Email worms

Email worms spread via infected email messages. The worm may be in the form of an attachment or the email may contain a link to an infected website. However, in both cases email is the vehicle.

In the first case the worm will be activated when the user clicks on the attachment.In the second case the worm will be activated when the user clicks on the link leading to the infected site.

Email worms normally use one of the following methods to spread:

* Direct connection to SMTP servers using a SMTP API library coded into the worm
* MS Outlook services
* Windows MAPI functions

Email worms harvest email addresses from victim machines in order to spread further. Worms use one or more of the following techniques:

* Scanning the local MS Outlook address book
* Scanning the WAB address database
* Scanning files with appropriate extensions for email address-like text strings
* Sending copies of itself to all mail in the user's mailbox (worms may even 'answer' unopened items in the inbox)

While these techniques are the most common, some worms even construct new sender addresses based lists of possible names combined with common domain names.