A computer worm is a type of malicious software that self-replicates, infecting other computers while remaining active on infected systems.

Worms can often go unnoticed until their uncontrolled replication process consumes system resources, halting or slowing the infected computer. Along with computing resources, networks can become congested by traffic associated with worm propagation. 

What is the Difference Between a Virus and a Worm?

The term virus is often used as a generic, catch-all reference to any type of malware, but technically this is incorrect.

A virus, like its biological counterpart, does not reproduce or spread on its own. It is a mutating program that injects malicious code into existing applications and uses their functionality or user action to spread.

In contrast, worms are self-replicating and require no human intervention to spread once started.

How Do Computer Worms Spread?

Computer worms often rely on exploiting security vulnerabilities in networking protocols, a computer's operating system or a backdoor to propagate without the user's knowledge.

An early example is the Morris worm. The Morris worm was one of the first internet worms and was written to highlight security flaws rather than cause damage. 

It spread by exploiting known vulnerabilities, like those that would now be listed on CVE, in Unix sendmail, finger and rsh/rexec, as well as weak passwords. At its height, the Morris worm was running on nearly 10 percent of all internet-enabled computers at the time.

However, the malicious code could infect a machine multiple times and each additional process would slow it down, eventually to the point of being unusable.

This mistake turned a potentially harmless intellectual exercise into a denial-of-service attack and caused its creator Robert Morris to be the first person convicted under the United States' 1986 Computer Fraud and Abuse Act.

A more recent example is the WannaCry ransomware cryptoworm, which many suspect is the work of North Korean cybercriminals.

WannaCry targeted versions of Microsoft Windows operating systems that used Server Message Block (SMB v1), an outdated resource sharing protocol. 

Once the target system was infected, the worm would install a computer program that encrypted the user's files and requested ransom. It would then look for new victims by sending SMBv1 requests, and responders would be infected by the self-replicating malware.

Another common method is email worms. Email worms create and send outbound emails to all addresses in a user's contacts. The messages contain a malicious email attachment that infects the new system when the recipient opens it. This type of malware can be used in conjunction with social engineering, like phishing or spear phishing, to greatly increase the probability of successful infection.

Before widespread use of computer networks, worms spread through infected external hard drives, CDs, floppy diskettes and USBs. 

Stuxnet, one of the most notorious computer worms, spread through infected USBs. Stuxnet targets supervisory control and data acquisition (SCADA) systems which are commonly used by power utilities, water supply services, sewerage plants and other industrial environments. It is believed Stuxnet was a targeted cyber attack designed to sabotage Iran's nuclear weapon production. 

What Damage Can Computer Worms Cause?

It depends on the type of computer worm and the desires of its creator. Some worms are used to spread other types of malware for cybercrime like corporate espionage and others are used to highlight particular security vulnerabilities but do no real damage (minus network congestion). 

Many of the first computer worms were proofs of concept designed to do nothing more than infect computers and reproduce themselves in the background. Often the only way to identify an infection was when a worm made too many copies of itself and caused the system to slow.

But with time, worms are becoming a means to an end, often carrying a payload that aims to steal sensitive data or cause a data breach.

It's common to use the worm to gain initial access to a system and then use privilege escalation to gain further access to a system.  

What are the Different Types of Computer Worms?

There are several types of computer worms:

  • Worm virus hybrids: A piece of malware that spreads like a worm and modifies itself like computer viruses or contains another malicious payload like a trojan, spyware or rootkit.
  • Bot worms: Designed to infect computers and turn them into zombies or bots, which can be used in coordinated distributed denial-of-service attacks (DDoS attacks) through botnets. Conficker, a 2008 worm, infected millions of computers and created vast botnets. 
  • Instant messaging worms: Spread through instant messaging services by installing a malicious software program that gains access to contact lists on victim computers. The first large IM worm outbreak was reported in the Netherlands and spread through MSN Messenger through a malformed WMF file called xmas-2006 FUNNY.jpg.
  • Email worms: Spread through malicious email attachments that appear to be legitimate mail. The ILOVEYOU worm targeted victims who opened an infected email attachment and then sent itself to all the victim's contacts in Microsoft Outlook. Though it technically requires some level of user interaction, the virus reportedly infected as many as 45 million people by May 4, 2000, forcing many enterprises to shut down their email services.
  • Ethical worm: Designed to propagate across networks and install patches for known security vulnerabilities like those listed on Common Vulnerabilities and Exposures.
  • File-sharing worms: Take advantage of the fact that file-sharers don't know exactly what they are downloading. The worm copies itself into a shared folder, users unwittingly download it, and it copies itself again and repeats the process. "Phatbot" spread to millions of computers in 2004 and was able to steal sensitive data like credit card details, as well as personally identifiable information (PII) and protected health information (PHI).

How to Prevent Computer Worm Infections

Organizations with good cybersecurity, information security, data security and network security can protect themselves against computer worms.

Common prevention mechanisms include: 

In the end, preventing computer worms is about information risk management and education. Many worms continue to spread because of old and unpatched computers which should have been updated years ago. Don't rely on digital forensics and IP attribution to clean up successful cyber attacks. Computer security should be focused on prevention.

And one of the most overlooked parts of computer security is vendor risk management. Third-party vendors introduce new attack vectors.

With increased outsourcing and vendors with poor security standards comes increased worm infections, data leaks and data breaches. Even if your internal security is good, you can become infected with a computer worm via a secondary infection on an internal network that a third-party vendor has access to. This is known as third-party risk and fourth-party risk (the risk introduced by your vendor's vendors). 

As much as possible, look for vendors with SOC 2 assurance and develop a third-party risk management framework and cybersecurity risk assessment process. If you're not sure where to start, see our vendor risk assessment template and learn to plan your vendor security questionnaire.

Consider investing in a tool to automate vendor risk management and monitor your third-party risk and internal security posture.

How to Detect Computer Worms

Detecting a computer worm can be difficult, but there are some common symptoms:

  • Degradation of computer performance
  • Unexpected freezing or crashes
  • Unusual system behavior
  • Programs executing or terminating without user interaction
  • Sudden appearance or disappearance of files
  • Warning messages from your operating systems or antivirus software
  • Email messages sent without user action

The April-June 2008 issue of IEEE Transactions on Dependable and Secure Computing described a new way to detect and combat internet worms. The authors suggest using software to monitor the number of scans a machine on a network sends out. When the machine starts to send out too many scans, it could be infected and administrators should be notified to take it offline and check for malware.
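The scan-counting idea above, as an added example that is not taken from the cited paper or from this page: a sliding-window count of distinct destinations contacted by each source, run over constructed flow records. The record layout, the 60-second window and the threshold of 20 targets are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


def find_scanning_hosts(flows, window_seconds=60, max_distinct_targets=20):
    """Return {source_ip: (alert_time, distinct_targets)} for hosts that contact
    more than max_distinct_targets different (ip, port) pairs within the window.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port) tuples (assumed layout).
    """
    events = defaultdict(deque)                      # src -> (ts, target) still in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> target -> events in window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        target = (dst, port)
        events[src].append((ts, target))
        counts[src][target] += 1
        # Drop events that have aged out of the window for this source.
        while events[src][0][0] <= ts - window_seconds:
            _, old = events[src].popleft()
            counts[src][old] -= 1
            if counts[src][old] == 0:
                del counts[src][old]
        # Repeat visits to the same server do not raise the distinct count,
        # so a busy but ordinary client stays below the threshold.
        if len(counts[src]) > max_distinct_targets and src not in alerts:
            alerts[src] = (ts, len(counts[src]))
    return alerts


def build_sample_flows():
    """Constructed sample data: one ordinary workstation and one scanning host."""
    flows = []
    servers = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
    for i in range(120):  # workstation revisits the same three servers
        flows.append((1000 + 5 * i, "10.0.0.5", servers[i % 3], 443))
    for i in range(1, 61):  # host sweeps a subnet on TCP 445, one new address per second
        flows.append((1300 + i, "10.0.0.23", f"10.0.2.{i}", 445))
    return flows


if __name__ == "__main__":
    for host, (when, n) in find_scanning_hosts(build_sample_flows()).items():
        print(f"notify admins: {host} reached {n} distinct targets at t={when}")
```

In production the threshold needs tuning per host role, since vulnerability scanners, monitoring servers and DNS resolvers legitimately contact many destinations.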

How to Remove Computer Worms

In extreme cases, removing a computer worm may involve reformatting. Configuration management can help to quickly recover infected systems and dramatically improve incident response.

If you can identify the particular worm that has infected the system, there may be specific instructions or tools designed to remove the infection.

During the removal process, disconnect from the Internet and remove any storage devices and scan them separately for the host file. Once the system has been disconnected, you can follow the instructions, run the tool or reformat the computer.

Remember that worms often spread by exploiting vulnerabilities, so make sure to update the system to reduce the risk of a secondary infection. 

How UpGuard Can Improve Your Organization's Cybersecurity

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.

We're experts in data breaches; our data breach research has been featured in the New York Times, Bloomberg, Washington Post, Forbes, Reuters and TechCrunch.

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry. 

Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.

Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.

UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
