sign in sign up
<<
Home , Code Red (computer worm), Computer virus, Computer worm, Creeper (program), Happy99, Kak worm

Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com Malicious Computer Worms and : A Survey

1B. Rajesh, 2P. Praveen Yadav and 3C. V. Chakradhar, 1,2,3Assistant Professor , Department of Computer Science and Engineering, G. Pulla Reddy Engineering College,Kurnool, Andhra Pradesh, India.

Abstract—Now a day‟s computer worms and viruses are controllers by Bob Thomas in 1971. this worm program would playing major role in the destruction of computer world. notify air traffic controllers when the controls of a plane Computer worms and viruses drawing attention of kinds of moved from on computer to another. This worm named computer users with their malicious intentions. They can attack “” would travel from one computer screen to another any one‟s computer like computer scientist, computer pioneers, on the network showing the message “iamreeper! Catch me if and computer inventers. Computer worms and viruses can do a you can! “The difference from most worms was that this lot of damage in research area of computer science and creeper did not reproduce itself. information technology and also on networking. to understand The first infection that required no human intervention the adverse impacts posed by computer worms and virsues it is to propagate was the , discovered in 1988 and necessary to understand the classes of computer worms and released by Robert Morris. It spread very quickly, infecting a viruses. This survey explains about computer worms and their number of vulnerable computers in a matter of hours. The inception, lifecycle, history, timeline. Classification of Morris Worm infected various machines and also used Computer Worms based on scanning and also based on their multiple exploits including buffer overflows, debugging behavior, life cycle of Computer worms and viruses. routines in mail components, sniffing, and other Keywords— Computer Worms Computer viruses. streams of execution to improve its ability to attack other computers. Although released on accident, the benign concept I. INTRODUCTION doesn‟t really apply tothe Morris Worm, as ithad a significant is a self-replicating . It uses amount of impact because of the bug in its code. When re a network to send copies of itself to other nodes i.e., computers infecting a computer, there remained the possibility that the on the network and it may do so without any user involvement. new infection would be persistent, allowing other worms to Viruses are need to be attached to the system files belongs to run and terribly impact system performance. However, this the it requires some kind of user action to caused the worm to be noticed instantly, and therefore, quickly assist their propagation. contained. Modern Worms: Active computer worms have returned to prominence in recent times. The first one to cause Computer is a piece of code which is capable of copying an eruption was . This infection proved how quickly itself and typically has a detrimental effect, such as corrupting a simple self-replicating program could spread via the the system or destroying data. Viruses tends to propagate more internet‟s current infrastructure. Code Red exploited a buffer slowly They also have more mature defenses due to the flow condition in the IIS (Internet Information presence of a large -virus industry that actively seeks to Server). It was able to propagate quickly because of the identify and control their spread. Unlike a virus computer “always on” nature of IIS and many versions of the Windows worms does not need to attach itself to an existing program. operating system. Code Red was also equipped with scanning Computer worms almost and always cause harm to the capabilities that improved its throughput and gave it the ability network if only by consuming bandwidth where as viruses to elude numerous IP address security features. almost always corrupt or modify files on a target computer. Computer worms are hated because they consumes more IV. LIFE OF COMPUTER WORM Bandwidth and also they might computers if they are Once the worm enters in any one of the host computer. The life infected with computer worms. Infected computers may also of the worm contain the following phases .they are used for other attacks such as DDos, attacks etc.. Computer worms are one of along with viruses A. Scanning for a victim and Trojans. A person typically installs worms by B. Exploiting the victim inadvertently opening an attachment or message that C. contains scripts. Once installed on a computer, D. Cloning itself onto the victim worms spontaneously generate additional email messages E. Stealth techniques used to hide itself. containing copies of the worm. They may also open TCP ports to create networks security holes for other applications, and they may attempt to "flood" the LAN with spurious Denial of Service (DoS) data transmissions II. DEFINITION OF COMPUTER WORM Definition1: Computer worms are malicious applications designed to spread via computer networks. Definition2: A computer worm is a evil-intentioned program that can replicate and run itself. III. BRIEF HISTORY OF COMPUTER WORM

