The Win32 worms: classification and possibility of heuristic detection presented at Virus Bulletin 2002

by Taras Malivanchuk (Computer associates),

Tags: Security


Summary : The Win32 platform executable worms have been the most widely
distributed malware for a long time. The presence of heuristic
detection may decrease the risk of new worms. Heuristic detection is
possible if a new worm is more or less a re-development of an existing
one, using at least the same method of replication.

For heuristic detection, we need to know the file structure and viral
features that the worm uses.

The worms are classified by compiler type (lowlevel, MS C, Borland C,
Visual Basic) and by their method of replication (SMTP, MAPI, OLE,
network shares,
IRC, ICQ , secutity holes etc. ). For each type, the methods of
replication and the possibility of heuristic detection are analysed.