A computer worm is a type of malicious software program whose primary function is to infect other computers while remaining active on infected systems.
A computer worm is self-replicating malware that duplicates itself to spread to uninfected computers. Worms often use parts of an operating system that are automatic and invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
A computer worm is not to be confused with WORM (write once, read many).
How computer worms spread
A computer worm infection spreads without user interaction. All that is necessary is for the computer worm to become active on an infected system. Before widespread use of networks, computer worms were spread through infected storage media, such as floppy diskettes, which, when mounted on a system, would infect other storage devices connected to the victim system. USB drives are still a common vector for computer worms.
How computer worms work
Computer worms often rely on the actions of, and vulnerabilities in, networking protocols to propagate. For example, the WannaCry ransomware worm exploited a vulnerability in the first version of the Server Message Block (SMBv1) resource sharing protocol implemented in the Windows operating system. Once active on a newly infected computer, the WannaCry malware initiates a network search for new potential victims: systems that respond to SMBv1 requests made by the worm. The worm is able to continue to propagate within an organization in this way. When a bring your own device (BYOD) is infected, the worm can spread to other networks, giving hackers even more access.
Email worms work by creating and sending outbound messages to all the addresses in a user's contacts list. The messages include a malicious executable file that infects the new system when the recipient opens it. Successful email worms usually incorporate social engineering methods to prompt users to open the attached file.
Stuxnet, one of the most notorious computer worms to date, consists of a worm component for propagation of the malware through the sharing of infected USB devices, as well as malware that targets supervisory control and data acquisition (SCADA) systems, which are widely used in industrial environments, including power utilities, water supply services, sewage plants and elsewhere. Pure computer worms propagate themselves from infected systems to uninfected systems. This does not minimize the potential for damage from such computer worms.
An infected system may become unavailable or unreliable due to the computing overhead associated with propagation of the worm, while computer worms are also known to disrupt networking through saturation of network links with malicious traffic associated with worm propagation.
Types of computer worms
There are several types of malicious computer worms:
- A computer virus or worm hybrid is a piece of malware that spreads like a worm, but that also modifies program code like a virus -- or else carries some sort of malicious payload, such as a virus, ransomware or some other type of malware.
- A bot worm may be used to infect computers and turn them into zombies or bots, with the intent of using them in coordinated attacks through botnets.
- Instant messaging, or IM worms propagate through instant messaging services and exploit access to contact lists on victim computers.
- Email worms are usually spread as malicious executable files attached to what appear to be ordinary email messages.
Finally, an ethical worm is a computer worm designed to propagate across networks with the express purpose of delivering patches for known security vulnerabilities. While ethical worms have been described and discussed in academia, actual examples in the wild have not been found, most likely because the potential for unexpected harm done to systems that react unexpectedly to such software outweighs the potential for removing vulnerabilities. In any case, unleashing any piece of software that makes changes to a system without the permission of the system owner opens the publisher to various criminal and civil charges.
Differences between worms and viruses
As defined in the "Security of the Internet" report, released in 1996 by the CERT Division of the Software Engineering Institute at Carnegie Mellon University, computer worms "are self-replicating programs that spread with no human intervention after they are started." In contrast, "[v]iruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems."
After a computer worm loads and begins running on a newly infected system, it will typically follow its prime directive: to remain active on an infected system for as long as possible, and to spread to as many other vulnerable systems as possible.
How to prevent a computer worm
Users should practice good cybersecurity hygiene to protect themselves against being infected with computer worms. Measures that will help prevent the threat of computer worm infections include:
- Keeping up to date with operating systems and all other software patches and updates will help reduce the risk due to newly discovered vulnerabilities.
- Using firewalls will help reduce access to systems by malicious software.
- Using antivirus software will help prevent malicious software from running.
- Being careful not to click on attachments or links in email or other messaging applications that may expose systems to malicious software.
- Encrypt files to protect sensitive data stored on computers, servers and mobile devices
Although some worms are designed to do nothing more than propagate themselves to new victim systems, most worms are associated with viruses, rootkits or other malicious software.
How to detect a computer worm: Symptoms of a computer worm infection
The first step to remove a computer worm is to detect the presence of the worm, which can be difficult. The best way to detect a computer worm is to be aware of and recognize the symptoms of a computer worm infection.
Some symptoms that may indicate the presence of a worm include:
- Computer performance issues, including degraded system performance, system freezing or crashing unexpectedly.
- Unusual system behavior, including programs that execute or terminate without user interaction; unusual sounds, images or messages; the sudden appearance of unfamiliar files or icons, or the unexpected disappearance of files or icons; warning messages from the operating system or antivirus software; and email messages sent to contacts without user action.
How to remove a computer worm
Removing a computer worm can be difficult. In extreme cases, the system may need to be formatted, and all the software reinstalled. Use a known safe computer to download any required updates or programs to an external storage device and then install them on the affected machine. If it is possible to identify the computer worm infecting the system, there may be specific instructions or tools available to remove the infection.
The system should be disconnected from the internet or any network, wired or wireless, before attempting to remove the computer worm; removable storage devices should also be removed and scanned separately for infections. Once the system is disconnected from the network, do the following:
- Update all antivirus signatures
- Scan the computer with the up-to-date antivirus software
- Use the antivirus software to remove any malware, including worms, that it finds and to clean infected files
- Confirm that the operating system and all applications are up to date and patched
History of computer worms
Although the Morris worm, released in 1988, is widely considered the first computer worm, it actually is better characterized as the first worm to propagate widely in the wild, and on the then nascent internet.
The Morris worm was the work of Robert Tappan Morris Jr., a Cornell graduate student who was reportedly attempting to enumerate all the systems connected to the internet precursor network, ARPANET. Targeted at vulnerabilities in several different Unix programs, the Morris worm was capable of infecting a system more than once, making it difficult to eradicate completely before it produced a denial-of-service condition on the infected host. As many as 10% of the 60,000 systems then believed to be connected to ARPANET were affected by the worm.
One of the most damaging computer worms ever was the ILOVEYOU virus, malware that was propagated through several vectors, including email attachments that appeared to be text files, scripts run in IM chat sessions, and copies of the virus in executables renamed with the names of common system files.
ILOVEYOU primarily spread when targeted victims opened an email attachment, and the malware resent itself to all of the victim's contacts in Microsoft Outlook. Though, technically, this aspect of the worm required user interaction, the overall effect was that the virus spread during normal operation of desktop computers, and without the initial awareness of the victims. The malware reportedly affected as many as 45 million users on May 4, 2000, spreading so rapidly that some enterprises, including Ford Motor Company, were forced to shut down their email services.
Continue Reading About computer worm
- "Security of the Internet" report (1996) from the CERT Division of the Software Engineering Institute at Carnegie Mellon University