Email Worms
Spreading goes via infected email messages. Any form of attachment or link in an email may contain a link to an infected website. In the first case activation starts when the user clicks on the attachment while in the second case the activation starts when clicking the link in the email.
Known methods to spread are:
- MS Outlook services
- Direct connection to SMTP servers using their own SMTP API
- Windows MAPI functions
This type of worms is known to harvest an infected computer for email addresses from different sources.
- Windows Address Book database [WAB]
- MS Outlook address book
- Files with appropriate extensions will be scanned for email like strings
Be aware that during spreading some worms construct new sender addresses based on possible names combined with common domain names. So, the sender address in the email doesn't need to be the originator of the email.
Instant Messaging Worms
The spreading used is via instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these and email worms is the way chosen to send the links.
Internet Worms
Nasty ones. These ones will scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. Attempt will be made to connect to these machines and gain full access to them.
Another way is that the worms scan the Internet for machines still open for exploitation i.e. not patched. Data packets or requests will be send which install the worm or a worm downloader. If succeeded the worm will execute and there it goes again!
IRC Worms
Chat channels are the main target and the same infection/spreading method is used as above - sending infected files or links to infected websites. Infected file sending is less effective as the recipient needs to confirm receipt, save the file and open it before infection will take place.
File-sharing Networks Worms
Copies itself into a shared folder, most likely located on the local machine. The worm will place a copy of itself in a shared folder under a harmless name. Now the worm is ready for download via the P2P network and spreading of the infected file will continue.