Prank programmes, altruistic malware and stoned viruses: Kaspersky Lab remembers ‘benign’ malware

In the history of malware writing and malware hunting, there are a number of unusual stories

April 1, 2014

In the history of malware writing and malware hunting, there are a number of unusual stories involving programmes which looked like typical malware – but did nothing more damaging than putting a smile on users’ faces. In a few extraordinary cases, viruses were even seen getting rid of dangerous malware or optimising the computer’s resources. To mark April Fools’ Day, Kaspersky Lab looks back at the “benign malware” which has occasionally spread over the World Wide Web.

The first known computer virus in history was a harmless specimen. It was called the Creeper, and it appeared in 1971, written by an employee at the US Ministry of Defense’s Defense Advanced Research Projects Agency. This primitive worm looked for other computers on the network – which back then was a small, localised affair, copied itself to them and displayed the following message: “I’M THE CREEPER: CATCH ME IF YOU CAN.” If Creeper found an existing copy of itself on a computer, it simply “jumped over” to another computer. It did not cause any harm to the computer system.

Stoned was another “fun” virus whose main purpose was to promote a message to the user. It was first detected in 1988 in New Zealand. The original version of this virus landed on a computer system via the floppy disk drive, and, just like Creeper, did not cause any harm to the computer. It simply displayed the message on the screen: “Your computer is now stoned. Legalise Marijuana.”

The “prank virus” title is deservedly held by HPS, a programme which was created specifically for the Windows 98 operating system but in fact spread months before this environment was released. One of the odd things about this virus was that it was only active on Saturdays: once a week it reversed non-compressed bitmap graphic objects. In other words, it mirrored the entire display on the monitor.

The Cruncher virus also turned out to be absolutely benign. On the face of it, it was a regular resident file virus, and used an algorithm to compress data and pack the infected file, so the infected file was shorter than the original. This freed up room on the user’s hard drive. Moreover, it turned out that Cruncher used a compression algorithm from the then-popular utility DIET 1.10, so the user could use this absolutely legal programme to unpack the files infected by the virus and regain access to the data, while still enjoying the extra space created on the hard drive.

The Welchia virus also became famous for its good deeds. This was one of the most unusual worms in the history of cyber threats. Although its creators designed it to be malicious, Welchia did not in fact cause any harm. On the contrary, it helped to remove the dangerous Lovesan worm, also known as Blaster, from the system. By imitating the behaviour of this malicious programme, Welchia penetrated a computer using vulnerabilities in legal software. Then it checked if Blaster was present in the processor memory: if so, it stopped its operation and deleted the entire malicious file from the disk. This was not the end of Welchia’s mercy mission: after eliminating the malware, the “benign” virus checked if there was an update in the system to patch the vulnerability through which the worm penetrated the system. If not, the virus initiated a download from the manufacturer’s site. Welchia then destroyed itself after completing all these operations.

“These examples of funny, innocuous and even helpful viruses are of course very rare exceptions to the general rule, and are essentially tales from bygone days. Modern malware writers are no longer cyber pranksters or newbie hackers learning the ropes in a new sphere of activity. Today, practically 100% of viruses are written with just one goal in mind: stealing money or confidential data,” said Alexander Gostev, Chief Security Expert at Global Research & Analysis Team, Kaspersky Lab.