The first ever program that could be called a Worm, as per Fig. 1: Figure indicates the life of a malicious computer definition, was developed for the assistance of air traffic worms

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 16 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com Once the worm is created the intruder sends it in to the V. CLASSIFICATION OF COMPUTER WORMS network. Once the worm is released into the network it will A. Classification based on behavior first searches for a vulnerable host i.e., victim. If victim is found it will exploit in to the victim host and then it clones  Stealth worms:This worm doesn‟t spread in a rapid itself onto the victim. fashion but instead they spread in a stealthy. They are very difficult to detect. This process will continues to spread the worm to entire  Polymorph worms:To make the signature based network without any human intervention. detection more complicated these worms can change themselves during the propagation.  File worms:These worms are modified version of viruses but unlike viruses this worms does not connect their presence with any executable files. They simply copy their code to some other disk or directory hoping that these new copies will someday be executed by the user. Fig. 2: Figure indicates spreading of a malicious computer  Multi- worms:This type of worms use worms different type of propagation methods in order to make more vulnerable for attack and effectively A. Scanning for a victim. propagate behind firewalls. Scanning for a victim means target discovery. It represents  Email worms:Email themselves to other email the mechanism by which discovers a new target to infect. addresses and make the user execute scanning requires searching a set of addresses to identify emailAttachments with malicious code or use bugs in vulnerable hosts. Two simple form of scanning are sequential the email programs to get attachments executed scanning and random scanning. The other from of scanning automatically. include full scan, subnet scan, divide and conquer scan. B. Classification based on scanning scanning worms spread comparatively slowly compared with a number of other spreading techniques, but when coupled  Random scanning:Random Scanning worm will with automatic activation, they can still spread very quickly in generate a random IP addresses using a absolute terms. pseudorandom number generator. Thus every host on the network is equally likely to be scanned. CodeRed B. Exploiting the victim. v2 and SQL Slammer are the random scanning worms. Exploiting the victim means gaining access on the victim  Localized scanning:Localized scanning is a simple computer. A small piece of code provides access to a victim technique used by computer worms to search for the computer by utilizing some flaws in the logic of a program vulnerable hosts. Localized scanning trades off running on the victim computer. Gaining the access means the between the local and the global search of vulnerable ability to run commands/programs on the host computer. hosts and has been used by Code Red II and worms C. Payload.  Sequential scanning:Sequential scanning worms‟ During this phase the worm can create backdoors in the scans IP addresses sequentially. After the worm host machine, alter or destroy files, transmit , or compromises a vulnerable host, it checks the host leave copies of itself. Worms use operating system facilities next to this vulnerable host. worm employed that are often automatic and invisible to the users. Often, worm sequential scanning. activity remains invisible until their uncontrolled replication  Topological scanning: Topological scanning worms consumes system resources; worm‟s attacks include slowing or rely on the local information contained in the halting the system, denial of services by flooding the network compromised hosts to locate new targets. Local with useless packets. Worms can also sends sensitive information includes /etc/hosts file, email addresses information to cause confusion, collect sensitive data, or etc. Topological scanning was used by Morris worm. damage data in the host machine.  Hit list scanning: The worm writer gathers a list of potentially vulnerable hosts beforehand, which are D. Cloning itself on to the victim. targeted first when the worm is released. This speeds Once the victim has been exploited the worm needs to get a up the spread of the worm at an initial stage. Hit list copy of itself on the victim. Once the copies of itself are scanning was used by Slammer worm. created they will be spread to another targeted host computer. VI. TIMELINE OF COMPUTER WORMS This process will continues in each host, until the entire host computers in the network are attacked with the worms. Year Worm Name Worm Description 1971 Creeper Author: Bob Thomas at E. Stealth techniques used to hide itself. BBN Technologies Worms uses some stealth techniques to hide itself on the host The Creeper virus, an machine when ever any antivirus programs are running on that experimental self- machine. Worms can also hide the process running on the replicating program, machine. Worms can also hide the user files and also it can Creeper infected DEC delete the logs. PDP-10 computers running the TENEX operating

system. Creeper gained access via the ARPANET and copied itself to the

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 17 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com remote system where the 1999 First found inJanuary 20 It message, "I'm the creeper, invisibly attaches itself to catch me if you can!" was , displays fireworks displayed. The to hide the changes being program was later created made, and wishes the user to delete Creeper. a happy New Year.It 1974 Wabbit The Wabbit virus, more a modifies system files bomb than a virus, is related to written. The Wabbit virus and (IE) makes multiple copies of on and itself on a single computer . (and was named "Wabbit" First found in March 26, for the speed at which it 1999, using holes in did so) until it clogs the , Melissa system, reducing system shut down Internet mail performance, before finally systems that got clogged reaching a threshold and with infected e-mails crashing the computer. propagating from the 1975 Animal Author: John Walker for worm. Once executed the the UNIVAC 1108. original version of Melissa Animal asked a number of used a virus to questions to the user in an spread to the first 50 attempt to guess the type of addresses in the user‟s animal that the user was Outlook address book. thinking of, while the However, if Internet access related program or Outlook were not PERVADE would create a available, it would copy copy of itself and itself to other word ANIMAL in every documents and attempt to directory to which the E-mail those documents, current user had access. It Revealing potentially spread across the multi- confidential information. user UNIVACs when users Further, it would modify with overlapping existing documents by permissions discovered the inserting quotes from the game, and to other Simpson‟s television show. computers when tapes were (Henry, 2003) shared. The program was carefully written to avoid Estimated damage: $1.1 damage to existing file or billion. directory structure, and not ExploreZip First found in June 6 to copy itself if TheExploreZip worm, permissions did not exist or which destroys Microsoft if damage could result. Its Office documents, was first spread was therefore halted detected. by an OS upgrade which First found in December 30 changed the format of the The Kak worm is a file status tables that JavaScript computer worm PERVADE used for safe that spread itself by copying. Though non- exploiting a bug in Outlook malicious, "Pervading Express. Animal" represents the first Trojan "in the wild". 2001 “Anna Kournikova First appearing in February 1988 Morris worm Author: Robert Tappan Virus" 2001 it was produced by a Morris “scrip kiddie,” and is well The Morris worm infects known only for its social DEC VAX and Sun engineering attachment machines running BSD that appeared to be a UNIX connected to the graphic image of Russian Internet, and becomes the tennis star Anna first worm to spread Kournikova. However, extensively "in the wild", when the file was opened, and one of the first well- a clandestine code known programs exploiting extension enabled the buffer overrun worm to copy itself to the vulnerabilities. Windows directory and

