
WORM: Definition, Prevention & Removal

DEFINITION

Computer worms share some common traits with viruses, but they also have some unique aspects that set them apart. Like a virus, a worm is a small program that can reproduce itself and thereby spread to other computers. Worms are not executable programs as such, nor do they utilize the Windows .exe extension or run capability. Rather, a worm is similar to a shell script or an executable .bin file that runs in the background without the knowledge of the user. Once installed on a machine, a worm can sometimes run as a process rather than a program, making it harder to find without the assistance of software tools.

The purpose of each individual worm depends on the "payload" it carries. The payload is the part of the code designed to accomplish a specific task, whereas another part of the code deals with replication. Payloads can be programmed to delete files on the infected computer, launch a cryptoviral attack, open and close communications ports to disrupt network traffic, and attack email networks for various purposes. Worms are used quite often to disrupt network services or create Denial of Service (DoS) attacks against large organizations.

One of the most popular uses of the computer worm is to hijack infected computers for use in unintended ways. These hijacked computers are called "zombies" and are controlled by the author or user of the worm. Spammers create zombie machines through which they can send millions of unwanted emails. Using the zombies allows the spammers to conceal their true IP address and return address for email. With the explosion of internet pornography since the 1990s, porn producers are also big users of computer worms. Like the spammers, they create zombie machines to distribute their material, keep their bandwidth down, and make it harder to find them should they be involved in illegal activities.

PREVENTION

Unlike a virus, a worm can be easily spread over a WAN or LAN without the need to be attached to a host file. This makes the worm an especially dangerous piece of malicious software. A worm can be embedded on a website, for instance, making every visitor a potential victim and/or carrier.

One of the best methods of fighting computer worms is by using a firewall. Firewall hardware or software can be configured to monitor all incoming traffic, including unsolicited queries by infected websites or machines. If set up properly, a firewall should ask the user for permission before allowing any unsolicited traffic to pass through. While the firewall is a good weapon against computer worms, anti-virus protection is also necessary. Because a website can become infected, worms can spread from a legitimate site that users frequent. Up-to-date anti-virus software should reduce the likelihood of a worm attack. Users should also periodically check for security updates issued by software vendors. These updates are usually patches designed specifically to close the vulnerability that the worm has exploited.
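A firewall's connection log can also be reviewed for the outbound side of the behaviour described above: a zombie sending mail to many servers, or a worm probing many machines on a LAN or WAN. The following is an added example, not part of the original page; the log format, the 10.0.0.0/8 internal range, the threshold and the function name are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log; assumed format: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = "\n".join(
    ["2009-03-01T10:00:01 10.0.0.5 192.0.2.10 80 ALLOW",   # ordinary browsing
     "2009-03-01T10:00:02 10.0.0.5 10.0.0.2 25 ALLOW",     # mail through one relay
     "truncated line"]                                     # malformed, must be skipped
    # zombie-like: one host delivering mail to 8 different servers
    + [f"2009-03-01T10:01:{i:02d} 10.0.0.7 198.51.100.{i} 25 ALLOW" for i in range(1, 9)]
    # spreading-like: one host trying the same port on 6 LAN machines
    + [f"2009-03-01T10:02:{i:02d} 10.0.0.9 10.0.0.{100 + i} 445 DENY" for i in range(1, 7)]
)

def find_fanout_hosts(log_text, threshold=5):
    """Return sorted (src_ip, dst_port, distinct_destinations) for internal
    hosts that contacted at least `threshold` different addresses on one port."""
    destinations = defaultdict(set)  # (src, port) -> set of destination addresses
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing the whole run
        _ts, src, dst, port, _action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # unparsable address or port
        # Denied attempts are counted too: a blocked probe is still a probe.
        if src_ip in INTERNAL_NET:
            destinations[(src, port_no)].add(dst_ip)
    return sorted(
        (src, port, len(dsts))
        for (src, port), dsts in destinations.items()
        if len(dsts) >= threshold
    )

if __name__ == "__main__":
    for src, port, count in find_fanout_hosts(SAMPLE_LOG):
        print(f"{src} contacted {count} distinct hosts on port {port}")
```

A host flagged this way is a candidate for an anti-virus scan; legitimate mail relays and network scanners need to be excluded before acting on the result.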

REMOVAL

Where viruses attach themselves to specific files on a computer for the purposes of destroying data, a worm is much more benign in its mode of attack. Most worms do not by design tend to damage the machines they infect. Any damage done is usually the result of unintended consequences brought about by the worm's activity and is minimal. Symptoms of a worm infection mimic the symptoms of low memory, a fragmented hard drive, or slow internet connection. Usually an anti-virus program is the only method of detection.

Worms are easily identified and defended against by anti-virus software if the attack is made through normal channels. To get around this, many worms are written to take advantage of "back doors" created by other viruses or rootkits. Complete removal requires that these back doors be closed to prevent future attacks. Users should visit the website of their anti-virus vendor for removal tools and further instructions. The complexity of worm attacks almost always requires the modification of system files or the registry to completely remove the worm. Once the removal is complete, the proper security patches should be downloaded and installed.

 

 

 

Copyright © 2009 ZSecurity