Common, famous, and infamous worms

While it has become impossible to catalogue every worm outside of a major computer security company or university, some of the more common and oft-reported worms of recent years are listed below:

Mydoom worm

Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on 26 January 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm.

Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. The worm contains the text message “andy; I’m just doing my job, nothing personal, sorry,” leading many to believe that the worm’s creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown.

Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25% of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Trade press conjecture, spurred on by SCO Group’s own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group’s controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.[4]

Initial analysis of Mydoom suggested that it was a variant of the Mimail worm—hence the alternate name Mimail.R—prompting speculation that the same persons were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.

Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text “mydom” within a line of the program’s code. He noted: “It was evident early on that this would be very big. I thought having ‘doom’ in the name would be appropriate.”

Morris worm

The Morris worm or Internet worm of November 2, 1988 was one of the first computer worms distributed via the Internet. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT.

According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. However, the worm was released from MIT to disguise the fact that the worm originally came from Cornell. (Incidentally, Morris is now a professor at MIT.) Additionally, the Morris worm worked by exploiting known vulnerabilities in Unix sendmail, Finger, and rsh/rexec, as well as weak passwords.

A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. The main body of the worm could only infect DEC VAX machines running 4BSD, and Sun-3 systems. A portable C “grappling hook” component of the worm was used to pull over the main body, and the grappling hook could run on other systems, loading them down and making them peripheral victims.

It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm. The U.S. GAO put the cost of the damage at $10M–100M.[4]

The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies. Gene Spafford also created the Phage mailing list to coordinate a response to the emergency.

Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeals he was sentenced to three years’ probation, 400 hours of community service, and a fine of $10,000.

The Morris worm has sometimes been referred to as the “Great Worm”, because of the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name was derived from the “Great Worms” of Tolkien: Scatha and Glaurung.

ExploreZip

ExploreZip, also known as I-Worm.ZippedFiles, is a destructive computer worm which attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999.

It is distributed in the form of an e-mail message with the words:

Hi!

I have received your email and I shall send you a reply ASAP. Till then take a look at the attached zipped docs.

Bye!

The message includes an attachment with the name ZIPPED_FILES.EXE. If opened, a dialog box appears in Windows resembling the one normally appearing when opening a corrupted Zip archive, while the worm copies itself onto the machine’s hard drive. It also modifies the WIN.INI file (Windows 9x) or the Windows Registry (Windows NT) so that it re-executes on reboot.

The worm looks for a copy of Microsoft Outlook and mails itself to everyone in the user’s address book. It also destroys Microsoft Office documents and C and C++ source files on the user’s hard drive by overwriting them with zero-byte files.

Many other worms went on to follow the pattern established by ExploreZip: hijacking e-mail clients and sending copies of themselves as attachments to everyone in the victim’s contact list.

DoomJuice

Doomjuice is a variant of the Mydoom computer worm, itself found in two variants known as Doomjuice.A and Doomjuice.B. It infects Microsoft Windows by using the ports left open by the Mydoom.A and Mydoom.B worms. This worm also launches a Denial of Service (DoS) attack on the Microsoft Web site.

The Doomjuice variants are currently spreading to computers that were already infected with Mydoom.A. Users who have successfully removed Mydoom.A from their computers are not at risk for infection by Doomjuice.

Blaster Worm

The Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread during August 2003 on computers running the Microsoft operating systems Windows XP and Windows 2000.

The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Filtering by ISPs and widespread publicity about the worm curbed the spread of Blaster.

On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota, was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January 2005.

Nachia worms

The Nachia worm (also known as Welchia) is a computer worm that exploits a vulnerability in the Microsoft Remote Procedure Call (RPC) service, similar to the Blaster worm. However, unlike Blaster, it tries to help the user by downloading and installing security patches from Microsoft, so it is a helpful worm.

Although it intends no harm, it can increase network traffic, reboot the infected computer and, more importantly, it operates without consent and does not log anything. It has had several different variants and child worms. It was discovered on August 18, 2003.

This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code: a buffer overflow in the RPC service on port 135, followed by a remote shell on a TCP port in the range 666-765, and a download via TFTPD.EXE. Its method of infection is to create a remote shell and instruct the system to download the worm using TFTPD.EXE. TFTPD is present only on certain operating systems, and without it the connection fails at this stage. Specifically, the Welchia worm targeted machines running Windows XP.

Once in the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches. It then would attempt to remove the Blaster worm (“W32/Lovsan.worm.a”) by deleting MSBLAST.EXE. If still present, the worm was programmed to remove itself on January 1, 2004, or after 120 days of running, whichever came first.

While this worm did no apparent damage to individual systems — indeed, it actually helped to secure certain systems — it did create vast amounts of traffic by its transmission method, thereby slowing down the Internet and the Microsoft website. The worm also made some systems unstable by its workings, and, once the patches had been installed, it rebooted the system. Because of these effects, the worm was perceived as a threat, and a removal tool was released by all major anti-virus companies.
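The infection sequence described above (RPC contact on port 135, then a remote shell on a port in 666-765) is something a defender can look for in connection logs. The following is an added example, not code from the original article; the flow-log format and the sample lines are constructed, and the 120-second correlation window is an assumption.

```python
"""Flag the Nachia/Welchia infection sequence in a connection log.

Added example, not from the original article. The flow-log format
("<epoch> <src> <dst> <proto> <dport>") and the sample lines are
constructed. It looks for the sequence the text describes: a TCP/135
(RPC) connection followed, from the same source to the same target,
by a TCP connection to a port in 666-765 (the remote shell).
"""
from collections import defaultdict

RPC_PORT = 135
SHELL_PORTS = range(666, 766)   # 666-765 inclusive
WINDOW_SECONDS = 120            # assumed correlation window

# Constructed sample log: 10.0.0.5 completes the sequence against 10.0.0.20,
# then keeps probing port 135; 10.0.0.9's shell-port contact is too late.
SAMPLE_LOG = """\
1060920000 10.0.0.5 10.0.0.20 tcp 135
1060920003 10.0.0.5 10.0.0.20 tcp 707
1060920010 10.0.0.5 10.0.0.21 tcp 135
1060920011 10.0.0.5 10.0.0.22 tcp 135
1060920300 10.0.0.9 10.0.0.30 tcp 135
1060920600 10.0.0.9 10.0.0.30 tcp 700
1060920700 10.0.0.7 10.0.0.40 tcp 80
"""

def parse_flows(text):
    """Parse log lines into (ts, src, dst, proto, dport) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return sorted(flows)

def find_infection_sequences(flows, window=WINDOW_SECONDS):
    """Return (src, dst) pairs where RPC contact precedes a shell-port contact."""
    rpc_seen = defaultdict(list)   # (src, dst) -> timestamps of tcp/135 contacts
    hits = []
    for ts, src, dst, proto, dport in flows:
        if proto != "tcp":
            continue
        key = (src, dst)
        if dport == RPC_PORT:
            rpc_seen[key].append(ts)
        elif dport in SHELL_PORTS and any(0 <= ts - t <= window for t in rpc_seen[key]):
            hits.append(key)   # src is a suspected propagator, dst likely compromised
    return hits

if __name__ == "__main__":
    print(find_infection_sequences(parse_flows(SAMPLE_LOG)))  # [('10.0.0.5', '10.0.0.20')]
```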

XSS worms

XSS worms exploit a cross-site scripting (XSS) vulnerability within a website, normally infecting users who visit the site, although the exact infection route varies with the vulnerability.

Cross-site scripting vulnerabilities are commonly exploited in the form of worms on popular social or commercial websites, such as MySpace, Yahoo!, Orkut, Justin.tv, Facebook and Twitter. These worms can be used for malicious intent, giving an attacker the basis to steal personal information, cookies, and other relevant data regarding the website or the infected visitor.

In the case of the Samy worm, the largest known XSS worm, which infected over 1 million MySpace profiles in less than 20 hours, the worm’s author was sued and entered a plea agreement to a felony charge.[3]

General application of the XSS worm concept includes the infection of profiles, chat systems, and more. Since XSS vulnerabilities differ from site to site, most worms are different and coded specifically for the vulnerability.

XSS worms spread very quickly because propagation is carried out by each client’s browser, while coordination of most XSS worms is done by the vulnerable server itself, which stores the payload.
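Because the vulnerable server stores the payload and every visiting browser executes it, the loop is broken on the server side: escape untrusted profile text on output so stored markup renders as inert text, and audit stored profiles for script-like content. The following is an added example, not code from the original article; the profile strings are constructed samples, and the audit patterns are an assumption, not a complete filter.

```python
"""Stored-XSS defence for user profile content.

Added example, not from the original article. It shows the two places a
site can break an XSS worm's loop: escaping untrusted profile text on
output, so a stored payload renders as inert text, and auditing stored
profiles for active content. The profile strings are constructed samples.
"""
import html
import re

# Patterns that indicate active content in what should be plain profile text
# (an assumed, deliberately simple audit list, not an exhaustive filter).
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|\bon\w+\s*=|javascript\s*:|<\s*iframe\b",
    re.IGNORECASE,
)

def render_profile(about_me: str) -> str:
    """Return HTML for an 'about me' field with the untrusted text escaped."""
    # html.escape with quote=True also neutralises " and ', so the text is
    # safe inside attribute values as well as element bodies.
    safe = html.escape(about_me, quote=True)
    return f'<div class="about">{safe}</div>'

def has_active_content(about_me: str) -> bool:
    """Audit check: does a stored profile contain script-like markup?"""
    return ACTIVE_CONTENT.search(about_me) is not None

def audit_profiles(profiles: dict) -> list:
    """Return ids of profiles whose stored text looks like a worm payload."""
    return sorted(pid for pid, text in profiles.items() if has_active_content(text))

# Constructed sample profiles: one benign, one carrying stored script markup.
SAMPLE_PROFILES = {
    1: "Hi, I like <b>music</b> and hiking.",
    2: 'Hello! <script>notify()</script> <div onmouseover="notify()">hi</div>',
}

if __name__ == "__main__":
    print(render_profile(SAMPLE_PROFILES[2]))  # all tags rendered as &lt;...&gt;
    print(audit_profiles(SAMPLE_PROFILES))      # [2]
```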