Computer worm definition
A computer worm is a type of malware that can automatically propagate or self-replicate without human interaction, enabling its spread to other computers across a network. A worm often uses the victim organization’s internet or a local area network (LAN) connection to spread itself.
Worm vs. virus vs. Trojan horse
Cybercriminals have many cyberattack methods at their disposal, and it can be easy to get them confused. One common misconception is that computer worms are the same thing as viruses or Trojan horses, but there are differences in the ways the attacks propagate themselves (or don’t).
- Worms spread from computer to computer and can move and operate independently. A worm’s ability to send out hundreds or thousands of copies of itself is one of its biggest dangers.
- Viruses are almost always attached to an executable file and remain dormant until the victim activates the attack, either by opening an infected application, downloading a corrupt file, or clicking a link. Viruses cannot spread without human action.
- Trojan horses are a type of malware that disguise themselves as legitimate code. Attackers can export files, modify data, and delete files on your device. Generally, Trojan horses do not attempt to inject themselves into other files or otherwise propagate themselves.
Learn More
Read our article describing 12 types of malware to learn how each type operates and prepare for when an attack comes.
How does a computer worm work?
Worms target vulnerabilities in operating systems to install themselves into networks. They may gain access in several ways: through backdoors built into software, through unintentional software vulnerabilities, or through flash drives. Once in place, cybercriminals can use worms to perform a range of malicious actions, such as:
- Launching distributed denial of service (DDoS) attacks
- Conducting ransomware attacks
- Stealing sensitive data
- Dropping other malware
- Consuming bandwidth
- Deleting files
- Overloading networks
Expert Tip
Most common ways a worm spreads
Some of the most common ways computer worms spread include:- Email: Email attachments remain popular hiding spots for worms.
- Networks: Worms can self-propagate across connected networks.
- System vulnerabilities: Some worms are specifically coded to take advantage of operating system and software vulnerabilities.
- File sharing: Peer-to-peer (P2P) file networks can carry malware like worms.
- Instant messaging (IM): Worms can spread through instant messaging platforms such as Internet Relay Chat (IRC).
Why are worms dangerous?
A computer worm is harmful because it may perform a broad range of attacks, including crashing systems through self-replication, downloading malicious applications, and providing hackers with backdoor access to equipment.
Worms can also be hard to remediate. Because they spread automatically and quickly, it can take a lot of time and effort to eradicate a worm outbreak from the environment and fully recover. When a worm spreads inside a data storage environment, for example, it can take months to completely clean it up. Even when a worm doesn’t have a malicious payload that does damage, it poses a serious nuisance for IT managers who have to dedicate valuable resources to navigate the incident response process.
Types of computer worms
There are several types of malicious computer worms, including:
| Type | Description |
|---|---|
| Email Worms | As the name suggests, an email worm spreads via email. Also known as a mass-mailer worm, an email worm distributes a copy of itself as an email attachment or as a link to an infected file on a compromised or hacker-owned website. |
| File-Sharing Worms | File-sharing worms embed and disguise themselves as innocent media files. When an unsuspecting user downloads the file, the worm infects their device. Once the worm has compromised the device, it can capture confidential information that the adversary can use to their advantage or sell to other attackers. |
| IM Worms | IM worms masquerade as attachments and links on social media platforms, and they frequently include content that baits the victim to click on the URL. Once it’s executed, the IM worm can spread through an instant messaging network. |
| Cryptoworms | A cryptoworm is a worm attack that encrypts data on the victim's system and then demands a ransom payment to regain access to the data. |
| IRC Worms | An IRC worm is a malicious program designed to exploit IRC channels to infect chat rooms and message forums by sending infected messages. |
| P2P Worms | P2P worms use the mechanisms of P2P networks to distribute copies to unsuspecting P2P users. |
Examples of computer worms
Computer worms have a long history that spans more than five decades. The first computer worm, named Creeper, was created in 1971. Even though Creeper wasn’t actively malicious, it helped lay the foundation for many significant computer worm attacks we’ve seen since. Examples of some computer worms that have caused considerable harm in the past include the following:
Morris
In 1988, MIT graduate student Robert Morris distributed the Morris worm, which increased the load on over 6,000 UNIX machines across the country, causing them to crash. Although Morris’ intentions were not malicious, the worm caused between $100,000 and $10 million in damage. It also resulted in the first felony conviction in the U.S. under the 1986 Computer Fraud and Abuse Act.
