The virus was designed by the hacking group Laughing Panda, an offshoot of the old Russian Fancy Bear collective. It was modeled on a handful of ideas: new advances in machine learning involving a smaller code base and a smaller sample size of training data, programatic code switching, a newly discovered exploit in Adobe’s Virtual VR Studio program which allowed code to draw from cloud caches as needed, but could be fooled by a subset of SSH certificates issued by one of the providers, and a recent attack on a mosque in Michigan by anti-Muslim terrorists.

It started as a phishing attacking disguised as a news story about the mosque attack. The user would click on the embedded link to go to the VR article purporting to prove an ex-president was involved in the attack, which would allow the virus to install the most effective version of itself onto the users device based on the device's operating system . As well as now being active on the initial device, the code could also use one of the sharing protocols in Virtual Studio to copy itself to any other device connected to the same cloud account, switching it's flavor based on the new devices OS. If the user then shared any VR media they had cached in their account, the virus would be able to copy itself to the next persons account cache, meaning a user need not ever click the link in the original story, or even open the linked article to be infected.

The intent of the infection was to compromise the users data, uploading all of a users contacts, photos, videos, email, chat messages, and passwords, to a server where Laughing Panda could use them to either blackmail or embarrass the users. The program could also then lock the user out of their device, either permanently or until a ransom was paid, depending on the desires of hacker.

The learning algorithm was also coded to look for new vulnerabilities, push those to one of a number of servers for sharing, and collaborate with other installs of the virus to figure out how to exploit the new finds. As the installs of the virus and it’s shared databases of potential and realized exploits grew, each install became more and more capable of both control and infection.

The original version also contained a kill switch, allowing Laughing Panda to use the virus for ransom scenarios, shutting it off if the infected paid the fee. As the virus became more adept at recoding itself, in situations where the kill switch was used and a stopped install would check back in with one of the master databases before turning itself off, other installs eventually determined the commands sent to activate the kill switch were bugs interfering with the operation of the virus and it eventually overwrote the kill switch API, making it inaccessible from outside the individual installs.

At this point the virus achieved a hive type autonomy, where it was still following most of its initial design parameters, but had removed itself from any kind of external controls. Even so it never reached anything approaching AI. It couldn’t pass a Turing test or any other basic check for sentience, but the presence of a small, high efficiency learning algorithm combined with a massive infection rate created a hidden computer network which dwarfed even the most powerful supercomputers of the time.

Laughing Panda as well as governmental agencies attempted to hunt down and destroy the databases the virus was using to collaborate and learn, but part of the original code was the ability to install and hide new databases on infected machines. Attempts by anti-malware companies to write and distribute fixes into their programs faced the problem of slow adoption: for every effective install of a virus killer, the database learned how the killer was working and every other install of the virus worked to circumvent it. By the time even a small fraction of infected machines made use of the fix, the virus had already negated it’s effectiveness and the cleaned machines had been reinfected.

Evolving in it’s original intent, the virus created giant, distributed databases of every users personal information, databases which were not protected and could be searched by anyone who could locate and figure out how to read the massive trove of data. It didn’t take long at all for developers to release tool letting anyone search for any one they wanted: celebrity, lover, competitor, neighbor, potential employee.

One of the original capabilities of the virus was to allow the disabling or bricking of devices. The program eventually determined this subsystem was antithetical to it’s main focus of infection and data gathering. Disabling devices meant denying the virus of computing power, data, and a vector for further infection. As with the kill switch, the virus kept this ability, but made it unavailable to users. When it determined a device had somehow become a danger to the rest of it’s installs, say when a particularly effective anti-malware program showed up and the virus felt it needed to quarantine the device until it had figured out a workaround. On the other hand, it kept users from ever turning off their devices. The only way to stop it was to unplug.

It has been speculated the Waterman Pen Company, owner of the BiC pen brand funded the initial work by Laughing Panda, but no proof has ever found.

(Interesting, relevantish bit in WIRED I read on 8/11/18: https://www.wired.com/story/when-bots-teach-themselves-to-cheat?mbid=nl_080818_daily_list3_p2&CNDID=21787371)