COMPUTER WORM

A computer worm is a self-replicating computer program that penetrates an operating system

with the intent of spreading malicious code. Worms utilize networks to send copies of the
original code to other computers, causing harm by consuming bandwidth or possibly deleting
files or sending documents via email. Worms can also install backdoors on computers.

Computer worms are a form of malware that have the capability to rapidly infect many
computers on a network by sending copies of themselves from one system to another over
network connections

Computer worms are among the most common types of malware . They spread
over computer networks by exploiting operating system vulnerabilities. Worms
typically cause harm to their host networks by consuming bandwidth and
overloading web servers. Computer worms can also contain “payloads” that
damage host computers. Payloads are pieces of code written to perform actions on
affected computers beyond simply spreading the worm. Payloads are commonly
designed to steal data or delete files. Some payloads even create backdoors in host
computers that allow them to be controlled by other computers. Malicious parties
can use networks of these infected computers (“botnets”) to spread spam and
perform denial-of-service attacks.

CHARACTERISTICS OF COMPUTER WORM

Causal Connection Relationship

Movement between hosts is a necessary behavior of worms. Before a worm may attempt a
connection to a host there must have been an incoming connection from some other host that
deposited the worm. A victim host cannot infect other hosts before the victim itself is infected.

Self-similarity

Worms gain entry to systems by exploiting known vulnerabilities on the target systems. The
limited number of vulnerabilities and systems known to a particular worm causes the worm to
repeatedly select the same vulnerability for attacks. These attacks will exhibit a similarity to
previous attacks.

Greedy Destination Visiting Pattern

One of the design goals for worms is to infect large numbers of hosts. To accomplish this goal,
hosts infected with worms attempt to connect to more hosts than non-infected hosts would
normally attempt to connect to. This increased number of connection attempts will eventually
become apparent.
Continuity

Continuous propagation to infect new hosts is a defining characteristic of worm behavior. Even
with a slow rate of infection, “as more and more hosts of a domain become infected a growing
number of worm connections will cross the gateway of an infected domain” (p. 2). This increase
in connections from multiple hosts should also become apparent.

TYPES OF COMPUTER WORMS

Book Worms

Book worms in the realm of malicious software derive their classification from the tendency of
the worms to bore through the address books belonging to users of infected computers to locate
future targets. These worms spread through infected email messages which may contain an
attachment or a link to an infected website. This class of worm was the earliest developed type of
worm and varied from the original viruses by not requiring an infected file for a transport
mechanism. Two well known variations of the book worm class were the W97/Melissa worm
and the W32/Magistr worm.

Remote System Worms

Remote access utilities aid network administrators in managing network servers from long
distances. However, remote access services use special administrative shares and these shares are
the targets of remote system worms. McAfee Labs (2003) discovered the Mumu worm, which
targets the IPC$ and ADMIN$ shares of windows servers by using the uHFind.exe Trojan to
scan for Random class C IP addresses on the local network and retrieve share passwords. The
passwords are then used to infiltrate and control host systems.

Internet Worms

Internet worms are that scans the Internet to seek out new hosts to infect. Conficker, a widely
publicized worm, used dynamic domain generation as a command and control mechanism to
coordinate the attacks of infected hosts.

File Sharing Network Worms

Shared folders used by P2P networks are the typical targets of file sharing network worms unlike
Internet worms that may use P2P networks for command and control.The most notorious of this
type of worm was the Storm Worm, also known as Trojan Peacomm, which received its name
from the subject lines or titles used to entice victims.

SYMPTOMS OF COMPUTER WORMS

Users should be familiar with the symptoms of a computer worm so that they can quickly
recognize infections and begin the process of computer worm removal. Here are some of the
typical symptoms of a computer worm:

 Slow computer performance

 Freezing/crashing
 Programs opening and running automatically
 Irregular web browser performance
 Unusual computer behavior (messages, images, sounds, etc)
 Firewall warnings
 Missing/modified files
 Appearance of strange/unintended desktop files or icons
 Operating system errors and system error messages
 Emails sent to contacts without the user’s knowledge

HOW TO PROTECT FROM COMPUTER WORMS

Install antivirus or endpoint security software

Install antivirus or endpoint security software on all your desktops and servers, and make sure to
keep them up to date. New malware can spread extremely quickly, so have an infrastructure in
place that can update all the computers in your organization seamlessly, frequently and on short
notice.

To protect against email-borne viruses, spam and spyware, run email filtering software at your
gateway.

And don’t forget to protect laptop computers, desktop computers and mobile devices used by
employees who telecommute.

Block file types that often carry malware

Block executable file types from being received by email or downloaded from the Internet. It is
unlikely that your organization will ever need to receive these types of files from the outside
world.

Subscribe to an email alert service

Consider adding a live malware information feed to your website or intranet so your users know
about the very latest computer threats.

Use a firewall on all computers

Use a firewall to protect computers that are connected to a network. Many worms can enter even
a closed network via USB drives, CDs and mobile devices. Laptops and telecommuters will also
need firewall protection.

Stay up to date with software patches

We encourage using automatic (patch) updating, especially in the case of Windows computers.
Patches often close loopholes that can make you vulnerable to malware threats.

Back up your data regularly

Make regular backups of important work and data, and check that the backups were successful.
You should also find a safe place to store your backups, preferably off-site in case of fire. If your
computer is infected with malware, you will be able to restore any lost programs and data. Any
sensitive backup information should be encrypted and physically secured.

Implement device control

Prevent unauthorized devices from connecting to your computers. Unauthorized devices such as
USB drives, music players and mobile phones can carry malware that will infect a computer
when plugged in.

Conclusion
Worms exhibit certain behavioral characteristics that make classification of the types of worms
possible. Book worms use a victim’s address book to generate e-mail. Remote system worms
may attack the mechanisms that administrators use for remote administration. Internet worms use
the Internet namespace to aid attacks. File sharing network worms attack network shares.

Although the mechanisms for attack may differ according to the type of worm, each of the worm
types still exhibit characteristic worm behavior, chief of which is self-propagation. Worms
spread between hosts and networks using the resources of the infected host and do not require the
aid of a file to infect for transport as is the case for normal viruses. Some worms exhibit stealth
technology making those worms difficult to detect and clean from infected systems.