A computer worm is a type of malware whose primary function is to self-replicate and infect other computers while remaining active on infected systems.
A computer worm duplicates itself to spread to uninfected computers. It often does this by exploiting parts of an operating system that are automatic and invisible to the user.
It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
A computer worm is not to be confused with WORM (write once, read many).
How do computer worms work?
Computer worms often rely on the actions of, and vulnerabilities in, networking protocols to propagate.
After a computer worm loads and begins running on a newly infected system, it will typically follow its prime directive: to remain active on an infected system for as long as possible and to spread to as many other vulnerable systems as possible.
For example, once active on a newly infected computer, the WannaCry malware initiates a network search for new potential victims: systems that respond to the SMBv1 requests made by the worm. The worm then continues to propagate within the network through these hosts.
Worms can also be disguised to look like a nonthreatening resource, such as a work file or link, which a user clicks on or downloads, only for it to be revealed later as a worm.
What's the difference between a worm and a virus?
As defined in the "Security of the Internet" report, released in 1996 by the CERT Division of the Software Engineering Institute at Carnegie Mellon University, computer worms are "self-replicating programs that spread with no human intervention after they are started."
In contrast, the report notes that "viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems."
What types of computer worms exist?
There are several types of malicious computer worms:
Email worms work by creating and sending outbound messages to all the addresses in a user's contact list. The messages include a malicious executable file that infects the new system when the recipient opens it.
File-sharing worms are programs that are disguised as media files.
Stuxnet, one of the most notorious computer worms to date, consists of two components: a worm to propagate malware through USB devices infected with the host file, as well as malware that targets supervisory control and data acquisition systems.
File-sharing worms are widely used to target industrial environments, including power utilities, water supply services and sewage plants.
Cryptoworms work by encrypting data on the victim's system. This type of worm can be used in ransomware attacks, in which the perpetrators follow up with the victim and demand payment in exchange for a key to decrypt their files.
Some computer worms specifically target popular websites with poor security. If they can infect the site, they can infect a computer accessing the website.
From there, internet worms spread to other devices the infected computer connects to through internet and private network connections.
Instant messaging worms
Like email worms, instant messaging worms arrive as attachments or links, which the worm then sends on to the infected user's contact list. The only difference is that instead of arriving in an email, the message comes as an instant message on a chat service.
If the worm hasn't had time to replicate itself onto the computer, its spread can often be resolved by simply changing the password on the user's chat service account.
How do computer worms spread?
While some computer worms require user action to initially propagate, such as clicking on a link, others can easily spread without user interaction. All that's necessary is for the computer worm to become active on an infected system.
Before the widespread use of networks, computer worms were spread through infected storage media, such as floppy diskettes, which, when mounted on a system, would infect other storage devices connected to the victim system.
Today, USB drives are a common vector for computer worms, as are internet activities such as email, chat and web surfing.
Historical cases of computer worms
Worms have existed since the beginning of the internet. Several notable cases spread so far they caused major network and business disruption.
The Morris worm
Although the Morris worm, released in 1988, is widely considered the first computer worm, it is better characterized as the first worm to propagate widely on the then-nascent internet.
The Morris worm was the work of Robert Tappan Morris Jr., a Cornell graduate student who was reportedly attempting to enumerate all the systems connected to the internet precursor network, ARPANET.
Targeting vulnerabilities in several different Unix programs, the Morris worm was capable of infecting a system more than once, making it difficult to eradicate completely before it produced a denial-of-service condition on the infected host.
As many as 10% of the 60,000 systems then believed to be connected to ARPANET were affected by the worm.
The ILOVEYOU worm
One of the most damaging computer worms ever was the ILOVEYOU worm, which launched in 2000 and propagated malware through email attachments that appeared to be text files, scripts run in IM chat sessions and executables renamed with the names of common system files.
ILOVEYOU primarily spread when targeted victims opened an email attachment, and the malware re-sent itself to all of the victim's contacts in Microsoft Outlook.
The malware reportedly affected as many as 45 million users after it was released on May 4, 2000, spreading so rapidly that some enterprises, including Ford Motor Company, were forced to temporarily shut down their email services.
As mentioned above, Stuxnet is a file-sharing worm first identified in 2010. Security researchers determined that the worm was created by U.S. and Israeli intelligence agencies to interfere with Iranian nuclear weapons production.
Stuxnet was introduced via USB drives and took advantage of flaws in the Windows operating system to spread, ultimately causing nuclear centrifuges to malfunction.
WannaCry ransomware uses a worm to infect Windows computers and encrypt files on the hard drives of PCs. It began spreading in May 2017 and affected hundreds of thousands of computers in up to 150 countries worldwide. Targets included large corporations like FedEx, banks and hospitals. Once a PC's files were locked, hackers contacted the owner demanding payment in return for a key to decrypt their files. However, even after payment, only a few victims were actually given the keys.
Security researchers connected the hack to the Lazarus Group, a nation-state group affiliated with North Korea. While WannaCry caused significant financial loss for targeted victims, its spread was quickly stopped when security researcher Marcus Hutchins discovered a kill switch that stopped it from propagating further.
How to prevent computer worm infections
Good cybersecurity hygiene is essential to protect systems from becoming infected with computer worms. Measures that will help prevent the threat of computer worm infections include:
- Install operating system updates and software patches
- Use firewalls to reduce access to systems by malicious software
- Use antivirus software to prevent malicious software from running
- Never click on attachments or links in email or other messaging applications that may expose systems to malicious software
- Use encryption to protect sensitive data stored on computers, servers and mobile devices
Although some worms are designed to do nothing more than propagate themselves to new victim systems, most worms are associated with viruses, rootkits or other malicious software that can cause additional damage and risk.
How to detect a computer worm
It can be hard to detect the presence of a worm. Signs that a worm might be present include the following:
- Computer performance degrading over time, or limited computing bandwidth with no apparent explanation
- System freezing or crashing unexpectedly
- Unusual system behavior, including programs that execute or terminate without user interaction
- Unusual sounds, images or messages
- The sudden appearance of unfamiliar files or icons, or the unexpected disappearance of files or icons
- Warning messages from the operating system or antivirus software
- Email messages sent to contacts that the user didn't actually send
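The host-level symptoms above are what a user notices; on the network, a propagating worm such as WannaCry shows up as one host opening connections to many distinct peers on the same service port in a short time. The following added example (not code from the original article or from any product it mentions) runs that fan-out check over a constructed connection log: it counts, per source host, the distinct destinations contacted on TCP/445 within a sliding window and flags sources that exceed a threshold. The log format, the 10-destination threshold and the five-minute window are assumptions chosen for illustration.

```python
"""Flag hosts whose outbound TCP/445 connection fan-out looks like worm
propagation: many distinct destinations contacted within a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log (not from a real capture).
# Assumed format per line: ISO timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.26 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.27 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.28 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.29 445
2017-05-12T10:00:06 10.0.0.5 10.0.0.30 445
2017-05-12T10:00:07 10.0.0.7 10.0.0.100 445
2017-05-12T10:00:08 10.0.0.7 10.0.0.100 445
2017-05-12T10:00:09 10.0.0.7 10.0.0.101 443
2017-05-12T10:00:10 10.0.0.8 10.0.0.20 445
2017-05-12T10:00:10 10.0.0.8 10.0.0.21 445
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_fanout(log_text, port=445, threshold=10, window=timedelta(minutes=5)):
    """Return {src: peak number of distinct destinations reached on `port`
    inside any `window`} for every source whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                  # chronological order per source
        recent = deque()               # events still inside the window
        counts = defaultdict(int)      # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            counts[dst] += 1
            # Drop events that have fallen out of the sliding window.
            while recent and ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on TCP/445 within 5 minutes, investigate")
```

With the sample data only 10.0.0.5 is flagged: it touches 11 distinct hosts on port 445 in a few seconds, while 10.0.0.7 repeats a single destination and 10.0.0.8 reaches only two. A repeated connection to the same file server is normal; a steadily growing set of new destinations on the same port is the propagation pattern worth alerting on, and the threshold should be tuned to the baseline of each environment.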
How to remove a computer worm
Removing a computer worm can be difficult. In extreme cases, the system may need to be reformatted, requiring all software to be reinstalled.
When beginning an incident response, it is advisable to use a known, safe computer to download any required updates or programs to an external storage device and then install them on the affected machine.
If it is possible to identify the computer worm infecting the system, there may be specific instructions or tools available to remove it without having to wipe a system entirely.
The system should also be disconnected from the internet and from any network, wired or wireless, before attempting to remove the computer worm. Also, remove any removable storage devices, such as USB or external hard drives, and scan them separately for infection.
Once the system is disconnected from the network, do the following:
- Update all antivirus signatures.
- Scan the computer with the up-to-date antivirus software.
- Use the antivirus software to remove any malware, malicious code and worms that it finds and to clean infected files.
- Confirm that the operating system and all applications are up to date and patched.