A worm is a program that duplicates itself from one directory, drive, computer or network to another. Most worms send themselves through e-mail and many have mass-mailing functions, which allow them to mail themselves to every address in a particular mailbox. Another popular method of transmission for worms is through Local Area Networks. A few can even come through instant messangers.

Unlike a virus a worm is a self-contained program and does not need to attach itself to an executable files, though some worms have a viral component that infects files. As they are executable programs, they can become infected with viruses and all "descendants" of that copy of the worm maybe infected with the virus and have the ability to infect files on other computers that they spread to when they are run.


As with viruses, worms come in many types. The most common method of categorization is how they spread. Some worms may have more than one method of spreading.

Email Worms

Email worms spread through email messages. Essentially, an email message with an attachment arrives in a mailbox and when the user downloads and executes that attachment, the worm creates a new email message with a copy of itself attached and mails itself to one or more other email addresses. Some email worms such as [[Nimda]] can run by themselves without any intervention from the user, and may even infect the computer from the preview pane. Details like the alleged sender, subject, message, attachment name and file type, payload (if any), and method of finding email addresses to send itself to can be radically different.

There is some speculation that Email Worms may soon go the way of the boot sector virus, as average users become more wise and follow safer email handling practices, in addition to the move by criminals to more targeted botnets. New email worms became increasingly rare in the second half of the 2000's to nearly non-existent today. However, one occasionally appears and becomes virulent, as was the case of the Imsolk worm of 2010.

Internet Worms

Internet worms spread directly over the Internet. The worm searches for open ports on the Internet and sends itself to other systems. Most of the major worms exploit known vulnerabilities to spread. Some consider these worms to be the only "true" worms, as they require absolutely no user intervention to spread. Morris, Slammer, CodeRed, Blaster and Sasser are a few examples of prominent internet worms.

Network Worms

Network worms spread over network shares. Usually a network worm is also an email, Internet or other type of worm, as it would not spread very far if it were restricted to a local network. Some network worms do manage to make it surprisingly far, such as Stuxnet, though given its purpose was probably planted deliberately in several places. Some experimental proof of concept worms may be restricted to a particular network to prevent their escape from a lab, such as the Xerox PARC worms and Inqtana. Others are classified as network worms because they spread through one particular networking protocol, like the Symbian Caribe worm that spreads through Bluetooth.

Other Types

IRC (Internet Relay Chat), IM (Instant Message), P2P (Peer-to-Peer file sharing) and other types of worms typically require that one have a client for the particular activity that allows the worm to spread through one's computer. Spybot was known to spread by Peer-to-peer file-sharing networks and Oompa spread through instant message.

Multiple Vector Worms

Multiple vector worms have two or more ways of spreading to other computers. Nimda and Swen are examples of worms that use many different ways of infecting computers. Worms that have more than one way of spreading are extremely common.


Glossary, Symantec.com

John Leyden. The Register, The strange death of the mass mailing virus. 2004.12.09

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License