
Survey on Computer Worms

K. Ishthaq Ahamed and B. Rajesh


Associate Professor, Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Kurnool-518002, Andhra Pradesh, Email: ishthaq@gmail.com.
Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Kurnool-518002, Andhra Pradesh, Email: rajesh059@yahoo.com

ABSTRACT Computer worms have drawn significant attention in the research community due to their enormously adverse impact on local networks and on the Internet. To understand the adverse impacts posed by computer worms, it is necessary to understand the classes of worms. This paper describes the definition of a computer worm, the history and timeline of computer worms, the classification of computer worms, the life cycle of a computer worm, and worm code analysis.

1. INTRODUCTION

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes, i.e., computers on the network, and it may do so without any user intervention. Viruses, by contrast, need to be attached to system files belonging to the operating system, and they require some sort of user action to abet their propagation. Viruses tend to propagate more slowly. They also face more mature defenses due to the presence of a large anti-virus industry that actively seeks to identify and control their spread. Unlike a virus, a computer worm does not need to attach itself to an existing program.

Computer worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a target computer. Computer worms are hated because they consume more bandwidth and because they might crash the computers they infect. Infected computers may also be used for other attacks such as DDoS, phishing attacks, etc. Computer worms are one form of malware, along with viruses and Trojans. A person typically installs worms by inadvertently opening an email attachment or message that contains executable scripts.

Once installed on a computer, worms spontaneously generate additional email messages containing copies of the worm. They may also open TCP ports to create network security holes for other applications, and they may attempt to "flood" the LAN with spurious Denial of Service (DoS) data transmissions.

2. DEFINITION OF COMPUTER WORM

Definition 1. Computer worms are malicious software applications designed to spread via computer networks.

Definition 2. A computer worm is an evil-intentioned program that can replicate and run itself.

3. HISTORY OF COMPUTER WORM

The first ever program that could be called a worm, as per the definition, was developed for the assistance of air traffic controllers by Bob Thomas in 1971. This worm program would notify air traffic controllers when the controls of a plane moved from one computer to another. This worm, named "Creeper", would travel from one computer screen to another on the network showing the message "I am Creeper! Catch me if you can!" The difference from most worms was that Creeper did not reproduce itself.

The first Internet infection that required no human intervention to propagate was the Morris Worm, discovered in 1988 and released by Robert Morris. It spread very quickly, infecting a number of vulnerable computers in a matter of hours. The Morris Worm infected various machines and used multiple exploits, including buffer overflows, debugging routines in mail components, password sniffing, and other streams of execution, to improve its ability to attack other computers. Although it was released by accident, the notion of a benign worm does not really apply to the Morris Worm, as it had a significant impact because of a bug in its code. When reinfecting a computer, there remained the possibility that the new infection would be persistent, allowing other worms to run and terribly impact system performance. However, this caused the worm to be noticed instantly and, therefore, quickly contained.

Modern Worms. Active computer worms have returned to prominence in recent times. The first one to cause an eruption was Code Red. This infection proved how quickly a simple self-replicating program could spread via the Internet's current infrastructure. Code Red exploited a buffer overflow condition in Microsoft IIS (Internet Information Server). It was able to propagate quickly because of the "always on" nature of IIS and many versions of the Windows operating system. Code Red was also equipped with scanning capabilities that improved its throughput and gave it the ability to elude numerous IP address security features.

3.1 Timeline of Computer Worms

Year: 1971
Worm Name: Creeper
Description: The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.

Year: 1974
Worm Name: Wabbit
Description: The Wabbit virus, more a fork bomb than a virus, is written. The Wabbit virus makes multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogs the system, reducing system performance, before finally reaching a threshold and crashing the computer.

Year: 1975
Worm Name: Animal
Description: Animal is written by John Walker for the UNIVAC 1108. Animal asked the user a number of questions in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structures, and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".

Year: 1988
Worm Name: Morris worm
Description: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

Year: 1999
Worm Name: Melissa
Description: First found on March 26, 1999, using holes in Microsoft Outlook, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm. Once executed, the original version of Melissa used a macro virus to spread to the first 50 addresses in the user's Outlook address book. However, if Internet access or Outlook were not available, it would copy itself to other Word documents and attempt to e-mail those documents, revealing potentially confidential information. Further, it would modify existing documents by inserting quotes from the Simpsons television show. (Henry, 2003)
Estimated damage: $1.1 billion.

Year: 2000
Worm Name: I LOVE YOU
Description: First found on May 3, 2000 in Asia, it spread quickly across the globe. Instead of sending a copy of the worm to the first 50 or 100 addresses in the host's Outlook address book like Melissa, I Love You used every single address in the host's address book. This worm also had a malicious side to it, as the worm overwrote important files with a copy of itself, making it virtually impossible to recover the original files. It also marked all mp3 files as hidden, and downloaded a Trojan horse that would steal user names and passwords and send them to the virus's author.
Estimated damage: $8.75 billion.

Year: 2001
Worm Name: Anna Kournikova Virus / worm
Description: First appearing in February 2001, it was produced by a "script kiddie" and is well known only for its social engineering attachment that appeared to be a graphic image of Russian tennis star Anna Kournikova. However, when the file was opened, a clandestine code extension enabled the worm to copy itself to the Windows directory and then send the file as an attachment to all addresses listed in the Microsoft Outlook e-mail address book. The "Anna Kournikova Virus" worm, although famous, was just a nuisance, as it did little to no damage.
Estimated damage: $166,827

Year: 2001
Worm Name: Code Red
Description: First found on July 13, 2001, this worm exploited a vulnerability in Microsoft's Internet Information Server (IIS) web servers to deface the host's website, and copy the command.com file and rename it root.exe in the Web server's publicly accessible scripts directory. This would provide complete command line control to anyone who knew the Web server had been compromised. It also waited 20-27 days after it was installed to launch denial of service attacks against the White House's IP address. Code Red spread at a speed that overwhelmed network administrators, as more than 359,000 servers became compromised in just over 14 hours. At its peak, more than 2,000 servers were being compromised every single minute. Estimates are that Code Red compromised more than 750,000 servers. (Henry, 2003)
Estimated damage: $2.6 billion

Year: 2001
Worm Name: Sircam
Description: First found on July 19, 2001, this mass-mailing e-mail worm not only exploited Microsoft's Outlook program, it also had the ability to spread through Windows network shares. The worm had two deadly payloads, but due to a program error they did not work.
Estimated damage: $1.03 billion

Year: 2001
Worm Name: NIMDA
Description: First appearing in September 2001, NIMDA, which is "admin" spelled backwards, was not as malicious in nature as previous worms, but its advanced features and its different means of propagation allowed it to spread faster than any preceding worm. These means included: from client to client via email, from client to client via open network shares, from web server to client via browsing of compromised web sites, from client to web server via active scanning for and exploitation of various Microsoft IIS vulnerabilities, and from client to web server via scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms. NIMDA was also the first worm that contained its own e-mail program, so it did not depend on the host's e-mail program to propagate.
Estimated damage: $645 million

Year: 2001
Worm Name: Klez
Description: First appearing on October 26, 2001, Klez and its variants were still considered a problem late in 2003, making Klez one of the most persistent viruses ever. Klez was a hybrid worm that took advantage of a flaw in Outlook that allowed it to be installed simply by viewing the e-mail in the preview panel. As a hybrid threat it could behave like a virus, a worm and at other times even like a Trojan horse. Klez also incorporated a technique we saw in the Christmas Exec worm, as it selected one e-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. In this manner, the e-mail often appeared to have been sent from someone the addressee actually knew.
Estimated damage: $18.9 billion

Year: 2003
Worm Name: SQL Slammer
Description: Appearing January 25, 2003, and taking advantage of two buffer overflow bugs in Microsoft's SQL Server database product, it spread rapidly, with a doubling time of 8.5 seconds in the early phases of the attack, allowing it to infect most of its victims within 10 minutes. SQL Slammer was the first example of a "Warhol worm." A Warhol worm was first hypothesized in 2002 in a paper by Nicholas Weaver, and it is an extremely rapidly propagating computer worm that spreads as fast as physically possible, infecting all vulnerable machines on the entire Internet in 15 minutes or less. The term is based on Andy Warhol's remark that "In the future, everybody will have 15 minutes of fame." (Computer Worm, 2005)
Estimated damage: $1.2 billion.

Year: 2003
Worm Name: Sobig
Description: Originally put together in January 2003 to spread a proxy server Trojan, its variant Sobig.F set a record in sheer volume of e-mails. Sobig, like Nimda, used a built-in SMTP engine, so it did not depend on the host's e-mail program to propagate. Then, emulating Klez, it selected one e-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. It also attempted to create a copy of itself on network shares, but failed due to bugs in the code.
Estimated damage: $36.1 billion

Year: 2003
Worm Name: Blaster
Description: Appearing August 11, 2003, Blaster exploited a Microsoft DCOM RPC vulnerability to infect systems running Windows 2000 and Windows XP, and cause instability on systems running Windows NT and Windows Server 2003. Filtering of virus activity by Internet service providers (ISPs) worldwide greatly reduced the spread of Blaster.
Estimated damage: $1.3 billion

Year: 2004
Worm Name: Mydoom
Description: Appearing January 26, 2004 and primarily transmitted via e-mail disguised as a transmission error, Mydoom spread so rapidly that it became the fastest spreading email worm ever. It slowed overall Internet performance by about 10%, and average web page load times by about 50%.
Estimated damage: $38.5 billion

Year: 2004
Worm Name: Witty
Description: Appearing March 19, 2004, the Witty worm was the fastest developed worm to date, as there were only 36 hours between the release of the advisory and the release of the virus. Witty infected the entire exposed population of twelve thousand machines in 45 minutes, and it was the first widespread worm that destroyed the hosts it infected (by randomly erasing a section of the hard drive) without significantly slowing the worm's expansion.
Estimated damage: $11 million

Year: 2004
Worm Name: Sasser
Description: Appearing on April 30, 2004 and spreading by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service), it hit the Internet a little more than two weeks after Microsoft warned users of this flaw. Although it caused infected Windows XP and Windows 2000 computers to repeatedly reboot, Sasser did little damage, as it was merely designed to spread and carried no payload.
Estimated damage: $14.8 billion

Year: 2005
Worm Name: Zotob
Description: Zotob is a computer worm which exploits security vulnerabilities in Microsoft operating systems like Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds or TCP port 445. "The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC, CNN, The Associated Press, The New York Times, and Caterpillar Inc."
Estimated damage: $97,000

Year: 2006
Worm Name: Nyxem
Description: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.

Year: 2007
Worm Name: Storm
Description: The Storm Worm is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:
Troj/Dorf and Mal/Dorf (Sophos)
Trojan.DL.Tibs.Gen!Pac13
Trojan.Downloader-647
Trojan.Peacomm (Symantec)

Year: 2008
Worm Name: Koobface
Description: Koobface is a computer worm that targets users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. Koobface is designed to infect Microsoft Windows and Mac OS X, but also works on Linux in a limited fashion. Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data. It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as to hijack search queries to display advertisements. It was first detected in December 2008 and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration of the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.

Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes having comments like LOL or YOUTUBE. If the link is opened, the Trojan virus will infect the computer and the PC will become a Zombie or Host Computer. Among the components downloaded by Koobface are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC.

Year: 2009
Worm Name: Daprosy Worm
Description: Daprosy Worm is a malicious computer program that spreads via LAN connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file, from which several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files in infected folders. The worm belongs to the "slow" mass mailer category, where copies of it are attached and sent to addresses intercepted from the keyboard. The e-mail consists of a promotion of, and installation instructions for, an imaginary antivirus product purported to remove unknown infections from the computer. While infection cannot occur until the attached worm is renamed and opened, it could spread to system folders in a matter of seconds! Also, it is known to shut down or hang Windows Vista and Windows 7 when its attempt to write to the system drive is denied. Also, the worm hides folders and makes them "super hidden" so that the data contained in them cannot be easily accessed.

Symantec discovered the Daprosy Worm. Said trojan worm is intended to steal online-game passwords in internet cafes. It could, in fact, intercept all keystrokes and send them to its author. It is a particularly dangerous worm when it infects B2B (business-to-business) systems. The Daprosy worm is rampant in public internet cafés with LAN connections and exposed USB mass storage drives.

4. LIFE OF COMPUTER WORM

Once the worm enters any one of the host computers, its life includes the following phases:
1) Scanning for a victim
2) Exploiting the victim
3) Payload
4) Cloning itself onto the victim
5) Stealth techniques used to hide itself

The above figure indicates the spreading of a worm. Once the worm is created, the intruder sends it into the network. Once the worm is released into the network, it first searches for a vulnerable host, i.e., a victim. If a victim is found, it exploits the victim host and then clones itself onto the victim. This process continues to spread the worm to the entire network without any human intervention.

4.1 Scanning for a victim. Scanning for a victim means target discovery. It represents the mechanism by which a worm discovers a new target to infect. Scanning requires searching a set of addresses to identify vulnerable hosts. Two simple forms of scanning are sequential scanning and random scanning. Other forms of scanning include full scan, subnet scan, and divide and conquer scan. Scanning worms spread comparatively slowly compared with a number of other spreading techniques, but when coupled with automatic activation, they can still spread very quickly in absolute terms.

4.2 Exploiting the victim. Exploiting the victim means gaining access to the victim computer. A small piece of code provides access to a victim computer by utilizing some flaws in the logic of a program running on the victim computer. Gaining access means the ability to run commands/programs on the host computer.

4.3 Payload. During this phase the worm can create backdoors in the host machine, alter or destroy files, transmit passwords, or leave copies of itself. Worms use operating system facilities that are often automatic and invisible to the users. Often, worm activity remains invisible until the worm's uncontrolled replication consumes system resources. Worm attacks include slowing or halting the system and denial of service by flooding the network with useless packets. Worms can also send sensitive information to cause confusion, collect sensitive data, or damage data in the host machine.

4.4 Cloning itself on to the victim. Once the victim has been exploited, the worm needs to get a copy of itself onto the victim. Once the copies of itself are created, they will be spread to another targeted host computer. This process continues in each host until all the host computers in the network are attacked by the worm.

4.5 Stealth techniques used to hide itself. Worms use some stealth techniques to hide themselves on the host machine whenever any antivirus programs are running on that machine. Worms can also hide the process running on the machine. Worms can also hide the user files and delete the logs.

5. CLASSIFICATION OF COMPUTER WORMS

5.1 Classification based on behavior

Stealth worms. These worms do not spread in a rapid fashion but instead spread in a stealthy manner. They are very difficult to detect.

Polymorph worms. To make signature-based detection more complicated, these worms can change themselves during propagation.

File worms. These worms are modified versions of viruses, but unlike viruses these worms do not connect their presence with any executable files. They simply copy their code to some other disk or directory, hoping that these new copies will someday be executed by the user.

Multi-vector worms. This type of worm uses different types of propagation methods in order to make more hosts vulnerable to attack and to propagate effectively behind firewalls.

Email worms. These worms email themselves to other email addresses and make the user execute email attachments with malicious code, or use bugs in the email programs to get attachments executed automatically.

5.2 Classification based on scanning

Random scanning. A random scanning worm generates random IP addresses using a pseudorandom number generator. Thus every host on the network is equally likely to be scanned. CodeRed v2 and SQL Slammer are random scanning worms.

Localized scanning. Localized scanning is a simple technique used by computer worms to search for vulnerable hosts. Localized scanning trades off between the local and the global search for vulnerable hosts, and has been used by the Code Red II and Nimda worms.

Sequential scanning. Sequential scanning worms scan IP addresses sequentially. After the worm compromises a vulnerable host, it checks the host next to this vulnerable host. The Blaster worm employed sequential scanning.

Topological scanning. Topological scanning worms rely on the local information contained in the compromised hosts to locate new targets. Local information includes the /etc/hosts file, email addresses, etc. Topological scanning was used by the Morris worm.

Hitlist scanning. The worm writer gathers a list of potentially vulnerable hosts beforehand, which are targeted first when the worm is released. This speeds up the spread of the worm at an initial stage. Hitlist scanning was used by the Slammer worm.
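
As an added illustration of the scanning classes in Section 5.2 (this is not code from the paper or from any worm), the following Python example shows how a defender can recognise sequential, localized and random scanning from connection logs. The flow records, the /16 locality boundary, the function names and all thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for this example (tune for a real network).
MIN_TARGETS = 25      # distinct destinations before a source is considered
MIN_FAIL_RATIO = 0.8  # scanners mostly hit addresses with no listening service
SEQ_FRACTION = 0.8    # share of probes that hit the numerically next address
LOCAL_FRACTION = 0.5  # share of probes inside the source's own /16


def classify_pattern(src, dsts):
    """Label an ordered list of probed addresses with a Section 5.2 scanning class."""
    ints = [int(ipaddress.ip_address(d)) for d in dsts]
    next_hits = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    seq = next_hits / max(len(ints) - 1, 1)
    own_net = ipaddress.ip_network(f"{src}/16", strict=False)
    local = sum(ipaddress.ip_address(d) in own_net for d in dsts) / len(dsts)
    if seq >= SEQ_FRACTION:
        return "sequential"
    if local >= LOCAL_FRACTION:
        return "localized"
    return "random"


def find_scanners(flows):
    """flows: iterable of (src, dst, dst_port, connected). Returns {src: report}."""
    targets = defaultdict(list)   # src -> destinations in first-seen order
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for src, dst, _port, connected in flows:
        if dst not in targets[src]:
            targets[src].append(dst)
        attempts[src] += 1
        failures[src] += 0 if connected else 1
    report = {}
    for src, dsts in targets.items():
        fail_ratio = failures[src] / attempts[src]
        if len(dsts) >= MIN_TARGETS and fail_ratio >= MIN_FAIL_RATIO:
            report[src] = {"targets": len(dsts),
                           "fail_ratio": round(fail_ratio, 2),
                           "pattern": classify_pattern(src, dsts)}
    return report


def sample_flows():
    """Constructed flow records for four internal hosts (not real traffic)."""
    flows = []
    for i in range(20, 60):   # walks one subnet in address order
        flows.append(("10.1.1.5", f"172.16.4.{i}", 135, i % 10 == 0))
    for i in range(30):       # mostly probes its own 10.1.0.0/16 ...
        flows.append(("10.1.2.9", f"10.1.{7 * i}.{(13 * i) % 250 + 1}", 80, False))
    for i in range(10):       # ... with occasional far-away probes
        flows.append(("10.1.2.9", f"{37 * i % 200 + 20}.{11 * i}.{5 * i}.{i + 1}", 80, False))
    for i in range(40):       # probes spread over the whole address space
        dst = f"{37 * i % 200 + 20}.{91 * i % 256}.{53 * i % 256}.{17 * i % 254 + 1}"
        flows.append(("10.1.3.7", dst, 1434, i % 20 == 0))
    for i in range(5):        # ordinary client: few peers, every connection succeeds
        flows.append(("10.1.4.2", f"192.0.2.{i + 10}", 443, True))
    return flows


if __name__ == "__main__":
    for src, info in sorted(find_scanners(sample_flows()).items()):
        print(src, info)
```

Topological and hitlist scanning do not show up in this address-pattern test, because their targets come from host data or a prepared list rather than from an address-generation rule; the high fan-out and failure-ratio check still applies to them only when many listed targets are unreachable.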

6. CODE ANALYSES OF COMPUTER WORMS

6.1 Code analysis for computer worm Code Red. Code Red is an Internet worm that replicates between Windows servers running Microsoft's IIS (Internet Information Services) and Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. Code Red can infect more than 2,000 new hosts each minute.

1. Selection of Target. The worm sends its code as an HTTP request. This request exploits a buffer-overflow vulnerability in the Indexing Services used by Microsoft IIS.

2. Infecting the target Machine. The worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service of the Microsoft IIS web server software.

Figure: Flow Chart of the Code Red Worm

3. Payload. The worm attempts to connect to an IP address associated with the popular site 'www.whitehouse.gov', and tries to flood it with connection attempts. The worm creates copies of itself in memory in order to attack even more IIS servers. Overall, the payload of the worm degrades the performance of the host machine and causes system instability, as it spawns multiple threads and uses bandwidth.

4. Network Propagation. The worm uses a random number generator to generate the addresses of servers for further attack. The worm created hundreds of threads of itself on the infected system. The worm spreads to other servers by using the static seed mechanism to generate a series of IP addresses. The next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to re-infect the source computer, the worm does not make HTTP requests to its own IP address.

6.2 Code analysis for computer worm Slammer. Slammer is the fastest computer worm in history, and was released on January 25th, 2003. It doubled in size every 8.5 seconds. It infected 75,000 hosts, which was more than 90% of vulnerable hosts, within 10 minutes.

Figure: Flow chart of the Slammer

1. Select Target. The worm exploits a vulnerability centered in the Microsoft SQL Server Resolution Service running on UDP port 1434 of SQL Server 2000 systems and systems with the Microsoft Desktop Engine 2000 (MSDE) installed.

2. Infect target machines. The worm sends multiple copies of its 376-byte code packet to randomly generated IP addresses. It does not write itself to the disk. It exists only as network packets and in running processes on the infected computers.

3. Payload. The worm payload does not contain any additional malicious content in the form of backdoors, etc. The speed at which it attempts to re-infect systems, creating a denial-of-service attack against infected networks, is astonishing.

4. Network Propagation. When the SQL server receives the malicious request, the overrun in the server's buffer allows the worm code to be executed. After the worm has entered the vulnerable system, it first gets the addresses of certain system functions and then starts an infinite loop to scan for other vulnerable hosts on the Internet. Slammer performs a simple pseudo-random number generation formula using the returned gettickcount() value to generate an IP address that is used as the target, thereby spreading further into the network and infecting vulnerable machines. Multiple instances of the worm can infect a host because the worm does not check for previous infections of the target system.

7. CONCLUSION

In this paper, we studied how computer worms came into the world, how they evolved, how much damage they have caused to networks, and their life cycle, classification and code analysis. Summarizing this work, it is clear that they are very dangerous. We can also understand that computer worms have caused massive damage to the computer world.
