Computer worms

Introduction

Computer Worms are reproducing programs that run independently and travel across network connections. The main difference between viruses and worms is the method in which they reproduce and spread.

A virus is dependent upon a host file or boot sector, and the transfer of files between machines to spread, while a worm can run completely independently and spread itself through network connections.

An example of a worm is the famous internet worm of 1988: Overnight the worm copied itself across the internet, infecting every Sun-3 and VAX system with so many copies of itself that the systems were unusable. Eventually several sites disconnected themselves from the internet to avoid reinfection.

Different types of Computer Worms

Email Worms
Spreading goes via infected email messages. Any form of attachment or link in an email may contain a link to an infected website. In the first case activation starts when the user clicks on the attachment while in the second case the activation starts when clicking the link in the email.

Known methods to spread are:
- MS Outlook services
- Direct connection to SMTP servers using their own SMTP API
- Windows MAPI functions

This type of worm harvests an infected computer for email addresses from
- Windows Address Book database [WAB]
- MS Outlook address book
- Files with appropriate extensions will be scanned for email like strings

Be aware that during spreading some worms construct new sender addresses based on possible names combined with common domain names. So, the sender address in the email doesn't need to be the originator of the email.

Instant Messaging Worms
The spreading used is via instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these and email worms is the way chosen to send the links.

Internet Worms
Nasty ones. These ones will scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. Attempt will be made to connect to these machines and gain full access to them.

Another way is that the worms scan the Internet for machines still open for exploitation i.e. not patched. Data packets or requests will be send which install the worm or a worm downloader. If succeeded the worm will execute and there it goes again!

IRC Worms
Chat channels are the main target and the same infection/spreading method is used as above - sending infected files or links to infected websites. Infected file sending is less effective as the recipient needs to confirm receipt, save the file and open it before infection will take place.

File-sharing Networks Worms
Copies itself into a shared folder, most likely located on the local machine. The worm will place a copy of itself in a shared folder under a harmless name. Now the worm is ready for download via the P2P network and spreading of the infected file will continue.

Conclusion

Computer worms which spread like trojan horses can best be defended against by not opening attachments in your e-mail. These infected attachments are not limited to .EXE files. Microsoft Word and Excel files can contain macros which spread infection.

Detection and removal

Nearly all virus scanning programmes protect against worms.

Active Virus Shield
AntiVir Personal Edition
Comodo AntiVirus - Eliminates all known viruses, worms and Trojans. On-demand and On-access scanning, email scanning, process monitoring, worm blocker, scheduling & more. It’s easy to use; doesn’t slow down your PC and is free for life to the end user.