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 18 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com then send the file as an previous worms, but its attachment to all addresses advanced features and its listed in your Microsoft different means of Outlook e-mail address propagation which book. The "Anna included from client to Kournikova Virus" worm client via email, from client although famous was just a to client via open network nuisance as it did little to shares, from to no damage client via browsing of Estimated damage: compromised web sites, $166,827 from client to web server 2001 Code Red First found on July 13, via active scanning for and 2001 this worm exploited exploitation of various vulnerability in Microsoft's Microsoft IIS Internet Information Server vulnerabilities, and from (IIS) web servers to deface client to web server via the host‟s website, and scanning for the back doors copy the command.com left behind by the "Code file and rename it root.exe Red II" and "sadmind/IIS" in the Web server‟s worms, allowed it to spread publicly accessible scripts faster than any preceding directory. This would worm. NIMDA also the provide complete first worm that contained command line control to its own Email program so anyone who knew the Web it did not depend on the server had been host‟s E-mail program to compromised. It also propagate. waited 20-27 days after it Estimated damage:$645 was installed to launch million denial of service attacks First appearing in October against the White House‟s 26, 2001 Klez, and it IP address. Code Red variants were still spread at a speed that considered a problem late overwhelmed network in 2003, making Klez one administrators as more than of the most persistent 359,000 servers became viruses ever. Klez was a compromised in just over hybrid worm that took 14 hours. At its peak, more advantage of a flaw in than 2,000 servers were Outlook that allowed it to being compromised every be installed simply by single minute. Estimates viewing the E-mail in the are that Code Red preview panel. As a hybrid compromised more than it could behave like a 750,000 servers. (Henry, virus, a worm and at other 2003) times even like a Trojan Estimated damage: $2.6 horse. Klez also billion incorporated a technique Sircam First found on July 19, we saw in the Christmas 2001 this mass mailing E- Exec worm as it selected mail worm not only one Email address from the exploited Microsoft‟s host‟s address book to use Outlook program it had the as the “from” address, then ability of spreading sending the worm to all the through Windows Network other addresses. In this shares. The worm had two manner, the E-mail often deadly payloads, but due to appeared to have been sent a program error they did from someone the not work. addressee actually knew. Estimated damage: $1.03 Estimated damage: $18.9 billion billion NIMDA First appearing in 2003 SQL Slammer Appearing January 25, September 2001, NIMDA, 2003, and taking advantage which is admin spelled of two backwards was not as bugs in Microsoft's SQL malicious in nature as Server product, it

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 19 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com spread rapidly, with a billion doubling time of 8.5 2004 Appearing January 26, seconds in the early phases 2004 and primarily of the attack allowing it to transmitted via E-mail to infecting most of its appear as a transmission victims within 10 minutes. error, Mydoom‟s rapid SQL Slammer was the first spread becomes the fastest example of a "Warhol spreading email worm worm." A ever. It slowed overall was first hypothesized in Internet performance by 2002 in a paper by about 10%, and average Nicholas Weaver, and it is web page load times by an extremely rapidly about 50%. propagating computer Estimated damage: $38.5 worm that spreads as fast billion as physically possible, infecting all vulnerable Witty Appearing March 19, 2004, machines on the entire the Witty worm was the Internet in 15 minutes or fastest developed worm to less. The term is based on date as there was only 36 Andy Warhol's remark that hours between the release "In the future, Everybody of the advisory to the will have 15 minutes of release of the virus. Witty fame.” (Computer Worm, infected the entire exposed 2005) population of twelve thousand machines in 45 Estimated damage: $1.2 minutes, and it was the first billion. widespread worm that Originally put together in destroyed the hosts it January 2003 to spread a infected (by randomly proxy server Trojan, its erasing a section of the variant Sobig.F set a record hard drive) without in sheer volume of e-mails. significantly slowing the Sobig like Nimda used a worm's expansion. built-in SMTP engine so it Estimated damage: $11 did not depend on the million host‟s E-mail program to Appearing on April 30, propagate. Then emulating 2004 and spreading by Klez, it selected one E-mail exploiting a buffer address from the host‟s overflow in the component address book to use as the known as LSASS, (Local “from” address, then Security Authority sending the worm to all the Subsystem Service) it hit other addresses. It also the Internet a little more attempted to create a copy than two weeks after of itself on network shares, Microsoft warned users of but failed due to bugs in this flaw. Although it the code. caused infected Windows Estimated damage:$36.1 XP and billion computers to repeatedly Blaster Appearing August 11, , Sasser did little 2003 Blaster exploited a damage, as was merely Microsoft DCOM RPC designed to spread and vulnerability to infect carried no payload. systems running Windows Estimated damage: $14.8 2000 and Windows XP, billion and cause instability on 2005 Zotob is a computer worm systems running Windows which exploits security NT, and Windows Server vulnerabilities in Microsoft 2003. Filtering of operating systems like virus activity by Internet Windows 2000, including service providers (ISPs) the MS05-039 plug-and- worldwide greatly reduced play vulnerability. This the spread of Blaster. worm has been known to Estimated damage: $1.3 spread on Microsoft-ds or TCP port 445."The Zotob

