September 16, 2021

TECH HYME

A Blog For Tech Enthusiasts

List of World’s Worst Virus and Worm Attacks

12 min read

Computer virus is a program that can “infect” legitimate programs by modifying them to include a possibly “evolved” copy of itself. Viruses spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs of many machines.

A computer virus passes from computer to computer in a similar manner as a biological virus passes from person to person. Viruses may also contain malicious instructions that may cause damage or annoyance, the combination of possibly Malicious Code with the ability to spread is what makes viruses a considerable-concern. Viruses can often spread without any readily visible symptoms.

Suggested Read:

A virus can start on event-driven effects (e.g., triggered after a specific number of executions), time-driven effects (e.g., triggered on a specific date, such as Friday the 15th) or can occur at random. Viruses can take some typical actions:

  1. Display a message to prompt an action which may set of the virus;
  2. Delete files inside the system into which viruses enter;
  3. Scramble data on a hard disk;
  4. Cause erratic screen behavior;
  5. Halt the system (PC);
  6. Just replicate themselves to propagate further harm.

Computer virus has the ability to copy itself and infect the system. The term virus is also commonly but erroneously used to refer to other types of malware, Adware and Spyware programs that do not have reproductive ability. A true virus can only spread from one system to another (in some form of executable code) when its host is taken to the target computer; for instance, when a user sent it over the Internet or a network, or carried it on a removable media such as CD, DVD or USB drives.

Viruses can increase their chances of spreading to other systems by infecting files on a network file system or a file system that is accessed by another system.

As you already know, the term computer virus is sometimes used as a catch-all phrase to include all types of malware, Adware and Spyware programs that do not have reproductive ability. Malware includes computer viruses,worms, Trojans, most Rootkits, Spyware, dishonest Adware, crimeware and other malicious and unwanted software as well as true viruses.

Viruses are sometimes confused with computer worms and Trojan Horses, which are technically different. A worm spreads itself automatically to other computers through networks by exploiting security vulnerabilities, whereas a Trojan is a code/program that appears to be harmless but hides malicious functions. Worms and Trojans, such as viruses, may harm the system’s data or performance.

Some viruses and other malware have noticeable symptoms that enable computer user to take necessary corrective actions, but many viruses are surreptitious or simply do nothing for user’s to take note of them. Some viruses do nothing beyond reproducing themselves.

Difference between computer virus and worm

Computer Virus:

  • Different types: Stealth virus, self-modified virus, encryption with variable key virus, polymorphic code virus, metamorphic code virus.
  • Spread mode: Needs a host program to spread.
  • What is it? A computer virus is a software program that can copy itself and infect the data or information, without the users knowledge, However, to spread to another computer, it needs a host program that carries the virus.
  • Inception: The creeper virus was considered as the first known virus. It was spread through ARPANET in the early 1970s. It spreads through the TENEX OS and uses connected modem to dial out to a remote computer and infect it.
  • Prevalence: Over 100,000 known computer viruses have been there through not all have attacked computers (till 2005).

Worms:

  • Different types: E-Mail worms,instant messaging worms, Internet worms, IRC worms, file-sharing networks worms
  • Spread mode: Self, without user intervention
  • What is it? A computer worm is a software program, self-replicating in nature, which spreads through a network. It can send copies through the network with or without user intervention
  • Inception: The name worm originated from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner, Later researchers John F Shock and John A Hupp at Xerox PARC published a paper in 1982. The Worm Programs and after that the name was adopted
  • Prevalence: Prevalence for virus is very high as against moderate prevalence for a worm.

Types Of Viruses

Computer viruses can be categorized based on attacks on various elements of the system and can put the system and personal data on the system in danger.

1. Boot sector viruses:

It infects the storage media on which OS is stored (e.g., floppy diskettes and hard drives) and which is used to start the computer system. The entire data/programs are stored on the floppy disks and hard drives in smaller sections called sectors.

The first sector is called the BOOT and it carries the master boot record (MBR), MBR’s function is to read and load OS, that is, it enables computer system to start through OS. Hence, if a virus attacks an MBR or infects the boot record of a disk, such floppy disk infects victim’s hard drive when he/she reboots the system while the infected disk is in the drive.

Once the victim’s hard drive is infected all the floppy diskettes that are being used in the system will be infected. Boot sector viruses often spread to other systems when shared infected disks and pirated software(s) are used.

2. Program viruses:

These viruses become active when the program file (usually with extensions .bin,.com,.exe,.ovl,.drv) is executed ( i.e., opened-program is started). Once these program files get infected, the virus makes copies of itself and infects the other programs on the computer system.

3. Multipartite viruses:

It is a hybrid of a boot sector and program virus. It infects program files along with the boot record when the infected program is active. When the victim starts the computer system next time, it will infect the local drive and other programs on the victim’s computer system.

4. Stealth viruses:

It camouflages and/or masks itself and so detecting this type of virus is very difficult. It can disguise itself such a way that antivirus software also cannot detect it thereby preventing spreading into the computer system. It alerts its file size and conceals itself in the computer memory to remain in the system undetected. The first computer virus, named as Brain, was a stealth virus.

A good antivirus detects a stealth virus lurking on the victim’s system by checking the areas the virus must have infected by leaving evidence in memory.

5. Polymorphic viruses:

It acts like a “chameleon” that changes its virus signature (i.e., binary pattern) every time it spreads through the system (i.e.,multiplies and infects a new file). Hence, it is always difficult to detect polymorphic virus with the help of an antivirus program.

Polymorphic generators are the routines (i.e., small programs) that can be linked with the existing viruses. These generators are not viruses but the purpose of these generators is to hide actual viruses under the cloak of polymorphism.

The first all-purpose polymorphic generator was the mutation engine (MtE) published in 1991. Other known polymorphic generators are Dark Angel’s Multiple Encryptor (DAME), Darwinian Generic Mutation Engine (DGME),Dark Slayer Mutation Engine (DSME), MutaGen, Gen, Guns Roses Polymorphic Engine (GPE) and Dark Slayer Confusion Engine (DSCE).

6. Macroviruses:

Many applications, such as Microsoft Word and Microsoft Excel, support MACROs (l.e., macro languages). These macros are programmed as a macro embedded in a document. Once a macrovirus gets onto a victim’s computer then every document he/she produces will become infected.

This type of virus is relatively new may get slipped by the antivirus software if the user does not have the most recent version installed on his/her system.

7. Active X and Java Control:

All the web browsers have settings about Active X and Java Controls. Little awareness is needed about managing and controlling these settings of a web browser to prohibit and allow certain functions to work-such as enabling or disabling pop-ups, downloading files and sound- which invites the threats for the computer system being targeted by unwanted software(s) floating in cyberspace.

The world’s worst virus attacks!!!

1. Conficker

It is also known as Downup, Downadup and Kido. It targets Microsoft Windows OS and was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors.

The name Conficker is blended from a English term “configure” and the German word “Ficker,” which means ” to have sex with”or “to mess with” in colloquial German.

2. INF/AutoRun

AutoRun and the companion feature AutoPlay are components of the Microsoft Windows OS that dictate what actions the system takes when a drive is mounted.

This is the most common threat that infects a PC by creating an “autorun.inf” file. The file contains information about programs meant to run automatically when removable devices are connected to the computer. End-users must disable the AutoRun feature enabled by default in windows. AutoRun functionality is used in attack vector attacks.

3. Win32 PSW.OnLineGames

It is a dangerous virus that replicates itself as other viruses and spreads from one computer system to another carrying a payload of destruction.

It can infect several computers within few minutes. It is more concerned with games around the world,stealing confidential and other finical credentials as well as gaining access to the victim’s account. This virus is also termed as Trojan.

4. Win32/Agent

This virus is also termed as Trojan. It copies itself into temporary locations and steals information from the infected system.

It adds entries into the registry,creating several files as different places in the system folder, allowing it to run on every start-up,which enables to gather complete information about the infected system and then transferred to the intruder’s system.

5. Win32/FlyStudio

It is known as Trojan with characteristics of backdoor. This virus does not replicate itself, but spreads only when the circumstances are beneficial. It is called as backdoors because the information stolen from a system is sent back to the intruder.

6. Win32/Pacex.Gen

This threat designates a wide range of malwares that makes use of an obfuscation layer to steal passwords and other information from the infected system.

7. Win32/Qhost

This virus copies itself to the System32 folder of the Windows directory giving control of the computer to the attacker. The attacker then modifies the Domain Name Server/System (DNS) settings redirecting the computer to other domain.

This is done to compromise the infected machine from downloading any updates and redirect any attempts made to a website that downloads other malicious files on the victim’s computer.

8. WMA/TrojanDownloader.GetCodec

This threat as the suffix .GetCodec modifies the audio files present on the system to “wma” format and adds a URL header that points to the location of the new codec. In this manner, the host computer is forced to download the new codec and along with the new codec several other Malicious Codes are also downloaded.

This means that the end-user will download the new codec believing that something new might happen, whereas the Malicious Code runs in the background causing harm to the host computer.

At present, there is no way to verify the authenticity of the codec being downloaded as a new enhancement or a Trojan Horse; therefore, users must avoid unnecessary downloading of new codec unless they are downloaded from a trusted website. Unnecessary downloading of codecs should be avoided.

A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always corrupt or modify files on a targeted computer.

The world’s worst virus and worm attacks!!!

1. Morris Worm

It is also known as “Great Worm” or Internet Worm. It was written by a student, Robert Tappan Morris, at Cornell
University and launched on 2 November 1988 from MIT. It was reported that around 6,000 major Unix machines were infected by the Morris worm and the total cost of the damage calculated was USS 10-100 millions.

