The call came from a 40-person law firm at 9:15 AM Monday. Three attorneys had reported that Microsoft Word was behaving strangely β opening slowly, generating unexpected macro warnings, and in two cases creating unknown copies of documents in shared directories. By the time Reza arrived, the number was eleven.
His junior analyst, Dara, pulled the first infected file within twenty minutes. "It's in the quarterly report template," she said. "The one on the shared drive that everyone uses for client billing."
"How long has that template been there?"
"Looks like it was modified Thursday afternoon. The file timestamps changed."
Reza pulled up the macro embedded in the template. It was a Word macro virus β malicious code written in the VBA macro language and embedded inside the document itself. Every time an attorney opened the template to start a billing report, the macro ran. The macro's first action was to copy itself into the user's Normal.dot file β Word's global default template. From that point, the macro spread to every new Word document that user created or opened, regardless of whether those documents had macros enabled by the user.
"So the original infection was in one template," Dara said, "and it spread to every attorney who opened it?"
"And to every document they created after that. That's how a virus works. It needs you to do something β open a file, run a program, click a link. But once you do, it replicates itself into other files. By Thursday afternoon when the template was first infected, we estimate at least six people opened it before the weekend. By Monday morning, each of those six had been creating and sharing documents for two more days."
Dara counted the chain in her head. "Eleven makes sense."
"It'll be more by lunch," Reza said. "Pull the shared drive and quarantine it before anyone else opens another document."
A computer virus is malware that replicates itself β it copies its code into other files, programs, or storage locations. The defining characteristic is that it requires some form of user interaction to activate: executing a program, opening a document, clicking a link, or booting from infected media. The virus cannot spread on its own without that initial trigger.
Once activated, the virus reproduces by attaching copies of itself to other files on the file system, on removable media, or across network shares. Not all viruses cause immediate visible damage β some operate quietly in the background for weeks, spreading as widely as possible before triggering a destructive payload. Others cause immediate symptoms: slowdowns, file corruption, unexpected behavior.
Why antivirus signatures must stay current: Antivirus software identifies viruses by matching files against a database of known malware patterns called signatures. Thousands of new virus variants are created every week. A signature file that is days old may not include patterns for the newest variants β meaning new viruses will pass through undetected. Current signatures are a prerequisite, not a guarantee.
While Dara was isolating the shared drive, a paralegal named Tom asked if his laptop needed to be looked at. He hadn't opened the template, but he had plugged in a USB drive shared with one of the infected attorneys the previous week.
Reza plugged the USB into an isolated analysis machine. "This might be a different problem." The USB drive had a modified boot sector β a separate infection entirely, probably predating the document virus. "This is a boot sector virus. Different animal."
"Isn't it all the same thing?" Tom asked.
"Same category, different method," Reza said, and he turned to Dara. "Walk him through the types."
Dara had been through this briefing before. "There are four main virus types. The first is a program virus β it attaches to an executable. When you run the program, the virus runs too and copies itself to other executables. The second is a boot sector virus β" she pointed to Tom's USB β "like this one. It infects the boot sector of a storage device. When the device boots, the virus runs before the operating system even loads. That's what makes it nasty: the OS isn't up yet, so OS-level defenses aren't running either."
"What are the other two?" Tom asked.
"Script viruses use scripting languages β JavaScript, VBScript, PowerShell β that browsers and operating systems can run. You visit a compromised web page, the script runs automatically, and the virus executes. And then macro viruses, like the one in your firm's template, are written in the macro language of an application. Microsoft Office macros are the classic example. The document is the carrier; the macro is the virus."
Tom looked at the USB drive in Reza's hand. "So you can get two different viruses at once?"
"You can get all four at once if you're spectacularly unlucky," Reza said. "Let's focus on what you've got."
| Type | Where It Lives | When It Activates | How It Spreads |
|---|---|---|---|
| Program Virus | Attached to an executable (.exe, .com, application) | When the infected program is launched | Copies itself into other executables on the file system or network shares |
| Boot Sector Virus | Boot sector of a storage device (hard drive, USB drive) | At system startup, before the OS loads | Spreads to any storage device that is connected and written to during boot |
| Script Virus | Script embedded in a web page, email, or OS script file | When the browser or OS executes the script | Via email, compromised web pages, or shared script files |
| Macro Virus | Macro embedded in a document (Word, Excel, PowerPoint) | When the infected document is opened and macros run | Via shared documents, email attachments, shared templates |
By afternoon, Reza had found something unexpected on one of the partner's laptops. The antivirus was reporting clean. The machine showed no infected files. But the behavioral monitoring tool Reza had installed was flagging PowerShell sessions running at startup that were not associated with any installed application.
"The antivirus isn't seeing anything," Dara said, "but those PowerShell processes are making outbound network calls. Look β they're pulling something down from an external IP."
"Fileless," Reza said immediately.
This was a separate, more sophisticated infection. Sometime earlier β probably weeks before the macro virus hit β the partner had clicked on a link in an email. The link had loaded a web page that exploited a vulnerability in an outdated version of a browser plugin. The exploit code ran entirely in memory, never touching the disk. It launched PowerShell β a legitimate Windows administration tool β and passed it a script to run, also in memory. The PowerShell script downloaded additional scripts from the attacker's server, also running them in memory. Those scripts were now silently monitoring keystrokes and exfiltrating data.
"Why doesn't the antivirus see it?" Dara asked.
"Because antivirus scans files on disk. There are no files on disk to scan. The malware exists only in RAM. It has never been written to a storage drive. As far as antivirus is concerned, nothing is there."
"Then how does it survive a reboot?"
Reza pointed to the registry. "One small registry entry. An autostart key that re-runs a legitimate-looking PowerShell command at startup. The command looks like a normal system task β but it triggers the whole chain again. One registry value is all that's on disk. And registry keys don't get scanned by most signature-based antivirus."
Dara stared at the screen. "So the whole malware operation is invisible."
"Almost. The only way to catch it is behavioral monitoring β watching what processes are doing, not what files are present. This is why EDR exists. If you're only running signature antivirus, this entire infection is completely invisible to you."
A fileless virus (also called fileless malware) does not install itself as a file on the system's storage drive. It operates entirely in memory (RAM) and uses legitimate system tools β most commonly PowerShell or Windows Management Instrumentation (WMI) β to execute its malicious code. Because traditional antivirus software scans files stored on disk, fileless malware can evade detection entirely.
Typical fileless infection chain:
- User clicks a malicious link in email or on a website
- Web page exploits a vulnerability in the browser, a plugin (Flash, Java), or a known OS vulnerability
- Exploit code runs in memory β launches PowerShell with a malicious script passed as a command-line argument
- PowerShell script (running in memory) downloads additional scripts from the attacker's server and runs them in memory
- The in-memory scripts perform malicious actions: keystroke logging, data exfiltration, credential theft, installation of additional payloads
- To survive reboots, a single autostart entry is added to the Windows registry, which re-triggers the PowerShell chain on next startup
What stops fileless malware: Behavioral detection (EDR) β monitoring what processes do in memory rather than scanning disk files. Keeping applications patched eliminates the browser/plugin vulnerabilities that enable the initial exploit.
Thursday morning, Reza was at a different client β a manufacturing company with a plant floor full of Windows-based industrial control terminals. The IT manager had called at 6 AM: machines were going offline one by one, and no one could figure out why.
"Who opened what?" Reza asked as he walked the floor.
"That's the thing," the IT manager said. "The first machine to go offline was in an isolated area. No one had used it for eighteen hours before the alert. Night shift left at midnight; the machine was offline by 3 AM."
Reza stopped. "No user interaction."
"Not a single click."
"That's not a virus. That's a worm."
A worm does not need a human to activate it. It finds vulnerable systems on the network on its own, exploits a vulnerability to install itself, and immediately begins scanning for more vulnerable systems to infect. The first machine in this plant had an unpatched Windows service vulnerability β the worm found it from another system on the network, installed itself automatically, and within minutes was scanning the local subnet. At 3 AM with no users present and no firewalls between the industrial terminals, it had moved to eleven machines by 4 AM and twenty-three by 6 AM.
"How do we stop it?" the IT manager asked.
"Network segmentation, now. Isolate the plant floor from the corporate network. Then we patch the vulnerability on every terminal it hasn't hit yet and start remediating the ones it has." Reza was already at the network switch. "The good news is worms are a relatively rare occurrence compared to viruses. The bad news is when they go, they go fast. They replicate at the speed of your network."
A worm is self-replicating malware that spreads automatically across networks without requiring any user interaction. This is the fundamental distinction from a virus: a worm does not need a human to click, open, or run anything. It finds vulnerable systems, exploits them, installs itself, and continues scanning.
Why worms spread so fast: Worms propagate at network speed. On a flat, unsegmented network with no internal firewalls, a worm can reach every system in minutes. Unlike a virus that depends on users sharing files, a worm's only dependency is network connectivity to a vulnerable host.
What limits worm spread:
- Firewalls (perimeter and host-based) β block the network traffic the worm uses to probe and infect new targets
- Intrusion Detection/Prevention Systems (IDS/IPS) β detect the characteristic scanning behavior of worms and block or alert on it
- Network segmentation β prevents a worm that enters one network segment from reaching other segments; contains the blast radius
- Patching β closes the vulnerabilities worms exploit; a fully patched system is not a viable target for most worms
Important limitation: Firewalls and IDS/IPS help most at the perimeter. Once a worm is inside a network, internal controls (segmentation, host firewalls, endpoint patching) determine how far it spreads. A worm inside a flat, unsegmented network with no internal controls can reach everything.
While Reza's team worked through the plant floor, one of the younger technicians asked the question that was clearly on everyone's mind: "Is this going to encrypt everything like WannaCry?"
Reza paused from his work. "Not this worm β this one is just propagating, not carrying a ransomware payload. But WannaCry is the perfect example of what a worm can become when someone arms it."
He pulled up the case on his laptop. "WannaCry in 2017 used a Windows exploit called EternalBlue β it targeted the SMB file-sharing protocol that Windows machines use to talk to each other on a network. No user action needed. A vulnerable machine on the same network was enough. The worm found it, exploited EternalBlue, installed a backdoor, and then pulled down the ransomware payload from the attacker's infrastructure. The ransomware encrypted all the user data files. Then the worm moved on to the next machine and did it again."
"So the worm was the delivery mechanism," the technician said.
"Exactly. The ransomware was the payload. By itself, the ransomware would need someone to download and run it. With the worm attached, it needed nothing β it found its own victims. That combination is what made WannaCry hit 200,000 systems across 150 countries in a matter of days. A patch for EternalBlue had been available for two months before the attack. Every system that was patched was immune. Every system that wasn't became both a victim and a vector."
The technician looked at the machines going dark one by one on the monitoring panel. "Patching would have stopped all of this."
"Patching," Reza said, "stops most of what I get called out for."