Dustin <bughunter.dustin@gmail.com> wrote in
news:Xns9FD38B634499DHHI2948AJD832@no:

> FromTheRafters <erratic@nomail.afraid.org> wrote in
> news:je9p7o$ocj$1@dont-email.me:
>
>> Virus Guy wrote:
>>> http://www.telegraph.co.uk/technolog.../Facebook-locks-down-45000-accounts-to-stop-worm-spreading.html
>>>
>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
>>>
>>> Facebook has acted to stop the spread of a new variety of malicious
>>> software that has stolen login details from 45,000 mostly British
>>> and French users.
>>>
>>> 1:43PM GMT 06 Jan 2012
>>>
>>> The Ramnit worm has been spreading since April 2010, but was only
>>> recently adapted to target Facebook details, according to computer
>>> security experts. It was previously used by cyber criminals to
>>> steal login credentials for other services, including online
>>> banking.
>>>
>>> A “worm” is distinct from a normal computer virus in that it can
>>> reproduce itself without needing to attach itself to an existing
>>> program. This ability means worms can spread very rapidly online.

>>
>> Nice that they mentioned this, but it is a distinction you'll likely
>> like even less than the virus/malware dichotomy. To me, it is a
>> somewhat less important distinction and remains 'fuzzy'.

>
> Not to me. Here's why...
>
> We'll just deal with file infectors for the sake of making this less
> complicated. A virus requires a host. It will seek out an exe that
> doesn't already have its presence and install it. (Infecting said
> exe file). This file has been modified to carry virus code. Executing
> it later will cause the virus code and maybe the original host to
> still run and further spread the virus. Simply deleting an infected
> executable will not remove the virus; as many other executables are
> likely containing it now. They have to be identified and disinfected
> (if possible) if you wish to make use of them again. You may or may
> not be able to restore them to the original byte(s) depending on the
> virus which infected them and the manner in which it used. A trojan
> OTH can be removed by deleting its exe once you locate it.
>
> A worm OTH, is really its own program, all self-contained, that
> replicates by copying a complete copy of itself. For example, it
> requires no host; it can readily create an exe called worm2.exe and
> drop its image right into it. When worm2.exe is later run by an
> unsuspecting user on another computer, it drops worm3.exe; they're
> both identical for this discussion (polymorphic worms do exist
> tho)... and worm3 goes and does the same thing.
>
> A worm can be removed in a similar fashion as a trojan once you
> identify them all; you just delete them. There is no host to restore
> as they didn't infect anything.
>
> These are important distinctions if it's your intention to properly
> identify the problem and repair the system with minimal (preferably
> none) data loss in the process.
>
>


Minor followup:

There are worm/virus combos. They drop an exe of themselves in a worm
fashion. This is a new exe, so you can just delete it like you would a
trojan. You will have to identify the viral code in other pre-existing
executables and disinfect if possible to remove the virus portion.
Failure to complete both steps will likely result in a reinfection of
virus and worm.

For simple examples, see Toadie and Irok viruses. They're old, all well
known, and do exactly as I've described and are removed in the processes
I've already outlined above. These are textbook real world examples
which correctly fit the well established definitions above.




--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts