Definition of Computer Worm: How Does It Work?

Cyberspace was never a safe place to begin with, but today’s online world has become more threatening to the average online user than ever before. New and well-established threats continue to hit businesses and individuals, and the losses associated with cyberattacks now run well into the billions. One of the most enduring cyber threats is computer worms.

Once a worm infects several computers on the same network, the program can overload servers and consume bandwidth. Worms also open up backdoor channels that hackers can use to control the user’s device remotely.

Computer worms are usually spread by a hacker who gains access to a network device and uses a physical device, such as a USB flash drive, to plug in one of the network devices. Once a worm infects one machine, the program continues to replicate itself on other machines as well, without any input from the hacker.

Worms also spread through messaging services, networks that provide file-sharing facilities, and email services.

Computer worms can cause a complete breakdown of a given device or even a network if the worm is allowed enough time and resources to replicate itself and, ultimately, consume all the resources of the target device or network.

What Is a Computer Worm?

A computer worm is a dangerous type of malware that cybercriminals design to spread to multiple devices. Once a worm infects a machine, the device stays infected as the worm moves on to other devices while self-replicating on the initially infected device. Computer worms do not need any input to spread or infect machines once they land on a device or network.

Worms impact devices in a variety of ways, including reduced performance, increased load on available resources, slower network speed and network congestion.

How Do Computer Worms Spread?

Computer worms spread so quickly today because of how interconnected the digital ecosystem has become. Around 6.5 billion people own smartphone devices, which is the primary medium through which computer worms spread.

Hackers who develop worms now focus on mobile platforms and devices more than any other type of platform. The primary method of contamination on mobile devices is HTML5-based apps. Almost all operating systems on the mobile platform have HTML5 security flaws. Hackers can now find those flaws more easily and inject malicious lines of code into legitimate-looking apps.

Messaging apps are another channel for computer worm contamination. Vulnerable chatting services include Facebook Messenger, which is a famous hotspot for hackers since the platform has over 1 billion monthly users worldwide. Hackers usually hide malicious executable files in JPEG images. Once the user clicks on them, the malicious worm gains entry into the device. From there, the worm continues to replicate, spy, consume HDD space and communicate with the hacker’s headquarters operation.

Computer worms can take advantage of security vulnerabilities in apps, web browsers and operating systems. Usually, worms exploit network service features to gain entry into the operating system and then replicate from there.

Another method of contamination is through email spam. Once the user clicks on a given email message’s attachment or malicious link or photo, the worm quickly infects the device and starts replicating. As a result, the worm may copy the user’s address book and send spam emails to every address in the contact list. In some cases, worms can also reply to the existing emails in the user’s inbox.

How Do Computer Worms Work?

Computer worms work by first gaining entry into the user’s device either through messaging apps, the messages themselves, spam emails, email attachments and malicious links. The user clicks on a malicious link, and the worm conveniently takes the user to a malicious website. Computer worms can also skip the link method and simply download themselves on the user’s device.

Once on the system or device, worms delete and modify files without the user’s consent. The main aim of the computer worm is to make multiple copies of itself on the user’s machine and potentially on other devices connected to the same network as well.

With enough replication, the system gets bogged down, the network becomes overloaded and the hard disk space shrinks. Worms also steal personal data, enable remote access and change system settings to make the device more prone to hacking attempts.

What Are the Names of Computer Worms?

The names of computer worms are given below.

• Morris Worm
• Nimda
• ILOVEYOU
• SQL Slammer
• Stuxnet
• Blaster
• Brontok
• Zotob
• Witty
• Welchia
• WANK
• Voyager
• Swen
• Toxbot
• Sober
• Sobig
• Koobface
• Bagle
• Code Red
• BuluBebek
• Badtrans

1. Morris Worm

Computer scientist Robert Tappan Morris created the Morris Worm in the late-1980s. His main goal was to approximate the size of ARPANET, a computer network that served as the foundation of the modern internet. The worm spread by replicating itself on thousands of other machines (which makes Morris Worm a type of internet worm), exploiting existing vulnerabilities such as weak passwords, rsh/rexec and UNIX send mail. Unintentionally, the worm caused a Distributed-Denial-of-Service (DDoS) attack when Morris Worm infected around 60,000 machines.

