Since the very earliest days of computer viruses, malware authors have been inspired by the Christmas holidays when developing attacks.
Here’s a quick, and probably incomplete, history of some of the Christmas-related malware that we have seen over the years.
“Christmas Tree” (also known as “CHRISTMA EXEC”), which spread in December 1987, was an early example of an email-aware worm.
Using the subject line
"Let this exec run and enjoy yourself!"
the worm would display EBCDIC character art of a Christmas tree and forward itself via email to other users if activated.
The worm was blamed on a German student, who claimed he just wanted to send greetings to his friends.
In 1990, the Christmas Tree worm resurfaced, forcing IBM to shut down its 350,000 network of terminals.
The WM97/Melissa-AG virus (also known as Prilissa) infected Microsoft word documents, spreading via email using the subject line
Message from <username>
and the message text:
This document is very Important and you've GOT to read this !!!
Opening the attached DOC file, however, would infect your computer. The payload would trigger on December 25th, displaying a message:
and inserting randomly coloured blocks in the current Word document.
As a final destructive gesture, the virus would attempt to format the C: drive on the next reboot.
Meanwhile, rumours were spreading far and wide that a game called “Elf Bowling” was infected with a computer virus.
The game which showed Santa Claus trying to knock down a pack of elves with a bowling ball, caused panic amongst companies terrified of computer viruses, and Sophos was deluged with requests for more information about the “virus” which was said to trigger on December 25th.
A typical warning being spread across the internet read:
If anyone has sent you, a game called "elfbowl.exe" (cool> game, tenpin bowling with little elves as pins), it apparently has a virus that will be activated on December 25th. Either take a risk, or delete before then.
However, all copies of the game examined by Sophos researchers were found to be uninfected, and the warnings were nothing more than a hoax wasting users’ time.
Sophos’s staff did enjoy testing the game intensively, however.
The W32/Navidad virus spead via email, masquerading as an electronic Christmas card.
Infected computers could be identified by the mysterious blue eye icons it would place in the Windows system tray.
Users who moved their mouse cursor over the eyes would be presented with a variety of different messages:
Another example of malware which tried to leave its mark on the holiday season in 2000 was the W32/Music email-aware worm.
Sending out messages similar to “Hi, just testing email using Merry Christmas music file, you’ll like it.”, the worm was attached as a file called music.com, music.exe or music.zip.
When run the worm attempts to play the first few bars of the song “We wish you a Merry Christmas” and displays a cartoon of Santa Claus with the caption “Music is playing, turn on your speaker if you have one” or “There is error in your sound system, music can’t be heard.”
The Maldal virus spread via email, again using the tried-and-trusted technique of pretending to be a seasonal electronic greeting card called Christmas.exe.
Once installed, the Maldal malware would display a picture of Santa Claus on skis accompanied by a prancing reindeer, with the message “From the heart, Happy new year!”.
The Zafi-D virus spread fear rather than cheer, attached to emails offering offering seasonal greetings. The virus, created in Hungary, could communicate in a variety of languages – spreading messages such as “FW: Merry Christmas”, “Joyeux Noel!” and “Feliz Navidad!”
In a somewhat un-Christmassy twist, it embedded a vulgar animated GIF graphic of two “smiley” faces which appeared to be enjoying themselves in a way that would make Rudolph the reindeer red-faced as well as red-nosed.
At its height, a staggering one in every ten emails was infected by the Zafi-D virus.
The creators of the Dorf-AE worm (also known as the Storm worm) launched an attack that posed as a sexy striptease being performed by none other than the wife of Santa Claus.
Using a wide variety of subject lines, including “Your Secret Santa”, “Santa Said, HO HO HO”, “Warm Up this Christmas” and “Mrs. Clause Is Out Tonight!”, the emails attempted to direct internet users to a website containing images of scantily clad young women in a Santa suit.
The pesky Koobface worm, which targets users of social networks such as Facebook, adopted a Christmas disguise by hiding on a Santa-themed webpage.
The webpage pretended that you need to install an update to Adobe Flash Player but that was, of course, in reality a carrier for a version of the worm.
There are, no doubt, plenty of other examples of Christmas-related malware we have seen in the past – but hopefully this gives you an insight into some of the more visual examples we have seen in the past at least.
Remember that you need to take computer security seriously all year around – don’t let your guard drop and don’t fall into bad habits just because it’s the holiday season. My colleague Paul Ducklin has written up some guidelines for staying safe online this Christmas, and even made a cheery video to get you in the mood.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)