This episode of SciShow might make you a little paranoid about computer viruses and internet security. But that’s probably a good thing. When we talk about a computer virus, we usually mean any kind of code that’s designed to do harm and spread itself to more computers. They’re created by malicious programmers who might want to use your computer to attack other targets, or make money by stealing your personal information. They could also just be trying to see how far their virus will spread. Different viruses can affect Windows, Mac, and Linux computers, and even the data servers that keep companies, and the internet itself, running. Antivirus programs help, but they can have trouble dealing with threats they’ve never seen before.
Over the years, there have been thousands and thousands of viruses spread online, and they’ve caused billions of dollars of damage from lost productivity, wasted resources, and broken machines. A few dozen of those viruses stand out, some spread especially quickly, or affected a lot of people, or created a ton of damage all by themselves. Some did all of the above. Since a lot of viruses were very bad, in a lot of different ways, it’s hard to pick out which ones were objectively the worst. But with that in mind, here are 5 of those extra-destructive viruses. These are snippets of code that changed the way people thought about computer security, both the people designing the viruses, and the people trying to protect against them.
Say it’s May 1999. You’re an unsuspecting computer user who’s never gotten a virus, let alone been trained to look for the signs that an email might be malicious. You get an email from someone you know, with a subject line that says it’s an important message. The message inside just says “Here’s that document you asked for … don’t show anyone else,” with a winking emoticon. The attachment is a Word document labeled “LIST.” So you click on it, because you’re curious … and a list of porn sites pops up. At this point, you realize the email was probably some kind of virus. But it’s too late, the first 50 people in your address book have already gotten a copy of the exact same email, with a subject line saying that the message is from you.
That was the Melissa virus. It spread through Microsoft’s Outlook email program, and even though the attachment seemed like an innocent Word document, it was able to infect computers because of something called a macro. A macro is a specific kind of computer program that’s used to create shortcuts. In Word, they’re meant to make it easier to edit a document. Instead of manually making a set of changes to the document one by one, a macro is a piece of code that will let you do it all with one click. The problem is, that functionality gives macros a lot of power over your computer.
So a macro that’s actually a virus, like Melissa, takes advantage of that power using malicious code. In just a few days, Melissa spread to hundreds of thousands of computers. It didn’t do any damage to the computers themselves, but it did make email services slow WAY down, and cost companies about $80 million overall. Eventually, IT professionals and antivirus programs put safeguards in place to stop the virus, both by preventing the emails from sending, and by keeping them from reaching other people’s inboxes if they DID send.
The programmer behind the virus, David L. Smith, was caught about a week after Melissa was first released. He spent 20 months in prison and paid a $5000 fine. Why Melissa? Apparently that was the name of a stripper he met in Florida.
Melissa spread very quickly because of social engineering: it was designed to make people curious enough to open the attachment. The ILOVEYOU virus, which spread about a year later, in May of 2000, was also successful because of social engineering. It reached around 45 million computers in just two days, and caused about $10 billion dollars in damage.
The infected email had the subject line “ILOVEYOU”, and came with an attachment titled “love letter for you.txt”. When you clicked on the attachment, the virus would go through your system’s files, looking for media like documents, images, and audio files. Then it would overwrite them with copies of itself, so if you didn’t have your files backed up, you’d lose all your data. Meanwhile, the virus would send itself to everyone in your address book. ILOVEYOU was a type of virus called a worm, which means that it was a standalone program that didn’t use a host program to run, the way Melissa used Microsoft Word.
It looked like a text document, so opening it seemed relatively harmless, but the “love letter for you” file was actually a type of file called a Visual Basic script, which uses the file extension .vbs. Users couldn’t see the .vbs at the end of the filename, though, because the Windows operating system they were using was hiding file extensions by default. Visual Basic scripts send your computer a list of instructions to execute. So if they’re meant to cause harm, they can be very dangerous, and do things like delete all of your files. Like Melissa, the ILOVEYOU worm was mostly contained after a few days.
It was filtered out of people’s inboxes and companies released fixes for machines that had been infected. But plenty of damage had already been done. The virus was attributed to two programmers in the Philippines. But even though they were both arrested, they were released because at the time, there weren’t any laws against what they’d done. ILOVEYOU showed just how easily, and quickly, a worm could spread, and how much damage it could do.
On January 25, 2003, just before 6 AM, the internet broke. South Korea lost both internet and cell phone service. 300,000 people in Portugal couldn’t connect to the internet.
