
Worm:W32/Worm


First posted on 18 September 2009.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Worm.

Explanation :

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Additional Details :

This is the Worm General Information page.

A worm is a parasitic program capable of replicating itself by sending copies of itself in e-mail messages or by copying itself to other computers over a network or other media. At one time, worms were considered more of a nuisance than a threat, but today it has become increasingly common for malware authors to create complex malicious worms that carry viruses and backdoors inside them, or that have additional features such as local network spreading or password and data stealing.

The latest worms also try to disable anti-virus and security software on infected computers. Some worms attempt to steal data by attaching images or document files to the infected messages they send out. A few worms carry a destructive payload and destroy the infected system after they have sent themselves out.

There are numerous worm sub-types, which are defined by the platform or medium in which they propagate. For example, an Email-Worm will spread copies of itself using e-mail messages; an IRC-Worm spreads through Internet Relay Chat (IRC) channels and an SMS-Worm multiplies using the Short Message System (SMS) of telecommunications networks. Read more about the different sub-types below:

Email-Worm
The most common type of worm is an Email-Worm, also known as a mass-mailer or, less commonly, an Internet worm. It is usually a standalone program that sends itself as an e-mail attachment to the e-mail addresses it can find on an infected computer. Mass mailers became very widespread at the beginning of the 21st century.

Typically a mass mailer arrives on a computer in an infected e-mail message. In some cases the infected attachment of such a message can start automatically; in other cases the user has to run the attachment to become infected. When a typical mass-mailer is activated, it installs itself on the system by copying its file into the Windows or Windows System folder, creates a startup key for its file in the Registry or modifies the WIN.INI or SYSTEM.INI file, and stays active in memory.

While active, a mass mailer collects e-mail addresses from the user's Address Book or searches specific files (for example HTML files) and tries to locate e-mail addresses there. Finally the mass mailer connects to any available SMTP server (usually the user's default SMTP server is used) and sends itself to all, or a selection of, the e-mail addresses it found.

Some mass mailers randomly compose the subjects and bodies of infected messages from words and phrases carried in their own bodies. Some worms use the contents of randomly chosen files as the message body or subject. The worm's attachment name may be random or 'borrowed' from other files.

Many worms send themselves as attachments with a double extension, for example .MPG.EXE or .AVI.PIF. In most cases the recipient can only see the first extension. Because of that, some users try to open such attachments thinking that they are multimedia files.
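As an added illustration of the double-extension trick described above (example code written for this page, not part of the original entry), the check below flags attachment names whose visible extension looks like a media or document file while the real, final extension is one Windows executes. The extension lists are constructed for the example and are not exhaustive.

```python
import os
from typing import Dict, Iterable, List, Optional

# Extensions Windows runs directly (constructed list for this example, not exhaustive).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Extensions a recipient would expect to be harmless media or documents.
DECOY_EXTS = {"mpg", "avi", "jpg", "gif", "mp3", "doc", "txt", "pdf"}


def split_extensions(filename: str) -> List[str]:
    """Return the lowercase extension chain, e.g. 'holiday.MPG.EXE' -> ['mpg', 'exe']."""
    base = os.path.basename(filename.strip())
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]  # parts[0] is the file stem


def deceptive_double_extension(filename: str) -> Optional[str]:
    """Explain why a name is deceptive, or return None if it is not.

    A name is deceptive when its final extension is executable and the
    extension shown to a user who hides known extensions is a decoy type.
    """
    exts = split_extensions(filename)
    if len(exts) < 2:
        return None  # a single extension cannot masquerade as another type
    real, shown = exts[-1], exts[-2]
    if real in EXECUTABLE_EXTS and shown in DECOY_EXTS:
        return f"looks like .{shown} but runs as .{real}"
    return None


def triage_attachments(names: Iterable[str]) -> Dict[str, str]:
    """Map each deceptive attachment name to its explanation (clean names are omitted)."""
    findings = {}
    for name in names:
        reason = deceptive_double_extension(name)
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["holiday.MPG.EXE", "clip.AVI.PIF", "report.pdf", "setup.exe", "archive.tar.gz"]
    for name, reason in triage_attachments(sample).items():
        print(f"{name}: {reason}")
```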

Net-Worm
A Net-Worm or Network Worm is usually a standalone program that tries to copy itself to other computers connected to the same Local Area Network (LAN). Such worms travel from one computer to another using shares. A share is a medium (a hard drive, for example) or part of one that can be accessed by everyone or only by users with specific access rights. In many cases corporate computers and servers have a few open shares, which eases the worm's task of infecting the network. Cleaning up a network worm outbreak often requires taking the network down and disinfecting all infected computers one by one.

A network worm, when activated, looks for all available shared resources and, if it finds that the Windows directory of another computer is shared, copies its files there. To make these copies start on the remote computer, the worm usually modifies the WIN.INI or SYSTEM.INI files. This approach, however, does not work on NT-based operating systems. When the target computer is next restarted, it becomes infected.

Some worms copy themselves to the startup folders of different users on remote computers. In this case they start every time a user logs on there. Some network worms can copy themselves globally over the Internet. They use NetBIOS services on ports 137 and 139 to find vulnerable computers and copy themselves there. These worms can also modify Windows INI files remotely. Only Windows 9x systems are affected by this type of worm.
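The mass-mailer and network-worm descriptions above both mention persistence through edits to WIN.INI and SYSTEM.INI. As an added defensive example (written for this page, not code from the original entry), the script below parses the contents of those two files and reports the legacy autostart entries a worm would use: a non-empty `load=` or `run=` in the `[windows]` section of WIN.INI, and a `[boot]` `shell=` in SYSTEM.INI that is anything other than the assumed default `Explorer.exe`. The file contents are constructed samples.

```python
import configparser
from typing import List

# Constructed sample contents of the two legacy INI files (not taken from a real infection).
SAMPLE_WIN_INI = """
[windows]
load=C:\\WINDOWS\\SYSTEM\\updater.exe
run=
"""

SAMPLE_SYSTEM_INI = """
[boot]
shell=Explorer.exe C:\\WINDOWS\\mailer.exe
"""

ASSUMED_DEFAULT_SHELL = "explorer.exe"  # assumed default value of shell= on Windows 9x


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse INI text leniently: no %-interpolation, duplicates tolerated, key case kept."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def suspicious_ini_entries(win_ini: str, system_ini: str) -> List[str]:
    """Return human-readable findings for autostart entries that should normally be empty/default."""
    findings: List[str] = []

    w = parse_ini(win_ini)
    for key in ("load", "run"):
        value = w.get("windows", key, fallback="").strip()
        if value:  # either key pointing at a program is an autostart hook
            findings.append(f"win.ini [windows] {key}={value}")

    s = parse_ini(system_ini)
    shell = s.get("boot", "shell", fallback="Explorer.exe").strip()
    if shell.lower() != ASSUMED_DEFAULT_SHELL:  # extra program appended after Explorer.exe, or replaced
        findings.append(f"system.ini [boot] shell={shell}")

    return findings


if __name__ == "__main__":
    for finding in suspicious_ini_entries(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("suspicious:", finding)
```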

A few network worms attempt to disable NT-based operating system security by patching specific Windows components. In this case they gain full administrative rights on the infected computer.

One network worm attempts to copy itself to shares that are protected with a password. The worm uses a vulnerability that allows it to brute-force the password and bypass share security.

IRC-Worm
IRC worms are also platform-specific. They work only with IRC (Internet Relay Chat) clients that connect to various IRC networks. An IRC worm is usually a standalone program that uses IRC networks to spread itself. Such a worm either tries to spread by establishing a connection to an IRC server itself, or drops specific scripts into an IRC client's directory. The most affected IRC client is mIRC. Usually an IRC worm replaces some INI files in the mIRC directory with its own scripts; when the user connects to an IRC server and joins any channel, these scripts instruct the client to send the worm's executable file to everyone in that channel.

IIS Worm
A platform-specific worm is a worm that works only on a specific platform (software). There exists a family of worms that work only on Microsoft IIS (Internet Information Server) software. These worms are called IIS worms. The code of such a worm is usually an HTTP request that exploits a vulnerability in the IIS software and makes the server run binary code that follows the HTTP request. IIS worms do not exist in file form; they exist only as a process in memory. Disinfection of such worms is quite easy: the relevant patches need to be installed to the IIS software and the server has to be rebooted. Some IIS worms change the startup pages of the IIS servers they infect.


Last update 18 September 2009
