Malware: Virus, Worm, Trojan & EDR Defense (2026)

PerfectNotes Team•Updated May 2026

Share

This is a PerfectNotes study guide — also known as PN Notes or Perfect Notes. PerfectNotes provides free computer science student notes, MCQs, and interview preparation guides at perfectnotes.org.

Download PDF

What is Malware?

In the early days of computing, software bugs were simply accidental coding errors that caused programs to crash. Today, cybercriminals intentionally write highly sophisticated, weaponized code designed to infiltrate systems, steal data, and extort billions of dollars from global enterprises.

In 2026, malware has evolved from simple pranks into a massive, organized criminal enterprise. It is more sophisticated (using AI-driven evasion), more profitable (driven by Ransomware-as-a-Service), and highly persistent.

How Malware Works (The Infection Lifecycle)

While there are many different types of malware, a successful attack generally follows a specific, step-by-step lifecycle:

1. Delivery (The Vector): The attacker delivers the malicious code via a Phishing Email (a fake email with a malicious attachment), a compromised website (Drive-by Download), or an infected USB drive.
2. Execution: The user clicks the attachment, or a software vulnerability automatically executes the code in the background without any user action required.
3. Establish Persistence: The malware alters the Windows Registry or startup folders so it automatically restarts even after the machine is rebooted.
4. Command & Control (C2): The malware secretly contacts the attacker's Command and Control server to receive further instructions or download additional payloads.
5. Action on Objectives: The malware executes its final goal — encrypting files for ransom, logging keystrokes, or exfiltrating the corporate database.

Types / Categories of Malware

Malware is categorized strictly based on how it spreads and the specific type of damage it causes to a system.

1. Virus

A piece of code that inserts itself into a legitimate program (the Host) and runs when the user executes that program.

• ● Mechanism: Requires human action to spread — you must double-click the infected .exe file or open the infected Word document.
• ● Key Trait: "I cannot travel alone; I need a host file to survive."
• ● Examples: CIH (Chernobyl) Virus overwrote BIOS, bricking machines; Melissa (1999) spread via Word documents, infecting 1 million PCs.

2. Worm

A standalone program that replicates itself to spread to other computers across a network automatically.

• ● Mechanism: Uses network connections to scan for vulnerabilities and propagate. Does NOT need a host program or any user action.
• ● Key Trait: "I can travel by myself at the speed of the network."
• ● Examples: WannaCry (2017) infected 200,000 machines in 4 days; Morris Worm (1988) crashed 10% of the internet.

3. Trojan Horse

Malware that disguises itself as legitimate, useful software to trick the user into voluntarily installing it.

• ● Mechanism: Does not replicate. Instead opens a hidden "Backdoor" allowing attackers to control the system remotely.
• ● Key Trait: "I look like a fun video game, but I am actually a spy."
• ● Examples: Zeus Banking Trojan stole millions from online accounts; Emotet evolved into a full malware delivery platform.

4. Ransomware

A highly destructive malware that encrypts a victim's files and demands a ransom payment (usually in cryptocurrency) to provide the decryption key.

• ● Mechanism: Targets valuable files (databases, photos) using strong AES-256 encryption. Modern variants also threaten to publish stolen data if unpaid (Double Extortion).
• ● Key Trait: "Pay me or lose your data forever."
• ● Examples: WannaCry, LockBit (Ransomware-as-a-Service platform), Ryuk (targeted hospitals and enterprises).

5. Spyware & Adware ️

• ● Spyware: Secretly runs in the background, capturing keystrokes (Keyloggers), taking screenshots, and recording passwords to send to the attacker. Example: Pegasus infected smartphones via zero-click exploits, targeting journalists worldwide.
• ● Adware: Injects unwanted advertisements and browser pop-ups, drastically slowing system performance. Often bundled silently with free software downloads.

Virus vs. Worm: Key Differences (2026)

This is the most critical distinction in malware analysis and the #1 most tested concept in cybersecurity exams.

Advanced Engineering Concepts (The Defence)

Modern malware easily bypasses traditional, signature-based Antivirus (AV) software by constantly mutating its code structure (Polymorphism). Engineers must deploy advanced behavioral architectures to stop them.

Endpoint Detection and Response (EDR)

Traditional AV relies on a dictionary of known "bad files." If a brand-new Zero-Day malware variant attacks, the AV won't recognize it. EDR solves this by monitoring behavior. Even if an EDR agent has never seen a file before, if it observes a Microsoft Word document suddenly launching PowerShell and modifying the Windows Registry, the EDR recognizes the behavior as malicious and instantly kills the process.

Leading EDR platforms — CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne — stream endpoint telemetry to the cloud for AI-powered correlation across the entire organization's fleet in real time.

Fileless Malware & Living off the Land (LotL)

Advanced attackers no longer drop .exe files onto the hard drive. Fileless Malware exists purely in the computer's volatile RAM, hijacking legitimate, built-in Windows administration tools like WMI and PowerShellto execute attacks — a technique known as "Living off the Land" (LotL).

Because no malicious file is ever written to the hard drive, traditional Antivirus scans find absolutely nothing. Detecting LotL attacks requires EDR with memory scanning, application whitelisting, and PowerShell Constrained Language Mode.

Real-World Case Study: The WannaCry Ransomware Worm (2017)

The WannaCry attack is the textbook example of what happens when a destructive payload (Ransomware) is combined with a self-replicating delivery mechanism (a Worm).

• ● May 2017: A massive cyberattack begins spreading across the globe at unprecedented speed.
• ● The Vulnerability: The malware exploited "EternalBlue," a critical flaw in the Windows SMB protocol. Microsoft had released a patch two months prior, but thousands of organizations had failed to apply it.
• ● The Exploit (The Worm): Because it was a Worm, no human clicks were required. Once it infected one machine inside a hospital or office, it automatically scanned and infected every other unpatched machine on the same internal network.
• ● The Impact (The Ransomware): It encrypted all data on infected drives and demanded $300 in Bitcoin. Within 4 days, WannaCry infected 200,000 computers across 150 countries, crippling the UK's National Health Service (NHS) and causing billions in global damages.
• ● The Lesson: Organizations that applied the Microsoft patch two months earlier were completely immune. Patch management is not optional.

Key Statistics and Industry Data (2026)

• ● Ransomware Costs: The average ransom demand has skyrocketed to over $200,000, with total remediation costs (downtime and recovery) often exceeding $2 million per incident. (Source: Cybersecurity Ventures/Coveware, 2026)
• ● The Human Element: 82% of all successful malware infections involve human error, primarily employees falling for targeted Spear-Phishing emails. (Source: Verizon Data Breach Investigations Report, 2026)
• ● The Recovery Myth: Only 8% of companies that pay a ransom recover all their data — attackers' decryption tools are frequently flawed or intentionally withheld. (Source: Coveware Ransomware Attack Report, 2026)
• ● Attack Frequency: A ransomware attack occurs somewhere in the world every 11 seconds in 2026, up from every 40 seconds in 2021. (Source: Cybersecurity Ventures Global Ransomware Report, 2026)

Quick Reference Cheat Sheet

Frequently Asked Questions (FAQ)