Chapter 41 Β· Flashcards

Viruses and Worms Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Virus β€” The Key Requirement
Tap to reveal
A virus replicates itself but requires user interaction to activate: executing a program, opening a document, running a script, or booting from infected media. Without that trigger, the virus cannot spread. This is the defining difference between a virus and a worm. Viruses copy themselves into other files, programs, or storage locations once activated. They may cause immediate visible damage or operate silently for extended periods before triggering a destructive payload.
Program Virus
Tap to reveal
A virus that attaches to an executable file (.exe, .com, or application binary). It runs when the user launches the infected program. Once running, it injects copies of itself into other executable files on local drives and accessible network shares. Program viruses are the "classic" type β€” the infection is inseparable from running an infected program. Also called file infector viruses. Detection: antivirus scanning executables for known signatures.
Boot Sector Virus
Tap to reveal
A virus that infects the boot sector of a storage device β€” the code executed at power-on before the OS loads. Because it runs before the OS, OS-level security tools are not yet active. Spreads to boot sectors of any connected storage media. Historically significant on floppy disks; modern variants target hard drives and USB drives. A boot sector virus on a USB drive infects any computer that boots from (or is configured to check) that USB device.
Script Virus
Tap to reveal
A virus written in a scripting language supported by an OS or browser β€” JavaScript, VBScript, PowerShell, Python. Executes when the browser renders a compromised page, when an OS script is run, or when a malicious script is opened. Classic examples: ILOVEYOU (VBScript attached to email), Anna Kournikova. Spreads via email, web pages, and shared script files. Because scripts are text files, they can evade binary-focused antivirus scanning. User must open/run the script β€” user action required.
Macro Virus
Tap to reveal
A virus embedded as a macro in a document file (most commonly Microsoft Word, Excel, PowerPoint). Executes when the document is opened and macros run. Spreads by copying itself into other documents the user opens and into the application's default template (e.g., Word's Normal.dot), so every new document inherits the infection. Melissa (1999) spread to 50 Outlook contacts per infected machine. Defense: disable macros by default, use Protected View for external documents, apply macro signing policies.
Fileless Virus / Fileless Malware
Tap to reveal
Malware that operates entirely in memory (RAM) without writing malicious files to disk. Exploits a browser/plugin vulnerability to gain access, then uses legitimate tools (PowerShell, WMI) to run malicious code in memory. Traditional antivirus scans disk files β€” nothing to find. The only disk artifact is typically a single registry autostart entry that re-triggers the in-memory chain on reboot. Detected through behavioral monitoring (EDR) watching what processes do, not what files exist. Stopped by: patching browsers/plugins + EDR behavioral detection.
Worm β€” Self-Propagation
Tap to reveal
A worm replicates and spreads automatically across networks with no user interaction. It scans for vulnerable systems, exploits them, installs itself, and continues scanning β€” all autonomously. No human needs to click, open, or run anything on the target. Spreads at network speed; can infect thousands of systems in minutes on a flat network. Controls: firewalls, IDS/IPS (detect scanning patterns), network segmentation (contain blast radius), patching (eliminate the vulnerability being exploited). WannaCry's EternalBlue component is the definitive modern worm example.
EternalBlue
Tap to reveal
A Windows exploit targeting the SMB protocol (port 445) that allows remote code execution with no user interaction. Developed by the NSA, leaked publicly in April 2017. Used by WannaCry (May 2017) and later NotPetya (June 2017) to self-propagate as worms. The patch (MS17-010) was released March 14, 2017 β€” 58 days before WannaCry launched. Systems that applied the patch were immune; unpatched systems were both victims and vectors. EternalBlue is the exam's canonical example of the vulnerability that enables worm propagation.
Antivirus Signature Files
Tap to reveal
A database of known malware patterns that antivirus software uses to detect malicious files by comparing them against the signature database. Must be updated frequently because thousands of new virus variants are created weekly β€” outdated signatures miss recent variants. Effective against known viruses; blind to: (1) zero-day variants with no signature yet; (2) fileless malware that writes no disk files; (3) heavily obfuscated variants designed to evade pattern matching. Current signatures are necessary but not sufficient for complete malware defense.
Virus vs. Worm β€” One-Line Distinction
Tap to reveal
Virus: user must do something to spread it. Worm: no user action needed β€” it spreads itself.

Both are self-replicating malware. The difference is the propagation mechanism. A virus needs a human trigger (run a program, open a file, click a link). A worm autonomously exploits network vulnerabilities to reach new targets. This distinction determines what defenses apply: user training and disabling auto-execution help against viruses; firewalls, IDS/IPS, segmentation, and patching are the worm defenses. On the exam: "no user interaction" = worm.