Worm evolution
Later, worms quickly fell into two categories. Some camouflage themselves as interesting e-mail attachments. When such an attachment is opened, the worm executes, spreading itself in a burst of email. Then the programs can infect systems and mail themselves to every name listed in the computer's address book.
The Christmas Tree virus was perhaps the first worm on a worldwide network, spreading across BITNET--an IBM-only precursor to the Internet--in December 1987. Many of today's worms, such as Melissa, LoveLetter and AnnaKournikova, take a page from the Christmas Tree book.
Other worms need no human interaction, infecting computers that have certain security flaws and then using the new host to scan for more computers with the same flaw.
These worms are modeled after the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student.
Two recent worms, W95/Bymer and the Linux Ramen worm, can spread to other computers without any person's interaction. And worms are getting trickier with each incarnation.
Hybris uses encrypted plug-ins to update itself and monitors the infected computer's network connection to find e-mail addresses to which it can send itself. The Linux Ramen worm, formed of several hacking tools, spreads much like the Cornell Internet Worm by taking advantage of holes in servers.
New viruses worming into PCs
W95/Bymer spread by finding unprotected shared drives on Windows computers. Once it infected a computer, it would run a distributed computing client to take part in a contest hosted by Distributed.net to break an encryption code. A second variant entered the contest as a different user, and the two worms would fight over computer systems.
Such tricks will become standard fare as toolkit writers incorporate these tactics into the latest worm generator application. At least one author of such a program, [K]alamar, the 18-year-old Argentinian programmer who created the VBS Worm Generator, hopes that others will learn from his toolkit.
"I've made that tools coz i've learned to code," he said in a recent email to CNET News.com. "...and i want other people to learn like me."
[K]alamar refused to remove the tool from his site, despite the spread of the AnnaKournikova worm, and has since released a second version of the program. Previously, another virus writer--who also used the name Kalamar and had the tool on his site--claimed to be the author of the code.
Toolkits such as [K]alamar's are a long tradition in the virus-exchange, or VX, underground. As a result, techniques for creating the latest worms are quickly being passed between writers.
Another factor: Many worms are written in one of several scripting languages, which can be read by even semi-knowledgeable virus writers and changed to release variants mere hours after a major virus epidemic. Virus writers latched onto LoveLetter, for example, which struck in May 2000, and have cranked out more than 40 variants to date.
