Malware Types: Viruses, Worms, Trojans, Ransomware, Spyware & Adware

This lesson provides an in-depth look at the different types of malware you need to know for OCR J277 Section 1.4. Each type has distinct characteristics, methods of spreading, and impacts.

---

What Is Malware?

Malware is a general term for any software that is intentionally designed to cause damage to a computer, server, client or computer network. The word comes from "malicious software."

Malware can:

• Steal sensitive data (passwords, financial information)
• Encrypt files and demand ransom
• Spy on user activity
• Damage or delete files
• Use system resources for malicious purposes (e.g. cryptocurrency mining, botnets)

---

Viruses

A computer virus is a piece of malicious code that attaches itself to a legitimate program or file. It requires human action to spread — the infected file must be opened, run, or shared.

Characteristics of viruses:

• Attach to host files (documents, programs, macros)
• Replicate by copying themselves into other files when the host is executed
• Can be dormant until triggered (e.g. on a specific date)
• Spread via email attachments, USB drives, file downloads

Feature	Detail
Needs host file	Yes
Needs user action	Yes — user must open/run the file
Self-replicating	Only when host is executed
Spread method	Email, USB, downloads

---

Worms

A worm is a standalone malicious program that replicates itself to spread to other computers. Unlike viruses, worms do not need a host file and do not require user action to spread.

How worms spread:

1. A worm exploits vulnerabilities in software or operating systems.
2. Once on a system, it automatically scans for other vulnerable machines on the network.
3. It copies itself to those machines and repeats the process.

Worms can spread extremely quickly across networks, consuming bandwidth and processing power. They can also carry a payload that performs additional malicious actions.

OCR Exam Tip: The key difference between a virus and a worm is that a worm is self-replicating and does NOT need a host file or user action. This is a very common comparison question in the exam.

---

Trojans

A trojan (short for Trojan horse) is malware that disguises itself as legitimate or useful software to trick users into installing it.

Characteristics of trojans:

• Do not self-replicate (unlike viruses and worms)
• Rely on social engineering — the user willingly installs them
• Once installed, they can create backdoors for remote access, steal data, or download additional malware
• Often bundled with free software, games, or pirated content

Feature	Virus	Worm	Trojan
Needs host file	Yes	No	No (is the file itself)
Self-replicates	Yes (with host)	Yes (standalone)	No
Needs user action	Yes	No	Yes (installation)
Disguised	Sometimes	No	Always

---

Ransomware

Ransomware is malware that encrypts the victim's files or locks their system, then demands payment (usually in cryptocurrency) for the decryption key.

How ransomware works:

1. The victim opens a malicious attachment or visits a compromised website.
2. The ransomware encrypts files on the device (and potentially on network drives).
3. A message is displayed demanding payment within a deadline.
4. If the ransom is paid, the attacker may (or may not) provide the decryption key.

Notable examples:

• WannaCry (2017) — Affected over 200,000 computers in 150 countries, including the NHS in the UK.
• NotPetya (2017) — Caused billions of pounds in damage worldwide.

Prevention:

• Keep software and operating systems up to date (patches fix vulnerabilities)
• Regular backups stored offline
• Do not open suspicious email attachments
• Use anti-malware software

OCR Exam Tip: Ransomware questions often ask about the impact on businesses. Key impacts include: loss of access to critical data, financial cost of ransom or recovery, reputational damage, and potential breach of data protection law.

---

Spyware

Spyware is malware that secretly monitors and collects information about a user's activities without their knowledge or consent.

What spyware collects:

• Keystrokes (using a keylogger)
• Browsing history and search queries
• Login credentials and financial data
• Screenshots
• Microphone and webcam recordings

Spyware often arrives bundled with free software or through malicious websites. It runs silently in the background and sends collected data back to the attacker.

---

Adware

Adware is software that automatically displays or downloads advertising material, often in the form of pop-up windows or browser redirects.

While adware is sometimes considered less harmful than other malware, it can:

• Slow down system performance
• Redirect browser searches to advertising sites
• Track browsing habits for targeted advertising
• Serve as a gateway for more serious malware

---

Summary Table

Malware Type	Key Feature	Self-Replicates?	Needs User Action?
Virus	Attaches to host files	Yes (with host)	Yes
Worm	Standalone, exploits vulnerabilities	Yes	No
Trojan	Disguised as legitimate software	No	Yes
Ransomware	Encrypts files, demands payment	Sometimes	Usually
Spyware	Secretly monitors activity	No	Usually
Adware	Displays unwanted adverts	No	Usually

The decision tree below helps you classify a malware sample by its behaviour — a useful technique when an exam scenario describes symptoms.

flowchart TD
  A[Suspicious software] --> B{Self-replicates?}
  B -- Yes --> C{Needs host file?}
  C -- Yes --> V[Virus]
  C -- No --> W[Worm]
  B -- No --> D{"Disguised as<br/>legitimate?"}
  D -- Yes --> T[Trojan]
  D -- No --> E{What does it do?}
  E -- Encrypts files for ransom --> R[Ransomware]
  E -- Monitors user secretly --> S[Spyware]
  E -- Shows unwanted adverts --> AD[Adware]

Understanding the differences between these malware types is essential for your OCR J277 exam. You should be able to identify each type from a description and explain how to protect against them.

---

Worked Example: The WannaCry Ransomware Case Study

In May 2017, WannaCry ransomware spread across the world in a matter of hours. Within a day it had affected more than 200,000 computers in 150 countries. In the United Kingdom, the National Health Service was hit particularly hard: at least 80 NHS trusts had machines infected, thousands of appointments and operations were cancelled, and A&E departments diverted ambulances to hospitals that were still able to accept patients. The incident is studied because it demonstrates how several categories of malware behaviour can combine in a single piece of software.