
What Is a Computer Worm: Types, Examples and Removal

What a computer worm is, how it differs from viruses and trojans, the main types, real examples (Morris, ILOVEYOU, Conficker, WannaCry, NotPetya) and defence.

Secra, May 10, 2026, 11 min read

A computer worm is malware that spreads on its own between systems, without user action, by exploiting network vulnerabilities. It also takes advantage of weak configurations or trust relationships already established between systems. The key difference from a virus is that a virus needs a host file and a human action to spread; a worm moves on its own. The difference from a trojan is that the trojan disguises itself as legitimate software and depends on the victim executing it; the worm exploits vulnerabilities to enter.

This guide explains what a computer worm actually is, the six types that appear in forensic investigations (network, email, instant messaging, IRC, P2P, mobile), the precise differences from viruses and trojans, historical examples any security lead should know (Morris, ILOVEYOU, Code Red, Slammer, Conficker, Stuxnet, WannaCry, NotPetya), how they get detected and how to eradicate them in a compromised network.

What a computer worm is

A worm is a self-replicating malicious program that moves between systems via network mechanisms. The three defining properties:

  1. Self-replication. The worm copies itself onto every system it infects and from there hunts the next.
  2. Autonomous propagation. Doesn't wait for the user. Takes advantage of network connectivity or already established trust relationships.
  3. Optional payload. Can be destructive (encrypting, deleting), espionage, backdoor installation or simply resource consumption through propagation speed.

What it gives the attacker:

  • Scale. An initial infection reaches thousands or millions of systems in hours.
  • Penetration into internal networks unreachable from outside, once the worm secures the first foothold.
  • Anonymity. The damage concentrates on the victim without needing directed C2 initially.
  • Cover for other attacks. WannaCry and NotPetya combined worm and ransomware, elevating both.

What limits it:

  • High visibility. Anomalous network activity triggers alerts relatively fast in any organisation with minimum monitoring.
  • Dependency on patchable vulnerabilities. The patch closes the door.
  • Fast ecosystem reaction. Microsoft, mainstream Linux and vendors push critical patches within hours of a massively exploitable vulnerability.

Worm types

Six main variants appear in recent forensic reports and classic literature.

Network worm

Exploits vulnerabilities in network-exposed services to enter the system without user interaction. Classic vector against SMB, RDP, RPC, misconfigured SSH or vulnerable web services. Paradigmatic cases: Code Red (2001, IIS), SQL Slammer (2003, SQL Server), Conficker (2008, Windows RPC), WannaCry (2017, EternalBlue against SMBv1).

The most dangerous family because propagation is fully automatic: no human clicks anything.

Email worm

Distributes as an attachment. When the user opens the attachment or the mail client processes it in a vulnerable way, the worm executes and sends copies to the user's address book. Classic cases: ILOVEYOU (2000), Melissa (1999), Mydoom (2004).

Less common vector in 2026 due to modern email defences (attachment sandboxing, macro blocking), but still works against environments without those protections or with lax configurations.

Instant messaging / social network worm

Spreads via IM clients, WhatsApp Web, Telegram, Skype, Discord or social networks. Takes advantage of active sessions to send links to contacts. Cases: Skype.D, Facebook Messenger worms circa 2016-2018. A growing vector in 2024-2026 with SaaS collaboration platforms.

IRC worm

Historical. Self-replicating IRC bots that spread through open channels. Today reduced to residual cases but still present in specific niche networks.

P2P worm

Distributes with attractive filenames on P2P networks (BitTorrent, eMule in its time, IPFS networks today). The user downloads what they think is a legitimate program, pirate software or media content. It's a transitional vector between worm and trojan: requires user execution, but spreads because each victim serves the file to the next.

Mobile worm

Designed for Android or iOS. Takes advantage of vulnerabilities in MMS services, Bluetooth or, in specific Android supply chains, vulnerabilities of the system itself. Cases: Cabir (2004, first Bluetooth worm on Symbian), Stagefright (2015, MMS Android), Pegasus (2016-2024, state-sponsored mobile worm against iOS and Android, mixing worm + advanced spyware).

Worm vs virus vs trojan

Common confusions worth clearing up.

  • Virus. Needs a host file and human action to spread. Classic example: macro virus in an Office document. The worm needs neither host nor action.
  • Trojan. Malicious software disguised as legitimate that the user runs voluntarily. Doesn't spread on its own. Example: fake Notion installer. Detail in what is a trojan.
  • Worm. Spreads by exploiting vulnerabilities or weak configurations. No human action.

In modern practice, the categories blur. WannaCry is ransomware with worm propagation. NotPetya is a wiper with a worm. Emotet started as a trojan and added SMB lateral propagation. The classic taxonomy is still useful to understand the entry vector and movement pattern, not as airtight boxes.

Essential historical examples

Cases any security lead should know because the concepts still apply.

Morris Worm (1988). The first Internet worm. Robert Tappan Morris, a Cornell student, released a program exploiting vulnerabilities in sendmail, fingerd and rsh on Unix machines connected to ARPANET. Due to a design error, it replicated multiple times on each host and consumed resources. It infected around 10% of connected machines (about 6,000 systems at the time). Morris was the first conviction under the US Computer Fraud and Abuse Act.

ILOVEYOU (2000). Visual Basic Script worm distributed via email with subject "ILOVEYOU". The attachment LOVE-LETTER-FOR-YOU.txt.vbs executed on opening, overwrote files with its own code and forwarded itself to the Outlook address book. Estimated damages in the billions of dollars globally. Served as a wake-up call about macros in email clients.

Code Red (2001). Network worm that exploited a buffer overflow in Microsoft IIS. Infected hundreds of thousands of servers in hours and defaced websites with the "Hacked by Chinese" message. Estimated damage of one billion dollars in cleanup and response.

SQL Slammer (2003). Probably the fastest worm in history: 376 bytes of code propagating via a single UDP packet against unpatched MS SQL Server installations. Doubled the number of infected machines every 8.5 seconds in the first minutes. Took down part of the Internet and banking services in the US and Asia.

Conficker (2008-2009). Worm against Windows that exploited MS08-067. Infected between 9 and 15 million machines at peak. Notable for its DGA (domain generation algorithm) mechanism for C2 and its persistence: variants kept appearing years later. Forced response coordination between Microsoft, ICANN and TLD registrars.

Stuxnet (2010). State-sponsored worm (attributed to NSA and Unit 8200 of Israel) against uranium centrifuges in Natanz, Iran. Combined four 0-days, two stolen signing certificates, USB propagation to reach air-gapped networks and a specific payload against Siemens S7 controllers. Marked the start of offensive cyberwar with sophisticated malware against industrial infrastructure.

WannaCry (2017). Ransomware with worm propagation via EternalBlue (NSA exploit leaked by Shadow Brokers against SMBv1). Encrypted systems in 150 countries, including the UK NHS, Telefónica Spain, Renault, FedEx. Estimated damage $4 billion. Stopped when a researcher (MalwareTech) registered a domain acting as a kill switch.

NotPetya (2017). Disguised as ransomware but designed as a wiper (irreversible encryption). Propagated via a compromised M.E.Doc (Ukrainian tax software) updater and then laterally with EternalBlue, EternalRomance and credential theft with Mimikatz. Maersk, Merck, FedEx, Mondelez, WPP and others suffered collective damage above $10 billion. Attributed to Russian actors.

How they get detected

The fronts covered by a modern defensive team.

EDR/XDR with behavioural detection. Patterns that trigger alerts: unknown process scanning ports on other hosts, anomalous outbound SMB connections, mass file writes, execution of known exploits. Detail in what is an EDR.

NDR (Network Detection and Response). Public Sigma rules for Conficker, WannaCry, anomalous SMB propagation, lateral scanning.

SIEM with correlation. Detects unusual traffic spikes between hosts, authentication failure spikes, atypical process executions. Detail in what is a SIEM.

Vulnerability management. Updated inventory with CVE prioritisation. Detect vulnerable versions before a worm exploits them. Detail in what is a CVE.

Honeypots. Fake network services (Dionaea for SMB, Cowrie for SSH) that detect scans and exploitation attempts by worms before they reach real systems.

Proactive threat hunting on IoCs derived from known campaigns and propagation patterns. Detail in threat hunting.
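The behavioural patterns listed above (one host fanning out to many peers on SMB/RPC/RDP ports, a spike of failed logons from one source) can be expressed as a simple sliding-window correlation. The following is an added example for this article, not Secra's code nor any EDR or SIEM product's rule set; the log line formats ("timestamp src dst dport action" for connections, "timestamp src user result" for logons), the port list and the thresholds are assumptions, and the sample log lines are constructed.

```python
"""Worm-style lateral movement detection over connection and logon logs.

Added example for this article, not Secra's code or any product's rule set.
Assumed log formats: connection lines 'timestamp src dst dport action',
logon lines 'timestamp src user result'. Sample lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Services a network worm typically probes while moving laterally (RPC, NetBIOS, SMB, RDP).
LATERAL_PORTS = {135, 139, 445, 3389}
WINDOW_SECONDS = 60        # trailing window in which fan-out is counted
FANOUT_THRESHOLD = 10      # distinct destination hosts per source inside the window
AUTH_FAIL_THRESHOLD = 8    # failed logons per source inside the window


def parse_conn(line):
    """Parse one connection line; return None for malformed input instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return datetime.fromisoformat(ts), src, dst, int(dport), action
    except ValueError:
        return None


def parse_auth(line):
    """Parse one logon line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, user, result = parts
    try:
        return datetime.fromisoformat(ts), src, user, result
    except ValueError:
        return None


def sliding_distinct(events, window, threshold):
    """events: (timestamp, key, value) tuples. Per key, count distinct values inside a
    trailing window of `window` seconds; return {key: peak count} for keys whose peak
    reached `threshold`. A chatty pair (one src, one dst) never trips it on its own."""
    per_key = defaultdict(deque)
    alerts = {}
    for ts, key, value in sorted(events, key=lambda e: e[0]):
        q = per_key[key]
        q.append((ts, value))
        while (ts - q[0][0]).total_seconds() > window:   # expire old entries
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def detect_fanout(conn_lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Sources reaching many distinct hosts on lateral ports within a short window."""
    events = []
    for rec in map(parse_conn, conn_lines):
        if rec and rec[3] in LATERAL_PORTS:
            ts, src, dst, _, _ = rec
            events.append((ts, src, dst))
    return sliding_distinct(events, window, threshold)


def detect_auth_spike(auth_lines, window=WINDOW_SECONDS, threshold=AUTH_FAIL_THRESHOLD):
    """Sources accumulating many failed logons within a short window."""
    events = []
    for rec in map(parse_auth, auth_lines):
        if rec and rec[3] == "FAIL":
            ts, src, user, _ = rec
            events.append((ts, src, (ts, user)))   # each failure counts once
    return sliding_distinct(events, window, threshold)


# Constructed sample data: 10.0.1.5 behaves like a worm, the others are normal noise.
SAMPLE_CONN_LINES = (
    [f"2026-05-10T09:00:{i:02d} 10.0.1.5 10.0.1.{20 + i} 445 allow" for i in range(15)]
    + [f"2026-05-10T09:00:{i:02d} 10.0.2.7 10.0.1.50 445 allow" for i in range(20)]  # backup job
    + ["2026-05-10T09:05:00 10.0.9.2 10.0.1.60 3389 allow",   # admin RDP, spread over an hour
       "2026-05-10T09:30:00 10.0.9.2 10.0.1.61 3389 allow",
       "2026-05-10T10:00:00 10.0.9.2 10.0.1.62 3389 allow",
       "2026-05-10T09:00:03 10.0.1.5 198.51.100.7 443 allow",   # web traffic, ignored
       "garbage"]                                               # malformed, dropped
)
SAMPLE_AUTH_LINES = (
    [f"2026-05-10T09:00:{i:02d} 10.0.1.5 user{i:02d} FAIL" for i in range(10)]
    + ["2026-05-10T09:00:30 10.0.9.2 admin FAIL",
       "2026-05-10T09:00:35 10.0.9.2 admin FAIL",
       "2026-05-10T09:00:40 10.0.9.2 admin OK"]
)


def run_detection():
    """Run both detectors over the constructed samples."""
    return {"lateral_fanout": detect_fanout(SAMPLE_CONN_LINES),
            "auth_failure_spike": detect_auth_spike(SAMPLE_AUTH_LINES)}


if __name__ == "__main__":
    print(run_detection())
```

The two detectors share one window function, so tuning is a matter of thresholds: a backup server hitting the same share thousands of times never counts as fan-out because only distinct destinations are counted, while an administrator touching three hosts over an hour stays below the window threshold. In a real SIEM the same logic maps to a count-distinct aggregation keyed on source address.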

How to eradicate

A live worm in a corporate network requires coordinated IR response.

  1. Network isolation. Segment and disconnect compromised VLANs to halt propagation.
  2. Initial vector identification. Forensic analysis of the patient zero system to understand which vulnerability it exploits and what it leaves open on the network.
  3. Massive patching. Deployment of patches that close the vector. If the worm uses a 0-day, apply temporary mitigations (firewall rules, disabling the service).
  4. Per-host cleanup. Clean OS reinstall on compromised hosts. In-place cleanup is rarely defensible if the worm has modified the system deeply.
  5. Credential rotation. If the worm has touched credentials (Mimikatz, LSASS dumping), massive rotation of privileged accounts and Kerberos keys. Detail in Kerberos attacks.
  6. Restoration from clean backups if there's data corruption. Validate that backups aren't compromised.
  7. Hunting across the rest of the network with IoCs from the analysis to detect non-obvious pockets.
  8. Legal and client notification per applicable frameworks (GDPR 72h, NIS2 24/72h, sectoral authorities).
  9. Lessons learned. Honest post-mortem and documented improvements: why wasn't the patch in place? why wasn't the segment isolated? why did the SOC take as long as it did?

Compliance fit

Worm risk management covers direct points in current frameworks:

  • NIS2 (article 21). Risk management measures, vulnerability management, 24/72h notification.
  • DORA (article 9). ICT risk management in financial services. Formalised patch management.
  • ISO 27001:2022 (controls 8.7, 8.8, 8.32). Malware protection, technical vulnerability management, change management.
  • ENS Royal Decree 311/2022 (op.exp.6, op.exp.5). Malicious code protection and change management.
  • PCI DSS v4.0 (req. 5, 6). Mandatory anti-malware and patch management.
  • GDPR. An infection leaking personal data is a notifiable breach.

Frequently asked questions

Key difference between virus, worm and trojan?

The virus inserts itself into files and needs human action to spread. The worm spreads on its own by exploiting network vulnerabilities or weak configurations. The trojan disguises itself as legitimate software and needs voluntary execution. In 2026 the categories mix in modern families, but the distinction helps understand the entry vector.

Is the network worm still viable in 2026?

Yes. Although modern defences (EDR, segmentation, faster patching) close the classic Conficker scenario, worms keep appearing when a serious exploit emerges in widely deployed software. EternalBlue (2017) is the recent example; any 0-day in a critical remote service can repeat the pattern.

Does my antivirus protect me against worms?

Modern antivirus detects signatures of known worms. EDRs with behavioural detection cover new variants better. But the main defence is aggressive patch management: if the vulnerability the worm exploits is patched, the attack fails.

How long can a worm take to spread?

SQL Slammer (2003) doubled infections every 8.5 seconds in the initial phase. Conficker spread in hours. WannaCry reached 150 countries in under 24 hours. Propagation speed is proportional to the number of vulnerable exposed services and the scan rate. An exploitable vulnerability on Internet-facing SMB can infect millions of machines in less than a day.
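The statement that propagation speed scales with the number of vulnerable exposed services and the scan rate can be made concrete with the classic random-scanning epidemic model (each infected host scans random addresses; a scan hits a new victim with probability proportional to the remaining vulnerable population). The following is an added example for this article, not Secra's code and not a measurement of any real worm: the population size and per-host scan rate are constructed so that the early doubling time matches the 8.5 seconds quoted above, and the example goes one step beyond the text by showing how patch coverage stretches the time to saturation.

```python
"""Expected-value model of a random-scanning worm's propagation.

Added example for this article, not Secra's code. Classic random constant
spread model: each infected host scans `scan_rate` random addresses per second
out of `address_space`; a scan finds a new victim with probability
(vulnerable - infected) / address_space. Parameter values are constructed
for illustration, not measurements of any real worm.
"""
import math

ADDRESS_SPACE = 2 ** 32   # IPv4, as a blindly scanning worm sees it


def simulate(vulnerable, scan_rate, address_space=ADDRESS_SPACE,
             initial=1, dt=1.0, max_seconds=36000):
    """Deterministic (expected-value) step simulation; returns infected count per step."""
    infected = float(initial)
    series = [infected]
    for _ in range(int(max_seconds / dt)):
        # expected new infections this step: scans by all infected hosts times hit probability
        new = infected * scan_rate * dt * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + new)
        series.append(infected)
        if infected >= 0.999 * vulnerable:   # saturated, stop early
            break
    return series


def time_to_fraction(series, vulnerable, fraction, dt=1.0):
    """Seconds until `fraction` of the vulnerable population is infected, or None."""
    for step, count in enumerate(series):
        if count >= fraction * vulnerable:
            return step * dt
    return None


def doubling_time(vulnerable, scan_rate, address_space=ADDRESS_SPACE):
    """Early-phase doubling time ln 2 / K, with K = scan_rate * vulnerable / address_space."""
    return math.log(2) / (scan_rate * vulnerable / address_space)


def compare_patch_coverage(vulnerable, scan_rate, patched_fraction):
    """Time to 90% infection before and after patching `patched_fraction` of the hosts.
    Patching shrinks both the target population and the growth rate K."""
    before = time_to_fraction(simulate(vulnerable, scan_rate), vulnerable, 0.9)
    remaining = int(vulnerable * (1 - patched_fraction))
    after = time_to_fraction(simulate(remaining, scan_rate), remaining, 0.9)
    return before, after


if __name__ == "__main__":
    # Constructed parameters: 75,000 vulnerable hosts scanning 4,670 addresses/s each
    # give an early doubling time of about 8.5 s, the figure quoted in the article.
    N, R = 75_000, 4_670
    print(f"early doubling time: {doubling_time(N, R):.1f} s")
    print("seconds to 90% infection (unpatched, 90% patched):", compare_patch_coverage(N, R, 0.9))
```

The model is why the article's eradication steps lead with isolation and patching: the growth rate is the product of scan rate and reachable vulnerable population, so segmentation (cutting the address space a host can reach) and patch coverage (cutting the population) both act on the exponent, not just on the final count.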

Is WannaCry still active?

Yes, to a lesser extent. There are recurring reports of residual infections in organisations with old unpatched Windows systems and exposed SMBv1. Microsoft still maintains specific recommendations to mitigate.

Could Stuxnet be used today against European infrastructure?

Conceptually yes. The techniques (USB for air gap, code signing abuse, 0-days in industrial services) remain viable. What changes is that state actors with that capability are few, targets are more closely watched and public attribution has grown. OT industrial protection against this type of attack falls within NIS2 scope for critical sectors.

How is a worm outbreak distinguished from a targeted attack?

A worm generates a lot of network noise and moves without discrimination. A targeted attack is silent, moves only to selected hosts and prioritises persistence. Modern EDR/NDR platforms distinguish the two patterns relatively well; the human threat hunter also distinguishes by context (are we the only ones infected? is it a global campaign?).

  • Types of malware: broader family where worms sit alongside viruses, trojans, ransomware and rootkits.
  • What is a trojan: comparison with the most frequently confused category.
  • What is ransomware: WannaCry and NotPetya combined worm and ransomware in the most damaging cases of the last decade.
  • What is a keylogger: module a worm can deliver as second stage.
  • What is a CVE: identifier for vulnerabilities worms exploit at scale.
  • What is an EDR and what is MDR: modern controls that detect lateral propagation before it escalates.
  • NIS2 in Spain: the framework requiring formalised patch management and 24/72h notification.

Worm defence at Secra

At Secra we address worm risk on three usual fronts: review of the client's vulnerability management programme (coverage, SLAs, real metrics for applying critical patches), audit of internal network segmentation and policies for exposed SMB/RDP/RPC, and Red Team exercises that validate whether the organisation would detect simulated lateral propagation before it escalates. If your organisation has a large Active Directory, unpatched legacy segments or has never measured how long it takes to patch a critical vulnerability from its official publication, get in touch via contact.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
