Malware, Virus, Worm, and Trojan Symptoms

Key Takeaways

  • A virus attaches to a host file or program and usually requires execution to spread.
  • A worm self-propagates across networks by exploiting weaknesses or using reachable services.
  • A Trojan disguises malicious behavior inside something that appears useful or legitimate.
  • Malware identification should be based on symptoms, propagation pattern, and evidence rather than fear or labels.
  • The ISC2 CC exam is CAT, 2 hours, 100 to 125 items, with a 700 out of 1000 passing grade; no official pass-rate claim is needed.
Last updated: April 2026

Network attack questions often describe symptoms before naming the attack. That is intentional. A security analyst should not call every compromise a "virus" or every outage a "DDoS." The better skill is reading the pattern: how did it arrive, how did it spread, what systems are affected, what traffic changed, and what evidence supports the conclusion. The current ISC2 CC outline is effective October 1, 2025, and a new outline is effective September 1, 2026.

The exam is computer adaptive testing, runs for 2 hours, includes 100 to 125 items, and uses a 700 out of 1000 passing grade. Domain 4 is part of the current five-domain weighting of 26 percent, 10 percent, 22 percent, 24 percent, and 18 percent.

Virus

A virus attaches itself to a file, document, macro, boot sector, or executable and spreads when that host item is moved and executed. In a scenario, look for clues such as infected documents sent by email, macros that run when a user opens a file, or executable files that infect other files on the same system. A virus usually needs some user action or process execution to spread. Controls include endpoint protection, disabling unnecessary macros, patching, least privilege, application control, email filtering, and user awareness.

Worm

A worm spreads itself without needing to attach to a separate host file. Worm scenarios often include rapid scanning, many hosts becoming infected quickly, exploitation of an unpatched service, or traffic spikes between internal systems. A worm can create network congestion because infected machines look for new victims. If a monitoring tool shows hundreds of internal hosts attempting the same connection to many peers, think worm-like propagation or automated scanning. Controls include timely patching, network segmentation, vulnerability management, endpoint detection, and blocking unnecessary lateral movement.

Trojan

A Trojan pretends to be something useful while hiding malicious behavior. A user may install a fake update, pirated tool, game, document converter, or "security scanner" that actually steals credentials or installs remote access. Trojans rely heavily on deception, so they overlap with phishing and social engineering. Unlike a worm, a Trojan does not necessarily self-propagate. The clue is disguise: the user intentionally opened or installed something they believed was legitimate.

Symptom-Based Identification

Symptom | More likely clue
Document macro infects files after users open attachments | Virus
Many hosts scan the network and exploit the same service | Worm
Useful-looking installer creates a backdoor | Trojan
Browser redirects after a suspicious extension install | Trojan or unwanted software
One compromised host sends spam through email accounts | Malware, credential theft, or bot activity

Do not stop at the label. Response priorities are to contain, preserve useful evidence, reduce spread, and restore safely. If a worm is suspected, segmentation and blocking the exploited service may be urgent. If a Trojan stole credentials, password resets and session revocation may matter as much as cleaning the endpoint. If a virus came through email, filtering and attachment controls may prevent more infections.

Practical Scenario

A finance employee receives an email that appears to come from a vendor. The attachment opens a spreadsheet and asks the user to enable macros. Soon, local files are modified, and the same attachment is sent to several contacts. The attachment, macro execution, and file infection point toward virus behavior delivered through phishing. The response should include isolating the host, collecting the email artifact, scanning related systems, blocking the attachment hash if available, reviewing mailbox forwarding rules, and reminding users not to enable untrusted macros.

Another scenario: after a weekend, many unpatched lab systems generate outbound traffic to the same port on every internal subnet. That pattern is more worm-like because the spread is automated and network-based. The answer should focus on containment, patching, and blocking unnecessary east-west traffic.
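The worm clue described in the Worm section and in the lab-system scenario above is a fan-out pattern: many internal sources each reaching many internal peers on the same port. The following is an added example, not code from the original article, that applies that heuristic to connection-log lines. The log format ("timestamp src dst dst_port proto"), the sample traffic, and the thresholds are all constructed assumptions; the distinction it draws is the one the text makes, between a single host sweeping the network and several hosts doing so at once, which is the worm-like case.

```python
"""Worm-style propagation detector over connection-log lines.

Added example (not part of the original article). It counts, per
(source host, destination port), how many distinct internal peers the
source contacted, then reports ports where one or more sources exceed
a fan-out threshold. Many sources with the same fan-out on one port is
the worm-like propagation pattern; a single source is plain scanning.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed RFC 1918 ranges stand in for "internal" here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def _constructed_log():
    """Build constructed sample log lines: 'timestamp src dst dst_port proto'."""
    lines = []
    # Normal traffic: three workstations reaching one internal proxy on 443.
    for i in range(1, 4):
        lines.append(f"2026-04-06T08:0{i}:00 10.1.1.{i} 10.1.9.1 443 tcp")
    # Four lab hosts each probing six peers on 445 after the weekend:
    # the worm-like east-west pattern from the article's scenario.
    for host in range(20, 24):
        for peer in range(1, 7):
            lines.append(f"2026-04-06T02:15:00 10.1.3.{host} 10.1.{peer}.10 445 tcp")
    # One jump host sweeping eight hosts on 22: fan-out from a single source.
    for peer in range(1, 9):
        lines.append(f"2026-04-06T09:00:00 10.1.1.50 10.1.5.{peer} 22 tcp")
    # Outbound browsing to an external address: not east-west, so ignored.
    lines.append("2026-04-06T09:05:00 10.1.1.2 203.0.113.7 443 tcp")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one whitespace-separated log line into a record dict."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def fan_out(records):
    """Map (src, dst_port) -> set of distinct internal destinations contacted."""
    peers = defaultdict(set)
    for rec in records:
        if is_internal(rec["src"]) and is_internal(rec["dst"]):
            peers[(rec["src"], rec["port"])].add(rec["dst"])
    return peers


def detect_worm_like(log_text, fanout_threshold=5, min_sources=3):
    """Return findings sorted by port.

    A source whose distinct-peer count on a port reaches fanout_threshold
    is a scanner for that port. If at least min_sources scanners share the
    same port, the verdict is 'worm-like propagation'; otherwise the port
    is reported as 'single-host scanning' for analyst follow-up.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scanners = defaultdict(set)  # dst_port -> sources exceeding the threshold
    for (src, port), dsts in fan_out(records).items():
        if len(dsts) >= fanout_threshold:
            scanners[port].add(src)
    findings = []
    for port, sources in scanners.items():
        verdict = ("worm-like propagation" if len(sources) >= min_sources
                   else "single-host scanning")
        findings.append({"port": port, "sources": sorted(sources),
                         "verdict": verdict})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for finding in detect_worm_like(SAMPLE_LOG):
        print(f"port {finding['port']}: {finding['verdict']} "
              f"from {len(finding['sources'])} source(s) {finding['sources']}")
```

On the constructed sample this reports port 445 as worm-like (four lab hosts, six peers each) and port 22 as single-host scanning (one jump host), while the ordinary proxy traffic and the external connection produce nothing. The thresholds are deliberately conservative placeholders; in practice they would be tuned to the environment, and a hit on a port tied to an unpatched service is the cue the article gives for urgent segmentation and blocking of that service.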

Test Your Knowledge

Many internal hosts suddenly begin scanning other subnets for the same vulnerable service and infecting reachable systems. Which malware type best matches this pattern?

A
B
C
D
Test Your Knowledge

A user installs a fake PDF tool that appears useful but silently creates remote access for an attacker. What is the best classification?

A
B
C
D
Test Your Knowledge (Multi-Select)

Which clues are most associated with a virus? Choose two.

Select all that apply

Malicious code attached to a document or executable
Spread that occurs when the infected file is opened or run
A flood of traffic from thousands of unrelated external IP addresses
A timing leak in a cryptographic operation