Many members of our team have been in cybersecurity for some time now. With the recent news about the latest COVID variant, the oldest of us were reminded of the curious tale of the “original” Omicron virus. Sit back and relax for a vintage cybersecurity tale from Fernando Braquehais, founder and head of development.
A few days ago, revising a colleague’s merge request, the Omicron variant of COVID-19 came up. I mentioned what a huge coincidence it was that this variant had the world turned upside down exactly like the famed Flip/Omicron computer virus from decades ago.
His blank look made me realize that probably only the oldest of us IT folk remember that the first appearance of an Omicron virus was not a coronavirus but a computer virus, dating back to the early 1990s. Although it is hard to find information nowadays about it, it was also known as “Flip”. This is what the F-Secure virus encyclopedia tells us about it:
When the virus activates on a computer with an EGA or VGA display adapter, it will “flip” the screen horizontally and switch to a special character set, which reverses each character. This effect only happens on the second day of each month, between 16:00 and 16:59. The Tequila virus is clearly derived from Flip, and is probably from the same author.
Flip contains this encrypted text: “OMICRON by PsychoBlast”.
This virus came about at a time when the Internet and digital technology in general were virtually unknown to most people and looked quite a bit different from today. In the 1990s, infecting hundreds of computers across the globe, although it mostly disrupted European countries.
The story begins in July, 1990 in West Germany, which is where this virus was detected for the first time. It was baptized Flip-2343 (the number coming from the size of the virus—2,343 bytes).
The Flip virus was a total novelty in its day, thanks to its utter sophistication. It was one of the first “multipartite” viruses, a virus that is capable of infecting machines using different methods. In the case of the Flip virus, it was capable of infecting executables and also modify the master boot record of hard drives which allowed it to survive restarts thereby “gaining persistence”. Curiously there is also the concept of “multipartite” biological viruses, which are those made by different segmented genomes that are able to infect different types of cells (although SARS-CoV-2 is not this type of virus).
The Flip virus was also known as the Omicron virus, as it contained the “OMICRON by PsychoBlast” string. Its main characteristic was the fact that it flipped the screen’s content horizontally on the second day of every month, between 4:00 and 4:59pm.
It is believed that the virus was created in Switzerland by two brothers, 18 and 21 years old. These same brothers later created the Tequila virus, which was even more widespread and was one of the first polymorphic viruses that became something more than a proof of concept.
In Spain, the virus became known as “the tax virus” since it was distributed with a program used to do tax returns (likely via an infected floppy disk copied many times over). The virus caused a big scare in around 100 Spanish companies on September 2, 1991, although by October 2 it seemed to have mostly died out, affecting only a few smaller companies.
“Flip” had many variants, from the years 1990 to 1994 (Flip-2153, Flip-2153B, Flip-2153C, Flip-2343B, Prism and Raistlin), with such improvements as higher infection rate and the ability to avoid antivirus programs at the time. Sound familiar?
The Patricia Hoffman’s Virus Information Summary List web page has a great entry for the “Flip” virus:
If you manage to find the book “Computer viruses in MS-DOS” written in 1992 by Eugene Kaspersky you may be able to get some insights on the virus on pages 103 and 104:
…if you can read Russian, that is.
In another coincidence, the Omicron computer virus of the nineties and the Omicron variant of the biological virus of today both have mysterious provenance. The best article I was able to find about it is this article from “El País” (the principal Spanish newspaper) published on Sep 6, 1991.
It is truly amazing, it talks about how the virus increases infected binaries’ size by 2.153 bytes, and how there were two versions of it (“A” and “B”). The article states it was the latter that “was the less dangerous one”, the one that affected Spanish companies.
Then they estimate that a hundred enterprises (40 of them “big companies”) may have been infected by it. The article even dares to say that it was developed in Taiwan (yes, in the good old days, they risked everything for public attribution!). However, the most amazing thing is people elaborated the wildest theories about it:
Last Monday, the letters on a PC belonging to the Ramón Borja company in Torrejón de Ardoz turned upside down as two fighter planes passed overhead at low altitude. Technicians from Olivetti, the PC’s manufacturer, explained that the vibrations produced by the planes could have altered the computer’s graphics cards. However, it was the virus.
“It doesn’t make sense to think that the texts turned upside down because of interference from passing fighter planes,” Perea adds.1
Read further about the first Omicron virus at some of these links:
Technical analysis of the virus:
Antivirus vendors and virus encyclopedias references:
Fernando Braquehais is a founder and Head of Development at CounterCraft.