Computer viruses and worms are types of “malicious code,” which is defined herein as any computer program, module, or code that enters a computer system or other computing device without an authorized user's knowledge and/or without an authorized user's consent. In particular, a computer worm is malicious code that has the ability to replicate itself from one computer to another, e.g., over a computer network. The network may be a closed proprietary network or an open network such as the Internet. Ször, Péter, “Attacks on Win32,” Proceedings of the Virus Bulletin Conference, October 1998, England, and Ször, Péter, “Attacks on Win32—Part II,” Proceedings of the Virus Bulletin Conference, September 2000, England, describe various attacks by malicious code, including worms, on computer systems, with particular applicability to the Win32 API (Application Programming Interface) of Microsoft Corporation.
Modem, fast-spreading computer worms such as CodeRed and Nimda spread over the Internet by searching for vulnerable computer systems. During these searches, the computer worm may attempt thousands (or more) of connections to essentially random addresses. Because of the large number of possible addresses relative to the number of valid addresses, most of these attempted network connections fail. A worm that has a relatively high rate of connection attempts is potentially more dangerous because it can spread faster. However, such a fast-spreading worm will also tend to generate more failed connection attempts.
As writers of malicious code continue to develop fast-spreading computer worms, the need persists for reliable techniques for detecting these worms and responding to them as early as possible in order to minimize any damage they can do.