A computer worm is a type of malicious software program whose primary function is to infect other computers while remaining active on infected systems.
A computer worm is self-replicating malware that duplicates itself to spread to uninfected computers. Worms often use parts of an operating system that are automatic and invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
A computer worm is not to be confused with WORM (write once, read many).
How computer worms spread
A computer worm infection spreads without user interaction. All that is necessary is for the computer worm to become active on an infected system. Before widespread use of networks, computer worms were spread through infected storage media, such as floppy diskettes, which, when mounted on a system, would infect other storage devices connected to the victim system. USB drives are still a common vector for computer worms.
Computer worms often rely on the actions of, and vulnerabilities in, networking protocols to propagate. For example, the WannaCry ransomware worm exploited a vulnerability in the first version of the Server Message Block (SMBv1) resource sharing protocol implemented in the Windows operating system. Once active on a newly infected computer, the WannaCry malware initiates a network search for new potential victims: systems that respond to SMBv1 requests made by the worm. The worm is able to continue to propagate within an organization in this way. When a bring-your-own-device (BYOD) system is infected, the worm can spread to other networks.
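The network search described above appears in flow logs as one host contacting many distinct peers on the SMB port within a short time. The following Python code is an added example, not part of the original article, that measures this fan-out per source host; the flow-record layout, the sample addresses, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque

SMB_PORT = 445  # TCP port used by SMB, including SMBv1

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # One host sweeping a subnet on the SMB port, one new peer per second.
    [(1000 + i, "10.0.0.23", f"10.0.1.{i + 1}", 445) for i in range(12)]
    + [(1000, "10.0.0.5", "10.0.0.2", 445),   # workstation using file servers
       (1030, "10.0.0.5", "10.0.0.2", 445),
       (1040, "10.0.0.5", "10.0.0.3", 445),
       (1005, "10.0.0.7", "10.0.1.9", 443)]   # non-SMB traffic, ignored
)


def smb_fanout(flows, window_s=60):
    """Return {src: peak count of distinct SMB peers in any window_s-second window}."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            per_src[src].append((ts, dst))

    peaks = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()            # events currently inside the sliding window
        counts = defaultdict(int)   # dst -> number of events inside the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            counts[dst] += 1
            # Drop events that have aged out of the window.
            while window[0][0] <= ts - window_s:
                _, old_dst = window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        peaks[src] = peak
    return peaks


def suspected_scanners(flows, window_s=60, threshold=10):
    """Hosts whose SMB fan-out meets the threshold, sorted for stable output."""
    return sorted(s for s, n in smb_fanout(flows, window_s).items() if n >= threshold)


if __name__ == "__main__":
    print(smb_fanout(SAMPLE_FLOWS))
    print(suspected_scanners(SAMPLE_FLOWS))
```

The threshold has to be tuned per network, because file servers, backup hosts and vulnerability scanners legitimately contact many SMB peers and belong on an allowlist.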
Email worms spread by creating and sending outbound messages to all the addresses in a user's contacts list.
Stuxnet, one of the most notorious computer worms to date, consists of a worm component for propagation of the malware through the sharing of infected USB devices, as well as malware that targets supervisory control and data acquisition systems, which are widely used in industrial environments, including power utilities, water supply services, sewage plants and elsewhere.
Types of computer worms
Pure computer worms propagate themselves from infected systems to uninfected systems. This does not minimize the potential for damage from such computer worms.
An infected system may become unavailable or unreliable due to the computing overhead associated with propagation of the worm, while computer worms are also known to disrupt networking through saturation of network links with malicious traffic associated with worm propagation.
More commonly, a computer worm is either a virus-worm hybrid -- a piece of malware that spreads like a worm, but that also modifies program code like a virus -- or a worm that carries some sort of malicious payload, such as a virus, ransomware or some other type of malware.
A bot worm may be used to infect computers and turn them into zombies or bots, with the intent of using them in coordinated attacks through botnets. Instant messaging, or IM, worms propagate through instant messaging services and exploit access to contact lists on victim computers.
Email worms are usually spread as malicious executable files attached to what appear to be ordinary email messages. The email worm spreads by forcing an infected system to resend the worm to email addresses in user contact lists; the worm infects new systems when email recipients open the file. Successful email worms usually incorporate social engineering methods to prompt users to open the attached file.
An ethical worm is a computer worm designed to propagate across networks with the express purpose of delivering patches for known security vulnerabilities. While ethical worms have been described and discussed in academia, actual examples in the wild have not been found, most likely because the potential for unexpected harm done to systems that react unexpectedly to such software outweighs the potential for removing vulnerabilities. In any case, unleashing any piece of software that makes changes to a system without the permission of the system owner opens the publisher to various criminal and civil charges.
Differences between worms and viruses
As defined in the "Security of the Internet" report, released in 1996 by the CERT Division of the Software Engineering Institute at Carnegie Mellon University, computer worms "are self-replicating programs that spread with no human intervention after they are started." In contrast, "[v]iruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems."
After a computer worm loads and begins running on a newly infected system, it will typically follow its prime directive: to remain active on an infected system for as long as possible, and to spread to as many other vulnerable systems as possible.
Prevention, detection and removal of computer worms
Users should practice good cybersecurity hygiene to protect themselves against being infected with computer worms. Measures that will help prevent computer worm infections include:
- Keeping up to date with operating systems and all other software patches and updates will help reduce the risk due to newly discovered vulnerabilities.
- Using firewalls will help reduce access to systems by malicious software, while using antivirus software will help in preventing malicious software from running.
- Being careful with links in email or other messaging applications, which may expose systems to malicious software. Likewise, attachments to messages from unknown senders are also often used as vectors for distributing malicious software.
Although some worms are designed to do nothing more than propagate themselves to new victim systems, most worms are associated with viruses, rootkits or other malicious software.
The first step to remove a computer worm is to detect the presence of the worm, which can be difficult. Some factors that may indicate the presence of a worm include:
- Computer performance issues, including degraded system performance, system freezing or crashing unexpectedly.
- Unusual system behavior, including programs that execute or terminate without user interaction; unusual sounds, images or messages; the sudden appearance of unfamiliar files or icons, or the unexpected disappearance of files or icons; warning messages from the operating system or antivirus software; and email messages sent to contacts without user action.
Removing a computer worm can be difficult. In extreme cases, the system may need to be formatted, and all the software reinstalled. If it is possible to identify the computer worm infecting the system, there may be specific instructions or tools available to remove the infection. However, the system should be disconnected from the internet or any network, wired or wireless, before attempting to remove the computer worm; removable storage devices should also be removed and scanned separately for infections.
History of computer worms
Although the Morris worm, released in 1988, is widely considered the first computer worm, it actually is better characterized as the first worm to propagate widely in the wild, and on the then nascent internet.
The Morris worm was the work of Robert Tappan Morris Jr., a Cornell graduate student who was reportedly attempting to enumerate all the systems connected to the internet precursor network, ARPANET. Targeted at vulnerabilities in several different Unix programs, the Morris worm was capable of infecting a system more than once, making it difficult to eradicate completely before it produced a denial-of-service condition on the infected host. As many as 10% of the 60,000 systems then believed to be connected to ARPANET were affected by the worm.
One of the most damaging computer worms ever was the ILOVEYOU virus, malware that was propagated through several vectors, including email attachments that appeared to be text files, scripts run in IM chat sessions, and copies of the virus in executables renamed with the names of common system files.
ILOVEYOU primarily spread when targeted victims opened an email attachment, and the malware resent itself to all of the victim's contacts in Microsoft Outlook. Though, technically, this aspect of the worm required user interaction, the overall effect was that the virus spread during normal operation of desktop computers, and without the initial awareness of the victims. The malware reportedly affected as many as 45 million users on May 4, 2000, spreading so rapidly that some enterprises, including Ford Motor Company, were forced to shut down their email services.