Welcome to Malware Analysis For Hedgehogs. I actually have some time today. I know it's been a long time since the last video. I wasn't even sure when I will do the next one, but it's just how it is: I do them when I have time, and that's it. Now we have the corona situation, so yeah, that's the reason I have time, I know.

So today's topic is computer worms. Maybe I already told you, but this is the book I'm using: Computer Virus Research and Defense. We will be looking into some parts of that book which describe computer worm, network worm components.

What is a worm, actually? According to this book, a worm is a self-replicating program able to propagate itself across a network, typically having a detrimental effect. So what's the difference between a worm and a virus? Well, Peter Szor thinks worms are a subtype of a virus. Viruses usually need files to infect: they have host files and they somehow attach to them. Whereas worms will, you know, somehow replicate by using the network or USB flash drives, and they put their whole body into it. They usually do not need, you know, a host file to do that.

So worms are a kind of malware type, and there are different types. You can distinguish malware based on how it propagates; oftentimes you have types that describe the behavior of the payload; and then you also have malware types that describe some kind of concealment method, so people don't actually see that this is malware. Examples of concealment malware types: a Trojan, a rootkit; a subclass of a rootkit is a bootkit. Or the behavior of the payload: that can be a stealer, can be ransomware, and it can also be a banker or something else. You get the drift. Now, for propagation itself, we have virus and worm, or nothing. And with worms you generally have either network worms or they propagate via USB drives, for instance. A typical example is WannaCry, which is a network worm and also ransomware, so you will find both descriptions here.

So let's take a look at the main components of a network worm. There are six of them according to Peter Szor, and the most important ones are the first two, which are related to the propagation. So there's the target locator, sorry, and there's the infection propagator. These two components are essential; without them you don't have a worm. The other components are optional. Those are the payload, some kind of self-tracking mechanism, and a life cycle manager. And last but not least, there's often some kind of remote control and update interface that the attacker uses to add more infection vectors, for instance. Especially when they use exploits, those need to be updated after some time.

All right, now about the target locator. A lot of worms in the past have been mass email worms, so they spread via email. In order to locate targets they will collect email addresses by parsing files on the drive, or they may specifically look into email address books, or they even monitored outgoing emails to see whom they were sent to. So these are possibilities for the target locator to harvest emails. As you know, there are also worms that use exploits to travel through the networks to other machines. They may enumerate network shares, so the target locator may do that, and they may also scan the network: just generate IP addresses and then check if they can infect those.

And the infection propagator is the component that does the actual infection. This can work via exploit, like WannaCry. Social engineering is mostly used by these mass email worms, like Love Letter. And there are also lots of worms that will propagate via peer-to-peer and instant messengers. They are still out there; as long as peer-to-peer and instant messengers exist, they won't die.

Yeah, the payload. Very typical for worms in the past was denial of service attacks using the remote control interface, but they can also be used to send spam emails, or to use the computing power of all of these combined.

The self-tracking mechanism is of interest for the attacker. They may want to know which path the worm took through the network or which machines got infected, so they know how many and what kind of operating system.

And the life cycle manager: some worms had a date where they just killed themselves. I don't think those exist anymore; like, most of them live forever. But some, yeah, they had a kill date, and some people actually removed that component and created the same worm without the kill date, which is kind of, hmm.

That's it already. So if you have any questions, please put them in the comments below or hit me up on Twitter. I will put the link to it in the description.