20

In spite of various online articles, I'm a bit unclear on the distinction between a "worm" and a "virus".

Two related questions--

  1. Is there a useful and clear distinction here or no? If so, what is it?
  2. If there is a meaningful distinction, are virus scanners just as effective for defending against worms as they are for viruses in general? or are there other policies and safeguards not included in virus scanners that are useful to employ for defending against worms specifically?
dalimama
  • 1,065
  • 1
  • 11
  • 21
DuckMaestro
  • 301
  • 2
  • 5
  • 3
    In the old days a virus was a malicious programs that infected program files on disk to inject their own code. Worms, however, exploited network services such as email-servers, database-servers or web-servers or communication ways such as email-attachments. Nowadays, however, many people use virus and worms as summary term for all kinds of malicious software and "trojan" as a term for malicious remote administration tools. While I try to stick to the original terms, one need to be aware of the meaning assumed by many people. – Hendrik Brummermann Dec 01 '11 at 09:47

6 Answers6

24

The difference is mostly a matter of historical tradition.

Biologically, a virus is a piece of RNA. RNA is an intermediary vessel for genetic code, which temporarily duplicates a piece of the DNA (the permanent storage of genetic information in a cell). RNA then goes through some "engines" which can duplicate it and/or convert it into proteins (genetic code is really blueprints for proteins). Proteins are the active molecules which do all the work to keep a cell "alive". The virus is sufficiently small to enter some cells, where it hijacks the replicator engine, which makes other copies of the virus, by which the attack spreads. The adverse effect of the virus comes from the fact that while the replicator is busy with photocopying the virus, it does not process the "normal" RNA which comes from the cell's own genetic code. Protein production is thus slowed down or stopped altogether, and the cell ceases to function properly (or at all). Effects on the host body depend on what kind of cells are affected, and how much it hijacks the replicators. So the virus is not a living organism by itself (the question of whether a virus can be considered to be "alive" is hotly debated, and not very meaningful in the same time).

On the other hand, a worm is a fully-defined pluricellular organism, which does not interact in any way with the host genetic code and mechanism; the worm just sits there and feeds on local cells. The worm is quite definitely alive and distinct from the host, which, from the worm point of view, is mostly home and feeding ground. The worm also replicates itself, but since this is a living organism, such replication is called "reproduction".

In computers, some software pieces are called "virus" and "worm" as an analogy which, like all analogies, breaks down when you looked at it too closely. The "replicator engine" alluded to above, is considered as somehow equivalent to normal program execution. Under normal operational conditions, computers execute programs by reading executable files into memory, and ordering the CPU to consider that data as a sequence of instructions which are to be interpreted right away. A computer virus is a piece of code which hijacks normal execution by inserting its own code somewhere in that sequence of instructions. The analogy stops there, because while a biological virus just uses an RNA replication mechanism which is already in place and totally genuine, the computer virus must do its own replication, i.e. looking for other executable files to copy its own code in them. A virus may be harmful through this replication mechanism, depending on whether its forceful insertion in executable files damages them or not (a careful virus will move around the original instructions so that they still get executed; a careless virus replaces the original instructions, thus affecting the executable primary functionality). A virus may also be harmful by doing other tasks than mere replication (that's the "payload" and it can be quite nasty).

A computer worm is a piece of software which, when executed, tries to replicate itself through the network. The worm uses a few known security holes to force remote machines to execute some arbitrary code, and in the case of a worm, that arbitrary code is the worm code itself. So we have the traditional distinction: a virus replicates itself by modifying executable files (found, by essence, "locally") while a worm replicates itself through network-exploitable security holes. However, a worm which runs on a given machine will often, beyond its replication-through-network job, take steps to become "permanent", so that it will run again regularly, even if the host machine is rebooted. Permanency is achieved by inserting the worm code into some executable files; so, most worms are also virus.

This leads us to a second definition: a worm is a virus which can also replicate itself through a network, using remotely exploitable security holes, whereas a plain virus is limited to executable files.

Virus and worms where thus named because when such things began to be common place (around 1985-1990, when home computers became widespread and used floppy disks, and Internet exceeded a few hundred hosts), program execution on a basic computer was not happening "by itself": the user had to type something or click on something to launch a new executable. So the spread of a virus could be paused by getting your hands off the keyboard, whereas a worm had the seemingly magical property of happening by itself. Nowadays, the most basic PC will spawn hundreds of new processes transparently, many of them on an automatic and regular basis, so a virus will also replicate in a seemingly autonomous way, blurring the operational distinction between virus and worm.

The Trojan Horse is a big hollow wooden horse filled with ill-intentioned Greek warriors, and happens not to be Trojan at all -- it was Achaean, built against the Trojans. The cornerstone of the story (as reported in the Odyssey) is that the Trojans pulled the horse within the walls of Troy themselves, a military feat which the Achaeans had unsuccessfully tried to achieve for the ten preceding years. In computers, the expression "Trojan Horse" was applied to the case of a malicious executable which a target user launches himself consciously, lured by some advertised seemingly benign functionality of the executable. Trojans believed that the horse was an offering to the gods of the sea, hence imbued with religious and esthetic goodies.

So, what of a piece of software which, when executed, finds local executable files to copy itself, and also sends itself by email to random other people under a cunning guise ("this is your tax form, fill it ASAP or you will get fined"; or "have a peek at this screensaver full of photos of Natalie Portman"), to lure them into clicking on the attached executable file, thereby executing its contents ?

This is a virus, since it copies itself into local executable files. This is a worm, since it replicates itself through the network (the remotely exploitable hole being the combination of the user, who has little awareness of security issues, and his mail reader application, which happily runs executable files with only the flimsiest of guardrails). This is a Trojan Horse since it exploits user gullibility and lures him into launching malicious code.

Hence, the distinction between virus, worm and Trojan Horse is not absolute and has become quite fuzzy in recent years. The terminology does not offer practical information anymore.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 1
    "_Biologically, a virus is a piece of RNA._" or DNA. – curiousguy Dec 02 '11 at 12:13
  • 5
    @curiousguy - Not really. The distinction might be subtle, but translates to huge differences in how (or more precisely -where) they work. RNA uses _ribose_ whereas DNA _deoxyribose_ (thus the name). DNA has a base pair _adenine-thymine_, RNA has _adenine-uracil_. RNA is also a single-stranded molecule, and DNA is double-stranded. In reproduction, DNA is usually too big to exit cell walls, while RNA isn't. These are some essential differences between the two, but one could also argue that RNA is a function of DNA, since DNA needs to split to RNA to form a new DNA. I'm highly simplifying BTW ;) – TildalWave Apr 19 '13 at 08:51
  • "Worms's permanency is achieved by inserting the worm code into some executable files". Not true. A worm typically exists as an independent executable with misleading names and runs as independent processes. It achieves persistence by changing the registry. In contrast, a virus inserts itself into executables or documents (Macro virus) and is not independent (i.e., self-contained) – Infinite Jan 20 '17 at 03:00
6

The term "virus" in a computer context has evolved significantly in the past several decades primarily due to a lack of understanding of exactly what type of code it represents.

Strictly speaking, a "virus" is a piece of executable code that is attached (usually prepended) to an existing program. When the program is executed, the virus code executes first, then it runs the "host" executable once the virus is loaded into memory and capable of performing its own work in the background. A virus replicates by modifying the other executable on the same machine to to also contain the virus code. Generally, viruses will also modify any executable that pass through the machine's control, such as whenever a removable disk is mounted. An executable with the virus code attached is considered "infected", and "anti-virus" programs were created to detect common virus patterns and "disinfect" programs by removing the virus code.

A true virus is a significantly more difficult to write than simpler forms of malware, such as "trojan horses" (a much more common form of malware). However, since viruses once represented such a troublesome threat to computing security, and since the "anti-virus" industry was developed to deal with specifically that threat, it has become common to refer to almost all malware as a "virus".

Here's a quick rundown of the malware taxonomy:

  • virus: Malicious code fragment attached to a "host" executable which replicates by attaching itself to other executables.
  • trojan horse: Malicious program which spreads by appearing to be something innocent, such as a game or a document. A trojan horse must be actively acquired and executed by the user.
  • worm: Malicious code which replicates automatically itself over a network. Worms generally exploit some flaw or weakness in an existing piece of software such as a web server or email client.
TRiG
  • 609
  • 5
  • 14
tylerl
  • 82,225
  • 25
  • 148
  • 226
  • "_Strictly speaking, a "virus" is a piece of executable code that is attached (usually prepended) to an existing program._" so a boot sector virus is not a virus? – curiousguy Dec 02 '11 at 19:47
  • @curiousguy - boot-sector code could be installed by a virus, a worm, a trojan -- just about anything. In a sense it could be considered a virus that uses the computer startup as its host rather than an application. – tylerl Dec 02 '11 at 23:47
  • @curiousguy the boot sector counts as an existing program, surely? – Graham Hill Nov 20 '12 at 11:23
  • @GrahamHill An existing boot loader certainly counts as an existing program. What about a boot "virus" that installs itself on a floppy disk that was not bootable? – curiousguy Jan 23 '13 at 18:07
3

I have never seen any authoritative definition of these terms, probably because there is no authority that defines these things.

However, as I understand it, the fundamental difference between viruses and worms is that a virus requires a human to execute the program whereas a worm will exploit a flaw in another program in order to execute itself. Apart from that, there is no other distinction between them.

Wikipedia comes to the same conclusion. (Also separately on the Virus and Worm pages.)

That said, "common usage" rarely conforms to strict definitions, so outside of the security community there is even less distinction. Many people consider it "hacking" when they post humorous messages on their friends Facebook accounts that have been left logged in and unattended.

To answer your second question, most virus scanners actually scan for "Malware" without much distinction between Viruses, Worms, Spyware, Ransomware, Trojan horses, Rootkits, Keyloggers and even sometimes useful security tools. This is a policy decision and not a technical one.

Ladadadada
  • 5,163
  • 1
  • 24
  • 41
1
  • Virus and Worms are malwares(malicious software programs).

  • Virus spread from one machine to another via physical contact(USB) or sharing(e-mails), replicates itself by modifying other computer programs and inserting its own code. It is same like biological virus, it require living hosts — such as people, plants or animals.

  • Worms burrow from one machine to another across a network to spread itself. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Premraj
  • 131
  • 4
-1

Virus and worm both are malicious software. Virus need a host program to propagate, virus is a depended program. worm doesn't need any host program to propagate, worm is a independent program. virus and worm both are replicating software, when executed, may produce one or more copies of itself to be activated later on the same system or some other system.

-3

Worms are programs that spread from one machine to another, infecting thousands of computer. However, a virus is a malicious program that will do harm to the victim's computer in some way.

A virus program can be a worm, means it spreads to thousands of systems in the network and affect them maliciously.

So, it is just like a property of some malicious program. There is no specific group by which we can bifurcate these two categories of programs.

And so far I know, an antivirus program can detect both virus and a worm equally.

whitehat
  • 543
  • 1
  • 5
  • 7