2. ILOVEYOU

It is also known as VBS/Loveletter or Love Bug Worm. It successfully attacked tens of millions of Windows computers in 2000. The E-Mail was sent with the subject line as “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs,” The file extension “vbs,” was hidden, hence the receiver downloads the attachment
and opens it to see the contents.

3. Nimda

It is the most widespread computer worm and a file infector. It can affect Internet’s within 22 minutes. Nimda affected both user workstations (i.e., client) running on Windows 95, 98, Me,NT,2000 or XP and Servers running on Windows NT and 2000. It is “admin” when this worm’s name is spelled backward.

4. Code Red

This computer worm was observed on the Internet on 13 July 2001. It attacked computers running on Microsoft’s IIS web server.

The Code Red worm was first discovered and researched by eEye Digital Security employees, Marc Maiffret and Ryan Permeh. They named the worm Code Red because they were drinking Pepsi’s” Mountain Dew Code Red” over the weekend.

They analyzed it because of the phrase “Hacked by Chinese!” with which the worm defaced websites. On 4 August 2001 “Code Red II” appeared on the Internet and was found to be a variant of the original Code Red worm.

5. Melissa

It is also known as “Melissa,””Simpsons,” Kwyjibo” or Kwejeebo”. It is a mass-mailing macro worm. Melissa was
written by David L. Smith in Aberdeen Township, New Jersey, who named it after a lap dancer he met in Florida. The worm was in a file called “List.DOC” which had passwords that allow the access into 80 pornographic websites.

This worm in the original form was sent through an E-Mail to many Internet users,Melissa spread on Microsoft Word 97, Word 2000 and also on Microsoft Excel 97, 2000 and 2003. It can mass-mail itself from E-Mail client Microsoft Outlook 97 or Outlook 98.

6. MSBlast

The Blaster Worm: It is also known as Lovsan or Lovesan, found during August 2003, which spread across the systems running on Microsoft Windows XP and Windows 2000. The worm also creates an entry under OS registry to launch the worm every time Windows starts.

This worm contains two messages hidden in strings. The first,”I just want to say LOVE YOU SAN!!!”and so the worm sometimes was called “Lovesan worm”. The second message,”Billy gates why do you make this possible? Stop making money and fix your software!!” This message was for Bill Gates, the co-founder of Microsoft and target of the worm.

7. Sobig

This worm, found during August 2003, infected millions of Internet-connected computers that were running on Microsoft Windows. It was written in Microsoft Visual C++ and compressed using a data compression tool,”tElock.”
This Worm not only replicates by itself but also a Trojan Horse that it masquerades as something other than
malware. It will appear as an E-Mail with one of the following subjects;

  • Re: Approved
  • Re: Details
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

It will contain the text as “See the attached file for details” or”please see the attached file for details.” The E-Mail will also contain an attachment by one of the names mentioned below:

  • application.pif
  • details.pif
  • document_9446.pif
  • document all.pif
  • movie005.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

8. Storm Worm

This worm found on 17 January 2007, is also known as a backdoor Trojan Horse that affects the systems running on
Microsoft OSs. The Storm worm infected thousands of computer systems in Europe and in the US on Friday, 19
January 2007, through an E-Mail with a subject line about a recent weather disaster,”230 dead as storm batters Europe”.

The worm is also known as:

  • Small.dam or Trojan-Downloader.Win32.Small.dam
  • CME-711
  • W32/Nuwar@M.M and Downloader-BAI
  • Troj/Dorf and Mal/Dorf
  • Trojan.DL.Tibs.Gen!Pac13
  • Trojan.Downloader-647
  • Trojan.Peacomm
  • TROJ_SMALL.EDW
  • Win32/Nuwar
  • Win32/Nuwar.N@M.M!CME-711
  • W32/Zhelatin
  • Trojan.Peed, Trojan.Tibs

9. Michelangelo

It is a worm discovered in April 1991 in New Zealand. This worm was designed primarily to infect the systems that
were running on disk operating system (DOS) systems. Like other boot sector viruses, Michelangelo operated at
the BIOS level and remained dormant until 6 March, the birthday of an artist”Michelangelo di Lodovico Buonarroti
Simoni”- an Italian Renaissance painter, sculptor,architect and poet.

10. Jerusalem

This worm is also known as “BlackBox.” Jerusalem infected the files residing on DOS that was detected in Jerusalem, Israel, in October 1987. It has become memory resident (using 2 KB of memory). Once the system gets infected then it infects every executable file, except “COMMAND.COM.” “.COM” files grow by 1,813 bytes when infected by Jerusalem and are not reinfected.

Similarly “EXE” files grow from 1,813 to 1,823 bytes each time they get infected. Jerusalem reinfects “EXE” files each time the file is loaded until their size is increased that is found to be “too large to load into memory.”

Leave a Reply