Airlines couldn’t process tickets and had to cancel flights. Bank ATMs went down. 911 in Seattle had to start using paper to log calls. Even for a lot of devices that were still connected to the internet, the connections had become suddenly very slow, even by 2003 standards. So what happened? As you can probably guess by now, all of this chaos was caused by a virus. But it wasn’t the kind of virus that spreads through email, or infects the sort of computer most people have at home.
Slammer was a worm that targeted SQL servers, which store databases using a piece of Microsoft software called … Microsoft SQL Server. It worked by taking advantage of a bug in the software: it sent the server a specially-formatted piece of code, one that looked like it was just an ordinary request for information, but actually reprogrammed the server to send out more copies of the same worm. The worm spread faster than any other virus ever had, infecting 75,000 servers in just 10 minutes. Those servers were all sending requests to thousands of other servers, which couldn’t handle all the traffic. In all, millions of servers were affected, and the internet went kaput for a while.
Slammer is thought to have caused about $1.2 billion in damage before it was stopped, and the programmer behind it was never caught. The whole mess could have been prevented, though: six months earlier, Microsoft released a fix for the bug that Slammer exploited, but lots of people just hadn’t installed it yet.
The 2007 Storm Worm was another worm that spread through email. But its purpose wasn’t to destroy your computer or information, it wanted to take over your computer instead. The original subject line read “230 dead as storm batters europe,” which is where the virus gets its name. But instead of an attachment, the email contained a link to a website, which promptly downloaded the virus onto the user’s machine.
And then … nothing happened. Or at least, nothing the user could see. Storm Worm was designed to be as invisible as possible, so that you wouldn’t detect and destroy it. This way, it was able to use your computer to do all kinds of stuff in the background. The virus would connect your machine to what’s known as a bot-net, a collection of computers that form a network. A bot-net can do all kinds of things, from launching coordinated attacks that slow down or disable the web servers that keep a company going, to stealing passwords, banking, and identity information. But at first, the network didn’t actually do very much, it just grew. Antivirus and IT companies knew it was there, but it was hard to stop it.
For one thing, different machines in the network had different jobs. Only a small fraction of infected computers were in charge of spreading the virus. Another small set of computers served as the command-and-control centers, which sent out instructions and helped control the rest of the bot-net. The rest just followed those instructions. So even if you shut down most of the computers spreading the virus, the network would still be out there, doing its thing. But it was hard to stop Storm Worm from spreading in the first place.
Sure, it started out as an email about a storm in Europe, but soon there were emails with all kinds of different headlines. And since they were coming from someone in your address book, they seemed relatively innocent. To make matters worse, antivirus programs had trouble finding the virus on an infected machine. The code for Storm Worm was designed to change every half hour, so it always looked different.
At its peak, the Storm Worm bot-net consisted of about 1.5 million machines. The programmers didn’t seem to be using it for anything nefarious, though, they just sold the network to other criminals and scammers. After a while, companies did figure out how to stop the virus from spreading. They removed it from infected machines, and by late 2008, the bot-net was mostly gone. But, like with Slammer, the people behind it were never caught.
Mebroot is also a virus that slowly started to spread in 2007.
And its main goal was also to hook you up to a bot-net, called Torpig. Both are especially sophisticated. Mebroot usually gets into your computer via a drive-by download, where you visit a malicious web page and the program downloads in the background without you even knowing it. From there, it overwrites what’s known as the Master Boot Record, the part of your computer’s hard drive that stores the instructions that tell your computer how to start up. Being able to control the Master Boot Record gives Mebroot a lot of power, because it can tell your computer what to do right from the start. And what it tells your computer is to connect to the Torpig bot-net … which then steals all of your information.
Torpig uses a spying technique known as Man-in-the-Browser, which is as creepy as it sounds. It lurks in your browser, logging everything you do and any private information you happen to enter. It’ll also try to actively steal information, using fake websites that look and behave exactly like the originals, but send the data to the Torpig servers instead. And all the while, you’d never know it was there. By late 2008, Torpig had stolen info connected to 500,000 bank accounts, and again, the people who created it haven’t been caught.
By now, you might be wondering whether a worm will make the internet go down tomorrow, or whether your computer is secretly part of a bot-net. And I don’t really blame you. There are things you can do to avoid getting viruses: install an antivirus program. Don’t click on suspicious links or emails from Nigerian princes. Keep your operating system and computer programs updated with the latest security patches.
Computers are amazing, but they just do what they’re told, and when viruses tell them to do bad things, it can create a lot of damage. Thanks for watching this episode of SciShow, brought to you by our patrons on Patreon. If you want to help support the show, just go to patreon.com/scishow. And don’t forget to go to youtube.com/scishow and subscribe!