ILOVEYOU </b></a><span style="font-weight: 400">was let loose on the Internet and quickly became the most damaging malware of all time. It was a Visual Basic script that spread through email messages with the subject line “I love you.” The user only needed to open the attachment, which posed as a text file, to have their system files overwritten and effectively destroyed. What made the malware spread like wildfire was its ability to send a copy of itself to every contact stored in the victim’s Microsoft Outlook address book. </span></p> <p><span style="font-weight: 400">A few years later, </span><b>MyDoom</b><span style="font-weight: 400"> appeared and set a new record for the dollar cost of a malware attack, hitting major technology companies such as Google and Microsoft with Distributed Denial of Service (DDoS) attacks. The total cost caused by MyDoom has been estimated at $38 billion. It was distributed as a “Sending Failed” message purporting to come from the mail server, carrying an attachment laced with the malicious code. The user was expected to click on the attachment in order to re-send the mail; opening the infected file instead installed the worm. MyDoom then sent a copy of itself to every contact in the user’s address book, as well as to peer-to-peer (P2P) shared devices. </span></p> <p><img class="alignnone size-full wp-image-514452" src="https://www.enigmasoftware.com/images/2021/most-costly-malware-outbreaks.jpg" alt="" width="600" height="400" /><em><span style="font-weight: 400">Image of Most Costly Malware Outbreaks – Source: digitaltrends.com</span></em></p> <p><span style="font-weight: 400">Other examples of successful worms from the beginning of the century include Code Red, Nimda, Jerusalem, Storm Worm and MSBlast (the Blaster Worm). </span><b>Code Red</b><span style="font-weight: 400"> attacked computers running the Microsoft IIS web server in the summer of 2001. Named after the drink the researchers were having at the time of the discovery, the worm spread by exploiting a classic buffer-overflow vulnerability, while its payload defaced the infected website to display the message “HELLO! Welcome to hxxp://www(dot)worm(dot)com! Hacked by Chinese!” Code Red demonstrated a brand new propagation technique: rather than sending copies of itself to the victim’s email contacts, it scanned the network for connected IP addresses and used these as its distribution vector. </span><a href="/nimda-removal/">Nimda</a><span style="font-weight: 400"> … Stuxnet … Iran’s nuclear weapon production, whereby the idea was to create the most sophisticated computer worm the world had seen by then. By the beginning of 2010 the worm had managed to crash 20% of Iran’s functioning uranium-enrichment centrifuges, setting the country’s nuclear program back by 2 years. It did not take long, however, before the infection leaked out and copies of the worm began spreading across the Internet, infecting 130,000 computers worldwide. The worm was also discovered by researchers in 2010, after it started <a href="/stuxnet-related-apts-used-create-gossip-girl-threat/">affecting machines outside of its initial target range</a>. </span></p> <p><span style="font-weight: 400">The worm spread on Windows operating systems and targeted industrial control systems (ICS) made by Siemens; Stuxnet is considered the first malware of that type capable of spying on and destroying such systems. It was also the first malware able to alter the programming of Programmable Logic Controllers (PLCs) in infrastructure facilities such as power plants, gas lines and water treatment facilities. To reach these highly secured systems, Stuxnet incorporated sophisticated propagation techniques that allowed it to infect its target files without using the Internet or any other network: it spread between Windows computers by copying itself onto USB sticks. PLCs, however, do not run Windows, so the worm needed another way onto the target machines. It scanned Windows systems to find those that manage the PLCs and dropped its payload on them. To alter the PLC settings, the malware then sought out and infected the STEP 7 project files that Siemens uses to program the PLCs. Once it had identified the specific PLC model, the malware gained complete control over all data flowing in and out of the infected PLC.</span></p> <p><span style="font-weight: 400">Over the following two years Stuxnet lived on and even became a framework for the development of other malware. Parts of the Stuxnet source code have been found in the cyber-espionage program </span><b>Flame</b><span style="font-weight: 400">, while the </span><a href="/pwsduqu-removal/">Duqu

Worms

Threat Name Severity Level Detections
Helkern Worm
Heur.Worm.Generic 90 % (High) 0
HIDDENEXT/Worm.Gen 10 % (Normal) 4,265
Honditost
I-Worm.Brontok.CJ
I-Worm.Chir.B 70 % (High) 0
I-Worm.Generic
I-Worm.Netsky.Q1
IM Worm.Win32.Sohanad.bm
IM-Worm.Win32.Agent.mg
IM-Worm.Win32.Kelvir.k
IM-Worm.Win32.Sohanad.as 90 % (High) 15
IM-Worm.Win32.Sohanad.qc 90 % (High) 42
IM-Worm.Win32.Sohanad.qi 50 % (Medium) 0
IM-Worm.Win32.Sohanad.qr
IM-Worm.Win32.VB.bn
IM-Worm.Win32.XorBot.a 80 % (High) 141
IM-Worm.Win32.Yahos
IM-Worm.Win32.Yahos.hb
IM-Worm.Win32.Yahos.hh
IM-Worm.Win32.Zeroll.g
IM-Worm.Win32.Zeroll.i 80 % (High) 288
IM.Worm.VB.as 90 % (High) 0
Imbot.AC 50 % (Medium) 1
Invitation Card.zip