A short history of Christmas malware

Graham Cluley

Since the very earliest days of computer viruses, malware authors have been inspired by the Christmas holidays when developing attacks.

Here’s a quick, and probably incomplete, history of some of the Christmas-related malware that we have seen over the years.

Christmas 1987
“Christmas Tree” (also known as “CHRISTMA EXEC”), which spread in December 1987, was an early example of an email-aware worm.

Using the subject line

“Let this exec run and enjoy yourself!”

the worm would display EBCDIC character art of a Christmas tree and forward itself via email to other users if activated.

Christmas Tree Exec

The worm was blamed on a German student, who claimed he just wanted to send greetings to his friends.

In 1990, the Christmas Tree worm resurfaced, forcing IBM to shut down its network of 350,000 terminals.


Christmas 1999
The WM97/Melissa-AG virus (also known as Prilissa) infected Microsoft Word documents, spreading via email using the subject line

Message from <username>

and the message text:

This document is very Important and you’ve GOT to read this !!!

Opening the attached DOC file, however, would infect your computer. The payload would trigger on December 25th, displaying a message:

[Image: Prilissa message]

and inserting randomly coloured blocks in the current Word document.

Prilissa payload

As a final destructive gesture, the virus would attempt to format the C: drive on the next reboot.

Meanwhile, rumours were spreading far and wide that a game called “Elf Bowling” was infected with a computer virus.

The game, which showed Santa Claus trying to knock down a pack of elves with a bowling ball, caused panic amongst companies terrified of computer viruses, and Sophos was deluged with requests for more information about the “virus” which was said to trigger on December 25th.

Elfbowling

A typical warning being spread across the internet read:

If anyone has sent you, a game called “elfbowl.exe” (cool game, tenpin bowling with little elves as pins), it apparently has a virus that will be activated on December 25th. Either take a risk, or delete before then.

However, all copies of the game examined by Sophos researchers were found to be uninfected, and the warnings were nothing more than a hoax wasting users’ time.

Sophos’s staff did enjoy testing the game intensively, however.

Christmas 2000
The W32/Navidad virus spread via email, masquerading as an electronic Christmas card.

Infected computers could be identified by the mysterious blue eye icons it would place in the Windows system tray.

Navidad eyes

Users who moved their mouse cursor over the eyes would be presented with a variety of different messages:

[Image: Navidad virus]

Another example of malware which tried to leave its mark on the holiday season in 2000 was the W32/Music email-aware worm.

Sending out messages similar to “Hi, just testing email using Merry Christmas music file, you’ll like it.”, the worm was attached as a file called music.com, music.exe or music.zip.

W32/Music worm

When run, the worm attempts to play the first few bars of the song “We wish you a Merry Christmas” and displays a cartoon of Santa Claus with the caption “Music is playing, turn on your speaker if you have one” or “There is error in your sound system, music can’t be heard.”

Christmas 2001
The Maldal virus spread via email, again using the tried-and-trusted technique of pretending to be a seasonal electronic greeting card called Christmas.exe.

Maldal virus

Once installed, the Maldal malware would display a picture of Santa Claus on skis accompanied by a prancing reindeer, with the message “From the heart, Happy new year!”.

Maldal virus

Christmas 2004
The Zafi-D virus spread fear rather than cheer, attached to emails offering seasonal greetings. The virus, created in Hungary, could communicate in a variety of languages – spreading messages such as “FW: Merry Christmas”, “Joyeux Noel!” and “Feliz Navidad!”

In a somewhat un-Christmassy twist, it embedded a vulgar animated GIF graphic of two “smiley” faces which appeared to be enjoying themselves in a way that would make Rudolph the reindeer red-faced as well as red-nosed.

Zafi-D virus

At its height, a staggering one in every ten emails was infected by the Zafi-D virus.

Christmas 2007
The creators of the Dorf-AE worm (also known as the Storm worm) launched an attack that posed as a sexy striptease being performed by none other than the wife of Santa Claus.

Using a wide variety of subject lines, including “Your Secret Santa”, “Santa Said, HO HO HO”, “Warm Up this Christmas” and “Mrs. Clause Is Out Tonight!”, the emails attempted to direct internet users to a website containing images of scantily clad young women in a Santa suit.

Santa striptease

Christmas 2009
The pesky Koobface worm, which targets users of social networks such as Facebook, adopted a Christmas disguise by hiding on a Santa-themed webpage.

Christmas Koobface

The webpage pretended that you needed to install an update to Adobe Flash Player, but the “update” was, of course, in reality a carrier for a version of the worm.

There are, no doubt, plenty of other examples of Christmas-related malware – but hopefully this gives you an insight into at least some of the more visual examples we have seen in the past.

Remember that you need to take computer security seriously all year round – don’t let your guard drop and don’t fall into bad habits just because it’s the holiday season. My colleague Paul Ducklin has shared some guidelines for staying safe online this Christmas, and even made a cheery video to get you in the mood.

https://youtube.com/watch?v=3vWvX86cczc


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
