Before writing code, look at existing viruses and worms.
I'll overview viruses written on interpreted languages (script viruses) that are presented on Kaspersky Lab's site, http://www.viruslist.com/ , which is a virus encyclopedia. The worm I'm going to describe in this chapter belongs to this type of viruses.
A list of such viruses is available at http://www.viruslist.html?id=12 . They are as follows :
BAT.IBBM.generic is an innocent virus that propagates only within one computer. It infects batch files by appending its body to the end of a file. It has nothing in common with the worm described in this chapter.
CS.Gala is the first known virus that infects CorelDraw scripts. It cannot leave the computer on its own.
HTML.Internal is the first known virus that infects HTML files. It cannot reproduce itself. It infects HTML files on the client computer after the user visits an infected site. It cannot move from one computer to another on its own.
HTML.NoWarn.a is similar to HTML.Internal .
SWScript.LFM infects Macromedia Flash files.
Script.Inf.Demo infects installation files.
VBS.AVM uses File System Object (FSO) commands for reproduction but cannot leave the file system of a computer.
WinREG.Antireg.a infects Windows registry files.
WinScript.777 infects Windows script files.
All the viruses run on the client computer under the Windows operating system. They cannot leave the computer or infect the server on their own.
In addition, the virus encyclopedia contains descriptions of a few viruses written in PHP.
PHP.Pirus is the first virus written in PHP. It looks for and infects PHP and HTML files in the current directory. When infecting a file, the virus doesn't write its body into the file. Rather, it writes the link to its file. This virus cannot leave the computer. However, it is likely that it will eventually infect the entire server. (The virus cannot enter the server on its own.)
PHP.Neworld is similar to the previous virus.
PHP.virdrus is similar to the previous two viruses. Unlike them, it copies itself into the file it infects. This method of infection is more advanced.
So, none of these viruses can leave the file system of a computer. Currently, the most advanced worm is Net-Worm.Perl.Santy.a.
It acts as follows:
The virus creates a request to Google to find sites that contain the phpBB forum version 2.0.11 or earlier. These versions of this forum engine have crucial vulnerabilities that allow a malicious user to execute any code.
The virus creates HTTP requests exploiting the vulnerability and sends them to each found file. Thus, it infects vulnerable servers.
The virus increments its generation counter and starts from the beginning.
This virus has the following distinctive features:
It is written in Perl.
It infects sites through a vulnerability in a particular version of a particular product.
It infects only servers. It isn't dangerous to end users.
It can leave the computer.
The result of infection is defacement of the site.
This is the first known virus that successfully infects server computers using vulnerabilities in Web applications.
To develop this idea (the use of vulnerabilities in Web applications) you could try to write a worm that would do the following:
Exploit a particular type of vulnerability regardless of software rather than attack a particular version of a particular product.
Use several search systems to look for vulnerable sites.
During the peak of its reproduction, Net-Worm.Perl.Santy.a infected more than 40 million servers worldwide. Google began to block search requests typical of this worm and stopped its propagation.