WORMS
By Michael Carlisle
CpSc 420
December 6, 2007
Worms – A Definition!
Worm – a program that copies itself from one computer to another.
Common Terms
Payload – the code’s harmful results.
Example – Nyxem worm – targets files with commonly used extensions
○ ZIP, DOC, PDF, PPT, XLS …
○ Replaces data in those files with the text “DATA Error [47 0F 94 93 F4 F5]”
Example – Melissa.U – deletes critical files on Windows computers.
○ Command.com, IO.sys, Ntdetect.com, Suhdlog.dat
Common Terms (cont.)
Mitigation – to make something less severe, or to eliminate the possibility of adverse action
Many types
○ Patches
○ Updates
Propagation – spreading or self-replication of a worm.
Good Worms?!?
Xerox PARC – created in the late 1970s
Designed to find idle processors on a network
Once found, helped to share processing and improve CPU cycle use efficiency
Welchia (Nachia)
Downloaded patches and updates from Microsoft
Found the vulnerability it used and patched it
Many considered this a malicious worm
○ Created a lot of traffic
○ Rebooted computers
Malicious Intent
Melissa – macro virus
Attacked Outlook and Word
Distributed by an infected attachment
Sends infected file to first fifty e-mail addresses encountered
Modified Word documents by adding a quote from “The Simpsons”
Damage – 300 – 600 million dollars!
Malicious Intent
ILOVEYOU
VBScript appeared as e-mail attachment (LOVE-LETTER-FOR-YOU.TXT.vbs)
Overwrote music and image files with copy of itself
Damage – 10 to 15 billion dollars!
http://www.dia.unisa.it/~ads/corso-security/www/CORSO-0102/macrovirus/ilovey3.jpg
Malicious Intent
Mydoom – one of the fastest spreading worms ever
Transmitted by e-mail
Finds local files – address book
Finds folders entitled “shared folder” to spread via file sharing networks
Supposedly responsible for…
○ Decrease 10% in global Internet performance
○ 50% decrease Web load times
ILOVEYOU Worm
Searches Microsoft Outlook address book and retrieves all addresses
No limit in number of recipients
Social engineering – e-mails addressed with subject “ILOVEYOU”
Works only with systems that have WSH (Windows Scripting Host) installed
Copies itself to 2 directories
Main Windows directory
○ File named Win32DLL.vbs
System directory
○ File named MSKernel32.vbs
Modifies Windows Registry to make sure it runs during every boot
Overwrites music and image files and copies itself… adds .vbs extension
Searches for mIRC
Tries to send HTML file across IRC channels
File has prompt to download an ActiveX control
ILOVEYOU Worm (cont.)
HTML file sent through IRC
Preventative Measures
Education, Education, Education!
Users need to be aware of common worm tactics (social engineering)
Updates
Make sure software is updated regularly
IMPORTANT – OS updates regularly!
Patches
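A technical control to go with user education, as an added example that is not part of the original slides: a name check for mail attachments or files on disk that flags the double-extension disguise (LOVE-LETTER-FOR-YOU.TXT.vbs) and the two dropped copies named above. The function names and the two extension lists are assumptions made for illustration.

```python
import ntpath

# Extensions Windows will execute as scripts/programs (assumed, not exhaustive).
RISKY_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".scr", ".exe"}
# Extensions a reader takes for a harmless document or media file (assumed).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".mp3", ".xls", ".ppt", ".zip"}
# Names the slides give for the copies ILOVEYOU writes to disk.
DROPPED_NAMES = {"win32dll.vbs", "mskernel32.vbs"}


def normalize(name):
    """Strip any path, then trailing dots/spaces (Windows ignores them)."""
    return ntpath.basename(name).rstrip(" .").lower()


def classify(name):
    """Return the list of findings for one attachment or file name."""
    clean = normalize(name)
    # Padding such as "a.txt      .vbs" hides the real extension; strip it.
    exts = ["." + part.strip() for part in clean.split(".")[1:]]
    findings = []
    if clean in DROPPED_NAMES:
        findings.append("known-dropped-name")
    if exts and exts[-1] in RISKY_EXTS:
        findings.append("script-extension")
        if any(ext in DECOY_EXTS for ext in exts[:-1]):
            findings.append("double-extension")
    return findings


def scan(names):
    """Map each flagged name to its findings; clean names are omitted."""
    flagged = {}
    for name in names:
        findings = classify(name)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    # Constructed sample; the first three names are the ones on the slides.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", r"C:\WINDOWS\Win32DLL.vbs",
              "MSKernel32.vbs", "song.mp3.vbs", "notes.txt      .vbs", "report.pdf"]
    for name, findings in scan(sample).items():
        print(f"{name!r}: {', '.join(findings)}")
```

The "song.mp3.vbs" case matches the slide's point that overwritten music and image files gain a .vbs extension, so the same check works as an on-disk indicator after the fact.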
Any Questions?