Viruses and Worms – CompTIA Security+ SY0-501 – 1.1

Viruses and worms are some of the most prevalent malware infestations. In this video, you’ll learn the differences between a virus and a worm, and I’ll demonstrate how worms are able to copy themselves between systems without human intervention.


Computer viruses are named after human viruses, which are able to propagate themselves from person to person. A computer virus can propagate itself from device to device. It doesn’t necessarily need you to click anything, but it does need a program to run or execute on your computer to be able to use that replication function. It can also replicate through file systems, and it can replicate through the network. Simply having an infected executable on your system may be enough for it to find its way onto other systems on your network.

A virus that’s running on your computer may not necessarily be the end of the world. It might not be a really bad virus. It may be performing a very simple function that doesn’t bother anything else that’s running on your computer. Some viruses are simply invisible. You can’t really see that they’re running on your computer at all. While others may provide annoying pop-ups and make themselves very obvious on your computer.

This is why many of our systems run anti-virus software, which checks to make sure that none of these known viruses are executing inside of your computer. If one does try to execute, the anti-virus software stops it immediately and quarantines it in a separate part of your storage device. It’s because of these viruses that we run anti-virus software on our computers. And since there are thousands of new viruses discovered every week, we have to make sure that we maintain the signature list that’s in our anti-virus software. That way, if a virus does try to execute on your computer, the anti-virus software will recognize it and stop it before it installs itself onto your computer.
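To make the signature idea concrete, here is a toy signature-based scanner with a quarantine step. It is an added illustration and is not code from the video or from any anti-virus product: the "malware" is a harmless constructed marker string, the signature list is constructed for the example, and the hash and byte-pattern signature types are simply the two most common forms a signature list takes. The variant file that differs by one byte shows why a stale signature list misses new variants.

```python
"""Toy signature-based scanner with quarantine (added illustration, not a real AV).

Known-bad content is identified two ways, mirroring how signature lists work:
  * exact SHA-256 hash of a known sample, and
  * a byte pattern that survives small changes to the file.
Anything that matches is moved into a quarantine directory instead of being
left where it could execute. The "malware" here is a harmless constructed
marker string, not real malicious code.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Optional

# Constructed signature list. A real product ships many thousands of these and
# updates them continuously; a stale list misses new variants.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-A: not a real virus\n"
SIGNATURES = {
    "hash": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Sample.A (exact hash)"},
    "pattern": {b"CONSTRUCTED-SAMPLE-B": "Sample.B (byte pattern)"},
}


def match_signatures(data: bytes, signatures: dict) -> Optional[str]:
    """Return the name of the signature that matches `data`, or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures["hash"]:
        return signatures["hash"][digest]
    for pattern, name in signatures["pattern"].items():
        if pattern in data:
            return name
    return None


def scan_and_quarantine(scan_dir: str, quarantine_dir: str, signatures: dict) -> dict:
    """Scan every regular file in scan_dir; move matches into quarantine_dir.

    Returns {filename: signature name} for the files that were quarantined.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    quarantined = {}
    for name in sorted(os.listdir(scan_dir)):
        path = os.path.join(scan_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        hit = match_signatures(data, signatures)
        if hit:
            # Moving (rather than deleting) preserves the sample for analysis
            # while taking it out of any location it could run from.
            shutil.move(path, os.path.join(quarantine_dir, name + ".quarantined"))
            quarantined[name] = hit
    return quarantined


def demo() -> dict:
    """Build a scratch directory of constructed files, scan it, and report.

    Returns the quarantine results and the names of the files left behind.
    """
    root = tempfile.mkdtemp()
    scan_dir = os.path.join(root, "downloads")
    os.makedirs(scan_dir)
    files = {
        "report.txt": b"quarterly numbers, nothing unusual\n",
        "sample_a.exe": KNOWN_SAMPLE,                                  # exact hash match
        "sample_a_variant.exe": KNOWN_SAMPLE.replace(b"A", b"A2", 1),  # one edit defeats the hash
        "sample_b.scr": b"padding...CONSTRUCTED-SAMPLE-B...padding",   # pattern still matches
    }
    for name, content in files.items():
        with open(os.path.join(scan_dir, name), "wb") as fh:
            fh.write(content)
    hits = scan_and_quarantine(scan_dir, os.path.join(root, "quarantine"), SIGNATURES)
    remaining = sorted(os.listdir(scan_dir))
    shutil.rmtree(root)
    return {"quarantined": hits, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Running the demo quarantines the known sample and the pattern-matched file, but the one-byte variant slips through untouched, which is exactly the gap that regular signature updates are meant to close.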

There are many different kinds of viruses. Probably the most well-known viruses are those that are attached to or associated with an application. We run the application, and in running that application, we also run the virus itself. Some viruses are installed as part of the boot sector. These don’t even need your operating system to function, because they live inside the boot sector itself, and you have to inoculate the boot sector to remove the virus.

Some viruses run as scripts, either as part of the operating system or inside of your browser. Still other viruses are macros that may be associated with a spreadsheet or word processing application. One type of virus that can be very damaging is a worm.

A worm is a type of virus that can move itself between systems. It doesn’t need any type of human intervention, and it can use the network that’s already in place to move from one computer to another. Because of this, worms propagate and spread very quickly, not only in the local area but worldwide. As you can imagine, because these worms move so quickly, it’s difficult to contain them once they begin propagating; they can take over your systems extremely quickly. If there is a vulnerability that affects a large number of systems, many of those systems can be infected very, very quickly, before you have any chance to remove the worm from the network.

If the worm is one that’s already well known, you may be able to filter it with a next-generation firewall or intrusion prevention system. Those signature-based systems can filter out these worms so they won’t pass through any of those important security components. Here are the steps that take place for a worm to propagate throughout the network.

This is an example of the WannaCry worm, which is also called the WannaCrypt worm because it encrypted the data that was on our computers. It starts with a computer that’s already infected and already has the WannaCrypt worm running on it. This device then looks over the network to try to find another system that has exactly the same kind of vulnerability it can use to get embedded.

This particular worm took advantage of a vulnerability in Microsoft’s SMB version 1. Server Message Block is the protocol used to transfer files with Microsoft Windows, so the worm affected a large number of Windows systems.

Once it goes over the network and finds a device that is susceptible to this particular vulnerability, it exploits that system, in this case with a third-party utility called EternalBlue, and installs a back door. That backdoor software reaches out to the mothership and downloads the latest version of WannaCry, and now we have another system that is infected.

The process begins again by finding a vulnerable system. The back door is installed. The software is downloaded. And another system becomes encrypted. And this worm was able to operate throughout the internet without any type of user intervention, hopping from one computer to another, and trying to find as many devices as possible to encrypt the data running on those systems.
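The propagation loop just described has a network-visible side effect that defenders can watch for: one host opening connections to many distinct neighbours on the same service port (here TCP/445, the SMB port) in a short time. The following detection logic, an added example that is not part of the video, flags that fan-out pattern over constructed flow records. The log format, addresses, window and threshold are all assumptions made for the example; a real deployment would read the firewall or flow collector’s own format and tune the threshold to the environment.

```python
"""Worm fan-out detection over constructed connection logs (added example).

A worm that hunts for vulnerable hosts produces a tell-tale pattern: one
source opening connections to many distinct destinations on the same service
port in a short time. This flags sources that touch at least THRESHOLD
distinct destinations on TCP/445 (SMB) within WINDOW_SECONDS. The log lines
below are constructed for the example and follow no particular vendor format.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 60   # assumed sliding-window length
THRESHOLD = 5         # assumed distinct-destination count that triggers an alert
WATCHED_PORT = 445    # SMB

# Constructed flow records: "<epoch> <src> <dst> <dport> <action>"
# 10.0.0.21 is an ordinary client talking to two file servers.
# 10.0.0.77 touches six different hosts on port 445 within five seconds.
# 10.0.0.42 fans out on port 443 and is ignored unless that port is watched.
SAMPLE_LOG = """\
1000 10.0.0.21 10.0.0.5 445 allow
1005 10.0.0.21 10.0.0.6 445 allow
1900 10.0.0.21 10.0.0.5 445 allow
1200 10.0.0.77 10.0.0.10 445 allow
1201 10.0.0.77 10.0.0.11 445 deny
1202 10.0.0.77 10.0.0.12 445 allow
1203 10.0.0.77 10.0.0.13 445 deny
1204 10.0.0.77 10.0.0.14 445 allow
1205 10.0.0.77 10.0.0.15 445 deny
1300 10.0.0.42 10.0.0.80 443 allow
1301 10.0.0.42 10.0.0.81 443 allow
1302 10.0.0.42 10.0.0.82 443 allow
1303 10.0.0.42 10.0.0.83 443 allow
1304 10.0.0.42 10.0.0.84 443 allow
1305 10.0.0.42 10.0.0.85 443 allow
"""


def parse_log(text: str) -> List[Tuple[int, str, str, int]]:
    """Parse lines into (timestamp, src, dst, dport); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            records.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def detect_fanout(records, port=WATCHED_PORT, window=WINDOW_SECONDS,
                  threshold=THRESHOLD) -> Dict[str, int]:
    """Return {src: peak distinct-destination count} for sources at or above threshold.

    Allowed and denied attempts both count: a scan that the firewall blocks
    still reveals which host is doing the scanning.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Sliding window: for each event, count distinct dsts in [start, start + window)
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start >= window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in detect_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} distinct SMB destinations within {WINDOW_SECONDS}s")
```

On the constructed log only 10.0.0.77 is flagged. Counting denied connections as well as allowed ones matters: the worm in the video probes for vulnerable hosts before it can infect them, so the probing itself is the earliest signal, and a host that is being blocked by the firewall is still worth isolating.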