Introduction to Internet Worms

The following paper provides a brief introduction into self-replicating malicious programs, the so-called "worms". It is a primer document aimed at beginning network administrators, interested home users and students of network security.
Basic understanding of TCP/IP, UDP/IP and routing is required.
The references section at the end will point you to more in-depth material for your further studies.

After defining "worm" and related terms, we will look at the main components of a worm from the perspective of a malicious worm writer who seeks to optimize its efficiency, stealth, persistence or damage.
By putting us in this position, and by looking at both in-the-wild and (as of this writing) hypothetical worm designs, we hope to achieve a more precise assessment of current and future risks than a "traditional" victim-centric approach would yield.

• initial draft and presentation (in German) Jan 15, 2004
• extended and updated XHTML version (in English) April 11, 2004.

The latest version of this document can be found at http://spunk.dnsalias.org/public_stuff/cs_papers/Worms/.

(c) Copyleft 2004 Jörn Nettingsmeier <nettings@folkwang-hochschule.de>.
This document may be freely copied, modified and re-distributed. I would welcome credit if this paper is useful to you, and ask that you do not distribute modified versions with my name on without clearly indicating all changes.
I take no responsibility if the information given is inaccurate or plain wrong and eats your hardware or damages your data. Corrections are welcome.

This paper owes most of its existence to the excellent "NetWorm FAQ" and other papers by Stuart Staniford et al., listed in the References section.
Whenever you come across a good idea, assume it has been lifted from one of the fine sources mentioned there. Stupid ideas, as well as any mistakes, are mine.

This document uses correct XHTML 1.0 with CSS/2, and so should everyone. Browsers that can render it correctly are Mozilla 1.2+ or, if you must, IE5.5+.