Home > Articles > Security > Network Security

Strategies of Computer Worms

  • Print
  • + Share This
Advances in programming have brought many conveniences to our lives, but they have also given cyber-criminals increasingly sophisticated ways to commit crimes. This chapter describes the nature and evolution of the computer worm, from simple beginning to modern Bluetooth traveling cellphone worms.
This chapter is from the book

" Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect."

—Concise Oxford English Dictionary, Revised Tenth Edition

9.1 Introduction

This chapter discusses the generic (or at least "typical") structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a "worm." We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain.

The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats.

Table 9.1 Well-Known Computer Worms and Their Infection Methods

Name / Discovered



Execution Method

WM/ShareFun February 1997

Microsoft Mail dependent mailer

Word 6 and 7 documents

By user

Win/RedTeam January 1998

Injects outgoing mail to Eudora mailboxes

Infects Windows NE files

By user

W32/Ska@m (Happy99 worm) January 1999

32-bit Windows mailer worm

Infects WSOCK32.DLL (by inserting a little hook function)

By user

W97M/Melissa@mm March 1999

Word 97 mass-mailer worm

Infects other Word 97 documents

By user

VBS/LoveLetter@mm2 May 2000

Visual Basic Script mass-mailer worm

Overwrites other VBS files with itself

By user

W32/Nimda@mm September 2001

32-bit Windows mass-mailer worm

Infects 32-bit PE files

Exploits vulnerabilities to execute itself on target

Table 9.1 suggests that infection of file objects is a fairly common technique among early, successful computer worms. According to one of the worm definitions, a worm must be self-contained and spread whole, not depending on attaching itself to a host file. However, this definition does not mean that worms cannot act as file infector viruses in addition to network-based propagators.

Of course, many other worms, such as Morris3, Slapper4, CodeRed, Ramen, Cheese5, Sadmind6, and Blaster, do not have file infection strategies but simply infect new nodes over the network. Thus defense methods against worms must focus on the protection of the network and the network-connected node.

  • + Share This
  • 🔖 Save To Your Account