A worm is a parasitic program capable of replicating itself by
sending its copies in e-mail messages or copying itself to to
computers over a network and other media. There exist several
types of worms: internet worm also called mass-mailer, network
worm and platform-specific worm.
A mass-mailer, also called an Internet worm, is usually a
standalone program that sends itself as an e-mail attachment to
e-mail addresses that it could find on an infected computer. Mass
mailers became very widespread in the beginning of 21st century.
Most of the malware nowdays are mass-mailers.
Typically a mass mailer arrives on a computer with an infected
e-mail message. In some cases an infected attachment of such
message can start automatically, in other cases a user has to run
an attachment to become infected. When a typical mass-mailer is
activated, it installs itself to system by copying its file into
Windows or Windows System folder, creates a startup key for its
file in the Registry or modifies WIN.INI or SYSTEM.INI file and
stays active in memory. While active, a mass mailer collects
e-mail addresses from user's Address Book or searches for
specific files (for example for HTML files) and tries to locate
e-mail addresses there. Finally a mass mailer connects to any
available SMTP server (usually a default user's SMTP server is
used) and sends itself to all or a few selected found e-mail
addresses.
Some mass mailers randomly compose subjects and bodies of
infected messages from words and phrases that they have in their
bodies. Some worms use contents of randomly found files as e-mail
message's body or subject. Worm's attachment names could be
either random, or 'borrowed' from other files.
Many worms send themselves as attachments with double extension,
for example .MPG.EXE or AVI.PIF. In this case a recipient in most
cases can only see the first extension. Because of that some
users try to start such attachments thinking that these are
multimedia files.
It has become a tradition to create complex worms that carry
viruses and backdoors inside them or that have additional
features like local network spreading or password or data
stealing.
Also the latest worms try to disable anti-virus and security
software on infected computers. Some worms attempt to steal data
by attaching images or document files to infected messages that
they send out. A few worms have destructive payload and destroy
an infected system after they send themselves out.
A network worm is usually a standalone program that tries to copy
itself to other computers connected to the same LAN (Local Area
Network). Such worms travel from one computer to another using
shares. A share is a media (hard drive for example) or part of it
that can be accessed by everyone or only by users with specific
access rights. In many cases corporate computers and servers have
a few open shares and that eases a worm's task to infect a
network. Cleaning of a network work outbreak in many cases
requires to take a network down and to disinfect all infected
computers one by one.
A network worms, when activated, looks for all available shared
resources and if it finds that Windows directory of another
computer is shared, it copy its files there. To make these copies
start on remote computers, a worm usually modify WIN.INI or
SYSTEM.INI files. This approach, however, does not work on
NT-based operating systems. When a target computer is then
restarted, it becomes infected.
Some worms copy themselves to startup folders of different users
on remote computers. In this case they can start every time a
user is logged on there.
A few network worms attempt to disable NT-based operating system
security by patching specific Windows components. In this case
they get full adminstration rights on an infected computer.
One network worm attempts to copy itself to shares that are
protected with a password. The worm uses a vulnerability that
allows it to bruteforce a password and bypass share security.
Some network worms can copy themselves globally using Internet.
They use NetBios services on ports 137 and 139 to find vulnerable
computers and to copy themselves there. Also these worms can
modify Windows INI files remotely. Only Windows 9x systems are
affected by this type of worms.
A platform-specific worm is a worm that works only on a specific
platform (software). There exist a family of worms that work only
on Microsoft IIS (Internet Information Server) software. These
worms are called IIS worms. The code of such a worm is usually an
HTTP request that exploits a vulnerability in IIS software and
makes a server run binary code that follows the HTTP request. IIS
worms do not exist in file form. They only exist as a memory
process. Disinfection of such worms is quite easy - special
patches need to be installed to IIS software and a server has to
be rebooted. Some IIS worms change startup pages of IIS servers
they infect.
IRC worms are also platform-specific. They work only with IRC
(Internet Relay Chat) clients that connect to various IRC
networks. An IRC worm is usually a standalone program that uses
IRC networks to spread itself. Such worm either tries to spread
itself by establishing connection to an IRC server or it can drop
specific scripts to an IRC client directory. The most affected
IRC client is mIRC. Usually an IRC worm replaces some INI files
in mIRC directory with its own scripts and when a user connects
to an IRC server and joins any channel, these scripts instruct a
client to send a worm's executable file to everyone in that
channel.
Disinfection
Automatic Disinfection
Usually standalone malware (backdoors, worms, trojans, etc.) is
automatically removed by F-Secure Anti-Virus (FSAV) starting from
version 5.40. Malware files get automatically renamed by FSAV, so
they can not be started any more. In some rare cases, when
automatic disinfection is not possible, a user can select
disinfection action by him/herself to make FSAV rename or delete
an infected file. In some special cases it is recommended to use
specific disinfection tools provided by F-Secure. They can be
downloaded from our ftp site:
F-Secure Anti-Virus can be purchased from our webshop or from our
authorised distributors. A trial version F-Secure Anti-Virus,
limited to 30 days, can be downloaded from our website:
All the latest versions of FSAV can download anti-virus database
updates automatically. However, these updates can be also
downloaded and installed manually from our web or ftp sites:
To manually disinfect standalone malware (backdoors, worms,
trojans, etc.) it's usually enough to delete all infected files
from a computer and to restart it. Active malware files are
usually locked by operating system so different disinfection
approaches are required for different operating systems.
Please note that manual disinfection is a risky process, so it is
recommended only for advanced users.
Windows 95, 98, ME
If Windows 9x operating system is used, it is recommended to
restart a computer from a bootable system diskette and to delete
an infected file from command prompt. For example if a malicious
file named ABC.EXE is located in Windows folder, it is usually
enough to type the following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone.
Windows NT, 2000, XP
If Windows NT, 2000 or XP is used, a malicious file has to be
renamed with a different extension (for example .VIR) and then a
system has to be restarted. After restart a renamed malicious
file will no longer be active and it can be easily deleted
manually.
System Restore issue
If Windows ME or XP is used, it is recommended to disable System
Restore feature of these operating systems to prevent a computer
from re-infection by an already removed malware. The fact is that
System Restore feature of these operating systems might save an
infected file into the special folder and copy it back to a hard
drive it every time it's been renamed or deleted by F-Secure
Anti-Virus or by a user. Instructions on how to disable System
Restore feature are here:
It is recommended to re-enable System Restore after disinfection
in order to restore stable system configuration in the future,
if any crash or incompatibility issue occurs.
Contacting F-Secure for help
If you have problems with disinfection, please consult a computer
technician or send a message (and a sample) to our Viruslab. We
have guidelines for sending virus samples, hoaxes and
virus-related questions to F-Secure Viruslab published here:
