|| Author: sk0r, Czybik/EOF ||
|| General things about malware, focusing on Worms and Viruses ||

|1: General things about malware          |+
|2: The structure of worms                |+
|3: Different types of worms              |+
|4: Famous worms                          |+
|5: Current trends                        |+

|Author: sk0r/Czybik                                  |+
|Translated by: SkyOut                                |+

|www.sk0r-czybik.de.vu                                |+
|www.eof-project.net                                  |+

Date: 10th April 2006

|1: General things about malware|

There are several types of malware; the most important are:

|# Worms                       |
|# Viruses                     |
|# Trojan horses               |
|# Hoaxes                      |
|# Bad-Jokes                   |
|# Creation-Kits               |


Worms:

Worms are in most cases destructive programs that have the ability to spread
automatically. This can be done in several ways; the most common are spreading
via Email, Peer-to-Peer networks and Internet Relay Chat. Of course there are
other ways to spread, for example worms copying themselves to a network share,
or spreading through a vulnerability using exploit code; a well known example
is the Sasser worm. Normally they contain a payload with destructive


Viruses:

Viruses do not have the ability to spread automatically, and consequently they do
not spread much. If they spread or get executed, they use a host program to connect themselves

Trojan horses:

Trojan horses don't spread automatically. They pose as a useful program to trick
the user, but once executed they activate some sort of backdoor, which makes it
possible for others to access the affected system and control it. Often they are
called RATs, which stands for Remote Administration Tools.


Hoaxes:

Hoaxes are not malware in the normal sense; they are warnings about viruses that
do not really exist. Mostly they spread via Email, and their only purpose is to
generate spam and circulate the message about the fake virus.


Bad-Jokes:

Bad-Jokes are programs that simulate destructive operations on the user's system,
for example faking the formatting of the local drive. Those programs don't harm the
system but are meant to scare the user; it is a "bad joke". In most cases the user
will see a message saying that he was tricked before the program quits.


Creation-Kits:

Creation-Kits are tools to create worms, viruses and trojan horses. You only need
a few clicks to get functional malware. Some famous worms were made with such tools,
for example Melissa or the Anna-Kurnikowa worm.

|2: The structure of worms|

Worms are based on a simple structure; you can say they consist of three parts:

1) Routines: the routines the worm contains, which get executed
2) Spreading: the functions that make the worm spread automatically
3) Payload: the (destructive) code that is executed when some special event occurs

|3: Different types of worms|

Worms can be categorized into several groups; let's look at some of them:

Net-Worms:   Those worms often use security holes, network shares or other
             ways to spread
P2P-Worms:   They spread via Peer-to-Peer networks
IRC-Worms:   They spread via IRC clients, for example mIRC, Pirch etc.
Email-Worms: Those worms spread via Email; in most cases they use Outlook
IM-Worms:    They spread via Instant Messengers like ICQ, MSN or AIM

As you can see, there are several ways to spread. Of course there are many more,
but they are mostly categorized as Net-Worms or I-Worms (Internet Worms).

|4: Famous worms|

There have been several worms and viruses in the past which became famous through
their functionality, their payload or the security hole they exploited. In the
following I will list some well known worms and the current top 10:

This one became famous by infecting web servers via a buffer overflow vulnerability,
gaining administrator rights on the system and trying to start a DoS attack against
the website of the White House.

This Visual Basic Script earned much fame because it spread via Email and made the
user believe it contained a love letter addressed to him or her. Many people really
believed they had received a love letter, and so many computers were infected. This
worm also spread via IRC, a chat system used by many worms.

It infected 75000 SQL servers in January 2003, which paralyzed the internet for a
short moment. It used an exploit and was not detected by the AV programs. The
consequences were: emergency telephone numbers of the police in Seattle did not work
anymore, about 14000 post offices in Italy did not open, and online stock exchange
trading suffered from it. In Korea KT Corp was temporarily not reachable. The index
there decreased by about 3% and China blocked all external network traffic.

This worm used a vulnerability in Windows to infect PCs over randomly generated
IP addresses.

In 2003 this worm spread ten times faster than any one before.

A worm by Sven J. (Sasser) and the SkyNet Malware Group.

This worm used a vulnerability in the LSASS Windows service. It spread via Email
all over the world and resulted in damages of millions of dollars. Airplanes and
trains were stopped and hospitals had to stop working, just to mention some of the
things that happened. It seemed to be a successor of the NetSky worm.

|Current top 10 are:                 |
|-------------------                 |
|1) Win32/MyTob                      |
|2) Win32/NetSky                     |
|3) Worm.Zafi                        |
|4) Win32/Bagle                      |
|5) Worm/Lovegate                    |
|6) Win32/Nyxem                      |
|7) Worm.Mydoom                      | 
|8) TR.Spy/HTML.bankfraud            |
|9) Win32.Feebs.gen                  |
|10) Win32/Parite                    |

|5: Current trends|

In the past there have been many worms that became very famous, but their structure
was very simple (e.g. VBS/LoveLetter). Since 2006 more and more trojan horses are
used to spy on user data. Since 2005 more trojan horses have been recognized than
worms. Virus activity is decreasing and has almost disappeared. Important to know:
in the past worms were used to build zombie networks out of the infected machines,
and those networks were used to start DDoS attacks against companies in order to
extort money, or were hired out for money to send spam, to name one example. This
has changed a bit; nowadays more and more the users themselves are the targets,
which is called "Ransomware". The idea behind this is easy: if the user does not
pay, he will lose his data! The first known trojan horse doing this was
Win32.Krotten. It modified the Registry and made the computer almost inoperable.
Around the middle of 2005 new trojan horses followed; nowadays there are several
ones, like:

|# Trojan.Win32/Krotten              |
|# Virus.Win32/GPCode                |
|# Worm/Skowor.B                     |
|# Trojan.Win32/Cryzip.A             |
|# P2P-Worm.Win32/Ransom.A           |


END ! :D

Resources: My own knowledge, AntiVirusLba.com and Kaspersky