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 20 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com worm and several compromised computer as variations of it, known as well as hijack search Rbot.cbq, SDBot.bzh and queries to display Zotob.d, infected advertisements. It was first computers at companies detected in December 2008 such as ABC, CNN, The and a more potent version Associated Press, The New appeared in March 2009. A York Times, and study by the Information Caterpillar Inc." Warfare Monitor, a Estimated damage: jointcollaboration from $97,000 SecDev Group and the 2006 Nyxem The Nyxem worm was Citizen Lab in the discovered. It spread by MunkSchool of Global mass-mailing. Its payload, Affairs at the University which activates on the third Toronto, has revealed that of every month, starting on the operators of this February 3, attempts to scheme have generated disable security-related and over $2 million in revenue file sharing software, and from June 2009 to June destroy files of certain 2010. types, such as Microsoft 2009 Daprosy Worm Daprosy Worm is a Office files malicious computer 2007 Storm The is a program that spreads via that LAN connections, affects computers using spammed e-mails and USB Microsoft operating mass storage devices. systems, discovered on Infection comes from a January 17, 2007. The single read1st.exe file worm is also known as: where several dozens of Troj/Dorf and Mal/Dorf clones are created at once () bearing the names of Trojan.DL.Tibs.Gen!Pac13 compromised folders. The [3] most obvious symptom of Trojan.Downloader-647 Daprosy infection is the Trojan.Peacomm presence of Classified.exe (Symantec) or Do not open - 2008 Koobface worm targets secrets!.exe files from users of the social infected folders. The worm networking websites belongs to the “slow” mass , MySpace, , mailer category where , and copies of which are . Koobface is attached and sent to designed to infect addresses intercepted from and the keyboard. The e-mail Mac OS X, but also works consists of a promotion of on in a limited and installation instruction fashion. Koobface for an imaginary antivirus ultimately attempts, upon product purported to successful infection, to remove unknown gather information infections from the for FTP sites, Facebook, computer. While infection and other social media cannot occur until attached platforms, but not any worm is renamed and sensitive financial data. It opened, it could spread to then uses compromised system folders in a matter computers to build a peer- of seconds! Also, it is to-peer . A known to shutdown or compromised computer hang and contacts other when its compromised computers to attempt to write on the receive commands in a system drive is denied. peer-to-peer fashion. The Also, the worm hides botnet is used to install folders and makes them additional pay-per-install "super hidden" so that data malware on the contained in them cannot

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 21 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com be easily accessed. bot is also designed to 2010 First found in June 17 infect HTML pages with Stuxnet, a Windows inline frames ([HTML Trojan, was detected. It is element#Frames|[iframes]] the first worm to attack ), causing redirections, SCADA systems.[55] blocking victims from There are suggestions that getting updates from it was designed to target security/antimalware Iranian nuclear products, and killing those facilities.[56] It uses a services. The bot is valid certificate from designed to connect via a Realtek. predefined IRC channel and communicate with a 2011 Summer Summer The Morto worm remote botnet. attempts to propagate itself to additional computers via 2013 worm W32.Welchia.Worm is a the Microsoft Windows worm that exploits multiple vulnerabilities, including: (RDP). Morto spreads by The DCOM RPC forcing infected systems to vulnerability (first scan for Windows servers described in Microsoft allowing RDP login. Once Security Bulletin MS03- Morto finds an RDP- 026) using TCP port 135. accessible system, it The worm specifically attempts to log into a targets Windows XP domain or local system machines using this account named exploit. Users are 'Administrator' using a recommended to this number of common vulnerability by applying passwords. A detailed Microsoft Security Bulletin overview of how the worm MS03-039. The WebDav works—along with the vulnerability (described in password dictionary Morto Microsoft Security Bulletin uses—was done by MS03-007) using TCP port Imperva. 80. The worm specifically targets machines running Duqu First found in September 1 Microsoft IIS 5.0 using this Duqu is a worm thought to exploit. As coded in this be related to the Stuxnet worm, this exploit will worm. The Laboratory of impact Windows 2000 Cryptography and System systems and may impact Security (CrySyS Lab)[64] Windows NT/XP systems. of the Budapest University of Technology and 2014 Win32. Win32.IRCBot is a Economics in Hungary IRCBot backdoor computer worm discovered the threat, that is spread through analysed the malware, and MSN Messenger and wrote a 60-page report Windows Live Messenger. naming the threat Duqu. Once installed on a PC, Duqu gets its name from the worm copies itself into the prefix "~DQ" it gives a Windows system folder, to the names of files it creates a new file creates. displayed as “Windows 2012 NGRBot First found in September Genuine Advantage 20NGRBot is a worm that Validation Notification” uses the IRC network for and becomes part of the file transfer, sending and computer‟s automatic receiving commands startup.[2] In addition, it between network attempts to send itself to machines and the attacker‟s all MSN contacts by IRC server, and monitoring offering an attachment and controlling network named „photos.zip‟. connectivity and intercept. Executing this file will It employs a user-mode install the worm onto the technique to hide local PC. The and steal its victim‟s Win32.IRCBot worm information. This family of provides a backdoor server

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 22 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com and allows a remote website. This is to trick the intruder to gain access and user into thinking they had control over the computer entered the wrong via an Internet Relay Chat information and proceed channel. This allows for as normal, although now confidential information to Tinba has captured the be transmitted to a . credentials and sent them 2015 BASHLITE The Bashlite malware is to its host. leaked leading to a First found on September, massive spike in DDoS 2016. attacks. Mirai creates headlines by Linux.Wifatch Linux.Wifatch is revealed launching some of the to the general public. It is most powerful and found to attempt to secure disruptive DDoS attacks devices from other more seen to date by infecting malicious malware the Internet of Things. 2016 RansomwareLocky First found in February, Mirai ends up being used 2016. in the DDoS attack on 20 RansomwareLocky with September 2016 on the its over 60 derivatives Krebs on Security site spread throughout Europe which reached 620 Gbit/s. and infected several ArsTechnica also reported million computers. At the a 1 Tbit/s attack on French height of the spread over web host OVH. On 21 five thousand computers October 2016 multiple per hour were infected in major DDoS attacks in Germany alone. Although DNS services of DNS was not a new service provider Dyn thing at the time, occurred using Mirai insufficient cyber security malware installed on a as well as a lack of large number of IoT standards in IT was devices, resulting in the responsible for the high inaccessibility of several number of infections. high-profile websites such Unfortunately even up to as GitHub, Twitter, date antivirus and internet Reddit, Netflix, Airbnb security software was and many others.The unable to protect systems attribution of the attack to from early versions of the Mirai botnet was Locky. originally reported by BackConnect Inc., a Tiny Banker Trojan Found in February, 2016 security firm. (Tinba) Tiny Banker Trojan 2017 First found on May, 2017. (Tinba) makes headlines. WannaCryransomw are attack Since its discovery, it has The been found to have WannaCryransomware infected more than two attack spreads globally. dozen major banking Exploits revealed in the institutions in the United NSA hacking toolkit leak States, including TD Bank, of late 2016 were used to Chase, HSBC, Wells enable the propagation of Fargo, PNC and Bank of the malware. Shortly after America. Tiny Banker the news of the infections Trojan uses HTTP broke online, a UK injection to force the user's cybersecurity researcher in computer to believe that it collaboration with others is on the bank's website. found and activated a "kill This spoof page will look switch" hidden within the and function just as the ransomware, effectively real one. The user then halting the initial wave of enters their information to its global propagation. The log on, at which point next day, researchers Tinba can launch the bank announced that they had webpage's "incorrect login found new variants of the information" return, and malware without the kill redirect the user to the real switch.

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 23 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com Petya First found on june, 2017. [4] ”Timeline of Computer Worms and Viruses “ [online] The Petya (malware) Availableat http://en.wikipedia.org/wiki/Timeline_of_ attack spreads globally computer_viruses_and_worms. affecting Windows [5] CraigFosnock,”Computer Worms: Past, Present, and systems. Researchers at Future”- East Carolina University, Published in 2005 Symantec reveal that this [6] Pankaj Kohli, “Worms - survey and propagation”MS by ransomware uses the Research - Computer Science and Engineering EternalBlue exploit, International Institute of Information Technology similar to the one used in Hyderabad, India [online] Available at the WannaCryransomware http://www.pank4j.com/research/worms.pdf attack [7] Simon Byers, Aviel Rubin, and David Xafecopy First found on September, Kormann.Defending against internet-based attack on the 2017. physical world, http://www.avirubin.com/ scripted.attacks.pdf. The Xafecopy Trojan [8] Modern Worms [online] Available at attack 47 countries http://www.spamlaws.com/history-of-worms.html. affecting only android [9] MChristodorescu “Static analysis of to detect operating systems. malicious patterns” Proceedings of the 12th conference on Kaspersky Lab identified 2003. [online] Available at portal.acm.org it as a malware from the [10] Moriss Worm “history of computer worms [online] Ubsod family, stealing Available at http://www.spamlaws.com/history-of- money through click based worms. WAP billing systems. [11] Phases of Computer Worm Nicholas Weaver, Vern Kedi RAT First found on September, Paxson, Stuarts Staniford, Robert Cunningham, “A 2017. Taxonomy of Computer Worms” First Workshop on A new variety of RAT Rapid Malcode (WORM), 2003. Trojan, Kedi RAT [12] Puja Bajaj, Arjun Guha Roy, Department of Computer (Remote Access Trojan) Science St. Cloud State University, St. Cloud MN 56301, distributed in a Spear Classification based on behavior. Phishing Campaign. The attack targeted Citrix users. The Trojan was able to evade usual system scanners. Kedi Trojan has all characteristics of a common Remote Access Trojan and it could communicate to its Command and Control center via gmail using common HTML, HTTP protocols

CONCLUSION In this paper, the study on how the computer worms are came in to this world and how they evolved and how much amount of damage they have caused to the networks and their lifestyle, classification, code analysis are done. By summarizing this work it will clear that, they are very dangerous. We can also understand that computer worms have caused a massive damage to the computer world. References

[1] Sarah H. Sellke, Ness B. Shroff, SaurabhBagchi, Modeling and Automated Containment of Worms”, Journal IEEE Transaction on Secure and Dependable Computing, Vol 5, No 2, Published on April-June 2008. [2] Cliff Changchun Zou, Weibo Gong, Don Towsley, “Code red worm propagation modeling and analysis” Conference on Computer and Communications Security, Proceedings of the 9th ACM conference on Computer and communications security [3] Nicholas Weaver, Vern Paxson, Stuarts Staniford, Robert Cunningham, “A Taxonomy of Computer Worms” First Workshop on Rapid Malcode (WORM), 2003.

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 24 | P a g e Special Issue Published in International Journal of Trend in Research and Development (IJTRD), ISSN: 2394-9333, www.ijtrd.com

National Conference on Recent Innovations in Engineering and Technology (RIET -2017) organized by G Pullaiah College of Engineering & Technology, Kurnool, Andhra Pradesh on 15th & 16th Dec-17 25 | P a g e