First Computer Virus

The most important feature of a computer virus is his ability to self-replicate (in a sense every self-replicating program can be called a virus). The idea of self-replicating programs can be traced back as early as 1949, when the mathematician John von Neumann envisioned specialized computers or self-replicating automata, that could build copies of themselves and pass on their programming to their progeny.

If a computer virus has the ability to self-replicate over a computer network, e.g. Internet, it is called worm.

It is not known who created the first self-replicating program in the world, but it is clear that the first worm in the world (so called the Creeper worm) was created by the BBN engineer Robert (Bob) H. Thomas probably around 1970.

The company BBN Technologies (originally Bolt, Beranek and Newman) is a high-technology company, based in Cambridge, Massachusetts, which played an extremely important role in the development of packet switching networks (including the ARPANET and the Internet).

A number of well-known computer luminaries have worked at BBN, including Robert Kahn, J. C. R. Licklider, Marvin Minsky, Ray Tomlinson, etc. Between them was the researcher Robert H. (Bob) Thomas, working in a small group of programmers who were developing a time-sharing system called TENEX, that ran on Digital PDP-10 (see the lower image).

The first PDP-10 model (KA10) in a large configuration: disk drives (lower left) and printer (lower right) in the foreground, CPU and DECtapes right center, memory cabinets to its left and a swapping disk and controller to their left, then data channels and 9-track tapes to its right. The Teletype console is sitting on the floor near the control panel. Just above the control panel and below the bottom DECtape drive is the paper-tape reader/punch.

Let's clarify, the Creeper wasn't a real virus, not only because the notion computer virus didn't exist in 1970s, but also because it was actually an experimental self-replicating program, not destined to damage, but to demonstrate a mobile application.

Creeper was written in PDP-10 assembly, ran on the old Tenex operating system (Tenex is the OS which saw the first email programs, SNDMSG and READMAIL, in addition to the use of the "@" symbol on email addresses), and used the ARPANET (predecessor of the current Internet) to infect DEC PDP-10 computers running the TENEX. Creeper caused infected systems to display the message "I'M THE CREEPER : CATCH ME IF YOU CAN.

The Creeper would start to print a file, but then stop, find another Tenex system, open a connection, pick itself up and transfer to the other machine (along with its external state, files, etc.), and then start running on the new machine, displaying the message. The program rarely if ever actually replicated itself, rather it jumped from one system to another, attempting to remove itself from previous systems as it propagated forward, thus Creeper didn't install multiple instances of itself on several targets, actually it just moseyed around a network (the techniques developed in Creeper were later used in the McROSS (Multi-computer Route Oriented Simulation System), an air traffic simulator, to allow parts of the simulation to move across the network).

It is uncertain how much damage (if any) the Creeper actually caused. Most sources say the worm was little more than an annoyance. Some sources claim that Creeper replicated so many times, that it crowded out other programs, but the extent of the damage is unspecified. Anyway, it was immediately revealed the key problem with such worm programs: the problem with controlling the worm.

The Creeper program led to further work, including a version by a colleague of Thomas—Ray Tomlinson, that not only moved through the net, but also replicated itself at times. To complement this enhanced Creeper, the Reaper program was created, which moved through the net, replicating itself, and tried to find copies of Creeper and log them out. Thus, if Creeper was the first virus, then Reaper was the first anti-virus software.

***

Note from the author (Georgi Dalakov):After composition of this article, I referred to Mr. Ray Tomlinson with an appeal for comment. He was so kind to provide me one, as follows:

Your description agrees with my recollection, though I think it was somewhat later than 1970 and I don't recall some of the details you give, such as printing a file as evidence of its presence on a particular machine (though it must have done something to indicate its progress). I do recall making the modifications you indicate and thinking of it as the escalation of an arms race.

There was a server (or daemon or background process) (RSEXEC, I think it was called) running on the individual machines that supported this activity. That is, the creeper application was not exploiting a deficiency of the operating system. The research effort was intended to develop mechanisms for bringing applications to other machines with intention of moving the application to the most efficient computer for its task. For example, it might be preferable to move the application to the machine having the data (as opposed to bringing the data to the applications). Another use would be to bring the application to a machine that might have spare cycles because it is located in a different timezone where local users are not yet awake. The CREEPER application was a demonstration of such a mobile application.