
RE: Internet worm / definitions

From: Roger A. Grimes <rogerg(at)cox.net>
Date: Thu May 15 2003 - 10:45:25 EDT


Joao,

You've opened a can of worms here. Excuse the pun. You'll get a dozen differing responses including my own, but most malware experts have moved away from classifying malware with conventional name types (i.e. a virus vs. a worm vs. a trojan horse). Just too limiting these days. That's why we call something malware, or to borrow from my own book's title, malicious mobile code. You'll also see things called Hybrids, mixed-threat etc. Most AV companies just pick one of the conventional names that most fits the main spreading mechanism of the malware...but in reality they know that most mobile malware programs cross conventional naming boundaries.

On the conventional side, it sometimes helps to explain what a worm is by defining what computer viruses are first. Viruses infect or use other host files to spread. Actually, they don't even need to modify the original file to spread (i.e. twin or spawning viruses). But they do rely on a direct one-to-one relationship with another host file or code to spread. When the user executes the host file or boot sector, it executes the referenced virus code. The key is the original code is still executed as a part of the normal virus' operations.

A worm, by definition, spreads using its own code. It can spread by itself without any human intervention or be spread by the user executing it in the form of a trojan file. The key is that a pure worm does not infect or modify other host code to spread. Only its own code is used to propagate.

Just my half cent.

Roger



*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly

-----Original Message-----
From: Joao Schim [mailto:joao@bowtie.nl]
Sent: Thursday, May 15, 2003 9:38 AM
To: Focus-Virus
Subject: Internet worm / definitions

Hello virus people,

Various organisations, virus professionals, classify almost all modern viruses as being an "Internet Worm".

What exactly is it that makes a virus a worm? Logical thinking might imply that only viruses that send themselves automatically without user intervention should be called a worm. But seemingly even viruses that get _activated_ by users, by means of opening attachments, are called Internet worms.

What is the difference between a Worm and a *regular* i.e. mass-mailing virus? Or is any via internet-transported virus a worm per definition?

Thanks for explaining in advance.

Joao.


  • Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-focus-virus





Received on Thu May 15 12:23:53 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT
