
Worm

A worm is a self-reproducing program that does not infect other programs as a virus will, but instead creates copies of itself, and these create even more copies. 

Worms are usually seen on networks and on multi-processing operating systems, where the worm will create copies of itself that are also executed. Each new copy will create more copies, quickly clogging the system.

The so-called ARPANET/INTERNET "virus" was actually a worm. It created copies of itself through the network, eventually bringing the network to its knees. It did not infect other programs as a virus would, but simply kept creating copies of itself that would then execute and try to spread to other machines.

Most computer worms spread by e-mail, normally in a file attached to the message. When the file is run, the worm sends itself out to all contacts in the user's address book, or to addresses found in other applications or files. However, as users got wise to these techniques, worm creators realized that they would have to become more sophisticated if they wanted their creations to spread across the Internet. For that reason, they have modified their code so that it can reach a larger number of computers. As a result, worms can be classified into the following groups:

- "Social engineering" worms use techniques to trick the user into running the file that contains the malicious code. LoveLetter was probably the most effective virus of this type. With just three words, "I Love You", this worm managed to infect hundreds of thousands of computers around the world.

- Worms with their own SMTP engine. This allows the malicious code to send itself out without the user realizing and without leaving any traces of its activity. They can use either the SMTP server that the user of the affected computer normally uses or a default server defined by the virus writer. Worms of this type include Lentin.L, which, regardless of the mail reader, sends itself out to the addresses in Windows, MSN Messenger, .NET Messenger, Yahoo Pager, and all those it finds in the HTM files on the computer.

- Worms that exploit vulnerabilities in commonly used software. These are designed to exploit security holes in the most widely used programs, such as e-mail clients, Internet browsers, etc. By doing this they can carry out a wide range of actions, including the ability to run automatically. This group includes the worms Nimda and Klez.I, which exploit a vulnerability in the Internet Explorer browser to run automatically when the message carrying the worm is viewed in the preview pane. Others exploit vulnerabilities in servers, such as CodeRed, which targeted IIS servers, or Slammer, which attacks SQL servers.

Worms can spread in a variety of ways (using their own SMTP engine, exploiting vulnerabilities, etc.). The following list describes further methods used by this type of malicious code to propagate.

- Spreading through local networks. These worms spread across resources shared on LANs, and can even crash the network. Some examples of this type of worm include Lovgate, Sobig or the dangerous Bugbear.B.

- Spreading through P2P (peer-to-peer) applications. The popularity of these kinds of applications, designed to allow Internet users to swap files, has turned programs like KaZaA or iMesh into excellent means of transmitting malicious code. In order to exploit these programs, these worms create files in the shared directories of these applications, with names that trick other users into downloading them to their computers. Redisto.B or Fizzer are examples of this kind of worm.

- Spreading through IRC and similar applications. This method is normally used as a complementary means of transmission, as the majority of worms designed to spread through chat or instant messaging programs also use e-mail.

- Hiding in the HTML code of e-mail messages. This means of transmission allows a worm to infect a computer without needing the user to perform any operations. An example of this type is Kakworm, which spreads by hiding in the AutoSignature of the e-mail messages sent from the affected computer. It is then automatically run when the message is viewed through the preview pane in Outlook.

- Spreading directly across the Internet. This kind of virus does not need any carrier to spread from one computer to another, as its strategy is to look for unprotected communication ports in order to get into a computer without the user realizing.
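
Two of the propagation methods above, worms with their own SMTP engine and worms that spread directly across the Internet, leave a recognizable pattern in network flow records. The following detector is an added example, not part of the original page; the relay address, thresholds, record format and sample flows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values): sanctioned relay and thresholds.
APPROVED_RELAYS = {"10.0.0.25"}
FANOUT_THRESHOLD = 5            # distinct destinations on one port within WINDOW
WINDOW = timedelta(seconds=60)

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2003-01-25T05:30:00 10.0.1.10 10.0.0.25 25
2003-01-25T05:30:02 10.0.1.11 198.51.100.7 25
2003-01-25T05:30:03 10.0.1.11 203.0.113.9 25
2003-01-25T05:30:04 10.0.1.12 192.0.2.1 1434
2003-01-25T05:30:05 10.0.1.12 192.0.2.2 1434
2003-01-25T05:30:06 10.0.1.12 192.0.2.3 1434
2003-01-25T05:30:07 10.0.1.12 192.0.2.4 1434
2003-01-25T05:30:08 10.0.1.12 192.0.2.5 1434
2003-01-25T05:31:00 10.0.1.13 192.0.2.10 443
2003-01-25T05:31:40 10.0.1.13 192.0.2.11 443
2003-01-25T05:32:20 10.0.1.13 192.0.2.12 443
2003-01-25T05:33:00 10.0.1.13 192.0.2.13 443
2003-01-25T05:33:40 10.0.1.13 192.0.2.14 443
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def detect(text):
    """Return {src_ip: set of reasons} for hosts with worm-like traffic."""
    alerts, recent = defaultdict(set), defaultdict(list)
    for ts, src, dst, port in sorted(parse(text)):
        # Own SMTP engine: a host speaking SMTP to anything but the relay.
        if port == 25 and dst not in APPROVED_RELAYS and src not in APPROVED_RELAYS:
            alerts[src].add("direct-smtp")
        # Direct spreading: one source reaching many hosts on the same port.
        key = (src, port)
        recent[key] = [(t, d) for t, d in recent[key] if ts - t <= WINDOW]
        recent[key].append((ts, dst))
        if len({d for _, d in recent[key]}) >= FANOUT_THRESHOLD:
            alerts[src].add(f"fanout-port-{port}")
    return dict(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS))
```

A worm that relays through the user's normal SMTP server does not trigger the direct-smtp rule; catching that case requires counting recipients per sender at the relay itself.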