3 types of “viruses” demystified

In the anti-malware business we often quibble over details the general public does not care about. To us these differences are important, though, as classifying a piece of malware helps us define and understand its nature and helps those of us stuck with detecting or cleaning up an infection.

Many people, especially journalists and Mac users, try to use their understanding of these terms to defend their poor choices in security practices. I thought it might be a good time for a little review over the Easter weekend to explain the differences between these types of malware, and unblur the lines between them.

Let’s begin with the obvious. Technically, what is a virus?


Skull and crossbones

Just as the trade name Kleenex has come to refer to all brands of facial tissue, the term virus is used generically to refer to many different types of malware and malicious code. However, the most basic definition of a virus is a parasitic application that can self-replicate.

Viruses require a carrier, that is, a file that a user wants or needs that it can hide inside of. This is how viruses move around; they embed themselves into files you are likely to share with someone, like documents or other files you might store on a USB drive or network share. A virus cannot transport itself, but can copy itself into other files on your computer and hope you transfer the infected files to other computers.

Old-school users may remember boot sector viruses. This type of virus depended on good old sneakernet: moving files from one computer to another using floppy disks. This type of virus was common on DOS/Windows, Amiga, and Apple Mac computers.

Many Mac users take glee in pointing out to me that there are no known viruses for OS X. This is not technically true. While the BadBunny malware was both a virus and a worm on Linux and Windows platforms, it only behaved as a virus on OS X.


Worm diagram

Worms are another sub-type of virus. Worms are traditionally defined as network-aware malware, although they can spread through USB or other methods. Worms typically spread by exploiting vulnerabilities in network-facing software and injecting themselves into the target system. Some recent examples of very successful worms are Conficker, QBot, and Koobface.

Like viruses, worms can be multi-component threats and many are both Trojans and worms. However, the term worm specifically refers to the malcode’s ability to reach out to machines across your LAN or the internet and actively infect remote computers without user intervention.



Key to the definition of a Trojan is that it is not self-replicating. Like the Trojan horse of ancient Greece, most Trojans are disguised as useful files or applications that entice you into executing them. Some of the more common ruses we have seen to distribute Trojans are the rash of fake codecs or plug-ins that are required to view online videos and the famous “Nude Angelina Jolie” emails.

This is where some confusion sets in. It would appear that, to be infected by a Trojan, you must open a malicious attachment, or choose to download a file from a dangerous source. What many people do not understand is that Trojan is simply the technical classification of the sample. It does not require the user to choose to run it.

The best example of Trojans that do not require user intervention are the many drive-by exploits we see running roughshod through compromised websites. The file that gets loaded onto your computer is in fact a Trojan. Unlike a virus or worm, it is not self-replicating, and unlike a virus, it does not require a host file to infect. By exploiting your browser/document reader/media player/extension/plug-in, the attacker is able to transfer the Trojan to your computer and run it without intervention.

It doesn’t really matter whether your computer is vulnerable to viruses, worms, or Trojans. All malware is, by definition, malicious. Fortunately, anti-virus stops not only viruses, but a wide variety of threats. Sophos publishes a booklet explaining many of these as well as other terms related to computer security. We call it the “threatsaurus: the a to z of computer security threats”.