08.02 · The propagating originals

Viruses & Worms

The two families that defined malware for its first thirty years. They share a single defining trait — self-replication — and one critical distinction: whether they need a host to ride on.

The definitions that matter

Family 1

Virus

Self-replicating code that attaches to a host file (an executable, a document, a boot sector). The virus runs when the host runs. Spreading requires a user to share the infected host.

Effectively extinct in 2026 commodity malware. Modern operating systems and code-signing make host attachment hard; modern malware delivery doesn't need it.

Family 2

Worm

Self-replicating code that does not need a host. It propagates over a network on its own, usually by exploiting a vulnerability in a service that's listening. No user action required between machines.

Reborn in the 2010s after a decade of dormancy. EternalBlue (2017) and the SMB worm techniques in WannaCry, NotPetya, and Bad Rabbit proved the family was still viable when paired with a fresh exploit.

The popular press calls everything a "virus." Don't. The technical distinction predicts how the malware spreads, and therefore how you contain it. A virus is contained by stopping infected files from being opened. A worm is contained by patching the vulnerable service or segmenting the network. The defensive moves diverge immediately from the definition.

Worm propagation, visualized

Press Play. A patient zero machine in a 200-node network starts running the worm. Each tick, every infected node tries to compromise its neighbors based on the infection probability. Watch how a tiny initial foothold becomes saturation in seconds — this is why worms ate the internet repeatedly between 2001 and 2003.

SIR-style Worm Propagation Simulator (interactive widget; starting counters: 199 Healthy, 1 Infected, 0 Patched, 0 Ticks elapsed)

The model is deliberately simple (SIR — Susceptible / Infected / Resistant, where "Patched" plays the Resistant role). Real worms trace the curve at different rates because of network topology, exploit reliability, and rate-limiting, but the shape — slow start, explosive middle, then a plateau as targets run out — is universal.
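The simulator's logic, written out as an added example (this is not the page's widget code). It assumes a ring-lattice topology where each node sees its six nearest neighbours, one patient zero at node 0, a per-edge infection probability, and a per-tick clean-and-patch probability for infected nodes; all of those parameters are assumptions chosen for the demo, and the random seed is fixed so a run is reproducible.

```python
import random

SUSCEPTIBLE, INFECTED, PATCHED = "S", "I", "P"


def build_ring_lattice(n, degree):
    """Adjacency for a ring where each node sees its `degree` nearest neighbours
    (degree // 2 on each side). Assumed topology for the demo; a flat office LAN
    behaves more like a complete graph and saturates much faster."""
    half = degree // 2
    return {i: {(i + d) % n for d in range(-half, half + 1) if d != 0}
            for i in range(n)}


def count_states(state):
    """(healthy, infected, patched) counts for one tick."""
    return (state.count(SUSCEPTIBLE), state.count(INFECTED), state.count(PATCHED))


def simulate(n=200, degree=6, p_infect=0.3, p_patch=0.02, ticks=60, seed=7):
    """Run the SIR-style worm model; returns one (healthy, infected, patched)
    tuple per tick, index 0 being the start state with a single patient zero.

    Each tick every infected node attacks each susceptible neighbour with
    probability p_infect; independently, each infected node is cleaned and
    patched with probability p_patch (the Susceptible -> Resistant transition
    the widget labels 'Patched')."""
    rng = random.Random(seed)              # seeded: same inputs, same curve
    graph = build_ring_lattice(n, degree)
    state = [SUSCEPTIBLE] * n
    state[0] = INFECTED                    # patient zero
    history = [count_states(state)]
    for _ in range(ticks):
        newly_infected, newly_patched = set(), set()
        for node, s in enumerate(state):
            if s != INFECTED:
                continue
            for nb in graph[node]:
                if state[nb] == SUSCEPTIBLE and rng.random() < p_infect:
                    newly_infected.add(nb)
            if rng.random() < p_patch:
                newly_patched.add(node)
        # apply both transitions after the sweep so iteration order is irrelevant
        for nb in newly_infected:
            state[nb] = INFECTED
        for node in newly_patched:
            state[node] = PATCHED
        history.append(count_states(state))
    return history


def ticks_to_fraction(history, fraction):
    """First tick at which (infected + patched) / n reaches `fraction`, or None
    if the worm never gets that far within the run."""
    n = sum(history[0])
    for tick, (_, infected, patched) in enumerate(history):
        if infected + patched >= fraction * n:
            return tick
    return None


def ascii_curve(history, width=50):
    """Bar chart of currently-infected nodes per tick: the S-curve in text form."""
    n = sum(history[0])
    return "\n".join(f"{t:3d} {'#' * (inf * width // n):<{width}} {inf}"
                     for t, (_, inf, _) in enumerate(history))


if __name__ == "__main__":
    hist = simulate()
    print(ascii_curve(hist))
    print("half the network touched at tick", ticks_to_fraction(hist, 0.5))
```

Raising p_patch relative to p_infect is the "patch the vulnerable service" containment move from the section above: past a threshold the infected count peaks low and the plateau is mostly healthy nodes rather than patched ones. Swapping build_ring_lattice for a complete graph shows what a flat network does to the same worm.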

The worm hall of fame

Year | Worm | Vector | Damage
---- | ---- | ------ | ------
1988 | Morris | Sendmail debug + rsh + weak password guessing | ~6,000 machines (~10% of the internet at the time). First felony conviction under the U.S. Computer Fraud and Abuse Act.
2000 | ILOVEYOU | VBScript attachment in email; mailed itself to every Outlook contact | ~50M Windows machines in 10 days; ~$10B estimated cost.
2001 | Code Red | IIS .ida buffer overflow over HTTP | 359K servers in 14 hours. Defaced sites and DDoS'd whitehouse.gov.
2003 | SQL Slammer | 376-byte UDP packet exploiting the SQL Server Resolution Service | Saturated the global internet within 10 minutes. Took out 911 call centers, ATMs, airline check-in.
2003 | Blaster | RPC DCOM buffer overflow | Millions of XP machines. Tried (and mostly failed) to DDoS windowsupdate.com.
2008 | Conficker | SMB MS08-067 + USB autorun + weak admin passwords | ~9M machines at peak. Maintained an enormous botnet that was never fully cleaned up.
2010 | Stuxnet | USB autorun + 4 zero-days + Siemens PLC exploits | State-level sabotage of Iranian uranium enrichment centrifuges. Genre-defining nation-state worm.
2017 | WannaCry | EternalBlue (NSA SMB exploit leaked by Shadow Brokers) | 200K+ machines, 150 countries. UK National Health Service shut down; FedEx, Renault, Deutsche Bahn hit. Killed when a researcher registered the killswitch domain.
2017 | NotPetya | Poisoned M.E.Doc update + EternalBlue + Mimikatz lateral movement | Disguised as ransomware but was an irreversible wiper. Maersk, Merck, FedEx, Mondelēz — estimated $10B in global damage. The most destructive single piece of malware in history.

Why true viruses faded

The classic virus — modify NOTEPAD.EXE on the user's machine so the virus runs when they launch Notepad — is rare in modern malware. Three changes killed it:

  • Code signing. Operating systems prefer (or require) signed executables. Modifying a signed binary breaks the signature. Most legitimate software vendors sign; modifying their binaries is loud.
  • Easier delivery. Phishing-with-a-dropper is cheaper than infecting binaries. Why modify the user's notepad.exe when you can email them a Word document with a macro?
  • Better detection. A modified-file virus has a fingerprint — the deviation from the known-good binary. Modern EDR notices that.

What survives of "virus" behavior is mostly macro viruses (malicious VBA inside Office documents) and the residual concept of malware that infects scripts or interpreted files. The Office macro family has been on the way out since 2022, when Microsoft began blocking VBA macros by default in documents downloaded from the internet.
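The "fingerprint" point from the list above (a modified-file virus deviates from the known-good binary) is what file-integrity monitoring checks. Below is an added example of that check, not code from the page or from any EDR product: it hashes executable-like files under a root, stores the result as a baseline, and later reports files that were modified, removed, or newly dropped. The directory layout, file names and bytes in the demo are constructed stand-ins, and the patterns it scans are an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, patterns=("*.exe", "*.dll", "*.sys")):
    """Map of relative path -> SHA-256 for every executable-like file under root.
    Take it from a known-good image and keep it somewhere the host cannot write."""
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def diff_baselines(baseline, current):
    """Pure comparison of two path->hash maps. Returns three sorted lists:
    modified (hash differs), missing (in baseline, now gone), unexpected (new).
    A classic file infector shows up as 'modified'; a dropped payload as 'unexpected'."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return modified, missing, unexpected


def check_against_baseline(root, baseline):
    """Rescan the live tree and compare it with the stored baseline."""
    return diff_baselines(baseline, build_baseline(root))


def demo():
    """Constructed demo: build a fake system tree, baseline it, then alter one
    'binary' by prepending bytes (the shape of a host-file modification) and
    drop a new file. Neither file is a real executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "System32" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 64)   # constructed
        (root / "System32" / "kernel32.dll").write_bytes(b"MZ" + b"\x01" * 64)  # constructed
        stored = json.dumps(build_baseline(root))   # what you would persist off-host

        target = root / "System32" / "notepad.exe"
        target.write_bytes(b"PREPENDED-BYTES" + target.read_bytes())
        (root / "System32" / "dropped.exe").write_bytes(b"MZ")                 # constructed
        return check_against_baseline(root, json.loads(stored))


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:  ", modified)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```

The baseline is only as trustworthy as where it lives: a copy on the monitored host can be rewritten by the same code that modified the binary, which is why the check is more valuable as a comparison against a vendor manifest or an off-host store than as a self-check.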

What lets worms come back

For a worm to spread it needs three things at once: a widely-deployed vulnerable service, an exploit that doesn't require user interaction, and a network where that service is reachable between hosts. Each ingredient is harder to assemble than it was in 2003 — but the EternalBlue era proves they still can be:

  • SMB on flat internal networks is still nearly universal in 2026 (despite a decade of "segment your network" advice).
  • Pre-auth RCE in widely deployed software still happens (recent examples: MOVEit, Citrix Bleed, Fortinet, Ivanti).
  • Slow patching on internet-exposed services keeps the window open long enough for a worm to find them.

The lesson: worms are not a museum exhibit. They are dormant infrastructure waiting for the right combination of pre-auth RCE + lateral-movement primitive + slow patching to wake up. The next one will look exactly like the last one.
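A defender can turn the three ingredients above into an inventory check. The following is an added example, not code from the page: it takes a host inventory grouped by network segment and flags, per segment, the services that are both widely deployed there and unpatched on several hosts. It assumes hosts in one segment are mutually reachable (no host firewall) and that the inventory records a patched/unpatched flag per listening service; the hosts, segments and services are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    segment: str                      # network segment / VLAN the host sits on
    services: dict = field(default_factory=dict)   # service name -> patched? (bool)


# Constructed inventory (hypothetical hosts, not from any real environment)
INVENTORY = [
    Host("ws-01", "office-lan", {"smb": False, "rdp": True}),
    Host("ws-02", "office-lan", {"smb": False}),
    Host("ws-03", "office-lan", {"smb": True}),
    Host("ws-04", "office-lan", {"smb": False, "rdp": False}),
    Host("srv-file", "office-lan", {"smb": False}),
    Host("dmz-vpn", "dmz", {"sslvpn": False}),
    Host("dmz-web", "dmz", {"http": True}),
]


def worm_preconditions(inventory, min_prevalence=0.5, min_unpatched=2):
    """Per segment, report services that (1) listen on at least `min_prevalence`
    of that segment's hosts and (2) are unpatched on at least `min_unpatched` of
    them. Assumption: hosts in a segment can reach each other, so the segment is
    the worm's reachable network. Returns
    {segment: [(service, prevalence, unpatched_count), ...]}, worst first."""
    by_segment = defaultdict(list)
    for h in inventory:
        by_segment[h.segment].append(h)

    report = {}
    for segment, hosts in by_segment.items():
        listening = defaultdict(int)
        unpatched = defaultdict(int)
        for h in hosts:
            for svc, patched in h.services.items():
                listening[svc] += 1
                if not patched:
                    unpatched[svc] += 1
        hits = []
        for svc, n_listen in listening.items():
            prevalence = n_listen / len(hosts)
            if prevalence >= min_prevalence and unpatched[svc] >= min_unpatched:
                hits.append((svc, round(prevalence, 2), unpatched[svc]))
        if hits:
            report[segment] = sorted(hits, key=lambda t: (-t[2], t[0]))
    return report


if __name__ == "__main__":
    for segment, hits in worm_preconditions(INVENTORY).items():
        for svc, prevalence, n_unpatched in hits:
            print(f"{segment}: {svc} listens on {prevalence:.0%} of hosts, "
                  f"{n_unpatched} unpatched")
```

The thresholds are the tuning knobs: a service on half the hosts of a flat segment with a handful of unpatched instances is exactly the "widely deployed + reachable + slow patching" combination the section describes, and the sorted output is a patch-priority list rather than a vulnerability count.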