Re: What is the difference between a worm and a trojan ?

From: FromTheRafters (!0000_at_nomad.fake)
Date: 06/04/04 

Date: Fri, 4 Jun 2004 00:31:40 -0400

"Jay T. Blocksom" <not.deliverable+USENET@appropriate-tech.net> wrote in message
news:3laub09ko0av27dpo99jd29naj3152l8ru@news.rcn.com...
> [Bogus "Newsgroups:" and "Followup-to:" fixed]
>
> On Wed, 19 May 2004 01:31:55 +0200, in <alt.privacy.spyware>,
> pmeister2@lycos.com (Peter Meister) wrote:
> >
> > Ok, I know the difference between a virus and a trojan. But what is the
> > difference between a worm and a trojan?
> [snip]
>
> Given your second sentence, I don't have a lot of faith in the first one.

:O)

> However...
>
> > Is the one a subset of the other type or are they completele different ?
> >
> > Peter
>
> The terms have become somewhat muddied, both through widespread sloppy usage
> and the fact that a great many malicious programs exhibit characteristics of
> at least two (sometimes all three) of these particular types of malware.

Right on!

> In short, a "trojan" is any program which masquerades as something
> substantively different from what it really is -- typically, but not
> necessarily, for nefarious purposes. The key here is that, like the Trojan
> Horse of Greek mythology, trojans generally depend on tricking the user into
> believing the disguise, and thus naively accepting the threat. A closely
> related topic is "Social Engineering".
>
> Both worms and virii are similar, to the extent that they (attempt to)
> propagate themselves from one host to the next. Usually, this occurs with
> little user intervention; but if it is literally *no* user intervention, it is
> best described as a "worm". Also, a pure worm is generally only a threat for
> the duration it is permitted to execute, and it's sole (or at least primary)
> deleterious effect is the traffic it generates while propagating itself (cf.,
> the original ARPAnet worm
> <http://sise.ttu.ee/it/vorgutarkvara/itv0010/timeline/tcm.org/html/history/detail/1988-worm.html>).
>
> OTOH, a "virus" is distinguished by its ability to semi-permanently *infect* a
> host system, which will then in turn attempt to infect other systems, etc., ad
> infinitum. If re-booting the system will clear the parasite, it is not a
> virus (tho' it may still be a worm, and/or a trojan).

That's a pretty good assessment, but lacks the look of a defintion. I cant
really disagree with any of those points - ecept possibly part of the last.

I'm not quite sure what you mean by the rebooting. A worm file can
still insinuate itself into the startup axis without "infecting" a program.
Rebooting in this case won't clear the parasite because it has installed.

The best definitons I have seen so far are the ones in VirusL/Comp.viruss
FAQ

http://www.faqs.org/faqs/computer-virus/faq/

But one should be careful not to confuse the defintions with the amplifying
information provided by the author(s). The "bare bones" of it is (as I see it):

=============================================
"A computer VIRUS is a self-replicating program containing code that
explicitly copies itself and that can "infect" other programs by
modifying them or their environment such that a call to an infected
program implies a call to a possibly evolved copy of the virus."

"A computer WORM is a self-contained program (or set of programs), that
is able to spread functional copies of itself or its segments to other
computer systems."

"A TROJAN HORSE is a program that does something undocumented that the
programmer intended, but that some users would not approve of if they
knew about it."
=============================================

...and as you say, they are *not* mutually exclusive terms.

Relevant Pages

  • RE: New "concept" virus/worm?
    ... The W32.Nimda.A@mm worm infects IIS servers by exploiting the 'MS IIS/PWS ... opening the attachment will infect the machine. ... The virus comes at a time of heightened sensitivity to Internet attack. ...
    (Incidents)
  • RE: New "concept" virus/worm?
    ... The W32.Nimda.A@mm worm infects IIS servers by exploiting the 'MS IIS/PWS ... opening the attachment will infect the machine. ... The virus comes at a time of heightened sensitivity to Internet attack. ...
    (Vuln-Dev)
  • Oxygen3 24h-365d [Weekly virus report - 10/26/03]
    ... Lohack.C spreads via e-mail and across network drives. ... this worm tries to trick users by referring to the Spanish Information ... The fourth malicious code in today's report is a Trojan called Sdbot.N. ... Vix.A is a virus with worm characteristics that infects PE files ...
    (microsoft.public.security.virus)
  • virus, worm, trojan definitions (was: Re: Virus attacking Mac OS X found)
    ... a virus is a self-replicating ... A computer worm is a self-replicating computer program, ... In the context of computer software, a Trojan horse is a malicious ... execute a command to do anything; ...
    (comp.sys.mac.system)
  • Re: What is the difference between a worm and a trojan ?
    ... I know the difference between a virus and a trojan. ... | the difference between a worm and a trojan? ... Worm, Trojan horse, virus. ...
    (microsoft.public.security)