Malware, Virus, Worm, and Trojan Symptoms
Key Takeaways
- A **virus** attaches to a host file, macro, or executable and requires the host item to be opened or run before it spreads.
- A **worm** self-propagates across networks without a host file, producing scanning bursts and east-west traffic spikes.
- A **Trojan** hides malicious behavior inside something the user willingly installs; it does not self-replicate.
- Identify malware by propagation pattern and evidence, not by the scariest label — CC questions describe symptoms, not names.
- The ISC2 CC exam is computer adaptive testing (CAT), 120 minutes, 100-125 items, 700/1000 to pass; Domain 4 (Network Security) is 24 percent.
Reading Symptoms Before Naming the Attack
Network attack questions on the ISC2 Certified in Cybersecurity (CC) exam almost always describe behavior before they ever name the threat. That is deliberate. A junior analyst who calls every infection a "virus" and every outage a "DDoS" will choose wrong answers. The skill being tested is pattern reading: How did the code arrive? How did it spread? Which hosts are affected? What traffic changed? What evidence supports the conclusion?
For context, the current CC exam blueprint is effective October 1, 2025, and a refreshed outline takes effect September 1, 2026. The exam is computer adaptive testing (CAT), runs 120 minutes, presents 100 to 125 items, and uses a 700 out of 1000 scaled passing score. The five domains are weighted Security Principles 26 percent, Business Continuity / Disaster Recovery / Incident Response 10 percent, Access Controls 22 percent, Network Security 24 percent, and Security Operations 18 percent. This chapter sits in the 24 percent Network Security domain, the second-largest on the test.
Virus
A virus attaches itself to a host item — a document, macro, boot sector, or executable — and spreads only when that host is moved and then opened or run. The defining trait is dependence on a carrier and on user or process execution. Scenario clues: an infected attachment emailed between users, a macro that fires when a spreadsheet opens, or an executable that infects other executables on the same disk. Controls include endpoint protection, disabling macros by default, patching, least privilege, application allow-listing, email attachment filtering, and user awareness.
Worm
A worm needs no host file; it self-propagates by exploiting a reachable, often unpatched, service. Worm scenarios show rapid network scanning, many hosts infected in minutes, and east-west (internal lateral) traffic spikes as each victim hunts for new victims. If a sensor shows hundreds of internal hosts hammering the same port across every subnet, think worm or automated propagation. Controls: timely patching, network segmentation, vulnerability management, endpoint detection, and blocking unnecessary lateral movement.
Trojan
A Trojan disguises malicious behavior inside something the user believes is useful — a fake update, a cracked tool, a game, a "document converter," or a bogus security scanner — that actually steals credentials or installs remote access. The clue is willing installation under false pretenses, so Trojans overlap heavily with phishing and social engineering. Unlike a worm, a Trojan does not self-replicate.
Symptom-to-Type Mapping
| Symptom in the scenario | More likely answer |
|---|---|
| Macro in an opened attachment infects more documents | Virus |
| Many hosts scan and exploit the same service automatically | Worm |
| A useful-looking installer opens a hidden backdoor | Trojan |
| Browser redirects after a sketchy extension install | Trojan / unwanted software |
| One host quietly sends spam via the user's mailbox | Bot / credential theft |
Common Traps
Do not stop at the label — CC also tests response priority: contain, preserve evidence, reduce spread, restore safely. A worm demands fast segmentation and blocking the exploited port. A Trojan that stole credentials demands password resets and session revocation as urgently as cleaning the endpoint. A trap answer often "cleans the one machine" while ignoring the propagation path or stolen secrets.
Worked Scenario
A finance employee opens a vendor email; the spreadsheet asks them to enable macros. Soon local files are modified and the same attachment is auto-sent to contacts. Macro execution plus file infection plus self-mailing points to virus behavior delivered by phishing. Response: isolate the host, capture the email artifact, scan related systems, block the attachment hash, review mailbox forwarding rules, and reinforce "never enable untrusted macros."
Contrast: after a weekend, dozens of unpatched lab systems generate outbound traffic to the same port on every subnet — automated, network-based spread, i.e., worm-like. Here the correct answer centers on containment, patching, and blocking east-west traffic, not on re-imaging a single endpoint.
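To make the two propagation patterns in the worked scenario and its contrast concrete, here is an added Python example (not part of the original chapter) that runs a "many hosts hammering one port across subnets" check and a "one host suddenly mass-mailing" check over constructed flow records; the `src dst port proto` line format, the /24 subnet assumption, the RFC 1918 internal ranges and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); adjust for a real environment.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def parse_flows(text):
    """Parse constructed 'src dst dst_port proto' lines into flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def worm_like_ports(flows, min_sources=5, min_subnets=4):
    """Worm clue: many distinct internal sources reaching many /24 subnets on one port."""
    sources, subnets = defaultdict(set), defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            sources[f["port"]].add(f["src"])
            subnets[f["port"]].add(str(ip_network(f["dst"] + "/24", strict=False)))
    return {p: (len(sources[p]), len(subnets[p])) for p in sources
            if len(sources[p]) >= min_sources and len(subnets[p]) >= min_subnets}

def mass_mailers(flows, min_sessions=20):
    """Self-mailing clue: a single internal host opening an unusual number of SMTP sessions."""
    counts = defaultdict(int)
    for f in flows:
        if f["port"] in (25, 587) and is_internal(f["src"]):
            counts[f["src"]] += 1
    return {host: n for host, n in counts.items() if n >= min_sessions}

# Constructed sample: weekend lab traffic, each victim hunting the next on TCP/445 across subnets.
WORM_SAMPLE = "\n".join(
    f"10.10.{i}.{10 + i} 10.10.{i + 1}.{20 + i} 445 tcp" for i in range(1, 9)
) + "\n10.10.1.99 203.0.113.7 443 tcp"  # ordinary outbound HTTPS, should be ignored

# Constructed sample: one finance workstation opening 30 SMTP sessions to the mail relay.
MACRO_SAMPLE = "\n".join("10.10.1.50 10.10.0.5 25 tcp" for _ in range(30))

if __name__ == "__main__":
    print("worm-like ports:", worm_like_ports(parse_flows(WORM_SAMPLE)))   # {445: (8, 8)}
    print("mass mailers:", mass_mailers(parse_flows(MACRO_SAMPLE)))       # {'10.10.1.50': 30}
```

A worm hit triggers the segmentation and port-blocking response from the contrast paragraph; a single mass-mailing host points back at the carrier (the macro attachment) and the mailbox review steps above.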
Other Malware Terms You May See
The CC blueprint also expects familiarity with a handful of related terms, even though viruses, worms, and Trojans dominate. Ransomware encrypts a victim's files and demands payment for the decryption key; its tell is mass file encryption, ransom notes, and renamed extensions. A logic bomb is dormant code that triggers on a condition such as a date or a fired employee's account being disabled; the clue is damage tied to an event, not propagation.
Spyware quietly collects activity and data; adware injects unwanted advertising; a rootkit hides at a deep level to evade detection and maintain persistence; and a bot turns the host into a remotely controlled member of a botnet used for spam or DDoS. None of these self-propagate the way a worm does, and most reach the host through a Trojan or a phishing lure.
How Malware Usually Arrives
Understanding the delivery vector sharpens identification. Most endpoint infections in CC scenarios start with one of three doors: a malicious email attachment or link (the most common), a drive-by download from a compromised or malicious website, or a removable USB device carrying an infected file. A second wave then spreads internally either by users opening the carrier again (virus) or by the code exploiting an unpatched service on its own (worm).
When a question gives both an arrival method and a spread method, weight the spread method most heavily to choose the malware type, then use the arrival method to choose the preventive control. For example, "arrived as an email macro, then spread by automated network exploitation" is best read as malware that began like a virus but propagated like a worm — and the answer that mentions both patching and email filtering usually beats one that mentions only a single control.
Many internal hosts suddenly begin scanning other subnets for the same vulnerable service and infecting reachable systems with no user interaction. Which malware type best matches this pattern?
A user downloads a 'free PDF converter,' runs it, and it silently installs remote-access software for an attacker. What is the best classification?
Which clues are most associated with a virus? Choose two.
Select all that apply