The Win32 worms: classification and possibility of heuristic detection

Taras Malivanchuk Computer Associates

The Win32 platform executable worms have been the most widely distributed malware for a long time. The presence of heuristic detection may decrease the risk of new worms. Heuristic detection is possible if a new worm is more or less a re-development of an existing one, using at least the same method of replication.

For heuristic detection, we need to know the file structure and viral features that the worm uses.

The worms are classified by compiler type (lowlevel, MS C, Borland C, Delphi, Visual Basic) and by their method of replication (SMTP, MAPI, OLE, network shares, IRC, ICQ , secutity holes etc. ). For each type, the methods of replication and the possibility of heuristic detection are analysed.

VB Conferences

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘As always, VB is 'the' premier malware/anti-malware/spam conference.’

Poll

Who in your company is responsible for installing software patches?

Leave a comment

VB2009

VB2009 will take place 23-25 September 2009 at the Crowne Plaza Geneva, Switzerland. VB is currently seeking submissions from those wishing to present papers at VB2009. Full details are in the call for papers.

Virus Bulletin currently has 148,287 registered users.

Fighting malware and spam