What are worms?

A worm is a type of malware that spreads to other PCs. Worms can copy themselves and often spread through a PC network by exploiting security vulnerabilities.

How do I get infected with a worm?

Worms can spread through email attachments, instant messaging programs, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.

How do I remove a worm?

Use the following free Microsoft software to detect and remove it:

You should also run a full scan. A full scan might find other, hidden malware. If you still can't remove it, visit our advanced troubleshooting page for more help.

Prevalent worms

Jenxcus (also known as Dunihi), Gamarue (also known as Androm), Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software.

From January to July 2015, we have seen these worms affect over 12.8 million PCs with Jenxcus infecting the most PCs taking 37 percent of the worm family infections while Gamarue comes in at a close second at 35 percent.

These worms reach far and wide, affecting multiple countries and continents. In the past month, we’ve seen India garner over 200,000 infections which were mostly from Gamarue and Jenxcus. Similarly, Mexico took more than 200,000 infections from the same worms with the addition of Bondat.

Figure 1. Top 10 worm distribution from January to July 2015

Figure 2. Countries most affected by Jenxcus, Gamarue, and Bondat from June to July 2015

These worms share the common behavior of infecting victims by copying themselves to mapped network drives or removable drives. Depending on the variant, these malware can do various malicious actions such as steal sensitive information, change PC security settings, send information to malicious hackers, and stop users from accessing files.

Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics.

Figure 3. Worm infection vector

Jenxcus has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. Typically, this threat gets into a PC from a drive-by download attack. It can also be installed when users visit a compromised webpage.

Gamarue typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives.When Gamarue infects a PC, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.

Bondat typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as PC name, GUID, and OS build. It then sends that information to a remote server.

Both Bondat and Gamarue have a clever way of using obfuscation to evade detection. By hiding what they are doing on your PC they try to avoid detection by your security software.

Protect yourself from these types of threats by:

See the following descriptions for information on how these worms work: