Sunday, May 22, 2005



By Peter Szor
Published by Addison-Wesley Professional
ISBN: 0321304543   Buy Now!
Published:February, 2005

 About the author

Peter Szor graduated from the University of Veszprem Hungary in 1991. He is best known as the author of the popular Hungarian virus scanner called Pasteur, which he developed between 1990 and 1995. Szor.s interest in computer viruses began in 1990. He worked on various anti-virus scanning engines over the last decade including F-PROT, AVP, and Norton AntiVirus. Szor was invited to join CARO (Computer Anti-virus Researchers' Organization) in 1997. He is a frequent speaker at Virus Bulletin, EICAR, and ICSA conferences, and a regular contributor to Virus Bulletin magazine.

In 1999 Szor joined Symantec, where he designs and develops anti-virus technologies for the Norton Anti-virus product line. He is the author of several U.S. patents that are pending.

Free Chapter:
      9.1 Introduction

This chapter discusses the generic (or at least "typical") structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a "worm." We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain.

The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats.

Table 9.1 Well-Known Computer Worms and Their Infection Methods

Name / Discovered



Execution Method

WM/ShareFun February 1997

Microsoft Mail dependent mailer

Word 6 and 7 documents

By user

Win/RedTeam January 1998

Injects outgoing mail to Eudora mailboxes

Infects Windows NE files

By user

W32/Ska@m (Happy99 worm) January 1999

32-bit Windows mailer worm

Infects WSOCK32.DLL (by inserting a little hook function)

By user

W97M/Melissa@mm March 1999

Word 97 mass-mailer worm

Infects other Word 97 documents

By user

VBS/LoveLetter@mm2 May 2000

Visual Basic Script mass-mailer worm

Overwrites other VBS files with itself

By user

W32/Nimda@mm September 2001

32-bit Windows mass-mailer worm

Infects 32-bit PE files

Exploits vulnerabilities to execute itself on target

Table 9.1 suggests that infection of file objects is a fairly common technique among early, successful computer worms. According to one of the worm definitions, a worm must be self-contained and spread whole, not depending on attaching itself to a host file. However, this definition does not mean that worms cannot act as file infector viruses in addition to network-based propagators.

Of course, many other worms, such as Morris3, Slapper4, CodeRed, Ramen, Cheese5, Sadmind6, and Blaster, do not have file infection strategies but simply infect new nodes over the network. Thus defense methods against worms must focus on the protection of the network and the network-connected node.

1 2 3 4 5 6 7 8 9  Next page >> 

" Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect."

—Concise Oxford English Dictionary, Revised Tenth Edition.

No comments: