Viruses, Worms and Trojan Horses Explained
By Robert Lemos
Special to CNET News.com
March 15, 2001, 4:00 a.m. PT
Hardly a day goes by without a new virus, worm or Trojan horse popping up to worry the average Net surfer. As a group, such programs are called
"malicious code," and only a few guidelines exist to determine the classification of any particular program. Moreover, classifying
malicious code is not always clear-cut. Many programs can be classified as all three. For example, the original Melissa virus infects files
(making it a virus), but also uses e-mail to spread itself to other computers (making it a worm) and appears to be a list of porn sites
(making it a Trojan horse). The classification of malicious code is not a comment about how dangerous or destructive the code can be. A virus,
worm or Trojan horse may only spread itself or it may erase a computer's hard drive, or anything in between.
Here are the main types of malicious code:
Virus (Infector filus)
A virus is a program that spreads itself by infecting files. When it
runs, a virus will essentially wrap a file's data in its own code. When the file is opened, the virus runs its program first and then opens the
file as initially requested. Standard viruses will spread only when an infected file is transferred from one computer to another.
CIH--sometimes called the Chernobyl virus--is a prime example of a standard virus.
Worm, mass mailer (Cestoidea emailus)
Worms, unlike viruses, don't infect files, but entire disks or computer systems. Because worms can't rely on file-to-file transfers to spread
their code, they need to have a way of sending themselves to other computer systems. Perhaps the most common way today is via e-mail. Known
as mass mailers due to the technique of spamming themselves to every address in the e-mail address book, such worms generally require a
person's action to spread. Typically, that means opening an attachment
in the infected e-mail. By scamming people, such mass-mailing worms are similar to Trojan horses. A good example of a mass mailer is the recent
Anna Kournikova worm.
Worm, network-aware (Cestoidea network)
Some worms squirm into another computer through security holes. Whether taking advantage of unprotected, shared drives or of a vulnerability in
FTP software, such network-aware worms don't require a person's action to spread. While defense against mass-mailing worms only requires
someone to passively reject any e-mail attachments and employ antivirus software, defense against network-aware worms requires a computer's
owner to patch security holes, assign passwords to systems and use a
personal firewall. The Linux Ramen worm and W95/Bymer are two examples of network-aware worms.
Trojan horse (Equus chameleus)
Unlike worms and viruses, the purpose of a Trojan horse is not to
spread, but to get a particular target--that is, a computer's owner--to run the program. A strict definition of a Trojan horse is any program
that does something besides what a person believes it will do. Modified programs that open a back door into a system or a program hidden inside
of a humorous animation are typical examples of Trojan horses. Yet some have broadened the definition to include commercial software that
collects data on the person running the program and sends it back to the company without adequate warning to that person. Many mass-mailing worms
are considered Trojan horses because they have to convince someone to open them. The SubSeven server--software that lets an attacker remotely
control any computer on which it is installed--is an example of a program typically embedded in a Trojan horse.
-RL