Malware spotlight: What are worms?

October 15, 2019 by Greg Belding


Worms are a particularly virulent type of malware that has been around since the 1980s and has been wreaking havoc on infected systems ever since. Some believe that viruses and worms are the same thing, but this could not be less true: in fact, it is the differences between the two that make worms a unique, dangerous type of malware.

This article will detail what worms are and how they operate and will examine the different types of worms afflicting systems worldwide. 

A little about worms

Worms belong to a self-replicating category of malware that can search for computers on local area networks (LANs) and wireless networks to deliver a malicious payload or perform a programmed task. Common examples of these tasks include deleting files and stealing information. A common attack point for worms is vulnerabilities that exist in operating systems. All the more motivation to keep your system updated!

Some have classified worms as viruses, but this view ignores a major difference between the two: a virus requires user input (activation) to perform its programmed task, and a worm does not. This ability to function without user input makes worms a potentially much more dangerous threat than viruses, because a virus can lie dormant for a long time if the application it is attached to is not run often, or the user input required is rarely performed.

What’s especially interesting about worms is how they have evolved over time. The first worm to spread over the internet is known as the Morris worm. Invented by Robert Morris, this worm’s sole goal was to spread. It did not perform any other tasks, nor did it have a payload to inflict upon infected systems. 

The first recorded worm that carried a payload was called Witty, and it focused on attacking a specific manufacturer’s firewall and information security products. Since then, payload-delivering worms have been the norm instead of the exception.

Worm life cycle (or lack thereof)

Unlike viruses, worms do not have an easily quantifiable life cycle. This is because worms act independently of the actions of third parties. As a system becomes infected, the worm will replicate, find other computers on the infected computer’s network, and perform its programmed task. This process can be completed in such a short amount of time that there is no life cycle to speak of, aside from infection, replication and spreading throughout the network.

Different types of worms

There are several different types of worms in use today, each having their own method of infecting a target system. 

Email worms

As the name suggests, email worms infect target systems by using the email client of said system. Email worms initiate their infections either by way of an infected email attachment that infects the system when the file is downloaded and opened, or by a malicious link that will infect the system when clicked.

A landmark instance of email worms afflicting the information security landscape was the ILOVEYOU worm. Launched in 2000, this worm had infected millions of systems by the time it ran its course.

Internet-based worms

Another well-represented worm in existence is the internet-based worm. This type is not picked up via web browsing; instead, it spreads when an infected system scans the internet for vulnerable machines that it can infect. 

This type of worm takes advantage of systems that have not received recent security and operating system updates. By focusing on vulnerabilities that have been recently fixed, all the worm needs to do is locate a computer that has not installed these updates. Many users not updating means many potential targets and many headaches spread around.
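The scanning behaviour described above is also what makes this type of worm detectable: one source contacting many distinct hosts on the same port in a short time, with most attempts failing. The following is an added example, not part of the original article; the flow-record layout, function names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

def make_sample_flows():
    """Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port, connected)."""
    flows = []
    # 10.0.0.23 sweeps 40 addresses on TCP/445 in under 20 seconds; most attempts fail.
    for i in range(40):
        flows.append((1000 + i * 0.5, "10.0.0.23", f"10.0.1.{i + 1}", 445, i % 10 == 0))
    # 10.0.0.7 talks repeatedly to a single file server (normal traffic).
    for i in range(30):
        flows.append((1000 + i * 2, "10.0.0.7", "10.0.0.5", 445, True))
    # 10.0.0.9 visits a handful of web servers (normal traffic).
    for i in range(5):
        flows.append((1005 + i * 3, "10.0.0.9", f"203.0.113.{i + 10}", 443, True))
    return flows

def find_scanners(flows, window=60, min_targets=25, min_fail_ratio=0.5):
    """Return {(src, port): (distinct_targets, fail_ratio)} for sources whose
    fan-out inside any sliding `window` seconds crosses both thresholds."""
    by_key = defaultdict(list)
    for ts, src, dst, port, ok in sorted(flows):
        by_key[(src, port)].append((ts, dst, ok))
    alerts = {}
    for key, events in by_key.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            targets = {dst for _, dst, _ in span}
            fail_ratio = sum(1 for _, _, ok in span if not ok) / len(span)
            if len(targets) >= min_targets and fail_ratio >= min_fail_ratio:
                # Keep the widest fan-out seen for this source and port.
                if key not in alerts or len(targets) > alerts[key][0]:
                    alerts[key] = (len(targets), round(fail_ratio, 2))
    return alerts

if __name__ == "__main__":
    for (src, port), (count, ratio) in find_scanners(make_sample_flows()).items():
        print(f"possible worm scanning: {src} -> {count} hosts on port {port}, "
              f"{ratio:.0%} failed")
```

Requiring a high failure ratio as well as a high fan-out keeps busy but legitimate clients, such as the file-server and web traffic in the sample, from being flagged.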

Bot worms

Bot worms are a nasty type of worm that infects a system and then turns it into an unwitting bot or zombie. The infected system is then used in conjunction with other infected systems to form botnets. Botnets are used by attackers to launch large-scale, coordinated attacks.

File-sharing network worms

Despite their attractive, easy access to valuable files, file-sharing networks have a glaring security weakness: you really don’t know what you are downloading. Remember that blockbuster film that you just downloaded for free? It may contain one of these worms.

This type of worm uses downloads just like these to enter your system, after which the system will be subject to whatever malicious actions the worm is programmed to do (along with copious self-replication, of course).

Chat room and instant message worms

This type of worm is similar to the email worm in that it will use the user’s chat room contact list or instant messenger to send out messages containing malicious links. These links will send you to a malicious website laden with worms in its code or may simply download the worm itself. 

This type of worm has some downsides associated with it (from the attacker’s perspective): it requires user input by way of accepting the message or clicking the infected link, and the worm will only be able to access the contact lists of the respective infected chat room or instant messenger.


Worms do indeed operate similarly to viruses in that they self-replicate and will perform a programmed task toward a malicious end. However, they are a different breed unto themselves. Viruses suffer from the capability limitation of required user input, while worms can perform their programmed tasks and move from computer to computer, without any user input at all. This minor difference in programming makes worms a more formidable information security foe and a more serious threat overall. 

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.