SQL Slammer
SQL Slammer is a 2003 computer worm that caused a denial of service on some internet hosts, delayed general internet traffic, and crashed routers all around the world. It spread quickly, infecting the vast majority of its 75,000 victims within 10 minutes.
Mydoom
Mydoom is a computer worm that targets Windows computers and is regarded as one of the most rapidly spreading worms in history, infecting millions of machines since its release in 2004. Mydoom caused an estimated damage of $38 billion in 2004, and the worm is still around today, accounting for 1% of all malicious emails.
Storm Worm
Debuting in 2007, the Storm Worm attacked millions of computers using an email about a recent weather disaster in Europe, baiting recipients with a doomsday subject line: "230 dead as storm batters Europe.”
Duqu
Duqu is a sophisticated computer worm that was first discovered in 2011. It is thought to have been produced by the same people that generated the Stuxnet worm, which caused Iranian nuclear turbines to fail in 2010. Duqu has a valid but abused digital signature and collects information that could be useful in attacking industrial control systems.
ILOVEYOU
Sometimes referred to as Love Bug, the ILOVEYOU worm spread through emails in 2000 posing as a love letter attachment. It infected more than 50 million PCs within ten days and wracked up an estimated $15 billion in expenses to remove the worm.
2024 CrowdStrike Global Threat Report
The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.
Download NowSigns of a worm infection
Endpoint protection solutions are essential for safeguarding against computer worms. One way to make sure the security control is doing its job in stopping worms (and other attacks) is to open the dashboard and view the latest endpoint protection report.
On the other hand, if an endpoint protection solution failed to detect and block a computer worm, there are some telltale signs to look out for:
- Slow system performance stemming from high CPU resource usage
- Hidden or missing files and folders
- Emails sent to your contacts without your awareness
- Computer programs crashing without warning
- Mysterious files or programs that you didn’t install on the computer
- Programs running or websites launching automatically
- Unusual browser performance or program behavior
How to remove worms
Your organization needs to have a plan in place detailing how to respond if there’s a worm attack, especially because worms can spread so rapidly. Response planning is important because it will help your organization react quickly when there’s a worm or other security incident to effectively minimize the impact and improve the recovery time.
For your recovery, you should:
- Effectively contain the attack to stop it from moving into other systems or doing further damage
- Assess the scope of the attack by identifying all the systems where the worm has successfully installed itself
- Eliminate any traces of the worm from the environment (this may entail remediating malware from all compromised hosts, closing or changing the passwords for compromised user accounts, and restoring systems from uncompromised backups)
Prevention best practices
Given the dangers of worms, it’s critical to take preventative steps to keep them at bay. Organizations should consider taking the following measures:
- Use endpoint protection software:
By using a modern endpoint protection solution — ideally endpoint detection and response (EDR) — you can ensure that worms and other cyberattacks are discovered and eradicated from your host computers before they can do damage.
- Implement employee awareness training: Employees must be trained to be on the alert for signs of a computer worm threat to reduce the risk of accidentally spread this malware by clicking on problematic links or downloading attachments.
- Use DNS filtering: Web security mechanisms allow you to filter bad or unwanted web content to ensure users don’t inadvertently access malicious websites.
- Update software and patch systems: Patch management is the cornerstone for avoiding worms that take advantage of system flaws. Ensure you have a strong patch management process that’s always on and connected to provide the visibility you need into which patches are high priority and require immediate deployment to your impacted systems.
How CrowdStrike can help
When cybercriminals launch a computer worm attack, the goal is to infect your endpoint devices and spread from there. To safeguard against computer worms and other cyber threats, organizations need effective endpoint protection.
CrowdStrike Falcon® Prevent delivers superior endpoint protection with a single lightweight-agent architecture that operates without the need for constant signature updates, on-premises management infrastructure, or complex integrations. Purpose-built in the cloud, Falcon Prevent eliminates complexity, simplifies endpoint security, and delivers leading protection against all types of attacks, from commodity malware to sophisticated attacks — even when users are offline.
Learn more about CrowdStrike Falcon Prevent.
Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.
