Computer worms

December 2016

Worms

A worm is a self-reproducing program which can travel over networks using networking mechanisms, without requiring any software or hardware support (such as a hard drive, a host program, a file, etc.) to spread; a worm is therefore a network virus.

How worms of the 1980s worked

The most famous worm story dates from 1988. A student (Robert T. Morris of Cornell University) had created a program which could spread over a network. He ran it, and within eight hours, it had already infected several thousand computers. Because of this, many computers crashed within just a few hours, as the "worm" (as we now know it) reproduced too quickly to be removed from the network. What's more, all of these worms clogged up bandwidth, which forced the NSA to shut down the connections for a day.

Here's how the Morris worm spread on the network:

  • The worm gained entry into a UNIX machine
  • It created a list of machines connected to it
  • It brute-forced all the passwords from a list of words
  • It passed itself off as a user from each of the other machines
  • It created a small program on the machine so it could reproduce
  • It hid itself on the infected machine
  • and so on

Current worms

Current worms spread mainly through email clients (especially Outlook), using attachments that contain instructions for gathering all the email addresses found in the address book and sending copies of themselves to all of these recipients.

These worms are usually scripts (typically in VBScript) or executable files sent as an attachment, which trigger when the recipient clicks on the attachment.

How to protect yourself from worms

It is simple to protect yourself from infection by a worm. The best method is to avoid blindly opening files which are sent to you as attachments.

If you do, any executable files, or files which the OS can interpret, may potentially infect your computer. Files with the following extensions, in particular, may potentially be infected:

exe, com, bat, pif, vbs, scr, doc, xls, msi, eml

In Windows, it is recommended to disable the feature "hide extensions", because this feature can trick the user into thinking a file has a different extension. So a file with the extension .jpg.vbs will look like a .jpg file.

Files with the following extensions are not interpreted by the OS, and therefore the risk of infection from them is minimal:

txt, jpg, gif, bmp, avi, mpg, asf, dat, mp3, wav, mid, ram, rm

It is common to hear that GIF or JPG files may contain viruses. In reality, any kind of file may contain code carrying a virus, but the system must have first been modified by another virus in order to interpret the code found in the files.

For any files whose extension hints that the file may be infected (or for extensions that you don't recognise), be sure to install an antivirus program and systematically scan every attachment before opening it.

Here is a larger (but non-exhaustive) list of extensions for files which may be infected by a virus:

Extensions
386, ACE, ACM, ACV, ARC, ARJ, ASD, ASP, AVB, AX, BAT, BIN, BOO, BTM, CAB, CLA, CLASS, CDR, CHM, CMD, CNV, COM, CPL, CPT, CSC, CSS, DLL, DOC, DOT, DRV, DVB, DWG, EML, EXE, FON, GMS, GVB, HLP, HTA, HTM, HTML, HTT, INF, INI, JS, JSE, LNK, MDB, MHT, MHTM, MHTML, MPD, MPP, MPT, MSG, MSI, MSO, NWS, OBD, OBJ, OBT, OBZ, OCX, OFT, OV?, PCI, PIF, PL, PPT, PWZ, POT, PRC, QPW, RAR, SCR, SBF, SH, SHB, SHS, SHTML, SHW, SMM, SYS, TAR.GZ, TD0, TGZ, TT6, TLB, TSK, TSP, VBE, VBS, VBX, VOM, VS?, VWP, VXE, VXD, WBK, WBT, WIZ, WK?, WPC, WPD, WML, WSH, WSC, XML, XLS, XLT, ZIP
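
The attachment checks described above (the hidden-extension case such as .jpg.vbs, and the extension lists), as an added Python example that is not part of the original article. The function names, verdict labels and sample file names are assumptions made for illustration, and RISKY holds the short list plus only a subset of the larger one.

```python
import fnmatch

# Extensions the article lists as possibly infected: the short list plus a
# subset of the larger one ("?" stands for any single character, as in OV?).
RISKY = {"exe", "com", "bat", "pif", "vbs", "scr", "doc", "xls", "msi", "eml",
         "cmd", "cpl", "hta", "js", "jse", "lnk", "vbe", "wsh", "ov?", "vs?", "wk?"}
# Extensions the article lists as not interpreted by the OS.
LOW_RISK = {"txt", "jpg", "gif", "bmp", "avi", "mpg", "asf", "dat", "mp3",
            "wav", "mid", "ram", "rm"}


def _in(ext, patterns):
    """Case-insensitive match of one extension against a set of patterns."""
    return any(fnmatch.fnmatchcase(ext.lower(), p) for p in patterns)


def shown_name(filename):
    """Name displayed with "hide extensions" on (assumes the last extension is hidden)."""
    stem, dot, _ = filename.rpartition(".")
    return stem if dot and stem else filename


def classify(filename):
    """Return 'disguised', 'risky', 'low' or 'unknown' (hypothetical labels)."""
    parts = filename.strip().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "unknown"                      # no extension at all: scan it
    real, previous = parts[-1], parts[-2]
    if _in(real, RISKY):
        # holiday.jpg.vbs: the visible name ends in a harmless-looking extension
        if len(parts) > 2 and _in(previous, LOW_RISK):
            return "disguised"
        return "risky"
    return "low" if _in(real, LOW_RISK) else "unknown"


def triage(filenames):
    """Map each attachment name to (verdict, name shown when extensions are hidden)."""
    return {name: (classify(name), shown_name(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real incident.
    samples = ["holiday.jpg.vbs", "Invoice.XLS", "notes.txt", "plan.vsd", "data.xyz"]
    for name, (verdict, shown) in triage(samples).items():
        print(f"{name:18} verdict={verdict:10} shown-as={shown}")
```

An "unknown" verdict corresponds to the article's advice for unrecognised extensions: scan the attachment before opening it.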

This document entitled « Computer worms » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.