Virus vs. Worm β The Critical Distinction
- Requires user interaction to activate (run a program, open a document, click a link, boot from infected media)
- Attaches to a host file or program to replicate
- Spreads through file systems, shared drives, email attachments, removable media
- Speed of spread depends on how often users share or open files
- Stopped by: antivirus signatures, not opening suspicious files, disabling macros
- No user interaction required β self-propagates entirely autonomously
- Does not need a host file β spreads independently via the network
- Exploits network-facing vulnerabilities to install itself on remote systems
- Speed of spread is limited only by network bandwidth and number of vulnerable hosts
- Stopped by: firewalls, IDS/IPS, network segmentation, patching
The Four Virus Types
| Virus Type | Where It Hides | When It Runs | How It Spreads | Classic Example |
|---|---|---|---|---|
| Program Virus | Attached to an executable file (.exe, .com, application binary) | When the infected program is launched by the user | Injects code into other executables on local drives and network shares | Jerusalem virus, CIH/Chernobyl |
| Boot Sector Virus | Boot sector of a storage device (hard drive, USB drive) | At power-on, before the OS loads β OS security tools are not yet running | Copies itself to boot sector of any connected storage device | Stoned, Michelangelo |
| Script Virus | Script embedded in web page, email, or OS script file (JS, VBScript, PowerShell) | When the browser or OS executes the script | Via compromised web pages, email messages, shared script files | ILOVEYOU (VBScript), Anna Kournikova |
| Macro Virus | Macro embedded in document file (Word .doc/.docm, Excel .xls/.xlsm) | When the document is opened and macros execute | Via shared documents, email attachments, shared templates (e.g., Normal.dot) | Melissa, Concept |
Fileless Virus β Step-by-Step Infection Chain
No malicious file is ever written to disk until Step 6. Traditional antivirus scanning disk files sees nothing at Steps 1β5.
Why Fileless Malware Evades Antivirus
- Scans files on disk (executables, scripts, documents)
- Compares file contents against known malware signatures
- Quarantines files that match known patterns
- Monitors new files written to storage
Against fileless malware: Nothing to scan. No files are written to disk. Antivirus reports clean. The entire infection is invisible to disk-based scanning.
- Monitors process behavior in memory (not just files on disk)
- Flags anomalous actions: PowerShell making outbound network calls, unusual parent-child process relationships, scripts running without a corresponding file
- Detects suspicious registry modifications (autostart entries)
- Generates alerts based on behavior patterns regardless of file presence
Against fileless malware: Detects the in-memory execution chain, unusual PowerShell activity, and registry modifications even with no suspicious disk files present.
Worm Propagation Model
| Phase | What the Worm Does | Speed / Scale |
|---|---|---|
| 1. Initial Infection | Worm reaches the first host via an exploit, email, removable media, or existing backdoor | Single system |
| 2. Vulnerability Scan | Worm scans local network for other systems listening on the target port or running the target service | Scans hundreds of IPs per second |
| 3. Exploitation | Worm sends exploit code to each discovered vulnerable system; installs itself autonomously | No user action on any target needed |
| 4. Replication | Each newly infected host begins its own scan β exponential growth on a flat network | Doubles with each scan cycle; network-speed propagation |
| 5. Payload Delivery | Worm delivers its payload to each infected system (ransomware, backdoor, botnet enrollment, data exfiltration) | Simultaneous across all infected hosts |
Controls That Stop Worm Spread
| Control | How It Stops Worms | Limitation |
|---|---|---|
| Patching | Closes the vulnerabilities worms exploit β a fully patched system is not a viable target | Requires timely application; zero-day worms exploit unpatched vulnerabilities before patches exist |
| Perimeter Firewall | Blocks inbound traffic on ports worms use to probe and infect; prevents internet-based worms from reaching internal systems | Does not stop worm spread once it is already inside the network |
| Host-Based Firewall | Blocks the specific traffic a worm uses even between internal hosts | Must be configured and enabled on every endpoint; may interfere with legitimate services |
| IDS/IPS | Detects the characteristic scan patterns and exploit traffic of worm propagation; IPS blocks it in real time | Requires worm signatures or behavioral rules; new worm variants may evade detection initially |
| Network Segmentation | Limits blast radius β a worm in one segment cannot auto-reach other segments without crossing a controlled boundary | Does not stop spread within a segment; only contains it between segments |
WannaCry Attack Chain
The patch that would have stopped everything: MS17-010 β released by Microsoft on March 14, 2017. WannaCry launched May 12, 2017. Every organization that applied the patch in that 58-day window was fully immune. Every organization that did not was both a victim and an unwilling vector.