Approaching Zero

by Paul Mungo

Meanwhile, Teodor continued experimenting. By December 15, 1988 he had advanced to Version 8. On this variant the payload--the innocuous beep--now sounded only when an infected computer was restarted from the keyboard (a "warm reboot"), allowing it to remain hidden for longer. In the best programming tradition, all his improvements were duly documented and given version numbers as they appeared.

Later in December a new Bulgarian virus was discovered. It carried a text string which said it had been authored by a Vladimir Botchev. The bug was almost certainly written in response to one of Vesko's magazine articles: in November Vesko had stated that it would be "difficult" to write a virus that could infect all EXE files, including the longer ones, and Vladimir had presumably seen that as a challenge. His virus appeared less than a month after the article was published. It employed a novel and technically elegant device that enabled it to attach itself to any EXE file, no matter what length. After it infected a file it played the tune "Yankee Doodle"--in celebration, perhaps.

This virus was generally not damaging--its payload was the tune--and because it was easy to detect, it never spread. But the new bug's payload was immediately copied by Teodor in his new variant, Version 18, which appeared on January 6, 1989. This one didn't beep; instead it played "Yankee Doodle," which Teodor had lifted, note for note, straight from Vladimir's program.

Five days later, Teodor produced Version 21, which could remove the virus from infected files if a more recent version of this bug attacked the same system. Then, on February 6, 1989, Version 30 appeared. It incorporated a "detection and repair" capability that would warn the virus if it had been modified or corrupted while replicating. Eerily, it could then fix the damage itself by changing the corrupted instructions back to their original form. It was a kind of artificial life, though the repair capability was limited (it could handle only changes of up to 16 bytes in length).

By the end of February Teodor was on to Version 39 and his virus was now full of tricks: it could infect EXE files of any size, and it could even evade antiviral software. As soon as it noted the presence of a detection program, it would detach itself from the infected file and hide elsewhere in the computer's memory.

With Version 42, which appeared in March, his virus took on a new role: virus fighter. The Ping Pong boot-sector virus, which is believed to have been created at Turin University in Italy, had now reached Bulgaria. Ping Pong (also called Bouncing Ball) was a joke virus: from time to time it simply sent a dot careering around the screen, like a ball in a squash court. Teodor's new virus could detect Ping Pong and was able to modify it in such a way that, after a time, it destroyed itself, leaving behind its corpse. He persisted with the tune "Yankee Doodle" as his payload, but he varied the time and frequency it would play. One of his next variants was Version 44, which plays the tune every eight days at 5 P.M. This was the version destined to become the most widely traveled of all Teodor's viruses: once again, it escaped from his office machine, probably on a diskette, and spread through Bulgaria; on September 30, 1989 it was sighted in offices of the United Nations in Vienna; and from there, now known as Yankee Doodle, it traveled the world. It was this version which caused mayhem at the California publishing house in July 1991.

Teodor continued to develop his virus. The last variant was Version 50, by which time it had been given the additional power to detect and destroy the Cascade bug, which had just arrived in Bulgaria from Austria. Cascade was another joke virus: it caused the letters on a computer terminal to fall down and pile up in heaps at the bottom of the screen to an accompanying clicking noise. After it had finished its performance, a user could resume his work--though he would need to replace the letters and words that had fallen from his screen. It wasn't particularly damaging, though the operator's nerves could well have been frayed.

After Version 50 Teodor began to explore some of his other ideas. One was a joke virus that hopped around a hard disk while challenging the operator to FIND ME! It was unusual in that it was nearly undetectable: unlike other viruses, Find Me! wouldn't infect the boot sector or a program file. It created its own home within infected systems by stealing the name of an EXE file and attributing it to a new COM file; this new COM file became its hiding place.