Dustin wrote:
> FromTheRafters<erratic@nomail.afraid.org> wrote in
> news:je9p7o$ocj$1@dont-email.me:
>
>> Virus Guy wrote:
>>> http://www.telegraph.co.uk/technolog...Facebook-locks
>>> -down-45000-accounts-to-stop-worm-spreading.html
>>>
>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
>>>
>>> Facebook has acted to stop the spread of a new variety of malicious
>>> software that has stolen login details from 45,000 mostly British
>>> and French users.
>>>
>>> 1:43PM GMT 06 Jan 2012
>>>
>>> The Ramnit worm has been spreading since April 2010, but was only
>>> recently adapted to target Facebook details, according to computer
>>> security experts. It was previously used by cyber criminals to steal
>>> login credentials for other services, including online banking.
>>>
>>> A “worm” is distinct from a normal computer virus in that it can
>>> reproduce itself without needing to attach itself to an existing
>>> program. This ability means worms can spread very rapidly online.
>>
>> Nice that they mentioned this, but it is a distinction you'll likely
>> like even less than the virus/malware dichotomy. To me, it is a
>> somewhat less important distinction and remains 'fuzzy'.
>
> Not to me. Here's why...
>
> We'll just deal with file infectors for the sake of making this less
> complicated. A virus requires a host. It will seek out an exe that
> doesn't already have its presence and install it. (Infecting said exe
> file). This file has been modified to carry virus code. Executing it
> later will cause the virus code and maybe the original host to still run
> and further spread the virus. Simply deleting an infected executable
> will not remove the virus; as many other executables are likely
> containing it now. They have to be identified and disinfected (if
> possible) if you wish to make use of them again. You may or may not be
> able to restore them to the original byte(s) depending on the virus
> which infected them and the manner in which it used. A trojan OTH can
> be removed by deleting its exe once you locate it.
Understood, and I agree.
> A worm OTH, is really its own program all self-contained that
> replicates by copying a complete copy of itself. For example, it
> requires no host;
"Requires" no host in order to spread, agreed. Of course that doesn't
mean it can't virally infect a program file or files for purposes other
than the spreading. It can, for instance, infect as a method aimed at
persistence.
Such a program doesn't *need* to use a host executable to *spread* and
so is a worm by the definition provided in that article (and that idea
is echoed in many other places).
In that scenario, you still need to look for virally infected programs
even though you are dealing with what is called a worm (blended threat
actually).
> it can readily create an exe called worm2.exe and drop
> its image right into it. When worm2.exe is later run by an unsuspecting
> user on another computer, it drops worm3.exe; they're both identical for
> this discussion (polymorphic worms do exist tho)... and worm3 goes and
> does the same thing.
Understood.
> A worm can be removed in a similar fashion as a trojan once you
> identify them all; you just delete them. There is no host to restore as
> they didn't infect anything.
I disagree. According to all of the definitions I have found worms are
not precluded from also being viruses. It is often stated as 'a worm
does not *need* to infect in order to propagate'. I have not seen a
definition that states that a worm *must not* infect a program with a
copy of itself. It is still a worm even if it is also a virus.
I also understand that the "worms" we are talking about are not the true
worms of the computer science realm but are the modern wormlike programs
often requiring the user clicking on something he or she shouldn't have.
> These are important distinctions if it's your intention to properly
> identify the problem and repair the system with minimal (preferably
> none) data loss in the process.
Absolutely! My point was that there are other distinctions besides the
dichotomy between the non-replicating "trojan" and the replicating
"virus" and "worm". VG may eventually understand why it is important to
distinguish the differing types of malware, especially as you pointed
out where removal of the malware or the avoidance of the malware is the
issue. Different measures need to be taken for different malware types.