2. Nimda

Nimda is another computer worm that first came on the scene in 2001. Nimda is a virus-worm type of worm. The Nimda worm aims to infect any machine running the Windows operating system and wreak havoc, especially on Windows IIS servers, by jamming the network.

Nimda’s spread method is difficult to pin down since the worm can not only spread through websites containing malicious code but also through malicious email messages. In some ways, Nimda can be classified as a multi-vector worm.

Taking advantage of the internet, the Nimda worm infects emails and shared directories after gaining access to a local network. Nimda keeps replicating until Nimda affects all the machines on the network. Nimda comes in the form of an .exe file and is most effective against IIS servers. As with all worms, Nimda exploits security flaws to run from a simple email message and then installs itself on the device, after which it delivers the payload and starts replicating.

The safest way to remove worms like Nimda is to reformat all drives that have been infected. Moreover, all system apps must be reinstalled and security patches applied.

3. ILOVEYOU

ILOVEYOU is considered a VBScript worm. In the majority of the cases, the ILOVEYOU worm spreads from one device to another through emails. Microsoft Outlook is very susceptible against ILOVEYOU. In some cases, the worm can also behave as an overwriting VBS virus. ILOVEYOU is also able to spread via mIRC clients.

According to the worm’s developer, Onel de Guzman, the original aim was to steal passwords so he could get internet service for free. Eventually, the worm ended up infecting thousands of devices and causing massive financial losses.

Once ILOVEYOU executes on a Windows machine, the worm starts making copies of itself and placing them in the system directory of the operating system. Some of the file names include LOVE-LETTER-FOR-YOU.TXT.vbs and MSKernel32.vbs. Additionally, ILOVEYOU also makes copies in Win32DLL.vbs. After that, ILOVEYOU makes registry modifications that allow the worm to execute even if the user restarts the system.

ILOVEYOU also affects Microsoft Internet Explorer by changing the homepage to a simple link that, when clicked, executes a program WIN-BUGSFIX.exe. When the user downloads the file, ILOVEYOU adds another item to the device’s registry.

Certain online portions of ILOVEYOU are built to steal passwords from the device through Trojans, malware that appears legitimate on the surface. The ILOVEYOU-related Trojans also delete various keys in the Windows folder. After a series of steps involving manipulating and creating files to modify the system, ILOVEYOU searches for various files and folders and then moves to overwrite them with malicious code. Most of the files that get infected have the extension .vbs and .vbe.

To prevent problems arising from the ILOVEYOU worm, users should install a reputable program for virus removal. Any other precaution should come after that.

If the ILOVEYOU computer worm has downloaded itself on the computer, the user should start by restarting the device with the safe mode option turned on. From there, the user should delete all temporary files and then use a reputable anti-virus program to run a scan. A disk cleanup operation can also help speed up the computer after the worm is gone. As mentioned before, run a malware scan using any reputable malware removal application, such as Malwarebytes.

4. SQL Slammer

SQL Slammer is another worm that first appeared in 2002. The main aim of this computer virus is to cause DDoS attacks via the machine it infects first. This computer worm primarily targeted Microsoft SQL 2000 servers that hadn’t been updated in a long time.

SQL Slammer mainly spreads through the internet, where it scans the online world for systems with vulnerabilities. Hackers can program SQL Slammer in a packet sized 376 bytes. If there is a vulnerable server nearby, SQL Slammer can infect it through the internet.

This worm also does not delete or create files. Once SQL Slammer infects a machine, the program scans for other Microsoft SQL servers nearby, in addition to MSDE 2000 servers.

Since SQL Slammer is small in size and can impersonate a unit UDP packet, the worm can trick SQL servers into thinking it’s part of a normal data and database request. The target machine reprograms itself once it opens the SQL Slammer request and carries out the instructions contained inside.

SQL Slammer then generates a list of random IP addresses targeting various other computers that don’t have to be part of the same network. After that, SQL Slammer replicates by sending its code to addresses with the stamp UDP.

To remove SQL Slammer, users can employ anti-virus products from providers such as Trend Micro and Symantec, which have tools specifically designed for SQL Slammer-infected machines.

5. Stuxnet

Stuxnet was first discovered in 2010 while targeting nuclear facilities in Iran. The main aim of this worm was to destroy centrifuges in Iranian enrichment facilities. For more background, check out our article exploring the topic, “What is Stuxnet?”

Stuxnet is considered a multi-part worm, especially in the case of attacks on Iranian nuclear facilities. The computer worm first travels via USB sticks. When the time comes for spreading, Stuxnet spreads through computers running on the Microsoft Windows operating system.

Once in a system of computers, Stuxnet runs a search for infected devices with specific software on them. The Iranian attack had a Stuxnet variant that specifically targeted computers serving as programmable logic controllers to monitor and automate plant equipment.

To prevent attacks such as those launched via Stuxnet, the IT department of any facility or department must patch everything as soon as the patch or update becomes available. In addition to strong passwords and multi-factor authentication, IT administrators should also enable virus scanning tools on the entire operating system and any portable device that forms a connection with the system.

Using firewall programs to separate normal business traffic from the network that handles industrial tasks is another method to help prevent attacks not just from Stuxnet but many other computer worms.

Use an anti-virus product like Panda Security to scan the entire infected device and then update the operating system. Most premium anti-virus products can remove Stuxnet with a single button. Keeping the anti-virus program updated is also very important if users want to make sure Stuxnet stays out of their system.

What Are the Types of Worms?

The types of worms are given below.

• Email worms
• File-sharing worms
• Cryptoworms
• Internet worms
• Instant messaging worms

1. Email Worms

Email worms’ main channel of infecting devices and spreading to other systems is through email. Email worms can first infect a link (which takes the user to the worm’s file) or an email message (as an attachment) and then use that to enter a given network. The link contains an infected file that may be hosted on a malicious website or a legitimate website hosting compromised content.

Once a user clicks on the attachment that comes with the email, the worm’s code is activated. Similarly, in the case of a link, the email worm activates when the user opens the file that was downloaded through the malicious link. The end result remains the same, in that the worm is able to activate itself because of the target user’s actions.

Email worms can use the Windows MAPI function offered by MS Outlook and connect to an SMTP server to send malicious emails to other potential targets. Sometimes, the worm’s code contains an email directory to which the worm sends messages.

To build that email list, the email worm can use the MS Outlook address book or a WAB address database, or even a simple .txt file on the user’s device containing email addresses. Email worms are also able to read email addresses from the user’s inbox.

To prevent email worms from infecting a given machine, the user should not click on any attachments or links that come in email messages unless the sender is verifiable. Users should also avoid clicking banners and third-party advertisements on any website or service they use. Visiting third-party websites is dangerous on its own, as many sites try to infect user devices with viruses and worms that can compromise security and privacy.

As always, using an anti-virus program can help protect the machine from getting infected with an email worm in the first place. Updating all existing software applications (especially web browsers), as well as the operating system itself, is a surefire way to prevent email worm infection.

2. File-Sharing Worms

File-sharing worms have the ability to copy themselves in a given shared folder. These types of worms are adept at replicating and spreading through peer-to-peer (P2P) networks.

The main aim of file-sharing worms is to use P2P networks to infect user devices. Since these worms spread through P2P networks, sometimes they’re referred to as P2P worms. Before the days of premium streaming services and content creator websites like Netflix and YouTube, online users would routinely use Kazaa, Gnutella, FastTrack, and EDonkey. These were the leading platforms through which file-sharing worms infected devices.

File-sharing worms are simpler than other advanced worms. The worms first find a way to get on a given P2P network and then wait for the opportunity to copy themselves to a specific file-sharing directory which, in the context of P2P networking, is just a folder on a user’s computer. Once a P2P worm infects that shared directory, it leverages the power of P2P networks.

Every time a user searches for a specific file, the P2P network does its job and informs of the file’s location and the user who has uploaded the file. P2P networks offer the digital infrastructure needed to transfer the file from one machine to another seamlessly. The new user only has to download the infected file from the file-sharing directory, which is enough for the worm to replicate and spread further.

P2P worms can take advantage of more complicated setups to spread and infect as well. One type of P2P worm has the ability to imitate file-sharing system network protocols. Once a user searches for a file, such P2P worms can respond to these requests. In the search results, the P2P worm presents one of its copies as an item.

To prevent P2P worm infection, the user has to exercise great caution while downloading files and accepting files other users try to share on the P2P network. Even after ensuring the source is legitimate, users should avoid downloading copyrighted pirated or illegal material from the internet.

Being mindful about what one shares on various file-sharing platforms is another way to prevent file-sharing worms from getting on the system in the first place.

Since file-sharing worms are just types of worms, which in turn are just viruses, any good anti-virus or anti-malware application can effectively take care of these worms. Malwarebytes is one of the most recommended tools for removing all sorts of file-sharing worms from a given machine.

3. Cryptoworms

Cryptoworms are the latest type of semi-autonomous and self-propagating ransomware. Like a normal computer worm, a cryptoworm does not need any input from a human to replicate and infect devices.

The aim of cryptoworms is like that of any other ransomware. Cryptoworms want to infect a given device and encrypt all its data, then demand money from the device’s owner to return the data. Cryptoworms spread via methods such as spam email and malicious links on compromised websites.

Once on a given device, cryptoworms usually target executable files that do not have any protection. Some cryptoworms come with another advanced component that searches for mapped remote and local drives. When found, the cryptoworm scans them to identify devices connected to the remote or local drives. Then, when an opportunity opens up, cryptoworms infect those machines with malicious programs as well. Authentication infrastructures that contain weaknesses are also at risk of exploitation.

Cryptoworms also come with advanced modules that keep them safe from any program discovering them. Advanced cryptoworms limit CPU usage and network traffic, so it’s hard to know if the system has been infected.

To prevent cryptoworm attacks, users should always stay on top of any patches released for applications on their devices. Using a well-configured firewall and a robust anti-virus solution is also a great way to limit cryptoworm attacks. Users should also use reputable add-ons and email services to open and read their emails.

To remove cryptoworms from a system, users could pay the hackers who infected the machine and get their data back, but experts tend to advise against this. Another method is to actually remove the cryptoworm through a reputable anti-malware or anti-virus application like F-Secure or Malwarebytes. Finally, if none of these methods work, users need to wipe their whole device and install everything again.

Users who have made regular backups can simply use their backups to restore everything to normal. Decryptor programs may also work, but the best way to ensure the cryptoworm is gone from the system is to wipe all devices holding data and then install everything fresh.

4. Internet Worms

Internet worms are able to copy themselves to one device or multiple devices and then replicate themselves through the networks the infected devices have connected to.

The main aim of internet worms is to spread themselves on as many devices as possible and as quickly as resources permit. Internet worms also aim to take control of infected machines, steal sensitive information and encrypt user data to later get a ransom. Some internet worms want to control other devices remotely and turn them into digital bots for launching DDoS attacks and other malicious operations.

To prevent infection from internet worms, users should always install an anti-virus program on their machines. Updating the program regularly is also a must. Since modern internet worms evolve quickly, keeping the operating system and other applications patched up is critical.

Firewall products can stop worms from communicating with a remote server. Turning off administrative privileges for day-to-day work on a device also thwarts internet worms.

5. Instant Messaging Worms

An instant messaging worm is a special kind of computer worm that infects devices and replicates itself without any human input by leveraging the infrastructure provided by instant messaging networks.

All computer worms are alike in general, but instant messaging worms only spread by exploiting loopholes found in the networks of popular instant messaging applications. After infecting a device, instant messaging worms try to find the contact list associated with the instant messaging app on the device. Then, the computer worm sends itself to every address found in the contact list.

As is the case with most worms, instant messaging worms also thrive on security vulnerabilities that exist in the codebase of operating systems and applications. Hence, users must keep their operating systems and all applications completely up-to-date. The same goes for any patches for instant messaging apps. Using an anti-virus product and an anti-malware scanner like Malwarebytes always helps.

To remove any instant messaging worm, the user can try any reputable anti-virus program like Norton or Symantec. Before doing so, users should update the virus definitions associated with their anti-virus product and disable the Windows Restore feature. After that, they should run a complete scan of the whole system. If there is a new and suspicious-looking item added to the registry, users should delete that as well.

How to Detect If There Are Worms in the Computer?

The most important step to detect if there are worms in the computer is to look at email messages, specifically those with suspicious attachments.

Many types of worms exploit email attachments because users often don’t pay much attention while clicking them. If the user clicks on an attachment containing a worm, the computer usually starts to behave differently. A sudden increase in previously-unseen dialogue boxes is also a good sign that a worm has infected the device.

Another low-tech solution to detect if there are worms in a computer is to send email messages to the people on the contact list and ask. If people on the contact list mention email messages that the user does not remember sending, that’s a sign of worm infection. Most of the time, files attached to email messages have extensions like .bat, .scr, .vbs and .exe. Users should check if the email inbox has such messages. If so, that’s a symptom of worm infection.

Lack of free space is another symptom of worm infection. Most users know how much data resides on the HDD of the device. Since the main aim of any worm is to replicate and spread, worms can quickly consume HDD space by making copies of themselves.

Slow speeds may also occur on a worm-infected computer. Since the worm is taking up resources to replicate and spread itself, the user’s device can’t give proper resources to normal operations and hence slows down.

One of the most effective ways to detect worms on a computer is to look at which programs are installed on the system. If several programs suddenly stop working correctly or start to show the dreaded “not responding” error, a worm might be present.

Worms often manage to delete the most critical programs in a target’s computer. If the user’s operating system is unable to carry out routine administrative tasks, it might be infected with a worm.

Finally, using an anti-virus can also help to detect worms on a device. But not all anti-virus programs can detect worms, and even the ones that do cannot detect every worm that exists. Therefore, the user has to use the anti-virus program or anti-malware program in conjunction with the methods mentioned above to ascertain the presence of a worm on a computer.

How to Prevent Computer Worm?

There are many tools to detect and prevent computer worms, the foremost of which are anti-virus and anti-malware products.

A reputable anti-virus or anti-malware product can prevent any computer worm from infecting the system in the first place. Such tools are very effective at keeping a vast portion of worms in the wild at bay.

Some of the tools used to prevent computer worms are given below.

• Microsoft Malicious Software Tool
• Malwarebytes, Kaspersky or any anti-virus tool that can detect worms
• System Restore feature on the Windows platform
• Backup generators
• Windows Firewall

What Are the Examples of Worm Attacks?

The examples of worm attacks are given below.

• Melissa infected devices in the thousands back in 1999. This email worm hacked email accounts and injected malware into Microsoft Word attachments. The worm effectively changed email subject lines and modified attachment files. The difference between Melissa and its predecessors was the worm leveraged social engineering concepts before other worms employed this technique. Melissa did not require human input to spread and caused close to $80 million in losses.
• MyDoom caused technology firms like Microsoft and Google to suffer DDoS attacks. The difference between MyDoom and other worms was that MyDoom used email to move from one infected computer to another. MyDoom used unique and relevant email subject lines containing keywords like Test, Error and Mail Delivery System to dupe users into opening the email message and clicking on a link or attachment. MyDoom also enabled hackers to access infected machines remotely.
• Code Red represented a worm that exploited security vulnerabilities in Microsoft IIS servers. Code Red essentially caused buffer overflow before replicating itself onto other computers on the same network that suffered from the same kind of vulnerability.
  The effect of Code Red on infected machines was that infected machines showed users a legitimate-looking message on the screen explaining that China had hacked a site. Once the message was shown, it took Code Red another month to launch DDoS attacks with the help of all the infected devices, which created a botnet. Code Red was different because it targeted websites of all sizes, including that of the White House.
• Jerusalem represented the early stages of worms. Fundamentally, the effect of Jerusalem was similar to a strong malware attack. Once Jerusalem infected a system, the worm moved to delete files and programs that the user or the device itself executed on Friday the 13th. The Jerusalem worm also slowed down the computer by depleting the available resources when it tried to replicate itself. The size of existing files on the infected machine also increased after infection.
• Michelangelo was a type of computer worm that hit computers running MS-DOS. Michelangelo was one of the first worms that could modify the contents of the infected device’s hard disks and alter the device’s master boot record. The effect of this worm was similar to any other type of worm: Michelangelo damaged systems and caused data loss, which inevitably led to financial losses.

What Are the Facts about Computer Worm?

The facts about computer worms are given below. 

• Computer worms are spread through operating system vulnerabilities. Generally, worms take advantage of security flaws in operating systems. Worms can certainly use many other methods to spread and replicate, but in most cases, computer worms find the weak spot in a given operating system’s code. Since every computer in the world (including servers) has an operating system, all computers are vulnerable to worms.
• Worms can infect computers owned by corporations and home users, as well as servers and networks.
• Computer worms have infected hundreds and millions of devices, some of which can’t even detect if an infection has occurred.
• British science fiction author John Brunner was the first person to describe a worm as a self-propagating, self-replicating and self-contained computer program in the 1970s.
• Computer worms do not need a host to replicate and spread.

