Airlines’ online ticketing systems and electronic kiosks, rendering them inoperable
  • Several newspapers had publishing problems, including:
    • The Atlanta Journal Constitution
    • The Associated Press
    • The Philadelphia Inquirer
  • US Government websites affected included:
    • Department of Agriculture
    • Department of Commerce
    • Defense Department
  • Alfred Huger, from Symantec Security Response, reported that SQL Slammer caused network issues over the entire Internet
  • South Korea lost almost all Internet access
    • 70% of homes at the time were connected to the web

Sasser

The Virus

  • Launched in 2004
  • Created by Sven Jaschan, a 17-year-old from Germany
  • Sasser worked by exploiting a vulnerability in a Windows system called LSASS (Local Security Authority Subsystem Service)
    • The virus scanned IP addresses until it found one that was vulnerable
    • Then it downloaded itself into the Windows directory
    • The next time the computer was booted up, it would be infected
  • Sasser also affected the operating system
    • This made shutting down infected computers without pulling the plug difficult
  • The virus affected Windows 2000 and XP
    • Unlike other viruses, users didn’t have to open any email attachments in order to be infected by Sasser; they only needed to be online

The Damage

  • Caused $500 million in damages
  • Infected all 19 of the British Coastguard’s control rooms
    • Staff had to use paper maps and pens
  • Delayed British Airways flights
  • Sasser brought down a third of Taiwan’s post offices
  • Sven Jaschan was sentenced to:
    • 1 year, 9 months’ probation
    • 30 hours of community service
      • He was tried as a juvenile

MyDoom

The Virus

  • Launched in 2004
  • Originally began spreading through KaZaA, a file-sharing application, but then spread to emails
    • In both cases, users had to open a file in order to become infected
  • At its peak, MyDoom infected one in 12 emails as it tried to spread itself
  • Computers infected with MyDoom would launch a DDoS on www.sco.com (a Linux software company)
    • The virus would also open ports on victims’ computers so that hackers would have backdoor access to their systems
  • A second attack later that year affected search engines
  • MyDoom-infected computers would send search requests to search engines in an attempt to find email addresses
    • Some search engines received so many requests that they crashed
  • MyDoom was capable of spoofing its infection emails, making it more difficult to track
    • “Spoofing” involves forging the “From” address in an email
  • Infected between 600,000 and 700,000 computers

The Damage

  • Caused $38 billion in damages
  • McAfee reported that MyDoom:
    • Slowed down Internet access worldwide by 10 percent
    • Reduced access to some websites by as much as 50 percent

Conficker

The Virus

  • Launched in 2008
  • Took advantage of a vulnerability in Windows 2000, XP and 2003 servers that could cause them to install an unauthenticated file
    • It could even affect servers with firewalls, as long as they had print and file sharing enabled
  • Infected millions of computers
  • Spread by infected USB drives and over networks
  • Later variants were capable of:
    • Disabling anti-malware programs
    • Creating backdoors in firewalls
    • Communicating with other infected machines via peer-to-peer networks
  • Conficker was supposed to do something on April 1, 2009, but nothing happened
  • Experts were worried computers infected with Conficker would possibly:
    • Become a botnet
    • Create a criminal version of a search engine, copying private information from infected systems and then selling that information
    • Launch massive DDoS attacks

The Damage

  • Caused $9.1 billion in damages
  • French fighter planes were grounded when they couldn’t download their flight plans
  • In England, military systems were infected, including:
    • More than two dozen British Royal Air Force bases
    • 75% of the Royal Navy fleet
  • The Manchester City Council IT system went down, rendering the city unable to process fines
  • Computers and medical devices at hospitals in the US and the UK were infected

While the majority of these viruses are no longer the threats they once were, there are still many viruses on the Internet and more being created every day. To avoid getting infected, remember these tips: Update your antivirus software often, download OS patches when they come out, and don’t open untrustworthy files.