Associate Professor, Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Kurnool-518002, Andhra Pradesh, Email: ishthaq@gmail.com.
Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Kurnool-518002, Andhra Pradesh, Email: rajesh059@yahoo.com

ABSTRACT

Computer worms have drawn significant attention in the research community due to their enormously adverse impact on local networks and also on the Internet. To understand the adverse impacts posed by computer worms it is necessary to understand the classes of worms. This paper describes the definition of a computer worm, the history and timeline of computer worms, the classification of computer worms, the life cycle of a computer worm, and worm code analysis.

1 INTRODUCTION

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes, i.e., computers on the network, and it may do so without any user intervention. Viruses need to be attached to system files belonging to the operating system, and they require some sort of user action to abet their propagation. Viruses tend to propagate more slowly. They also face more mature defenses due to the presence of a large anti-virus industry that actively seeks to identify and control their spread. Unlike a virus, a computer worm does not need to attach itself to an existing program. Computer worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a target computer. Computer worms are hated because they consume bandwidth and may also crash the computers they infect. Infected computers may also be used for other attacks such as DDoS, phishing attacks, etc.

Computer worms are one form of malware, along with viruses and Trojans. A person typically installs worms by inadvertently opening an email attachment or message that contains executable scripts.
Once installed on a computer, worms spontaneously generate additional email messages containing copies of the worm. They may also open TCP ports to create network security holes for other applications, and they may attempt to "flood" the LAN with spurious Denial of Service (DoS) data transmissions.

2 DEFINITION OF COMPUTER WORM

Definition 1. Computer worms are malicious software applications designed to spread via computer networks.

Definition 2. A computer worm is an evil-intentioned program that can replicate and run itself.

3. HISTORY OF COMPUTER WORM

The first ever program that could be called a worm, as per the definition, was developed for the assistance of air traffic controllers by Bob Thomas in 1971. This worm program would notify air traffic controllers when the controls of a plane moved from one computer to another. This worm, named "creeper", would travel from one computer screen to another on the network showing the message "I am Creeper! Catch me if you can!" The difference from most worms was that this creeper did not reproduce itself.

The first Internet infection that required no human intervention to propagate was the Morris Worm, discovered in 1988 and released by Robert Morris. It spread very quickly, infecting a number of vulnerable computers in a matter of hours. The Morris Worm infected various machines and used multiple exploits, including buffer overflows, debugging routines in mail components, password sniffing, and other streams of execution, to improve its ability to attack other computers. Although it was released by accident, the benign concept doesn't really apply to the Morris Worm, as it had a significant amount of impact because of the bug in its code. When reinfecting a computer, there remained the possibility that the new infection would be persistent, allowing other worms to run and terribly impact system performance. However, this caused the worm to be noticed instantly, and therefore quickly contained.

Modern Worms. Active computer worms have returned to prominence in recent times. The first one to cause an eruption was Code Red. This infection proved how quickly a simple self-replicating program could spread via the Internet's current infrastructure.
Code Red exploited a buffer overflow condition in the Microsoft IIS (Internet Information Server). It was able to propagate quickly because of the "always on" nature of IIS and many versions of the Windows operating system. Code Red was also equipped with scanning capabilities that improved its throughput and gave it the ability to elude numerous IP address security features.

3.1 Timeline of Computer Worms

Year: 1971
Worm Name: Creeper
Description: The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.

Year: 1974
Worm Name: Wabbit
Description: The Wabbit virus, more a fork bomb than a virus, is written. The Wabbit virus makes multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogs the system, reducing system performance, before finally reaching a threshold and crashing the computer.

Year: 1975
Worm Name: Animal
Description: Animal is written by John Walker for the UNIVAC 1108. Animal asked the user a number of questions in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structures, and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying.
Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".

Year: 1988
Worm Name: Morris worm
Description: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

Year: 1999
Worm Name: Melissa
Description: First found on March 26, 1999, using holes in Microsoft Outlook, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm. Once executed, the original version of Melissa used a macro virus to spread to the first 50 addresses in the user's Outlook address book. However, if Internet access or Outlook were not available, it would copy itself to other Word documents and attempt to e-mail those documents, revealing potentially confidential information. Further, it would modify existing documents by inserting quotes from the Simpsons television show. (Henry, 2003)
Estimated damage: $1.1 billion.

Year: 2000
Worm Name: I LOVE YOU
Description: First found on May 3, 2000 in Asia, it spread quickly across the globe. Instead of sending a copy of the worm to the first 50 or 100 addresses in the host's Outlook address book like Melissa, I Love You used every single address in the host's address book. This worm also had a malicious side to it, as the worm overwrote important files with a copy of itself, making it virtually impossible to recover the original files. It also marked all mp3 files as hidden, and downloaded a Trojan horse that would steal user names and passwords and send them to the virus's author.
Estimated damage: $8.75 billion.

Year: 2001
Worm Name: Anna Kournikova Virus worm
Description: First appearing in February 2001, it was produced by a "script kiddie" and is well known only for its social engineering attachment, which appeared to be a graphic image of Russian tennis star Anna Kournikova. However, when the file was opened, a clandestine code extension enabled the worm to copy itself to the Windows directory and then send the file as an attachment to all addresses listed in the user's Microsoft Outlook e-mail address book. The "Anna Kournikova Virus" worm, although famous, was just a nuisance, as it did little to no damage.
Estimated damage: $166,827

Year: 2001
Worm Name: Code Red
Description: First found on July 13, 2001, this worm exploited a vulnerability in Microsoft's Internet Information Server (IIS) web servers to deface the host's website, and to copy the command.com file and rename it root.exe in the Web server's publicly accessible scripts directory. This would provide complete command line control to anyone who knew the Web server had been compromised. It also waited 20-27 days after it was installed to launch denial of service attacks against the White House's IP address. Code Red spread at a speed that overwhelmed network administrators, as more than 359,000 servers became compromised in just over 14 hours. At its peak, more than 2,000 servers were being compromised every single minute. Estimates are that Code Red compromised more than 750,000 servers. (Henry, 2003)
Estimated damage: $2.6 billion

Year: 2001
Worm Name: Sircam
Description: First found on July 19, 2001, this mass-mailing e-mail worm not only exploited Microsoft's Outlook program, it also had the ability to spread through Windows network shares. The worm had two deadly payloads, but due to a program error they did not work.
Estimated damage: $1.03 billion

Year: 2001
Worm Name: NIMDA
Description: First appearing in September 2001, NIMDA, which is "admin" spelled backwards, was not as malicious in nature as previous worms, but its advanced features and its different means of propagation allowed it to spread faster than any preceding worm. These means included: from client to client via email; from client to client via open network shares; from web server to client via browsing of compromised web sites; from client to web server via active scanning for and exploitation of various Microsoft IIS vulnerabilities; and from client to web server via scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms. NIMDA was also the first worm that contained its own e-mail program, so it did not depend on the host's e-mail program to propagate.
Estimated damage: $645 million

Year: 2001
Worm Name: Klez
Description: First appearing on October 26, 2001, Klez and its variants were still considered a problem late in 2003, making Klez one of the most persistent viruses ever. Klez was a hybrid worm that took advantage of a flaw in Outlook that allowed it to be installed simply by viewing the e-mail in the preview panel. As a hybrid threat it could behave like a virus, a worm, and at other times even like a Trojan horse. Klez also incorporated a technique we saw in the Christmas Exec worm, as it selected one e-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. In this manner, the e-mail often appeared to have been sent from someone the addressee actually knew.
Estimated damage: $18.9 billion

Year: 2003
Worm Name: SQL Slammer
Description: Appearing January 25, 2003, and taking advantage of two buffer overflow bugs in Microsoft's SQL Server database product, it spread rapidly, with a doubling time of 8.5 seconds in the early phases of the attack, allowing it to infect most of its victims within 10 minutes.
SQL Slammer was the first example of a "Warhol worm." A Warhol worm was first hypothesized in 2002 in a paper by Nicholas Weaver, and it is an extremely rapidly propagating computer worm that spreads as fast as physically possible, infecting all vulnerable machines on the entire Internet in 15 minutes or less. The term is based on Andy Warhol's remark that "In the future, everybody will have 15 minutes of fame." (Computer Worm, 2005)
Estimated damage: $1.2 billion.

Year: 2003
Worm Name: Sobig
Description: Originally put together in January 2003 to spread a proxy server Trojan, its variant Sobig.F set a record in sheer volume of e-mails. Sobig, like Nimda, used a built-in SMTP engine so it did not depend on the host's e-mail program to propagate. Then, emulating Klez, it selected one e-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. It also attempted to create a copy of itself on network shares, but failed due to bugs in the code.
Estimated damage: $36.1 billion

Year: 2003
Worm Name: Blaster
Description: Appearing August 11, 2003, Blaster exploited a Microsoft DCOM RPC vulnerability to infect systems running Windows 2000 and Windows XP, and caused instability on systems running Windows NT and Windows Server 2003. Filtering of virus activity by Internet service providers (ISPs) worldwide greatly reduced the spread of Blaster.
Estimated damage: $1.3 billion

Year: 2004
Worm Name: Mydoom
Description: Appearing January 26, 2004 and primarily transmitted via e-mail made to appear as a transmission error, Mydoom's rapid spread made it the fastest spreading e-mail worm ever. It slowed overall Internet performance by about 10%, and average web page load times by about 50%.
Estimated damage: $38.5 billion

Year: 2004
Worm Name: Witty
Description: Appearing March 19, 2004, the Witty worm was the fastest developed worm to date, as there were only 36 hours between the release of the advisory and the release of the virus.
Witty infected the entire exposed population of twelve thousand machines in 45 minutes, and it was the first widespread worm that destroyed the hosts it infected (by randomly erasing a section of the hard drive) without significantly slowing the worm's expansion.
Estimated damage: $11 million

Year: 2004
Worm Name: Sasser
Description: Appearing on April 30, 2004 and spreading by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service), it hit the Internet a little more than two weeks after Microsoft warned users of this flaw. Although it caused infected Windows XP and Windows 2000 computers to repeatedly reboot, Sasser did little damage, as it was merely designed to spread and carried no payload.
Estimated damage: $14.8 billion

Year: 2005
Worm Name: Zotob
Description: Zotob is a computer worm which exploits security vulnerabilities in Microsoft operating systems like Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds or TCP port 445. "The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC, CNN, The Associated Press, The New York Times, and Caterpillar Inc."
Estimated damage: $97,000

Year: 2006
Worm Name: Nyxem
Description: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.

Year: 2007
Worm Name: Storm
Description: The Storm Worm is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007.
The worm is also known as:
Troj/Dorf and Mal/Dorf (Sophos)
Trojan.DL.Tibs.Gen!Pac13
Trojan.Downloader-647
Trojan.Peacomm (Symantec)

Year: 2008
Worm Name: Koobface
Description: Koobface is a computer worm that targets users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. Koobface is designed to infect Microsoft Windows and Mac OS X, but also works on Linux in a limited fashion. Upon successful infection, Koobface ultimately attempts to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data. It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer, as well as to hijack search queries to display advertisements. It was first detected in December 2008 and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration of the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.
Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like LOL or YOUTUBE.
If the link is opened, the Trojan virus will infect the computer and the PC will become a zombie or host computer. Among the components downloaded by Koobface are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC.

Year: 2009
Worm Name: Daprosy Worm
Description: Daprosy Worm is a malicious computer program that spreads via LAN connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file, from which several dozen clones are created at once, bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files in infected folders. The worm belongs to the "slow" mass mailer category, where copies of the worm are attached and sent to addresses intercepted from the keyboard. The e-mail consists of a promotion of, and installation instructions for, an imaginary antivirus product purported to remove unknown infections from the computer. While infection cannot occur until the attached worm is renamed and opened, it could spread to system folders in a matter of seconds! Also, it is known to shut down or hang Windows Vista and Windows 7 when its attempt to write to the system drive is denied. The worm also hides folders and makes them "super hidden" so that the data contained in them cannot be easily accessed. Symantec discovered Daprosy Worm. Said trojan worm is intended to steal online-game passwords in internet cafes. It could, in fact, intercept all keystrokes and send them to its author. It is a particularly dangerous worm when it infects B2B (business-to-business) systems. Daprosy worm is rampant in public internet cafés with LAN connections and exposed USB mass storage drives.

4. LIFE OF COMPUTER WORM

Once the worm enters any one of the host computers, its life includes the following phases:
1) Scanning for a victim
2) Exploiting the victim
3) Payload
4) Cloning itself onto the victim
5) Stealth techniques used to hide itself

The above figure indicates the spreading of a worm. Once the worm is created, the intruder sends it into the network. Once the worm is released into the network, it first searches for a vulnerable host, i.e., a victim. If a victim is found, it exploits the victim host and then clones itself onto the victim. This process continues to spread the worm to the entire network without any human intervention.

4.1 Scanning for a victim. Scanning for a victim means target discovery. It represents the mechanism by which a worm discovers a new target to infect. Scanning requires searching a set of addresses to identify vulnerable hosts. Two simple forms of scanning are sequential scanning and random scanning. Other forms of scanning include full scan, subnet scan, and divide and conquer scan. Scanning worms spread comparatively slowly compared with a number of other spreading techniques, but when coupled with automatic activation, they can still spread very quickly in absolute terms.

4.2 Exploiting the victim. Exploiting the victim means gaining access to the victim computer. A small piece of code provides access to a victim computer by utilizing some flaw in the logic of a program running on the victim computer. Gaining access means the ability to run commands/programs on the host computer.

4.3 Payload. During this phase the worm can create backdoors in the host machine, alter or destroy files, transmit passwords, or leave copies of itself. Worms use operating system facilities that are often automatic and invisible to the users. Often, worm activity remains invisible until the uncontrolled replication consumes system resources. Worm attacks include slowing or halting the system, and denial of service by flooding the network with useless packets.
Worms can also send sensitive information to cause confusion, collect sensitive data, or damage data in the host machine.

4.4 Cloning itself on to the victim. Once the victim has been exploited, the worm needs to get a copy of itself onto the victim. Once the copies of itself are created, they are spread to another targeted host computer. This process continues on each host, until all the host computers in the network are attacked by the worm.

4.5 Stealth techniques used to hide itself. Worms use some stealth techniques to hide themselves on the host machine whenever any antivirus programs are running on that machine. Worms can also hide the processes running on the machine. Worms can also hide user files and delete logs.

5 CLASSIFICATION OF COMPUTER WORMS

5.1 Classification based on behavior

Stealth worms. These worms do not spread in a rapid fashion but instead spread in a stealthy manner. They are very difficult to detect.

Polymorph worms. To make signature-based detection more complicated, these worms can change themselves during propagation.

File worms. These worms are modified versions of viruses, but unlike viruses these worms do not connect their presence with any executable files. They simply copy their code to some other disk or directory, hoping that these new copies will someday be executed by the user.

Multi-vector worms. This type of worm uses different types of propagation methods in order to make more hosts vulnerable to attack and to propagate effectively behind firewalls.

Email worms. These worms email themselves to other email addresses and make the user execute email attachments with malicious code, or use bugs in the email programs to get attachments executed automatically.

5.2 Classification based on scanning

Random scanning. A random scanning worm generates random IP addresses using a pseudorandom number generator. Thus every host on the network is equally likely to be scanned.
CodeRed v2 and SQL Slammer are random scanning worms.

Localized scanning. Localized scanning is a simple technique used by computer worms to search for vulnerable hosts. Localized scanning trades off between the local and the global search for vulnerable hosts, and has been used by the Code Red II and Nimda worms.

Sequential scanning. Sequential scanning worms scan IP addresses sequentially. After the worm compromises a vulnerable host, it checks the host next to this vulnerable host. The Blaster worm employed sequential scanning.

Topological scanning. Topological scanning worms rely on the local information contained in the compromised hosts to locate new targets. Local information includes the /etc/hosts file, email addresses, etc. Topological scanning was used by the Morris worm.

Hitlist scanning. The worm writer gathers a list of potentially vulnerable hosts beforehand, which are targeted first when the worm is released. This speeds up the spread of the worm at an initial stage. Hitlist scanning was used by the Slammer worm.

6 CODE ANALYSES OF COMPUTER WORMS

6.1 Code analysis for computer worm Code Red. Code Red is an Internet worm that replicates between Windows servers running Microsoft's IIS (Internet Information Services) and Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. Code Red can infect more than 2,000 new hosts each minute.

1. Selection of Target. The worm sends its code as an HTTP request. This request exploits a buffer-overflow vulnerability in the Indexing Services used by Microsoft IIS.

2. Infecting the target Machine. The worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service of the Microsoft IIS web server software.

Figure: Flow Chart of the Code Red Worm

3. Payload. The worm attempts to connect to an IP address associated with the popular site 'www.whitehouse.gov', and tries to flood it with connection attempts. The worm creates copies of itself in memory in order to attack even more IIS servers. Overall, the payload of the worm degrades the performance of the host machine and causes system instability as it spawns multiple threads and uses bandwidth.

4. Network Propagation. The worm uses a random number generator to generate the addresses of servers for further attack. The worm creates hundreds of threads of itself on the infected system. The worm spreads to other servers by using the static seed mechanism to generate a series of IP addresses. The next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to re-infect the source computer, the worm does not make HTTP requests to its own IP address.

6.2 Code analysis for computer worm Slammer. Slammer is the fastest computer worm in history, and was released on January 25th, 2003. It doubled in size every 8.5 seconds. It infected 75,000 hosts, which was more than 90% of vulnerable hosts, within 10 minutes.
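
Added example (not part of the paper): the simple epidemic model for a random-scanning worm, calibrated with the Slammer figures quoted above (8.5-second doubling time, 75,000 hosts), showing how fast saturation follows from the doubling time and how much an early probe filter changes the outcome. The single initial host, the filter time (60 s) and the filter efficiency (90%) are assumptions chosen for illustration, and the model ignores bandwidth limits.

```python
import math

ADDRESS_SPACE = 2 ** 32      # IPv4 addresses a uniform random scanner draws from
DOUBLING_TIME_S = 8.5        # Slammer doubling time quoted in the text
VULNERABLE_HOSTS = 75_000    # infected population quoted in the text


def growth_rate(doubling_time_s):
    """Early-phase exponential growth rate r (1/s) implied by a doubling time."""
    return math.log(2) / doubling_time_s


def infected_at(t, n_vulnerable, r, i0=1.0):
    """Closed-form solution of dI/dt = r * I * (1 - I/N) with I(0) = i0."""
    a = n_vulnerable / i0 - 1.0
    return n_vulnerable / (1.0 + a * math.exp(-r * t))


def time_to_fraction(frac, n_vulnerable, r, i0=1.0):
    """Seconds until `frac` of the vulnerable hosts are infected."""
    a = n_vulnerable / i0 - 1.0
    return math.log(a * frac / (1.0 - frac)) / r


def implied_scan_rate(r, n_vulnerable):
    """Probes per second per infected host, from r = scan_rate * N / 2**32."""
    return r * ADDRESS_SPACE / n_vulnerable


def simulate(n_vulnerable, r, t_end, filter_at=None, filter_eff=0.0,
             i0=1.0, dt=0.1):
    """Euler integration of the same model.

    From `filter_at` seconds on, a fraction `filter_eff` of probes is dropped
    (hypothetical network filtering), which scales the growth rate down.
    """
    infected = i0
    for k in range(int(round(t_end / dt))):
        rate = r
        if filter_at is not None and k * dt >= filter_at:
            rate = r * (1.0 - filter_eff)
        infected += dt * rate * infected * (1.0 - infected / n_vulnerable)
    return infected


def report():
    """Key figures for the Slammer parameters quoted in the text."""
    r = growth_rate(DOUBLING_TIME_S)
    return {
        "growth rate (1/s)": r,
        "time to 90% infected (s)": time_to_fraction(0.9, VULNERABLE_HOSTS, r),
        "infected after 60 s": infected_at(60, VULNERABLE_HOSTS, r),
        "probes/s per host": implied_scan_rate(r, VULNERABLE_HOSTS),
        "infected after 10 min": simulate(VULNERABLE_HOSTS, r, 600),
        "same, 90% filter at 60 s": simulate(
            VULNERABLE_HOSTS, r, 600, filter_at=60, filter_eff=0.9),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:28s} {value:12.2f}")
```

In this idealized model 90% saturation arrives in under three minutes, so any containment measure has to act within the first minute or so to matter.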

Figure: Flow chart of the Slammer

1. Select Target. Exploits a vulnerability centered in the Microsoft SQL Server Resolution Service running on UDP port 1434 of SQL Server 2000 systems and systems with the Microsoft Desktop Engine 2000 (MSDE) installed.

2. Infect target machines. The worm sends multiple copies of its 376-byte code packet to randomly generated IP addresses. It does not write itself to the disk. It exists only as network packets and in running processes on the infected computers.

3. Payload. The worm payload does not contain any additional malicious content in the form of backdoors, etc. The speed at which it attempts to re-infect systems, creating a denial-of-service attack against infected networks, is astonishing.

4. Network Propagation. When the SQL server receives the malicious request, the overrun in the server's buffer allows the worm code to be executed. After the worm has entered the vulnerable system, it first gets the addresses of certain system functions and then starts an infinite loop to scan for other vulnerable hosts on the Internet. Slammer performs a simple pseudo-random number generation formula using the returned GetTickCount() value to generate an IP address that is used as the target, thereby spreading further into the network and infecting vulnerable machines. Multiple instances of the worm can infect a host because the worm does not check for previous infections of the target system.

7. CONCLUSION

In this paper, we studied how computer worms came into this world, how they evolved, how much damage they have caused to networks, and their life cycle, classification and code analysis. Summarizing this work makes it clear that they are very dangerous. We can also understand that computer worms have caused massive damage to the computer world.

REFERENCES

[1] Sarah H. Sellke, Ness B.
Shroff, Saurabh Bagchi, "Modeling and Automated Containment of Worms", Journal IEEE Transaction on Secure and Dependable Computing, Vol 5, No 2, Published on April-June 2008.
[2] Cliff Changchun Zou, Weibo Gong, Don Towsley, "Code red worm propagation modeling and analysis", Conference on Computer and Communications Security, Proceedings of the 9th ACM conference on Computer and communications security.
[3] Nicholas Weaver, Vern Paxson, Stuarts Staniford, Robert Cunningham, "A Taxonomy of Computer Worms", First Workshop on Rapid Malcode (WORM), 2003.
[4] "Timeline of Computer Worms and Viruses" [online] Available at http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms.
[5] Craig Fosnock, "Computer Worms: Past, Present, and Future", East Carolina University, Published in 2005.
[6] Pankaj Kohli, "Worms - survey and propagation", MS by Research - Computer Science and Engineering, International Institute of Information Technology Hyderabad, India [online] Available at http://www.pank4j.com/research/worms.pdf
[7] Simon Byers, Aviel Rubin, and David Kormann, Defending against internet-based attack on the physical world, http://www.avirubin.com/scripted.attacks.pdf.
[8] Modern Worms [online] Available at http://www.spamlaws.com/history-of-worms.html.
[9] M Christodorescu, "Static analysis of executables to detect malicious patterns", Proceedings of the 12th conference on 2003. [online] Available at portal.acm.org
[10] Morris Worm, "history of computer worms" [online] Available at http://www.spamlaws.com/history-of-worms.html
[11] Phases of Computer Worm: Nicholas Weaver, Vern Paxson, Stuarts Staniford, Robert Cunningham, "A Taxonomy of Computer Worms", First Workshop on Rapid Malcode (WORM), 2003.
[12] Puja Bajaj, Arjun Guha Roy, Department of Computer Science, St. Cloud State University, St. Cloud MN 56301, Classification based on behavior.
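
Added example (not part of the paper): the scanning classes of section 5.2 seen from the monitoring side, as a classifier over flow records that flags high fan-out sources and labels their pattern as sequential, localized or random. The record layout, the thresholds and the sample flows (including port 135 for the sequential source) are constructed for illustration; hitlist and topological scanning cannot be recognised from destination addresses alone and are not covered.

```python
import ipaddress
import random
from collections import defaultdict

FANOUT_THRESHOLD = 20   # assumed: distinct destinations on one port before flagging
SEQUENTIAL_SHARE = 0.8  # assumed: share of +1 address steps that means "sequential"
LOCAL_SHARE = 0.5       # assumed: share of targets in the source's own /16


def label_pattern(src, dsts):
    """Label an ordered list of distinct destination addresses (as integers)."""
    steps = [b - a for a, b in zip(dsts, dsts[1:])]
    sequential = sum(1 for s in steps if s == 1) / max(len(steps), 1)
    src_net = int(ipaddress.IPv4Address(src)) >> 16
    local = sum(1 for d in dsts if d >> 16 == src_net) / len(dsts)
    if sequential >= SEQUENTIAL_SHARE:
        return "sequential"      # next-address probing, as described for Blaster
    if local >= LOCAL_SHARE:
        return "localized"       # preference for the scanner's own network
    return "random"              # uniform draws over the address space


def classify_scanners(flows, threshold=FANOUT_THRESHOLD):
    """flows: (timestamp, src, dst, proto, dport) tuples in time order.

    Returns {(src, proto, dport): label} for every source whose fan-out on a
    single port reaches `threshold` distinct destinations.
    """
    order = defaultdict(list)    # first-contact order per (src, proto, dport)
    seen = defaultdict(set)
    for _ts, src, dst, proto, dport in flows:
        key = (src, proto, dport)
        addr = int(ipaddress.IPv4Address(dst))
        if addr not in seen[key]:
            seen[key].add(addr)
            order[key].append(addr)
    return {key: label_pattern(key[0], dsts)
            for key, dsts in order.items() if len(dsts) >= threshold}


def sample_flows():
    """Constructed flow records: three scanning hosts and one ordinary client."""
    rng = random.Random(7)
    flows = []

    def add(ts, src, dst_int, proto, dport):
        flows.append((ts, src, str(ipaddress.IPv4Address(dst_int)), proto, dport))

    for i in range(40):                                   # random pattern
        add(i, "10.1.1.5", rng.getrandbits(32), "udp", 1434)
    base = int(ipaddress.IPv4Address("10.2.0.10"))
    for i in range(40):                                   # sequential pattern
        add(i, "10.2.0.9", base + i, "tcp", 135)
    net = int(ipaddress.IPv4Address("10.3.0.0"))
    for i in range(40):                                   # mostly own /16
        dst = rng.getrandbits(32) if i % 4 == 3 else net | rng.getrandbits(16)
        add(i, "10.3.7.7", dst, "tcp", 80)
    for i, dst in enumerate(("192.0.2.10", "192.0.2.11", "198.51.100.7")):
        flows.append((i, "10.4.4.4", dst, "tcp", 80))     # ordinary client
    return flows


if __name__ == "__main__":
    for (src, proto, dport), label in sorted(classify_scanners(sample_flows()).items()):
        print(f"{src:10s} {proto}/{dport:<5d} {label}")
```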