A worm is a self-replicating program that
uses open (insecure) computers or known
security bugs to gain access to a machine.
Like a virus, a worm replicates itself.
However, unlike a virus, a worm does not
infect other programs.
Worms are generally embedded in programs
or attachments to email messages. When the
user opens the file, the worm begins a two-part
attack on the system. First, the worm performs
its damage, such as destroying files, corrupting
programs or damaging the operating system.
Then, the worm uses a process known as
replication to transmit itself to everyone
in the infected user's email address book.
If the computer is not on the internet at
the time, then the transmission could be
stopped; however, with the increasing number
of users who have 'always-on' connections
via DSL or cable-modems, the worm is usually
able to transmit itself to thousands of
unsuspecting recipients in a flash!
Worms can also infect Microsoft's ActiveX
and Sun's Java script controls, which means
that worms can be embedded in web pages
and launch themselves upon visitors who
simply visit the site and view the web page!
While this has rarely occurred to date,
it is a distinct possibility in the future
that simply browsing the web could be very
dangerous without adequate antivirus protection!
The scariest part of worm attacks is that
they are usually invisible to the infected
user. Worms work silently in the background,
and if they do not actually damage obvious
files in the user's computer, they go undetected
for a long time while they continue to transmit
themselves to recipients via email.
There are many infamous worms, e.g. the
Anna Kournikova worm, the I Love You worm,
Code Red, or Nimda, which is reputed to be
the worst to date. Nimda was released on
September 18, 2001.
The Nimda worm has the potential to affect
both user workstations (clients) running
Windows 95, 98, ME, NT, or 2000 and servers
running Windows NT and 2000. It spreads
via email, network shares and websites.
Its main goal is simply to spread over the
Internet and Intranet, infecting as many
users as possible and creating so much traffic
that networks are virtually unusable. It
may also take up a large amount of space
on your hard drive.
The email messages created by the worm
contain an attachment that can be executed
even if the user does not open it and without
the user's knowledge. It infects HTML documents.
When the infected documents are accessed
(locally or remotely), the machine viewing
the page is infected. When the worm finds
an open share, it copies itself to each
folder on the drive in .EML format. This
can include the START UP folder.
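
The share behaviour described above (the same .EML copy dropped into each folder) leaves a pattern a defender can sweep for. The following is an added example, not part of the original article: it hashes every .eml file under a directory tree and reports any payload found byte-for-byte in several folders. The function names, the `min_dirs` threshold and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def find_replicated_eml(root, min_dirs=3):
    """Return {sha256: sorted list of directories} for every .eml payload
    that appears byte-for-byte in at least min_dirs different folders."""
    dirs_by_hash = defaultdict(set)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".eml"):
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            dirs_by_hash[digest].add(dirpath)
    return {h: sorted(d) for h, d in dirs_by_hash.items() if len(d) >= min_dirs}

def build_sample_share(root):
    """Constructed sample tree: one payload copied into every folder,
    plus one unrelated message that was saved legitimately."""
    dropped = b"constructed sample: identical message body\r\n"
    for folder in ("docs", os.path.join("docs", "reports"), "photos", "Startup"):
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, "sample.eml"), "wb") as fh:
            fh.write(dropped)
    with open(os.path.join(root, "docs", "meeting.eml"), "wb") as fh:
        fh.write(b"constructed sample: a unique saved email\r\n")
    return hashlib.sha256(dropped).hexdigest()

def demo():
    """Build the sample tree, sweep it, and return (expected hash, hits)
    with folder paths made relative to the temporary root."""
    with tempfile.TemporaryDirectory() as root:
        expected = build_sample_share(root)
        hits = find_replicated_eml(root)
        return expected, {h: [os.path.relpath(d, root) for d in dirs]
                          for h, dirs in hits.items()}

if __name__ == "__main__":
    expected, hits = demo()
    for digest, folders in hits.items():
        print(f"{digest[:12]}... replicated in {len(folders)} folders: {folders}")
```

A hit that includes a startup folder deserves priority, since a copy there can run at the next logon.
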
The worm scans IP addresses looking for
IIS servers to infect via the Web Folder
Traversal vulnerability. It tries to use
the backdoor created by W32/CodeRed.c to
infect. It adds worm code to .EXE files.
Email addresses are gathered by extracting
the email addresses from MAPI messages in
Microsoft Outlook and Microsoft Outlook
Express, as well as from HTM and HTML documents.
Once infected, your system is used to seek
out others to infect over the web. As this
creates a lot of port scanning, this can
cause a network traffic jam.