Since 1990 virus researchers have pieced together a history of Yankee Doodle. It was first spotted in 1989 in the United Nations offices in Vienna on a computer game called Outrun. The game is proprietary, though unauthorized pirate copies are often passed , around on diskette. Someone, somewhere, is thought to have infected a copy of the game, accidentally or deliberately, and the Virus began its travels, first to Vienna, then around the world courtesy of the United Nations. Though there are known to be fifty-one versions of the virus, they are all based on one original prototype. And that program, despite the virus's all-American name, was written in Bulgaria.
In the same month that the California publishing company was trying to eradicate Yankee Doodle, a major financial-services house on the other side of the country was hit by another bug. This one wasn't a joke; it was deliberately malicious.
The first symptoms appeared when one of the secretaries was unable to print out a letter she had just entered into her computer. In such cases people usually follow the same routine: the secretary checked the paper, switched both the computer and the printer off and on, and then fiddled with the connecting cables. Still nothing printed out. Finally she rang her company's technical-support office.
When the specialist arrived, he began running tests on the affected machine. First he created a new document and tried printing it out, but that didn't work. He then guessed that the word-processing program itself was defective, that one of its files had become corrupted and was preventing the machine from printing. He went to another computer and copied out the list of program files used by the company, which showed the names of the programs and their size, in bytes (or characters). He then compared the files on the problem machine with the list. Everything matched, except that eight of the files on the affected computer were slightly larger than on the other. He checked the differences, and in each case the files on the problem machine were exactly 1,800 bytes larger.
With that information, the specialist knew immediately that the company had been hit by a virus; he also knew it was 1,800 bytes long and attached itself to program files. He called his supervisor, who hurried over with a virus-detection diskette. They inserted it in the infected computer and instructed it to check the machine for viruses. Program file names appeared briefly, one by one on the screen, as the virus detector bustled through its checks, examining each file for known bugs. After five minutes, a message appeared on the screen: it stated that eighty-three files had been checked and no virus had been found. In exasperation, the supervisor called the vendor of the virus-detection program.
"It does sound like you've got a virus," the vendor agreed. 'But if it's not getting picked up by our software, then it must be a new virus. Or a new strain of an old one."
Most virus-detection programs operate by looking for known characteristics of familiar viruses--in other words, for a string of text or a jumble of characters that is known to be contained within the program of a previously discovered bug. Such virus detection kits are, of course, unable to detect new or modified viruses.
At the suggestion of the vendor, the technical-support staff began a search of one of the infected files, looking for text or messages. Specialized software is needed to inspect the inside of the program file; during the inspection the screen displays a jumble of computer code. But within the code the staff saw two strings of text: EDDIE LIVES . . . SOMEWHERE IN TIME! said the first. The second announced: THIS PROGRAM WAS WRITTEN IN THE CITY OF SOFIA 1988--1989 (C) DARK AVENGER.
The supervisor phoned the vendor again: "Who the hell is the Dark Avenger?"
The short answer, the vendor explained patiently, is that no one knows. The Dark Avenger is an enigma. Most virus writers remain anonymous, their viruses appearing, seemingly, out of the ether, without provenance or claimed authorship, but the Dark Avenger is different: not only does he put his name to his viruses, he also signals where they were written--Sofia, the capital of Bulgaria. The Dark Avenger's viruses began seeping into the West in 1989. They are all highly contagious and maliciously destructive.
"The virus you've been hit with is called Eddie, or sometimes the Dark Avenger, the vendor told the increasingly worried technical-support supervisor. "It must be a new strain or something. That's why it wasn't picked up. Is there any other text message, a girl's name?"