Is a Worm a Virus?

No. After defining what is a virus, it should become clear that a worm is slightly different from a virus. This confusion is tied to the aim and end result of having worms and viruses on a device. Both damage machines, steal data and consume resources.

Which Is More Dangerous, Virus or Worm?

Generally, a worm is more dangerous. The actual threat level of a virus or a worm depends on the skill of the hacker and the scale of the cyberattack in question. Worms are considered worse for the security of any device because worms infect machines much more stealthily than viruses. Users may not even realize there’s a worm on their machines. The share of viruses that can infiltrate a system and not leave any traces is still minimal.

The consequences of viruses and worms are mostly the same. Both viruses and worms invade user privacy by stealing data and sending the data to a remote server. Viruses and worms also cause a host of security problems. Some cyberattacks, such as WannaCry, use a mix of viruses and worms that can damage entities and organizations even more.

Since viruses need the user to first connect an infected USB drive to the system, run an infected app or boot from an infected disk to actually get going and damage device operations, viruses are a bit restricted.

On the other hand, worms can be effective without the user carrying out any tasks. Worms do not rely on a malicious program or an infected disk. After entering a system, worms have everything they need to start replicating and spreading to other parts of the infected system and beyond. They can then infect other devices through the network the infected device has connected to.

The ability to replicate on its own is what makes worms more dangerous than viruses. Consequently, worms present more dangers such as network overloading, lack of clear signs of infection, remains of the worm even after an anti-virus scan and less bandwidth.

As mentioned, whether or not a worm is more dangerous than a virus depends on the case being referred to, the skill of the hacker, the resources available and the scale of the attack.

What Are the Characteristics of Computer Worms? 

The characteristics of computer worms are given below.

• Worms slow down the user’s computer.
• Computer worms reduce system performance.
• Worms can remove files from a system.
• Threats like worms can make the computer behave in unexpected ways.
• Sometimes, worms simply disable the computer firewall product.
• Worms can also disable anti-virus products.
• Computer worms can open random websites once a web browser is launched.
• More and more applications start to malfunction.
• Worms can slow down the internet connection as well.

What Are the Most Famous Computer Worms?

The most famous computer worms are given below.

• Conficker famously created the infrastructure for hackers to install apps on infected computers remotely. The worm mostly uses the infected machines as botnet contributors rather than killing them entirely.
• Blaster is another worm known for triggering a menacing payload that resulted in DDoS attacks against major websites, such as windowsupdate.com and others. Blaster worm is also known for generating exciting error messages once the worm infected a domain. The worm didn’t kill machines entirely but used the infected devices as botnet members.
• Storm was a worm most famous for infecting the main domain of Microsoft. Similar to other worms, Storm infected devices and then spread to other devices, using them as contributing members to launch DDoS attacks.

What Are the Computer Worms for Kids?

There is no difference between a computer worm for kids and a normal computer worm. Both are designed to act as standalone malicious programs capable of replicating on a given infected device and then spreading to others through the network the first infected device is connected to.

There are many other ways for computer worms to spread as well.

What Are the Malware Differences Between Computer Viruses, Worms and Trojans?

Any code or program designed to damage and harm computer systems and networks is known as malware.

The terms “malware” and “virus” are sometimes used interchangeably. Viruses are programs that infect a device and copy themselves to the device before spreading to other files and folders. Eventually, viruses spread from one device to another as well, but only when the files are shared or transferred.

Worms are self-replicating pieces of code that use network and operating system vulnerabilities to gain access to devices. Worms then make copies of themselves to consume space and network resources. Worms use network vulnerabilities to spread to other devices and then restart the replication process until all devices in the network are infected.

But what is Trojan? Trojans are apps that install backdoors in infected devices. Trojans hide their activities and pose as harmless entities while using malicious code to install backdoors in the infected devices. Hackers then use these backdoors to control the infected devices remotely. Eventually, the infected device can be used to launch DDoS attacks, send spam or work as a proxy server for illegal activities.

Worms are different from viruses as worms do not need the user to transfer a worm to another device to spread. Worms can spread on their own via network exploits.  Viruses also require the user to launch the infected apps to start working or install an infected app via a USB drive or an online resource. Worms do not need to infect an app to work. Worms copy themselves and then launch those copies to make more copies.